XenApp and XenDesktop 7.6 Long Term Service
Release (LTSR)
Feb 0 6, 20 18
What's new
Cumulative Update 5 (CU5)
Cumulative Update 4 (CU4)
Cumulative Update 3 (CU3)
Cumulative Update 2 (CU2)
Cumulative Update 1 (CU1)
Long T erm Service Release (LT SR)
Features not in this release
Known issues
System requirements
Technical overview
Concepts and components
Active Directory
Fault tolerance
Delivery methods
Reference Architectures
Design Guides
Implementation Guides
New deployments
Prepare to install
Prepare the virtualization environment: VMware
Prepare the virtualization environment: Microsoft System Center Virtual Machine Manager
Prepare for using Microsoft System Center Configuration Manager
Install using the graphical interface
Install using the command line
Create a Site
Install or remove Virtual Delivery Agents using scripts
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.1
Machine catalogs
Delivery groups
XenApp published apps and desktops
VM hosted apps
VDI desktops
Remote PC Access
App-V
Local App Access and URL redirection
Server VDI
Remove components
Upgrades and migration
Upgrade a deployment
Migrate XenApp 6.x
Migrate XenDesktop 4
Security
Getting Started with Citrix XenApp and XenDesktop Security
Security best practices and considerations
Delegated Administration
Smart cards
SSL
Policies
Work with policies
Policy templates
Create policies
Compare, prioritize, model, and troubleshoot policies
Default policy settings
Policy settings reference
Printing
Printing configuration example
Best practices, security considerations, and default operations
Print policies and preferences
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.2
Provision printers
Maintain the printing environment
Licensing
Connections and resources
Connection leasing
Virtual IP and virtual loopback
Secondary database locations
Delivery Controller environment
Add, remove, or move Controllers, or move a VDA
Active Directory OU-based Controller discovery
Session management
Using Search in Studio
IPv4/IPv6 support
Client folder redirection
Personal vDisks (Excluded from LTSR)
Install and upgrade
Configuration and management
T ools
Displays, messages, and troubleshooting
User profiles
HDX
T hinwire Compatibility Mode
HDX 3D Pro
Flash Redirection
Host to client redirection
GPU acceleration for Windows Desktop OS
GPU acceleration for Windows Server OS
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.3
OpenGL Software Accelerator
Audio features
Network traffic priorities
USB and client drive considerations
Monitoring
Director
Session Recording
Personal vDisk
Configuration Logging
Monitor Service OData API
SDK
Understanding the XenDesktop Administration Model
Get started with the SDK
PowerShell cmdlet help
Citrix VDI Best Practices for XenApp and XenDesktop 7.6 LTSR
FIPS Sample Deployments
Third party notices
Citrix SCOM Management Pack for XenApp and XenDesktop
Citrix SCOM Management Pack for License Server
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.4
What's new
Feb 0 6, 20 18
T he Long Term Service Release (LT SR) program for XenApp and XenDesktop 7.6 provides stability and long-term support
for the XenApp/XenDesktop 7.6 release.
T he latest update to LT SR is Cumulative Update 5 (CU5). Citrix recommends that you update the LT SR components of your
deployment to CU5.
If you are new to the LT SR program and did not deploy the original XenApp/XenDesktop 7.6 LT SR release, there is no need
for you to install it now. Instead, Citrix recommends that you bypass the 7.6 LT SR release and begin right with CU5.
Documentation of the entire 7.6 LT SR release is available here.
In addition, Citrix also recommends specific versions of Citrix Receiver and other components. While not required for LT SR
compliance, upgrading to the current versions of those components ensures further ease of maintenance and the
availability of the latest fixes in your deployment.
Downloads
7.6 LT SR CU5 (XenApp)
7.6 LT SR CU5 (XenDesktop)
Documentation
7.6 LT SR Cumulative Update 5
7.6 LT SR Cumulative Update 4
7.6 LT SR Cumulative Update 3
7.6 LT SR Cumulative Update 2
7.6 LT SR Cumulative Update 1
7.6 LT SR
Helpf ul links
Citrix Supportability Pack
The Supportability Pack is a collection of popular tools written by Citrix engineers to help diagnose and troubleshoot
XenDesktop/XenApp products. The tools are cataloged by features and components to make it easier to find and use.
Early versions of the Pack serves as a launch pad for efforts ...
Citrix LT SR Assistant
LTSR Assistant scans components of XenApp and XenDesktop 7.6 to determine if they are Long Term Service Release
(LTSR) compliant. The components to be scanned can reside on virtual or ...
LT SR Frequently Asked Questions (FAQs)
Citrix Windows App Delivery team has been releasing innovations and feature enhancements for the XenApp and
XenDesktop product lines at a rapid pace, with the 2015 year bringing about new product releases on a quarterly basis.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.5
This rapid pace of innovation enhances the use cases for XenApp and ...
XenApp and XenDesktop servicing options
Flexible service options enable predictable support. Citrix delivers new features and functionality for XenApp and
XenDesktop frequently to keep your business competitive, streamline IT operations, enhance data security, and ensure
your employees have access to their business resources from anywhere. ...
Product Lifecycle dates
Refer to this table for product lifecycle dates. The Product Matrix table below provides information for Citrix products
whose product lifecycle is governed by lifecycle phases. Product lifecycle milestones include Notice of Status Change
(NSC), End of Sales (EOS), End of Maintenance (EOM) and End of Life (EOL). …
LT SR Program for Receiver for Windows
For each major version (e.g., v3.0) of a Citrix Receiver for Windows, Mac, Linux, HTML5, Java, or WinCE, customers will
receive a minimum lifecycle of four years. The lifecycle consists of a Mainstream Maintenance Phase for at least the first
three years followed by an Extended Maintenance Phase for …
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.6
Cumulative Update 5 (CU5)
Feb 0 6, 20 18
Release date: Febuary 2018
Cumulative Update 5 (CU5) is the latest Cumulative Update to the XenApp and XenDesktop 7.6 Long Term Service Release
(LT SR). CU5 provides updates to ten baseline components of the original 7.6 LT SR.
Issues fixed since XenApp and XenDesktop 7.6 LT SR CU4
Known issues in this release
Downloads
Download LT SR CU5 (XenApp)
Download LT SR CU5 (XenDesktop)
New deployments
How do I deploy CU5 f rom scratch?
You can set up a brand-new XenApp or XenDesktop environment based on CU5 - using the CU5 metainstaller.* Before you
do that, we recommend that you familiarize yourself with the product:
Peruse the XenApp and XenDesktop 7.6 Long Term Service Release documentation and pay close attention to
the Technical Overview, New Deployments, and Security sections before you start planning your deployment. Make sure
your setup meets the system requirements for all components. Follow New Deployments for deployment instructions.
* Note: Provisioning Services and Session Recording are available as separate downloads and installers.
Existing deployments
What do I update?
CU5 provides updates to ten baseline components of 7.6 LT SR. Remember: Citrix recommends that you update all LT SR
components of your deployment to CU5. For example: If Provisioning Services is part of your LT SR deployment, update the
Provisioning Services component to CU5. If Provisioning Services is not part of your deployment, you do not need to install
or update it.
Since the 7.6 LT SR release, we have added a metainstaller that lets you update the existing components of your LT SR
environment from a unified interface. Following the Upgrade instructions, use the metainstaller to update the LT SR
components of your deployment.
Note
T he following information is specific to the CU5 release. For the equivalent information for the LT SR base release, CU1, CU2, CU3, or
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.7
CU4, see the respective documentation.
LTSR Baseline Components
Version
Notes
VDA for Desktop OS
7.6.5000
Special rules apply for Windows 10.
See CU5 compatible components
and platforms.
VDA for Server OS
7.6.5000
Delivery Controller
7.6.5000
Citrix Studio
7.6.5000
Citrix Director
7.6.5000
Group Policy Management Experience
2.5.5000
StoreFront
3.0.5000.1
Provisioning Services
7.6.6
Special rules apply for Windows 10.
See CU5 compatible components
and platforms.
Universal Print Server
7.6.5000
Only Windows 2008 R2 SP1
Windows 2012
Windows 2012 R2 supported
Session Recording
7.6.5000
Platinum Edition only
LTSR CU5 compatible components
T he following components are recommended for use in 7.6 LT SR CU5 environments. T hese components are not eligible for
the LT SR benefits (extended lifecycle and fix-only cumulative updates). Citrix might ask you to upgrade to a newer version
of these components within your 7.6 LT SR environments.
Note about Windows 10: Windows 10 does not get the full set of 7.6 LT SR benefits. For deployments that include
Windows 10 machines, Citrix recommends that you use the latest 7.15 LT SR version of the VDA for Desktop OS and of
Provisioning Services.
For more information, see Adding Windows 10 Compatibility to XenApp and XenDesktop 7.6 LT SR and the XenApp and
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.8
XenDesktop Servicing Options (LT SR) FAQ.
Version
LTSR CU5 Compatible Components and Platf orms
Profile Management
7.15.1000
AppDNA
7.14
License Server
11.14.0.1 Build 22103
HDX RealT ime Optimization Pack
2.4
Windows 10
VDA and Provisioning Services:
Latest 7.15 LT SR CU
Compatible versions of Citrix Receiver
For ease of maintenance, and to ensure optimal performance, Citrix recommends that you upgrade to the latest version of
Citrix Receiver any time it becomes available. T he latest versions are available for download
at https://www.citrix.com/downloads/citrix-receiver.html. For your convenience, consider subscribing to the Citrix Receiver
RSS feed to receive a notification when a new version of Citrix Receiver becomes available.
Note that Citrix Receiver is not eligible for the XenApp and XenDesktop LT SR benefits (extended lifecycle and fix-only
cumulative updates). Citrix may ask you to upgrade to a newer version of Citrix Receiver within your 7.6 LT SR environments.
In the case of Citrix Receiver for Windows, Citrix has announced a special LT SR program. More information on that program
is available on the Lifecycle Milestones for Citrix Receiver page.
Specifically, LT SR supports the following versions of Citrix Receiver and all later versions:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.9
LTSR Compatible Versions of Citrix Receiver
Version
Citrix Receiver for Android
3.13.2
Citrix Receiver for Chrome
2.6.2
Citrix Receiver for HT ML5
2.6.2
Citrix Receiver for iOS
7.5
Citrix Receiver for Mac
12.8.1
Citrix Receiver for Linux
13.8
Citrix Receiver for Universal Windows Platform
1.0.5
Citrix Receiver for Windows
4.9
LTSR notable exclusions
T he following features, components, and platforms are not eligible for LT SR lifecycle milestones and benefits. Specifically,
cumulative updates and extended lifecycle benefits are excluded. Updates to excluded features and components will be
available through regular current releases.
Excluded Features
Local App Access
Framehawk
Excluded Components
Linux VDA
Personal vDisk
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.10
Excluded Windows Platf orms*
Windows 2008 32-bit (for Universal Print Server)
* Citrix reserves the right to update platform support based on third party vendors’ lifecycle milestones.
Install and upgrade analytics
When you use the full-product installer to deploy or upgrade XenApp or XenDesktop components, anonymous information
about the installation process is gathered and stored on the machine where you are installing/upgrading the component.
T his data is used to help Citrix improve its customers' installation experiences. For more information, see
http://more.citrix.com/XD-INSTALLER.
XenApp 6.5 migration
T he XenApp 6.5 migration process helps you more efficiently and quickly transition from a XenApp 6.5 farm to a Site running
XenApp 7.6 (or a later supported release). T his is helpful in deployments that contain large numbers of applications and
Citrix group policies, lowering the risk of inadvertently introducing errors when manually moving applications and Citrix group
policies to the new XenApp Site.
After you install the XenApp 7.6 core components and create a Site, the migration process follows this sequence:
Run the XenApp 7.6 installer on each XenApp 6.5 worker, which automatically upgrades it to a new Virtual Delivery Agent
for Windows Server OS for use in the new Site.
Run PowerShell export cmdlets on a XenApp 6.5 controller, which exports application and Citrix policy settings to XML
files.
Edit the XML files, if desired, to refine what you want to import to the new Site. By tailoring the files, you can import
policy and application settings into your XenApp 7.6 Site in stages: some now and others later.
Run PowerShell import cmdlets on the new XenApp 7.6 Controller, which import settings from the XML files to the new
XenApp Site.
Reconfigure the new Site as needed, and then test it.
For more information, see Migrate XenApp 6.x.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.11
Fixed issues
Feb 0 6, 20 18
XenApp/XenDesktop 7.6 LT SR Cumulative Update 5 contains all fixes that were included in XenApp and XenDesktop 7.6
LT SR, Cumulative Update 1, Cumulative Update 2, Cumulative Update 3, and Cumulative Update 4, plus the following, new
fixes:
Citrix Director
An exception might occur when you, as a custom administrator, cannot retrieve the Remote PC setting from the
machine catalog. T he issue occurs when you have permission to manage the machine catalog, but the scope does not
contain the particular catalog. [#LC8170]
Citrix Policy
Group Policy Objects that contain both Citrix and Microsoft settings might not be enforced. T his issue occurs when the
extension unit in the list contains more than two GUIDs. [#LC7533]
When you open a second instance of Group Policy Editor (gpedit.msc), the Citrix Policies node does not open and the
following error message might appear:
"Unhandled exception in managed code snap-in." [#LC7600]
When files in the local policies cache folder (%ProgramData%/CitrixCseCache) are set to "Read-only," the policy settings
might not be applied successfully. [#LC8750]
Citrix Studio
Attempts to add machines to a Delivery Group by using the "NET BIOS" name for user association might fail. Instead, the
domain name might appear. T he issue occurs when the NET BIOS name uses the wrong URL. [#LC7830]
Controller
Attempts to add machines to a Delivery Group by using the "NET BIOS" name for user association might fail. Instead, the
domain name might appear. T he issue occurs when the NET BIOS name uses the wrong URL. [#LC7830]
T he symptoms of this issue might vary and the following effects can be observed:
PowerShell queries might time out in large (5000+ VDA) sites.
A Citrix Studio search request might be slow or time out due to the size of a site.
Event ID 1201 "Connection to the database has been lost – Exception T imeout expired" might be logged on the
Delivery Controller when the query runs for a long time. [#LC7833]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.12
T he AllowRestart policy for sessions on Server OS does not allow you to log off from the disconnected sessions. When
you restart a disconnected session, the session is reconnected to the previous session instead of starting a new one.
[#LC8090]
T he connection between the Delivery Controller and the SQL Server might be lost intermittently due to a deadlock in
the SQL database. [#LC8477]
In a large XenApp and XenDesktop environment, the stored procedure for Monitor database grooming does not work
correctly if the size of the Monitor database is large. [#LC8770]
Installer
When the read and write permissions (only traverse permissions) are restricted on the parent folder of the folder that
contains the installation media, attempts to install VDA software from the shared folder might fail. T he following error
message appears:
"A non-recoverable error occurred during a database lookup." [#LC6520]
Provisioning Services
Console Issues
T he XenDesktop Setup wizard might fail after creating a template virtual machine. [#LC8018]
Server Issues
When the Boot Device Manager (BDM) is configured for the DHCP Discover, Offer, Request and Acknowledge (DORA)
process, the process might not complete. T he issue occurs when the DHCP relay sends the "OFFER" packet as a
UNICAST packet. [#LC8130]
T he same disk identifier is erroneously assigned to the vDisk residing in different stores when the existing vDisk was
added using the "MCLI Add DiskLocator" command. [#LC8281]
Target Issues
T arget devices might become unresponsive. [#LC7911]
Session Recording (Agent)
When user1 launches a session that is delivered by VDA1 that is being recorded and does not close the notification
message in session1, the notification message does not appear in session2 that is delivered by VDA1. T his can happen
when the session is launched by user2 until user1 manually closes the notification message in session1. [#LC8132]
StoreFront
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.13
After upgrading StoreFront, attempts to log on to one of the servers can cause the server to not display the users'
application subscription data. T he issue occurs because of the Microsoft peer mesh limitation due to which one of the
peers might not detect itself online until the first mesh operation is attempted. [#LC1454]
With the Auto launch desktop setting enabled, the Multiple launch prevention option might not work. As a result,
subsequent requests to launch the same instance of the desktop fail. [#LC7430]
After upgrading StoreFront 2.6 installed on a non-default drive, users' application subscription data might not be
retained. [#LC8046]
When you attempt to view the details of a desktop, details of an already viewed desktop might appear. [#LC8062]
With socket pooling enabled and the Site database connectivity inconsistent, the sockets in StoreFront might get
exhausted when you continuously log on and log off. [#LC8514]
VDA for Desktop OS
HDX MediaStream Flash Redirection
Attempts to save Microsoft Office files such as Microsoft Excel spreadsheets that are running in a session with HDX
seamless apps enabled can cause the files to exit unexpectedly. [#LC8572]
Printing
Attempts to launch a published application might fail when the application is waiting for a mutex object in Citrix Print
Manager service (cpsvc.exe). [#LC6829]
After you save printer properties by selecting Preferences in a published application, the settings might not be restored
when you log off and then log back on to the session. T he issue occurs on network printers that are redirected from the
user device. [#LC7770]
Server/Site Administration
Changes you make to Advanced System Settings under Visual Ef f ects apply to the current VDA for Desktop OS
session but might not be retained for subsequent sessions. To make such changes persistent, set the following registry
key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Control\Citrix
Name: EnableVisualEffect
Type: DWORD
Value: 1 [#LC8049]
Session/Connection
When you launch certain third-party applications that are used for video conferencing with flexible resolution, the
application might exit unexpectedly. [#LC6994]
When you establish a Skype for Business video call, a blue window border might appear after intersecting with the
window of a third party application. [#LC7773]
A session running on a VDA for Desktop OS might become unresponsive when using legacy graphics mode. When the
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.14
issue occurs, you might not be able to update anything on the Desktop Viewer, but the Desktop Viewer is not in an
unresponsive state. Also, after 30-60 minutes, the previously unresponsive session recovers. [#LC7777]
With local app access enabled, using the interactive logon disclaimer policy might result in a black or gray screen.
[#LC7798]
When performing an insert operation between two Microsoft Excel 2010 worksheets running on a Version 7.9 VDA, the
Excel window might become unresponsive. [#LC7912]
In certain scenarios, seamless applications might not appear in seamless mode or certain features might not work.
[#LC8030]
After you maximize and restore a published application multiple times, the mouse cursor might appear incorrectly and the
application cannot be expanded vertically and horizontally. Also, the application does not cover the entire screen and a
black border appears. [#LC8988]
Smart Cards
When you log on to a session using a smart card, the session might become unresponsive until you disconnect and
reconnect the session. [#LC8036]
T he Citrix Smart Card Service might exit unexpectedly on a VDA. [#LC8386]
System Exceptions
T he wfshell.exe process might exit unexpectedly, pointing to the taskbar grouping module.[#LC6968]
On systems with Hotfix Rollup Pack 7 installed, servers might experience a fatal exception, displaying a blue screen, on
picadm.sys with bugcheck code 0x00000050 (PAGE_FAULT _IN_NONPAGED_AREA). [#LC6985]
Servers might experience a fatal exception, displaying a blue screen, on picadm.sys with bugcheck code 0x22. [#LC7574]
Servers might experience a fatal exception, displaying a blue screen, on vdtw30.dll with stop code 0xc0000006. [#LC7608]
VDAs might experience a fatal exception, displaying a blue screen, on tdica.sys with a bugcheck code. [#LC7632]
VDAs might experience a fatal exception, displaying a blue screen with bugcheck code 0x7E. T he issue occurs when you
leave the VDA session idle for some time. [#LC8045]
User Experience
Windows Media Player might display Microsoft AVI (.avi) files format as vertically flipped. [#LC8308]
T he screen might not refresh with the logon prompt after you attempt to log on to a session that was locked
previously. [#LC8774]
VDA for Server OS
HDX MediaStream Flash Redirection
Attempts to save Microsoft Office files such as Microsoft Excel spreadsheets that are running in a session with HDX
seamless apps enabled can cause the files to exit unexpectedly. [#LC8572]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.15
Printing
Attempts to launch a published application might fail when the application is waiting for a mutex object in Citrix Print
Manager service (cpsvc.exe). [#LC6829]
After you save printer properties by selecting Preferences in a published application, the settings might not be restored
when you log off and then log back on to the session. T he issue occurs on network printers that are redirected from the
user device. [#LC7770]
Server/Site Administration
Changes you make to Advanced System Settings under Visual Ef f ects apply to the current VDA for Desktop OS
session but might not be retained for subsequent sessions. To make such changes persistent, set the following registry
key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Control\Citrix
Name: EnableVisualEffect
Type: DWORD
Value: 1 [#LC8049]
Session/Connection
Attempts to reconnect to a session can fail intermittently and cause the VDAs for Server OS to go into "Initializing"
status. T he issue occurs when the VDA is registered again with a Delivery Controller. [#LC6647]
When you click "Cancel" on the progress bar of a session launch, wrong session information can remain on the Delivery
Controller. As a result, the actual session is not created on the VDA and you might not be able to launch a new session.
[#LC6779]
After undocking a laptop, session sharing might fail. T he issue occurs when the VDA reregisters with the Delivery
Controller while an-out-of-order notification is triggered during auto client reconnect. [#LC7450]
T he microphone might be redirected intermittently in the user session even after setting the Client microphone
redirection policy value to Prohibited.
T his fix addresses the issue. However, if you continue to observe the issue, apply the following registry key on the device
with the microphone:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Control\T erminal Server\WinStations\ica-tcp\AudioConfig
Name: MaxPolicyAge
T ype: DWORD
Value: Maximum time (in seconds) allowed between the last policy evaluation and the time of endpoint activation.
Default is 30 seconds.
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Control\T erminal Server\WinStations\ica-tcp\AudioConfig
Name: PolicyT imeout
T ype: DWORD
Value: Maximum time (in milliseconds) that the system waits for policies after determining that the policies are not up
to date. Default is 4,000 milliseconds. When the timeout occurs, the system reads the policies and continues with
initialization. Setting this value to (0) bypasses the Active Directory policies check and processes policies immediately.
[#LC7495]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.16
When you establish a Skype for Business video call, a blue window border might appear after intersecting with the
window of a third party application. [#LC7773]
A session running on a VDA for Desktop OS might become unresponsive when using legacy graphics mode. When the
issue occurs, you might not be able to update anything on the Desktop Viewer, but the Desktop Viewer is not in an
unresponsive state. Also, after 30-60 minutes, the previously unresponsive session recovers. [#LC7777]
A spurious XenApp session might be displayed in Citrix Studio when a Remote Desktop session takes over a console
session on a VDA for Server OS. [#LC7826]
When performing an insert operation between two Microsoft Excel 2010 worksheets running on a Version 7.9 VDA, the
Excel window might become unresponsive. [#LC7912]
In certain scenarios, seamless applications might not appear in seamless mode or certain features might not work.
[#LC8030]
Servers might become unresponsive on RPM.dll and the following error message appears:
"Event ID 1009, picadm: T imeout waiting for response message from client" [#LC8339]
After you maximize and restore a published application multiple times, the mouse cursor might appear incorrectly and the
application cannot be expanded vertically and horizontally. Also, the application does not cover the entire screen and a
black border appears. [#LC8988]
Smart Cards
When you log on to a session using a smart card, the session might become unresponsive until you disconnect and
reconnect the session. [#LC8036]
T he Citrix Smart Card Service might exit unexpectedly on a VDA. [#LC8386]
System Exceptions
T he wfshell.exe process might exit unexpectedly, pointing to the taskbar grouping module. [#LC6968]
On systems with Hotfix Rollup Pack 7 installed, servers might experience a fatal exception, displaying a blue screen, on
picadm.sys with bugcheck code 0x00000050 (PAGE_FAULT _IN_NONPAGED_AREA). [#LC6985]
Servers might experience a fatal exception, displaying a blue screen, on picadm.sys with bugcheck code 0x22. [#LC7574]
Servers might experience a fatal exception, displaying a blue screen, on vdtw30.dll with stop code 0xc0000006. [#LC7608]
VDAs might experience a fatal exception, displaying a blue screen, on tdica.sys with a bugcheck code. [#LC7632]
T he Service Host (svchost.exe) process might experience an access violation and exit unexpectedly. T he issue occurs
because of the faulting module, icaendpoint.dll. [#LC7694]
T he Service Host (svchost.exe) process might experience an access violation and exit unexpectedly. T he issue occurs
because of the faulting module, icaendpoint.dll. [#LC7900]
Servers might experience a fatal exception, displaying a blue screen, on icardd.dll with bugcheck code 0x0000003B.
[#LC8492]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.17
Servers might experience a fatal exception, displaying a blue screen, on icardd.dll with bugcheck code 0x0000003B.
[#LC8732]
User Experience
Windows Media Player might display Microsoft AVI (.avi) files format as vertically flipped. [#LC8308]
User Interf ace
T he logoff screen might not appear when you attempt to log off from a Microsoft Windows Server 2008 R2 desktop
session. You might be able to log off from the session, but the session appears as though it is disconnected
unexpectedly. [#LC8016]
Virtual Desktop Components - Other
App-V applications located outside Virtual File System (VFS) servers or on the network drive might not work correctly
when using Connection Groups. [#LC6837]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.18
Cumulative Update 4 (CU4)
Jun 19, 20 17
Release date: June 2017
Cumulative Update 4 (CU4) is the latest Cumulative Update to the XenApp and XenDesktop 7.6 Long Term Service Release
(LT SR). CU4 provides updates to 10 baseline components of the original 7.6 LT SR.
Issues fixed since XenApp and XenDesktop 7.6 LT SR CU3
Known issues in this release
Downloads
Download LT SR CU4 (XenApp)
Download LT SR CU4 (XenDesktop)
New deployments
How do I deploy CU4 from scratch?
You can set up a brand-new XenApp or XenDesktop environment based on CU4 - using the CU4 metainstaller.* Before you
do that, we recommend that you familiarize yourself with the product:
Peruse the XenApp and XenDesktop 7.6 Long Term Service Release documentation and pay close attention to
the Technical Overview, New Deployments, and Security sections before you start planning your deployment. Make sure
your setup meets the system requirements for all components. Follow New Deployments for deployment instructions.
* Note: Provisioning Services and Session Recording are available as separate downloads and installers.
Existing deployments
What do I update?
CU4 provides updates to 10 baseline components of 7.6 LT SR. Remember: Citrix recommends that you update all LT SR
components of your deployment to CU4. For example: If Provisioning Services is part of your LT SR deployment, update the
Provisioning Services component to CU4. If Provisioning Services is not part of your deployment, you do not need to install
or update it.
Since the 7.6 LT SR release, we have added a metainstaller that lets you update the existing components of your LT SR
environment from a unified interface. Following the Upgrade instructions, use the metainstaller to update the LT SR
components of your deployment.
Note
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.19
T he following information is specific to the CU4 release. For the equivalent information for the LT SR base release, CU1, CU2, or CU3,
see the respective documentation.
LTSR Baseline Components
Version
Notes
VDA for Desktop OS
7.6.4000
Special rules apply for Windows 10.
See CU4 compatible components
and platforms.
VDA for Server OS
7.6.4000
Delivery Controller
7.6.4000
Citrix Studio
7.6.4000
Citrix Director
7.6.4000
Group Policy Management Experience
2.5.4000
StoreFront
3.0.4000
Provisioning Services
7.6.5
Special rules apply for Windows 10.
See CU4 compatible components
and platforms.
Universal Print Server
7.6.4000
Only Windows 2008 R2 SP1
Windows 2012
Windows 2012 R2 supported
Session Recording
7.6.4000
Platinum Edition only
LTSR CU4 compatible components
T he following components are recommended for use in 7.6 LT SR CU4 environments. T hese components are not eligible for
the LT SR benefits (extended lifecycle and fix-only cumulative updates). Citrix might ask you to upgrade to a newer version
of these components within your 7.6 LT SR environments.
Note about Windows 10: Regular support for Windows 10 is available through the Current Release path. Windows 10
does not get the full set of 7.6 LT SR benefits. For deployments that include Windows 10 machines, Citrix recommends that
you use the Current Release Version 7.9 or later of the VDA for Desktop OS and of Provisioning Services.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.20
For more information, see Adding Windows 10 Compatibility to XenApp and XenDesktop 7.6 LT SR and the XenApp and
XenDesktop Servicing Options (LT SR) FAQ.
Version
LTSR CU4 Compatible Components and Platf orms
Profile Management
5.8
AppDNA
7.14
License Server
11.14.0 Build 20101
HDX RealT ime Optimization Pack
2.2.100
Windows 10
VDA: Version 7.9 or later
Provisioning Services: Version 7.9 or later
Compatible versions of Citrix Receiver
For ease of maintenance, and to ensure optimal performance, Citrix recommends that you upgrade to the latest version of
Citrix Receiver any time it becomes available. T he latest versions are available for download
at https://www.citrix.com/downloads/citrix-receiver.html. For your convenience, consider subscribing to the Citrix Receiver
RSS feed to receive a notification when a new version of Citrix Receiver becomes available.
Note that Citrix Receiver is not eligible for the XenApp and XenDesktop LT SR benefits (extended lifecycle and fix-only
cumulative updates). Citrix may ask you to upgrade to a newer version of Citrix Receiver within your 7.6 LST R environments.
In the case of Citrix Receiver for Windows, Citrix has announced a special LT SR program. More information on that program
is available on the Lifecycle Milestones for Citrix Receiver page.
Specifically, LT SR supports the following versions of Citrix Receiver and all later versions:
LTSR Compatible Versions of Citrix Receiver
Version
Citrix Receiver for Windows
4.4 or later
Citrix Receiver for Linux
13.5 or later
Citrix Receiver for Mac
12.5 or later
Citrix Receiver for Chrome
2.4 or later
Citrix Receiver for HT ML5
2.4 or later
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.21
Citrix Receiver for iOS
7.2 or later
Citrix Receiver for Android
3.11.1 or later
LTSR notable exclusions
T he following features, components, and platforms are not eligible for LT SR lifecycle milestones and benefits. Specifically,
cumulative updates and extended lifecycle benefits are excluded. Updates to excluded features and components will be
available through regular current releases.
Excluded Features
Local App Access
Framehawk
Excluded Components
Linux VDA
Personal vDisk
Excluded Windows Platf orms*
Windows 2008 32-bit (for Universal Print Server)
* Citrix reserves the right to update platform support based on third party vendors’ lifecycle milestones.
Install and upgrade analytics
When you use the full-product installer to deploy or upgrade XenApp or XenDesktop components, anonymous information
about the installation process is gathered and stored on the machine where you are installing/upgrading the component.
T his data is used to help Citrix improve its customers' installation experiences. For more information, see
http://more.citrix.com/XD-INSTALLER.
XenApp 6.5 migration
T he XenApp 6.5 migration process helps you more efficiently and quickly transition from a XenApp 6.5 farm to a Site running
XenApp 7.6 (or a later supported release). T his is helpful in deployments that contain large numbers of applications and
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.22
Citrix group policies, lowering the risk of inadvertently introducing errors when manually moving applications and Citrix group
policies to the new XenApp Site.
After you install the XenApp 7.6 core components and create a Site, the migration process follows this sequence:
Run the XenApp 7.6 installer on each XenApp 6.5 worker, which automatically upgrades it to a new Virtual Delivery Agent
for Windows Server OS for use in the new Site.
Run PowerShell export cmdlets on a XenApp 6.5 controller, which exports application and Citrix policy settings to XML
files.
Edit the XML files, if desired, to refine what you want to import to the new Site. By tailoring the files, you can import
policy and application settings into your XenApp 7.6 Site in stages: some now and others later.
Run PowerShell import cmdlets on the new XenApp 7.6 Controller, which import settings from the XML files to the new
XenApp Site.
Reconfigure the new Site as needed, and then test it.
For more information, see Migrate XenApp 6.x.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.23
Fixed issues
Jun 19, 20 17
XenApp/XenDesktop 7.6 LT SR Cumulative Update 4 contains all fixes that were included in XenApp and XenDesktop 7.6
LT SR, Cumulative Update 1, Cumulative Update 2, and Cumulative Update 3, plus the following, new fixes:
Citrix Director
Attempts to reset the Citrix user profile using Citrix Director might fail, resulting in the following error message:
"T he reset process could not be initiated."
T he issue occurs when Citrix Director sends only the user name instead of sending the user name along with the domain
name. As a result, the Citrix Broker Service fails to locate the user in the DDC domain.
[#LC6681]
Citrix Studio
Microsoft Management Console might become unresponsive when adding machines to the Catalog.
[#LC5334]
Attempts to publish an App-V package that contains certain third-party applications with multiple file type associations
might fail, resulting in the following error message:
"Cannot validate argument on parameter 'ExtensionName'. T he character length of the 28 argument is too long.
Shorten the character length of the argument so it is fewer than or equal to "16" characters, and then try the command
again."
T he issue occurs when you attempt to add the App-V package to Citrix Studio.
[#LC6507]
With the access policy "IncludedClientIPFilterEnabled" set to enabled, the following error message might appear when
you click "Edit Delivery Group" in Citrix Studio:
"T he Users configuration has been manually modified and cannot be changed by Studio."
[#LC6620]
When you attempt to add virtual machines to a Citrix Provisioning Services catalog in Citrix Studio, the following error
message might appear:
"T he machine "virtual machine name” is already in a Machine Catalog."
[#LC6944]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.24
Controller
T he Configuration Logging Service might consume high memory, causing the Delivery Controller to become unresponsive.
[#LC6480]
Attempts to delete virtual machines that are created by Machine Creation Services can cause Citrix Studio to become
unresponsive.
[#LC6581]
With the access policy "IncludedClientIPFilterEnabled" set to enabled, the following error message might appear when
you click "Edit Delivery Group" in Citrix Studio:
"T he Users configuration has been manually modified and cannot be changed by Studio."
[#LC6620]
After successfully removing a machine from the MCS catalog, the following failed task notice appears on the Logging
tab of Citrix Studio:
"Locking pool catalog_name"
[#LC6653]
T he Machine Catalogs node in Citrix Studio can take several minutes to display its contents after selecting it.
[#LC6756]
When you attempt to add virtual machines to a Citrix Provisioning Services catalog in Citrix Studio, the following error
message might appear:
"T he machine "virtual machine name” is already in a Machine Catalog."
[#LC6944]
Attempts to add machines to an existing Machine Creation Services catalog might not follow the round robin method
for multiple storages that can be selected to accept the new machines.
[#LC7456]
HDX MediaStream Flash Redirection
Flash content might not redirect correctly on the client after configuration of the compatibility list policy.
[#LC6892]
Flash content on Qumu.com does not load and the website becomes dynamically blacklisted, and the following error
message appears: "T he client's Flash Player was unable to fetch Flash content directly from the client device. T he
browser page will be refreshed and server-side Flash rendering will be used if available."
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.25
[#LC6934]
With compatibility view enabled in Microsoft Internet Explorer, certain third-party websites with Flash content might not
work.
[#LC7513]
Provisioning Services
Server
Attempts to configure Provisioning Server using the Provisioning Services Configuration wizard by selecting the "Join
existing farm" option might fail while using the default instance of SQL server.
[#LC6579]
Target Device
Provisioning Services target devices might experience a fatal exception, displaying a blue screen.
[#LC6604]
Attempts to restart or shut down target devices from the Provisioning Services Console might fail.
[#LC6814]
Provisioning Services target devices might experience a fatal exception, displaying a blue screen with stop code
0x000000f.
[#LC6990]
T his fix addresses a memory leak issue in Provisioning Services target devices.
[#LC7409]
Session Recording
Administration
You might receive an Installation failed error in the following two cases. You can ignore the message, but to avoid
receiving the message, restart the machine before reinstalling the Session Recording components. [#544579]
Uninstalled the Session Recording components, and then reinstalled them without restarting the machine.
Installation failed and rollback happened, and then you tried to reinstall the Session Recording components without
restarting the machine.
[#LC6979]
StoreFront
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.26
Attempts to launch a session might fail with the following error message:
"T he ICA file contains an invalid unsigned parameter."
Before you upgrade or replace the new ADMX file, set the ICA file signing related policy "Enable ICA File Signing" to "Not
configured."
Note: Fix #LC5338 works with StoreFront 3.0.4000, StoreFront 3.9 and later versions.
[#LC5338]
Users cannot log on to StoreFront when a cached domain controller is offline, even when another domain controller is
available.
[#LC6358]
T he icon color for Citrix Receiver for Windows does not change after modifying the StoreFront theme.
[#LC6435]
Users are unable to see apps and desktops after logging on when one XML broker does not work correctly, even when
there are many working XML brokers. T he following error message appears.
"T here are no apps or desktops available to you at this time."
[#LC6928]
Attempts to propagate changes to a server group by selecting "Propagate Changes" on the StoreFront console might
fail and the following error message appears:
"Propagation failed on one or more servers."
[#LC7428]
T his fix addresses an issue with Firefox. For more information, see Knowledge Center article CT X221551.
[#LC7473]
Universal Print Server
Client
T he print spooler service might become unresponsive and, as a result, Universal Printing does not work. T he issue occurs
when a timeout is reached while waiting for a transaction response from the spooler service.
[#LC5209]
VDA for Desktop OS
HDX 3D Pro
When using the HDX 3D Pro agent on the VDA, two rows of pixels might be missing when starting a new desktop
session.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.27
[#LC6409]
Printing
Printer redirection might fail intermittently.
[#LC5320]
Security Issues
T his fix updates an internal VDA component.
[#LC6904]
Session/Connection
When you log on to a VDA where a user profile does not exist, a black screen might appear after the Windows Welcome
screen is displayed for a period of time before the logon completes.
[#LC2397]
When you attempt to send video in a Cisco WebEx meeting by using a webcam through Citrix Receiver for Mac, the
Cisco WebEx meeting might exit unexpectedly.
[#LC5518]
When reading a file from a mapped client drive, the old, cached file length might be returned if the file length was
changed outside of the client session. Additionally, null characters are inserted for any deleted characters.
To enable the fix, set the following registry value to "0":
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\services\picadm\Parameters
Name: CacheT imeout
Type: REG_DWORD
Value: Default value is 60 seconds. If CacheT imeOut is set to "0," the file length is reloaded immediately and if not it is
loaded after the defined timeout.
[#LC6314]
With local app access enabled, using the interactive logon disclaimer policy might result in a black or gray screen lasting
for 45 seconds.
[#LC6518]
T he server idle timer does not reset for iOS devices with the multi-touch feature enabled.
[#LC6743]
End User Experience Monitoring stops collecting metrics when the number of virtual channels exceeds 32.
Note: With this fix, the limit that is set for virtual channels is removed.
[#LC6768]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.28
With "Application Lingering" configured for the Delivery Group, published applications occasionally fail to appear when
you reconnect to a session.
[#LC7405]
T he window positions might not be retained when you reconnect to a published desktop session and are using multiple
monitors.
[#LC7644]
Smart Cards
Occasionally, removing a smart card reader might not trigger the user session to get locked, even though smart card
removal is configured to lock the user session.
[#LC7411]
System Exceptions
VDAs might experience a fatal exception, displaying a blue screen, on tdica.sys with bugcheck code 0x7E.
[#LC6553]
VDAs might experience a fatal exception, displaying a blue screen, on vd3dk.sys with bugcheck code 0X00000050.
[#LC6833]
VDAs can experience a fatal exception on wdica.sys, displaying a blue screen.
[#LC6883]
VDAs might experience a fatal exception, displaying a blue screen, on picadm.sys with bugcheck code 0x7F while shutting
down a session.
[#LC7545]
T he Service Host (svchost.exe) process might experience an access violation and exit unexpectedly. T he issue occurs
because of the faulting module, scardhook64.dll.
[#LC7580]
User Experience
T his fix provides improved support for sounds that play for a short period of time when using high quality audio.
Note:
T his fix does not take effect in sessions running on Windows Server 2008 R2.
For this fix to work, you must use Citrix Receiver 4.4 for Windows Long T erm Service Release (LT SR) CU5 or later
versions and the VDA version of XenApp and XenDesktop 7.6 LT SR CU4 or later.
[#LC5842]
T he USB device instance path might have additional characters at the end of the path name when the device is
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.29
redirected on Version 7.6.300 of the VDA. To change this behavior, add the Product ID (PID) or Vendor ID (VID) to the
following registry key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Services\icausbb\Parameters
Name: DeviceInstanceIDOption
Type: REG_DWORD
Value: 0 (default value), 1, 2.
If "DeviceInstanceIDOption" is configured to "0" (0 being the default value), devices whose VID/PID pairs are
configured to "UsingSerialNumberDevices" use the serial number as the instance ID. Other devices use
"serial_number+Bus_number+port_number" as the instance ID.
If "DeviceInstanceIDOption" is configured to "1," devices whose VID/PID pairs are configured to
"UsingSerialNumberDevices" use "serial_number+Bus_number+port_number" as the instance ID. Other devices use the
serial number as the instance ID.
If "DeviceInstanceIDOption" is configured to "2," all devices use the serial number as the instance ID.
All other values are invalid and treated as "0."
[#LC6212]
Sessions might become unresponsive when playing videos in a web browser.
[#LC6259]
In a multi-monitor environment, define the external monitor as the "Main Display" of Windows and position it to the
right of the secondary laptop or tablet monitor in the display settings of the Control Panel. When you start a published
application that appears on the external monitor and move this application to the tablet monitor or a laptop that is
attached to the external monitor, opening or closing the lid of the tablet or a laptop can cause the published application
to become black.
To enable the fix, you must set the following registry key value on the VDA:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\Ica\T hinwire
Name: EnableDrvTw2NotifyMonitorOrigin
Type: REG_DWORD
Value: 1 (to enable) and 0 (to disable; 0 is the default value). By default, the registry value is missing.
[#LC7760]
User Interf ace
When using the Connection Center to log off from a seamless session with unsaved data, a black window appears with
the following message:
"Programs still need to close" - with the two options - "Force Logoff " or "Cancel." T he "Cancel" option does not work.
After installing this fix, the Cancel option works as designed.
[#LC6075]
URL shortcut icons might be displayed as blank when using a touch-optimized desktop.
[#LC6663]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.30
Miscellaneous
Attempts to reconnect to a disconnected desktop session might fail.
[#LC6677]
T he SHAppBarMessage API with the "ABM_GET STAT E" message might not return the correct value when executed in a
seamless session.
[#LC7579]
VDA for Server OS
Printing
Printer redirection might fail intermittently.
[#LC5320]
Session/Connection
When you log on to a VDA where a user profile does not exist, a black screen might appear after the Windows Welcome
screen is displayed for a period of time before the logon completes.
[#LC2397]
When you attempt to send video in a Cisco WebEx meeting by using a webcam through Citrix Receiver for Mac, the
Cisco WebEx meeting might exit unexpectedly.
[#LC5518]
T he VDA for Server OS might become unresponsive at the "Welcome" screen for about two minutes during the logon
process. T he issue occurs when you configure the last interactive logon information through Active Directory Group
Policy Object (GPO).
[#LC5709]
An additional published application window might open when reconnecting to a session.
[#LC5786]
T he VDA for Server OS can become unresponsive. As a result, user sessions might fail to log off.
[#LC6117]
When reading a file from a mapped client drive, the old, cached file length might be returned if the file length was
changed outside of the client session. Additionally, null characters are inserted for any deleted characters.
To enable the fix, set the following registry value to "0":
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\services\picadm\Parameters
Name: CacheT imeout
Type: REG_DWORD
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.31
Value: Default value is 60 seconds. If CacheT imeOut is set to "0," the file length is reloaded immediately and if not it is
loaded after the defined timeout.
[#LC6314]
Microsoft Internet Explorer 11 might not use the virtual IP loopback address assigned to that session.
[#LC6622]
T he server idle timer does not reset for iOS devices with the multi-touch feature enabled.
[#LC6743]
End User Experience Monitoring stops collecting metrics when the number of virtual channels exceeds 32.
Note: With this fix, the limit that is set for virtual channels is removed.
[#LC6768]
Active sessions might be disconnected on the XenApp servers when the Delivery Controller loses connectivity. T he issue
occurs when VDAs fails to track the status of sessions that move from "pre-launch" to "active" status correctly. As a
result, when the Delivery Controller is restarted, it attempts to clear the resources from the VDAs, and sessions in the
pre-launch status are disconnected or logged off while the applications are being actively used.
[#LC6819]
When you launch a session in windowed mode in a published desktop and span the desktop through six monitors or
more, the taskbar or the screen might become gray.
[#LC6862]
After setting Google Chrome as the default browser, Microsoft Internet Explorer might continue to be the default
browser when you click URLs within applications.
[#LC6948]
With the Electrolysis (e10s) feature enabled, the 64-bit version of Mozilla Firefox might exit unexpectedly. For more
information, see Knowledge Center article CT X224067.
[#LC6982]
With "Application Lingering" configured for the Delivery Group, published applications occasionally fail to appear when
you reconnect to a session.
[#LC7405]
System Exceptions
Certain third-party applications might fail to start in an RDP session.
[#LC4141]
T he service host process (Svchost.exe) that hosts Terminal Services might exit unexpectedly. T he issue occurs because of
the faulting module, RPM.dll.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.32
[#LC6277]
VDAs might experience a fatal exception, displaying a blue screen, on tdica.sys with bugcheck code 0x7E.
[#LC6553]
VDAs can experience a fatal exception on wdica.sys, displaying a blue screen.
[#LC6883]
VDAs might experience a fatal exception, displaying a blue screen, on picadm.sys with bugcheck code 0x7F while shutting
down a session.
[#LC7545]
T he Service Host (svchost.exe) process might experience an access violation and exit unexpectedly. T he issue occurs
because of the faulting module, scardhook64.dll.
[#LC7580]
User Experience
T his fix provides improved support for sounds that play for a short period of time when using high quality audio.
Note:
T his fix does not take effect in sessions running on Windows Server 2008 R2.
For this fix to work, you must use Citrix Receiver 4.4 for Windows Long T erm Service Release (LT SR) CU5 or later
versions and the VDA version of XenApp and XenDesktop 7.6 LT SR CU4 or later.
[#LC5842]
T he USB device instance path might have additional characters at the end of the path name when the device is
redirected on Version 7.6.300 of the VDA. To change this behavior, add the Product ID (PID) or Vendor ID (VID) to the
following registry key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Services\icausbb\Parameters
Name: DeviceInstanceIDOption
Type: REG_DWORD
Value: 0 (default value), 1, 2.
If "DeviceInstanceIDOption" is configured to "0" (0 being the default value), devices whose VID/PID pairs are
configured to "UsingSerialNumberDevices" use the serial number as the instance ID. Other devices use
"serial_number+Bus_number+port_number" as the instance ID.
If "DeviceInstanceIDOption" is configured to "1," devices whose VID/PID pairs are configured to
"UsingSerialNumberDevices" use "serial_number+Bus_number+port_number" as the instance ID. Other devices use the
serial number as the instance ID.
If "DeviceInstanceIDOption" is configured to "2," all devices use the serial number as the instance ID.
All other values are invalid and treated as "0."
[#LC6212]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.33
Sessions might become unresponsive when playing videos in a web browser.
[#LC6259]
In a multi-monitor environment, define the external monitor as the "Main Display" of Windows and position it to the
right of the secondary laptop or tablet monitor in the display settings of the Control Panel. When you start a published
application that appears on the external monitor and move this application to the tablet monitor or a laptop that is
attached to the external monitor, opening or closing the lid of the tablet or a laptop can cause the published application
to become black.
To enable the fix, you must set the following registry key value on the VDA:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\Ica\T hinwire
Name: EnableDrvTw2NotifyMonitorOrigin
Type: REG_DWORD
Value: 1 (to enable) and 0 (to disable; 0 is the default value). By default, the registry value is missing.
[#LC7760]
User Interf ace
When using the Connection Center to log off from a seamless session with unsaved data, a black window appears with
the following message:
"Programs still need to close" - with the two options - "Force Logoff " or "Cancel." T he "Cancel" option does not work.
After installing this fix, the Cancel option works as designed.
[#LC6075]
URL shortcut icons might be displayed as blank when using a touch-optimized desktop.
[#LC6663]
Miscellaneous
T he SHAppBarMessage API with the "ABM_GET STAT E" message might not return the correct value when executed in a
seamless session.
[#LC7579]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.34
Cumulative Update 3 (CU3)
Jan 27, 20 17
Release date: January 2017
Cumulative Update 3 (CU3) provides updates to 10 baseline components of the original 7.6 LT SR.
Issues fixed since XenApp and XenDesktop 7.6 LT SR CU2
Known issues in this release
Downloads
Download LT SR CU3 (XenApp)
Download LT SR CU3 (XenDesktop)
New deployments
How do I deploy CU3 from scratch?
You can set up a brand-new XenApp or XenDesktop environment based on CU3 - using the CU3 metainstaller.* Before you
do that, we recommend that you familiarize yourself with the product:
Peruse the XenApp and XenDesktop 7.6 Long Term Service Release documentation and pay close attention to
the Technical Overview, New Deployments, and Security sections before you start planning your deployment. Make sure
your setup meets the system requirements for all components. Follow New Deployments for deployment instructions.
* Note: Provisioning Services and Session Recording are available as separate downloads and installers.
Existing deployments
What do I update?
CU3 provides updates to 10 baseline components of 7.6 LT SR. Remember: Citrix recommends that you update all LT SR
components of your deployment to CU3. For example: If Provisioning Services is part of your LT SR deployment, update the
Provisioning Services component to CU3. If Provisioning Services is not part of your deployment, you do not need to install
or update it.
Since the 7.6 LT SR release, we have added a metainstaller that lets you update the existing components of your LT SR
environment from a unified interface. Following the Upgrade instructions, use the metainstaller to update the LT SR
components of your deployment.
Note
T he following information is specific to the CU3 release. For the equivalent information for the LT SR base release, CU1, or CU2, see
the respective documentation.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.35
LTSR Baseline Components
Version
Notes
VDA for Desktop OS
7.6.3000
Special rules apply for Windows 10.
See CU3 compatible components
and platforms.
VDA for Server OS
7.6.3000
Delivery Controller
7.6.3000
Citrix Studio
7.6.3000
Citrix Director
7.6.3000
Group Policy Management Experience
2.5.3000
StoreFront
3.0.3000
Provisioning Services
7.6.4
Special rules apply for Windows 10.
See CU3 compatible components
and platforms.
Universal Print Server
7.6.3000
Only Windows 2008 R2 SP1
Windows 2012
Windows 2012 R2 supported
Session Recording
7.6.3000
Platinum Edition only
LTSR CU3 compatible components
T he following components are recommended for use in 7.6 LT SR CU3 environments. T hese components are not eligible for
the LT SR benefits (extended lifecycle and fix-only cumulative updates). Citrix might ask you to upgrade to a newer version
of these components within your 7.6 LT SR environments.
Note about Windows 10: Regular support for Windows 10 is available through the Current Release path. Windows 10
does not get the full set of 7.6 LT SR benefits. For deployments that include Windows 10 machines, Citrix recommends that
you use the Current Release Version 7.9 or later of the VDA for Desktop OS and of Provisioning Services.
For more information, see Adding Windows 10 Compatibility to XenApp and XenDesktop 7.6 LT SR and the XenApp and
XenDesktop Servicing Options (LT SR) FAQ.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.36
Version
LTSR CU3 Compatible Components and Platf orms
Profile Management
5.6
AppDNA
7.12
License Server
11.14.0 Build 18001
HDX RealT ime Optimization Pack
2.2
Windows 10
VDA: Version 7.9 or later
Provisioning Services: Version 7.9 or later
Compatible versions of Citrix Receiver
For ease of maintenance, and to ensure optimal performance, Citrix recommends that you upgrade to the latest version of
Citrix Receiver any time it becomes available. T he latest versions are available for download
at https://www.citrix.com/downloads/citrix-receiver.html. For your convenience, consider subscribing to the Citrix Receiver
RSS feed to receive a notification when a new version of Citrix Receiver becomes available.
Note that Citrix Receiver is not eligible for the XenApp and XenDesktop LT SR benefits (extended lifecycle and fix-only
cumulative updates). Citrix may ask you to upgrade to a newer version of Citrix Receiver within your 7.6 LST R environments.
In the case of Citrix Receiver for Windows, Citrix has announced a special LT SR program. More information on that program
is available on the Lifecycle Milestones for Citrix Receiver page.
Specifically, LT SR supports the following versions of Citrix Receiver and all later versions:
LTSR Compatible Versions of Citrix Receiver
Version
Citrix Receiver for Windows
4.4 or later
Citrix Receiver for Linux
13.4 or later
Citrix Receiver for Mac
12.4 or later
Citrix Receiver for Chrome
2.2 or later
Citrix Receiver for HT ML5
2.2 or later
Citrix Receiver for iOS
7.1.2 or later
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.37
Citrix Receiver for Android
3.9.3 or later
LTSR notable exclusions
T he following features, components, and platforms are not eligible for LT SR lifecycle milestones and benefits. Specifically,
cumulative updates and extended lifecycle benefits are excluded. Updates to excluded features and components will be
available through regular current releases.
Excluded Features
Local App Access
Framehawk
Excluded Components
Linux VDA
Personal vDisk
Excluded Windows Platf orms*
Windows 2008 32-bit (for Universal Print Server)
* Citrix reserves the right to update platform support based on third party vendors’ lifecycle milestones.
Install and upgrade analytics
When you use the full-product installer to deploy or upgrade XenApp or XenDesktop components, anonymous information
about the installation process is gathered and stored on the machine where you are installing/upgrading the component.
T his data is used to help Citrix improve its customers' installation experiences. For more information, see
http://more.citrix.com/XD-INSTALLER.
XenApp 6.5 migration
T he XenApp 6.5 migration process helps you more efficiently and quickly transition from a XenApp 6.5 farm to a Site running
XenApp 7.6 (or a later supported release). T his is helpful in deployments that contain large numbers of applications and
Citrix group policies, lowering the risk of inadvertently introducing errors when manually moving applications and Citrix group
policies to the new XenApp Site.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.38
After you install the XenApp 7.6 core components and create a Site, the migration process follows this sequence:
Run the XenApp 7.6 installer on each XenApp 6.5 worker, which automatically upgrades it to a new Virtual Delivery Agent
for Windows Server OS for use in the new Site.
Run PowerShell export cmdlets on a XenApp 6.5 controller, which exports application and Citrix policy settings to XML
files.
Edit the XML files, if desired, to refine what you want to import to the new Site. By tailoring the files, you can import
policy and application settings into your XenApp 7.6 Site in stages: some now and others later.
Run PowerShell import cmdlets on the new XenApp 7.6 Controller, which import settings from the XML files to the new
XenApp Site.
Reconfigure the new Site as needed, and then test it.
For more information, see Migrate XenApp 6.x.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.39
Fixed issues
May 0 9, 20 17
XenApp/XenDesktop 7.6 LT SR Cumulative Update 3 contains all fixes that were included in XenApp and XenDesktop 7.6
LT SR, Cumulative Update 1, Cumulative Update 2, plus the following, new fixes:
Citrix Director
User name searches in Citrix Director might return a list of users listed in Citrix Director unrelated to the search.
[#LC5415]
When using Firefox 41 or later, user names are displayed with a percent-encoded space (i.e. User%20Name).
[#LC6240]
Citrix Studio
If a user logs onto a physical Remote PC console within 30 seconds after booting up, the "Current User" becomes a dash
within Citrix Studio and the user cannot connect to the Remote PC ICA session.
[#LC5408]
T he XenDesktop console consumes high amounts of CPU when searching for users.
[#LC5691]
Controller
When attempting to create network resources that contain a pipe symbol ("|"), connections to the hypervisor might fail
with the following error message:
"Cannot connect to server"
[#LC4933]
If there is any failure in storage repository when copying over to a Machine Creation Services virtual machine, the copy
displays as successful despite the copy failing.
[#LC5430]
Machine Creation Services does not recognize the "Allow migration to a Virtual Machine Host with a different processor
version" setting during set up.
[#LC5885]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.40
VDAs might get stuck in initializing state after the DDCs are rebooted.
[#LC6264]
Monitor data grooming always starts at 0:00 UTC. With this fix, monitor data grooming starts at 0:00 in local time.
[#LC6275]
When a high number of anonymous users attempt to launch apps/VDAs concurrently, the broker service loses
connectivity with the database server.
[#LC6320]
When you set the working directory for a published application, the setting might not be reflected in the published
application that is launched in Connection Leasing mode.
[#LC6397]
T he SQL database connectivity might time out on the Controller when the load is high. Extreme blocking is observed on
the SQL server and the Site might become inaccessible.
[#LC6616]
Provisioning Services
Console
When using a virtual machine to provision virtual machines from a template using a SCVMM cluster, the wizard fails to
create the virtual machines after clicking Finish.
[#LC5871]
T he XenDesktop Setup Wizard might not perform a full permission check, causing errors in permissions.
[#LC6190]
Server
PVS servers occasionally appear with the status "Server Unreachable" in the Replication Status window.
[#LC5683]
When using a virtual machine to provision virtual machines from a template using a SCVMM cluster, the wizard fails to
create the virtual machines after clicking Finish.
[#LC5871]
When the target device's boot.iso code receives an ARP request that has been sent with a broadcast destination, the
target device's boot.iso code sends an invalid ARP reply.
[#LC6099]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.41
T he XenDesktop Setup Wizard might not perform a full permission check, causing errors in permissions.
[#LC6190]
Soapserver might consume more than 13GB of RAM during usage.
[#LC6199]
Target Device
T his fix addresses a security vulnerability. For more information, see Knowledge Center article CT X219580.
[#LC6200, #LC6201, #LC6202, #LC6203, #LC6204]
T he bnistack error "[MIoWorkerT hread] I/O Stream Socket UNAVAILABLE - not counting retry," event ID 85, floods the
event viewer while the connection to the PVS server is lost.
[#LC6449]
Session Recording (Player)
When you try to play back a recording made with a version of Citrix Receiver that is newer than the version of Session
Recording, a message appears, indicating that the file cannot be played back. With this fix, even files recorded with a
newer version of Citrix Receiver can be played back.
[#LC6503]
StoreFront
StoreFront does not recognize the correct client IP address even though the proxy server sends the "x-forwarded-for"
header in the request.
[#LC5797]
When using a Microsoft browser, there might be a latency delay when entering a search term in the browser.
[#LC6324]
After installing StoreFront 3.0.1000 or 3.0.2000, the management console fails to start and the following error message
appears: "T he Management console is unavailable because of a root certificate missing, go to verisign and download the
certificate - Verisign class primary CA - G5." For more information, see Knowledge Center article CT X218815.
[#LC6471]
Upgrading StoreFront to version 3.0.2000 from version 2.5 fails with Error 1603. For more information, see Knowledge
Center article CT X220411.
[#LC6816]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.42
Universal Print Server
Attempts to print from Microsoft Internet Explorer might fail with the following error message when using the Citrix
Universal Print Driver:
"T here was an internal error and Internet Explorer is unable to print this document."
[#LC4472]
VDA for Desktop OS
Printing
T he Citrix Printer Manager Service (Cpsvc.exe) might exit unexpectedly with an access violation error.
[#LC4665]
T he XenApp session printers might not be mapped correctly. For example, create two printers on a print server with
identical names and add one additional character at the end of any one of the printer name. If you create a session
printer policy with these two printers and log on to a VDA, only one printer might be mapped.
[#LC6385]
Seamless Windows
With Excelhook enabled, minimizing and then restoring an Excel workbook can cause the Excel window to lose focus.
[#LC6637]
Server/Site Administration
T he link to \Device\MUP on VDA for Desktop OS for 32-bit systems might be missing. As a result, the anti-virus software
working as a mini driver might not scan the files on the mapped drive.
[#LC6041]
Session/Connection
Attempts to append data to files on a mapped client drive might fail when the files are opened by users with write-only
permissions. T he issue occurs when running the PowerShell command "get-process | out-file -filepath
"\\client\c$\temp\proclist.txt" -Append" for the second time.
[#LC3895]
If another process holds the same lock as picadm.sys, users cannot log off from the session and the session remains in a
disconnected state.
[#LC4415]
When transitioning from a user to console session on a remote PC, certain connection properties might not get
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.43
updated.
[#LC5139]
Client Drive Mapping returns corrupted file path information when an application attempts to enumerate files.
[#LC5163]
When sessions connected through the Cisco WAAS Gateway attempt to transfer files of large size due to buffer
overflow on the VDA side, the VDA might exit unexpectedly.
[#LC5371]
If the Client USB device redirection rules policy contains more than 1,000 characters, all USB drives are redirected, even if
there is a deny rule for the device.
[#LC5457]
Attempts to open a file might fail when there is an open handle that is overwritten. As a result, the file gets locked by
the process.
[#LC5657]
When switching between full-screen and windowed mode in published seamless applications, the applications might
become unresponsive if any one of the applications is in the unresponsive state.
[#LC5774]
If you power off or force a remote PC to restart while in a user session, all audio drivers might be disabled when the
restart completes.
[#LC6009]
With the Citrix policy "Auto Client Reconnect" set to "Prohibited," attempts to launch VM Hosted Apps might fail.
[#LC6103]
After upgrading to XenApp and XenDesktop 7.6 Long Term Service Release, copy and paste functionality might not
work.
[#LC6114]
When you attempt to download a file by using Citrix Receiver for HT ML5, the download window might not be correctly
focused. As a result, you cannot select the file that is to be downloaded. As a workaround, minimize the main application
window to view the download window from Citrix Receiver for HT ML5.
[#LC6167]
T his enhancement enables the Citrix Device Redirector service to write event logs related to USB rules and activities.
[#LC6243]
If you power off or force a remote PC to restart while in a user session, all audio drivers might be disabled when the
restart completes.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.44
[#LC6322]
Smart Cards
In a configuration where Citrix Receiver for iOS is used to launch desktop sessions to a remote PC, when you log on to
StoreFront using an explicit username and password and then attempt to log on locally with a smart card to the physical
remote PC, the logon attempt might fail in one of the following two ways:
Microsoft Windows recognizes that there is a smart card logon option, but the "Insert a smart card" prompt does not
disappear even though the smart card is properly inserted.
Microsoft Windows does not list a smart card logon option, even though the smart card reader is attached and the
smart card is properly inserted.
[#LC5997]
System Exceptions
XenApp servers can experience a fatal exception, displaying a blue screen with stop check code 0x0000000A.
[#LC5917]
VDAs can experience a fatal exception on wdica.sys, displaying a blue screen.
[#LC5938]
Citrix Audio Service (CtxAudioService.exe) might exit unexpectedly.
[#LC6323]
User Experience
When attempting to record video using OneNote, webcam redirection fails, causing recording to fail.
[#LC5205]
User Interf ace
If you remove the Microsoft PinYin Input Method Editor (IME) from the server IME language bar in a user session and
then log off, the Pinyin IME still appears in the server IME language bar.
[#LC6517]
VDA for Server OS
Printing
T he Citrix Printer Manager Service (Cpsvc.exe) might exit unexpectedly with an access violation error.
[#LC4665]
T he XenApp session printers might not be mapped correctly. For example, create two printers on a print server with
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.45
identical names and add one additional character at the end of any one of the printer name. If you create a session
printer policy with these two printers and log on to a VDA, only one printer might be mapped.
[#LC6385]
Seamless Windows
With Excelhook enabled, minimizing and then restoring an Excel workbook can cause the Excel window to lose focus.
[#LC6637]
Session/Connection
T his fix addresses the improper handling of command line parameters from within published desktops as in the following
example:
If you run "C:\Program Files (x86)\Citrix\system32\iexplore.exe" -noframemerging http://www.google.com, Internet
Explorer misinterprets the parameter and resolves the URL as http://-noframemerging%20http//www.google.com.
[#LC3660]
Attempts to append data to files on a mapped client drive might fail when the files are opened by users with write-only
permissions. T he issue occurs when running the PowerShell command "get-process | out-file -filepath
"\\client\c$\temp\proclist.txt" -Append" for the second time.
[#LC3895]
In XenApp 7.6.300, users with limited visibility to apps in a multi-forest environment might not be able to launch apps.
[#LC4374]
If another process holds the same lock as picadm.sys, users cannot log off from the session and the session remains in a
disconnected state.
[#LC4415]
Client Drive Mapping returns corrupted file path information when an application attempts to enumerate files.
[#LC5163]
Attempts to reconnect to a session can fail intermittently and cause the VDAs for Server OS to go into "Initializing"
status.
[#LC5250]
COM port mapping can intermittently fail upon reconnection when the group policy calculation is disabled in the registry.
[#LC5274]
When sessions connected through the Cisco WAAS Gateway attempt to transfer files of large size due to buffer
overflow on the VDA side, the VDA might exit unexpectedly.
[#LC5371]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.46
If the Client USB device redirection rules policy contains more than 1,000 characters, all USB drives are redirected, even if
there is a deny rule for the device.
[#LC5457]
T he VDAs for Server OS might display the VDA's status as "initializing" rather than "registered." During that time, no new
sessions are brokered for that VDA.
[#LC5621]
Attempts to open a file might fail when there is an open handle that is overwritten. As a result, the file gets locked by
the process.
[#LC5657]
When switching between full-screen and windowed mode in published seamless applications, the applications might
become unresponsive if any one of the applications is in the unresponsive state.
[#LC5774]
After upgrading to Hotfix Rollup Pack 7, copy and paste functionality might not work.
[#LC6114]
When you attempt to download a file by using Citrix Receiver for HT ML5, the download window might not be correctly
focused. As a result, you cannot select the file that is to be downloaded. As a workaround, minimize the main application
window to view the download window from Citrix Receiver for HT ML5.
[#LC6167]
T his enhancement enables the Citrix Device Redirector service to write event logs related to USB rules and activities.
[#LC6243]
T he following warning message might appear in the system event log when launching XenApp 7.6 Long Term Service
Release Cumulative Update 2 VDA for Server OS or the previous versions:
"An attempt to connect to the SemsService has failed with error code 0x2."
[#LC6311]
After upgrading to XenApp 7.6 Long Term Service Release Cumulative Update 1 or Cumulative Update 2, the "/appvve"
switch for App-V application might not take effect.
[#LC6398]
System Exceptions
T he Service Host (svchost.exe) process that is registered with Terminal Services might exit unexpectedly on RPM.dll while
accessing an invalid address location.
[#LC5696]
XenApp servers can experience a fatal exception, displaying a blue screen with stop check code 0x0000000A.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.47
[#LC5917]
VDAs can experience a fatal exception on wdica.sys, displaying a blue screen.
[#LC5938]
T he Service Host (svchost.exe) process that is registered with Terminal Services might exit unexpectedly on RPM.dll.
[#LC6461]
User Experience
When attempting to record video using OneNote, webcam redirection fails, causing recording to fail.
[#LC5205]
User Interf ace
If you remove the Microsoft PinYin Input Method Editor (IME) from the server IME language bar in a user session and
then log off, the Pinyin IME still appears in the server IME language bar.
[#LC6517]
Virtual Desktop Components - Other
Provisioned machines can lose their AD trust and VDAs fail to register. T he issue occurs after you update Microsoft
Windows 8 (and later versions) machine catalogs created through Machine Creation Services by using a master image or
virtual machine that is different from the one used for creation of the catalog.
[#LC3874]
Machine Creation Services (MCS) created machines do not honor machine account password GPOs, causing passwords
on the MCS machines to not reset.
[#LC4440]
T he Activity Manager in Director might fail to show certain applications that are running for some users.
[#LC6235]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.48
Cumulative Update 2 (CU2)
Jan 25, 20 17
Release date: September 30, 2016
Cumulative Update 2 (CU2) provides updates to 10 baseline components of the original 7.6 LT SR.
Issues fixed since XenApp and XenDesktop 7.6 LT SR CU1
Known issues in this release
Downloads
Download LT SR CU2 (XenApp)
Download LT SR CU2 (XenDesktop)
New deployments
How do I deploy CU2 from scratch?
You can set up a brand-new XenApp or XenDesktop environment based on CU2 - using the CU2 metainstaller.* Before you
do that, we recommend that you familiarize yourself with the product:
Peruse the XenApp and XenDesktop 7.6 Long Term Service Release documentation and pay close attention to
the Technical Overview, New Deployments, and Security sections before you start planning your deployment. Make sure
your setup meets the system requirements for all components. Follow New Deployments for deployment instructions.
* Note: Provisioning Services and Session Recording are available as separate downloads and installers.
Existing deployments
What do I update?
CU2 provides updates to 10 baseline components of 7.6 LT SR. Remember: Citrix recommends that you update all LT SR
components of your deployment to CU2. For example: If Provisioning Services is part of your LT SR deployment, update the
Provisioning Services component to CU2. If Provisioning Services is not part of your deployment, you do not need to install
or update it.
Since the 7.6 LT SR release, we have added a metainstaller that lets you update the existing components of your LT SR
environment from a unified interface. Following the Upgrade instructions, use the metainstaller to update the LT SR
components of your deployment.
Note
T he following information is specific to the CU2 release. For the equivalent information for the LT SR base release or CU1, see the
respective documentation.
LTSR Baseline Components
https://docs.citrix.com
Version
Notes
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.49
VDA for Desktop OS
7.6.2000
Special rules apply for Windows 10.
See CU2 compatible components
and platforms.
VDA for Server OS
7.6.2000
Delivery Controller
7.6.2000
Citrix Studio
7.6.2000
Citrix Director
7.6.2000
Group Policy Management Experience
2.5.2000
StoreFront
3.0.2000
Provisioning Services
7.6.3
Special rules apply for Windows 10.
See CU2 compatible components
and platforms.
Universal Print Server
7.6.2000
Only Windows 2008 R2 SP1
Windows 2012
Windows 2012 R2 supported
Session Recording
7.6.1000
Platinum Edition only
CU2 compatible components
T he following components are recommended for use in 7.6 LT SR CU2 environments. T hese components are not eligible for
the LT SR benefits (extended lifecycle and fix-only cumulative updates). Citrix may ask you to upgrade to a newer version of
these components within your 7.6 LT SR environments.
Note about Windows 10: Regular support for Windows 10 is available through the Current Release path. Windows 10
does not get the full set of 7.6 LT SR benefits. For deployments that include Windows 10 machines, Citrix recommends that
you use the Current Release Version 7.9 or later of the VDA for Desktop OS and of Provisioning Services.
For more information, see Adding Windows 10 Compatibility to XenApp and XenDesktop 7.6 LT SR and the XenApp and
XenDesktop Servicing Options (LT SR) FAQ.
LTSR CU2 Compatible Components and Platf orms
Version
Profile Management
5.5
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.50
AppDNA
7.6.5
License Server
11.14.0 Build 17005
HDX RealT ime Optimization Pack
2.1.1
Windows 10
VDA: Version 7.9 or later
Provisioning Services: Version 7.9 or
later
Compatible versions of Citrix Receiver
For ease of maintenance, and to ensure optimal performance, Citrix recommends that you upgrade to the latest version of
Citrix Receiver any time it becomes available. T he latest versions are available for download
at https://www.citrix.com/downloads/citrix-receiver.html. For your convenience, consider subscribing to the Citrix Receiver
RSS feed to receive a notification when a new version of Citrix Receiver becomes available.
Note that Citrix Receiver is not eligible for the XenApp and XenDesktop LT SR benefits (extended lifecycle and fix-only
cumulative updates). Citrix may ask you to upgrade to a newer version of Citrix Receiver within your 7.6 LST R environments.
In the case of Citrix Receiver for Windows, Citrix has announced a special LT SR program. More information on that program
is available on the Lifecycle Milestones for Citrix Receiver page.
Specifically, LT SR supports the following versions of Citrix Receiver and all later versions:
LTSR Compatible Versions of Citrix Receiver
Version
Citrix Receiver for Windows
4.4 or later
Citrix Receiver for Linux
13.4 or later
Citrix Receiver for Mac
12.3 or later
Citrix Receiver for Chrome
2.1 or later
Citrix Receiver for HT ML5
2.1 or later
Citrix Receiver for iOS
7.1.1 or later
Citrix Receiver for Android
3.9 or later
LTSR notable exclusions
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.51
T he following features, components, and platforms are not eligible for LT SR lifecycle milestones and benefits. Specifically,
cumulative updates and extended lifecycle benefits are excluded. Updates to excluded features and components will be
available through regular current releases.
Excluded Features
Local App Access
Framehawk
Excluded Components
Linux VDA
Personal vDisk
Excluded Windows Platf orms*
Windows 2008 32-bit (for Universal Print Server)
* Citrix reserves the right to update platform support based on third party vendors’ lifecycle milestones.
XenApp 6.5 migration
T he XenApp 6.5 migration process helps you more efficiently and quickly transition from a XenApp 6.5 farm to a Site running
XenApp 7.6 (or a later supported release). T his is helpful in deployments that contain large numbers of applications and
Citrix group policies, lowering the risk of inadvertently introducing errors when manually moving applications and Citrix group
policies to the new XenApp Site.
After you install the XenApp 7.6 core components and create a Site, the migration process follows this sequence:
Run the XenApp 7.6 installer on each XenApp 6.5 worker, which automatically upgrades it to a new Virtual Delivery Agent
for Windows Server OS for use in the new Site.
Run PowerShell export cmdlets on a XenApp 6.5 controller, which exports application and Citrix policy settings to XML
files.
Edit the XML files, if desired, to refine what you want to import to the new Site. By tailoring the files, you can import
policy and application settings into your XenApp 7.6 Site in stages: some now and others later.
Run PowerShell import cmdlets on the new XenApp 7.6 Controller, which import settings from the XML files to the new
XenApp Site.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.52
Reconfigure the new Site as needed, and then test it.
For more information, see Migrate XenApp 6.x.
Support f or Citrix Connector 7.5
Citrix Connector 7.5 provides a bridge between Microsoft System Center Configuration Manager and XenApp or
XenDesktop, enabling you to extend the use of Configuration Manager to your Citrix environments. Citrix Connector 7.5
support now includes the Platinum editions of XenApp 7.6 and XenDesktop 7.6.
For information, see Citrix Connector 7.5 for System Center Configuration Manager 2012.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.53
Fixed issues
May 10 , 20 17
XenApp/XenDesktop 7.6 LT SR Cumulative Update 2 contains all fixes that were included in XenApp and XenDesktop 7.6 LT SR and Cumulative Update 1, plus the following, new fixes:
Citrix Director
When a user session is viewed in the HDX panel of Citrix Director, a priority warning might incorrectly appear for the audio virtual channel.
[#LC5564]
Citrix Policy
T he w3wp.exe process can consume 100% of the CPU.
[#LC4355]
Citrix Studio might allow policy filter editing for read-only administrators.
[#LC4801]
Citrix group policies stored in Active Directory are removed from the machine on the next GPO refresh or when you run GPUpdate /Force. T his issue occurs on VDA versions 7.6.300 and later.
[#LC5204]
T he following error message appears when opening the Citrix Studio and selecting the policy node:
"Changes made to policies outside of this console, such as in PowerShell or management tools from previous versions, resulted in a discrepancy between policies. T he assigned objects of policy
<policy name> must match. Object Delivery Group has assignments <assignment name> in the "user" component and <assignment name> in the "computer" component."
[#LC5510]
Citrix Studio
Citrix Studio does not receive logging entries while in the logging node when trying to retrieve large amounts of data.
[#LC5292]
Citrix Studio might show an incorrect message or prompt for a Site upgrade when a FlexCast Management Architecture service has been stopped or is unavailable.
[#LC5319]
Controller
When a large number of sessions are launched in a short time, Director might take a long time to show session information.
[#LC1617]
When using VMware ESXi 5.x or 6.0 to create MCS machines, occasionally the machine deployments are consolidated and cloned as a thick provisioned disk.
[#LC4655]
When the VDA is in maintenance mode, the Get-BrokerSession cmdlet might return the maintenance mode state of the Delivery Group instead of the individual machine.
[#LC4840]
Citrix Studio occasionally launches with the following error message: "Could not connect to broker service."
[#LC4854]
T his fix addresses an issue that prevents Machine Creation Services provisioning from working in Amazon Web Services when the Controller is isolated from Amazon's public API endpoints by way
of a web proxy.
[#LC5109]
Citrix Studio might show an incorrect message or prompt for a Site upgrade when a FlexCast Management Architecture service has been stopped or is unavailable.
[#LC5319]
HDX MediaStream Flash Redirection
With HDX MediaStream Flash Redirection enabled, Microsoft Internet Explorer might close unexpectedly when it runs pseudoserverinproc2.dll.
To enable the fix, create the following registry key:
On Windows 32-bit systems:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\HdxMediaStreamForFlash\Server\PseudoServer
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.54
Name: AllowCOMObjectT rack
T ype: DWORD
Value: 0
On Windows 64-bit systems:
HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer
Name: AllowCOMObjectT rack
T ype: DWORD
Value: 0
[#LC1885]
With HDX MediaStream Windows Media Redirection enabled, certain third party players might exit unexpectedly while rendering files on a VDA that is running on Windows 10.
[#LC5110]
Licensing
Site Setup in Citrix Studio might fail to proceed when choosing "Use an existing license." As a workaround, restart the Citrix Web Services for Licensing service on the license server to complete its
configuration.
[#630814]
Provisioning Services
Console
T arget Device
Server
Console
When expanding Sites, the PVS console occasionally times out.
[#LC4737]
T he XenDesktop Setup wizard does not use the template boot properties when creating targets. To enable the fix, create the following registry key:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ProvisioningServices
Name: UseTemplateBootOrder
Type: REG_DWORD
Data: 1
[#LC5237]
Server
T he number of target devices on the Provisioning Services Console might show less than the actual value after the database connection is lost and recovered.
[#LC4275]
Boot Device Manager target devices fail to acquire an IP address whereas PXE target devices acquire them successfully. T his happens because the DHCP Discover request sent by the Boot Device
Manager set the "Seconds Elapsed" value to 0. T he request is then dropped by IP Helper. T he "Seconds Elapsed" value is now set to 4 to avoid this problem.
[#LC4369]
If you change the MT U size to less than 1,500 byte, the bootstrap file fails to download and target devices fail to start using the Boot Device Manager (BDM). T his enhancement allows you to
lower the MT U size to less than 1,500 byte by setting the following registry key. T he enhancement is disabled by default:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\services\PVST SB\Parameters
Name: AllowMT UAdjust
Type: DWORD
Value: 1
[#LC4531]
When expanding Sites, the PVS console occasionally times out.
[#LC4737]
When attempting to import a new vDisk version of a VHDX file, the import fails and an error message appears that says the Manifest file is invalid.
[#LC4985]
T he Provisioning Server logs might show incorrect IP addresses for target devices.
[#LC5323]
T he following database access error might appear in the event viewer of the Provisioning Server:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.55
"DBAccess error: <Couldn't add record -- same fields as an existing record><-31749>."
T he issue occurs when multiple Provisioning Servers call a specific stored procedure simultaneously, causing conflicts between the calls to the stored procedure. As a result, an attempt to insert a
record with the same key value twice might occur.
[#LC5364]
Attempts to restart provisioned targets might fail intermittently because of a database timeout error. T he following error message might appear:
"T imeout expired. T he timeout period elapsed prior to completion of the operation or the server is not responding."
[#LC5511]
T he BNPXE Server that enables the target devices to start from the network binds to the IP address 127.0.0.1. T his prevents target devices from booting. T his issue can happen when BNPXE
enumerates the network interfaces, but the operating system has not discovered all the interfaces yet and only returns 127.0.0.1.
[#LC5916]
Attempts to start target devices might fail when using HP Moonshot systems.
[#LC6024]
Target Device
When creating a personal vDisk, a "Personal vDisk cannot start" error dialog appears after the machine is booted and a formatted disk cannot be used due to an "unknown format" error.
[#LC5935]
StoreFront
When using Windows Server 2008 R2, the Citrix StoreFront MMC might exit unexpectedly if you try to "Set Unified Experience as Default" in the Stores menu.
[#LC3614]
T his fix addresses issues with syncing changed subscription items from remote groups to local and back.
[#LC4690]
Setting the "Session T imeout" of Citrix Receiver for Web to more than 24 days causes a Session T imeout warning to appear immediately after logon.
[#LC4787]
T he Desktop Appliance Site does not launch the assigned desktop if the store is using Resources Aggregation.
[#LC4838]
With StoreFront 3.0.1, Workspace Control might not work when using Aggregation.
[#LC5042]
When using PowerShell script commands, the AllFailedBypassDuration setting is occasionally not applied.
[#LC5500]
If the "IncludedClientIPFilter" or "ExcludedClientIPFilter" options are enabled by the "Set-BrokerAccessPolicyRule" command, you might not be able to view resources such as shared resources,
published desktops, or published applications on StoreFront.
[#LC6058]
Universal Print Server
Client
Server
Client
T he NextGen application occasionally fails when trying to print to the Universal Print Server.
[#LC4246]
Server
T he Citrix XT E Server service (XT E.exe) can exit unexpectedly.
[#LC0759]
VDA for Desktop OS
Desktop Studio
https://docs.citrix.com
Session/Connection
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.56
HDX 3D Pro
Smart Cards
HDX MediaStream Windows Media Redirection
System Exceptions
Installing, Uninstalling, Upgrading
User Experience
Keyboard
User Interface
Printing
Printing
Printing
Desktop Studio
A logged off RDP session might appear as "Disconnected" in Citrix Studio and becomes unavailable for reconnection.
[#LC5427]
HDX 3D Pro
T he context menu might not display correctly on the desktop when the window is maximized.
[#LC5263]
HDX MediaStream Windows Media Redirection
With HDX MediaStream Windows Media Redirection enabled, certain third party players might exit unexpectedly while rendering files on a VDA that is running on Windows 10.
[#LC5110]
Installing, Uninstalling, Upgrading
Attempts to reconnect to a session from an endpoint with a different resolution can cause the VDA to exit unexpectedly and might result in a black or white window.
[#LC4606]
Keyboard
When upgrading from Version 5.4.400 to Version 7.6.300, the ICA Service\System32 directory is missing, and keyboard/mouse inputs fail to register in Mac clients.
[#LC4681]
Printing
When a default printer is not set, all mapped printers might fail in sessions.
[#LC4354]
With legacy printer names enabled, autocreated printers might not be available for use in a published application when multiple sessions are established on a single server for the same user.
[#LC4517]
T he "Auto-create client printers" policy might fail to set default printers correctly in a published application and Microsoft XPS Document Writer is set as the default printer.
[#LC4696]
Excel spreadsheets generated by SAP fail to print on printers redirected using the Universal Print Driver EMF driver.
[#LC4853]
After a user logs off and logs back on, printers connected to the session might not be accessible.
[#LC5188]
T he Print Preview on Client option within Citrix Universal Print Driver displays to the local end point.
[#LC5404]
Session/Connection
When resizing a reconnected session with a Citrix policy in place to prohibit session wallpaper and a Microsoft group policy in place that specified a wallpaper, the Citrix policy is not honored.
[#LC0115]
Information remains visible on the screen after the VDA goes into screen saver or power save mode, until the user provides input (mouse or keyboard) which updates the session with a blank
screen. T his occurs when screen savers and the power-save option in sessions are enabled by the DWORD value HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\Graphics\SetDisplayRequiredMode =
0.
[#LC1650]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.57
On systems with Hotfix ICAWS760WX86022 installed, attempts to reconnect to a user session might fail when you restart the Citrix ICA Service.
[#LC3714]
With this enhancement, an entry is written to the Windows Event log when a USB device is redirected in a session.
[#LC3996]
When you log on to a web interface that is configured for single sign-on using UPN credentials, the session window might appear for a while and then exit unexpectedly.
[#LC4035]
Using published instances of Microsoft Internet Explorer, attempts to download a file from a website and saving it to a mapped client drive ("Save as...") can fail.
[#LC4300]
Audio files might fail to play in a VDA session when connected through Citrix Receiver for Mac or a Chromebook.
[#LC4596]
After a network interruption between a VDA and Citrix Receiver, you cannot play back an .avi file on Windows Media Player.
[#LC4670]
When switching sessions between windowed and full-screen mode with legacy graphics mode enabled, the application windows running on the VDA might not retain the maximized state.
[#LC4693]
After upgrading a VDA from version 5.6.300, VDAs can become unresponsive.
[#LC4851]
T ime zone redirection might not work in user sessions running on iOS devices.
[#LC4869]
After using the Remote Desktop Protocol, the ICA session might display a grey screen when reconnecting to the VM. T his issue only occurs on VDAs installed with /NOCIT RIXWDDM.
[#LC4970]
A USB device might fail to work after it is redirected to Version 7.6.300 of the VDA. T he issue occurs when the instance ID of the device is different from the serial number.
To enable this fix, add the Product ID or Vendor ID pairs to the following registry key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Services\icausbb\Parameters
Name: UsingSerialNumberDevices
Type: REG_MULT I_SZ
Value: <Note: Next to the comments string, add the vid=xxxx and pid=xxxx pairs. (T he syntax for the value is an ordered list of case insensitive rules where "#" is a line comment and each rule is an
ordered vid and pid pair. For example, vid=#-number and pid=#-number. T he maximum hex value for a vid/pid is FFFF. If the length of a vid/pid hex value is less than 4, pair the number with zeroes (0).
For example, if the vid is 12 and pid is 13; the vid/pid pairs should be vid=0012, pid=0013. Each rule has a fixed length: 17, no spaces at the beginning or the end of the rule. Examples: #vid=FFFF,
#pid=FFFF #vid=0012, #pid=0013.)>
[#LC5035]
T he svchost.exe process can consume 100% of the CPU.
[#LC5041]
With Excelhook enabled and after applying hotfix ICAT S760WX64028, the Excel window does not minimize when clicking the Excel icon in the taskbar.
[#LC5060]
T he svchost.exe process might fail intermittently on SCardHook64.dll when a user is logging on or off and Certificate Propagation is active.
[#LC5083]
T his fix addresses an issue that breaks client-side fetching for DirectShow based applications, preventing videos from rendering.
[#LC5098]
T he operating system experiences an error on picadd.sys and a blue screen appears with bugcheck code 0xd5.
[#LC5134]
An external USB DVD drive that is mapped into a session as a mapped client drive can cause slow session performance.
[#LC5231]
COM port mapping can intermittently fail.
[#LC5235]
T he following counters in the performance monitor might display inconsistently.
- \ICA Session\Input Session Bandwidth
- \ICA Session\Output Session Bandwidth
T he issue occurs only when the count value is high.
[#LC5262]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.58
T he operating system experiences an error on picadd.sys and a blue screen appears with bugcheck code 0x3b.
[#LC5299]
T he VDA might become unresponsive at the "Welcome" screen due to a deadlock on picadm.sys.
[#LC5326]
Attempts to save a published Microsoft Excel spreadsheet to a Chromebook device might fail. T he issue occurs because the file extension is not present.
[#LC6001]
Smart Cards
T he Sign-in option does not appear on Version 7.6.300 and later VDAs running on Windows 10 Build 10586 and later. As a result, smart card logons are not possible.
[#LC4778]
When you allow your ICA session to be disconnected through an idle session timer and then log on to the Remote PC from the console, smart card logons no longer work. At times, the option to
see the smart card tile is missing, or the card is not detected.
[#LC5187]
XenDesktop smart card sessions might randomly disconnect.
[#LC5265]
Attempts to log on by using certain smart cards might result in the following error message:
"No valid certificates were found on this smart card.
Please try another smart card or contact your administrator."
[#LC5456]
System Exceptions
With Adobe Shockwave plugin installed on a machine catalog that is attached to a PVD, Microsoft Internet Explorer might exit unexpectedly in a user session.
[#LC4027]
T he operating system experiences an error on picadm.sys and a blue screen appears with bugcheck code 0x50.
[#LC4529]
T he operating system experiences an error on picadm.sys and a blue screen appears.
[#LC4567]
A non-handled exception copying from USB devices might cause the operating system to experience an error and a blue screen appears.
[#LC4782]
A published application process might exit unexpectedly with an exception "c000041d" on MobileDesktopHook64.dll.
[#LC4821]
When you log on to a VDA running on Windows Server 2008 R2 through a remote desktop and launch certain third-party applications, the applications might exit unexpectedly.
[#LC5891]
User Experience
When you switch from a touch-optimized published desktop to a regular published desktop, the Start button:
Does not highlight when you hover over it
Brings up the local desktop instead of the published desktop
[#LC3466]
Certain .wmv files might not play at the correct aspect ratio.
[#LC4695]
Customized functions for a 3Dconnexion SpaceMouse might not work in a VDA session.
[#LC4797]
Connecting to audio recording/dictation software during an ICA session might cause the software to exit unexpectedly.
[#LC5407]
User Interf ace
After publishing seamless applications, the generic Citrix Receiver icon may appear instead of the published app icon in the taskbar.
[#LC4757]
VDA for Server OS
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.59
HDX MediaStream Windows Media Redirection
Smart Cards
Keyboard
System Exceptions
Printing
User Experience
Server/Site Administration
User Interface
Session/Connection
HDX MediaStream Windows Media Redirection
With HDX MediaStream Windows Media Redirection enabled, certain third party players might exit unexpectedly while rendering files on a VDA that is running on Windows 10.
[#LC5110]
Keyboard
When upgrading from Version 5.4.400 to Version 7.6.300, the ICA Service\System32 directory is missing, and keyboard/mouse inputs fail to register in Mac clients.
[#LC4681]
T he Bloomberg keyboard is unable to be mapped within the VDA session even though it is allowed in the policy.
[#LC5360]
Printing
When a default printer is not set, all mapped printers might fail in sessions.
[#LC4354]
With legacy printer names enabled, autocreated printers might not be available for use in a published application when multiple sessions are established on a single server for the same user.
[#LC4517]
T he "Auto-create client printers" policy might fail to set default printers correctly in a published application and Microsoft XPS Document Writer is set as the default printer.
[#LC4696]
Excel spreadsheets generated by SAP fail to print on printers redirected using the Universal Print Driver EMF driver.
[#LC4853]
After a user logs off and logs back on, printers connected to the session might not be accessible.
[#LC5188]
T he Print Preview on Client option within Citrix Universal Print Driver displays to the local end point.
[#LC5404]
Server/Site Administration
T he changes made or values added to the registry key "HKEY_CURRENT _USER\Software\Microsoft\Internet Explorer\Main" created by the WfShell.exe process might not be preserved during
logoff.
[#LC4648]
Session/Connection
When resizing a reconnected session with a Citrix policy in place to prohibit session wallpaper and a Microsoft group policy in place that specified a wallpaper, the Citrix policy is not honored.
[#LC0115]
When exiting a 64bit T hinAPP packaged application, the application can experience an unexpected exception on sfrhook64.dll.
To prevent this, create following server-side registry key to resolve the issue:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\CtxHook\AppInit_Dlls\SfrHook
Name: SkipUnloadonProcessExit
Type: DWORD
Data: Any Value
[#LC3484]
On systems with Hotfix ICAWS760WX86022 installed, attempts to reconnect to a user session might fail when you restart the Citrix ICA Service.
[#LC3714]
With this enhancement, an entry is written to the Windows Event log when a USB device is redirected in a session.
[#LC3996]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.60
Using published instances of Microsoft Internet Explorer, attempts to download a file from a website and saving it to a mapped client drive ("Save as...") can fail.
[#LC4300]
In sessions on systems with Fix #LC1155 installed, an image display area inside a custom application is not resized properly if you resize the window manually.
[#LC4319]
Audio files might fail to play in a VDA session when connected through Citrix Receiver for Mac or a Chromebook.
[#LC4596]
After a network interruption between a VDA and Citrix Receiver, you cannot play back an .avi file on Windows Media Player.
[#LC4670]
T ime zone redirection might not work in user sessions running on iOS devices.
[#LC4869]
After using the Remote Desktop Protocol, the ICA session might display a grey screen when reconnecting to the VM. T his issue only occurs on VDAs installed with /NOCIT RIXWDDM.
[#LC4970]
A USB device might fail to work after it is redirected to Version 7.6.300 of the VDA. T he issue occurs when the instance ID of the device is different from the serial number.
To enable this fix, add the Product ID or Vendor ID pairs to the following registry key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Services\icausbb\Parameters
Name: UsingSerialNumberDevices
Type: REG_MULT I_SZ
Value: <Note: Next to the comments string, add the vid=xxxx and pid=xxxx pairs. (T he syntax for the value is an ordered list of case insensitive rules where "#" is a line comment and each rule is an
ordered vid and pid pair. For example, vid=#-number and pid=#-number. T he maximum hex value for a vid/pid is FFFF. If the length of a vid/pid hex value is less than 4, pair the number with zeroes (0).
For example, if the vid is 12 and pid is 13; the vid/pid pairs should be vid=0012, pid=0013. Each rule has a fixed length: 17, no spaces at the beginning or the end of the rule. Examples: #vid=FFFF,
#pid=FFFF #vid=0012, #pid=0013.)>
[#LC5035]
T he svchost.exe process can consume 100% of the CPU.
[#LC5041]
With Excelhook enabled and after applying hotfix ICAT S760WX64028, the Excel window does not minimize when clicking the Excel icon in the taskbar.
[#LC5060]
T he svchost.exe process might fail intermittently on SCardHook64.dll when a user is logging on or off and Certificate Propagation is active.
[#LC5083]
T his fix addresses an issue that breaks client-side fetching for DirectShow based applications, preventing videos from rendering.
[#LC5098]
Sessions might not disconnect, resulting in random VDA re-registrations.
[#LC5122]
T he operating system experiences an error on picadd.sys and a blue screen appears with bugcheck code 0xd5.
[#LC5134]
An external USB DVD drive that is mapped into a session as a mapped client drive can cause slow session performance.
[#LC5231]
COM port mapping can intermittently fail.
[#LC5235]
T he following counters in the performance monitor might display inconsistently.
- \ICA Session\Input Session Bandwidth
- \ICA Session\Output Session Bandwidth
T he issue occurs only when the count value is high.
[#LC5262]
T he operating system experiences an error on picadd.sys and a blue screen appears with bugcheck code 0x3b.
[#LC5299]
T he VDA might become unresponsive at the "Welcome" screen due to a deadlock on picadm.sys.
[#LC5326]
With Special Folder Redirection enabled, published applications might fail to launch and the following error message appears:
"T he Citrix server is unable to process your request to start this published application."
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.61
[#LC5593]
After upgrading a VDA from Version 7.6.300 to Version 7.6 LT SR Cumulative Update 1, launching of applications might be slow or can fail.
[#LC5661]
Attempts to save a published Microsoft Excel spreadsheet to a Chromebook device might fail. T he issue occurs because the file extension is not present.
[#LC6001]
Smart Cards
T he Sign-in option does not appear on Version 7.6.300 and later VDAs running on Windows 10 Build 10586 and later. As a result, smart card logons are not possible.
[#LC4778]
XenDesktop smart card sessions might randomly disconnect.
[#LC5265]
Attempts to log on by using certain smart cards might result in the following error message:
"No valid certificates were found on this smart card.
Please try another smart card or contact your administrator."
[#LC5456]
System Exceptions
T he operating system experiences an error on picadm.sys and a blue screen appears with bugcheck code 0x50.
[#LC4529]
T he operating system experiences an error on picadm.sys and a blue screen appears.
[#LC4567]
A non-handled exception copying from USB devices might cause the operating system to experience an error and a blue screen appears.
[#LC4782]
A published application process might exit unexpectedly with an exception "c000041d" on MobileDesktopHook64.dll.
[#LC4821]
When you log on to a VDA running on Windows Server 2008 R2 through a remote desktop and launch certain third-party applications, the applications might exit unexpectedly.
[#LC5891]
User Experience
When you switch from a touch-optimized published desktop to a regular published desktop, the Start button:
Does not highlight when you hover over it
Brings up the local desktop instead of the published desktop
[#LC3466]
Certain .wmv files might not play at the correct aspect ratio.
[#LC4695]
Connecting to audio recording/dictation software during an ICA session might cause the software to exit unexpectedly.
[#LC5407]
User Interf ace
After publishing seamless applications, the generic Citrix Receiver icon may appear instead of the published app icon in the taskbar.
[#LC4757]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.62
Cumulative Update 1 (CU1)
Feb 0 2, 20 17
Release date: May 26, 2016
XenApp and XenDesktop 7.6 LT SR Cumulative Update 1 (CU1):
fixes roughly 200 issues reported since 7.6 LT SR, for a total of over 330 issues since the release of XenApp and
XenDesktop 7.6
comes with a metainstaller that allows you to install most components from a single, unified interface
Note: Provisioning Services and Session Recording are available as separate downloads and installers
Issues fixed since XenApp and XenDesktop 7.6 LT SR
Issues fixed since XenApp and XenDesktop 7.6
Known issues in this release
New deployments
How do I deploy CU1 from scratch?
You can set up a brand-new XenApp/XenDesktop environment based on CU1 - using the CU1 metainstaller. Before you do
that, we recommend that you familiarize yourself with the product:
Peruse the XenApp and XenDesktop 7.6 Long Term Service Release section and pay close attention to the Technical
Overview, New Deployments, and Security sections before you start planning your deployment. Make sure your setup
meets the system requirements for all components. Follow New Deployments for deployment instructions.
Existing deployments
What do I update?
CU1 provides updates to 10 baseline components of 7.6 LT SR. Remember: Citrix recommends that you update all LT SR
components of your deployment to CU1. For example: If Provisioning Services is part of your LT SR deployment, update the
Provisioning Services component to CU1. If Provisioning Services is not part of your deployment, you do not need to install
or update it.
Since the 7.6 LT SR release, we have added a metainstaller that lets you update the existing components of your LT SR
environment from a unified interface. Following the Upgrade instructions, use the metainstaller to update the LT SR
components of your deployment.
Note
T he following information is specific to the CU1 release. For the equivalent information for the LT SR base release or CU2, see the
respective documentation.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.63
LTSR Baseline Components
Version
Notes
VDA for Desktop OS
7.6.1000
Special rules apply for Windows 10.
See CU1 compatible components
and platforms.
VDA for Server OS
7.6.1000
Delivery Controller
7.6.1000
Citrix Studio
7.6.1000
Citrix Director
7.6.1000
Group Policy Management Experience
2.5.1000
StoreFront
3.0.1000
Provisioning Services
7.6.2
Special rules apply for Windows 10.
See CU1 compatible components
and platforms.
Universal Print Server
7.6.1000
Only Windows 2008 R2 SP1
Windows 2012
Windows 2012 R2 supported
Session Recording
7.6.1000
Platinum Edition only
CU1 compatible components
T he following components are recommended for use in 7.6 LT SR CU1 environments. T hese components are not eligible for
the LT SR benefits (extended lifecycle and fix-only cumulative updates). Citrix may ask you to upgrade to a newer version of
these components within your 7.6 LT SR environments.
Note about Windows 10: Regular support for Windows 10 is available through the Current Release path. Windows 10
does not get the full set of 7.6 LT SR benefits. For deployments that include Windows 10 machines, Citrix recommends that
you use Version 7.9 of the VDA for Desktop OS and of Provisioning Services.
For more information, see Adding Windows 10 Compatibility to XenApp and XenDesktop 7.6 LT SR and the XenApp and
XenDesktop Servicing Options (LT SR) FAQ.
LTSR CU1 Compatible Components and Platf orms
https://docs.citrix.com
Version
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.64
Profile Management
5.4
AppDNA
7.6.5
License Server
11.13.1
HDX RealT ime Optimization Pack
2.0
Windows 10
VDA: Version 7.9
Provisioning Services: Version 7.9
Compatible versions of Citrix Receiver
For ease of maintenance, and to ensure optimal performance, Citrix recommends that you upgrade to the latest version of
Citrix Receiver any time it becomes available. T he latest versions are available for download
at https://www.citrix.com/downloads/citrix-receiver.html. For your convenience, consider subscribing to the Citrix Receiver
RSS feed to receive a notification when a new version of Citrix Receiver becomes available.
Note that Citrix Receiver is not eligible for the XenApp and XenDesktop LT SR benefits (extended lifecycle and fix-only
cumulative updates). Citrix may ask you to upgrade to a newer version of Citrix Receiver within your 7.6 LST R environments.
In the case of Citrix Receiver for Windows, Citrix has announced a special LT SR program. More information on that program
is available on the Lifecycle Milestones for Citrix Receiver page.
Specifically, LT SR supports the following versions of Citrix Receiver and all later versions:
LTSR Compatible Versions of Citrix Receiver
Version
Citrix Receiver for Windows
4.4 or later
Citrix Receiver for Linux
13.2.1 or later
Citrix Receiver for Mac
12.1 or later
Citrix Receiver for Chrome
1.8 or later
Citrix Receiver for HT ML5
1.8 or later
Citrix Receiver for iOS
6.1.1 or later
Citrix Receiver for Android
3.8 or later
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.65
LTSR notable exclusions
T he following features, components, and platforms are not eligible for LT SR lifecycle milestones and benefits. Specifically,
cumulative updates and extended lifecycle benefits are excluded. Updates to excluded features and components will be
available through regular current releases.
Excluded Features
Local App Access
Framehawk
Excluded Components
Linux VDA
Personal vDisk
Excluded Windows Platf orms*
Windows 2008 32-bit (for Universal Print Server)
* Citrix reserves the right to update platform support based on third party vendors’ lifecycle milestones.
XenApp 6.5 migration
T he XenApp 6.5 migration process helps you more efficiently and quickly transition from a XenApp 6.5 farm to a Site running
XenApp 7.6 (or a later supported release). T his is helpful in deployments that contain large numbers of applications and
Citrix group policies, lowering the risk of inadvertently introducing errors when manually moving applications and Citrix group
policies to the new XenApp Site.
After you install the XenApp 7.6 core components and create a Site, the migration process follows this sequence:
Run the XenApp 7.6 installer on each XenApp 6.5 worker, which automatically upgrades it to a new Virtual Delivery Agent
for Windows Server OS for use in the new Site.
Run PowerShell export cmdlets on a XenApp 6.5 controller, which exports application and Citrix policy settings to XML
files.
Edit the XML files, if desired, to refine what you want to import to the new Site. By tailoring the files, you can import
policy and application settings into your XenApp 7.6 Site in stages: some now and others later.
Run PowerShell import cmdlets on the new XenApp 7.6 Controller, which import settings from the XML files to the new
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.66
XenApp Site.
Reconfigure the new Site as needed, and then test it.
For more information, see Migrate XenApp 6.x.
Support f or Citrix Connector 7.5
Citrix Connector 7.5 provides a bridge between Microsoft System Center Configuration Manager and XenApp or
XenDesktop, enabling you to extend the use of Configuration Manager to your Citrix environments. Citrix Connector 7.5
support now includes the Platinum editions of XenApp 7.6 and XenDesktop 7.6.
For information, see Citrix Connector 7.5 for System Center Configuration Manager 2012.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.67
Issues fixed since XenApp and XenDesktop 7.6 LTSR
May 10 , 20 17
XenApp/XenDesktop 7.6 LT SR Cumulative Update 1 addresses the following issues reported since the release of XenApp
and XenDesktop 7.6 LT SR.
For a list of all issues fixed since the release of XenApp and XenDesktop 7.6, see Issues fixed since XenApp and XenDesktop
7.6.
Citrix Director
User name searches in Director can experience random delays of up to two minutes.
[#LC1250]
When attempting to export a large amount of data in PDF format, the server's CPU and memory consumptions can
approach 100% and the following error message appears:
"Action failed. Data source unresponsive or reported an error. View server event logs for further information."
T his fix introduces a configurable limit for the PDF export and as a result, at least a portion of the report can be
obtained.
After installing this fix, you must configure the web.config file in the wwwroot\Director folder as follows:
Add the following line to "appSettings" section:
<add key="UI.ExportPdfDrilldownLimit" value="100"/>
T he limit depends on the capability of the server, such as the memory size where the value specifies the count of rows in
the PDF report.
[#LC4108]
Attempts to export reports in any file format might fail with the following error message:
"Action failed. Unexpected server error. View server event logs for further information."
[#LC4281]
If a XenApp server has two IP addresses and the DNS server cannot resolve the first IP address, attempts to log on to
Citrix Director by an administrator might fail with the following error message:
"T he system is currently unavailable. Please try again later or contact your administrator."
[#LC4411]
When attempting to export a large amount of data in CSV format, a timeout can occur and the export might fail with
the following error message:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.68
"Action failed. Data source unresponsive or reported an error. View Director server event logs for further information."
T his fix lets you configure the timeout value for exporting data.
After installing the fix, you must configure the web.config file in the wwwroot\Director folder as follows:
Add the following line to "appSettings" section:
< add key="Connector.DataServiceContext.T imeout" value="3600" /> where the value specifies the timeout in seconds.
[#LC4467]
Selecting a user to display that user's session details can result in the user name that appears in the top left corner to
show as "NULL."
[#LC4589]
If the NetBios domain name contains an ampersand (&), shadowing from the Citrix Director console might fail. T his issue
occurs because the ampersand character is a reserved character in XML and can cause the parsing for the current logon
to fail.
[#LC4633]
Citrix Policy
T he Microsoft Management Console (MMC) fails if the "Console Root" is not selected in the navigation pane when
closing Desktop Studio.
[#LC1314]
T he Citrix Policy Engine might cause the server to become unresponsive. When this occurs, Citrix Receiver and RDP
connection requests fail.
[#LC1817]
With this enhancement, modeling reports created by the Citrix Group Policy Modeling wizard appear in Citrix Studio's
middle pane.
[#LC2189]
When adding or creating a Citrix Administrator in Citrix Studio with a user or group that contains an underscore in the
name, such as get\dl_lab_group, the first underscore does not appear in the details of the list of administrators. T he
name appears as dllab_group.
[#LC2284]
When running the Group Policy Modeling wizard on the policies node of AppCenter as a domain user, applied user and
computer policies might not be visible.
[#LC3284]
Citrix Director administrators might not be able to view Citrix policies in session details.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.69
[#LC3941]
Attempts to add multiple session printers to a group of user devices under the "Printer assignments" window fails to
expand and display the scrollbar. As a result, attempts to add multiple session printers to a group of user devices can fail.
[#LC4658]
Citrix Studio
T his fix addresses a security vulnerability. For more information, see Knowledge Center article CT X213045.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC0559]
T his fix addresses an issue that prevents members from being added to a Delivery Group if they belong to a domain
other than the one where Citrix Studio is located.
[#LC0955]
Applications that use App-V integration might not use the correct working directory.
[#LC1623]
Attempts to start App-V applications through Citrix Receiver may fail after upgrading to App-V 5.0 Service Pack 3.
[#LC1762]
When running a query in Citrix Studio that was saved with an "Is Empty" operator, that operator is replaced by the
default operator.
[#LC1940]
When you consolidate XenApp and XenDesktop licenses that have the same Subscription Advantage expiry dates into a
single license file, some XenApp licenses might be missing from the license information visible in Studio.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC2350]
T his fix addresses a memory leak in Citrix Studio that occurs while running App-V app discovery.
[#LC2559]
When using the Machine Creation Service to catalog VDAs for Server OS, unavailability of personal vDisk storage can
incorrectly set the "CleanOnBoot" property of the catalog to "False." As a result, the catalog might fail to update.
[#LC2959]
When two applications have the same ApplicationID, refreshing App-V applications can cause Citrix Studio to set the
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.70
App-V package name incorrectly.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC2969]
Citrix Studio might become unresponsive while closing PowerShell resources.
[#LC3612]
Creating multiple applications in multiple folders under Delivery Groups in Citrix Studio might result in a large folder
structure. T he first time you open Citrix Studio and click folders or applications, the folders or applications might be
dragged instead of being selected. T his moves the selected object and causes the folder or application structure to
change.
[#LC3705]
T he Add-XDController cmdlet does not assign full custom database connection strings to the Controller.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC3860]
Attempts to open Citrix Studio by users that are not members of the Database administrators user group can result in
permission errors on the SQL Server.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4127]
Attempts to provision additional resources to a multi-tenant offering in App Orchestration 2.6 can fail if the offering
already contains two or more tenants.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4170]
When multiple Citrix Studio sessions are open, policy changes made in one session can be lost and overwritten by those
made in another.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4487]
Controller
T his fix addresses a security vulnerability. For more information, see Knowledge Center article CT X213045.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.71
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC0559]
When two or more instances of event ID 3012 record in the event log, event IDs 3020 and 3021 also appear in the log
and the messages are incorrect. With this fix, if two or more instances of event ID 3012 record, then event IDs 3010 and
3011 correctly appear in the log.
[#LC1425]
T he error messages for event IDs 1110 and 1111 are incorrect in the event log. With this fix, the following correct
messages appear in the event log:
EventID:1110: T o avoid excessive event logging, the service is temporarily suppressing related messages (event IDs
1100-1109, 1112-1116).
EventID:1111: T he service is no longer suppressing related messages (event IDs 1100-1109, 1112-1116).
[#LC1485]
If the NetBios domain name contains an ampersand (&), attempts to start Citrix Studio fail with the error "You are not
authorized to perform this operation" with the code XDDS:72182E6B.
[#LC1646]
In some Active Directory organizational units (OUs), if the OU name contains a special character, the core services for
XenDesktop (such as AD Identity Service or Broker Service) might not be able to bind to the OU. T his can cause the CPU
usage to be higher than normal. Additionally, Citrix Studio might become inaccessible as the services might close
unexpectedly.
[#LC1979]
When using filtering by keywords for published applications, the workspace control might not work.
[#LC2025]
When you consolidate XenApp and XenDesktop licenses that have the same Subscription Advantage expiry dates into a
single license file, some XenApp licenses might be missing from the license information visible in Studio.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC2350]
A published application name that contains a trailing space can result in several issues. T hese issues occur when
generating browser names from the published name of the application that has truncated names containing a trailing
space.
[#LC2897]
When two applications have the same ApplicationID, refreshing App-V applications can cause Citrix Studio to set the
App-V package name incorrectly.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.72
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC2969]
When executing Set-BrokerDBConnection and related commands, the associated configuration logging entries in Citrix
Studio list the corresponding "Main Task" with a status of "In Progress," and the status is not updated when the task
completes.
[#LC3479]
After performing an upgrade to XenDesktop 7.6 using the local system account (typically used by Electronic Software
Distribution such as SCCM), the Analytics Service fails to start.
[#LC3493]
Performing a scheduled restart of a VDA for Server OS that is connected to a VMware Vsphere Hypervisor can cause
the server to shut down and remain in a powered off state.
T o enable the fix, set the following registry key:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\DesktopServer\RebootSchedule
Name: ShutdownT imeoutRecovery
T ype: DWORD
Value: 1
T o disable the fix, set the following registry key:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\DesktopServer\RebootSchedule
Name: ShutdownT imeoutRecovery
T ype: DWORD
Value: 0
After setting the value, you must restart the Broker Service.
[#LC3807]
T he Add-XDController cmdlet does not assign full custom database connection strings to the Controller.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC3860]
Attempts to open Citrix Studio by users that are not members of the Database administrators user group can result in
permission errors on the SQL Server.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4127]
Attempts to provision additional resources to a multi-tenant offering in App Orchestration 2.6 can fail if the offering
already contains two or more tenants.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.73
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4170]
When the setting "SupportMultipleForest" is enabled on the Controller to allow NT LM authentication, the Linux VDA
might fail to complete the registration process as its Service Principal Name (SPN) might not be set in the
EndpointReference of the Windows Communication Foundation (WCF).
[#LC4235]
If you create virtual machines (VMs) that are hosted on a VMware hypervisor, initial attempts to update or delete those
VMs from Citrix Studio can fail with an "Error ID XDDS:B125B84A," but subsequent attempts succeed.
[#LC4436]
When multiple Citrix Studio sessions are open, policy changes made in one session can be lost and overwritten by those
made in another.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4487]
When running the PowerShell command "Get-LogSummary" for a date range that encompasses a switch to or from
daylight saving time, the following error message appears:
"An item with the same key has already been added."
T he issue occurs when daylight saving time introduces ambiguous local dates or times. As a result, duplicate entries are
created in the HashMap and an exception occurs.
T his fix introduces a message to inform users to split the time span to account separately for the point in time when
daylight saving time begins or ends.
[#LC4612]
Attempts to update machine catalogs in Amazon Web Services (AWS) environments can fail intermittently. To enable the
fix, you must run the command, "Set-ProvServiceConfigurationData – Name
ImageManagementPrep_DoImagePreparation – Value $false" for the image preparation phase to be skipped during the
machine catalog update.
[#LC4709]
Controllers occasionally lose connectivity with the database when there is a high number of apps and VDA processes
running. When that happens, VDAs remain in the initialization state and applications are unavailable.
[#LC4848]
When there are too many hypervisor alerts, the SQL database server's CPU usage can reach 100%.
[#LC5277]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.74
Under high utilization conditions (more than 5,000 users launching numerous apps on numerous VDAs for Server OS
concurrently), the SQL database server's CPU usage can reach 100%, which causes outages and apps are unable to
launch.
[#LC5315]
HDX MediaStream Flash Redirection
If HDX MediaStream Flash Redirection is enabled, opening and closing multiple tabs in Internet Explorer with Flash
content can cause Internet Explorer to exit unexpectedly.
[#LC0375]
With HDX MediaStream for Flash enabled, opening and closing multiple tabs in Internet Explorer can cause Internet
Explorer to close unexpectedly.
[#LC1141]
When browsing websites with HDX MediaStream Flash Redirection enabled, the Flash redirection feature fails if the
registry value of HKEY_LOCAL_MACHINE\SOFT WARE\Microsoft\Windows NT \CurrentVersion\Windows\AppInit_DLLs
is set to just "mfaphook.dll" or "mfaphook64.dll" instead of the full path to "mfaphook.dll" or "mfaphook64.dll."
[#LC4388]
Installer
If you install version 7.6.300 of the VDA from the command line, the /noreboot switch - depending on its location in the
string of switches - is not being honored. As a result, the VDA restarts after the installation completes.
[#LC4046]
When installing a VDA, certain registry keys for performance might be installed even if you disable the "Optimize
Performance" option during installation.
[#LC4330]
Licensing
Citrix Studio displays the licensing models in Spanish for license servers set to a French system locale.
[#LC3450]
Provisioning Services
Console
https://docs.citrix.com
T arget Device
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.75
Server
Console
After installing Provisioning Services Console version 7.1.3, many .NET applications fail on Windows Server 2008 R2 and on
Windows 7.
[#LC1838]
T he XenDesktop Setup Wizard might fail to create machine when the VMware ESX host is in Maintenance Mode.
[#LC3401]
T he XenDesktop Setup Wizard might fail to honor the "Superseded" flag on the Personal vDisk storage of the hosting
unit.
[#LC3573]
When the Streamed VM Setup Wizard is running, enumerating templates on the VMware ESX cluster that contain many
hosts and data stores can take a long time to complete.
[#LC3674]
When mounting and unmounting vDisks, the SOAP service might become unresponsive and the Provisioning Services
Console might fail to start.
[#LC3723]
T he following error message can appear while creating machines using the Streamed VM Setup Wizard:
"Object reference not set to an instance of an object."
[#LC3811]
When a help desk administrator creates new virtual machines (VMs) from a standalone Provisioning Services Console
through the XenDesktop Setup wizard, attempts to start a target device from a BDM partition can fail and cause an
incorrect IP address for the logon server to appear.
[#LC3911]
Installing the Provisioning Services Console sets the following registry key to " 1." T his can cause other .NET applications
to try to use the wrong version of the Framework and possibly fail:
HKEY_LOCAL_MACHINE\SOFT WARE\Microsoft\.NET Framework
Name: OnlyUseLatestCLR
Type: REG_DWORD
Data: 1
[#LC4197]
Attempts to create virtual machines (VMs) by using the XenDesktop Setup wizard or the Streamed VM Setup wizard
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.76
might fail in a Microsoft System Center Virtual Machine Manager (SCVMM) environment. With this fix, the fully qualified
domain name (FQDN) of the host is used in the commands instead of short name.
[#LC4230]
T he XenDesktop Setup wizard might fail to create Provisioning Services target devices in System Center Virtual Machine
Manager (SCVMM) 2012 environments.
[#LC4256]
Attempts to connect to VMware Vsphere Hypervisor 5.1 by using the Streamed VM Setup wizard or the XenDesktop
Setup wizard fail if User1 and User2 are configured to use different ports.
To use a different port to connect to the VMware ESX server, you must create the following registry key:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ProvisioningServices\PlatformEsx
Name: Port
Type: DWORD
Value: <port_number>
[#LC4283]
SSL connections between the XenDesktop Setup wizard and XenServer fail.
[#LC4377]
T his is an enhancement to facilitate NIC teaming with the latest Mellanox NICs and firmware used in HP Moonshot
systems.
[#LC4646]
If the template created in System Center Virtual Machine Manager (SCVMM) has NICs on two different networks - for
example, NIC1 on network xxx and NIC2 on network yyy - the XenDesktop Setup wizard default behavior is to change
both NICs to the network of the host record (network zzz). For the NIC2 network to remain unchanged, after installing
this fix, set the following registry key:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ProvisioningServices\PlatformScvmm
Name: RequireMatchingNetworks
Type: REG_DWORD
Value: 1
[#LC4650]
Pressing "Ctrl+C" without any items selected, the Provisioning Services Console might exit unexpectedly with the
following error message:
"MMC has detected an error in a snap-in and will unload it."
Additionally, the issue can occur if the "Ctrl+C" key combination is automatically injected by certain third-party software.
[#LC4909]
Server
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.77
When using a BDM partition, target devices running on VMware do no attempt to log on to all servers in the list if the
top-most server is unreachable.
[#LC3805]
Attempts to mount a vDisk on a Provisioning Server fail unless the server has logical access to the vDisk.
[#LC3835]
When a help desk administrator creates new virtual machines (VMs) from a standalone Provisioning Services Console
through the XenDesktop Setup wizard, attempts to start a target device from a BDM partition can fail and cause an
incorrect IP address for the logon server to appear.
[#LC3911]
When exporting a vDisk by running the PowerShell command "Mcli-Run ExportDisk -p DiskLocatorName="DISK_NAME",
StoreName="STORE_NAME", SiteName="SIT E_NAME,"" a manifest file with multiple entries for each version of the
vDisk might be created. T he issue occurs when a vDisk with the same name is present in multiple Sites. T he number of
duplicate entries per version corresponds to the number of sites that have the vDisk.
[#LC4225]
Machine creation fails with the XenDesktop Setup wizard in SCVMM environments if there is a trailing backslash (\) at
the end of the VM storage path.
[#LC4418]
T his is an enhancement to facilitate NIC teaming with the latest Mellanox NICs and firmware used in HP Moonshot
systems.
[#LC4646]
If the template created in System Center Virtual Machine Manager (SCVMM) has NICs on two different networks - for
example, NIC1 on network xxx and NIC2 on network yyy - the XenDesktop Setup wizard default behavior is to change
both NICs to the network of the host record (network zzz). For the NIC2 network to remain unchanged, after installing
this fix, set the following registry key:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ProvisioningServices\PlatformScvmm
Name: RequireMatchingNetworks
Type: REG_DWORD
Value: 1
[#LC4650]
Target Device
Provisioning Services Target device installation on systems with ESX VMXNET 3 Nics requires Microsoft hotfix
https://support.microsoft.com/en-us/kb/2550978 or a superseding hotfix to be installed. With this fix, rather than
requiring KB2550978 explicitly, a warning message appears, advising administrators to make sure KB2550978 or a
superseding hotfix is installed.
[#LC3016]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.78
T he PVS Device Service (BNDevice.exe) might not start successfully when the service logon account is set to "Local
System," which is the default value.
[#LC3209]
T he logging level of some critical error logs that are related to Active Directory password change might not be set
correctly and as a result, the logs are not sent to the server for Citrix Diagnostic Facility tracing.
[#LC3803]
Automatic vDisk Updates do not run inventory updates on PvD enabled vDisks.
[#LC3997]
ESX target devices utilizing a VMXnet3 network driver can experience a fatal exception, displaying a blue screen when
using jumbo frames (frames with more than 1500 bytes of payload per frame).
[#LC4238]
Provisioned target devices have a 96 hour license grace period after which they shut down if no valid licenses are
available. With this enhancement, the licensing grace period for target devices is extended to 30 days (720 hours).
[#LC4645]
Session Recording
Agent
Player
Agent
With "Allow third party applications to record custom data on this VDA machine" enabled in the Session Recording Agent
properties, the Session Recording Agent Service running on a Japanese language Windows operating system might fail to
start and client sessions cannot be recorded.
[#LC3861]
Player
Recordings of Microsoft Paint sessions do not play back correctly in the Session Recording Player.
[#LC4389]
An error occurs when you play back a session that was recorded on a multiple-monitor user device.
[#LC4391]
StoreFront
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.79
T his fix addresses inconsistencies in the Japanese translation of the term "Classic" in the Management Console user
interface.
[#LC3607]
When you click to launch a second or subsequent application, one or more instances of the first application you started
can launch. T he issue occurs when using a version of Receiver other than Citrix Receiver for Web when multiple-site
aggregation is configured. An additional instance of the first application launches from each aggregated Site.
[#LC4278]
Customizations for published desktops you make in the default.ica file might not be honored. For example, you might
not be able to see the connection bar inside certain desktops even if you set "ConnectionBar=1."
[#LC4688]
In certain scenarios, StoreFront generates enumeration responses that contain duplicate resources. T his can cause
Receiver for Web to report a failure and the apps might fail to appear. T he issue occurs with one or more of the
following conditions:
A farm is referenced by more than one UserFarmMapping in a multi-Site configuration.
T he user belongs to Active Directory Groups wherein multiple UserFarmMapping are applied.
T he EquvalentFarmSets that contain farms have no aggregation group, or there is a Delivery Group with multiple
assignments for the user.
[#LC4863]
Universal Print Server
Client
Server
Client
Attempts to manage ports or printers on the remote print server from the Microsoft Print Management console on a
VDA for Server OS might fail with the following error message: "Failed to complete the operation. T his operation is not
supported." Also, when navigating to the Ports tab, ports might not be listed.
Additionally, when you right-click any printer and select "Open Printer Queue," the following error message might appear:
"Windows can't find the printer. Make sure the network is working and you've entered the name of the printer and print
server correctly."
To address this issue, delete the following registry key
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\Universal Printer" from the registry of the
VDA and restart the Print Spooler Service. T he ports are enumerated correctly in the Microsoft Print Management
Console and you can configure the ports and printers.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.80
[#LC3740]
Server
Batch printing using the Microsoft GDI Print API can fail to where the last page does not print, and the following error
message appears:
"Dispatch::CDriverTripSummary::PrintReport, Error Occured While Printing....Check Printer"
[#LC3920]
T his fix introduces support for Citrix UPS Print Driver Certification Tool for Universal Print Server 7.6.300. For more
information, see Knowledge Center article CT X142119.
[#LC4265]
VDA for Desktop OS
Content Redirection
Printing
HDX 3D Pro
Seamless Windows
HDX MediaStream Flash Redirection
Server/Site Administration
HDX MediaStream Windows Media Redirection
Session/Connection
Installing, Uninstalling, Upgrading
Smart Cards
Keyboard
System Exceptions
Logon/Authentication
Content Redirection
With content redirection enabled for Mailto links, Mailto links that contain commas fail to launch and the following error
message appears:
"Could not perform this operation because the default mail client is not properly installed."
T he issue does not occur in console or Remote Desktop sessions.
[#LC3701]
HDX 3D Pro
In HDX 3D Pro dual-monitor configurations, locking Windows on one monitor can fail to blank the screen on the second
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.81
monitor. T he issue occurs after disconnecting from a dual-monitor client session, then reconnecting from a single
monitor client, then disconnecting from the session, then reconnecting from the dual-monitor client.
[#LC3934]
T he mouse pointer might not assume the proper shape when the mouse is positioned at the edge of a Microsoft
Notepad application window.
To enable this fix, you must set the following registry key:
On 32-bit Windows:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\HDX3D
Name: EnableUnknownCursorHandling
T ype: REG_DWORD
Value: 1
On 64-bit Windows:
HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\HDX3D
Name: EnableUnknownCursorHandling
T ype: REG_DWORD
Value: 1
[#LC4160]
Attempts to resize the session screen resolution can fail intermittently, leaving the DesktopViewer window grayed out.
[#LC4261]
With HDX 3D Pro enabled, customized mouse pointers in 3D graphics rendering applications might appear incorrectly.
[#LC4713]
HDX MediaStream Flash Redirection
If HDX MediaStream Flash Redirection is enabled, opening and closing multiple tabs in Internet Explorer with Flash
content can cause Internet Explorer to exit unexpectedly.
[#LC0375]
With HDX Mediastream for Flash enabled, opening and closing multiple tabs in Internet Explorer can cause Internet
Explorer to close unexpectedly.
[#LC1141]
When browsing websites with HDX MediaStream Flash Redirection enabled, the Flash redirection feature fails if the
registry value of HKEY_LOCAL_MACHINE\SOFT WARE\Microsoft\Windows NT \CurrentVersion\Windows\AppInit_DLLs
is set to just "mfaphook.dll" or "mfaphook64.dll" instead of the full path to "mfaphook.dll" or "mfaphook64.dll."
[#LC4388]
HDX MediaStream Windows Media Redirection
In Receiver sessions, seeking forward in Windows Media Player while playing .MOD, ac3, and mpeg files might cause the
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.82
video to play without audio.
[#LC2768]
If you play an .avi file with Windows Media Player within an ICA session (or published desktop session) and then start
playing another .avi file without stopping the first one, the video frames might not be properly directed to the user
device. As a result, the CPU usage of the mmvdhost.exe process can be higher than normal and the video might not
render properly on the user device.
[#LC4260]
Installing, Uninstalling, Upgrading
After installing one or more of the following Microsoft Security Updates, attempts to log on to a XenDesktop VDA
7.6.300 or 7.7 running either version of Windows 10 fail. For more information, see Knowledge Center article CT X205398.
Windows 10 RTM (LT SB)
Windows 10 Version 1511 (Current Business
Branch)
Windows 10 Version 1511
(Updated Feb 2016)
https://docs.citrix.com
Security Updates
Release Date
KB3124266
January- 2016
KB3135174
February- 2016
KB3140745
March- 2016
KB3147461
April- 2016
KB3156387
May- 2016
KB3124263
January- 2016
KB3124262
January- 2016
KB3135173
February- 2016
KB3140768
March- 2016
KB3147458
April- 2016
KB3156421
May- 2016
Cumulative image inclusive of all updates
March- 2016
up to February 2016
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.83
Note: If you have installed any of the Microsof t Security Updates above:
If you have installed any of the Microsoft Security Updates above on a Windows 10 RT M (Build 10240) VDA or on a
Windows 10 Version 1511 (Build 10586.36) VDA and want to apply this update, do the following:
1. Reboot and log in to the Windows 10 VDA using Safe Mode.
2. Uninstall the Microsoft Security Updates above and reboot.
3. Install this update and reboot.
4. Install any applicable Microsoft Security Updates.
For new deployments of the 7.6.300 VDA on Windows 10 (RT M / Version 1511 / Version 1511 (Updated Feb 2016)), do
the following:
1. Prepare a Windows 10 (RT M / Version 1511 / Version 1511 (Updated Feb 2016)) image.
Caution: Installing the VDA and rebooting in the next step can place the machine into an unrecoverable state. It is
essential not to reboot after installing the VDA.
2. Install the 7.6.300 VDA and choose NOT to reboot.
3. Install this update and reboot.
[From DesktopVDACoreWX86_7_6_305, DesktopVDACoreWX64_7_6_305][#LC4604]
Keyboard
If you are in a Citrix GoToMeeting running inside a VDA session and are made presenter, your mouse pointer might start
to flicker. T his occurs when the "Legacy graphics mode" policy setting is disabled for the session.
[#LC3033]
Logon/Authentication
If the Windows Remote Desktop Session Host Configuration policy setting "Always prompt for password upon
connection" is enabled, when users log on to VDA 7.x by using the ICA protocol, users receive a prompt to enter their
credentials again.
To enable this fix, set the following registry key:
HKEY_LOCAL_MACHINE\Software\Citrix\Portica
Name: AutoLogon
Type: DWORD
Data: 0x00000001 (value must be between 1 and 2147483647)
Note: T he Citrix Display Drive can be marked for deletion if there are multiple attempts to run the MSP file. T his causes
the installation of the hotfix to fail. In addition, the display resolution of the VDA might not work. To allow this to work,
restart the VDA and then install the hotfix again.
[From DesktopVDACoreWX86_7_6_301, DesktopVDACoreWX64_7_6_301][#LC1180]
After installing Microsoft Hotfix KB3124266 (for Windows 10) or KB3124263 (for Windows 10 Version 1511), attempts to
log on to a XenDesktop VDA 7.6.300 or 7.7 running on Windows 10 might fail. For more information see, Knowledge
Center article CT X205398.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.84
Note: If you have already installed KB3124266 or KB3124263 and want to apply this update, do the following:
1. Reboot and log in to the Windows 10 machine using Safe Mode and uninstall KB3124266 or KB3124263
2. Reboot the Windows 10 machine and install this update.
3. Reinstall KB3124266 or KB3124263.
[From DesktopVDACoreWX86_7_6_304, DesktopVDACoreWX64_7_6_304][#LC4540]
Printing
T he Citrix Print Spooler Service might exit unexpectedly.
[From DesktopVDACoreWX86_7_6_307, DesktopVDACoreWX64_7_6_307][#LC4180]
Seamless Windows
Seamless applications can become unresponsive and their icon in the Windows taskbar reverts to the generic Citrix
Receiver icon.
[#LC3783]
When you close a seamless published application, the focus goes to another published application rather than honoring
windows in the typical Windows Z-order.
[#LC4009]
Server/Site Administration
When an administrator attempts to access a virtual machine from Hyper-V console, while there is a disconnected but
active session, a black screen appears, T he issue occurs in deployments that use XPDM drivers.
[#LC3536]
A VDA might stop accepting connections. After enabling the "Legacy graphics mode" policy, the VDA starts accepting
connections again.
[#LC3749]
When launching VM hosted apps, the Windows logon screen might appear before the app is fully launched. T his fix
introduces a 15-second grace period before the Welcome screen appears. It also provides support for the following
registry key that allows you to customize the duration of the grace period.
Note: During the grace period, there is no obvious indication to users that the app is launching. Configuring too high a
grace period can delay application launches and cause users to inadvertently launch apps multiple times.
To change the duration of the grace period, set the following registry key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Control\Citrix\wfshell\T WI
Name: LogonUIHideT imeout
Type: DWORD
Value: Any value greater than zero in milliseconds (for example, 20000 milliseconds for 20 seconds)
[#LC3828]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.85
Attempts to use the attrib command to change file attributes of files on mapped client drives might fail.
[#LC3958]
T he Output Session Bandwidth Performance Monitoring counter might report inconsistent values upon recording for a
long period of time.
[#LC4151]
If you are logging on to a Version 7.6.300 VDA with explicit credentials (username/password) and User Account Control
(UAC) enabled, and then attempt to authenticate to an application running in the session using a smart card, the
following error message might appear:
"An authentication error has occurred. No credentials are available in the security package."
[#LC4486]
Session/Connection
When multiple webcams or video capturing devices are installed on an endpoint, only one of the devices is mapped into
the client session. Additionally, the device is mapped as Citrix HDX Web Camera, leaving no obvious clue as to which of
the devices is mapped.
[#LC1919]
In sessions for which you enable Local App Access, the screensaver fails to get activated.
[#LC3182]
T he Citrix policy "View window contents while dragging" does not work correctly.
[#LC3552]
Disconnected sessions might remain open on a physical machine even after the time specified under "Disconnect session
timer interval" has passed.
To enable the fix, set the following registry keys:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\Portica
Name: ForceDisableRemotePC
Type: DWORD
Value: Any value greater than zero
[#LC3650]
If an endpoint loses network connectivity for several minutes, reconnection attempts can fail until the VDA is restarted.
[From DesktopVDACoreWX86_7_6_301, DesktopVDACoreWX64_7_6_301][#LC3700]
When logging on to a VDA after it is in an idle state for an extended period of time, the credentials might not be passed
through automatically to the logon screen upon reconnection and a prompt to enter the password appears on the
logon screen.
[From DesktopVDACoreWX86_7_6_309, DesktopVDACoreWX64_7_6_309][#LC3720]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.86
T he WFICA32.exe process might keep a file locked even after the file was closed by the associated published application.
As a result, the file cannot be edited for a while.
[#LC3724]
Certain third-party published applications might fail to start on XenApp servers. As a result, the wfshell.exe process might
close unexpectedly. When this error occurs, no indication that the session is starting or error messages appear on the
user device.
[#LC3766]
After undocking the T homson Reuters Eikon toolbar in a multiple monitor session, the space occupied by the toolbar is
not reclaimed by the session.
In monitor configurations where the primary monitor is not located in the top left corner of the array, you must also
install Fix #LC1599, which is included in Receiver for Windows 4.4 and later.
[#LC3773]
When the App-V configuration setting "EnablePublishingRefreshUI" is enabled on the session host and "Session
Lingering" is enabled as well, attempts to close an application on an iOS device can result in a black window that stays on
the device screen.
[#LC3800]
With the Citrix Windows XP Display Driver Model (XPDM) display driver enabled, the mouse shadow setting is always
enabled even though it is disabled in the Control Panel.
[From DesktopVDACoreWX86_7_6_302, DesktopVDACoreWX64_7_6_302][#LC3806]
With Excelhook enabled, minimizing and then restoring an Excel workbook can cause the Excel window to lose focus.
[#LC3873]
T he "Restrict session clipboard write" and "Restrict client clipboard write" policies do not work properly for sessions using
Citrix Receiver for Android. As a result, users can copy and paste content between the session and the user device
regardless of the configuration of those two policies.
[#LC3894]
When you attempt to reconnect to a disconnected session, a Windows lock screen appears with a set of keys but
without an option to enter your password. When you click "Other credentials," a second credentials icon appears that
allows you to enter the password and unlock the session.
[From DesktopVDACoreWX86_7_6_306, DesktopVDACoreWX64_7_6_306][#LC4053]
If you power off or force a remote PC to restart while in an ICA session, all audio drivers might be disabled when the
remote PC restart completes.
[#LC4071]
If you add a file to a user device folder while the associated published application is running and then try to open the file
from within the application, the file might not appear in the application's Open File Dialog - even after clicking the
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.87
refresh button.
[#LC4073]
T he VDA might become unresponsive at the "Welcome" screen due to a deadlock on picadm.sys.
[From DesktopVDACoreWX86_7_6_308, DesktopVDACoreWX64_7_6_308][#LC4195]
With Generic USB Redirection enabled, each time a generic redirected USB device is physically disconnected and
reconnected within a session, it is treated as a new device. As a result, each time you reconnect such a USB device, an
additional GUID is created for it.
[From DesktopVDACoreWX86_7_6_303, DesktopVDACoreWX86_7_6_303][#LC4259]
T LS connections between Citrix Receiver for Chrome and VDAs fail if all three of the following conditions are met:
Fix #LC2179 (Hotfix ICAWS760WX64032 or its replacement) is installed on the VDA
T he connection is configured to use SSL
T he Citrix Gateway Protocol (CGP) is disabled
[#LC4405]
After installing Hotfix ICAWS760WX64032 and enabling SSL, attempts to reconnect to a VDA might fail intermittently.
T he issue occurs if the Citrix ICA Service exits unexpectedly or becomes unresponsive as a result of an SSL Listener
failure.
[#LC4438]
Sessions running on Version 7.6.300 of the VDA for Desktop OS with RES Workspace Manager installed can become
unresponsive when roaming sessions between user devices.
[#LC4570]
Smart Cards
In Microsoft Internet Explorer, the user interface for smart card logons to certain websites can be intermittently
unavailable.
[#LC3988]
System Exceptions
On logon or changing display resolution, the Ctxgfx.exe process may enter a deadlock causing the Session to hang.
[#LC2410]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x20.
[#LC3473]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x00000050.
[#LC3921]
T he operating system experiences an error on ctxad.sys and a blue screen appears with bugcheck code 0xD1.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.88
[#LC4007]
After upgrading a VDA for Desktop or Server OS to Version 7.6.300, the Citrix Print Manager Service (CpSvc.exe) can exit
unexpectedly upon logoff.
[From DesktopVDACoreWX86_7_6_307, DesktopVDACoreWX64_7_6_307][#LC4102]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x000000C1.
[#LC4334]
When you repeatedly play an .avi file on Windows Media Player, the memory consumption of the wfica32.exe process
might continue to increase until the process exits unexpectedly.
[#LC4335]
VDAs can experience a fatal exception on picadd.sys, displaying a blue screen, upon logoff from a Citrix Receiver session.
[#LC4360]
VDAs can experience a fatal exception with bugcheck code 0x00000044 on ctxdvcs.sys and a blue screen appears.
[#LC4505]
If the registry key HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ICA\T hinwire\DisableOssForProcesses is defined,
attempts to restart the VDA and launch a published desktop can result in a blue screen.
[#LC4597]
VDA for Server OS
Content Redirection
Server/Site Administration
HDX MediaStream Windows Media Redirection
Session/Connection
Keyboard
Smart Cards
Printing
System Exceptions
Seamless Windows
User Experience
Content Redirection
Server to client content redirection fails for VDAs other than those running on Windows Server 2008 R2. As a result,
when you click a URL in a VDA session, the link opens in a browser running in the session rather than in a local browser.
[#LC2221]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.89
With content redirection enabled for Mailto links, Mailto links that contain commas fail to launch and the following error
message appears:
"Could not perform this operation because the default mail client is not properly installed."
T he issue does not occur in console or Remote Desktop sessions.
[#LC3701]
HDX MediaStream Windows Media Redirection
In Receiver sessions, seeking forward in Windows Media Player while playing .MOD, ac3, and mpeg files might cause the
video to play without audio.
[#LC2768]
If you play an .avi file with Windows Media Player within an ICA session (or published desktop session) and then start
playing another .avi file without stopping the first one, the video frames might not be properly directed to the user
device. As a result, the CPU usage of the mmvdhost.exe process can be higher than normal and the video might not
render properly on the user device.
[#LC4260]
Keyboard
If you are in a Citrix GoToMeeting running inside a VDA session and are made presenter, your mouse pointer might start
to flicker. T his occurs when the "Legacy graphics mode" policy setting is disabled for the session.
[#LC3033]
Printing
T he Citrix Print Spooler Service might exit unexpectedly.
[From ServerVDACoreWX64_7_6_304][#LC4180]
Seamless Windows
Seamless applications can become unresponsive and their icon in the Windows taskbar reverts to the generic Citrix
Receiver icon.
[#LC3783]
When you close a seamless published application, the focus goes to another published application rather than honoring
windows in the typical Windows Z-order.
[#LC4009]
Server/Site Administration
When launching VM hosted apps, the Windows logon screen might appear before the app is fully launched. T his fix
introduces a 15-second grace period before the Welcome screen appears. It also provides support for the following
registry key that allows you to customize the duration of the grace period.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.90
Note: During the grace period, there is no obvious indication to users that the app is launching. Configuring too high a
grace period can delay application launches and cause users to inadvertently launch apps multiple times.
To change the duration of the grace period, set the following registry key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Control\Citrix\wfshell\T WI
Name: LogonUIHideT imeout
Type: DWORD
Value: Any value greater than zero in milliseconds (for example, 20000 milliseconds for 20 seconds)
[#LC3828]
Attempts to use the attrib command to change file attributes of files on mapped client drives might fail.
[#LC3958]
Multiple, concurrent attempts to establish a Remote Desktop (RDP) connection to a VDA from separate user devices
can cause the VDA to unregister.
[#LC4014]
T he Output Session Bandwidth Performance Monitoring counter might report inconsistent values upon recording for a
long period of time.
[#LC4151]
When a VDA for Server OS is unregistered or the Citrix Desktop Service is disabled, even domain administrators cannot
log on to that VDA through a Remote Desktop (RDP) connection. While that behavior is as designed for nonadministrator roles, administrators are expected to be able to log on.
[#LC4290]
If you are logging on to a Version 7.6.300 VDA with explicit credentials (username/password) and User Account Control
(UAC) enabled, and then attempt to authenticate to an application running in the session using a smart card, the
following error message might appear:
"An authentication error has occurred. No credentials are available in the security package."
[#LC4486]
Live scrolling (the synced state of page scrolling and scrollbar motion) does not work in Excel spreadsheets. Version
7.6.300 of the VDA introduced Fix #LC2965, intended to address the issue. However, Fix #LC2965 does not fully resolve
the issue in all cases. T his Fix, #LC4579, ensures that the issue is corrected even on systems where Fix #LC2965 does not
work.
From the description of #LC2965:
Live scrolling (the synced state of page scrolling and scrollbar motion) does not work in Excel spreadsheets. The issue
occurs because the key and value in registry location HKEY_CURRENT_USER\Control
Panel\Desktop\UserPreferencesMask on the VDA are overwritten by the wfshell.exe process each time a user logs on to
the VDA. To prevent this, create the following registry key on the VDA and set the value to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.91
Name: EnableVisualEffect
Type: REG_DWORD
Value: 1
[#LC4579]
After installing Hotfix ICAT S760WX64022 (or its replacements), any new custom registry configuration under the registry
key HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\Graphics\ might not be retained when you restart the system.
[#LC4931]
Session/Connection
T he Source Network Address displays an incorrect IP address for remote user devices in the server's Windows Security
Log with EVENT ID 4624.
[#LC1352]
With the Client audio redirection or Windows Media Redirection policies disabled, the Volume control (Speaker) icon in
the notification area of a published desktop session can display an incorrect audio state.
[#LC2538]
In Citrix Receiver for Android published desktop sessions, attempts to open a Microsoft Outlook calendar invitation can
fail with the following error message:
"Cannot open item"
T he issue occurs with calendar invitation created by other users; invitations created by the same user are not affected.
[#LC2828]
In certain scenarios, the Client Printer Redirection and Citrix Group Policies' Access Control filters might fail to work while
logging on or reconnecting to a disconnected session.
[#LC3083]
In sessions for which you enable Local App Access, the screensaver fails to get activated.
[#LC3182]
T he WFICA32.exe process might keep a file locked even after the file was closed by the associated published application.
As a result, the file cannot be edited for a while.
[#LC3724]
Certain third-party published applications might fail to start on XenApp servers. As a result, the wfshell.exe process might
close unexpectedly. When this error occurs, no indication that the session is starting or error messages appear on the
user device.
[#LC3766]
After undocking the T homson Reuters Eikon toolbar in a multiple monitor session, the space occupied by the toolbar is
not reclaimed by the session.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.92
In monitor configurations where the primary monitor is not located in the top left corner of the array, you must also
install Fix #LC1599, which is included in Receiver for Windows 4.4 and later.
[#LC3773]
When the App-V configuration setting "EnablePublishingRefreshUI" is enabled on the session host and "Session
Lingering" is enabled as well, attempts to close an application on an iOS device can result in a black window that stays on
the device screen.
[#LC3800]
T he Service Host (svchost.exe) process that is registered with Terminal Services (TermService) might close unexpectedly
on RPM.dll while connecting to a server through an RDP session.
[#LC3808]
With Excelhook enabled, minimizing and then restoring an Excel workbook can cause the Excel window to lose focus.
[#LC3873]
Even with the Client audio redirection policy enabled, audio (.wav) files can fail to play. T he issue occurs in sessions where
the session ID is reused and the Client audio redirection policy was disabled for the previous session.
[#LC3882]
T he "Restrict session clipboard write" and "Restrict client clipboard write" policies do not work properly for sessions using
Citrix Receiver for Android. As a result, users can copy and paste content between the session and the user device
regardless of the configuration of those two policies.
[#LC3894]
When a connection to a Windows Server 2008 R2 VDA fails due to a license error, the error message "You cannot access
this session because no licenses are available" fails to appear.
[#LC4026]
If you add a file to a user device folder while the associated published application is running and then try to open the file
from within the application, the file might not appear in the application's Open File Dialog - even after clicking the
refresh button.
[#LC4073]
After logging off of a newly installed Feature Pack 3 VDA for Server OS (7.6.300), Citrix Studio might display that VDA's
status as "initializing" rather than "registered." During that time, no new sessions will be brokered for that VDA.
[#LC4188]
T he VDA might become unresponsive at the "Welcome" screen due to a deadlock on picadm.sys.
[From ServerVDACoreWX64_7_6_305][#LC4195]
With Generic USB Redirection enabled, each time a generic redirected USB device is physically disconnected and
reconnected within a session, it is treated as a new device. As a result, each time you reconnect such a USB device, an
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.93
additional GUID is created for it.
[From ServerVDACoreWX64_7_6_303][#LC4259]
COM port mapping can intermittently fail.
[#LC4267]
With Application Prelaunch enabled, a black window might appear temporarily on the user device. T he issue can occur
when you start Citrix Receiver without launching an application.
[#LC4280]
T he Citrix policy "View window contents while dragging" does not work correctly on published desktops. When you log
on to a VDA, windows content is displayed correctly. However, after you reconnect to a disconnected session, the
windows content is no longer displayed.
[#LC4301]
T LS connections between Citrix Receiver for Chrome and VDAs fail if all three of the following conditions are met:
Fix #LC2179 (Hotfix ICAT S760WX64032 or its replacement) is installed on the VDA
T he connection is configured to use SSL
T he Citrix Gateway Protocol (CGP) is disabled
[#LC4405]
When launching an application in a VDA 7.6.300 session, progress bar with the following message might appear for
several minutes before the application launches: "Please wait for Local Session Manager." In the meantime, the
application appears to be unresponsive even though it is launching correctly.
[#LC4406]
Certain applications in a user session might default to an incorrect input method. You can correct that behavior by
clearing the "Let me set a different input method for each app window" check box in various Control Panels. However,
the setting revert to the incorrect defaults when you reconnect to the session.
To keep the settings from reverting, set the following registry key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Control\Citrix
Name: ClientDataOption
Type: DWORD
Data: 2 (you can change the input method setting)
[#LC4416]
When connecting through the NetScaler Gateway, the SmartAccess Control filters might not be applied correctly.
[From ServerVDACoreWX64_7_6_307][#LC4503]
T he presence of non-ASCII characters in a published application path prevents the application from launching.
[#LC4595]
With the "Auto Client Reconnect" policy enabled, attempts to reconnect to a session can fail intermittently and cause
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.94
the VDA to reregister. T he following warning message appears:
"Event 1048, Citrix Desktop Service (Warning)
T he Citrix Desktop Service is re-registering with the DDC: "NotificationManager:NotificationServiceT hread: WCF failure
or rejection by broker (<DDC: DDC NAME >)""
[#LC4767]
Smart Cards
In Microsoft Internet Explorer, the user interface for smart card logons to certain websites can be intermittently
unavailable.
[#LC3988]
System Exceptions
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x20.
[#LC3473]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x00000050.
[#LC3921]
After upgrading a VDA for Desktop or Server OS to Version 7.6.300, the Citrix Print Manager Service (CpSvc.exe) can exit
unexpectedly upon logoff.
[From ServerVDACoreWX64_7_6_304][#LC4102]
T he Service Host (svchost.exe) process that is registered with Terminal Services (TermService) might exit unexpectedly.
[#LC4150]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x000000C1.
[#LC4334]
When you repeatedly play an .avi file on Windows Media Player, the memory consumption of the wfica32.exe process
might continue to increase until the process exits unexpectedly.
[#LC4335]
VDAs can experience a fatal exception on picadd.sys, displaying a blue screen, upon logoff from a Citrix Receiver session.
[#LC4360]
VDAs can experience a fatal exception with bugcheck code 0x00000044 on ctxdvcs.sys and a blue screen appears.
[#LC4505]
If the registry key HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ICA\T hinwire\DisableOssForProcesses is defined,
attempts to restart the VDA and launch a published desktop can result in a blue screen.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.95
[#LC4597]
User Experience
When attempting to move a Microsoft Excel window within a seamless, dual-monitor session, the window might
experience a delay while redrawing in the new location.
[#LC4441]
Virtual Desktop Components - Other
Attempts to start App-V applications through Citrix Receiver may fail after upgrading to App-V 5.0 Service Pack 3.
[#LC1762]
T he following error message might be incorrectly logged in the application log each time the Citrix Monitor Service starts
even though the service is working correctly:
"Error querying the Broker via GetBrokerObjects to obtain 'Controller Machine Details'"
[#LC2239]
Attempts to register a VDA set to a Turkish system locale can fail and produce a 1048 error.
[#LC2704]
If the Site data store is unavailable, reconnection attempts can fail even if the Controller is in leased connection mode.
[From BrokerAgentWX86_7_6_301, BrokerAgentWX64_7_6_301][#LC4077]
For users with non-persistent profiles, published App-V applications can take an excessive amount of time to launch on
machines with PowerShell 3.0 or later installed.
[#LC4147]
When attempting to end a process running in a user session from Citrix Director, the following error message can appear:
"Action failed. Data source unresponsive or reported an error. View server event logs for further information."
[#LC4384]
Applications that use App-V integration might fail to launch if the configured working directory does not exist.
[#LC4839]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.96
Issues fixed since XenApp and XenDesktop 7.6
Aug 19, 20 16
XenApp/XenDesktop 7.6 LT SR Cumulative Update 1 addresses the following issues reported since the release of XenApp
and XenDesktop 7.6.
For a list of all issues fixed since the release of 7.6 LT SR, see Issues fixed since 7.6 LT SR.
Citrix Director
User name searches in Director can experience random delays of up to two minutes.
[#LC1250]
When attempting to export a large amount of data in PDF format, the server's CPU and memory consumptions can
approach 100% and the following error message appears:
"Action failed. Data source unresponsive or reported an error. View server event logs for further information."
T his fix introduces a configurable limit for the PDF export and as a result, at least a portion of the report can be
obtained.
After installing this fix, you must configure the web.config file in the wwwroot\Director folder as follows:
Add the following line to "appSettings" section:
<add key="UI.ExportPdfDrilldownLimit" value="100"/>
T he limit depends on the capability of the server, such as the memory size where the value specifies the count of rows in
the PDF report.
[#LC4108]
Attempts to export reports in any file format might fail with the following error message:
"Action failed. Unexpected server error. View server event logs for further information."
[#LC4281]
If a XenApp server has two IP addresses and the DNS server cannot resolve the first IP address, attempts to log on to
Citrix Director by an administrator might fail with the following error message:
"T he system is currently unavailable. Please try again later or contact your administrator."
[#LC4411]
When attempting to export a large amount of data in CSV format, a timeout can occur and the export might fail with
the following error message:
"Action failed. Data source unresponsive or reported an error. View Director server event logs for further information."
T his fix lets you configure the timeout value for exporting data.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.97
After installing the fix, you must configure the web.config file in the wwwroot\Director folder as follows:
Add the following line to "appSettings" section:
< add key="Connector.DataServiceContext.T imeout" value="3600" /> where the value specifies the timeout in seconds.
[#LC4467]
Selecting a user to display that user's session details can result in the user name that appears in the top left corner to
show as "NULL."
[#LC4589]
If the NetBios domain name contains an ampersand (&), shadowing from the Citrix Director console might fail. T his issue
occurs because the ampersand character is a reserved character in XML and can cause the parsing for the current logon
to fail.
[#LC4633]
Citrix Policy
T he Microsoft Management Console (MMC) fails if the "Console Root" is not selected in the navigation pane when
closing Desktop Studio.
[#LC1314]
T he Citrix Policy Engine might cause the server to become unresponsive. When this occurs, Citrix Receiver and RDP
connection requests fail.
[#LC1817]
With this enhancement, modeling reports created by the Citrix Group Policy Modeling wizard appear in Citrix Studio's
middle pane.
[#LC2189]
When adding or creating a Citrix Administrator in Citrix Studio with a user or group that contains an underscore in the
name, such as get\dl_lab_group, the first underscore does not appear in the details of the list of administrators. T he
name appears as dllab_group.
[#LC2284]
When running the Group Policy Modeling wizard on the policies node of AppCenter as a domain user, applied user and
computer policies might not be visible.
[#LC3284]
Citrix Director administrators might not be able to view Citrix policies in session details.
[#LC3941]
Attempts to add multiple session printers to a group of user devices under the "Printer assignments" window fails to
expand and display the scrollbar. As a result, attempts to add multiple session printers to a group of user devices can fail.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.98
[#LC4658]
Citrix Studio
When you click the machine catalog in Desktop Studio, it might take a long time for the catalogs to appear. In addition,
the hosting information also takes a long time to appear.
[#LC0237]
T his fix addresses a security vulnerability. For more information, see Knowledge Center article CT X213045.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC0559]
Citrix Studio might not recognize Citrix Service Provider licenses and the following error message appears:
"Can't find a valid license"
[#LC0813]
With this enhancement, Citrix Studio shows the correct user assignment data when adding users from multiple sites in an
Active Directory (AD) domain.
[#LC0889]
T his fix addresses an issue that prevents members from being added to a Delivery Group if they belong to a domain
other than the one where Citrix Studio is located.
[#LC0955]
T he Microsoft Management Console (MMC) fails if the "Console Root" is not selected in the navigation pane when
closing Desktop Studio.
[#LC1314]
If the property of an application changes in the "Applications" window, the priority of the Delivery groups might change
to zero.
[#LC1489]
After changing the Web Interface port number, Desktop Studio might incorrectly open the License upgrade prompt.
[#LC1575]
Attempts to configure a new site by using the XenDesktop High Level Powershell SDK command "New-XDSite" without
configuring licensing and then following attempts to run the command "Get-XDSite" fail. T he error message "T he site
has upgrade steps remaining. Run Get-XDUpgradeStatus to find out the remaining steps" appears.
[#LC1612]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.99
Applications that use App-V integration might not use the correct working directory.
[#LC1623]
If the user configures the prelaunch and lingering sessions in Citrix Studio, the "MaxT imeBeforeDisconnect" property is
set to zero minutes instead of the default value 15 minutes.
[#LC1706]
Attempts to start App-V applications through Citrix Receiver may fail after upgrading to App-V 5.0 Service Pack 3.
[#LC1762]
After upgrading to XenDesktop 7.6, Desktop Studio might take about three or four minutes to show the catalogs or
Hosting information.
[#LC1851]
When a Delivery Controller goes offline or becomes otherwise unavailable, Citrix Studio might operate slowly.
[#LC1891]
Attempts to run the Create Catalog wizard can fail. T he issue occurs when one of the connected hypervisors is in
Maintenance Mode.
[#LC1916]
When running a query in Citrix Studio that was saved with an "Is Empty" operator, that operator is replaced by the
default operator.
[#LC1940]
Attempts to automatically upgrade a site from XenDesktop 7.5 to XenDesktop 7.6 might fail because the "binding"
property in Broker Service instances might not be compared correctly while checking between the new and already
existing instances. T his can result in a "service instance already registered" error. T he issue occurs when trying to register
the service endpoints without unregistering the existing endpoints.
[#LC2043]
After a successful XenDesktop upgrade from Version 5.x or 7.x to Version 7.6, the following error message might appear
when starting Studio:
"Upgrade remaining Delivery Controllers."
T his error message's details specify the license server name even though the delivery controller is not installed on the
license server.
[#LC2044]
Attempts to upgrade the site to the latest product version might fail. T he issue occurs when the "Set-ConfigSite"
commands fails to get the new upgraded value.
[#LC2047]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.100
When adding or creating a Citrix Administrator in Citrix Studio with a user or group that contains an underscore in the
name, such as get\dl_lab_group, the first underscore does not appear in the details of the list of administrators. T he
name appears as dllab_group.
[#LC2284]
In Delivery Groups, attempts to create an application folder that contains the word "Applications" can prevent the
creation of sub-folders.
[#LC2349]
When you consolidate XenApp and XenDesktop licenses that have the same Subscription Advantage expiry dates into a
single license file, some XenApp licenses might be missing from the license information visible in Studio.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC2350]
T his fix addresses a memory leak in Citrix Studio that occurs while running App-V app discovery.
[#LC2559]
When creating a custom role for administrators, the role is created with the following error message: "T he Given key was
not present in the dictionary." Additionally, when starting Desktop Studio for the first time by using an administrator
account, the same error message appears.
[#LC2680]
If the database owner is a group in Active Directory, attempts to remove XenDesktop Controller from a site can fail.
[#LC2912]
After installing Hotfix DStudio760WX86001 you might see an Access Denied error when trying to limit the visibility of
some applications to users.
T his issue is limited to environments with unidirectional trust relationships between domains.
[#LC2956]
Attempts to update a delivery group with multiple desktops by using commands or in Studio fails with the following error
messages:
Object reference not set to an instance of an object.
Error Id: XDDS:0E01FE12
[#LC2958]
When using the Machine Creation Service to catalog VDAs for Server OS, unavailability of personal vDisk storage can
incorrectly set the "CleanOnBoot" property of the catalog to "False." As a result, the catalog might fail to update.
[#LC2959]
When two applications have the same ApplicationID, refreshing App-V applications can cause Citrix Studio to set the
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.101
App-V package name incorrectly.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC2969]
T he existing user settings are deleted after editing the "Users" section on the "Machine allocation" page in the "Edit
Delivery Group." T he issue occurs when adding users manually or when importing a list of users from a Microsoft Excel
CSV file.
[#LC3267]
With this enhancement, the "Hosting Server Name" field is available in the Search views of "Desktop OS machines" and
"Server OS machines" in the Desktop Studio.
[#LC3343]
Citrix Studio might become unresponsive while closing PowerShell resources.
[#LC3612]
Creating multiple applications in multiple folders under Delivery Groups in Citrix Studio might result in a large folder
structure. T he first time you open Citrix Studio and click folders or applications, the folders or applications might be
dragged instead of being selected. T his moves the selected object and causes the folder or application structure to
change.
[#LC3705]
T he Add-XDController cmdlet does not assign full custom database connection strings to the Controller.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC3860]
Attempts to open Citrix Studio by users that are not members of the Database administrators user group can result in
permission errors on the SQL Server.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4127]
Attempts to provision additional resources to a multi-tenant offering in App Orchestration 2.6 can fail if the offering
already contains two or more tenants.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4170]
When multiple Citrix Studio sessions are open, policy changes made in one session can be lost and overwritten by those
made in another.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.102
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4487]
Controller
When you click the machine catalog in Desktop Studio, it might take a long time for the catalogs to appear. In addition,
the hosting information also takes a long time to appear.
[#LC0237]
When the user updates a catalog, the Configuration Logging reports that the "Update Machine Catalog" is successful
but one of the tasks in the Task Details view shows the message "Release the provisioning scheme" failed.
[#LC0518]
T his fix addresses a security vulnerability. For more information, see Knowledge Center article CT X213045.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC0559]
With this enhancement, Citrix Studio shows the correct user assignment data when adding users from multiple sites in an
Active Directory (AD) domain.
[#LC0889]
If the XenServer parameter "T imeOffSet" exists on the master image virtual machine (VM), creating the Machine
Creation Services (MCS) catalog fails. To check the existence of the parameter, in the XenServer console, run the
command "xe vm-list uuid= params=other-config". To resolve this issue, apply this hotfix or manually remove the
parameter by running the XenServer command "xe vm-param-remove uuid= param-name=other-config paramkey=timeoffset".
[#LC1071]
T he Monitoring Service prematurely deletes the application instance history after seven days instead of the default 90
days. T his occurs in XenDesktop and XenApp deployments with Platinum Edition licensing.
[#LC1129]
In Desktop Director, on the "Trends > Hosted Applications Usage" tab, the totals for each application do not equal the
sum total for all applications. T his occurs in environments running for seven days or longer.
[#LC1130]
If you create virtual machines (VM) with Desktop Studio that uses Machine Creation Services and the VMs are hosted on
a VMware hypervisor, attempts to update VMs that are part of the machine catalog fail. When this occurs, an error
appears in the Machine Creation log that the virtual disk does not exist, but the directory in the datastore does exist.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.103
[#LC1201]
In some Amazon Web Services environments, provisioning desktops with Machine Creation Services (MCS) might fail with
the error “No facility for disk upload”, even when the environment is configured correctly.
[#LC1295]
When provisioning VDAs by using the Machine Creation Service, the primary DNS suffix changes for the VDAs.
[#LC1300]
T he Microsoft Management Console (MMC) fails if the "Console Root" is not selected in the navigation pane when
closing Desktop Studio.
[#LC1314]
When two or more instances of event ID 3012 record in the event log, event IDs 3020 and 3021 also appear in the log
and the messages are incorrect. With this fix, if two or more instances of event ID 3012 record, then event IDs 3010 and
3011 correctly appear in the log.
[#LC1425]
T he error messages for event IDs 1110 and 1111 are incorrect in the event log. With this fix, the following correct
messages appear in the event log:
EventID:1110: T o avoid excessive event logging, the service is temporarily suppressing related messages (event IDs
1100-1109, 1112-1116).
EventID:1111: T he service is no longer suppressing related messages (event IDs 1100-1109, 1112-1116).
[#LC1485]
If a VDA in a shared delivery group is tagged and the tag is used as part of a policy filter, the policies are not applied to
other VDAs in the delivery group.
[#LC1506]
After changing the Web Interface port number, Desktop Studio might incorrectly open the License upgrade prompt.
[#LC1575]
Creating new catalogs fail after upgrading to XenDesktop 7.6 and if the master VM image contains a nested hardware
virtualization property that is enabled on VMware vSphere 5.1.
[#LC1586]
Attempts to configure a new site by using the XenDesktop High Level Powershell SDK command "New-XDSite" without
configuring licensing and then following attempts to run the command "Get-XDSite" fail. T he error message "T he site
has upgrade steps remaining. Run Get-XDUpgradeStatus to find out the remaining steps" appears.
[#LC1612]
If the NetBios domain name contains an ampersand (&), attempts to start Citrix Studio fail with the error "You are not
authorized to perform this operation" with the code XDDS:72182E6B.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.104
[#LC1646]
If the user configures the prelaunch and lingering sessions in Citrix Studio, the "MaxT imeBeforeDisconnect" property is
set to zero minutes instead of the default value 15 minutes.
[#LC1706]
In a Hyper-V environment with System Center Virtual Machine Manager, the BrokerService.exe process can consume up
to 100% of system memory, preventing virtual desktops from being brokered successfully.
[#LC1730]
After upgrading to XenDesktop 7.6, Desktop Studio might take about three or four minutes to show the catalogs or
Hosting information.
[#LC1851]
When a Delivery Controller goes offline or becomes otherwise unavailable, Citrix Studio might operate slowly.
[#LC1891]
Attempts to run the Create Catalog wizard can fail. T he issue occurs when one of the connected hypervisors is in
Maintenance Mode.
[#LC1916]
In some Active Directory organizational units (OUs), if the OU name contains a special character, the core services for
XenDesktop (such as AD Identity Service or Broker Service) might not be able to bind to the OU. T his can cause the CPU
usage to be higher than normal. Additionally, Citrix Studio might become inaccessible as the services might close
unexpectedly.
[#LC1979]
When using filtering by keywords for published applications, the workspace control might not work.
[#LC2025]
T he tabs in the "Trends" page and "Filters option" page in Desktop Director might fail to show the data with an error
message.
[#LC2035]
Attempts to automatically upgrade a site from XenDesktop 7.5 to XenDesktop 7.6 might fail because the "binding"
property in Broker Service instances might not be compared correctly while checking between the new and already
existing instances. T his can result in a "service instance already registered" error. T he issue occurs when trying to register
the service endpoints without unregistering the existing endpoints.
[#LC2043]
After a successful XenDesktop upgrade from Version 5.x or 7.x to Version 7.6, the following error message might appear
when starting Studio:
"Upgrade remaining Delivery Controllers."
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.105
T his error message's details specify the license server name even though the delivery controller is not installed on the
license server.
[#LC2044]
Attempts to upgrade the site to the latest product version might fail. T he issue occurs when the "Set-ConfigSite"
commands fails to get the new upgraded value.
[#LC2047]
T his release adds the -enabled flag to the command Set-XDLogging -AdminAddress $ControllerName AllowDisconnectedDatabase $true.
[#LC2162]
In the Powershell snap-in, running the command Get-Help set-MonitorConfiguration -detailed returns the error message
-"GroomApplicationInstanceRetentionDays <Int32> FIXME".
[#LC2176]
T he following error message might be incorrectly logged in the application log each time the Citrix Monitor Service starts
even though the service is working correctly:
"Error querying the Broker via GetBrokerObjects to obtain 'Controller Machine Details'"
[#LC2239]
If a Delegated Administrator account has User Access Control enabled, updates to Delivery Controller are installed to the
default location in error. T he default location is "%systemroot%\Program Files\Citrix" and this might not be the same
location where you originally installed Delivery Controller.
[#LC2252]
When adding or creating a Citrix Administrator in Citrix Studio with a user or group that contains an underscore in the
name, such as get\dl_lab_group, the first underscore does not appear in the details of the list of administrators. T he
name appears as dllab_group.
[#LC2284]
If a virtual graphics processing unit (VGPU) is enabled in the VM master image in VMware vSphere 6 with a GRID board,
the machine creation process fails.
[#LC2326]
When you consolidate XenApp and XenDesktop licenses that have the same Subscription Advantage expiry dates into a
single license file, some XenApp licenses might be missing from the license information visible in Studio.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC2350]
When users log off from a session, the End Date updates incorrectly in the database, including all application instances
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.106
running within a session and applications that are closed before the session ended.
[#LC2435]
When creating a custom role for administrators, the role is created with the following error message: "T he Given key was
not present in the dictionary." Additionally, when starting Desktop Studio for the first time by using an administrator
account, the same error message appears.
[#LC2680]
T he VDA provisioned by integrated Hyper-V appears unregistered after subscribing successfully.
[#LC2722]
After upgrading the Desktop Controller from Version 7.x to Version 7.6, if the PowerShell command "SetMonitorConfiguration" is run, the following error message appears:
"A database operation failed and cannot be recovered."
[#LC2745]
Attempts to add more than 999 virtual machines (VMs) to a single catalog might fail.
[#LC2873]
A published application name that contains a trailing space can result in several issues. T hese issues occur when
generating browser names from the published name of the application that has truncated names containing a trailing
space.
[#LC2897]
If the database owner is a group in Active Directory, attempts to remove XenDesktop Controller from a site can fail.
[#LC2912]
After installing Hotfix DStudio760WX86001 you might see an Access Denied error when trying to limit the visibility of
some applications to users.
T his issue is limited to environments with unidirectional trust relationships between domains.
[#LC2956]
Attempts to update a delivery group with multiple desktops by using commands or in Studio fails with the following error
messages:
Object reference not set to an instance of an object.
Error Id: XDDS:0E01FE12
[#LC2958]
When two applications have the same ApplicationID, refreshing App-V applications can cause Citrix Studio to set the
App-V package name incorrectly.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.107
[#LC2969]
With this fix the following issues can be resolved:
When the host connection is configured to US-East-1e regions, the Amazon Web Services (AWS) connection can be
established, but however, the machine creation might fail.
When attempting to add AWS host connection to use EU-Central-1, the host connection creation might fail with an
authentication error.
[#LC3239]
Machine Creation Services (MCS) might not honor the "AvailableForPlacement" flag on System Center Virtual Machine
Manager (SCVMM) 2012 hosts. As a result, the machine creation might fail if a host with insufficient resource is chosen.
[#LC3426]
When executing Set-BrokerDBConnection and related commands, the associated configuration logging entries in Citrix
Studio list the corresponding "Main Task" with a status of "In Progress," and the status is not updated when the task
completes.
[#LC3479]
After performing an upgrade to XenDesktop 7.6 using the local system account (typically used by Electronic Software
Distribution such as SCCM), the Analytics Service fails to start.
[#LC3493]
Performing a scheduled restart of a VDA for Server OS that is connected to a VMware Vsphere Hypervisor can cause
the server to shut down and remain in a powered off state.
T o enable the fix, set the following registry key:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\DesktopServer\RebootSchedule
Name: ShutdownT imeoutRecovery
T ype: DWORD
Value: 1
T o disable the fix, set the following registry key:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\DesktopServer\RebootSchedule
Name: ShutdownT imeoutRecovery
T ype: DWORD
Value: 0
After setting the value, you must restart the Broker Service.
[#LC3807]
After Hotfix Rollup Pack 7 for System Center Virtual Machine Manager (SCVMM) is installed, catalog creation with
Machine Creation Services (MCS) might fail.
[#LC3822]
T he Add-XDController cmdlet does not assign full custom database connection strings to the Controller.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.108
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC3860]
Attempts to open Citrix Studio by users that are not members of the Database administrators user group can result in
permission errors on the SQL Server.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4127]
Attempts to provision additional resources to a multi-tenant offering in App Orchestration 2.6 can fail if the offering
already contains two or more tenants.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4170]
When the setting "SupportMultipleForest" is enabled on the Controller to allow NT LM authentication, the Linux VDA
might fail to complete the registration process as its Service Principal Name (SPN) might not be set in the
EndpointReference of the Windows Communication Foundation (WCF).
[#LC4235]
If you create virtual machines (VMs) that are hosted on a VMware hypervisor, initial attempts to update or delete those
VMs from Citrix Studio can fail with an "Error ID XDDS:B125B84A," but subsequent attempts succeed.
[#LC4436]
When multiple Citrix Studio sessions are open, policy changes made in one session can be lost and overwritten by those
made in another.
Note: To enable this fix, you must update both Citrix Studio and the Controller components with 7.6 LT SR Cumulative
Update 1.
[#LC4487]
When running the PowerShell command "Get-LogSummary" for a date range that encompasses a switch to or from
daylight saving time, the following error message appears:
"An item with the same key has already been added."
T he issue occurs when daylight saving time introduces ambiguous local dates or times. As a result, duplicate entries are
created in the HashMap and an exception occurs.
T his fix introduces a message to inform users to split the time span to account separately for the point in time when
daylight saving time begins or ends.
[#LC4612]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.109
Attempts to update machine catalogs in Amazon Web Services (AWS) environments can fail intermittently. To enable the
fix, you must run the command, "Set-ProvServiceConfigurationData – Name
ImageManagementPrep_DoImagePreparation – Value $false" for the image preparation phase to be skipped during the
machine catalog update.
[#LC4709]
Controllers occasionally lose connectivity with the database when there is a high number of apps and VDA processes
running. When that happens, VDAs remain in the initialization state and applications are unavailable.
[#LC4848]
When there are too many hypervisor alerts, the SQL database server's CPU usage can reach 100%.
[#LC5277]
Under high utilization conditions (more than 5,000 users launching numerous apps on numerous VDAs for Server OS
concurrently), the SQL database server's CPU usage can reach 100%, which causes outages and apps are unable to
launch.
[#LC5315]
HDX MediaStream Flash Redirection
If HDX MediaStream Flash Redirection is enabled, opening and closing multiple tabs in Internet Explorer with Flash
content can cause Internet Explorer to exit unexpectedly.
[#LC0375]
With HDX Mediastream for Flash enabled, opening and closing multiple tabs in Internet Explorer can cause Internet
Explorer to close unexpectedly.
[#LC1141]
When browsing websites with HDX MediaStream Flash Redirection enabled, the Flash redirection feature fails if the
registry value of HKEY_LOCAL_MACHINE\SOFT WARE\Microsoft\Windows NT \CurrentVersion\Windows\AppInit_DLLs
is set to just "mfaphook.dll" or "mfaphook64.dll" instead of the full path to "mfaphook.dll" or "mfaphook64.dll."
[#LC4388]
Installer
If you install version 7.6.300 of the VDA from the commandline, the /noreboot switch - depending on its location in the
string of switches - is not being honored. As a result, the VDA restarts after the installation completes.
[#LC4046]
When installing a VDA, certain registry keys for performance might be installed even if you disable the "Optimize
Performance" option during installation.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.110
[#LC4330]
Licensing
Citrix Studio displays the licensing models in Spanish for license servers set to a French system locale.
[#LC3450]
Provisioning Services
Console
T arget
Server
Console
T he XenDesktop Setup Wizard sets an invalid "default" generation ID when creating XenServer virtual machines.
[#LA5924]
After completing the XenDesktop wizard, the Machine Catalog in Studio is empty and the streaming IP address appears
instead of the management IP address, which is incorrect. To use the management IP address, set the following registry
key:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ProvisioningServices
Name: UseManagementIpInCatalog
Type: DWORD
Value: 1
[#LC0125]
When running the Streamed VM Setup Wizard to add VMs to a Device Collection and if a hosting entry uses a different
case format, the following error message appears:
"To avoid creating a duplicate key, the Add or Set command was cancelled"
Details:Cannot insert duplicate key row in object 'dbo.VirtualHostingPool' with unique index
'IDX_VirtualHostingPoolSiteIdName'. T he duplicate key value is (18df503c-c745-452a-89aa-3bbf431c7b33,
livsvmv01.livdc.local).
T he statement has been terminated.
[#LC0348]
T he Xen Desktop Setup Wizard does not use the template boot properties when creating targets. To fix this, create the
following registry key:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.111
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ProvisioningServices
Name: UseTemplateBootOrder
Type:REG_DWORD
Data: 1
[#LC0382]
When running the Streamed VM Setup Wizard, some Active Directory organizational units (OUs) might not appear in the
wizard if the OU name contains special characters.
[#LC0393]
Attempts to map a disk on the Provisioning Service server by using either MCLI.exe or the command "mcli-runwithreturn
mapdisk -p disklocatorName=MyDiskLocatorName, sitename=MySiteName, storeName=MyStoreName" fail and the
following error message appears:
Object Reference not set to an instance of an object (MCLI command)
Attempts to run the command "mcli-run unmapdisk" fails and shows the error message "An unexpected MAPI error
occurred."
[#LC0786]
When trying to create machines by using the XenDesktop Setup Wizard, the hard drive and the virtual DVD drives are
placed in difference storage volumes, even though the hosting unit can only access one volume.
[#LC0918]
If the Desktop Delivery Controller contains a port number in the uniform resource identifier (URI), when the XenDesktop
Setup Wizard runs, the Microsoft Management Console (MMC) stops responding.
[#LC1248]
T he XenDesktop Setup Wizard fails when one of the Cluster Shared Volumes does not contain the StorageDisk
location.
[#LC1807]
After installing Provisioning Services Console version 7.1.3, many .NET applications fail on Windows Server 2008 R2 and on
Windows 7.
[#LC1838]
In some environments, when using the Provisioning Services 7.x bootstrap file, it can take a long time to start many
target devices together.
Note: T he issue can also occur in situations where a high load does not exist.
[#LC1839]
If the account used to log on to the Provisioning Services console is not the same account used to install Provisioning
Services, running the XenDesktop Setup Wizard fails with the following error:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.112
"Cannot connect to the XenDesktop controller at <address>. Some or all identity references could not be translated."
[#LC1952]
In a Microsoft SCVMM environment, the XenDesktop Setup wizard does not assign a static MAC address to a nonstreaming network adapter when the MAC address type in the template is static.
[#LC2459]
When running the XenDesktop Setup Wizard, not all virtual machines are created if the number of standard and PvD
storages are not equal.
[#LC2496]
T he XenDesktop Setup Wizard creates ESX virtual machine metadata in one store, instead of distributing the metadata
with the different disks created for the virtual machine.
[#LC2549]
When creating virtual machines in XenServer by using the XenDesktop Setup Wizard, the template setting with the GPU
assigned might not be retained.
[#LC2859]
Machines created with the XenDesktop Setup Wizard are not added to the XenDesktop machine catalog and the
following error message appears:
"No items match the supplied pattern"
[#LC2923]
T he XenDesktop Setup Wizard might fail to create machine when the VMware ESX host is in Maintenance Mode.
[#LC3401]
T he XenDesktop Setup Wizard might fail to honor the "Superseded" flag on the Personal vDisk storage of the hosting
unit.
[#LC3573]
When the Streamed VM Setup Wizard is running, enumerating templates on the VMware ESX cluster that contain many
hosts and data stores can take a long time to complete.
[#LC3674]
When mounting and unmounting vDisks, the SOAP service might become unresponsive and the Provisioning Services
Console might fail to start.
[#LC3723]
T he following error message can appear while creating machines using the Streamed VM Setup Wizard:
"Object reference not set to an instance of an object."
[#LC3811]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.113
When a help desk administrator creates new virtual machines (VMs) from a standalone Provisioning Services Console
through the XenDesktop Setup wizard, attempts to start a target device from a BDM partition can fail and cause an
incorrect IP address for the logon server to appear.
[#LC3911]
Installing the Provisioning Services Console sets the following registry key to " 1." T his can cause other .NET applications
to try to use the wrong version of the Framework and possibly fail:
HKEY_LOCAL_MACHINE\SOFT WARE\Microsoft\.NET Framework
Name: OnlyUseLatestCLR
Type: REG_DWORD
Data: 1
[#LC4197]
Attempts to create virtual machines (VMs) by using the XenDesktop Setup wizard or the Streamed VM Setup wizard
might fail in a Microsoft System Center Virtual Machine Manager (SCVMM) environment. With this fix, the fully qualified
domain name (FQDN) of the host is used in the commands instead of short name.
[#LC4230]
T he XenDesktop Setup wizard might fail to create Provisioning Services target devices in System Center Virtual Machine
Manager (SCVMM) 2012 environments.
[#LC4256]
Attempts to connect to VMware Vsphere Hypervisor 5.1 by using the Streamed VM Setup wizard or the XenDesktop
Setup wizard fail if User1 and User2 are configured to use different ports.
To use a different port to connect to the VMware ESX server, you must create the following registry key:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ProvisioningServices\PlatformEsx
Name: Port
Type: DWORD
Value: <port_number>
[#LC4283]
SSL connections between the XenDesktop Setup wizard and XenServer fail.
[#LC4377]
T his is an enhancement to facilitate NIC teaming with the latest Mellanox NICs and firmware used in HP Moonshot
systems.
[#LC4646]
If the template created in System Center Virtual Machine Manager (SCVMM) has NICs on two different networks - for
example, NIC1 on network xxx and NIC2 on network yyy - the XenDesktop Setup wizard default behavior is to change
both NICs to the network of the host record (network zzz). For the NIC2 network to remain unchanged, after installing
this fix, set the following registry key:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.114
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ProvisioningServices\PlatformScvmm
Name: RequireMatchingNetworks
Type: REG_DWORD
Value: 1
[#LC4650]
Pressing "Ctrl+C" without any items selected, the Provisioning Services Console might exit unexpectedly with the
following error message:
"MMC has detected an error in a snap-in and will unload it."
Additionally, the issue can occur if the "Ctrl+C" key combination is automatically injected by certain third-party software.
[#LC4909]
Server
T he SOAP Service might exit unexpectedly while changing the vDisk license mode to Key Management Service (KMS).
[#LC0265]
In Version 7.1 of Provisioning Services, attempts to set a subnet mask of 0.0.0.0 when configuring bootstrap to use the
Gateway/DHCP settings to set the subnet mask value at runtime fail and the following error message appears
"Invalid Subnet mask."
[#LC0312]
T he Target device might return broadcasted ARP reply packets during the bootstrap process, causing excessive network
traffic.
[#LC0451]
If there are five or more network adapters attached to the server, the following error messages appear:
Message processor timed out. Error number 0XE0070003.
No response received for successful send. Error number 0xA0070002.
[#LC0455]
When many targets attempt to reconnect after experiencing network issues, the Stream Process (StreamProcess.exe)
might close unexpectedly due to extensive retry attempts to send the packets to the target devices.
[#LC0488]
When using the network settings of the DHCP in bootstrap configuration, if the "Router" option in DHCP is not
configured, a false default gateway IP address might appear in the Provisioning Services Target device.
[#LC0688]
When installing the XenApp Enterprise and PVS Datacenter licenses on the Citrix License Server and starting the XenApp
Target device from the vDisk, the PVS Datacenter licenses are not consumed in the License Management Console.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.115
[#LC0707]
With this release, the vhdUtil tool can rename a virtual disk chain and prepare the chain to be imported as a new disk.
During renaming, the following actions occur:
Updates the disk header, footer, and timestamp.
Renames the PVP file, if it exists.
Creates an XML file based on the renamed chain that allows the renamed disk to be imported by the Provisioning
Services console.
[#LC0722]
Attempts to map a disk on the Provisioning Service server by using either MCLI.exe or the command "mcli-runwithreturn
mapdisk -p disklocatorName=MyDiskLocatorName, sitename=MySiteName, storeName=MyStoreName" fail and the
following error message appears:
Object Reference not set to an instance of an object (MCLI command)
Attempts to run the command "mcli-run unmapdisk" fails and shows the error message "An unexpected MAPI error
occurred."
[#LC0786]
After upgrading to Provisioning Services 7.1, if there are a large number of VDAs, it can take four to five hours to restart
all VDAs.
[#LC0941]
When upgrading Provisioning Services from Version 7.1 to 7.6, if you run the dbscript.exe generator that is provided with
Provisioning Services and is used to create an SQL script to upgrade the Provisioning Services database version, an error
appears and the generated script is truncated.
[#LC1087]
T he Notifier.exe process might experience an access violation and exit unexpectedly at random.
[#LC1199]
Target devices shows the correct number of retries, however the Provisioning Services console always shows zero retries.
[#LC1427]
When adding Dynamic vDisks to stores, the server reports an incorrect Replication Status after adding the Dynamic vDisk
to the second store.
[#LC1428]
When copying and pasting properties between two virtual disks, the load balancing settings are not pasted on the
second disk.
[#LC1498]
Provisioned virtual machines (VMs) might become unresponsive randomly while shutting down the system.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.116
[#LC1573]
T he Stream Service fails when starting and stopping the service.
[#LC1664]
T he Powershell MCLI command ""Mcli-Get DeviceInfo" returns an empty value in the "Status" field.
[#LC1790]
After installing Provisioning Services Console version 7.1.3, many .NET applications fail on Windows Server 2008 R2 and on
Windows 7.
[#LC1838]
In some environments, when using the Provisioning Services 7.x bootstrap file, it can take a long time to start many
target devices together.
Note: T he issue can also occur in situations where a high load does not exist.
[#LC1839]
When configuring VMware PXE Manager for vCenter, if a default gateway IP address is not provided as part of the
DHCP options, the bootstrap protocol incorrectly sets the gateway IP address (GIADDR) to the Relay Agent IP address.
[#LC1966]
T he target device can experience delays on Microsoft Hyper-V when any key is pressed in the disk menu.
[#LC1997]
When the number of target devices increase on Microsoft Hyper-V, some targets fail to start and stop responding at
the "Starting Windows" screen.
[#LC2011]
Occasionally, the Stream Service process stops responding when multiple target devices shut down.
[#LC2141]
If there are unresponsive threads, the Stream Service process cannot recover after automatically restarting.
[#LC2227]
If there are two Provisioning Servers configured to use the T FT P Service option and if NetScaler load balances the
servers, if you increase the frequency of monitor probes to run faster than the default time of five seconds, memory
consumption on bntftp.exe can increase to 7.5 gigabytes.
[#LC2314]
T he XenDesktop Setup Wizard creates ESX virtual machine metadata in one store, instead of distributing the metadata
with the different disks created for the virtual machine.
[#LC2549]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.117
If a static IP address is assigned when running Boot Device Manager, after saving the .iso image the first time and then
incrementing the IP address, subsequent attempts to save a new image overwrites the existing file.
[#LC2619]
T he Soap Server might close unexpectedly when restarting the Provisioning Server.
[#LC2750]
Attempts to use MAK activation for Microsoft Windows can fail and the following error message appears:
"Confirmation ID not retrieved, check internet access."
T he issue occurs in scenarios where Microsoft Office is installed on the vDisk and the record of the Office product exists
in the Volume Activation Management Tool (VAMT ) database. During activation, the "Install-VamtproductKey" command
attempts to install the Windows product key for both Windows and Office and then returns the same error. With this
fix, Office is not included in in MAK activation.
Additionally, the result of the "Get-VamtConfirmationId" command is saved in the incorrect location so the same error
also occurs when Microsoft Office is installed on the vDisk. With this fix, the result of the "Get-VamtConfirmationId"
command is saved in the correct location.
Note: T his fix does not provide support for Microsoft Office MAK. Provisioning Services does not support MAK for
Office. T he only supported way of installing Office on a PVS image is to use the Key Management Service (KMS) for
both Windows and Office.
[#LC3120]
When using a BDM partition, target devices running on VMware do no attempt to log on to all servers in the list if the
top-most server is unreachable.
[#LC3805]
Attempts to mount a vDisk on a Provisioning Server fail unless the server has logical access to the vDisk.
[#LC3835]
When a help desk administrator creates new virtual machines (VMs) from a standalone Provisioning Services Console
through the XenDesktop Setup wizard, attempts to start a target device from a BDM partition can fail and cause an
incorrect IP address for the logon server to appear.
[#LC3911]
When exporting a vDisk by running the PowerShell command "Mcli-Run ExportDisk -p DiskLocatorName="DISK_NAME",
StoreName="STORE_NAME", SiteName="SIT E_NAME,"" a manifest file with multiple entries for each version of the
vDisk might be created. T he issue occurs when a vDisk with the same name is present in multiple Sites. T he number of
duplicate entries per version corresponds to the number of sites that have the vDisk.
[#LC4225]
Machine creation fails with the XenDesktop Setup wizard in SCVMM environments if there is a trailing backslash (\) at
the end of the VM storage path.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.118
[#LC4418]
T his is an enhancement to facilitate NIC teaming with the latest Mellanox NICs and firmware used in HP Moonshot
systems.
[#LC4646]
If the template created in System Center Virtual Machine Manager (SCVMM) has NICs on two different networks - for
example, NIC1 on network xxx and NIC2 on network yyy - the XenDesktop Setup wizard default behavior is to change
both NICs to the network of the host record (network zzz). For the NIC2 network to remain unchanged, after installing
this fix, set the following registry key:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ProvisioningServices\PlatformScvmm
Name: RequireMatchingNetworks
Type: REG_DWORD
Value: 1
[#LC4650]
Target
T he Windows Server 2008 R2 target device experiences a fatal exception with error code 0x4E appearing on a blue
screen.
[#LC0350]
When many targets attempt to reconnect after experiencing network issues, the Stream Process (StreamProcess.exe)
might close unexpectedly due to extensive retry attempts to send the packets to the target devices.
[#LC0488]
Provisioned virtual machines (VMs) might become unresponsive randomly while shutting down the system.
[#LC1573]
After enabling the target device log, BNDevice.exe fails.
[#LC2058]
If a server becomes unavailable, IO reconnect requests are sent to the unavailable server only and not to other servers in
a high availablity configuration.
[#LC2146]
When creating an image by using the Provisioning Services Imaging Wizard or if the image is in Private image mode,
writing to the vDisk can cause a number of retries on the target.
[#LC2218]
On a target device in Microsoft Hyper-V, switching from a legacy to a synthetic network adapter does not occur when
the operating system is Italian.
[#LC2379]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.119
After building a Personal vDisk (PVD) and then installing Provisioning Services, when you use the XenDesktop Setup
wizard to create a PVD-enabled pool, some VMs start and the PVD software initializes the write-cache drive as PVD. A
write-cache is not created for Provisioning Services.
[#LC2497]
T he host name on VMware ESX target devices is set to the MAC address after restarting.
[#LC2816]
Provisioning Services Target device installation on systems with ESX VMXNET 3 Nics requires Microsoft hotfix
https://support.microsoft.com/en-us/kb/2550978 or a superseding hotfix to be installed. With this fix, rather than
requiring KB2550978 explicitly, a warning message appears, advising administrators to make sure KB2550978 or a
superseding hotfix is installed.
[#LC3016]
T he target device might send an error log entry to the write cache disk for every write attempt that fails. As a result, an
excess number of error messages appear in the Provisioning Server logs.
[#LC3110]
T he PVS Device Service (BNDevice.exe) might not start successfully when the service logon account is set to "Local
System," which is the default value.
[#LC3209]
T he logging level of some critical error logs that are related to Active Directory password change might not be set
correctly and as a result, the logs are not sent to the server for Citrix Diagnostic Facility tracing.
[#LC3803]
Automatic vDisk Updates do not run inventory updates on PvD enabled vDisks.
[#LC3997]
ESX target devices utilizing a VMXnet3 network driver can experience a fatal exception, displaying a blue screen when
using jumbo frames (frames with more than 1500 bytes of payload per frame).
[#LC4238]
Provisioned target devices have a 96 hour license grace period after which they shut down if no valid licenses are
available. With this enhancement, the licensing grace period for target devices is extended to 30 days (720 hours).
[#LC4645]
Session Recording
Agent
https://docs.citrix.com
Player
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.120
Agent
With "Allow third party applications to record custom data on this VDA machine" enabled in the Session Recording Agent
properties, the Session Recording Agent Service running on a Japanese language Windows operating system might fail to
start and client sessions cannot be recorded.
[#LC3861]
Player
Recordings of Microsoft Paint sessions do not play back correctly in the Session Recording Player.
[#LC4389]
An error occurs when you play back a session that was recorded on a multiple-monitor user device.
[#LC4391]
StoreFront
T his fix addresses inconsistencies in the Japanese translation of the term "Classic" in the Management Console user
interface.
[#LC3607]
When you click to launch a second or subsequent application, one or more instances of the first application you started
can launch. T he issue occurs when using a version of Receiver other than Citrix Receiver for Web when multiple-site
aggregation is configured. An additional instance of the first application launches from each aggregated Site.
[#LC4278]
Customizations for published desktops you make in the default.ica file might not be honored. For example, you might
not be able to see the connection bar inside certain desktops even if you set "ConnectionBar=1."
[#LC4688]
In certain scenarios, StoreFront generates enumeration responses that contain duplicate resources. T his can cause
Receiver for Web to report a failure and the apps might fail to appear. T he issue occurs with one or more of the
following conditions:
A farm is referenced by more than one UserFarmMapping in a multi-Site configuration.
T he user belongs to Active Directory Groups wherein multiple UserFarmMapping are applied.
T he EquvalentFarmSets that contain farms have no aggregation group, or there is a Delivery Group with multiple
assignments for the user.
[#LC4863]
Universal Print Server
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.121
Client
Server
Client
Attempts to manage ports or printers on the remote print server from the Microsoft Print Management console on a
VDA for Server OS might fail with the following error message: "Failed to complete the operation. T his operation is not
supported." Also, when navigating to the Ports tab, ports might not be listed.
Additionally, when you right-click any printer and select "Open Printer Queue," the following error message might appear:
"Windows can't find the printer. Make sure the network is working and you've entered the name of the printer and print
server correctly."
To address this issue, delete the following registry key
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\Universal Printer" from the registry of the
VDA and restart the Print Spooler Service. T he ports are enumerated correctly in the Microsoft Print Management
Console and you can configure the ports and printers.
[#LC3740]
Server
Batch printing using the Microsoft GDI Print API can fail to where the last page does not print, and the following error
message appears:
"Dispatch::CDriverTripSummary::PrintReport, Error Occured While Printing....Check Printer"
[#LC3920]
T his fix introduces support for Citrix UPS Print Driver Certification Tool for Universal Print Server 7.6.300. For more
information, see Knowledge Center article CT X142119.
[#LC4265]
VDA for Desktop OS
Content Redirection
Logon/Authentication
HDX 3D Pro
Printing
HDX MediaStream Flash Redirection
Seamless Windows
HDX MediaStream Windows Media Redirection
Server/Site Administration
Installing, Uninstalling, Upgrading
Session/Connection
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.122
Keyboard
Smart Cards
System Exceptions
Content Redirection
With content redirection enabled for Mailto links, Mailto links that contain commas fail to launch and the following error
message appears:
"Could not perform this operation because the default mail client is not properly installed."
T he issue does not occur in console or Remote Desktop sessions.
[#LC3701]
HDX 3D Pro
In HDX 3D Pro dual-monitor configurations, locking Windows on one monitor can fail to blank the screen on the second
monitor. T he issue occurs after disconnecting from a dual-monitor client session, then reconnecting from a single
monitor client, then disconnecting from the session, then reconnecting from the dual-monitor client.
[#LC3934]
T he mouse pointer might not assume the proper shape when the mouse is positioned at the edge of a Microsoft
Notepad application window.
To enable this fix, you must set the following registry key:
On 32-bit Windows:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\HDX3D
Name: EnableUnknownCursorHandling
T ype: REG_DWORD
Value: 1
On 64-bit Windows:
HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\HDX3D
Name: EnableUnknownCursorHandling
T ype: REG_DWORD
Value: 1
[#LC4160]
Attempts to resize the session screen resolution can fail intermittently, leaving the DesktopViewer window grayed out.
[#LC4261]
With HDX 3D Pro enabled, customized mouse pointers in 3D graphics rendering applications might appear incorrectly.
[#LC4713]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.123
HDX MediaStream Flash Redirection
If HDX MediaStream Flash Redirection is enabled, opening and closing multiple tabs in Internet Explorer with Flash
content can cause Internet Explorer to exit unexpectedly.
[#LC0375]
With HDX Mediastream for Flash enabled, opening and closing multiple tabs in Internet Explorer can cause Internet
Explorer to close unexpectedly.
[#LC1141]
When browsing websites with HDX MediaStream Flash Redirection enabled, the Flash redirection feature fails if the
registry value of HKEY_LOCAL_MACHINE\SOFT WARE\Microsoft\Windows NT \CurrentVersion\Windows\AppInit_DLLs
is set to just "mfaphook.dll" or "mfaphook64.dll" instead of the full path to "mfaphook.dll" or "mfaphook64.dll."
[#LC4388]
HDX MediaStream Windows Media Redirection
In Receiver sessions, seeking forward in Windows Media Player while playing .MOD, ac3, and mpeg files might cause the
video to play without audio.
[#LC2768]
If you play an .avi file with Windows Media Player within an ICA session (or published desktop session) and then start
playing another .avi file without stopping the first one, the video frames might not be properly directed to the user
device. As a result, the CPU usage of the mmvdhost.exe process can be higher than normal and the video might not
render properly on the user device.
[#LC4260]
Installing, Uninstalling, Upgrading
After installing one or more of the following Microsoft Security Updates, attempts to log on to a XenDesktop VDA
7.6.300 or 7.7 running either version of Windows 10 fail. For more information, see Knowledge Center article CT X205398.
Windows 10 RT M [Build 10240]
Security Updates
Release Date
KB3124266
January- 2016
KB3135174
February- 2016
KB3140745
March- 2016
KB3147461
April- 2016
KB3156387
May- 2016
(Current Business Branch and LT SB)
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.124
Windows 10 Version 1511
KB3124263
January- 2016
KB3124262
January- 2016
KB3135173
February- 2016
KB3140768
March- 2016
KB3147458
April- 2016
KB3156421
May- 2016
Cumulative image inclusive of all updates
March- 2016
[Build 10586.36]
Windows 10 Version 1511
up to February 2016
(Updated Feb 2016)
Note: If you have installed any of the Microsoft Security Updates above:
If you have installed any of the Microsoft Security Updates above on a Windows 10 RT M (Build 10240) VDA or on a
Windows 10 Version 1511 (Build 10586.36) VDA and want to apply this update, do the following:
1. Reboot and log in to the Windows 10 VDA using Safe Mode.
2. Uninstall the Microsoft Security Updates above and reboot.
3. Install this update and reboot.
4. Install any applicable Microsoft Security Updates.
For new deployments of the 7.6.300 VDA on Windows 10 (RT M / Version 1511 / Version 1511 (Updated Feb 2016)), do
the following:
1. Prepare a Windows 10 (RT M / Version 1511 / Version 1511 (Updated Feb 2016)) image.
Caution: Installing the VDA and rebooting in the next step can place the machine into an unrecoverable state. It is
essential not to reboot after installing the VDA.
2. Install the 7.6.300 VDA and choose NOT to reboot.
3. Install this update and reboot.
[#LC4604]
Keyboard
If you are in a Citrix GoToMeeting running inside a VDA session and are made presenter, your mouse pointer might start
to flicker. T his occurs when the "Legacy graphics mode" policy setting is disabled for the session.
[#LC3033]
Logon/Authentication
If the Windows Remote Desktop Session Host Configuration policy setting "Always prompt for password upon
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.125
connection" is enabled, when users log on to VDA 7.x by using the ICA protocol, users receive a prompt to enter their
credentials again.
To enable this fix, set the following registry key:
HKEY_LOCAL_MACHINE\Software\Citrix\Portica
Name: AutoLogon
Type: DWORD
Data: 0x00000001 (value must be between 1 and 2147483647)
Note: T he Citrix Display Drive can be marked for deletion if there are multiple attempts to run the MSP file. T his causes
the installation of the hotfix to fail. In addition, the display resolution of the VDA might not work. To allow this to work,
restart the VDA and then install the hotfix again.
[#LC1180]
After installing Microsoft Hotfix KB3124266 (for Windows 10) or KB3124263 (for Windows 10 Version 1511), attempts to
log on to a XenDesktop VDA 7.6.300 or 7.7 running on Windows 10 might fail. For more information see, Knowledge
Center article CT X205398.
Note: If you have already installed KB3124266 or KB3124263 and want to apply this update, do the following:
1. Reboot and log in to the Windows 10 machine using Safe Mode and uninstall KB3124266 or KB3124263
2. Reboot the Windows 10 machine and install this update.
3. Reinstall KB3124266 or KB3124263.
[#LC4540]
Printing
T he Citrix Print Spooler Service might exit unexpectedly.
[#LC4180]
Seamless Windows
Seamless applications can become unresponsive and their icon in the Windows taskbar reverts to the generic Citrix
Receiver icon.
[#LC3783]
When you close a seamless published application, the focus goes to another published application rather than honoring
windows in the typical Windows Z-order.
[#LC4009]
Server/Site Administration
When an administrator attempts to access a virtual machine from Hyper-V console, while there is a disconnected but
active session, a black screen appears, T he issue occurs in deployments that use XPDM drivers.
[#LC3536]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.126
A VDA might stop accepting connections. After enabling the "Legacy graphics mode" policy, the VDA starts accepting
connections again.
[#LC3749]
When launching VM hosted apps, the Windows logon screen might appear before the app is fully launched. T his fix
introduces a 15-second grace period before the Welcome screen appears. It also provides support for the following
registry key that allows you to customize the duration of the grace period.
Note: During the grace period, there is no obvious indication to users that the app is launching. Configuring too high a
grace period can delay application launches and cause users to inadvertently launch apps multiple times.
To change the duration of the grace period, set the following registry key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Control\Citrix\wfshell\T WI
Name: LogonUIHideT imeout
Type: DWORD
Value: Any value greater than zero in milliseconds (for example, 20000 milliseconds for 20 seconds)
[#LC3828]
Attempts to use the attrib command to change file attributes of files on mapped client drives might fail.
[#LC3958]
T he Output Session Bandwidth Performance Monitoring counter might report inconsistent values upon recording for a
long period of time.
[#LC4151]
If you are logging on to a Version 7.6.300 VDA with explicit credentials (username/password) and User Account Control
(UAC) enabled, and then attempt to authenticate to an application running in the session using a smart card, the
following error message might appear:
"An authentication error has occurred. No credentials are available in the security package."
[#LC4486]
Session/Connection
When multiple webcams or video capturing devices are installed on an endpoint, only one of the devices is mapped into
the client session. Additionally, the device is mapped as Citrix HDX Web Camera, leaving no obvious clue as to which of
the devices is mapped.
[#LC1919]
In sessions for which you enable Local App Access, the screensaver fails to get activated.
[#LC3182]
T he Citrix policy "View window contents while dragging" does not work correctly.
[#LC3552]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.127
Disconnected sessions might remain open on a physical machine even after the time specified under "Disconnect session
timer interval" has passed.
To enable the fix, set the following registry keys:
HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\Portica
Name: ForceDisableRemotePC
Type: DWORD
Value: Any value greater than zero
[#LC3650]
If an endpoint loses network connectivity for several minutes, reconnection attempts can fail until the VDA is restarted.
[#LC3700]
When logging on to a VDA after it is in an idle state for an extended period of time, the credentials might not be passed
through automatically to the logon screen upon reconnection and a prompt to enter the password appears on the
logon screen.
[#LC3720]
T he WFICA32.exe process might keep a file locked even after the file was closed by the associated published application.
As a result, the file cannot be edited for a while.
[#LC3724]
Certain third-party published applications might fail to start on XenApp servers. As a result, the wfshell.exe process might
close unexpectedly. When this error occurs, no indication that the session is starting or error messages appear on the
user device.
[#LC3766]
After undocking the T homson Reuters Eikon toolbar in a multiple monitor session, the space occupied by the toolbar is
not reclaimed by the session.
In monitor configurations where the primary monitor is not located in the top left corner of the array, you must also
install Fix #LC1599, which is included in Receiver for Windows 4.4 and later.
[#LC3773]
When the App-V configuration setting "EnablePublishingRefreshUI" is enabled on the session host and "Session
Lingering" is enabled as well, attempts to close an application on an iOS device can result in a black window that stays on
the device screen.
[#LC3800]
With the Citrix Windows XP Display Driver Model (XPDM) display driver enabled, the mouse shadow setting is always
enabled even though it is disabled in the Control Panel.
[#LC3806]
With Excelhook enabled, minimizing and then restoring an Excel workbook can cause the Excel window to lose focus.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.128
[#LC3873]
T he "Restrict session clipboard write" and "Restrict client clipboard write" policies do not work properly for sessions using
Citrix Receiver for Android. As a result, users can copy and paste content between the session and the user device
regardless of the configuration of those two policies.
[#LC3894]
When you attempt to reconnect to a disconnected session, a Windows lock screen appears with a set of keys but
without an option to enter your password. When you click "Other credentials," a second credentials icon appears that
allows you to enter the password and unlock the session.
[#LC4053]
If you power off or force a remote PC to restart while in an ICA session, all audio drivers might be disabled when the
remote PC restart completes.
[#LC4071]
If you add a file to a user device folder while the associated published application is running and then try to open the file
from within the application, the file might not appear in the application's Open File Dialog - even after clicking the
refresh button.
[#LC4073]
T he VDA might become unresponsive at the "Welcome" screen due to a deadlock on picadm.sys.
[#LC4195]
With Generic USB Redirection enabled, each time a generic redirected USB device is physically disconnected and
reconnected within a session, it is treated as a new device. As a result, each time you reconnect such a USB device, an
additional GUID is created for it.
[#LC4259]
T LS connections between Citrix Receiver for Chrome and VDAs fail if all three of the following conditions are met:
Fix #LC2179 (Hotfix ICAWS760WX64032 or its replacement) is installed on the VDA
T he connection is configured to use SSL
T he Citrix Gateway Protocol (CGP) is disabled
[#LC4405]
After installing Hotfix ICAWS760WX64032 and enabling SSL, attempts to reconnect to a VDA might fail intermittently.
T he issue occurs if the Citrix ICA Service exits unexpectedly or becomes unresponsive as a result of an SSL Listener
failure.
[#LC4438]
Sessions running on Version 7.6.300 of the VDA for Desktop OS with RES Workspace Manager installed can become
unresponsive when roaming sessions between user devices.
[#LC4570]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.129
Smart Cards
In Microsoft Internet Explorer, the user interface for smart card logons to certain websites can be intermittently
unavailable.
[#LC3988]
System Exceptions
On logon or changing display resolution, the Ctxgfx.exe process may enter a deadlock causing the Session to hang.
[#LC2410]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x20.
[#LC3473]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x00000050.
[#LC3921]
T he operating system experiences an error on ctxad.sys and a blue screen appears with bugcheck code 0xD1.
[#LC4007]
After upgrading a VDA for Desktop or Server OS to Version 7.6.300, the Citrix Print Manager Service (CpSvc.exe) can exit
unexpectedly upon logoff.
[#LC4102]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x000000C1.
[#LC4334]
When you repeatedly play an .avi file on Windows Media Player, the memory consumption of the wfica32.exe process
might continue to increase until the process exits unexpectedly.
[#LC4335]
VDAs can experience a fatal exception on picadd.sys, displaying a blue screen, upon logoff from a Citrix Receiver session.
[#LC4360]
VDAs can experience a fatal exception with bugcheck code 0x00000044 on ctxdvcs.sys and a blue screen appears.
[#LC4505]
If the registry key HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ICA\T hinwire\DisableOssForProcesses is defined,
attempts to restart the VDA and launch a published desktop can result in a blue screen.
[#LC4597]
VDA for Server OS
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.130
Content Redirection
Server/Site Administration
HDX MediaStream Windows Media Redirection
Session/Connection
Keyboard
Smart Cards
Printing
System Exceptions
Seamless Windows
User Experience
Content Redirection
Server to client content redirection fails for VDAs other than those running on Windows Server 2008 R2. As a result,
when you click a URL in a VDA session, the link opens in a browser running in the session rather than in a local browser.
[#LC2221]
With content redirection enabled for Mailto links, Mailto links that contain commas fail to launch and the following error
message appears:
"Could not perform this operation because the default mail client is not properly installed."
T he issue does not occur in console or Remote Desktop sessions.
[#LC3701]
HDX MediaStream Windows Media Redirection
In Receiver sessions, seeking forward in Windows Media Player while playing .MOD, ac3, and mpeg files might cause the
video to play without audio.
[#LC2768]
If you play an .avi file with Windows Media Player within an ICA session (or published desktop session) and then start
playing another .avi file without stopping the first one, the video frames might not be properly directed to the user
device. As a result, the CPU usage of the mmvdhost.exe process can be higher than normal and the video might not
render properly on the user device.
[#LC4260]
Keyboard
If you are in a Citrix GoToMeeting running inside a VDA session and are made presenter, your mouse pointer might start
to flicker. T his occurs when the "Legacy graphics mode" policy setting is disabled for the session.
[#LC3033]
Printing
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.131
T he Citrix Print Spooler Service might exit unexpectedly.
[#LC4180]
Seamless Windows
Seamless applications can become unresponsive and their icon in the Windows taskbar reverts to the generic Citrix
Receiver icon.
[#LC3783]
When you close a seamless published application, the focus goes to another published application rather than honoring
windows in the typical Windows Z-order.
[#LC4009]
Server/Site Administration
When launching VM hosted apps, the Windows logon screen might appear before the app is fully launched. T his fix
introduces a 15-second grace period before the Welcome screen appears. It also provides support for the following
registry key that allows you to customize the duration of the grace period.
Note: During the grace period, there is no obvious indication to users that the app is launching. Configuring too high a
grace period can delay application launches and cause users to inadvertently launch apps multiple times.
To change the duration of the grace period, set the following registry key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Control\Citrix\wfshell\T WI
Name: LogonUIHideT imeout
Type: DWORD
Value: Any value greater than zero in milliseconds (for example, 20000 milliseconds for 20 seconds)
[#LC3828]
Attempts to use the attrib command to change file attributes of files on mapped client drives might fail.
[#LC3958]
Multiple, concurrent attempts to establish a Remote Desktop (RDP) connection to a VDA from separate user devices
can cause the VDA to unregister.
[#LC4014]
T he Output Session Bandwidth Performance Monitoring counter might report inconsistent values upon recording for a
long period of time.
[#LC4151]
When a VDA for Server OS is unregistered or the Citrix Desktop Service is disabled, even domain administrators cannot
log on to that VDA through a Remote Desktop (RDP) connection. While that behavior is as designed for nonadministrator roles, administrators are expected to be able to log on.
[#LC4290]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.132
If you are logging on to a Version 7.6.300 VDA with explicit credentials (username/password) and User Account Control
(UAC) enabled, and then attempt to authenticate to an application running in the session using a smart card, the
following error message might appear:
"An authentication error has occurred. No credentials are available in the security package."
[#LC4486]
Live scrolling (the synced state of page scrolling and scrollbar motion) does not work in Excel spreadsheets. Version
7.6.300 of the VDA introduced Fix #LC2965, intended to address the issue. However, Fix #LC2965 does not fully resolve
the issue in all cases. T his Fix, #LC4579, ensures that the issue is corrected even on systems where Fix #LC2965 does not
work.
From the description of #LC2965:
Live scrolling (the synced state of page scrolling and scrollbar motion) does not work in Excel spreadsheets. The issue
occurs because the key and value in registry location HKEY_CURRENT_USER\Control
Panel\Desktop\UserPreferencesMask on the VDA are overwritten by the wfshell.exe process each time a user logs on to
the VDA. To prevent this, create the following registry key on the VDA and set the value to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix
Name: EnableVisualEffect
Type: REG_DWORD
Value: 1
[#LC4579]
After installing Hotfix ICAT S760WX64022 (or its replacements), any new custom registry configuration under the registry
key HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\Graphics\ might not be retained when you restart the system.
[#LC4931]
Session/Connection
T he Source Network Address displays an incorrect IP address for remote user devices in the server's Windows Security
Log with EVENT ID 4624.
[#LC1352]
With the Client audio redirection or Windows Media Redirection policies disabled, the Volume control (Speaker) icon in
the notification area of a published desktop session can display an incorrect audio state.
[#LC2538]
In Citrix Receiver for Android published desktop sessions, attempts to open a Microsoft Outlook calendar invitation can
fail with the following error message:
"Cannot open item"
T he issue occurs with calendar invitation created by other users; invitations created by the same user are not affected.
[#LC2828]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.133
In certain scenarios, the Client Printer Redirection and Citrix Group Policies' Access Control filters might fail to work while
logging on or reconnecting to a disconnected session.
[#LC3083]
In sessions for which you enable Local App Access, the screensaver fails to get activated.
[#LC3182]
T he WFICA32.exe process might keep a file locked even after the file was closed by the associated published application.
As a result, the file cannot be edited for a while.
[#LC3724]
Certain third-party published applications might fail to start on XenApp servers. As a result, the wfshell.exe process might
close unexpectedly. When this error occurs, no indication that the session is starting or error messages appear on the
user device.
[#LC3766]
After undocking the T homson Reuters Eikon toolbar in a multiple monitor session, the space occupied by the toolbar is
not reclaimed by the session.
In monitor configurations where the primary monitor is not located in the top left corner of the array, you must also
install Fix #LC1599, which is included in Receiver for Windows 4.4 and later.
[#LC3773]
When the App-V configuration setting "EnablePublishingRefreshUI" is enabled on the session host and "Session
Lingering" is enabled as well, attempts to close an application on an iOS device can result in a black window that stays on
the device screen.
[#LC3800]
T he Service Host (svchost.exe) process that is registered with Terminal Services (TermService) might close unexpectedly
on RPM.dll while connecting to a server through an RDP session.
[#LC3808]
With Excelhook enabled, minimizing and then restoring an Excel workbook can cause the Excel window to lose focus.
[#LC3873]
Even with the Client audio redirection policy enabled, audio (.wav) files can fail to play. T he issue occurs in sessions where
the session ID is reused and the Client audio redirection policy was disabled for the previous session.
[#LC3882]
T he "Restrict session clipboard write" and "Restrict client clipboard write" policies do not work properly for sessions using
Citrix Receiver for Android. As a result, users can copy and paste content between the session and the user device
regardless of the configuration of those two policies.
[#LC3894]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.134
When a connection to a Windows Server 2008 R2 VDA fails due to a license error, the error message "You cannot access
this session because no licenses are available" fails to appear.
[#LC4026]
If you add a file to a user device folder while the associated published application is running and then try to open the file
from within the application, the file might not appear in the application's Open File Dialog - even after clicking the
refresh button.
[#LC4073]
After logging off of a newly installed Feature Pack 3 VDA for Server OS (7.6.300), Citrix Studio might display that VDA's
status as "initializing" rather than "registered." During that time, no new sessions will be brokered for that VDA.
[#LC4188]
T he VDA might become unresponsive at the "Welcome" screen due to a deadlock on picadm.sys.
[#LC4195]
With Generic USB Redirection enabled, each time a generic redirected USB device is physically disconnected and
reconnected within a session, it is treated as a new device. As a result, each time you reconnect such a USB device, an
additional GUID is created for it.
[#LC4259]
COM port mapping can intermittently fail.
[#LC4267]
With Application Prelaunch enabled, a black window might appear temporarily on the user device. T he issue can occur
when you start Citrix Receiver without launching an application.
[#LC4280]
T he Citrix policy "View window contents while dragging" does not work correctly on published desktops. When you log
on to a VDA, windows content is displayed correctly. However, after you reconnect to a disconnected session, the
windows content is no longer displayed.
[#LC4301]
T LS connections between Citrix Receiver for Chrome and VDAs fail if all three of the following conditions are met:
Fix #LC2179 (Hotfix ICAT S760WX64032 or its replacement) is installed on the VDA
T he connection is configured to use SSL
T he Citrix Gateway Protocol (CGP) is disabled
[#LC4405]
When launching an application in a VDA 7.6.300 session, progress bar with the following message might appear for
several minutes before the application launches: "Please wait for Local Session Manager." In the meantime, the
application appears to be unresponsive even though it is launching correctly.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.135
[#LC4406]
Certain applications in a user session might default to an incorrect input method. You can correct that behavior by
clearing the "Let me set a different input method for each app window" check box in various Control Panels. However,
the setting revert to the incorrect defaults when you reconnect to the session.
To keep the settings from reverting, set the following registry key:
HKEY_LOCAL_MACHINE\SYST EM\CurrentControlSet\Control\Citrix
Name: EnableLocalInputSetting
Type: DWORD
Data: 1 (you can change the input method setting)
[#LC4416]
When connecting through the NetScaler Gateway, the SmartAccess Control filters might not be applied correctly.
[#LC4503]
T he presence of non-ASCII characters in a published application path prevents the application from launching.
[#LC4595]
With the "Auto Client Reconnect" policy enabled, attempts to reconnect to a session can fail intermittently and cause
the VDA to reregister. T he following warning message appears:
"Event 1048, Citrix Desktop Service (Warning)
T he Citrix Desktop Service is re-registering with the DDC: "NotificationManager:NotificationServiceT hread: WCF failure
or rejection by broker (<DDC: DDC NAME >)""
[#LC4767]
Smart Cards
In Microsoft Internet Explorer, the user interface for smart card logons to certain websites can be intermittently
unavailable.
[#LC3988]
System Exceptions
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x20.
[#LC3473]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x00000050.
[#LC3921]
After upgrading a VDA for Desktop or Server OS to Version 7.6.300, the Citrix Print Manager Service (CpSvc.exe) can exit
unexpectedly upon logoff.
[#LC4102]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.136
T he Service Host (svchost.exe) process that is registered with Terminal Services (TermService) might exit unexpectedly.
[#LC4150]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x000000C1.
[#LC4334]
When you repeatedly play an .avi file on Windows Media Player, the memory consumption of the wfica32.exe process
might continue to increase until the process exits unexpectedly.
[#LC4335]
VDAs can experience a fatal exception on picadd.sys, displaying a blue screen, upon logoff from a Citrix Receiver session.
[#LC4360]
VDAs can experience a fatal exception with bugcheck code 0x00000044 on ctxdvcs.sys and a blue screen appears.
[#LC4505]
If the registry key HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ICA\T hinwire\DisableOssForProcesses is defined,
attempts to restart the VDA and launch a published desktop can result in a blue screen.
[#LC4597]
User Experience
When attempting to move a Microsoft Excel window within a seamless, dual-monitor session, the window might
experience a delay while redrawing in the new location.
[#LC4441]
Virtual Desktop Components - Other
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x20.
[#LC3473]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x00000050.
[#LC3921]
After upgrading a VDA for Desktop or Server OS to Version 7.6.300, the Citrix Print Manager Service (CpSvc.exe) can exit
unexpectedly upon logoff.
[#LC4102]
T he Service Host (svchost.exe) process that is registered with Terminal Services (TermService) might exit unexpectedly.
[#LC4150]
T he operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x000000C1.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.137
[#LC4334]
When you repeatedly play an .avi file on Windows Media Player, the memory consumption of the wfica32.exe process
might continue to increase until the process exits unexpectedly.
[#LC4335]
VDAs can experience a fatal exception on picadd.sys, displaying a blue screen, upon logoff from a Citrix Receiver session.
[#LC4360]
VDAs can experience a fatal exception with bugcheck code 0x00000044 on ctxdvcs.sys and a blue screen appears.
[#LC4505]
If the registry key HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\ICA\T hinwire\DisableOssForProcesses is defined,
attempts to restart the VDA and launch a published desktop can result in a blue screen.
[#LC4597]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.138
Long Term Service Release (LTSR)
Dec 16, 20 16
Release date: January 11, 2016
Install and upgrade LTSR components
In order to be in compliance with XenApp and XenDesktop 7.6 Long Term Service Release (LT SR), you must upgrade the
components of XenApp and XenDesktop 7.6 that are part of LT SR and part of your deployment to their LT SR versions. For
example: If Provisioning Services is part of your deployment, you must upgrade the Provisioning Services component to its
LT SR version. If Provisioning Services is not part of your deployment, you do not need to install or upgrade it.
Upgrading to the LT SR versions is mandatory for your deployment to qualify for the benefits under the LT SR terms.
In addition, Citrix also recommends specific versions of Citrix Receiver and other components. While not required for LT SR
compliance, upgrading to the current versions of those components ensures further ease of maintenance and the
availability of the latest fixes in your deployment.
Helpful links:
Download LT SR (XenApp)
Download LT SR (XenDesktop)
XenApp and XenDesktop Servicing Options
LT SR Frequently Asked Questions (FAQs)
Product Lifecycle Dates
LT SR Program for Receiver for Windows
LTSR baseline components and mandatory versions
Note
T he following information is specific to the LT SR base release. For the equivalent information for CU1 or CU2, see the respective
documentation.
While it is not necessary for LT SR compliance to have each of the following components in your deployment, you must
upgrade each component you do have in your deployment to the version indicated below.
LTSR Baseline Components
Version
Notes
VDA for Desktop OS
7.6.300
Special rules apply for Windows 10.
See Compatible components and
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.139
platforms.
VDA for Server OS
7.6.300
Delivery Controller
7.6 Update 3
Citrix Studio
7.6 Update 3
Citrix Director
7.6.300
Group Policy Management Experience
7.6.300 (2.5)
StoreFront
3.0.1
Provisioning Services
7.6 Update 1
Special rules apply for Windows 10.
See Compatible components and
platforms.
Universal Print Server
7.6.300
Only Windows 2008 R2 SP1
Windows 2012
Windows 2012 R2 supported
Session Recording
7.6.100
Platinum Edition only
Compatible components and platf orms
T he following components are recommended for use in 7.6 LT SR environments. T hese components are not eligible for the
LT SR benefits (extended lifecycle and fix-only cumulative updates). Citrix may ask you to upgrade to a newer version of
these components within your 7.6 LT SR environments.
Note about Windows 10: Regular support for Windows 10 is available through the Current Release path. Windows 10
does not get the full set of 7.6 LT SR benefits. For deployments that include Windows 10 machines, Citrix recommends that
you use Version 7.9 of the VDA for Desktop OS and of Provisioning Services.
For more information, see Adding Windows 10 Compatibility to XenApp and XenDesktop 7.6 LT SR and the XenApp and
XenDesktop Servicing Options (LT SR) FAQ.
LTSR Compatible Components and Platf orms
Version
Profile Management
5.4
AppDNA
7.6.5
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.140
License Server
11.12.1
HDX RealT ime Optimization Pack
2.0
Windows 10
VDA: Version 7.9
Provisioning Services: Version 7.9
Compatible versions of Citrix Receiver
For ease of maintenance, and to ensure optimal performance, Citrix recommends that you upgrade to the latest version of
Citrix Receiver any time it becomes available. T he latest versions are available for download
at https://www.citrix.com/downloads/citrix-receiver.html. For your convenience, consider subscribing to the Citrix Receiver
RSS feed to receive a notification when a new version of Citrix Receiver becomes available.
Note that Citrix Receiver is not eligible for the XenApp and XenDesktop LT SR benefits (extended lifecycle and fix-only
cumulative updates). Citrix may ask you to upgrade to a newer version of Citrix Receiver within your 7.6 LT SR environments.
In the case of Citrix Receiver for Windows, Citrix has announced a special LT SR program. More information on that program
is available on the Lifecycle Milestones for Citrix Receiver page.
Specifically, LT SR supports the following versions of Citrix Receiver and all later versions:
LTSR Compatible Citrix Receivers
Version
Citrix Receiver for Windows
4.4 or later
Citrix Receiver for Linux
13.2.1 or later
Citrix Receiver for Mac
12.1 or later
Citrix Receiver for Chrome
1.8 or later
Citrix Receiver for HT ML5
1.8 or later
Citrix Receiver for iOS
6.1.1 or later
Citrix Receiver for Android
3.8 or later
Notable exclusions
T he following features, components, and platforms are not eligible for LT SR lifecycle milestones and benefits. Specifically,
cumulative updates and extended lifecycle benefits are excluded. Updates to excluded features and components will be
available through regular current releases.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.141
Excluded Features
Local App Access
Framehawk
Excluded Components
Linux VDA
Personal vDisk
Excluded Windows Platf orms*
Windows 2008 32-bit (for Universal Print Server)
* Citrix reserves the right to update platform support based on third party vendors’ lifecycle milestones.
Upgrading to XenApp and XenDesktop 7.6 LTSR
You can upgrade to LT SR directly from XenApp and XenDesktop 7.6, and from any of the three 7.6 Feature Packs.
Download locations:
Download LT SR (XenApp)
Download LT SR (XenDesktop)
T he good news: T he LT SR versions of many components have been available for a while, mainly as part of Feature Pack 3.
T hat means if you have upgraded your deployment to Feature Pack 3, many components are already LT SR compliant. In
those cases, no further action is required on your part. Look for T his version was first released in the sections of the various
components below to find out whether you need to upgrade beyond Feature Pack 3.
A word of caution before you upgrade the Controller: Upgrading to the LT SR version of the Controller will modify one or
more of the DbSchemas of your Site data store. T hese modifications are permanent and irreversible - you cannot revert
those modifications automatically. So before you upgrade the Controller, be sure to read and understand the section on
upgrading to the LT SR version of the Controller.
Virtual Delivery Agent (VDA) for Desktop OS 7.6.300
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.142
LT SR Version: VDA for Desktop OS 7.6.300
T his version was first released: September 30, 2015 as part of Feature Pack 3 (VDAWorkstationSetup_7.6.300.exe)
System requirements
Fixed Issues
Installing/Upgrading
Download and run VDAWorkstationSetup_7.6.300.exe on the machine where you want install the VDA. Use either the
graphical interface or the command line.
For more information, see Install VDAs using the standalone package.
Virtual Delivery Agent (VDA) for Server OS 7.6.300
LT SR Version: VDA for Server OS 7.6.300
T his version was first released: September 30, 2015 as part of Feature Pack 3 (VDAServerSetup_7.6.300.exe)
System requirements
Fixed Issues
Installing/Upgrading
Download and run VDAServerSetup_7.6.300.exe on the machine where you want install the VDA. Use either the graphical
interface or the command line.
T he VDA for Windows Server OS installation automatically deploys Microsoft Visual C++ 2013 runtime (32-bit and 64-bit),
as well as 2008 and 2010 runtimes (32-bit and 64-bit). Microsoft Visual C++ 2005 is no longer deployed. T hese pre-requisites
will initiate a server restart, with the VDA installation continuing after the restart.
For more information, see Install VDAs using the standalone package.
Delivery Controller 7.6.3 (Controller Hotfixes Update 3)
LT SR version: Delivery Controller 7.6.3
T his version was first released: November 12, 2015 as Delivery Controller 7.6.3 (Controller Hotfixes Update 3)
System requirements
Fixed issues (32-bit)
Fixed issues (64-bit)
Installing/Upgrading
If your Controller is at Version 7.6.3:
Version 7.6.3 (Controller Hotfixes Update 3) of the Controller is the LT SR version. If you have previously upgraded to Version
7.6.3, your Controller is LT SR compliant, you do not need to upgrade it, and you can skip to the Citrix Studio
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.143
section. Important: Make sure that all components of Version 7.6.3 are installed; otherwise, your Controller might be left in
an unstable state.
If your Controller is at Version 7.6, 7.6.1, or 7.6.2:
To be LT SR compliant, you need to upgrade your Controller to the LT SR version. To do this, download the LT SR version to
your Controller and follow the upgrade instructions below.
Caution: Downgrades, also known as rollbacks, from individual Controller components are not supported and might leave
your systems in an unstable state. T he Controller components do not patch the existing installations - each fully replaces
the original component with a new installation. As a result, uninstalling a component removes the entire component from
the Controller. If the need arises to revert to an earlier version of the Controller, you must uninstall each component and
then reinstall the earlier versions of each. Reverting to an earlier version of a component might result in the loss of settings
you configure while this upgrade is installed.
Important: All components of the LT SR Version must be installed; otherwise, your Controller might be left in an unstable
state.
If you are upgrading from the base (RT M) version of the 7.6 Controller, install all components of the LT SR Controller.
If you are upgrading from Delivery Controller 7.6.1 (Controller Hotfixes Update 1) or Delivery Controller 7.6.2 (Controller
Hotfixes Update 2), install only the components that are new in the LT SR version compared to the earlier release you
already installed. T here is no need to install the individual components in a specific order.
T o upgrade successfully, servers must not have registry modification restrictions in place.
For supplemental information about installing XenDesktop/XenApp 7.x Controller updates, see CT X201988.
Upgrading from Delivery Controller 7.6.2 (Controller Hotfixes Update 2)
Caution. By design, the Broker Service (BrokerSrvc760WX64003.msi) component modifies the Broker DbSchema of your Site
data store. T hese modifications are permanent and irreversible. Should you decide, for any reason, to uninstall the Broker
Service component at a later time, these modifications do not revert automatically. As a matter of precaution, Citrix
recommends strongly that you back up your Site data store before installing the Broker Service component. Doing so
allows you to manually restore your Site data store to the backed up version. Even so, any changes you make to your Site
data store between backing up and restoring it are lost. For information about backing up and restoring data
stores, see CT X135207.
T he DbSchema update succeeds only if at least one Site is created. If you have not yet created a Site, create at least one
Site before installing this update. Otherwise, the install fails to update the existing DbSchema and you will need to rebuild
your XenDesktop.
Note: After the upgrade to this release, a prompt appears for the License Server compatibility check in Citrix Studio that
makes sure that your License Server is the required version. If you are using the License Server released with XenDesktop 7.6
or from a more recent version, you do not need to upgrade the License Server. Click Continue to proceed with the
DBschema upgrade.
1. Make sure to verify that you are upgrading from a 7.6.2 Controller. Otherwise, see Upgrading from Delivery Controller
7.6.1 or 7.6 below.
2. Make sure that at least one Site exists.
3. Back up your Site data store.
4. Copy the release package to a shared folder on the network.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.144
5. Save the component msi file(s) on the Delivery Controller you want to update.
6. Run the .msi files.
7. Restart the Delivery Controller even if not prompted to do so.
8. T o upgrade to the latest DbSchema installed by this release, go to the Citrix Studio Dashboard and click Upgrade.
Upgrading from Delivery Controller 7.6.1 or 7.6
Note. T his section does not apply if you are upgrading from Version 7.6.2 of the Controller.
Caution. By design, both the Broker Service (BrokerSrvc760WX64003.msi) and the Host Service (HostSrvc760WX64003.msi)
components modify the Broker and the Host DbSchemas, respectively, of your Site data store. T hese modifications are
permanent and irreversible. Should you decide, for any reason, to uninstall the Broker Service or the Host Service
component at a later time, these modifications do not revert automatically. As a matter of precaution, Citrix recommends
strongly that you back up your Site data store before installing the Broker Service and the Host Service component. Doing
so allows you to manually restore your Site data store to the backed up version. Even so, any changes you make to your
Site data store between backing up and restoring it are lost. For information about backing up and restoring your data
stores, see CT X135207.
T he DbSchema update succeeds only if at least one Site is created. If you have not yet created a Site, create at least one
Site before installing this update. Otherwise, the install fails to update the existing DbSchema and you will need to rebuild
your XenDesktop.
Note. After the upgrade to this release, a prompt appears for the License Server compatibility check in Citrix Studio that
makes sure that your License Server is the required version. If you are using the License Server released with XenDesktop 7.6
or from a more recent version, you do not need to upgrade the License Server. Click Continue to proceed with the
DBschema upgrade.
1. Make sure that at least one Site exists.
2. Back up your Site data store.
3. Copy the release package to a shared folder on the network.
4. Save the component msi file(s) on the Delivery Controller you want to update.
5. Run the .msi files.
6. Restart the Delivery Controller even if not prompted to do so.
7. T o upgrade to the latest DbSchema installed by this release, go to the Citrix Studio Dashboard and click Upgrade.
Uninstalling Delivery Controller components(s) and reverting to earlier levels of the component(s) and the Site data store
1. Uninstall the component(s) from ARP/Programs and Features.
2. Restore the data store(s) as described in CT X135207.
3. Install the desired level of the component(s) (base or later release).
4. Restart the Controller even if not prompted to do so.
Citrix Studio 7.6 Update 3
LT SR Version: Citrix Studio 7.6 Update 3
T his version was first released: October 29, 2015 as Hotfix DStudio760WX64003; Hotfix DStudio760WX86003
System requirements
Fixed Issues
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.145
64-bit
32-bit
Known Issues
If Citrix Studio is open during an upgrade, if you select the setting "Close the applications and attempt to restart them" on
the Files in Use page of the installation wizard of this hotfix, the following message might appear:
"Setup was unable to automatically close all requested applications. Please ensure that the applications holding files in use
are closed before continuing with the installation."
If the message appears, you can safely close the message and click OK to continue with the installation.
Installing/Upgrading
Download the LT SR version of Citrix Studio and follow the installation instructions provided in CT X201572.
Citrix Director 7.6.300
LT SR version: Director 7.6.300
T his version was first released: September 30 as part of Feature Pack 3 (Director_7.6.300.zip)
System requirements
Check that you have selected all the required features in IIS. For the full list, see CT X142260. Install the Citrix Group Policy
Management component if you haven't already done so.
Fixed issues
Installing/Upgrading
Download the LT SR version of Citrix Director to the server running Director and follow the instructions at Director.
Group Policy Management 7.6.300 (2.5)
LT SR version: Group Policy Management 7.6.300
T his version was first released: September 30 as part of Feature Pack 3 (CitrixGroupPolicyManagement_7.6.300.zip)
System requirements:
Computers running Windows 7, Windows 8, Windows 8.1, Server 2008 R2, Server 2012, or Server 2012 R2
T he new and enhanced HDX technologies features in the VDA are managed using the updated Group Policy Management
package. Note: Once installed, this component shows as Version 2.5.0.0 in Programs & Features.
Installing/Upgrading
Citrix Group Policy Management needs to be installed on the system where Director is installed for enabling policies to be
displayed on the User Details View. Download and install the LT SR version of Citrix Group Policy Management (Citrix Policy)
on the server where Director is running. T hen launch Studio or GPMC and the new and updated policies are displayed.
For more information on the updated policies, see: Visual display policy settings for enhanced T hinwire compatibility
mode; USB devices policy settings for support for signature devices and drawing tablets; and Flash
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.146
redirection and Multimedia policy settings for video fallback prevention.
StoreFront 3.0.1
LT SR version: 3.0.1
T his version was first released on September 30, 2015 as part of Feature Pack 3 (CitrixStoreFront-x64.exe)
System requirements
Fixed issues
Known issues
Installing/Upgrading
Download the LT SR version of StoreFront to the StoreFront server and follow the Upgrade instructions.
Provisioning Services 7.6 Update 1
LT SR version: Provisioning Services 7.6 Update 1 (Provisioning Services 7.6 Cumulative Update 1 for Server and Console);
PVS760TargetDeviceWX64001.zip, PVS760TargetDeviceWX86001.zip
T his version was first released: September 15, 2015 as PVS760ConsoleServerWX86001.zip;
PVS760ConsoleServerWX64001.zip
Provisioning Services 7.6 Update 1 includes fixes for over 40 issues found in the base 7.6 version.
System requirements
Fixed issues
Console, Server (64-bit | 32-bit)
T arget Devices (64-bit | 32-bit)
Installing/Upgrading
Download the LT SR version of Provisioning Services and follow the installation instructions in Installing Provisioning Services
Console Software (Console), Installing Provisioning Services Server Software (Server), and CT X135746 (Target Devices).
Session Recording 7.6.100
LT SR version: 7.6.100
T his version was first released on June 30, 2015 as part of Feature Pack 2 (SessionRecording7.6.100.zip)
Session Recording 7.6.100 as released as part of Feature Pack 2 includes the following new features and enhancements.
You can specify the connection credentials to the database when installing the Session Recording Database
component.
You can test the connectivity of database during the installation of the Session Recording Database and Session
Recording Server components and test the connectivity of the Session Recording Server during the installation of
Session Recording Agent component.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.147
Microsoft Shared Management Objects is no longer requirement for Session Recording Database installation.
Citrix Experience Improvement Program (CEIP) is integrated in Session Recording. For more information, see About the
Citrix Customer Experience Improvement Program. Existing settings are retained during upgrade.
System requirements
Installing/Upgrading
Download the LT SR version and then follow the upgrade instructions.
Known issues with Session Recording 7.6.100 when used in an LT SR deployment:
Recordings of Microsoft Paint sessions do not play back correctly in the Session Recording Player. [#0604700]
An error occurs when you play back a session that was recorded on a multiple-monitor user device. [#0605129]
Universal Print Server 7.6.300
LT SR version: 7.6.300
T his version was first released on September 30, 2015 as part of Feature Pack 3 (UpsServer_7.6.300.zip)
Note: Universal Print Server consists of both client and server components. T he client component installs as part of the
VDAs; therefore no client installation files are included in the LT SR version. On the server side, LT SR does not support
Universal Print Server on 32-bit Windows operating systems; therefore, only the 64-bit server installer is included.
System requirements
Fixed issues
Installing/Upgrading
T he Universal Print Server package contains updated versions of the standalone UPS server component (UpsServer_x64.msi)
and the prerequisite vcredist_x64.exe, vcredist_x86.exe, and cdf_x64.msi files.
1. Download the LT SR version to a Windows 2008 R2 SP1, Windows Server 2012, or Windows Server 2012 R2 print server.
2. Install the prerequisite vcredist_x64.exe, vcredist_x86.exe, and cdf_x64.msi files.
3. Install the Universal Print Server component, UpsServer_x64.msi.
4. Restart the server after installing the Universal Print Server component.
T he UPClient component is part of the VDA installation. As a result, you do not need to manually install the client
component, and it is not included as a standalone component of the LT SR version.
For more information, see Provision printers.
HDX Flash redirection
HDX Flash redirection offloads the processing of most Adobe Flash content (including animations, videos, and applications)
to users' LAN- and WAN-connected Windows devices, which reduces server and network load. T his results in greater
scalability while ensuring a high definition user experience.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.148
T he client-side components are installed as part of the Desktop and Server OS VDAs. As a result, upgrading to the LT SR
versions of the VDAs upgrades your deployment to the latest version of HDX Flash redirection.
T here are no server-side components to install. However, configuring Flash redirection requires both server-side and clientside settings. For information about configuring Flash redirection, see Flash Redirection. For the latest updates to HDX
Flash compatibility, see CT X136588.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.149
Features not in this release
Oct 0 4 , 20 16
Deprecated f eatures
XenApp and XenDesktop 7.6 LT SR is based on XenApp and XenDesktop 7.6 RT M. T he following features were deprecated
in Version 7.6 RT M, and continue to be deprecated in LT SR:
Launch touch-optimized desktop - T his setting has been disabled for Windows 10 machines. For more information,
see Mobile experience policy settings.
Secure ICA encryption below 128-bit - In releases earlier than 7.x, Secure ICA could encrypt client connections for
basic, 40-bit, 56-bit, and 128-bit encryption. In 7.x releases, Secure ICA encryption is available only for 128-bit encryption.
Legacy printing - T he following printing features are not supported in 7.x releases:
Backward compatibility for DOS clients and 16-bit printers, including legacy client printer name.
Support for printers connected to Windows 95 and Windows NT operating systems, including enhanced extended
printer properties and Win32FavorRetainedSetting.
Ability to enable or disable auto-retained and auto-restored printers.
DefaultPrnFlag, a registry setting for servers that is used to enable or disable auto-retained and auto-restored
printers, which store in user profiles on the server.
Secure Gateway - In releases earlier than 7.x, Secure Gateway was an option to provide secure connections between
the server and user devices. NetScaler Gateway is the replacement option for securing external connections.
Shadowing users - In releases earlier than 7.x, administrators set policies to control user-to-user shadowing. In 7.x
releases, shadowing end-users is an integrated feature of the Director component, which uses Windows Remote
Assistance to allow administrators to shadow and troubleshoot issues for delivered seamless applications and virtual
desktops.
Power and Capacity Management - In releases earlier than 7.x, the Power and Capacity Management feature could
be used to help reduce power consumption and manage server capacity. T he Microsoft Configuration Manager is the
replacement tool for this function.
Flash v1 Redirection - Clients that do not support second generation Flash Redirection (including Receiver for Windows
earlier than 3.0, Receiver for Linux earlier than 11.100, and Citrix Online Plug-in 12.1) will fall back to server-side rendering
for legacy Flash Redirection features. VDAs included with 7.x releases support second generation Flash Redirection
features.
Local Text Echo - T his feature was used with earlier Windows application technologies to accelerate the display of
input text on user devices on high latency connections. It is not included in 7.x releases due to improvements to the
graphics subsystem and HDX SuperCodec.
Smart Auditor - In releases earlier than 7.x, Smart Auditor allowed you to record on-screen activity of a user's session.
T his component is not available in 7.x releases. In 7.6 Feature Pack 1, it is replaced by Session Recording.
Single Sign-on - T his feature, which provides password security, is not supported for Windows 8 and Windows Server
2012 environments. It is still supported for Windows 2008 R2 and Windows 7 environments, but is not included with 7.x
releases. You can locate it on the Citrix download website: http://citrix.com/downloads.
Oracle database support - 7.x releases require a SQL Server database.
Health Monitoring and Recovery (HMR) - In releases earlier than 7.x, HMR could run tests on the servers in a server
farm to monitor their state and discover any health risks. In 7.x releases, Director offers a centralized view of system
health by presenting monitoring and alerting for the entire infrastructure from within the Director console.
Custom ICA f iles - Custom ICA files were used to enable direct connection from user devices (with the ICA file) to a
specific machine. In 7.x releases, this feature is disabled by default, but can be enabled for normal usage using a local
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.150
group or can be used in high-availability mode if the Controller becomes unavailable.
Management Pack f or System Center Operations Manager (SCOM) 2007 - T he management pack, which
monitored the activity of farms using SCOM, does not support 7.x releases.
CNAME f unction - T he CNAME function was enabled by default in releases earlier than 7.x. Deployments depending on
CNAME records for FQDN rerouting and the use of NET BIOS names might fail. In 7.x releases, Delivery Controller autoupdate is the replacement feature that dynamically updates the list of Controllers and automatically notifies VDAs when
Controllers are added to and removed from the Site. T he Controller auto-update feature is enabled by default in Citrix
policies, but can be disabled by creating a policy.
Alternatively, you can re-enable the CNAME function in the registry to continue with your existing deployment and allow
FQDN rerouting and the use of NET BIOS names. For more information, see CT X137960.
Quick Deploy wizard - In Studio releases earlier than 7.x, this option allowed a fast deployment of a fully installed
XenDesktop deployment. T he new simplified installation and configuration workflow in 7.x releases eliminates the need
for the Quick Deploy wizard option.
Remote PC Service conf iguration f ile and PowerShell script f or automatic administration - Remote PC is now
integrated into Studio and the Controller.
Workf low Studio - In releases earlier than 7.x, Workflow Studio was the graphical interface for workflow composition
for XenDesktop. T he feature is not supported in 7.x releases.
Color depth - In Studio releases earlier than 7.6, this option in the Delivery group User Setting page set the color depth
for a Delivery group. In version 7.6, Delivery group color depth can be set using the New-BrokerDesktopGroup or SetBrokerDesktopGroup PowerShell cmdlet.
Launching of non-published programs during client connection - In releases earlier than 7.x, this Citrix policy setting
specified whether to launch initial applications or published applications through ICA or RDP on the server. In 7.x releases,
this setting specifies only whether to launch initial applications or published applications through RDP on the server.
Desktop launches - In releases earlier than 7.x, this Citrix policy setting specified whether non-administrative users can
connect to a desktop session. In 7.x releases, non-administrative users must be in a VDA machine's Direct Access Users
group to connect to sessions on that VDA. T he Desktop launches setting enables non-administrative users in a VDA's
Direct Access Users group to connect to the VDA using an ICA connection. T he Desktop launches setting has no
effect on RDP connections; users an VDA's Direct Access Users group can connect to the VDA using an RDP
connection whether or not this setting is enabled.
Features not in Receiver or that have dif f erent def ault values
Citrix Receiver Enterprise Edition and of f line plug-in — Both Citrix Receiver Enterprise Edition and offline plug-in
have reached End-of-Life. T hey are not being updated as part of the LT SR installer. Customers are encouraged to
deploy the latest version of Citrix Receiver for Windows instead.
COM Port Mapping — COM Port Mapping allowed or prevented access to COM ports on the user device. COM Port
Mapping was previously enabled by default. In 7.x releases of XenDesktop and XenApp, COM Port Mapping is disabled by
default. For details, see Configure COM Port and LPT Port Redirection settings using the registry.
LPT Port Mapping — LPT Port Mapping controls the access of legacy applications to LPT ports. LPT Port Mapping was
previously enabled by default. In 7.x releases, LPT Port Mapping is disabled by default.
PCM Audio Codec — Only HT ML5 clients support the PCM Audio Codec in 7.x releases.
Support f or Microsof t ActiveSync.
Proxy Support f or Older Versions — T his includes:
Microsoft Internet Security and Acceleration (ISA) 2006 (Windows Server 2003).
Oracle iPlanet Proxy Server 4.0.14 (Windows Server 2003).
Squid Proxy Server 3.1.14 (Ubuntu Linux Server 11.10).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.151
Known issues
Jun 19, 20 17
Known issues in Cumulative Update 5
Attempts to upgrade from Versions 2.5 or 2.6 of StoreFront to any version of StoreFront included with any Cumulative
Update for XenApp and XenDesktop 7.6 LT SR can fail. T he issue occurs when the StoreFront Management Console is open
or a PowerShell session is running during the upgrade and without warning. T he issue is limited to systems running Windows
2012 R2 Server with .NET 4.6 or .NET 4.7 updates installed. [#3283]
Known issues in Cumulative Update 4
No new issues have been found in CU4 to date.
Known issues in Cumulative Update 3
No new issues have been found in CU3 to date.
Known issues in Cumulative Update 2
Attempts to manually update XenDesktop 5.6, 7.1, 7.5, or XenApp 7.5 deployments using the PowerShell SDK can fail to
upgrade one or more DBSchemas. As a workaround, upgrade the Site DBschema using the Automatic or Manual Site
upgrade methods from Citrix Studio rather than using the PowerShell SDK.
[#LCM-903]
When using Citrix Receiver for Linux, HDX Flash redirection can fall back to server-side rendering and the websites are
added to the dynamic blacklist. As a workaround, use Emulation Mode.
[#LCM-944]
Citrix Studio can exit unexpectedly upon launch. T he issue occurs if you have Studio and Storefront installed on a single
Windows 2008 R2 SP1 system that was previously updated with Microsoft articles KB3163251 and KB3135996v2. T he
following error message appears in the Event Viewer:
“.NET Runtime version 2.0.50727.5485 - Fatal Execution Engine Error.”
As a workaround, run the following prompt from the command line:
"C:\windows\microsoft.net\framework64\v2.0.50727\ngen update /force"
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.152
[#LCM-969]
Attempts to install VDA for Server OS can fail with a generic error code 1603. For more information, including a
workaround, see Knowledge Center article CT X213807.
[#LCM-1013]
Note: T his issue is fixed as #LC6934 in CU4.
Certain websites, including Qumu, are automatically blacklisted and fall back to server-side content rendering. As a
workaround to keep affected sites from being blacklisted, set the following registry key on the VDA:
HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer
Name: SupportedUrlHeads
T ype: REG_MULT I_SZ
Data: <each value on a separate line, null separated:>
http://
https://
file://
[#LCM-1605]
Note: T his issue is fixed as #LC6471 in CU3.
After installing StoreFront 3.0.1000 or 3.0.2000, the management console fails to start and the following error message
appears: "T he Management console is unavailable because of a root certificate missing, go to verisign and download the
certificate - Verisign class primary CA - G5." For more information, see Knowledge Center article CT X218815.
[#LC6471]
Note: T his issue is fixed as #LC6816 in CU3.
Upgrading StoreFront to version 3.0.2000 from version 2.5 fails with Error 1603. For more information, see Knowledge
Center article CT X220411.
[#LC6816]
Known issues in Cumulative Update 1
If you install a component of this release using its standalone msi (not recommended) rather than through the
Metainstaller, a prompt appears for the License Server compatibility check in Desktop Studio that makes sure that your
License server is the required version. If you are using the License server released with XenApp/Desktop 7.6 or from a
more recent version, you do not need to upgrade the License server. Click Continue to proceed with the DBschema
upgrade.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.153
[#575064]
When you upgrade an instance of Version 11.12.1 of the license server (included in the XenApp/XenDesktop 7.6 RT M
release) that was deployed using Active Directory, both the Citrix Licensing and the Citrix Licensing Support Services are
disabled.
T o prevent this issue, install Version 11.13.1 of the license server using citrixlicensing.exe from the CU1 media before
installing the rest of CU1.
[#630116]
Note: T his issue is fixed as #630814 in CU2.
Site Setup in Citrix Studio might fail to proceed when choosing "Use an existing license." As a workaround, restart the
“Citrix Web Services for Licensing” service on the license server to complete its configuration.
[#630814]
If you install a component of this release using its standalone msi (not recommended) rather than through the
Metainstaller, Citrix Scout displays dual entries for that component.
[#636862]
Note: T his issue is fixed as #LC6471 in CU3.
After installing StoreFront 3.0.1000 or 3.0.2000, the management console fails to start and the following error message
appears: "T he Management console is unavailable because of a root certificate missing, go to verisign and download the
certificate - Verisign class primary CA - G5." For more information, see Knowledge Center article CT X218815.
[#LC6471]
Note: T his issue is fixed as #LC6816 in CU3.
Upgrading StoreFront to version 3.0.2000 from version 2.5 fails with Error 1603. For more information, see Knowledge
Center article CT X220411.
[#LC6816]
Known issues in LTSR
Attempts to update a XenApp 6.5 server to become a VDA for Server OS can fail. T he issue occurs on XenApp 6.5 servers
that were installed in Controller and Session-Host mode because the Citrix XML Service shares a common port with IIS
Server.
As a workaround, uninstall XenApp 6.5 server, restart the server, and then install LT SR or its current Cumulative Update.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.154
For more information, see Upgrade a XenApp 6.5 worker to a new VDA for Windows Server OS.
[#LCM-893]
Note: T his issue is fixed as #LC5098 in the LT SR CU2 VDAs.
After updating your VDAs to 7.6 LT SR (7.6.300), client-side content redirection for DirectShow based applications (for
example, - QUMU, QVOP) does not work, and videos fail to render.
[#LC5098-x]
T he VDA metainstaller no longer includes or updates the following Citrix clients:
Citrix Receiver for Windows, Enterprise Edition
Offline plug-in
Both clients have reached End of Life. T he latest version of Citrix Receiver is available for download
athttps://www.citrix.com/downloads/citrix-receiver.html.
[#XA-1532]
Universal Print Server printers selected on the virtual desktop do not appear in the Devices and Printers window in
Windows Control Panel. However, when users are working in applications, they can print using those printers. T his issue
occurs only on the Windows Server 2012, Windows 10 and Windows 8 platforms. For more information, see Knowledge
Center article CT X213540. [#335153]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.155
System requirements
Dec 15, 20 17
In this article:
Session Recording
Delivery Controller
Database
Studio
Director
Virtual Delivery Agent (VDA) for Windows Desktop OS
Virtual Delivery Agent (VDA) for Windows Server OS
Hosts / Virtualization resources
Active Directory functional level support
HDX - Desktop Composition Redirection
HDX - Windows Media Delivery
HDX - Flash Redirection
HDX 3D Pro
HDX - Video conferencing requirements for webcam video compression
HDX - Other
Universal Print Server requirements
Other requirements
T he system requirements in this document were valid when this product version released. System requirements components
not covered here (such as StoreFront, host systems, receivers and plug-ins, and Provisioning Services) are described in their
respective documentation.
Important: Review Prepare to install before beginning an installation.
Unless otherwise noted, the component installer deploys software prerequisites automatically (such as .NET and C++
packages) if they are not detected on the machine. T he Citrix installation media also contains some of this prerequisite
software.
T he installation media contains several third-party components. Before using the Citrix software, check for security
updates from the third party, and install them.
T he disk space values are estimates only, and are in addition to space needed for the product image, operating system, and
other software.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.156
If you install all the core components (Controller with SQL Server Express, Studio, Director, StoreFront, and Licensing) on a
single server, you need a minimum of 3 GB of RAM to evaluate the product; more is recommended when running an
environment for users. Performance will vary depending on your exact configuration, including the number of users,
applications, desktops, and other factors.
Important: After you install XenApp on a Windows Server 2012 R2 system, use the Kerberos Enable T ool (XASsonKerb.exe)
to ensure the correct operation of Citrix Kerberos authentication. T he tool is located Support > T ools > XASsonKerb folder
on the installation media; you must have local administrator privileges to use the tool. T o ensure correct Kerberos
operation, run xassonkerb.exe -install from a command prompt on the server. If you later apply an update that changes the
registry location HKLM\System\CurrentControlSet\Control\LSA\OSConfig, run the command again. T o see all available tool
options, run the command with the -help parameter.
Session Recording
Session Recording Administration components
You can install the Session Recording Administration components (Session Recording Database, Session Recording Server,
and Session Recording Policy Console) on a single server or on separate servers.
Session Recording Database
Supported operating systems:
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2008 R2 with Service Pack 1
Requirements:
.NET Framework Version 3.5 Service Pack 1 (Windows Server 2008 R2 only) or .NET Framework Version 4.5.2 or 4.6.
Session Recording Server
Supported operating systems:
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012Microsoft Windows Server 2008 R2 with Service Pack 1
Requirements:
Before starting the Session Recording installation, you must install some prerequisites. Open the Server Manager and add
the IIS role. Select the following options:
Application Development:
ASP.NET 4.5 on Server 2012 and Server 2012 R2, ASP.NET on Server 2008 R2 (other components are automatically
selected. Click Add to accept required roles)
Security - Windows Authentication
Management T ools - IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.157
IIS 6 Scripting T ools
IIS 6 Management Console
NET Framework Version 3.5 Service Pack 1 (Windows Server 2008 R2 only) or .NET Framework Version 4.5.2 or 4.6.
If the Session Recording Server uses HT T PS as its communications protocol, add a valid certificate. Session Recording
uses HT T PS by default, which Citrix recommends.
Microsoft Message Queuing (MSMQ), with Active Directory integration disabled, and MSMQ HT T P support enabled.
Session Recording Policy Console
Supported operating systems:
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2008 R2 with Service Pack 1
Requirements:
.NET Framework Version 3.5 Service Pack 1 (Windows Server 2008 R2 only) or .NET Framework Version 4.5.2 or 4.6.
Session Recording Agent
Install the Session Recording Agent on every XenApp and XenDesktop server on which you want to record sessions.
Supported operating systems:
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2008 R2 with Service Pack 1
Requirements:
Microsoft Message Queuing (MSMQ), with Active Directory integration disabled, and MSMQ HT T P support enabled
.NET Framework Version 3.5 Service Pack 1 (Windows Server 2008 R2 only) or .NET Framework Version 4.5.2 or 4.6.
Session Recording Player
Supported operating systems:
Microsoft Windows 8.1
Microsoft Windows 8
Microsoft Windows 7 with Service Pack 1
For optimal results, install Session Recording Player on a workstation with:
Screen resolution of 1024 x 768
Color depth of at least 32-bit
Memory: 1GB RAM (minimum). Additional RAM and CPU/GPU resources can improve performance when playing graphics
intensive recordings; especially when there are a lot of animations in the recordings.
T he seek response time depends on the size of the recording and your machine's hardware specification.
Requirements:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.158
.NET Framework Version 3.5 Service Pack 1 or .NET Framework Version 4.5.2 or 4.6.
Delivery Controller
Supported operating systems:
Windows Server 2012 R2, Standard and Datacenter Editions
Windows Server 2012, Standard and Datacenter Editions
Windows Server 2008 R2 SP1, Standard, Enterprise, and Datacenter Editions
Requirements:
Disk space: 100 MB. Connection leasing (which is enabled by default) adds to this requirement; sizing depends on the
number of users, applications, and mode (RDS or VDI). For example, 100,000 RDS users with 100 recently-used
applications require approximately 3 GB of space for connection leases; deployments with more applications may require
more space. For dedicated VDI desktops, 40,000 desktops require at least 400-500 MB. In any instance, providing several
GBs of additional space is suggested.
Microsoft .NET Framework 3.5.1 (Windows Server 2008 R2 only).
Microsoft .NET Framework 4.5.2, 4.6, 4.6.1
Windows PowerShell 2.0 (included with Windows Server 2008 R2) or 3.0 (included with Windows Server 2012 R2 and
Windows Server 2012).
Visual C++ 2005, 2008 SP1, and 2010 Redistributable packages.
Database
Supported Microsoft SQL Server versions for the Site Configuration Database (which initially includes the Configuration
Logging Database and the Monitoring Database):
SQL Server 2017, Express, Standard, and Enterprise Editions.
SQL Server 2016, Express, Standard, and Enterprise Editions.
SQL Server 2014 through SP2, Express, Standard, and Enterprise Editions.
SQL Server 2012 through SP3, Express, Standard, and Enterprise Editions. By default, prior to CU4, SQL Server 2012 SP1
Express is installed when you install the Controller unless an existing, supported SQL Server installation is detected. As of
CU4, SQL Server 2012 SP3 Express is installed when you install the Controller unless an existing, supported SQL Server
installation is detected.
SQL Server 2008 R2 SP2 and SP3, Express, Standard, Enterprise, and Datacenter Editions.
T he following database features are supported (except for SQL Server Express, which supports only standalone mode):
SQL Server Clustered Instances
SQL Server Mirroring
SQL Server AlwaysOn Availability Groups (including Basic Availability Groups)
Windows authentication is required for connections between the Controller and the SQL Server database.
For information about the latest supported database versions, see CT X114501.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.159
Studio
Supported operating systems:
Windows 8.1, Professional and Enterprise Editions
Windows 8, Professional and Enterprise Editions
Windows 7 Professional, Enterprise, and Ultimate Editions
Windows Server 2012 R2, Standard and Datacenter Editions
Windows Server 2012, Standard and Datacenter Editions
Windows Server 2008 R2 SP1, Standard, Enterprise, and Datacenter Editions
Requirements:
Disk space: 75 MB
Microsoft .NET Framework 4.6.1
Microsoft .NET Framework 4.5.2, 4.6
Microsoft .NET Framework 3.5 SP1 (Windows Server 2008 R2 and Windows 7 only)
Microsoft Management Console 3.0 (included with all supported operating systems)
Windows PowerShell 2.0 (included with Windows 7 and Windows Server 2008 R2) or 3.0 (included with Windows 8.1,
Windows 8, Windows Server 2012 R2, and Windows Server 2012)
Director
Supported operating systems:
Windows Server 2012 R2, Standard and Datacenter Editions
Windows Server 2012, Standard and Datacenter Editions
Windows Server 2008 R2 SP1, Standard, Enterprise, and Datacenter Editions
Requirements:
Disk space: 50 MB.
Microsoft .NET Framework 4.5.2, 4.6
Microsoft .NET Framework 3.5 SP1 (Windows Server 2008 R2 only)
Microsoft Internet Information Services (IIS) 7.0 and ASP.NET 2.0. Ensure that the IIS server role has the Static Content
role service installed. If these are not already installed, you are prompted for the Windows Server installation media, then
they are installed for you.
Supported browsers for viewing Director:
Internet Explorer 11 and 10.
Compatibility mode is not supported for Internet Explorer. You must use the recommended browser settings to access
Director. When you install Internet Explorer, accept the default to use the recommended security and compatibility
settings. If you already installed the browser and chose not to use the recommended settings, go to Tools > Internet
Options > Advanced > Reset and follow the instructions.
Firefox ESR (Extended Support Release).
Chrome.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.160
Virtual Delivery Agent (VDA) for Windows Desktop OS
Supported operating systems:
For information about Windows 10 compatibility, see our blog.
Windows 8.1, Professional and Enterprise Editions
Windows 8, Professional and Enterprise Editions
Windows 7 SP1, Professional, Enterprise, and Ultimate Editions
To use the Server VDI feature, you can use the command line interface to install a VDA for Windows Desktop OS on a
supported server operating system; see Server VDI for guidance.
Windows Server 2012 R2, Standard and Datacenter Editions
Windows Server 2012, Standard and Datacenter Editions
Windows Server 2008 R2 SP1, Standard, Enterprise, and Datacenter Editions
Requirements:
Microsoft .NET Framework 4.5.2, 4.6, 4.6.1
Microsoft .NET Framework 3.5.1 (Windows 7 only)
Microsoft Visual C++ 2005, 2008, and 2010 Runtimes (32-bit and 64-bit).
Microsoft Visual C++ 2008, 2010 and 2013 Runtimes (32-bit and 64-bit). T his applies to XenApp and XenDesktop VDA
Standalone installations.
Remote PC Access uses this VDA, which you install on physical office PCs.
Several multimedia acceleration features (such as HDX MediaStream Windows Media Redirection) require that Microsoft
Media Foundation be installed on the machine on which you install the VDA. If the machine does not have Media
Foundation installed, the multimedia acceleration features will not be installed and will not work. Do not remove Media
Foundation from the machine after installing the Citrix software; otherwise, users will not be able to log on to the machine.
On most Windows 8.1, Windows 8, and Windows 7 editions, Media Foundation support is already installed and cannot be
removed. However, N editions do not include certain media-related technologies; you can obtain that software from
Microsoft or a third party.
During VDA installation, you can choose to install the HDX 3D Pro version of the VDA for Windows Desktop OS. T hat
version is particularly suited for use with DirectX and OpenGL-driven applications and with rich media such as video.
Virtual Delivery Agent (VDA) for Windows Server OS
Supported operating systems:
Windows Server 2012 R2, Standard and Datacenter Editions
Windows Server 2012, Standard and Datacenter Editions
Windows Server 2008 R2 SP1, Standard, Enterprise, and Datacenter Editions
T he installer automatically deploys the following requirements, which are also available on the Citrix installation media in the
Support folders:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.161
Microsoft .NET Framework 4.5.2, 4.6, 4.6.1
Microsoft .NET Framework 3.5.1 (Windows Server 2008 R2 only)
Microsoft Visual C++ 2005, 2008, and 2010 Runtimes (32-bit and 64-bit).
Microsoft Visual C++ 2008, 2010 and 2013 Runtimes (32-bit and 64-bit). T his applies to XenApp and XenDesktop VDA
Standalone installations.
T he installer automatically installs and enables Remote Desktop Services role services, if they are not already installed and
enabled.
Several multimedia acceleration features (such as HDX MediaStream Windows Media Redirection) require that the
Microsoft Media Foundation be installed on the machine on which you install the VDA. If the machine does not have Media
Foundation installed, the multimedia acceleration features will not be installed and will not work. Do not remove Media
Foundation from the machine after installing the Citrix software; otherwise, users will not be able to log on to the machine.
On most Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 editions, the Media Foundation
feature is installed through the Server Manager (for Windows Server 2012 R2 and Windows Server 2012:
ServerMediaFoundation; for Windows Server 2008 R2: DesktopExperience). However, N editions do not include certain
media-related technologies; you can obtain that software from Microsoft or a third party.
Hosts / Virtualization resources
Supported platf orms
IMPORTANT: T he following major.minor versions are supported, including updates to those versions. CT X131239 contains
the most current hypervisor version information, plus links to known issues.
XenServer.
XenServer 7.2
XenServer 7.1
XenServer 7.0
XenServer 6.5 SP1
XenServer 6.5
XenServer 6.2 SP1 plus hotfixes (you must apply SP1 to enable application of future hotfixes)
XenServer 6.1
VMware vSphere (vCenter + ESXi). No support is provided for vSphere vCenter Linked Mode operation.
VMware vSphere 6.5
VMware vSphere 6.0
VMware vSphere 5.5
VMware vSphere 5.1
VMware vSphere 5.0
VMware vCenter 5.5 / 6 appliance
System Center Virtual Machine Manager - Includes any version of Hyper-V that can register with the supported System
Center Virtual Machine Manager versions.
System Center Virtual Machine Manager 2012 R2
System Center Virtual Machine Manager 2012 SP1
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.162
System Center Virtual Machine Manager 2012
Nutanix Acropolis 4.5 - Several XenApp and XenDesktop features are not available when using this platform;
see CT X202032 for details. For more information on the use of the product with Acropolis,
see https://portal.nutanix.com/#/page/docs.
Amazon Web Services (AWS)
You can provision applications and desktops on supported Windows server operating systems.
T he Amazon Relational Database Service (RDS) is not supported.
See Citrix XenDesktop on AWS for additional information.
Citrix CloudPlatform
T he minimum supported version is 4.2.1 with hotfixes 4.2.1-4.
Deployments were tested using XenServer 6.2 (with Service Pack 1 and hotfix XS62ESP1003) and vSphere 5.1 hypervisors.
CloudPlatform does not support Hyper-V hypervisors.
CloudPlatform 4.3.0.1 supports VMware vSphere 5.5.
See the CloudPlatform documentation (including the Release Notes for your CloudPlatform version) and XenApp and
XenDesktop concepts and deployment on CloudPlatform for additional support and Linux-based system requirements
information.
T he following virtualization resource and storage technology combinations are supported for Machine Creation Services
and runtime Active Directory account injection into VMs. Combinations marked with an asterisk (*) are recommended.
Virtualization
Local Disks
resource
XenServer
Yes
NFS
Yes
Block Storage
Storage
Link
Yes
No
Yes
No
Yes * (requires Cluster Shared
No
*
VMware
Hyper-V
Yes (no vMotion or dynamic
Yes
placement)
*
Yes
No
Volumes)
T he Remote PC Access Wake on LAN feature requires Microsoft System Center Configuration Manager. See Configuration
Manager and Remote PC Access Wake on LAN for details.
Active Directory functional level support
T he following functional levels for the Active Directory forest and domain are supported:
Windows 2000 native (not supported for domain controllers)
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.163
Windows Server 2012
Windows Server 2012 R2
HDX - Desktop Composition Redirection
T he Windows user device or thin client must support or contain:
DirectX 9
Pixel Shader 2.0 (supported in hardware)
32 bits per pixel
1.5 GHz 32-bit or 64-bit processor
1 GB RAM
128 MB video memory on the graphic card or an integrated graphics processor
HDX queries the Windows device to verify that it has the required GPU capabilities and automatically reverts to serverside desktop composition if it does not. List the devices with the required GPU capabilities that do not meet the
processor speed or RAM specifications in the GPO group for devices excluded from Desktop Composition Redirection.
T he minimum available bandwidth is 1.5 Mbps; recommended bandwidth is 5 Mbps. T hose values incorporate end-to-end
latency.
HDX - Windows Media Delivery
T he following clients are supported for Windows Media client-side content fetching, Windows Media redirection, and realtime Windows Media multimedia transcoding: Receiver for Windows, Receiver for iOS, and Receiver for Linux.
To use Windows Media client-side content fetching on Windows 8 devices, set the Citrix Multimedia Redirector as a default
program: in Control Panel > Programs > Def ault Programs > Set your def ault programs, select Citrix Multimedia
Redirector and click either Set this program as def ault or Choose def aults f or this program.
GPU transcoding requires an NVIDIA CUDA-enabled GPU with Compute Capability 1.1 or higher;
see http://developer.nvidia.com/cuda/cuda-gpus.
HDX - Flash Redirection
T he following clients and Adobe Flash Players are supported:
Receiver for Windows (for second generation Flash Redirection features) - Second generation Flash Redirection features
require Adobe Flash Player for Other Browsers, sometimes referred to as an NPAPI (Netscape Plugin Application
Programming Interface) Flash Player
Receiver for Linux (for second generation Flash Redirection features) - Second generation Flash Redirection features
require Adobe Flash Player for other Linux or Adobe Flash Player for Ubuntu.
Citrix Online plug-in 12.1 (for legacy Flash Redirection features) - Legacy Flash Redirection features require Adobe Flash
Player for Windows Internet Explorer (sometimes referred to as an ActiveX player).
T he major version number of the Flash Player on the endpoint must be greater than or equal to the major version number
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.164
of the Flash Player on the VDA. If an earlier version of the Flash Player is installed on the endpoint, or if the Flash Player
cannot be installed on the endpoint, Flash content is rendered on the VDA.
T he machines running VDAs require:
Adobe Flash Player for Windows Internet Explorer (the ActiveX player)
Internet Explorer 11 (in non-Modern UI mode). - Flash Redirection works by remoting the ActiveX protocol from the VDA
to the Flash Player on the endpoint. Because Internet Explorer is the only browser that supports the ActiveX protocol,
the feature does not work unless Internet Explorer is installed on the VDA. Otherwise, Flash content is rendered on the
VDA.
Protected mode disabled in Internet Explorer (T ools > Internet Options > Security tab > Enable Protected Mode check
box cleared). Restart Internet Explorer to effect the change.
HDX 3D Pro
When installing a VDA for Windows Desktop OS, you can choose to install the HDX 3D Pro version.
T he physical or virtual machine hosting the application can use GPU Passthrough or Virtual GPU (vGPU):
GPU Passthrough is available with Citrix XenServer. GPU Passthrough is also available with VMware vSphere and VMware
ESX, where it is referred to as virtual Direct Graphics Acceleration (vDGA).
vGPU is available with Citrix XenServer; see www.citrix.com/go/vGPU (Citrix My Account credentials required).
Citrix recommends that the host computer have at least 4 GB of RAM and four virtual CPUs with a clock speed of 2.3 GHz
or higher.
Graphical Processing Unit (GPU):
For CPU-based compression (including lossless compression), HDX 3D Pro supports any display adapter on the host
computer that is compatible with the application being delivered.
For optimized GPU frame buffer access using the NVIDIA GRID API, HDX 3D Pro requires NVIDIA Quadro cards with the
latest NVIDIA drivers. T he NVIDIA GRID delivers a high frame rate, resulting in a highly interactive user experience.
For vGPU using XenServer, HDX 3D Pro requirements include NVIDIA GRID K1 and K2 cards.
User device:
HDX 3D Pro supports all monitor resolutions that are supported by the GPU on the host computer. However, for
optimum performance with the minimum recommended user device and GPU specifications, Citrix recommends a
maximum monitor resolution for user devices of 1920 x 1200 pixels for LAN connections, and 1280 x 1024 pixels for WAN
connections.
Citrix recommends that user devices have at least 1 GB of RAM and a CPU with a clock speed of 1.6 GHz or higher. Use of
the default deep compression codec, which is required on low-bandwidth connections, requires a more powerful CPU
unless the decoding is done in hardware. For optimum performance, Citrix recommends that user devices have at least 2
GB of RAM and a dual-core CPU with a clock speed of 3 GHz or higher.
For multi-monitor access, Citrix recommends user devices with quad-core CPUs.
User devices do not need a dedicated GPU to access desktops or applications delivered with HDX 3D Pro.
Citrix Receiver must be installed.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.165
HDX - Video conferencing requirements for webcam
video compression
Supported clients: Citrix Receiver for Windows, Receiver for Mac, and Receiver for Linux.
Supported video conferencing applications:
Citrix GoT oMeeting HDFaces
Adobe Connect
Cisco WebEx
IBM Sametime
Microsoft Lync 2010 and 2013
Microsoft Office Communicator
Google+ Hangouts
Media Foundation-based video applications on Windows 8.x, Windows Server 2012, and Windows Server 2012 R2
Skype 6.7. T o use Skype on a Windows client, edit the registry on the client and the server:
Client registry key HKEY_CURRENT _USER\Software\Citrix\HdxRealT ime
Name: DefaultHeight , Type: REG_DWORD, Data: 240
Name: DefaultWidth, Type: REG_DWORD, Data: 320
Server registry key HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\Vd3d\Compatibility
Name: skype.exe, Type: REG_DWORD, Data: Set to 0
Other user device requirements:
Appropriate hardware to produce sound.
DirectShow-compatible webcam (use the webcam default settings). Webcams that are hardware encoding-capable
reduces client-side CPU usage.
Webcam drivers, obtained from the camera manufacturer if possible.
HDX - Other
UDP audio for Multi-Stream ICA is supported on Receiver for Windows and Receiver for Linux 13.
Echo cancellation is supported on Citrix Receiver for Windows.
Universal Print Server Requirements
Universal Print Server - T he Universal Print Server comprises client and server components. T he UPClient component is
included in the VDA installation. T he UPServer component (which you install on each print server where the shared
printers reside that you want to provision with the Citrix Universal Print Driver in user sessions) is supported on:
Windows Server 2008 R2 SP1
Windows Server 2012 R2 and 2012.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.166
T he following are prerequisites for installing the UPServer component on the print server:
Microsoft Visual Studio 2013 Runtime (both 32-bit and 64-bit)
Microsoft .NET Framework 4.5.2
CDF_x64.msi
UpsServer_x64.msi
User authentication during printing operations requires the Universal Print Server to be joined to the same domain as the
Remote Desktop Services VDA.
Other
Citrix recommends installing or upgrading to the component software versions provided on the installation media for this
release.
StoreFront requires 2 GB of memory. See the StoreFront documentation for system requirements. StoreFront 2.6 is
the minimum supported version with this release.
When using Provisioning Services with this release, the minimum supported Provisioning Services version is 7.0.
T he Citrix License Server requires 40 MB of disk space. See the licensing documentation for system requirements. Only
Citrix License Server for Windows is supported. T he minimum supported version is 11.13.1.
T he Microsoft Group Policy Management Console (GPMC) is required if you store Citrix policy information in Active
Directory rather than the Site Configuration database. For more information, see the Microsoft documentation.
By default, the Receiver for Windows is installed when you install a VDA. For system requirements information on other
platforms, see the Receiver for Windows documentation.
T he Receiver for Linux and the Receiver for Mac are provided on the product installation media. See their documentation
for system requirements.
When using Access Gateway versions earlier than 10.0 with this release, Windows 8.1 and Windows 8 clients are not
supported.
Desktop Lock - Supported operating systems:
Windows 7, including Embedded Edition
Windows XP Embedded
Windows Vista
User devices must be connected to a local area network (LAN).
Supported Receiver: Citrix Receiver for Windows Enterprise 3.4 package (minimum).
Client folder redirection - Supported operating systems:
Server: Windows Server 2008 R2 SP1, Windows Server 2012, and Windows Server 2012 R2
Client (with latest Citrix Receiver for Windows): Windows 7, Windows 8, and Windows 8.1
Multiple network interface cards are supported.
See the App-V article for supported versions.
In CU4, the software version provided on the media for Microsoft Visual C++ 2008 SP1 (9.0.30729.4148) was updated to
Microsoft Visual C++ 2008 SP1 (9.0.30729.5677).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.167
Technical overview
May 28 , 20 16
XenApp and XenDesktop are virtualization solutions that give IT control of virtual machines, applications, licensing, and
security while providing anywhere access for any device.
XenApp and XenDesktop allow:
End users to run applications and desktops independently of the device's operating system and interface.
Administrators to manage the network and provide or restrict access from selected devices or from all devices.
Administrators to manage an entire network from a single data center.
XenApp and XenDesktop share a unified architecture called FlexCast Management Architecture (FMA). FMA's key features
are the ability to run multiple versions of XenApp or XenDesktop from a single Site and integrated provisioning.
FMA key components
A typical XenApp or XenDesktop environment consists of a few key technology components, which interact when users
connect to applications and desktops, and log data about Site activity.
Citrix Receiver
A software client that is installed on the user device, supplies the connection to the virtual machine via T CP port 80 or 443,
and communicates with StoreFront using the StoreFront Service API.
StoreFront
T he interface that authenticates users, manages applications and desktops, and hosts the application store. StoreFront
communicates with the Delivery Controller using XML.
Delivery Controller
T he central management component of a XenApp or XenDesktop Site that consists of services that manage resources,
applications, and desktops; and optimize and balance the loads of user connections.
Virtual Delivery Agent (VDA)
An agent that is installed on machines running Windows Server or Windows desktop operating systems that allows these
machines and the resources they host to be made available to users. T he VDA-installed machines running Windows Server
OS allow the machine to host multiple connections for multiple users and are connected to users on one of the following
ports:
T CP port 80 or port 443 if SSL is enabled
T CP port 2598, if Citrix Gateway Protocol (CGP) is enabled, which enables session reliability
T CP port 1494 if CGP is disabled or if the user is connecting with a legacy client
Broker Service
A Delivery Controller service that tracks which users are logged in and where, what session resources the users have, and if
users need to reconnect to existing applications. T he Broker Service executes PowerShell and communicates with the
Broker agent over T CP port 80. It does not have the option to use T CP port 443.
Broker Agent
An agent that hosts multiple plugins and collects real-time data. T he Broker agent is located on the VDA and is connected
to the Controller by T CP port 80. It does not have the option to use T CP port 443.
Monitor Service
A Delivery Controller component that collects historical data and puts it in the Site database by default. T he Monitor
Service communicates on T CP port 80 or 443.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.168
ICA File/Stack
Bundled user information that is required to connect to the VDA.
Site Database
A Microsoft SQL database that stores data for the Delivery Controller, such as site policies, machine catalogs, and delivery
groups.
NetScaler Gateway
A data-access solution that provides secure access inside or outside the LAN's firewall with additional credentials.
Director
A web-based tool that allows administers access to real-time data from the Broker agent, historical data from the Site
database, and HDX data from NetScaler for troubleshooting and support. Director communicates with the Controller on
T CP port 80 or 443.
Studio
A management console that allows administers to configure and manage Sites, and gives access to real-time data from the
Broker agent. Studio communicates with the Controller on TCP port 80.
How typical deployments work
XenApp and XenDesktop Sites are made up of machines with dedicated roles that allow for scalability, high availability, and
failover, and provide a solution that is secure by design. A XenApp or XenDesktop Site consists of VDA-installed Windows
servers and desktop machines, and the Delivery Controller, which manages access.
T he VDA enables users to connect to desktops and applications. It is installed on server or desktop machines within the
data center for most delivery methods, but it can also be installed on physical PCs for Remote PC Access.
T he Controller is made up of independent Windows services that manage resources, applications, and desktops, and
optimize and balance user connections. Each Site has one or more Controllers, and because sessions are dependent on
latency, bandwidth, and network reliability, all Controllers ideally should be on the same LAN.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.169
Users never directly access the Controller. T he VDA serves as an intermediary between users and the Controller. When users
log on to the Site using StoreFront, their credentials are passed through to the Broker Service, which obtains their profiles
and available resources based on the policies set for them.
How user connections are handled
To start a XenApp or XenDesktop session, the user connects either via Citrix Receiver, which is installed on the user's device,
or via Receiver for Web (RFW).
Within Receiver, the user selects the physical or virtual desktop or virtual application that is needed.
T he user's credentials move through this pathway to access the Controller, which determines what resources are needed by
communicating with a Broker Service. It is recommended for administrators to put a SSL certificate on StoreFront to
encrypt the credentials coming from Receiver.
T he Broker Service determines which desktops and applications the user is allowed to access.
Once the credentials are verified, the information about available apps or desktops is sent back to the user through the
StoreFront-Receiver pathway. When the user selects applications or desktops from this list, that information goes back
down the pathway to the Controller, which determines the proper VDA to host the specific applications or desktop.
T he Controller sends a message to the VDA with the user's credentials and sends all the data about the user and the
connection to the VDA. T he VDA accepts the connection and sends the information back through the same pathways all
the way to Receiver. Receiver bundles up all the information that has been generated in the session to create Independent
Computing Architecture (ICA). file on the user's device if Receiver is installed locally or on RFW if accessed through the web.
As long as the Site was properly set up, the credentials remain encrypted throughout this process.
T he ICA file is copied to the user's device and establishes a direct connection between the device and the ICA stack running
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.170
on the VDA. T his connection bypasses the management infrastructure: Receiver, StoreFront, and Controller.
T he connection between Receiver and the VDA uses the Citrix Gateway Protocol (CGP). If a connection is lost, the Session
Reliability feature enables the user to reconnect to the VDA rather than having to relaunch through the management
infrastructure. Session Reliability can be enabled or disabled in Studio.
Once the client connects to the VDA, the VDA notifies the Controller that the user is logged on, and the Controller sends
this information to the Site database and starts logging data in the Monitoring database.
How data access works
Every XenApp or XenDesktop session produces data that IT can access through Studio or Director. Studio allows
administrators to access real-time data from the Broker Agent to better manage sites. Director has access to the same
real-time data plus historical data stored in the Monitoring database as well as HDX data from NetScaler Gateway for
help-desk support and troubleshooting purposes.
Within the Controller, the Broker Service reports session data for every session on the virtual machine providing real-time
data. T he Monitor Service also tracks the real-time data and stores it as historical data in the Monitoring database.
Studio can communicate only with the Broker Service; therefore, it has access only to real-time data. Director
communicates with the Broker Service (through a plugin in the Broker Agent) to access the Site database.
Director can also access NetScaler Gateway to get information on the HDX data.
Related content
Concepts and components
Active Directory
Fault tolerance
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.171
Delivery methods
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.172
Concepts and components
May 28 , 20 16
T his illustration shows the key components in a typical XenApp or XenDesktop deployment, which is called a Site.
T he components in this illustration are:
Delivery Controller — T he Delivery Controller is the central management component of any XenApp or XenDesktop
Site. Each Site has one or more Delivery Controllers. It is installed on at least one server in the data center. (For Site
reliability and availability, install the Controller on more than one server.) T he Controller consists of services that
communicate with the hypervisor to distribute applications and desktops, authenticate and manage user access, broker
connections between users and their virtual desktops and applications, optimize use connections, and load-balance
these connections.
Each service’s data is stored in the Site database.
T he Controller manages the state of the desktops, starting and stopping them based on demand and administrative
configuration. In some editions, the Controller allows you to install Profile management to manage user personalization
settings in virtualized or physical Windows environments.
Database — At least one Microsoft SQL Server database is required for every XenApp or XenDesktop Site to store all
configuration and session information. T his database stores the data collected and managed by the services that make
up the Controller. Install the database within your data center, and ensure it has a persistent connection to the
Controller.
Virtual Delivery Agent (VDA) — T he VDA is installed on each physical or virtual machine in your Site that you want to
make available to users. It enables the machine to register with the Controller, which in turn allows the machine and the
resources it is hosting to be made available to users. VDAs establish and manage the connection between the machine
and the user device, verify that a Citrix license is available for the user or session, and apply whatever policies have been
configured for the session. T he VDA communicates session information to the Broker Service in the Controller through
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.173
the broker agent included in the VDA.
XenApp and XenDesktop include VDAs for Windows server and desktop operating systems. VDAs for Windows server
operating systems allow multiple users to connect to the server at one time. VDAs for Windows desktops allow only one
user to connect to the desktop at a time.
StoreFront — StoreFront authenticates users to Sites hosting resources and manages stores of desktops and
applications that users access. It hosts your enterprise application store, which lets you give users self-service access to
desktops and applications you make available to them. It also keeps track of users’ application subscriptions, shortcut
names, and other data to ensure they have a consistent experience across multiple devices.
Receiver — Installed on user devices and other endpoints, such as virtual desktops, Citrix Receiver provides users with
quick, secure, self-service access to documents, applications, and desktops from any of the user's devices, including
smartphones, tablets, and PCs. Receiver provides on-demand access to Windows, Web, and Software as a Service (SaaS)
applications. For devices that cannot install Receiver software, Receiver for HT ML5 provides a connection through a
HT ML5-compatible web browser.
Studio — Studio is the management console that enables you to configure and manage your deployment, eliminating
the need for separate management consoles for managing delivery of applications and desktops. Studio provides various
wizards to guide you through the process of setting up your environment, creating your workloads to host applications
and desktops, and assigning applications and desktops to users. You can also use Studio to allocate and track Citrix
licenses for your Site.
Studio gets the information it displays from the Broker Service in the Controller.
Director — Director is a web-based tool that enables IT support and help desk teams to monitor an environment,
troubleshoot issues before they become system-critical, and perform support tasks for end users. Director can be
installed outside your trusted network. You can use one Director deployment to connect to and monitor multiple
XenApp or XenDesktop Sites.
Director shows session and Site information from these sources:
Real-time session data from the Broker Service in the Controller, which include data the Broker Service gets from the
broker agent in the VDA.
Historical Site data from Monitor Service in the Controller.
Data about HDX traffic (also known as ICA traffic) captured by HDX Insight from the NetScaler, if your deployment
includes a NetScaler and your XenApp or XenDesktop edition includes HDX Insights.
You can also view and interact with a user's sessions using Microsoft Remote Assistance.
License server — License server manages your product licenses. It communicates with the Controller to manage
licensing for each user's session and with Studio to allocate license files. You must create at least one license server to
store and manage your license files.
Hypervisor — T he hypervisor hosts the virtual machines in your Site. T hese can be the virtual machines you use to host
applications and desktops as well as virtual machines you use to host the XenApp and XenDesktop components. A
hypervisor is installed on a host computer dedicated entirely to running the hypervisor and hosting virtual machines.
Citrix XenServer hypervisor is included with XenApp and XenDesktop, but you can use other supported hypervisors, such
as Microsoft Hyper-V or VMware vSphere.
Although most implementations of XenApp and XenDesktop require a hypervisor, you don’t need one to provide remote
PC access or when you are using Provisioning Services (included with some editions of XenApp and XenDesktop) instead
of MCS to provision virtual machine.
T hese additional components, not shown in the illustration above, may also be included in typical XenApp or XenDesktop
deployments:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.174
Provisioning Services — Provisioning Services is an optional component of XenApp and XenDesktop available with
some editions. It provides an alternative to MCS for provisioning virtual machines. Whereas MCS creates copies of a
master image, Provisioning Services streams the master image to user device. Provisioning Services doesn’t require a
hypervisor to do this, so you can use it to host physical machines. When Provisioning Services is included in a Site, it
communicates with the Controller to provide users with resources.
NetScaler Gateway — When users connect from outside the corporate firewall, this release can use Citrix NetScaler
Gateway (formerly Access Gateway) technology to secure these connections with SSL. NetScaler Gateway or NetScaler
VPX virtual appliance is an SSL VPN appliance that is deployed in the demilitarized zone (DMZ) to provide a single secure
point of access through the corporate firewall.
Citrix CloudBridge — In deployments where virtual desktops are delivered to users at remote locations such as branch
offices, Citrix CloudBridge (formerly Citrix Branch Repeater or WANScaler) technology can be employed to optimize
performance. Repeaters accelerate performance across wide-area networks, so with Repeaters in the network, users in
the branch office experience LAN-like performance over the WAN. CloudBridge can prioritize different parts of the user
experience so that, for example, the user experience does not degrade in the branch location when a large file or print
job is sent over the network. HDX WAN Optimization with CloudBridge provides tokenized compression and data
deduplication, dramatically reducing bandwidth requirements and improving performance. For more information, see the
Citrix CloudBridge documentation.
Setting up and assigning resources: machine catalogs and Delivery Groups
With XenApp and XenDesktop, you set up the resources you want to provide to users with machine catalogs, but you
designate which users have access to these resources with Delivery Groups.
Machine catalogs
Machine catalogs are collections of virtual or physical machines that you manage as a single entity. T hese machines, and
the application or virtual desktops on them, are the resources you want to provide to your users. All the machines in a
machine catalog have the same operating system and the same VDA installed. T hey also have the same applications or
virtual desktops available on them. T ypically, you create a master image and use it to create identical virtual machines in the
catalog.
When you create a machine catalog, you specify the type of machine and provisioning method for the machines in that
catalog.
Machine types
Windows Server OS machines — Virtual or physical machines based on a Windows server operating system used for
delivering XenApp published apps, also known as server-based hosted applications, and XenApp published desktops, also
known as server-hosted desktops. T hese machines allow multiple users to connect to them at one time.
Desktop OS machines — Virtual or physical machines based on a Windows desktop operating system used for delivering
VDI desktops (desktops running Window desktop operating systems that can be fully personalized, depending on the
options you choose), and VM-hosted apps (applications from desktop operating systems) and hosted physical desktops.
Only one user at a time can connect each of these desktops.
Remote PC Access — User devices that are included on a whitelist, enabling users to access resources on their office PCs
remotely, from any device running Citrix Receiver. Remote PC Access enables you to manage access to office PCs
through you XenDesktop deployment.
Provisioning methods
Machine Creation Services (MCS) — A collection of services that create virtual servers and desktops from a master image
on demand, optimizing storage utilization and providing a virtual machine to users every time they log on. Machine
Creation Services is fully integrated and administered in Citrix Studio.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.175
Provisioning Services — Enables computers to be provisioned and reprovisioned in real-time from a single shared-disk
image. Provisioning Services manages target devices as a device collection. T he desktop and applications are delivered
from a Provisioning Services vDisk that is imaged from a master target device, which enables you to leverage the
processing power of physical hardware or virtual machines. Provisioning Services is managed through its own console.
Existing images — Applies to desktops and applications that you have already migrated to virtual machines in the data
center. You must manage target devices on an individual basis or collectively using third-party electronic software
distribution (ESD) tools.
Delivery Groups
Delivery Groups are collections of users given to access a common group of resources. Delivery Groups contain machines
from your machine catalogs and Active Directory users who have access to your Site. Often it makes sense to assign users
to your Delivery Groups by their Active Directory group because both Active Directory groups and Delivery Groups are ways
of grouping together users with similar requirements.
Each Delivery Group can contain machines from more than one machine catalog, and each machine catalog can contribute
machines to more than one Delivery Group, but each individual machine can only belong to one Delivery Group at a time.
You can set up a Delivery Group to deliver applications, desktops, or both.
You define which resources users in the Delivery Group can access. For example, if you want to deliver different applications
to different users, one way to do this is to install all the applications you want to deliver on the master image for one
machine catalog and create enough machines in that catalog to distribute among several Delivery Groups. T hen you
configure each Delivery Group to deliver a different subset of the applications installed on the machines.
XenApp and XenDesktop 7.6 dif f er f rom XenApp 6.5 and previous versions
If you are familiar with XenApp 6.5 and previous versions of XenApp, it may be helpful to think of XenApp 7.6 and
XenDesktop 7.6 in terms of how they differ from those versions.
Although they are not exact equivalents, the following table helps map functional elements from XenApp 6.5 and previous
versions to XenApp 7.6 and XenDesktop 7.6:
Instead of this in XenApp 6.5 and bef ore:
Think of this in XenApp and XenDesktop 7.6:
Independent Management Architecture (IMA)
FlexCast Management Architecture (FMA)
Farm
Site
Worker Group
machine catalog
Delivery Group
Worker
Virtual Delivery Agent (VDA)
Server OS machine, Server OS VDA
Desktop OS machine, Desktop OS VDA
Remote Desktop Services (RDS) or Terminal Services machine
https://docs.citrix.com
Server OS machine, Server OS VDA
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.176
Zone and Data Collector
Instead of this in XenApp 6.5 and bef ore:
Delivery Controller
Think of this in XenApp and XenDesktop 7.6:
Delivery Services Console
Citrix Studio and Citrix Director
Publishing applications
Delivering applications
Data store
Database
Load Evaluator
Load Management Policy
Administrator
Delegated Administrator
Role
Scope
XenApp 7.6 and XenDesktop 7.6 are based on FlexCast Management Architecture (FMA). FMA is a service-oriented
architecture that allows interoperability and management modularity across Citrix technologies. FMA provides a platform
for application delivery, mobility, services, flexible provisioning, and cloud management.
FMA replaces the Independent Management Architecture (IMA) used in XenApp 6.5 and previous versions.
T hese are the key elements of FMA in terms of how they relate to elements of XenApp 6.5 and previous versions:
Delivery Sites
Farms were the top-level objects in XenApp 6.5 and previous versions. In XenApp 7.6 and XenDesktop 7.6, the Delivery Site is
the highest level item. Sites offer applications and desktops to groups of users.
FMA requires that you must be in a domain to deploy a site. For example, to install the servers, your account must have
local administrator privileges and be a domain user in the Active Directory.
Machine catalogs and Delivery Groups
Machines hosting applications in XenApp 6.5 and previous versions belonged to Worker Groups for efficient management
of the applications and server software. Administrators could manage all machines in a Worker Group as a single unit for
their application management and load-balancing needs. Folders were used to organize applications and machines.
In XenApp 7.6 and XenDesktop 7.6, you use a combination of machine catalogs and Delivery Groups to manage machines,
load balancing, and hosted applications or desktops.
Virtual Delivery Agents
In XenApp 6.5 and previous versions, worker machines in Worker Groups ran applications for the user and communicated
with data collectors. In XenApp 7.6 and XenDesktop 7.6, the VDA communicates with Delivery Controllers that manage the
user connections.
Delivery Controllers
In XenApp 6.5 and previous versions there was a zone master responsible for user connection requests and communication
with hypervisors. In XenApp 7.6 and XenDesktop 7.6, Controllers in the Site distribute and handle connection requests.
XenApp 6.5 and previous versions, zones provided a way to aggregate servers and replicate data across WAN connections.
Although zones have no exact equivalent in XenApp 7.6 and XenDesktop 7.6, you can provide users with applications that
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.177
cross WANs and locations. You can design Delivery Sites for a specific geographical location or data center and then allow
your users access to multiple Delivery Sites. App Orchestration with XenApp 7.6 and XenDesktop 7.6 provides capabilities
for managing multiple Sites in multiple geographies.
Citrix Studio and Citrix Director
Use the Studio console to configure your environments and provide users with access to applications and desktops. Studio
replaces the Delivery Services Console in XenApp 6.5 and previous versions.
Administrators use Director to monitor the environment, shadow user devices, and troubleshoot IT issues. T o shadow users,
Microsoft Remote Assistance must be enabled; it is enabled by default when the VDA is installed.
Delivering applications
XenApp 6.5 and previous versions used the Publish Application wizard to prepare applications and deliver them to users. In
XenApp 7.6 and XenDesktop 7.6, you use Studio to create and add applications to make them available to users who are
included in a Delivery Group. Using Studio, you first configure a Site, create and specify machine catalogs, and then create
Delivery Groups within those machine catalogs. T he Delivery Groups determine which users have access to the applications
you deliver.
Database
XenApp 7.6 and XenDesktop 7.6 do not use the IMA data store for configuration information. T hey use a Microsoft SQL
Server database to store configuration and session information.
Load Management Policy
In XenApp 6.5 and previous versions, load evaluators use predefined measurements to determine the load on a machine.
User connections can be matched to the machines with less load.
In XenApp 7.6 and XenDesktop 7.6, use load management policies for balancing loads across machines.
Delegated Administrators
In XenApp 6.5 and previous versions, you created custom administrators and assigned them permissions based on folders
and objects. In XenApp 7.6 and XenDesktop 7.6, custom administrators are based on role and scope pairs. A role represents
a job function and has defined permissions associated with it to allow delegation. A scope represents a collection of
objects. Built-in administrator roles have specific permissions sets, such as help desk, applications, hosting, and catalog. For
example, help desk administrators can work only with individual users on specified sites, while full administrators can monitor
the entire deployment and resolve systemwide IT issues.
T he transition to FMA also means some features available in XenApp 6.5 and previous versions may be implemented
differently or may require you to substitute other features, components, or tools to achieve the same goals.
Instead of this in XenApp
6.5 and bef ore:
Use this in XenApp and XenDesktop 7.6:
Session prelaunch and session
Session prelaunch and session linger configured by editing Delivery Group settings.
linger configured with policy
settings
As in XenApp 6.5, these features help users connect to applications quickly, by starting
sessions before they are requested (session prelaunch) and keeping sessions active
after a user closes all applications (session linger). In XenApp and XenDesktop 7.6, you
enable these features for specified users by configuring these settings for existing
Delivery groups. See Configure session prelaunch and session linger.
Support for unauthenticated
Support for unauthenticated (anonymous) users provided by configuring this option
(anonymous) users provided
when setting user properties of a Delivery Group. See Users.
by granting rights to
anonymous user when setting
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.178
the properties of published
Instead of this in XenApp
applications
6.5 and bef ore:
Use this in XenApp and XenDesktop 7.6:
Local host cache permits a
Connection leasing enables users to connect and reconnect to their most recently
worker servers to function
used applications and desktops, even when the Site database is not available. T he
even when a connection to
connection leasing feature supplements the SQL Server high availability best practices.
the data store is not available
See Connection leasing.
Application streaming
App-V delivers streamed applications, managed using Studio.
Web Interface
Citrix recommends you transition to StoreFront.
SmartAuditor
Use configuration logging to log all session activities from an administrative
perspective or use a third-party, Citrix-ready tool to record sessions.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.179
Active Directory
May 28 , 20 16
Active Directory is required for authentication and authorization. T he Kerberos infrastructure in Active Directory is used to
guarantee the authenticity and confidentiality of communications with the Delivery Controllers. For information about
Kerberos, see the Microsoft documentation.
T he System requirements document lists the supported functional levels for the forest and domain. To use Policy Modeling,
the domain controller must be running on Windows Server 2003 to Windows Server 2012 R2; this does not affect the
domain functional level.
T his product supports:
Deployments in which the user accounts and computer accounts exist in domains in a single Active Directory forest. User
and computer accounts can exist in arbitrary domains within a single forest. All domain functional levels and forest
functional levels are supported in this type of deployment.
Deployments in which user accounts exist in an Active Directory forest that is different from the Active Directory forest
containing the computer accounts of the controllers and virtual desktops. In this type of deployment, the domains
containing the Controller and virtual desktop computer accounts must trust the domains containing user accounts.
Forest trusts or external trusts can be used. All domain functional levels and forest functional levels are supported in this
type of deployment.
Deployments in which the computer accounts for Controllers exist in an Active Directory forest that is different from
one or more additional Active Directory forests that contain the computer accounts of the virtual desktops. In this type
of deployment a bi-directional trust must exist between the domains containing the Controller computer accounts and
all domains containing the virtual desktop computer accounts. In this type of deployment, all domains containing
Controller or virtual desktop computer accounts must be at "Windows 2000 native" functional level or higher. All forest
functional levels are supported.
Writable domain controllers. Read-only domain controllers are not supported.
Optionally, Virtual Delivery Agents (VDAs) can use information published in Active Directory to determine which Controllers
they can register with (discovery). T his method is supported primarily for backward compatibility, and is available only if the
VDAs are in the same Active Directory forest as the Controllers. For information about this discovery method see Active
Directory OU-based Controller discovery and CT X118976.
Deploy in a multiple Active Directory f orest environment
Note: T his information applies to minimum version XenDesktop 7.1 and XenApp 7.5. It does not apply to earlier versions of
XenDesktop or XenApp.
In an Active Directory environment with multiple forests, if one-way or two-way trusts are in place you can use DNS
forwarders for name lookup and registration. To allow the appropriate Active Directory users to create computer accounts,
use the Delegation of Control wizard. Refer to Microsoft documentation for more information about this wizard.
No reverse DNS zones are necessary in the DNS infrastructure if appropriate DNS forwarders are in place between forests.
T he SupportMultipleForest key is necessary if the VDA and Controller are in separate forests, regardless of whether the
Active Directory and NetBios names are different. T he SupportMultipleForest key is only necessary on the VDA. Use the
following information to add the registry key:
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.180
at your own risk. Be sure to back up the registry before you edit it.
HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\SupportMultipleForest
Name: SupportMultipleForest
T ype: REG_DWORD
Data: 0x00000001 (1)
You might need reverse DNS configuration if your DNS namespace is different than that of Active Directory.
If external trusts are in place during setup, the ListOfSIDs registry key is required. T he ListOfSIDs registry key is also
necessary if the Active Directory FQDN is different than the DNS FQDN or if the domain containing the Domain Controller
has a different Netbios name than the Active Directory FQDN. T o add the registry key, use the following information:
For a 32-bit or 64-bit VDA, locate the registry key
HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\ListOfSIDs
Name: ListOfSIDs
T ype: REG_SZ
Data: Security Identifier (SID) of the Controllers
When external trusts are in place, make the following changes on the VDA:
1. Locate the file <ProgramFiles>\Citrix\Virtual Desktop Agent\brokeragentconfig.exe.config.
2. Make a backup copy of the file.
3. Open the file in a text editing program such as Notepad.
4. Locate the text allowNtlm="false" and change the text to allowNtlm="true".
5. Save the file.
After adding the ListOfSIDs registry key and editing the brokeragent.exe.config file, restart the Citrix Desktop Service to
apply the changes.
T he following table lists the supported trust types:
Trust type
Transitivity
Direction
Supported in this release
Parent and child
T ransitive
T wo-way
Yes
T ree-root
T ransitive
T wo-way
Yes
External
Nontransitive
One-way or two-way
Yes
Forest
T ransitive
One-way or two-way
Yes
Shortcut
T ransitive
One-way or two-way
Yes
Realm
T ransitive or nontransitive
One-way or two-way
No
For more information about complex Active Directory environments, see CT X134971.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.181
Fault tolerance
May 28 , 20 16
T his document outlines ways in which you can increase the level of fault tolerance in your deployment to make sure that
business-critical applications and desktops are always available.
Configure database f ault tolerance
All information is stored in the Site configuration database; Delivery Controllers communicate only with the database and
not with each other. A Controller can be unplugged or turned off without affecting other Controllers in the Site. T his
means, however, that the Site configuration database forms a single point of failure. If the database server fails, existing
connections to virtual desktops will continue to function until a user either logs off or disconnects from a virtual desktop;
new connections cannot be established if the database server is unavailable.
Citrix recommends that you back up the database regularly so that you can restore from the backup if the database server
fails. In addition, there are several high availability solutions to consider for ensuring automatic failover:
SQL Mirroring — T his is the recommended solution. Mirroring the database makes sure that, should you lose the active
database server, the automatic failover process happens in a matter of seconds, so that users are generally unaffected.
T his method, however, is more expensive than other solutions because full SQL Server licenses are required on each
database server; you cannot use SQL Server Express edition for a mirrored environment.
Using the hypervisor's high availability features — With this method, you deploy the database as a virtual machine and
use your hypervisor's high availability features. T his solution is less expensive than mirroring as it uses your existing
hypervisor software and you can also use SQL Express. However, the automatic failover process is slower, as it can take
time for a new machine to start for the database, which may interrupt the service to users.
SQL Clustering — T he Microsoft SQL clustering technology can be used to automatically allow one server to take over
the tasks and responsibilities of another server that has failed. However, setting up this solution is more complicated, and
the automatic failover process is typically slower than with alternatives such as SQL Mirroring.
AlwaysOn Availability Groups is an enterprise-level high-availability and disaster recovery solution introduced in SQL Server
2012 to enable you to maximize availability for one or more user databases. AlwaysOn Availability Groups requires that
the SQL Server instances reside on Windows Server Failover Clustering (WSFC) nodes. For more information, see
AlwaysOn Availability Groups (SQL Server).
Note: Installing a Controller on a node in an SQL clustering or SQL mirroring installation is not supported.
Configure a Site to use a mirror database
T he configuration process involves tasks an administrator completes using SQL Server management tools before creating
the Site. T he remaining tasks occur when the administrator runs the Site creation wizard.
A mirror environment requires at least two SQL Server machines (in the following example, SQL Server A and SQL Server B).
SQL Server Express edition cannot be used as either a principal or mirror.
Using Microsoft SQL Server management tools, configure the SQL Server databases:
1. Install the SQL Server software on SQL Server A and SQL Server B.
2. On SQL Server A, create the database intended to be used as the principal (for example, myDatabaseMirror).
Make sure that the database uses the full recovery model and not the simple model. (T he simple model is configured
by default, but prevents the transaction log from being backed up.)
Use the following collation setting when creating the database: Latin1_General_100_CI_AS_KS (where
Latin1_General varies depending on the country; for example Japanese_100_CI_AS_KS). If this collation setting is not
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.182
specified during database creation, subsequent creation of the service schemas within the database will fail, and an
error similar to "<service>: schema requires a case-insensitive database" appears (where <service> is the name of the
service whose schema is being created).
Enable a Read-Committed snapshot as described in CT X137161. It is important to enable this before the database is
mirrored to avoid errors.
3. On SQL Server A, back up the database to a file and copy it to SQL Server B.
4. On SQL Server B, restore the backup file to that server (SQL Server B).
5. On SQL Server A, start mirroring.
T he next step depends on whether the Citrix administrator (that is, the person running the Site creation wizard) also has full
database privileges:
If the Citrix administrator has database privileges (the same person is the database administrator and the Citrix
administrator), Studio does everything for you:
1. T he Citrix administrator uses Studio to create a Site, specifying the address of the previously-created SQL Server A
database and its name (myDatabaseMirrorForXD).
2. T he database scripts are automatically applied and the principal and mirror databases are set.
If the Citrix administrator does not have database privileges, the Citrix administrator must get help from a database
administrator:
1. T he Citrix administrator uses Studio to create a Site, specifying the address of the previously-created SQL Server and
its name (myDatabaseMirrorForXD).
2. In the Site creation wizard, selecting Generate Script generates a mirror script and a primary script. T he Citrix
administrator gives those scripts to the database administrator, who applies the scripts (the mirror script should be
applied first). T he database administrator must tell the Citrix administrator when that task is completed.
3. Back in Studio, the Citrix administrator can now complete the Create Site wizard. T he principal and mirror databases
are set.
To verify mirroring after creating the Site, run the PowerShell cmdlet get-configdbconnection to make sure that the
Failover Partner has been set in the connection string to the mirror.
If you later add, move, or remove a Delivery Controller in a mirrored database environment, see Add, remove, or move
Controllers, or move a VDA for considerations.
Ensure desktop and application access if Controllers f ail
If all Delivery Controllers in a Site fail, you can configure the Virtual Delivery Agents to operate in high availability mode so
that users can continue to access and use their desktops and applications. In high availability mode, the VDA accepts direct
ICA connections from users, rather than connections brokered by the Controller.
T his feature is for use only on the rare occasion when communication with all Controllers fails; it is not an alternative to
other high availability solutions. For more information, see CT X127564.
When the database is not available
T he connection leasing feature supplements the SQL Server high availability best practices by enabling users to connect
and reconnect to their most recently used applications and desktops, even when the Site database is not available. For
details, see Connection leasing.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.183
Delivery methods
May 28 , 20 16
It’s challenging to meet the needs of every user with one virtualization deployment. XenApp and XenDesktop allow
administrators to customize the user experience with a variety of methods sometimes referred to as FlexCast models.
T his collection of delivery methods — each with its own advantages and disadvantages — provide the best user experience
in any use-case scenario.
Mobilize Windows applications on mobile devices
Touch-screen devices, such as tablets and smartphones, are now standard in mobility. T hese devices can cause problems
when running Windows-based applications that typically utilize full-size screens and rely on right-click inputs for full
functionality.
XenApp with Citrix Receiver offers a secure solution that allows mobile-device users access to all the functionality in their
Windows-based apps without the cost of rewriting those apps for native mobile platforms.
T he XenApp published apps delivery method utilizes HDX Mobile technology that solves the problems associated with
mobilizing Windows applications. T his method allows Windows applications to be refactored for a touch experience while
maintaining features such as multitouch gestures, native menu controls, camera, and GPS functions. Many touch features
are available natively in XenApp and XenDesktop and do not require any application source code changes to activate.
T hese features include:
Automatic display of the keyboard when an editable field has the focus
Larger picker control to replace Windows combo box control
Multitouch gestures, such as pinch and zoom
Inertia-sensed scrolling
T ouchpad or direct-cursor navigation
Reduce PC ref resh costs
Upgrading physical machines is a daunting task many businesses face every three to five years, especially if the business
needs to maintain the most up-to-date operating systems and applications. Growing businesses also face daunting
overhead costs of adding new machines to their network.
T he VDI Personal vDisk delivery method provides fully personalized desktop operating systems to single users on any
machine or thin client using server resources. Administrators can create virtual machines whose resources — such as
processing, memory, and storage — are stored in the network’s data center.
T his can extend the life of older machines, keep software up to date, and minimize downtime during upgrades.
Ensure secure access to virtual apps and desktops f or contractors and partners
Network security is an ever-growing problem, especially when working with contractors, partners, and other third-party
contingent workers who need access to a company’s apps and data. T he workers may also need loaner laptops or other
devices, which cause additional cost concerns.
Data, applications, and desktops are stored behind the firewall of the secure network with XenDesktop and XenApp, so the
only thing the end user transmits is user-device inputs and outputs, such as keystrokes, mouse clicks, audio, and screen
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.184
updates. By maintaining these resources in a data center, XenDesktop and XenApp offer a more secure remote access
solution than using the typical SSL VPN.
With a VDI with Personal vDisk deployment, administrators can utilize thin clients or users’ personal devices by creating a
virtual machine on a network server and providing a single-user desktop operating system. T his allows IT to maintain
security with third-party workers without the need of purchasing expensive equipment.
Accelerate Migration
When switching to a new operating system, IT can face the challenge of delivering legacy and incompatible applications.
With virtual-machine-hosted apps, users can run older applications through Citrix Receiver on the upgraded virtual machine
without any compatibility issues. T his allows IT additional time to resolve and test application compatibility issues, ease
users into the transition, and make help desk calls more efficient.
Additional benefit for using XenDesktop during migration include:
Reducing complexity for desktops
Improving IT ’s control
Enhancing end-user flexibility in terms of device usage and workspace location
Enable designers and engineers by virtualizing prof essional 3-D graphics apps
Many design firms and manufacturing companies rely heavily on professional 3-D graphics applications. T hese companies
face financial strain from the costs of powerful hardware to support this type of software and also logistic problems that
come with the sharing of large design files via FT P, email, and similar ad hoc methods.
XenDesktop’s hosted physical desktop delivery method provides a single desktop image to workstations and blade servers
without the need of hypervisors to run graphic-intensive 3-D applications on a native operating system.
All files are saved in a central data center within the network, so sharing large design files to other users in the network is
faster and more secure because the files are not being transferred from one workstation to another.
Transf orm call centers
Businesses that need large-scale call centers face the difficult challenge of maintaining adequate staffing for peak periods
while not overprovisioning machines during less busy hours.
T he Pooled VDI delivery method provides multiple users access to a standardized desktop dynamically at a minimal cost
when provisioning a large number of users. T he pooled machines are allocated on a per-session, first-come, first-served
basis.
T here is less day-to-day management of these virtual machines because any change made during the session is discarded
when the user logs off. T his also increases security.
T he XenApp hosted desktops delivery method is another viable option for transforming call centers. T his method hosts
multiple user desktops on a single server-based operating system.
T his is a more cost-efficient method than Pooled VDI, but with XenApp hosted desktops, users are restricted from installing
applications, changing system settings, and restarting the server.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.185
New deployments
Jan 25, 20 17
To build a XenApp or XenDesktop deployment:
1. Set up the virtualization environment to host and manage the components of your XenApp or XenDesktop environment.
See System requirements for supported versions of the virtualization platforms, management tools, and cloud
deployment solutions listed here.
You can use these virtualization platforms to host and manage machines in your XenApp or XenDesktop environment:
XenServer. See XenServer for information on setting up and using XenServer.
VMware vSphere. See Prepare the virtualization environment: VMware for guidance on setting up and using VMware
vSphere with XenApp or XenDesktop.
Hyper-V with Microsoft System Center Virtualization Machine Manager (VMM). See Prepare the virtualization
environment: Microsoft System Center Virtual Machine Manager for guidance on setting up and using Hyper-V with
VMM with XenApp or XenDesktop.
You can use Microsoft System Center Configuration Manager with Citrix Connector 7.5 for System Center Configuration
Manager 2012 to manage physical and virtual machines in your XenApp or XenDesktop environment or use it to enable
the Wake on LAN feature of Remote PC Access. See Prepare for using Microsoft System Center Configuration Manager.
You can use these cloud deployment solutions to host product components and provision virtual machines. T hese
solutions pool computing resources to build public, private, and hybrid Infrastructure as a Service (Iaas) clouds.
Amazon Web Services, see Deploy XenApp and XenDesktop 7.5 and 7.6 with Amazon VPC.
Citrix CloudPlatform, see XenApp and XenDesktop concepts and deployment on CloudPlatform.
2. Set up the non-Citrix infrastructure components required to build your XenApp or XenDesktop Site. T hese include at
least one domain controller running Active Directory Domain Services.
3. Install the Citrix components that make up your XenApp or XenDesktop Site. You can install components using a wizardbased graphical interface or a command-line interface, which enables scripted installation. Both methods install most
prerequisites automatically.
1. Before beginning any installation, review the System requirements. Also, read and complete the Prepare to
install checklist.
2. Install the core components: Delivery Controller, Citrix Studio, Citrix Director, Citrix License Server, and Citrix
StoreFront. See Install using the graphical interface or Install using the command line for information on installing
these components.
3. From Studio, create a Site. See Create a Site.
4. Install a Virtual Delivery Agent (VDA), either on the master image you will use to create virtual machines or directly on
each machine. See Install using the graphical interface or Install using the command line for information on installing
the VDA. You may also want to see Install or remove Virtual Delivery Agents using scripts.
For Remote PC Access deployments, install a VDA for Desktop OS on each office PC. Citrix recommends using the
VDA installer's command line interface and your existing Electronic Software Distribution (ESD) methods.
5. Optionally, install the Universal Print Server on the print servers in your environment. See Install using the graphical
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.186
interface or Install using the command line for information on installing the Universal Print Server.
4. Optionally, integrate additional Citrix components into your XenApp or XenDesktop deployment. For example:
Provisioning Services is an optional component of XenApp and XenDesktop that provisions machines by streaming a
master image to target devices. See Provisioning Services.
Citrix NetScaler Gateway is a secure application access solution that provides administrators granular application-level
policy and action controls to secure access to applications and data. See Citrix NetScaler Gateway.
Citrix CloudBridge is a set of appliances that optimize WAN performance. See Citrix CloudBridge.
5. Set up the resources you will deliver to users. How you do this depends on the delivery method you are using, but this is
the basic sequence for most delivery methods:
1. Using your hypervisor’s management tool , create a master image that defines the desktops or applications you want
to provide. See Prepare a master image.
2. Create a machine catalog containing physical and virtual machines from that master image. See Create a machine
catalog.
If you are using Machine Creation Services to provision machines, you can add machines to the machine catalog
from within Studio.
If you are using Provisioning Services to provision machines, you add machines to the machine catalog from the
Provisioning Services console.
3. From Studio, create a Delivery Group to specify which users can access these machines and the applications installed
on them. See Delivery groups.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.187
Install and upgrade analytics
Mar 22, 20 17
When you use the full-product installer to deploy or upgrade XenApp or XenDesktop components, anonymous information
about the installation process is gathered and stored on the machine where you are installing/upgrading the component.
T his data is used to help Citrix improve its customers' installation experiences. For more information,
see http://more.citrix.com/XD-INSTALLER.
T he information is stored locally under %ProgramData%\Citrix\CTQs.
Automatic upload of this data is enabled by default in both the graphical and command line interfaces of the full-product
installer.
You can change the default value in a registry setting. If you change the registry setting before installing/upgrading, that
value will be used when you use the full-product installer.
You can override the default setting if you install/upgrade with the command line interface by specifying an option with
the command.
Registry setting that controls automatic upload of install/upgrade analytics (default = 1):
Location: HKLM:\Software\Citrix\MetaInstall
Name: SendExperienceMetrics
Value: 0 = disabled, 1 = enabled
Using PowerShell, the following cmdlet disables automatic upload of install/upgrade analytics:
New-ItemProperty -Path HKLM:\SOFT WARE\Citrix\MetaInstall -Name SendExperienceMetrics -PropertyType DWORD Value 0
To disable automatic uploads with the XenDesktopServerSetup.exe or XenDesktopVDASetup.exe command, include the
/disableexperiencemetrics option.
To enable automatic uploads with the XenDesktopServerSetup.exe or XenDesktopVDASetup.exe command, include the
/sendexperiencemetrics option.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.188
Prepare to install
Jul 0 7, 20 16
T he following tables list tasks to complete and things to consider or be aware of before installing the core components
(Delivery Controller, Citrix Studio, Citrix Director, Citrix License Server, StoreFront) and Virtual Delivery Agents (VDAs).
Core component and general installation preparation
Description
First:
If you are unfamiliar with the product, review the Technical overview and related content.
Check
— Known issues
for installation issues you might encounter.
If you are installing components in a cloud environment, see:
Deploy XenApp and XenDesktop 7.5 and 7.6 with Amazon VPC for Amazon Web Services;
XenApp and XenDesktop concepts and deployment on CloudPlatform for Citrix CloudPlatform.
If you are using XenServer for your virtualization environment, see the XenServer documentation for guidance.
If you are using VMware or Microsoft System Center Virtual Machine Manager for your virtualization environment, see the linked documents.
Decide where you will install the components and then prepare the machines and operating systems.
Review System requirements for supported operating systems and versions for the Controller, Studio, Director, Virtualization resources, and VDAs. The
Citrix StoreFront and the Citrix License Server requirements documents specify their supported platforms.
You can install the core components on the same server or on different servers. For example, to manage a smaller deployment remotely, you can
install Studio on a different machine than the server where you installed the Controller. To accommodate future expansion, consider installing
components on separate servers; for example, install the License Server and Director on different servers.
You can install both the Delivery Controller and the Virtual Delivery Agent for Windows Server OS on the same server. Launch the installer and
select the Delivery Controller (plus any other core components you want on that machine); then launch the installer again and select the Virtual
Delivery Agent for Windows Server OS.
Do not install Studio on a server running XenApp 6.5 Feature Pack 2 for Windows Server 2008 R2 or any earlier version of XenApp.
Be sure that each operating system has the latest updates.
Be sure that all machines have synchronized system clocks. Synchronization is required by the Kerberos infrastructure that secures communication
between the machines.
Components are installed in C:\Program Files\Citrix by default. You can specify a different location during installation, but it must have execute
permissions for network service.
Most component prerequisites are installed automatically; however, the
— System requirements
document notes exceptions.
Decide where to install the SQL Server software for the Site Configuration Database.
By default, SQL Server 2012 Express is installed automatically on the server when you install the Controller, if another instance is not detected.
The default installation uses the default Windows service accounts and permissions. Refer to Microsoft documentation for details of these defaults,
including the addition of Windows service accounts to the sysadmin role. The Controller uses the Network Service account in this configuration. The
Controller does not require any additional SQL Server roles or permissions.
If required, you can select Hide instance for the database instance. When configuring the address of the database in Studio, enter the instance's
static port number, rather than its name. Refer to Microsoft documentation for details about hiding an instance of SQL Server Database Engine.
Alternatively, you can separately install a supported SQL Server version on that server or on a different server. In such cases, the SQL Server software
does not need to be installed before you install the core components, but it must be installed before you create the Site.
Review the database considerations in the
— Plan
documents, and set up any supported redundancy infrastructure.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.189
Important: Windows authentication is required between the Controller and the database.
Description
Decide how you want ports opened.
By default, the following ports are opened automatically if the Windows Firewall Service is running, even if the firewall is not enabled. You can disable this
default action and open the ports manually if you use a third-party firewall or no firewall, or if you just prefer to do it yourself.
Controller: TCP 80, 443
Director: TCP 80, 443
License Server: TCP 7279, 8082, 8083, 27000
StoreFront: TCP 80, 443
Tip: For complete port information, see CTX101810. For additional installation options, see Install using the command line.
Configure your Active Directory domain.
In addition to being a domain user, you must be a local administrator on the machines where you are installing core components.
Do not attempt to install any components on a domain controller.
The
— System requirements
document lists the supported functional levels. See the Microsoft documentation for instructions.
When you install the License Server, that user account is automatically made a full administrator on the license server.
Before you install Director, decide if you will use the shadowing feature of Director, which uses Windows Remote Assistance.
Good to know:
If a component does not install successfully, the process stops with an error message. Components that installed successfully are retained; you do not
need to reinstall them.
Studio starts automatically after it is installed. You can disable this action during installation.
When you create objects before, during, and after installation, it is best practice to specify unique names for each object (for example networks, groups,
catalogs, resources).
After installing components in Amazon Web Services (AWS), you will need to know the region, availability zone, VPC name, subnet addresses, domain
name, security group names, and credentials when you use Studio to create a Site.
VDA installation preparation
Description
If you will be installing a VDA for Windows Desktop OS, decide if you want to install the HDX 3D Pro version.
T he HDX3D Pro feature delivers desktops and applications that perform best with a GPU for hardware acceleration.
For more information, see the HDX 3D Pro documentation.
Decide how you will use the VDA.
T he default setting assumes that you will use a master image containing an installed VDA with Machine Creation
Services or Provisioning Services to create other virtual machines. You can override this default if you want to install
the VDA on an existing machine.
Decide if you want to install Citrix Receiver for Windows (CitrixReceiver.exe).
You can disable this default action.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.190
Decide how you want ports opened.
Description
By default, the following ports are opened automatically if the Windows Firewall Service is running, even if the
firewall is not enabled. You can disable this default action and open the ports manually if you use a third-party
firewall or no firewall, or if you just prefer to do it yourself.
Controller: T CP 80, 1494, 2598, 8008
For communication between user devices and virtual desktops, configure inbound T CP on ports 1494 and 2598
as port exceptions. For security, Citrix recommends that you do not use these registered ports for anything
other than the ICA protocol and the Common Gateway Protocol.
For communication between Controllers and virtual desktops, configure inbound port 80 as a port exception.
Windows Remote Assistance: T CP 3389
Windows opens this port automatically if the feature is enabled, even if you choose to open the ports manually.
Real-T ime Audio Transport: UDP 16500-16509
T ip: For complete port information, see CT X101810.
Decide how you will specify the locations of installed Controllers.
Manually, by entering the Fully Qualified Domain Name (FQDN) of the Controller. Although you can specify a
Controller that is not currently in the domain, a VDA can connect only to a Controller in the domain. Also, you can
test the connection only for Controllers in the domain.
Using Active Directory, if the Controller is in the domain.
Allowing Machine Creation Services to specify the Controller.
Later, by rerunning the installer, using Citrix policies, setting registry values, or using Active Directory OUs.
Citrix Group Policy settings that specify Controller locations will override settings provided during installation.
After you initially specify the Controller location, you can use the auto-update feature to update VDAs when
additional Controllers are installed.
Decide if you want to use the following features:
Optimize performance: When this feature is enabled, the optimization tool is used for VDAs running in a VM on a
hypervisor. VM optimization includes disabling offline files, disabling background defragmentation, and reducing
event log size. For more information, see CT X125874. Do not enable this option if you will be using Remote PC
Access. Default = enabled.
Windows Remote Assistance: When this feature is enabled, Windows Remote Assistance is used with the user
shadowing feature of Director, and Windows automatically opens T CP port 3389 in the firewall, even if you
choose to open firewall ports manually. Default = enabled.
Real-T ime Audio T ransport for audio: When this feature is enabled, UDP is used for audio packets, which can
improve audio performance. Default = enabled.
Personal vDisk: (Available only when installing a VDA for Windows Desktop OS on a VM.) When this feature is
enabled, Personal vDisks can be used with a master image. For more information, see Personal vDisks. Default =
disabled.
Good to know:
T he Print Spooler Service is enabled by default on the Windows server. If you disable this service, you cannot
successfully install a VDA for Windows Server OS. T herefore, ensure that this service is enabled before installing a
VDA.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.191
T he installer automatically detects your operating system and allows you to install only the VDA type supported
Description
on that system: VDA for Windows Server OS or VDA for Windows Desktop OS.
Profile management is installed during VDA installation.
When you install the VDA, a new local user group called Direct Access Users is automatically created. On a VDA for
Windows Desktop OS, this group applies only to RDP connections; on a VDA for Windows Server OS, this group
applies to ICA and RDP connections.
When you install a VDA for Windows Server OS, Remote Desktop Services role services are automatically installed
and enabled (if they are not already installed and enabled).
For Remote PC Access configurations, install the VDA for Windows Desktop OS on each physical office PC that
users will access remotely.
As an alternative to using the full-product ISO to install VDAs, you can use a standalone VDA installation package.
For details, see Install VDAs using the standalone package.
Virtual Desktop Agents on Windows XP or Windows Vista
T he latest Virtual Delivery Agents (VDAs) are not supported on Windows XP or Windows Vista systems. Additionally, some
of the features in this release (and other recent releases) cannot be used on those operating systems. To use the full
functionality in this release, Citrix recommends you replace Windows XP or Windows Vista systems with Windows 7,
Windows 8 or Windows 10, then install a Virtual Delivery Agent from this release.
To accommodate cases when you must continue to accommodate machines running Windows XP or Windows Vista, you
can install an earlier Virtual Desktop Agent version (5.6 FP1 with certain hotfixes). See CT X140941 for details.
Keep in mind that:
You cannot install core components (Controller, Studio, Director, StoreFront, Citrix License Server) on a Windows XP or
Windows Vista system.
Remote PC Access is not supported on Windows Vista systems.
Citrix support for Windows XP ended April 8, 2014 when Microsoft ended its extended support.
Continuing to use older VDAs can affect feature availability and VDA registration with the Controller; see Mixed
environment considerations.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.192
Prepare the virtualization environment: VMware
Aug 31, 20 16
Follow this guidance if you use VMware to provide virtual machines.
Install and configure your hypervisor
1. Install vCenter Server and the appropriate management tools. (No support is provided for vSphere vCenter Linked Mode
operation.)
2. Create a VMware user account with the following permissions, at the DataCenter level, at a minimum. T his account has
permissions to create new VMs and is used to communicate with vCenter.
SDK
User Interf ace
Datastore.AllocateSpace
Datastore > Allocate space
Datastore.Browse
Datastore > Browse datastore
Datastore.FileManagement
Datastore > Low level file operations
Network.Assign
Network > Assign network
Resource.AssignVMToPool
Resource > Assign virtual machine to resource pool
System.Anonymous, System.Read, and
Added automatically.
System.View
Task.Create
Tasks > Create task
VirtualMachine.Config.AddRemoveDevice
Virtual machine > Configuration > Add or remove device
VirtualMachine.Config.AddExistingDisk
Virtual machine > Configuration > Add existing disk
VirtualMachine.Config.AddNewDisk
Virtual machine > Configuration > Add new disk
VirtualMachine.Config.AdvancedConfig
Virtual machine > Configuration > Advanced
VirtualMachine.Config.CPUCount
Virtual machine > Configuration > Change CPU Count
VirtualMachine.Config.Memory
Virtual machine > Configuration > Memory
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.193
VirtualMachine.Config.RemoveDisk
SDK
Virtual
machine
User Interf
ace > Configuration > Remove disk
VirtualMachine.Config.Resource
Virtual machine > Configuration > Change resource
VirtualMachine.Config.Settings
Virtual machine > Configuration > Settings
VirtualMachine.Interact.PowerOff
Virtual machine > Interaction > Power Off
VirtualMachine.Interact.PowerOn
Virtual machine > Interaction > Power On
VirtualMachine.Interact.Reset
Virtual machine > Interaction > Reset
VirtualMachine.Interact.Suspend
Virtual machine > Interaction > Suspend
VirtualMachine.Inventory.Create
Virtual machine > Inventory > Create new
VirtualMachine.Inventory.CreateFromExisting
Virtual machine > Inventory > Create from existing
VirtualMachine.Inventory.Delete
Virtual machine > Inventory > Remove
VirtualMachine.Inventory.Register
Virtual machine > Inventory > Register
VirtualMachine.Provisioning.Clone
Virtual machine > Provisioning > Clone virtual machine
VirtualMachine.Provisioning.DiskRandomAccess
Virtual machine > Provisioning > Allow disk access
VirtualMachine.Provisioning.GetVmFiles
Virtual machine > Provisioning > Allow virtual machine download
VirtualMachine.Provisioning.PutVmFiles
Virtual machine > Provisioning > Allow virtual machine files upload
VirtualMachine.Provisioning.DeployTemplate
Virtual machine > Provisioning > Deploy template
VirtualMachine.Provisioning.MarkAsVM
Virtual machine > Provisioning > Mark as virtual machine
VirtualMachine.State.CreateSnapshot
vSphere 5.0, Update 2 and vSphere 5.1, Update 1: Virtual machine >
State > Create snapshot
vSphere 5.5: Virtual machine > Snapshot management > Create
snapshot
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.194
SDK
VirtualMachine.State.RemoveSnapshot
User Interf ace
vSphere 5.0, Update 2 and vSphere 5.1, Update 1: Virtual machine >
State > Remove snapshot
vSphere 5.5: Virtual machine > Snapshot management > Remove
snapshot
VirtualMachine.State.RevertToSnapshot
vSphere 5.0, Update 2 and vSphere 5.1, Update 1: Virtual machine >
State > Revert to snapshot
vSphere 5.5: Virtual machine > Snapshot management > Revert to
snapshot
3. If you want the VMs you create to be tagged, add the following permissions for the user account:
SDK
User Interf ace
Global.ManageCustomFields
Global > Manage custom attributes
Global.SetCustomField
Global > Set custom attribute
To ensure that you use a clean base image for creating new VMs, tag VMs created with Machine Creation Services to
exclude them from the list of VMs available to use as base images.
Obtain and import a certificate
To protect vSphere communications, Citrix recommends that you use HT T PS rather than HT T P. HT T PS requires digital
certificates. Citrix recommends you use a digital certificate issued from a certificate authority in accordance with your
organization's security policy.
If you are unable to use a digital certificate issued from a certificate authority, and your organization's security policy
permits it, you can use the VMware-installed self-signed certificate. Add the VMware vCenter certificate to each Controller.
Follow this procedure:
1. Add the fully qualified domain name (FQDN) of the computer running vCenter Server to the hosts file on that server,
located at %SystemRoot%/WINDOWS/system32/Drivers/etc/. T his step is required only if the FQDN of the computer
running vCenter Server is not already present in the domain name system.
2. Obtain the vCenter certificate using any of the following methods:
From the vCenter server:
1. Copy the file rui.crt from the vCenter server to a location accessible on your Delivery Controllers.
2. On the Controller, navigate to the location of the exported certificate and open the rui.crt file.
Download the certificate using a web browser. If you are using Internet Explorer, depending on your user account,
you may need to right-click on Internet Explorer and choose Run as Administrator to download or install the
certificate.
1. Open your web browser and make a secure web connection to the vCenter server; for example
https://server1.domain1.com
2. Accept the security warnings.
3. Click on the address bar where it shows the certificate error.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.195
4. View the certificate and click on the Details tab.
5. Select Copy to file and export in .CER format, providing a name when prompted to do so.
6. Save the exported certificate.
7. Navigate to the location of the exported certificate and open the .CER file.
Import directly from Internet Explorer running as an administrator:
1. Open your web browser and make a secure web connection to the vCenter server; for example
https://server1.domain1.com.
2. Accept the security warnings.
3. Click on the address bar where it shows the certificate error.
4. View the certificate.
Import the certificate into the certificate store on each of your Controllers:
1. Click Install certificate, select Local Machine, and then click Next.
2. Select Place all certificates in the following store, and then click Browse.
3. If you are using Windows Server 2008 R2:
1. Select the Show physical stores check box.
2. Expand T rusted People.
3. Select Local Computer.
4. Click Next, then click Finish.
If you are using Windows Server 2012 or Windows Server 2012 R2:
1. Select T rusted People, then click OK.
2. Click Next, then click Finish.
Important: If you change the name of the vSphere server after installation, you must generate a new self-signed
certificate on that server before importing the new certificate.
Create a master VM
Use a master VM to provide user desktops and applications.
1. Install a VDA on the master VM, selecting the option to optimize the desktop, which improves performance.
2. T ake a snapshot of the master VM to use as a back-up. For more information, see Prepare a master image.
Create virtual desktops
If you are using Studio to create VMs, rather than selecting an existing machine catalog, specify the following information
when setting up your hosting infrastructure to create virtual desktops.
1. Select the VMware vSphere host type.
2. Enter the address of the access point for the vCenter SDK (https://vmware.example.com/sdk).
3. Enter the credentials for the VMware user account you set up earlier that has permissions to create new VMs. Specify
the username in the form domain/username.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.196
Prepare the virtualization environment: Microsoft
System Center Virtual Machine Manager
May 28 , 20 16
Follow this guidance if you use Hyper-V with Microsoft System Center Virtual Machine Manager (VMM) to provide virtual
machines.
T his release supports:
VMM 2012 — Provides improved management capabilities, letting you manage the entire virtualized datacenter as well
as virtual machines. T his release now orchestrates cluster host patching as well as integrating with Windows Server
Update Services, allowing you to define baselines of patches that each host needs.
VMM 2012 SP1 — Provides performance improvements for Machine Creation Services ( MCS) when using SMB 3.0 on file
servers with clustered shared volumes and Storage Area Networks (SANs). T hese file shares provide low cost caching and
reduced IO on the SAN storage improving the performance.
VMM 2012 R2 — Enables at-scale management of major Windows Server 2012 R2 capabilities, including running VM
snapshots, dynamic VHDX resize, and Storage Spaces.
T his release supports only Generation 1 virtual machines with VMM 2012 R2. Generation 2 virtual machines are not
supported for Machine Creation Services (MCS) and Provisioning Services deployments. When creating VMs with MCS or
Provisioning Services, Generation 2 VMs do not appear in the selection list for a master VM; they have Secure Boot enabled
by default, which prevents the VDA from functioning properly.
Upgrade VMM
Upgrade from VMM 2012 to VMM 2012 SP1 or VMM 2012 R2
For VMM and Hyper-V Hosts requirements, see http://technet.microsoft.com/en-us/library/gg610649.aspx. For VMM
Console requirements, see http://technet.microsoft.com/en-us/library/gg610640.aspx.
A mixed Hyper-V cluster is not supported. An example of a mixed cluster is one in which half the cluster is running HyperV 2008 and the other is running Hyper-V 2012.
Upgrade from VMM 2008 R2 to VMM 2012 SP1
If you are upgrading from XenDesktop 5.6 on VMM 2008 R2, follow this sequence to avoid XenDesktop downtime.
1. Upgrade VMM to 2012 (now running XenDesktop 5.6 and VMM 2012)
2. Upgrade XenDesktop to the latest version (now running the latest XenDesktop and VMM 2012)
3. Upgrade VMM from 2012 to 2012 SP1 (now running the latest XenDesktop and VMM 2012 SP1)
Upgrade from VMM 2012 SP1 to VMM 2012 R2
If you are starting from XenDesktop or XenApp 7.x on VMM 2012 SP1, follow this sequence to avoid XenDesktop
downtime.
1. Upgrade XenDesktop or XenApp to the latest version (now running the latest XenDesktop or XenApp, and VMM 2012
SP1)
2. Upgrade VMM 2012 SP1 to 2012 R2 (now running the latest XenDesktop or XenApp, and VMM 2012 R2)
Installation and configuration summary
1. Install and configure a hypervisor.
1. Install Microsoft Hyper-V server and VMM on your servers. All Delivery Controllers must be in the same forest as the
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.197
VMM servers.
2. Install the System Center Virtual Machine Manager console on all Controllers.
3. Verify the following account information:
T he account you use to specify hosts in Studio is a VMM administrator or VMM delegated administrator for the
relevant Hyper-V machines. If this account only has the delegated administrator role in VMM, the storage data is
not listed in Studio during the host creation process.
T he user account used for Studio integration must also be a member of the administrators local security group on
each Hyper-V server to support VM life cycle management (such as VM creation, update, and deletion).
Note: Installing Controller on a server running Hyper-V is not supported.
2. Create a master VM.
1. Install a Virtual Delivery Agent on the master VM, and select the option to optimize the desktop. T his improves
performance.
2. T ake a snapshot of the master VM to use as a backup.
For more information, see Prepare a master image.
3. Create virtual desktops. If you are using MCS to create VMs, when creating a Site or a connection,
1. Select the Microsoft virtualization host type.
2. Enter the address as the fully qualified domain name of the host server.
3. Enter the credentials for the administrator account you set up earlier that has permissions to create new VMs.
4. In the Host Details dialog box, select the cluster or standalone host to use when creating new VMs.
Important: Browse for and select a cluster or standalone host even if you are using a single Hyper-V host deployment.
MCS on SMB 3 file shares
For Machine Catalogs created with MCS on SMB 3 file shares for VM storage, make sure that credentials meet the
following requirements so that calls from the Controller's Hypervisor Communications Library (HCL) connect successfully to
SMB storage:
VMM user credentials must include full read write access to the SMB storage.
Storage virtual disk operations during VM life cycle events are performed through the Hyper-V server using the VMM user
credentials.
When you use SMB as storage, enable the Authentication Credential Security Support Provider (CredSSP) from the
Controller to individual Hyper-V machines when using VMM 2012 SP1 with Hyper-V on Windows Server 2012. For more
information, see CT X137465.
Using a standard PowerShell V3 remote session, the HCL uses CredSSP to open a connection to the to Hyper-V machine.
T his feature passes Kerberos-encrypted user credentials to the Hyper-V machine, and the PowerShell commands in the
session on the remote Hyper-V machine run with the credentials provided (in this case, those of the VMM user), so that
communication commands to storage work correctly.
T he following tasks use PowerShell scripts that originate in the HCL and are then sent to the Hyper-V machine to act on
the SMB 3.0 storage.
Consolidate Master Image - A master image creates a new MCS provisioning scheme (machine catalog). It clones and
flattens the master VM ready for creating new VMs from the new disk created (and removes dependency on the original
master VM).
ConvertVirtualHardDisk on the root\virtualization\v2 namespace
Example:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.198
$ims = Get-WmiObject -class $class -namespace "root\virtualization\v2";
$result = $ims.ConvertVirtualHardDisk($diskName, $vhdastext)
$result
Create dif f erence disk - Creates a difference disk from the master image generated by consolidating the master image.
T he difference disk is then attached to a new VM.
CreateVirtualHardDisk on the root\virtualization\v2 namespace
Example:
$ims = Get-WmiObject -class $class -namespace "root\virtualization\v2";
$result = $ims.CreateVirtualHardDisk($vhdastext);
$result
Upload identity disks - T he HCL cannot directly upload the identity disk to SMB storage. T herefore, the Hyper-V
machine must upload and copy the identity disk to the storage. Because the Hyper-V machine cannot read the disk from
the Controller, the HCL must first copy the identity disk through the Hyper-V machine as follows.
1. T he HCL uploads the Identity to the Hyper-V machine through the administrator share.
2. T he Hyper-V machine copies the disk to the SMB storage through a PowerShell script running in the PowerShell
remote session. A folder is created on the Hyper-V machine and the permissions on that folder are locked for the
VMM user only (through the remote PowerShell connection).
3. T he HCL deletes the file from the administrator share.
4. When the HCL completes the identity disk upload to the Hyper-V machine, the remote PowerShell session copies the
identity disks to SMB storage and then deletes it from the Hyper-V machine.
T he identity disk folder is recreated if it is deleted so that it is available for reuse.
Download identity disks - As with uploads, the identity disks pass though the Hyper-V machine to the HCL. T he
following process creates a folder that only has VMM user permissions on the Hyper-V server if it does not exist.
1. T he HyperV machine copies the disk from the SMB storage to local Hyper-V storage through a PowerShell script
running in the PowerShell V3 remote session.
2. HCL reads the disk from the Hyper-V machine's administrator share into memory.
3. HCL deletes the file from the administrator share.
Personal vDisk creation - If the administrator creates the VM in a Personal vDisk machine catalog, you must create an
empty disk (PvD).
T he call to create an empty disk does not require direct access to the storage. If you have PvD disks that reside on
different storage than the main or operating system disk, then the use remote PowerShell to create the PvD in a
directory folder that has the same name of the VM from which it was created. For CSV or LocalStorage, do not use
remote PowerShell. Creating the directory before creating an empty disk avoids VMM command failure.
From the Hyper-V machine, perform a mkdir on the storage.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.199
Prepare for using Microsoft System Center
Configuration Manager
May 28 , 20 16
Sites that use System Center Configuration Manager (Configuration Manager) 2012 to manage access to applications and
desktops on physical devices can extend that use to XenApp or XenDesktop through these integration options.
Citrix Connector 7.5 f or Conf iguration Manager 2012 – Citrix Connector provides a bridge between Configuration
Manager and XenApp or XenDesktop. T he Connector enables you to unify day-to-day operations across the physical
environments you manage with Configuration Manager and the virtual environments you manage with XenApp or
XenDesktop. For information about the Connector, see Citrix Connector 7.5 for System Center Configuration Manager
2012 .
Conf iguration Manager Wake Proxy f eature – Whether or not your environment includes Citrix Connector, the
Remote PC Access Wake on LAN feature requires Configuration Manager. For more information, see Configuration
Manager and Remote PC Access Wake on LAN.
XenApp and XenDesktop properties – XenApp and XenDesktop properties enable you to identify Citrix virtual
desktops for management through Configuration Manager. T hese properties are automatically used by the Citrix
Connector but can also be manually configured, as described in the following section.
Properties
Properties are available to Microsoft System Center Configuration Manager 2012 and 2012 R2 to manage virtual desktops.
Boolean properties displayed in Configuration Manager 2012 may appear as 1 or 0, not true or false.
T he properties are available for the Citrix_virtualDesktopInfo class in the Root\Citrix\DesktopInformation namespace.
Property names come from the Windows Management Instrumentation (WMI) provider.
Property
AssignmentType
Description
Sets the value of IsAssigned. Valid values are:
ClientIP
ClientName
None
User – Sets IsAssigned to T rue
BrokerSiteName
Site; returns the same value as HostIdentifier.
DesktopCatalogName
Machine Catalog associated with the desktop.
DesktopGroupName
Delivery Group associated with the desktop.
HostIdentifier
Site; returns the same value as BrokerSiteName.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.200
IsAssigned
True to assign the desktop to a user, set to False for a random desktop.
IsMasterImage
Allows decisions about the environment. For example, you may want to install
applications on the Master Image and not on the provisioned machines, especially if
those machines are in a clean state on boot machines. Valid values are:
T rue on a VM that is used as a master image (this value is set during installation based
on a selection).
Cleared on a VM that is provisioned from that image.
IsVirtualMachine
True for a virtual machine, false for a physical machine.
OSChangesPersist
False if the desktop operating system image is reset to a clean state every time it is
restarted; otherwise, true.
PersistentDataLocation
T he location where Configuration Manager stores persistent data. T his is not accessible
to users.
PersonalvDiskDriveLetter
For a desktop with a Personal vDisk, the drive letter you assign to the Personal vDisk.
BrokerSiteName,
Determined when the desktop registers with the Controller; they are null for a desktop
DesktopCatalogName,
that has not fully registered.
DesktopGroupName,
HostIdentifier
To collect the properties, run a hardware inventory in Configuration Manager. To view the properties, use the Configuration
Manager Resource Explorer. In these instances, the names may include spaces or vary slightly from the property names. For
example, BrokerSiteName may appear as Broker Site Name. For information about the following tasks, see Citrix WMI
Properties and System Center Configuration Manager 2012:
Configure Configuration Manager to collect Citrix WMI properties from the Citrix VDA
Create query-based device collections using Citrix WMI properties
Create global conditions based on Citrix WMI properties
Use global conditions to define application deployment type requirements
You can also use Microsoft properties in the Microsoft class CCM_DesktopMachine in the Root\ccm_vdi namespace. For
more information, see the Microsoft documentation.
Configuration Manager and Remote PC Access Wake on LAN
For information about planning for and delivering Remote PC Access, see Remote PC Access and Provide users with
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.201
Remote PC Access.
T o configure the Remote PC Access Wake on LAN feature, complete the following before installing a VDA on the office
PCs and using Studio to create or update the Remote PC Access deployment:
Configure Configuration Manager 2012 within the organization, and then deploy the Configuration Manager client to all
Remote PC Access machines, allowing time for the scheduled SCCM inventory cycle to run (or forcing one manually, if
required). T he access credentials you specify in Studio to configure the connection to Configuration Manager must
include collections in the scope and the Remote T ools Operator role.
For Intel Active Management T echnology (AMT ) support:
T he minimum supported version on the PC must be AMT 3.2.1.
Provision the PC for AMT use with certificates and associated provisioning processes.
For Configuration Manager Wake Proxy and/or magic packet support:
Configure Wake on LAN in each PC's BIOS settings.
For Configuration Manager Wake Proxy support, enable the option in Configuration Manager. For each subnet in the
organization that contains PCs that will use the Remote PC Access Wake on LAN feature, ensure that three or more
machines can serve as sentinel machines.
For magic packet support, configure network routers and firewalls to allow magic packets to be sent, using either a
subnet-directed broadcast or unicast.
After you install the VDA on office PCs, enable or disable power management when you create the Remote PC Access
deployment in Studio.
If you enable power management, specify connection details: the Configuration Manager address and access
credentials, plus a name.
If you do not enable power management, you can add a power management (Configuration Manager) connection later
and then edit a Remote PC Access machine catalog to enable power management and specify the new power
management connection.
You can edit a power management connection to configure the use of the Configuration Manager Wake Proxy and magic
packets, as well as change the packet transmission method.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.202
Install using the graphical interface
May 28 , 20 16
Before beginning any installation, review and complete the tasks in Prepare to install.
Launch the installer graphical interface:
1. Download the product package and unzip it. Optionally, burn a DVD of the ISO file.
2. Log on to the server where you are installing the components, using a local administrator account.
3. Insert the DVD in the drive or mount the ISO file. If the installer does not launch automatically, double-click the
AutoSelect application or the mounted drive.
4. Select the component you want to install:
If you're just getting started, select Delivery Controller. From there, you can install the Delivery Controller and
optionally, Studio, Director, License Server, and StoreFront on the same server.
If you've already installed some components and want to extend your deployment, click the component you want to
install from the right column. T his column offers core components and the Universal Print Server, which you can install
on your print server.
T o install a Virtual Delivery Agent (VDA), click the available VDA entry - the installer knows which one is right for the
operating system where you're running the installer.
Later, if you want to customize a VDA that you've already installed:
1. From the Windows feature for removing or changing programs, select Citrix Virtual Delivery Agent <version-number>,
then right-click and select Change.
2. Select Customize Virtual Delivery Agent Settings. When the installer launches, you can change the Controller addresses,
T CP/IP port to register with the Controller (default = 80), or whether to automatically open Windows Firewall port
exceptions.
You can also use the graphical interface to upgrade components; see Upgrade a deployment.
As an alternative to using the full-product ISO to install VDAs, you can use a standalone VDA installation package. For
details, see Install VDAs using the standalone package.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.203
Install using the command line
Jan 24 , 20 18
Use the command line interface to:
Install one or more core components: Delivery Controller, Citrix Studio, Citrix Director, License Server, and StoreFront.
Install a Virtual Delivery Agent (VDA) on a master image or on a virtual or physical machine.
You can also customize scripts provided on the media, then use them to install and remove VDAs in Active Directory.
Customize a previously-installed VDA.
Install a Universal Print Server, which provisions network session printers. T he Controller already has the Universal Print Server functionality; you need only install the
Universal Print Server on the print servers in your environment.
You can also:
Remove components from this version that you previously installed, using the /remove or /removeall options. For details, see Remove components.
Upgrade components; for details, see Upgrade a deployment.
To see command execution progress and return values, you must be the original administrator or use 'Run as administrator.' For more information, see the Microsoft
command documentation.
Important: Before beginning an installation, read and complete the tasks in Prepare to install.
Install core components using the command line
From the \x64\XenDesktop Setup directory on the media, run the XenDesktopServerSetup.exe command. T he following table describes command options.
Note: T o install XenApp, include the /xenapp option on the command line. T o install XenDesktop, do not include the /xenapp option.
Option
Description
/help or /h
Displays command help.
/quiet or /passive
No user interface appears during the installation. T he only evidence of the installation process is in Windows Task Manager. If this option is
omitted, the graphical interface launches.
/logpath path
Log file location. T he specified folder must already exist; the installer does not create it. Default = "%T EMP%\Citrix\XenDesktop Installer"
/noreboot
Prevents a restart after installation. (For most core components, a restart is not enabled by default.)
/remove
Removes the core components specified with the /components option.
/removeall
Removes all installed core components.
/xenapp
Installs XenApp. If this option is omitted, XenDesktop is installed.
/configure_firewall
Opens all ports in the Windows firewall needed by components being installed, if the Windows Firewall Service is running, even if the firewall is
not enabled. If you are using a third-party firewall or no firewall, you must manually open the ports.
/components
component
(Required.) Comma-separated list of components to install or remove. Valid values are:
CONT ROLLER - Controller
DESKT OPST UDIO - Studio
[,component] ...
DESKT OPDIRECT OR - Director
LICENSESERVER - Citrix Licensing
ST OREFRONT - StoreFront
If this option is omitted, all components are installed (or removed, if the /remove option is also specified).
/installdir directory
Existing empty directory where components will be installed. Default = c:\Program Files\Citrix.
/tempdir directory
Directory that holds temporary files during installation. Default = c:\Windows\Temp.
/nosql
Prevents installation of Microsoft SQL Server Express on the server where you are installing the Controller. If this option is omitted, SQL Server
Express will be installed.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.204
/no_remote_assistance
Option
(Valid only when installing Director.) Prevents the installation and enabling of the Windows Remote Assistance feature.
Description
For example, the following command installs a XenDesktop Controller, Studio, Citrix Licensing, and SQL Server Express on the server. Ports required for component
communications will be opened automatically.
\x64\XenDesktop Setup\XenDesktopServerSetup.exe /components
controller,desktopstudio,licenseserver /configure_firewall
T he following command installs a XenApp Controller, Studio, and SQL Server Express on the server. Ports required for component communication will be opened
automatically.
\x64\XenDesktop Setup\XenDesktopServerSetup.exe /xenapp /components
controller,desktopstudio /configure_firewall
Install a VDA using the command line
When installing a VDA for use with Remote PC Access, specify only options that are valid on physical machines (not VMs or master images) and for VDAs for Windows
Desktop OS.
From the XenDesktop Setup directory on the product media, run the XenDesktopVdaSetup.exe command. T he following table describes command options. Unless otherwise
noted, options apply to physical and virtual machines, and to VDAs for Windows Desktop OS and VDAs for Windows Server OS.
Option
Description
/h or /help
Displays command help.
/quiet or /passive
No user interface appears during the installation. T he only evidence of the installation and configuration process is in Windows Task
Manager. If this option is omitted, the graphical interface launches.
/logpath path
Log file location. T he specified folder must already exist; the installer does not create it. Default = "%T EMP%CitrixXenDesktop Installer"
/noreboot
Prevents a restart after installation. T he VDA will not be fully available for use until after a restart.
/remove
Removes the components specified with the /components option.
/removeall
Removes all installed VDA components.
/reconfig
Customizes previously-configured VDA settings when used with the /portnumber, /controllers, or /enable_hdx_ports options. If you
specify this option without also specifying the /quiet option, the graphical interface for customizing the VDA launches.
/portnumber port
(Valid only if the /reconfig option is specified.) Port number to enable for communications between the VDA and the Controller. T he
previously-configured port is disabled, unless it is port 80.
/components
component[,component]
Comma-separated list of components to install or remove. Valid values are:
VDA - installs the VDA
PLUGINS - installs the Citrix Receiver for Windows (CitrixReceiver.exe)
If this option is omitted, all components are installed.
/installdir directory
Existing empty directory where components will be installed. Default = c:Program FilesCitrix.
/tempdir directory
Directory to hold temporary files during installation. (T his option is not available in the graphical interface.) Default = c:WindowsTemp.
/site_guid guid
Globally Unique Identifier of the site Active Directory Organizational Unit (OU). T his associates a virtual desktop with a Site when you are
using Active Directory for discovery (auto-update is the recommended and default discovery method). T he site GUID is a site property
displayed in Studio. Do not specify both the /site_guid and /controllers options.
/controllers "controller
Space-separated Fully Qualified Domain Names (FQDNs) of Controllers with which the VDA can communicate, enclosed in quotation
[controller] [...]"
marks. Do not specify both the /site_guid and /controllers options.
/xa_server_location url
URL of the server for Windows server applications.
/enable_remote_assistance
Enables Windows Remote Assistance for use with Director. If you specify this option, Windows opens TCP port 3389 in the firewall, even
if you omit the /enable_hdx_ports option.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.205
/enable_hdx_ports
Option
Opens ports in the Windows firewall required by the Controller and features you specified (Windows Remote Assistance, real-time
Description
transport, and optimize), if the Windows Firewall Service is detected, even if the firewall is not enabled. If you are using a different
firewall or no firewall, you must configure the firewall manually.
/optimize
Enables optimization for VDAs running in a VM on a hypervisor. VM optimization includes disabling offline files, disabling background
defragmentation, and reducing event log size. Do not specify this option for Remote PC Access. For more information about the
optimization tool, see CT X125874.
/baseimage
(Valid only when installing a VDA for Windows Desktop OS on a VM.) Enables the use of Personal vDisks with a master image. For more
information, see Personal vDisks.
/enable_hdx_3d_pro
Installs the VDA for HDX 3D Pro. For more information, see the HDX 3D Pro documentation.
/enable_real_time_transport
Enables or disables use of UDP for audio packets (Real-T ime Audio Transport for audio). Enabling this feature can improve audio
performance. Include the /enable_hdx_ports option if you want the UDP ports opened automatically if the Windows Firewall Service is
detected.
/masterimage
(Valid only when installing a VDA on a VM.) Sets up the VDA as a master image.
/virtualmachine
(Valid only when installing a VDA on a VM.) Overrides detection by the installer of a physical machine, where BIOS information passed to
VMs makes them appear as physical machines.
/nodesktopexperience
(Valid only when installing a VDA for Windows Server OS.) Prevents enabling of the Enhanced Desktop Experience feature. T his feature
is also controlled with the Enhanced Desktop Experience Citrix policy setting.
/nocitrixwddm
(Valid only on Windows 7 machines that do not include a WDDM driver.) Disables installation of the Citrix WDDM driver.
/servervdi
Installs a VDA for Windows Desktop OS on a supported Windows Server. Omit this option when installing a VDA for Windows Server OS
on a Windows Server. Before using this option, see Server VDI.
Note: Add the /masterimage option if you are installing the VDA on an image, and will use MCS to create server VMs from that image.
/installwithsecurebootenabled
Allows VDA installation when Secure Boot is enabled. If this option is omitted, a warning displays that Secure Boot must be disabled to
successfully install a VDA.
/exclude "Personal
(Valid only when upgrading from an earlier 7.x VDA version on a physical machine.) Excludes Personal vDisk and Machine Identity Service
vDisk","Machine Identity
from the upgrade. For advanced use of this option, see CT X140972.
Service"
For example, the following command installs a VDA for Windows Desktop OS and Citrix Receiver to the default location on a VM. T his VDA will be used as a master image.
T he VDA will register initially with the Controller on the server named 'Contr-Main' in the domain 'mydomain,' and will use Personal vDisks, the optimization feature, and
Windows Remote Assistance.
XenDesktop SetupXenDesktopVdaSetup.exe /quiet /components
vda,plugins /controllers "Contr-Main.mydomain.local" /enable_hdx_ports /optimize
/masterimage /baseimage /enable_remote_assistance
T he following command installs a VDA for Windows Desktop OS and Citrix Receiver to the default location on an office PC that will be used with Remote PC Access. T he
machine will not be restarted after the VDA is installed; however, a restart is required before the VDA can be used. T he VDA will register initially with the Controller on the
server named 'Contr-East' in the domain 'mydomain,' and will use UDP for audio packets. HDX ports will be opened if the Windows Firewall service is detected.
XenDesktop SetupXenDesktopVdaSetup.exe /quiet /components vda,plugins /controllers "Contr-East.mydomain.local" /enable_hdx_ports /enable_real_time_transport /noreboot
As an alternative to using the full-product ISO to install VDAs, you can use a standalone VDA installation package. For details, see Install VDAs using the standalone package.
By default, when a machine restart is needed during an installation, the installer resumes automatically after the restart completes. To override the default, specify /noresume
with the installation command. T his can be helpful if you must re-mount the media or want to capture information during an automated installation.
Customize a VDA using the command line
After you install a VDA, you can customize several settings. From the \x64\XenDesktop Setup directory on the product media, run the XenDesktopVdaSetup.exe command,
using one or more of the following options, which are described above.
/reconfigure - this option is required when customizing a VDA
/h or /help
/quiet
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.206
/noreboot
/controllers
/portnumber port
/enable_hdx_ports
Install the Universal Print Server using the command line
Run one of the following commands on each print server:
On a supported 32-bit operating system: From the \x86\Universal Print Server\ directory on the Citrix installation media, run UpsServer_x86.msi.
On a supported 64-bit operating system: From the \x64\Universal Print Server\ directory on the Citrix installation media, run UpsServer_x64.msi.
In XenApp and XenDesktop 7.6 FP3, the UPS package contains updated versions of the standalone UPS client and server components. For installation instructions,
see Provision printers.
In XenApp and XenDesktop 7.6 FP3, if you install the Universal Print Server using the command line, we recommend that you add the command option, ENABLE_CEIP set to 1,
to opt in to the Citrix Customer Experience Improvement Program (CEIP).
For example:
Code
COPY
msiexec /i UpsServer.msi ENABLE_CEIP=1
When you opt in, anonymous statistics and usage information is sent to Citrix to help improve the quality and performance of our products.
7.6 FP3 deploying UpsServer_x86.msi on the Windows 2008 32-bit platf orm
To deploy UpsServer_x86.msi on Windows 2008 32-bit platform, the Minimum Version for Windows Installer for the cdf_x86.msi and UpsServer_x86.msi needs to be adjusted
first, either by using VB scripts or by using a tool such as Orca. To do this:
1. Copy the 7.6 FP3 32-bit versions of the CDF and UPS msi's (cdf_x86.msi and UpsServer_x86.msi) to a temp folder.
2. Install the WiSumInf.vbs script or Orca tool, both available in the Windows SDK Components for Windows Installer Developers package. For more information on the
script, see the MSDN article Manage Summary Information.
3. You can modify the Minimum Version for the Windows Installer using one of the two methods below:
Using WiSumInf.vbs script:
1. Copy WiSumInf.vbs to the same temp folder with the two Citrix msi's.
2. Run the script for each package with these parameters:
WiSumInf.vbs cdf_x86.msi Pages=405
WiSumInf.vbs UpsServer_x86.msi Pages=405
Using Orca, open each of the cdf_x86.msi and UpsServer_x86.msi packages, go to the View menu > Summary Information, and change the value of the "Schema"
textbox to 405.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.207
Create a Site
May 28 , 20 16
A Site is the name you give to a product deployment. It comprises the Delivery Controllers and the other core components,
VDAs, virtual resource connections (if used), plus the machine catalogs and Delivery Groups you create and manage. A Site
does not necessarily correspond to a geographical location, although it can. You create the Site after you install the
components and before creating machine catalogs and Delivery Groups.
Prepare
T he following table describes the tasks to complete and things to consider or be aware of before starting the Site creation
wizard in Studio.
Description
Decide which type of Site you will create:
Application and desktop delivery Site - When you choose to create an application and desktop delivery Site,
you can further choose to create a full deployment Site (recommended) or a empty Site. (Empty Sites are
only partially configured, and are usually created by advanced users.)
Remote PC Access Site - Allows designated users to remotely access their office PCs through a secure
connection. If you will use the Remote PC Access Wake on LAN feature, complete the tasks described in
Configuration Manager and Remote PC Access Wake on LAN.
If you create an application and desktop delivery deployment now, you can add a Remote PC Access
deployment later. Conversely, if you create a Remote PC Access deployment now, you can add a full
deployment later.
Site creation includes creating the Site Configuration database. Make sure the SQL Server software is installed
before you create a Site.
T o create the database, you must be a local administrator and a domain user. You must also either have SQL
Server permissions, or you can generate scripts to give to your database administrator to run.
Permissions – you need the following permissions when setting up the database; the permissions can be
explicitly configured or acquired by Active Directory group membership:
Operation
Purpose
Server role
Database
role
Database
Create a suitable empty database
dbcreator
Schema
Create all service-specific schemas and add the first
securityadmin
creation
Controller to the Site
*
Add Controller
Add a Controller (other than the first) to the Site
securityadmin
creation
db_owner
db_owner
*
Add Controller
Add a Controller login to the database server currently
securityadmin
(mirror server)
in the mirror role of a mirrored database
*
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.208
Description
Operation
Schema update
Purpose
Apply schema updates or hotfixes
Server role
Database
db_owner
role
* While technically more restrictive, in practice, the securityadmin server role should be treated as
equivalent to the sysadmin server role.
When using Studio to perform these operations, the user account must be a member of the sysadmin
server role.
If your Studio user credentials do not include these permissions, you are prompted for SQL Server user
credentials.
Scripts - If your database server is locked down and you do not have the required SQL Server permissions,
the Site creation wizard can generate two database scripts: one that sets up the database and the other to
use in a mirroring environment. After you request script generation, you give the generated scripts to your
database administrator (or someone with required SQL Server permissions) to run on the database server,
and the mirrored database, if needed. After the script is executed and the database is successfully created,
you can finish creating the Site.
Consider if you will use the 30-day free trial license that allows you to add license files later, or if you will use
existing licenses. You can add or download license files from within the Site creation wizard.
Configure your virtualization resource (host) environment.
If you use XenServer:
See the XenServer documentation.
You must provide the credentials for a VM Power Admin or higher-level user.
Citrix recommends using HT T PS to secure communications with XenServer. T o use HT T PS, you must replace
the default SSL certificate that was installed on XenServer with a certificate from a trusted authority; see
CT X128656.
You can configure high availability if it is enabled on the XenServer. Citrix recommends that you select all
servers in the pool to allow communication with XenServer if the pool master fails. It can be selected from
"Edit High Availablity" of added host.
You can also select a GPU type and group, or passthrough, if the XenServer supports vGPU. T he display
indicates if the selection has dedicated GPU resources.
If you use VMware, see that product's documentation and Prepare the virtualization environment: VMware.
If you are using Hyper-V, see that product's documentation and Prepare the virtualization environment:
Microsoft System Center Virtual Machine Manager.
Decide if you will use Machine Creation Services (MCS) or other tools to create VMs on the virtualization
resources.
Decide if you will use shared or local storage. Shared storage is available through the network. If you use shared
storage, you can enable the use of IntelliCache to reduce load on the storage device. For information, see Use
IntelliCache for XenServer connections.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.209
Decide if you will use Personal vDisks and whether they will use shared or local storage. Personal vDisks can use
Description
the same or different storage as the VMs. (LT SR: Not supported)
If you installed product components in a cloud environment, you will need the API key and secret key values
when configuring the first connection. You can export the key file containing those values from AWS or
CloudPlatform, and then import them into the Site creation wizard.
When you create a Site for a cloud deployment, you will also need the region, availability zone, VPC name,
subnet addresses, domain name, security group names, and credentials you configured in AWS.
Decide if you will use App-V publishing, and configure those resources, if needed.
Good to know:
When you create a Remote PC Access Site:
A machine catalog named Remote PC Access Machines, and a Delivery Group named Remote PC Access
Desktops are automatically created.
You must specify users or user groups; there is no default action that automatically adds all users.
You can enable the Wake on LAN feature (power management) and specify the Microsoft System Center
Configuration Manager (ConfigMgr) address and credentials, plus a connection name.
T he user who creates a Site becomes a Full Administrator; for more information, see Delegated
Administration.
When an empty database is created, it has default attributes except:
T he collation sequence is set to Latin1_General_100_CI_AS_KS (where Latin1_General varies, depending
on the country, for example Japanese_100_CI_AS_KS). If this collation setting is not specified during
database creation, subsequent creation of the service schemas within the database will fail, and an error
similar to "<service>: schema requires a case-insensitive database" appears. (When a database is created
manually, any collation sequence can be used, provided it is case-sensitive, accent-sensitive, and kanatypesensitive; the collation sequence name typically ends with _CI_AS_KS.)
T he recovery mode is set to Simple. For use as a mirrored database, change the recovery mode to Full.
When you create the Site Configuration Database, it also stores configuration changes recorded by the
Configuration Logging Service, plus trend and performance data that is used by the Monitoring Service and
displayed by Citrix Director. If you use those features and store more than seven days of data, Citrix
recommends that you specify different locations for the Configuration Logging Database and the
Monitoring Database (known as the secondary databases) after you create a Site.
When naming the Monitoring Database, or a Site Configuration Database that includes the Monitoring
Database, using a name that includes spaces causes errors when the database is accessed. For more
information, see to CT X200325.
At the end of the Site creation wizard, you are asked if you want to participate in the Citrix Customer
Experience Improvement Program. When you join this program, anonymous statistics and usage information
is sent to Citrix; see About the Citrix Customer Experience Improvement Program for more information.
Create
Start Studio, if it is not already open. After you choose to create a Site from the center pane, specify the following:
T he type of Site and the Site name.
Database information. If you chose during Controller installation to have the default SQL Server Express database
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.210
installed, some information is already provided. If you use a database server that is installed on a different server, enter
the database server and name:
Database type
What to enter
With this database conf iguration
Standalone or
servername
T he default instance is used and SQL Server uses the default
mirror
port.
servername\INST ANCENAME
A named instance is used and SQL Server uses the default port.
servername,port-number
T he default instance is used and SQL Server uses a custom port.
(T he comma is required.)
Other
cluster-name
A clustered database.
availability-group-listener
An AlwaysOn database.
After you click Next and are alerted that the services could not connect to a database, indicate that you want Studio to
create it. If you do not have permission to edit the database, use Generate database script. T he scripts must be run
before you can finish creating the Site.
License Server address in the form name:[port], where name is a Fully Qualified Domain Name (FQDN), NetBIOS, or IP
address; FQDN is the recommended format. If you omit the port number, the default is 27000. You cannot proceed until
a successful connection is made to the license server.
(Remote PC Access Sites only.) Power management information, including ConfigMgr connection information.
Connection information to your virtualization resource and storage information. If you are not using a resource, or if you
will use Studio to manage user desktops hosted on dedicated blade PCs, select the connection type None.
App-V management and App-V publishing server information.
(Remote PC Access Sites only.) User and machine accounts information.
User information. Click Add Users. Select users and user groups, and then click Add users.
Machine accounts information. Click Add machine accounts. Select machine accounts, and then click Add machine
accounts. Click Add OUs. Select the domain and Organizational Units, and indicate if items in subfolders should be
included. Click Add OUs.
Test a Site configuration
You can view an HT ML report of the site test results. T o run the tests:
1. From Studio, click the Studio (<site-name>) entry at the top of the left pane.
2. In the center pane, click T est site.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.211
Install or remove Virtual Delivery Agents using scripts
May 28 , 20 16
T he installation media contains sample scripts that install, upgrade, or remove Virtual Delivery Agents (VDAs) for groups of
machines in Active Directory. You can also apply the scripts to individual machines, and use them to maintain master images
used by Machine Creation Services and Provisioning Services.
Required access:
T he scripts need Everyone Read access to the network share where the VDA installation command is located. T he
installation command is XenDesktopVdaSetup.exe from the full product ISO, or VDAWorkstationSetup.exe or
VDAServerSetup.exe from the standalone installer.
Logging details are stored on each local machine. If you also want to log results centrally for review and analysis, the
scripts need Everyone Read and Write access to the appropriate network share.
To check the results of running a script, examine the central log share. Captured logs include the script log, the installer log,
and the MSI installation logs. Each installation or removal attempt is recorded in a time-stamped folder. T he folder title
indicates if the operation was successful with the prefix PASS or FAIL. You can use standard directory search tools to
quickly find a failed installation or removal in the central log share, rather than searching locally on the target machines.
Important: Before beginning any installation, read and complete the tasks in Prepare to install.
To install or upgrade VDAs using the script
1. Obtain the sample script InstallVDA.bat from \Support\AdDeploy\ on the installation media. Citrix recommends that you
make a backup of the original script before customizing it.
2. Edit the script:
Specify the version of the VDA to install: SET DESIREDVERSION. For example, version 7 can be specified as 7.0; the
full value can be found on the installation media in the ProductVersion.txt file (such as 7.0.0.3018); however, a
complete match is not required.
Specify the network share location from which the installer will be invoked. Point to the root of the layout (the
highest point of the tree): the appropriate version of the installer (32-bit or 64-bit) will be called automatically when
the script runs. For example: SET DEPLOYSHARE=\\fileserver1\share1.
Optionally, specify a network share location for storing centralized logs. For example: SET
LOGSHARE=\\fileserver1\log1).
Specify VDA configuration options as described in Install using the command line. T he /quiet and /noreboot options
are included by default in the script and are required: SET COMMANDLINEOPTIONS=/QUIET /NOREBOOT.
3. Using Group Policy Startup Scripts, assign the script to the OU in Active Directory where your machines are located. T his
OU should contain only machines on which you want to install the VDA. When the machines in the OU are restarted, the
script runs on all of them, installing a VDA on each machine that has a supported operating system.
To remove VDAs using the script
1. Obtain the sample script UninstallVDA.bat from \Support\AdDeploy\ on the installation media. Citrix recommends that
you make a backup of the original script before customizing it.
2. Edit the script.
Specify the version of the VDA to remove: SET CHECK_VDA_VERSION. For example, version 7 can be specified as
7.0; the full value can be found on the installation media in the ProductVersion.txt file (such as 7.0.0.3018); however, a
complete match is not required.
Optionally, specify a network share location for storing centralized logs.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.212
3. Using Group Policy Startup Scripts, assign the script to the OU in Active Directory where your machines are located. T his
OU should contain only machines from which you want to remove the VDA. When the machines in the OU are restarted,
the script runs on all of them, removing a VDA from each machine.
Troubleshooting
T he script generates internal log files that describe script execution progress. T he script copies a
Kickoff_VDA_Startup_Script log to the central log share within seconds of starting the deployment to the machine, so
that you can verify that the overall process is working. If this log is not copied to the central log share as expected, you can
troubleshoot further by inspecting the local machine: the script places two debugging log files in the %temp% folder on
each machine, for early troubleshooting:
Kickoff_VDA_Startup_Script_<DateT imeStamp>.log
VDA_Install_ProcessLog_<DateT imeStamp>.log
Review the content of these logs to ensure that the script is:
Running as expected.
Properly detecting the target operating system.
Correctly configured to point to the ROOT of the DEPLOYSHARE share (contains the file named AutoSelect.exe).
Capable of authenticating to both the DEPLOYSHARE and LOG shares.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.213
Install VDAs using the standalone package
Sep 16, 20 16
As an alternative to using the full-product XenApp or XenDesktop ISO to install Virtual Delivery Agents (VDAs), you can use
a standalone VDA installation package. T he smaller package more easily accommodates deployments using Electronic
Software Delivery (ESD) packages that are staged or copied locally, have physical machines, or have remote offices.
T he standalone VDA package is intended primarily for deployments that use command-line (silent) installation - it supports
the same command line parameters as the XenDesktopVdaSetup.exe command, which is used by the full-product installer.
T he package also offers a graphical interface that is very similar to the VDA installer on the full-product ISO.
T here are two self-extracting standalone VDA packages: one for installation on supported server OS machines, and
another for supported workstation (desktop) OS machines.
Prerequisites and considerations
T he supported operating systems for VDAs, plus other requirements before installation, are listed in System requirements.
See Prepare to install for details about the information you provide and choices you make during VDA installation.
T he VDA package automatically deploys prerequisites, if the machine does not already have them; this includes Visual C++
2008, 2010 and 2013 Runtimes (32-bit and 64-bit) and .NET Framework 4.5.1.
When installing on a supported server OS machine, the Remote Desktop Services (RDS) role services are installed and
enabled before installing the VDA. Alternatively, you can install the prerequisites yourself before installing the VDA.
Exception: Verify that Windows Server 2008 R2 and Windows 7 machines have at least .NET 3.5.1 installed before you start
the VDA installation.
About restarts
A restart is required at the end of the VDA installation.
T o minimize the number of additional restarts needed during the installation sequence, ensure that .NET Framework
4.5.1 or 4.5.2 is installed before beginning the VDA installation. Also, for Windows Server OS machines, install and enable
the RDS role services before installing the VDA. (Other prerequisites do not typically require machine restarts, so you can
let the installer take care of those for you.)
If you do not install prerequisites before beginning the VDA installation, and you specify the /noreboot option for a
command line installation, you must manage the restarts. For example, when using automatic prerequisite deployment,
the installer will suspend after installing RDS, waiting for a restart; be sure to run the command again after the restart, to
continue with the VDA installation.
If you use the graphical interface or the command line interface option that runs the package, the files in the package are
extracted to the Temp folder. More disk space is required on the machine when extracting to the Temp folder than when
using the full-product ISO. Files extracted to the Temp folder are not automatically deleted, but you can manually delete
them (from C:\Windows\Temp\Ctx-*, where * is a random Globally Unique Identifier) after the installation completes.
Alternatively, use a third party utility that can extract cabinet archives from EXE files (such as 7-Zip) to extract the files to a
directory of your choice, and then run the XenDesktopVdaSetup.exe command. You can use the /extract command with an
absolute path. For more information, see How to use in the section below.
If your deployment uses Microsoft System Center Configuration Manager, a VDA installation might appear to fail with exit
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.214
code 3, even though the VDA installed successfully. To avoid the misleading message, you can wrap your installation in a
CMD script or change the success codes in your Configuration Manager package. For more information, see the forum
discussion here.
Citrix Display Only Driver
T he Citrix Display Only Driver (DOD) is the only installed and supported display driver on the XenDesktop Standard VDA on
Windows 10.
T he Citrix DOD has no GPU assist, even if a GPU or vGPU is present. All rendering is performed by the MS Basic Renderer in
the software using the CPU. T he Citrix DOD does not support Desktop Composition Redirection (DCR). T he Citrix DOD is
not installed or supported on XenApp.
How to use
Important: You must either have elevated administrative privileges before starting the installation, or use "Run as
administrator."
1. Use the following table to determine which VDA installer package to use:
Where are you installing the VDA?
Install this package
On a supported server OS machine
VDAServerSetup.exe
On a supported workstation (desktop) OS machine
VDAWorkstationSetup.exe
For single user, single server OS deployments (for example, delivering Windows Server 2012 to one user for web
development), use the VDAWorkstationSetup.exe package. For more information, see Server VDI.
2. Install the VDA using the graphical interface or the command line interface.
Remember: You must either have elevated administrative privileges before starting the installation, or use Run as
administrator.
Using the graphical interf ace:
1. Disable User Account Control (UAC), then right-click the downloaded package and choose Run as administrator. T he
installer launches and proceeds through the installation wizard. T he restart at the end of the wizard is required before
the VDA can be used in a site. (T he wizard is the same as the one used in the full-product ISO to install a VDA; you will
not encounter anything different.)
Using the command line interf ace:
1. Extract the files from the package and then run XenDesktopVdaSetup.exe.
T o extract the files before installing, use /extract with the absolute path, for example:
.\VDAWorkstationSetup.exe /extract %temp%\CitrixVDAInstallMedia
T hen, in a separate command, run XenDesktopVdaSetup.exe from the directory containing the extracted content.
See Install using the command line and CT X140972 for parameter information.
2. Run the appropriate VDA installer package as if it was the XenDesktopVdaSetup.exe command in
everything except its name. See Install using the command line and CT X140972 for parameter
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
information.
p.215
For example, the most common installation command used for Remote PC Access installs a VDA on a physical office
PC, without installing Citrix Receiver or Citrix Profile Manager. T he machine will not automatically be restarted after
the VDA is installed; however, a restart is required before the VDA can be used. T he VDA will register initially with the
Controller on the server named 'Contr-East'. Ports will be opened if the Windows Firewall Service is detected.
command
COPY
VDAWorkstationSetup.exe /quiet /components vda /exclude "Citrix User Profile Manager" /controllers "Contr-East.domain.com" /enable_hdx_port
Note
Excluding Citrix Profile management from the installation (Using the /exclude "Citrix User Profile Manager" option) will affect
monitoring and troubleshooting of VDAs with Citrix Director. On the User details and EndPoint pages, the Personalization panel and
the Logon Duration panel will fail. On the Dashboard and Trends pages, the Average Logon Duration panel will display data only for
machines that have Profile management installed.
Even if you are using a third party user profile management solution, it is recommended that you install and run the Citrix Profile
management Service to avoid loss of monitoring and troubleshooting in Citrix Director (enabling the Citrix Profile management
Service is not required).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.216
Machine catalogs
May 28 , 20 16
Collections of physical or virtual machines are managed as a single entity called a session machine catalog. Many
deployments create a master image or template on their host, and then use that in the machine catalog as a guide for
Citrix tools (such as Machine Creation Services or Provisioning Services) to create VMs from the image/template. A catalog
can also contain physical machines.
After you create a machine catalog, tests run automatically to ensure that it is configured correctly. When the tests
complete, you can view a test report. You can also run the tests later on demand from Citrix Studio site-name in the Studio
navigation pane.
After the tests complete, create a Delivery group.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.217
Create a machine catalog
May 28 , 20 16
If you will use Citrix tools (Machine Creation Services or Provisioning Services) to create VMs for your deployment, prepare a
master image or template on your host hypervisor. T hen, create the machine catalog.
Make sure the host has sufficient processors, memory, and storage to accommodate the number of machines you will
create.
Prepare a master image
T he master image contains the operating system, non-virtualized applications, VDA, and other software. VMs are created in
a machine catalog, based on a master image you created earlier and specify when you create the catalog.
Good to know:
Master image is also known as clone image, golden image, or base image.
Cloud deployments use templates rather than master images. See the template guidance
in Amazon Web Services, see Deploy XenApp and XenDesktop 7.5 and 7.6 with Amazon VPC
in Citrix CloudPlatform, see XenApp and XenDesktop concepts and deployment on CloudPlatform.
When using Provisioning Services, you can use a master image or a physical computer as the master target device.
Remote PC Access machine catalogs do not use master images.
Microsoft KMS activation considerations when using Machine Creation Services:
If your deployment includes 7.x VDAs with a XenServer 6.1 or 6.2, vSphere, or Microsoft System Center Virtual Machine
Manager host, you do not need to manually re-arm Microsoft Windows or Microsoft Office.
If your deployment includes a 5.x VDA with a XenServer 6.0.2 host, see CT X128580.
Important: If you are using Provisioning Services or Machine Creation Services, do not run Sysprep on master images.
1. Using your hypervisor’s management tool, create a new master image and then install the operating system, plus all
service packs and updates.
T he number of vCPUs and amount of memory are not critical at this point because you can change those values when
you create the machine catalog. However, be sure to configure the amount of hard disk space required for desktops and
applications, because that value cannot be changed later or in the catalog.
2. Make sure that the hard disk is attached at device location 0. Most standard master image templates configure this
location by default, but some custom templates may not.
3. Install and configure the following software on the master image:
Integration tools for your hypervisor (such as XenServer T ools, Hyper-V Integration Services, or VMware tools). If you
omit this step, your applications and desktops might not function correctly.
A VDA for Windows Server OS or VDA for Windows Desktop OS (Citrix recommends installing the latest version to
allow access to the newest features. During installation, enable the optimization option, which improves performance
by reconfiguring certain Windows features.
T hird-party tools as needed, such as anti-virus software or electronic software distribution agents. Configure services
such as Windows Update with settings that are appropriate for users and the machine type.
T hird-party applications that you are not virtualizing. Citrix recommends virtualizing applications because it significantly
reduces costs by eliminating the need to update the master image after adding or reconfiguring an application. In
addition, fewer installed applications reduce the size of the master image hard disks, which saves storage costs.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.218
App-V clients with the recommended settings, if you plan to publish App-V applications.
When using Machine Creation Services, and you will localize Microsoft Windows, install the locales and language
packs. During provisioning, when a snapshot is created, the provisioned VMs use the installed locales and language
packs.
4. When using Provisioning Services, create a VHD file for the vDisk from your master target device before you join the
master target device to a domain.
5. Join the master image to the domain where desktops and applications will be members, and make sure that the master
image is available on the host where the machines will be created.
6. Citrix recommends that you create and name a snapshot of your master image so that it can be identified later. If you
specify a master image rather than a snapshot when creating a machine catalog, Studio creates a snapshot, but you
cannot name it.
Prepare a master image f or GPU-capable machines on XenServer - When using XenServer for your hosting
infrastructure, GPU-capable machines require a dedicated master image. T hose VMs require video card drivers that support
GPUs and must be configured to allow the VM to operate with software that uses the GPU for operations.
1. In XenCenter, create a VM with standard VGA, networks, and vCPU.
2. Update the VM configuration to enable GPU use (either Passthough or vGPU).
3. Install a supported operating system and enable RDP.
4. Install XenServer T ools and NVIDIA drivers.
5. T urn off the Virtual Network Computing (VNC) Admin Console to optimize performance, and then restart the VM.
6. You are prompted to use RDP. Using RDP, install the VDA and then restart the VM.
7. Optionally, create a snapshot for the VM as a baseline template for other GPU master images.
8. Using RDP, install customer-specific applications that are configured in XenCenter and use GPU capabilities.
Create a machine catalog
Before you start the machine catalog creation wizard, review the following procedure to learn about the choices you will
make and information you will supply. When you start the wizard, some of the items may not appear or they may have
different titles, based on your environment and the selections you make.
From Studio:
If you have created a Site but haven’t yet created a machine catalog, Studio will guide you to the correct starting place
to create a machine catalog.
If you have already created a machine catalog and want to create another, select Machine Catalogs in the Studio
navigation pane, and then select Create Machine Catalog in the Actions pane.
T he wizard walks you through the items described below.
Operating system
Each catalog contains machines of only one type:
Windows Server OS – A Windows Server OS catalog provides desktops and applications that can be shared by multiple
users.
Windows Desktop OS – A Windows Desktop OS catalog provides desktops and applications that are assigned to
individual users.
Remote PC Access – A Remote PC Access catalog provides users with remote access to their physical office desktop
machines. Remote PC Access does not require a VPN to provide security.
Amazon Web Services (AWS) supports only Server OS machine catalogs (and Server VDI, see Server VDI), not Desktop OS
or Remote PC Access catalogs.
Machine management
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.219
Indicate whether machines in the catalog will be power managed through Studio:
Machines are power managed through Studio or provisioned through a cloud environment (for example, VMs or blade
PCs). T his option is available only if you have a hypervisor or cloud environment connection already configured. You
probably configured a connection when you created the Site. If not, you can create a new connection later and then
edit the machine catalog.
Machines are not power managed through Studio (for example, physical machines).
Indicate which tool you will use to deploy machines:
Machine Creation Services (MCS) – Uses a master image or template to create and manage virtual machines.
MCS is not available for physical machines.
Machine catalogs in cloud environments use MCS.
Provisioning Services – Manages target devices as a device collection. A Provisioning Services vDisk imaged from a
master target device delivers desktops and applications.
Other – A tool that manages machines already in the data center. Citrix recommends you use Microsoft System
Center Configuration Manager or another third-party application to ensure that the machines in the catalog are
consistent.
Desktop experience
For machine catalogs containing Desktop OS machines that will be used to deliver desktops:
Specify whether users will connect to a new (random) desktop each time they log on, or if they will connect to the
same (static) desktop each time.
If users connect to the same desktop, specify what will happen to any changes they make on the desktop. You can
save changes to a separate Personal vDisk or the user’s local VM disk, or you can discard changes. (If you choose to
save changes to the separate Personal vDisk, you specify the drive letter and size later in the wizard.)
Master image or machine template
Select the master image (non-cloud) or machine template (cloud) you created earlier. Remember: If you are using
Provisioning Services or Machine Creation Services, do not run Sysprep on master images.
Security
(Cloud environments) Select one or more security groups for the VMs; these are shown only if the availability zone
supports security groups. Choose whether machines will use shared hardware or account-dedicated hardware.
Virtual machines or Device collection or VMs and users
Specify how many virtual machines to create. You can choose how many virtual CPUs and the amount of memory (in MB)
each machine will have. Each VM will have a 32 GB hard disk; this value is set in the master image, it cannot be changed in
the catalog.
If you indicated previously that user changes to desktops should be saved on a separate Personal vDisk, specify its size in
gigabytes and the drive letter.
If you plan to use multiple Network Interface Cards (NICs), associate a virtual network with each card. For example, you
can assign one card to access a specific secure network, and another card to access a more commonly-used network.
You can also add or remove NICs from this wizard.
Machine accounts
(Remote PC Access catalogs) Specify the Active Directory machine accounts or Organizational Units (OUs) to add that
correspond to users or user groups.
You can choose a previously-configured power management connection or elect not to use power management. If you
want to use power management but a suitable connection hasn't been configured yet, you can create that connection
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.220
later and then edit the machine catalog to update the power management settings.
Computer accounts
Each machine in the catalog must have a corresponding Active Directory computer account. Indicate whether to create
new accounts or use existing accounts, and the location for those accounts.
If you use existing accounts, make sure you have enough unused computer accounts for the machines that will be
created.
You can browse Active Directory to locate the existing accounts, or you can import a .csv file that lists the account
names. T he imported file content must use the format:
[ADComputerAccount]
ADcomputeraccountname.domain
...
For catalogs containing physical machines or existing machines, select or import existing accounts and assign each
machine to both an Active Directory computer account and to a user account.
For machines created with Provisioning Services, computer accounts for target devices are managed differently; see the
Provisioning Services documentation.
Also specify the account naming scheme for the machines that are created – hash marks (#) in the scheme represent
sequential numbers or letters that will be included with additional name text you provide.
Name and description
On the final page of the creation wizard, you specify the name and description of the machine catalog. T his information
appears in Studio.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.221
Manage machine catalogs
May 28 , 20 16
For random machine catalogs, you can maintain users' desktops by applying global changes (such as Windows updates, antivirus software updates, operating system upgrades, or configuration changes) to the master image. T hen modify the
machine catalog to use the updated master image so users receive the updated desktop the next time they log on. You
can make significant changes for large numbers of users in one operation.
For static and Remote PC Access machine catalogs, you must manage updates to users' desktops outside of Studio, either
on an individual basis or collectively using third-party software distribution tools. For machines created through Provisioning
Services, updates to users' desktops are propagated through the vDisk.
Citrix recommends that you save copies or snapshots of master images before you make updates. T he database keeps a
historical record of the master images used with each machine catalog. Do not delete, move, or rename master images. You
can revert a machine catalog to use the previous version of the master image if users encounter problems with updates you
deployed to their desktops, thereby minimizing user downtime.
Add machines
Before you start:
Make sure the virtualization host has sufficient processors, memory, and storage to accommodate the additional
machines.
Make sure that you have enough unused Active Directory computer accounts. If using existing accounts, keep in mind
that the number of machines you can add is limited by the number of accounts available.
If you will use Studio to create Active Directory computer accounts for the additional machines, you must also have
appropriate domain administrator permission.
1. Select Machine Catalogs in the Studio navigation pane.
2. Select a machine catalog and then select Add machines in the Actions pane.
3. Select the number of virtual machines to add.
4. If you indicate that new Active Directory accounts should be created (this step is required if there are insufficient
existing accounts for the number of VMs you are adding):
Select the domain and location where the accounts will be created.
Specify an account naming scheme, using hash marks to indicate where sequential numbers or letters will appear (a
name cannot begin with a number). For example, a naming scheme of PC-Sales-## (with 0-9 selected) results in
computer accounts named PC-Sales-01, PC-Sales-02 , PC-Sales-03, etc.
If you indicate that existing Active Directory accounts should be used:
Either browse to the accounts or click Import and specify a .csv file containing account names. Make sure that there
are enough accounts for all the machines you’re adding.
Studio manages these accounts, so either allow Studio to reset the passwords for all the accounts or specify the
account password (which must be the same for all accounts).
T he machines are created as a background process, and can be lengthy when creating a large number of machines.
Machine creation continues even if you close Studio.
Change a machine catalog description or change Remote PC Access settings
1. Select Machine Catalogs in the Studio navigation pane.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.222
2. Select a catalog and then select Edit Machine Catalog in the Actions pane.
3. (Remote PC Access catalogs only) On the Power Management page, you can change a Remote PC Access catalog's
power management settings and select a power management connection. On the Organizational Units page, add or
remove OUs.
On the Description page, change the machine catalog description.
Rename a machine catalog
1. Select Machine Catalogs in the Studio navigation pane.
2. Select a catalog and then select Rename Machine Catalog in the Actions pane.
3. Enter the new name.
Delete a machine catalog
Before deleting a machine catalog, ensure that:
All users are logged off and that no disconnected sessions are running.
Maintenance mode is turned on for all machines in the catalog, and then all machines are shut down.
T he catalog is not associated with a Delivery Group.
1. Select Machine Catalogs in the Studio navigation pane.
2. Select a catalog and then select Delete Machine Catalog in the Actions pane.
3. Indicate whether the machines in the catalog should be deleted. If you choose to delete the machines, indicate whether
the associated computer accounts should be left as-is, disabled, or deleted in Active Directory.
Delete machines f rom a machine catalog
After you delete a machine from a catalog, users no longer can access it. Before deleting a machine, ensure that:
User data is backed up or no longer required.
All users are logged off. T urning on maintenance mode will stop users from connecting to a machine.
Desktops are not powered on or suspended.
1. Select Machine Catalogs in the Studio navigation pane.
2. Select a catalog and then select View Machines in the Actions pane.
3. Select one or more machines and then click T urn On Maintenance Mode in the Actions pane.
4. Select Delete in the Actions pane.
5. Choose whether to delete the machines being removed. If you choose to delete the machines, select what to do with
the associated Active Directory computer accounts:
In machine catalog
In Active Directory
Leave
Do not change
Remove
Do not remove
Remove
Disable
Remove
Delete
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.223
Manage Active Directory computer accounts
T o manage Active Directory accounts in a machine catalog, you can:
Free unused machine accounts by removing Active Directory computer accounts from Desktop OS and Server OS
machine catalogs. T hose accounts can then be used for other machines.
Add accounts so that when more machines are added to the catalog, the computer accounts are already in place
1. Select Machine Catalogs in the Studio navigation pane.
2. Select a machine catalog and then select Manage AD accounts in the Actions pane.
3. Choose whether to add or delete computer accounts.
If you add accounts, you are prompted to specify what to do with the account passwords: either reset them all or
enter a password that applies to all accounts. You might reset passwords if you do not know the current account
passwords; you must have permission to perform a password reset. If you enter a password, the password will be
changed on the accounts as they are imported.
If you delete an account, you are prompted to choose whether the account in Active Directory should be kept,
disabled, or deleted.
Update a master image
Update a master image to apply changes to all the desktops and applications in a machine catalog that were created with
that master image. Managing common aspects through a single master image lets you deploy system-wide changes such as
Windows updates or configuration changes to a large number of machines quickly.
After preparing and testing a new/updated master image on the host (see Prepare a master image), modify the machine
catalog to use it.
Note the following:
Citrix recommends that you save copies or snapshots of master images before you make updates. T he database keeps a
historical record of the master images used with each machine catalog. You can revert a machine catalog to use the
previous version of the master image if users encounter problems with updates you deployed to their desktops, thereby
minimizing user downtime. Do not delete, move, or rename master images; otherwise, you will not be able to revert a
machine catalog to use them.
Although Studio can create a snapshot, Citrix recommends that you create a snapshot using the hypervisor
management console, and then select that snapshot in Studio. T his enables you to provide a meaningful name and
description rather than an automatically generated name.
For GPU master images, you can change the master image only through the XenServer XenCenter console.
For machine catalogs that use Provisioning Services, you must publish a new vDisk to apply changes to the catalog. For
details, see the Provisioning Services documentation.
After updating the master image, you must restart the machines through Studio for the changes to take effect and be
available to your users. T his may occur automatically; for example, when a user logs off a desktop, or it may occur as part
of a configured restart schedule. Alternatively, you can restart a machine from Studio.
1. Select Machine Catalogs in the Studio navigation pane.
2. Select a machine catalog and then select Update Machines in the Actions pane.
3. On the Master Image page, select the host and the new/updated master image.
4. On the Rollout Strategy page, specify when the new or updated master image is applied to users' machines: on the next
shutdown or immediately.
If you choose to update the image on the next shutdown, you can notify users of the update.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.224
If you choose to update the image immediately, you can specify whether to restart all machines at the same time or
at specified intervals. You can send a notification message to users 1, 5, or 15 minutes before they are logged off and
the machine restarted.
Revert to the previous version of the master image
1. Select Machine Catalogs in the Studio navigation pane.
2. Select the machine catalog and then select Rollback machine update in the Actions pane.
3. Specify how to apply the reverted master image to user desktops, as described above.
T he rollback strategy is applied only to desktops that need to be reverted. For desktops that have not been updated with
the new/updated master image that prompted the rollback (for example, desktops with users who have not logged off),
users do not receive messages and are not forced to log off.
Upgrade a machine catalog
Upgrade the machine catalog after you upgrade the VDAs on the machines to a newer version. Citrix recommends
upgrading all VDAs to the latest version so they can all access the newest features.
Note: If you have Windows XP or Windows Vista machines, they must use an earlier VDA version, and will not be able to use
the latest product features. If you cannot upgrade those machines to a currently supported Windows operating system,
Citrix recommends you keep them in a separate machine catalog. For more information, see VDAs on machines running
Windows XP or Windows Vista and Mixed VDA support.
Before you upgrade a machine catalog:
If you’re using Provisioning Services, upgrade the VDA version in the Provisioning Services console.
Start the upgraded machines so that they register with the Controller. T his lets Studio determine that the machines in
the machine catalog need upgrading.
1. Select Machine Catalogs in the Studio navigation pane.
2. Select the machine catalog. T he Details tab in the lower pane displays version information.
3. Select Upgrade Catalog.
If Studio detects that the catalog needs upgrading, it displays a message. Follow the prompts.
If one or more machines cannot be upgraded, a message explains why. Citrix recommends you resolve machine issues
before upgrading the machine catalog to ensure that all machines function properly.
Revert a machine catalog upgrade
Before you revert a machine catalog upgrade, if you used Provisioning Services to create the machine catalog, change the
VDA version in the Provisioning Services console.
1. Select Machine Catalogs in the Studio navigation pane.
2. Select the machine catalog. T he Details tab in the lower pane displays version information.
3. Select Undo and then follow the prompts.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.225
Delivery groups
May 28 , 20 16
A Delivery group is a collection of machines selected from one or more machine catalogs. T he Delivery group specifies which
users can use those machines, and the applications available to those users.
Begin by creating the Delivery group. Later, you can change the initial settings and configure additional ones.
Create a Delivery Group
T o create a Delivery Group:
1. Select Delivery Groups in the Studio navigation pane.
2. Select Create Delivery Group in the Actions pane. T he wizard walks you through the items described below.
Machines
Select a machine catalog and specify the number of machines you want to use from the catalog.
At least one machine must remain unused in the selected machine catalog.
A machine catalog can be specified in more than one Delivery group; however, a machine can be used in only one Delivery
group.
A Delivery group can use more than one machine catalog; however, those catalogs must contain the same machine
types (Server OS, Desktop OS, or Remote PC Access). In other words, you cannot mix machine types in a Delivery group
or in a machine catalog.
Similarly, you cannot create a Delivery group containing Desktop OS machines from a machine catalog configured for
static desktops and machines from a machine catalog configured for random desktops.
Each machine in a Remote PC Access machine catalog is automatically associated with a Delivery group.
Delivery type
T he type indicates what the Delivery group offers: only desktops, only applications, or both desktops and applications.
Delivery groups with static Desktop OS machines cannot offer both desktops and applications.
Users
Specify the users and user groups who can use the applications and/or desktops in the Delivery group.
T here are two types of users: authenticated and unauthenticated (unauthenticated is also called anonymous). You can
configure one or both types.
Authenticated - T he users and group members you specify by name must present credentials (such as smart card or
user name and password) to StoreFront or Citrix Receiver to access applications and desktops.
Unauthenticated (anonymous) - For Delivery Groups containing Server OS machines, you can select a check box that
will allow users to access applications and desktops without presenting credentials to StoreFront or Citrix Receiver. For
example, when users access applications through kiosks, the application might require credentials, but the Citrix access
portal and tools do not. An Anonymous Users Group is created when you install the VDA.
T o grant access to unauthenticated users, each machine in the Delivery Group must have a VDA for Windows Server
OS (minimum version 7.6) installed. When unauthenticated users are enabled, you must have an unauthenticated
StoreFront store.
Unauthenticated user accounts are created on demand when a session is launched, and named AnonXYZ, in which
XYZ is a unique three-digit value.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.226
Unauthenticated user sessions have a default idle timeout of 10 minutes, and are logged off automatically when the
client disconnects. Reconnection, roaming between clients, and Workspace Control are not supported.
T he following table describes your choices.
Enable access f or
Add/assign users and
user groups?
Enable the "Give access to unauthenticated
users" check box?
Only authenticated users
Yes
No
Only unauthenticated users
No
Yes
Both authenticated and
unauthenticated users
Yes
Yes
For Desktop groups containing Desktop OS machines, you can import user data (a list of users) after you create the
Delivery group. See Import or export user lists.
Applications
A list displays the applications that were discovered on a machine created from the master image, a template in the
machine catalog, or on the App-V management server. Choose one or more applications to add to the Delivery group.
You can also add (create) applications manually. You’ll need to provide the path to the executable, working directory,
optional command line arguments, and display names for administrators and users.
You can change an application’s properties; see Change application properties for details.
You cannot create applications for Remote PC Access Delivery groups.
By default, applications you add are placed in a folder named Applications. Folders can make it easier to manage large
numbers of applications. You can specify a different folder when you add the application; however, it’s easier to manage
folders later. See Manage application folders for details.
If you publish two applications with the same name to the same users, change the Application name (for user) property in
Studio; otherwise, users will see duplicate names in Receiver.
StoreFront
Select or add StoreFront URLs that will be used by the Citrix Receiver that is installed on each machine in the Delivery group.
You can also specify the StoreFront server address later by selecting Configuration > StoreFront in the navigation pane.
When adding the StoreFront Server add ‘/Discovery’ to the end of the URL.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.227
Settings
May 28 , 20 16
T he following documents describe how to configure and manage most of the settings you can specify and update for
Delivery Groups:
Applications
Machines
Remote PC Access
Session
Users
T he information below describes settings that are not covered in those documents.
Change delivery type
Before changing an application only or desktop and applications Delivery group to a desktop only Delivery group, delete all
applications from the Delivery group.
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery group, and then select Edit Delivery Group in the Actions pane.
3. On the Delivery T ype page, select the delivery type you want to change the Deliver group to.
Change basic settings
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery group, and then select Edit Delivery Group in the Actions pane.
3. On the Basic Settings page, you can change the following:
Setting
Description
Description
T he text that StoreFront uses and that users see.
Enabled
Whether or not the Delivery Group is enabled.
check box
Desktops
(Desktop OS machines only) T he maximum number of shared desktops that a user can have active at
per user
the same time. In assign-on-first-use deployments, this value specifies how many desktops users can
assign to themselves.
T ime zone
Enable
Secures communications to and from machines in the Delivery Group using SecureICA, which encrypts
Secure ICA
the ICA protocol (default level is 128-bit; the level can be changed using the SDK). Citrix recommends
using additional encryption methods such as SSL/T LS encryption when traversing public networks. Also,
SecureICA does not check data integrity.
Upgrade a Delivery Group
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.228
Upgrade a Delivery Group after you upgrade the VDAs on its machines.
Note: If you must continue using earlier VDA versions, newer product features may not be available. For more information,
see Upgrade a deployment.
Before you start the Delivery Group upgrade:
If you use Provisioning Services, upgrade the VDA version in the Provisioning Services console.
Start the machines containing the new VDA so that they can register with the Controller. T his process tells Studio what
needs upgrading in the Delivery Group.
1. Select Delivery Groups in the Studio navigation pane.
2. Select the Delivery group and then select Upgrade Delivery Group in the Actions pane.
Before starting the upgrade process, Studio tells you which, if any, machines cannot be upgraded and why. You can then
cancel the upgrade, resolve the machine issues, and then start the Delivery Group upgrade again.
After the Delivery Group upgrade completes, you can revert the machines to their previous states by selecting the Delivery
Group and then selecting Undo in the Actions pane.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.229
Machines
May 23, 20 17
Unless otherwise noted, the following procedures are supported for all Delivery Group types: Server OS, Desktop OS, and
Remote PC Access.
Shut down and restart machines
Note: T his procedure is not supported for Remote PC Access machines.
1. Select Delivery Groups in the Studio navigation pane.
2. Select the Delivery Group and then select View Machines in the Actions pane.
3. Select the machine and select one of the following in the Actions pane (some options may not be available, depending
on the machine state):
Force shut down — Forcibly powers off the machine and refreshes the list of machines.
Restart — Requests the operating system to shut down and then start the machine again. If the operating system
cannot comply, the machine remains in its current state.
Suspend — Pauses the machine without shutting it down, and refreshes the list of machines.
Shut down — Requests the operating system to shut down.
If the machine does not shut down within 10 minutes, it is powered off. If Windows attempts to install updates during the
shutdown, there is a risk that the machine will be powered off before the updates finish.
Note: Citrix recommends that you prevent Desktop OS machine users from selecting Shut Down within a session. See the
Microsoft policy documentation for details.
Power manage machines
Note: You can power manage only virtual Desktop OS machines, not physical ones (including Remote PC Access machines).
Desktop OS machines with GPU capabilities cannot be suspended, so power off operations fail. For Server OS machines,
see Create a restart schedule
Machines can be in one of the following states:
Delivery Group
State
Random
Randomly allocated and in use
Unallocated and unconnected
Static (assigned)
Permanently allocated and in use
Permanently allocated and unconnected (but ready)
Unallocated and unconnected
During normal use, static Delivery Groups typically contain both permanently allocated and unallocated machines. Initially, all
machines are unallocated (except for those manually allocated when the Delivery Group was created). As users connect,
machines become permanently allocated. You can fully power manage the unallocated machines in those Delivery Groups,
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.230
but only partially manage the permanently allocated machines.
Pools and buf f ers - For random Delivery Groups and unallocated machines in static Delivery Groups, a pool is a set of
unallocated (or temporarily allocated) machines that are kept in a powered-on state, ready for users to connect; a user
gets a machine immediately after log on. T he pool size (the number of machines kept powered-on) is configurable by
time of day. (For static Delivery Groups, use the SDK to configure the pool.)
A buffer is an additional standby set of unallocated machines that are turned on when the number of machines in the
pool falls below a threshold that is a percentage of the Delivery Group size. For large Delivery Groups, a significant
number of machines might be turned on when the threshold is exceeded, so plan Delivery Group sizes carefully or use the
SDK to adjust the default buffer size.
Power state timers - You can use power state timers to suspend machines after users have disconnected for a
specified amount of time. For example, machines will suspend automatically outside of office hours if users have been
disconnected for at least ten minutes. Random machines or machines with Personal vDisks automatically shut down
when users log off, unless you configure the ShutdownDesktopsAfterUse Delivery Group property in the SDK.
You can configure timers for weekdays and weekends, and for peak and nonpeak intervals.
Partial power management of permanently allocated machines - For permanently allocated machines, you can set
power state timers, but not pools or buffers. T he machines are turned on at the start of each peak period, and turned
off at the start of each off-peak period; you do not have the fine control that you have with unallocated machines over
the number of machines that become available to compensate for machines that are consumed.
T o power manage virtual Desktop OS machines:
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group, and then select Edit Delivery Group in the Actions pane.
3. On the Power Management page, select Weekdays in the Power manage machines dropdown. (By default, weekdays
are Monday to Friday.)
4. For random Delivery Groups, in Machines to be powered on, select Edit and then specify the pool size during weekdays.
T hen, select the number of machines to power on.
5. In Peak hours, set the peak and off-peak hours for each day.
6. Set the power state timers for peak and non-peak hours during weekdays:
In During peak hours > When disconnected, specify the delay (in minutes) before suspending any disconnected
machine in the Delivery Group, and select Suspend.
In During off-peak hours > When disconnected, specify the delay before turning off any logged-off machine in the
Delivery Group, and select Shutdown. T his timer is not available for Delivery Groups with random machines.
7. Select Weekend in the Power manage machines dropdown, and then configure the peak hours and power state timers
for weekends.
Use the SDK to:
Shut down, rather than suspend, machines in response to power state timers, or if you want the timers to be based on
logoffs, rather than disconnections.
Change the default weekday and weekend definitions.
Create a restart schedule
Note: You can use a restart schedule for Server OS machines only. For Desktop OS machines, see Power manage machines.
T o configure a restart schedule:
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group, and then select Edit Delivery Group in the Actions pane,
3. On the Restart Schedule page:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.231
In the Restart machines drop-down, choose how often to restart the machines.
In the Restart first group at fields, specify the hour and minute (in 24-hour format) when the first server will begin the
restart process.
In the Restart additional groups every drop-down, Indicate whether all servers should be restarted at once, or how
much time should be allowed to restart every server in the Delivery Group.
For example, assume a Delivery Group has five servers, a Restart first group at time of 13:00 (1:00 pm), and a Restart
additional groups every selection of 1 hour. T hat duration (60 minutes) is divided by the number of machines (five),
which yields a restart interval of 12 minutes. So, the restart times are 1:00 pm, 1:12 pm, 1:24 pm, 1:36 pm, and 1:48 pm.
T his gives all five machines the chance to complete their restart at the end of the specified interval (1 hour).
Indicate whether you want to send a message to users at a specified interval before they are logged off. T he
notification will be sent relative to each server's calculated restart time, as described in the example.
You cannot perform an automated power-on or shutdown in Studio.
Prevent users f rom connecting to a machine (maintenance mode)
When you need to temporarily stop new connections to machines, you can turn on maintenance mode for one or all the
machines in a Delivery Group. You might do this before applying patches or using management tools.
When a Server OS machine is in maintenance mode, users can connect to existing sessions, but cannot start new
sessions.
When a Desktop OS machine (or a PC using Remote PC Access) is in maintenance mode, users cannot connect or
reconnect. Current connections remain connected until they disconnect or log off.
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group.
3. T o turn on maintenance mode for all machines in the Delivery Group, select T urn On Maintenance Mode in the Actions
pane.
T o turn on maintenance mode for one machine:
1. Select View Machines in the Actions pane.
2. Select a machine, and then select T urn On Maintenance Mode in the Actions pane.
4. T o turn maintenance mode off for one or all machines in a Delivery Group, follow the previous instructions, but select
T urn Off Maintenance Mode in the Actions pane.
Windows Remote Desktop Connection (RDC) settings also affect whether a Server OS machine is in maintenance mode.
Maintenance mode is on when any of the following occur:
Server maintenance mode is set to on, as described above.
RDC is set to Don’t allow connections to this computer.
RDC is not set to Don’t allow connections to this computer, and the Remote Host Configuration User Logon Mode
setting is one of the following:
Allow reconnections, but prevent new logons
Allow reconnections, but prevent new logons until the server is restarted.
Reallocate machines (change users)
Note: You can reallocate only Desktop OS machines, not Server OS machines or machines created through Provisioning
Services.
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group.
3. T o reallocate more than one machine:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.232
1. Select Edit Delivery Group in the Actions pane.
2. On the Machine Allocation (User Assignment) page, select machines and specify the new users.
4. T o reallocate one machine:
1. Select View Machines in the Actions pane.
2. Select a machine, and then select Change User in the Actions pane.
3. Add or remove the user.
Change the maximum number of machines per user
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group, and then select Edit Delivery Group in the Actions pane.
3. On the User Settings page, set the desktops per user value.
Identif y machines using tags
You can use tags to refine a machine search or to limit machine access. You can add any number of tags of any length.
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group, and then select View Machines in the Actions pane.
3. Select a machine.
4. T o add tags, select Add T ag in the Actions menu and then enter one or more tags, separated by semicolons (;).
To change or remove tags, select Edit Tags in the Actions menu and then make the necessary changes.
Load manage
Note: You can load manage Server OS machines only.
Load Management measures the server load and determines which server to select under the current environment
conditions. T his selection is based on:
Server maintenance mode status – a Server OS machine is considered for load balancing only when maintenance
mode is off. (See Prevent users from connecting to a machine (maintenance mode) for details.)
Server load index – determines how likely a server delivering Server OS machines is to receive connections. T he index is a
combination of load evaluators: the number of sessions and the settings for performance metrics such as CPU, disk, and
memory use. You specify the load evaluators in load management policy settings.
You can monitor the load index in Director, Studio search, and the SDK.
In Studio, the Server Load Index column is hidden by default. T o display it, select a machine, right-select a column
heading and then choose Select Column. In the Machine category, select Load Index.
In the SDK, use the Get-BrokerMachine cmdlet.
A server load index of 10000 indicates that the server is fully loaded. If no other servers are available, users might receive
a message that the desktop or application is currently unavailable when they launch a session.
Concurrent logon tolerance policy setting - the maximum number of concurrent requests to log on to the server.
(T his setting is equivalent to load throttling in XenApp versions earlier than 7.5.)
If all servers are at or higher than the concurrent logon tolerance setting, the next logon request is assigned to the server
with the lowest pending logons. If more than one server meets this criteria, the server with the lowest load index is
selected.
For more information, see the
— Policy settings reference
.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.233
Remove a machine
Removing a machine deletes it from a Delivery Group but does not delete it from the machine catalog that the Delivery
Group uses. T herefore, the machines are available for assignment to other Delivery Groups.
Machines must be shut down before they can be removed. To temporarily stop users from connecting to a machine while
you are removing it, put the machine into maintenance mode before shutting it down.
Keep in mind that machines may contain personal data, so use caution before allocating the machine to another user. You
may want to reimage the machine.
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group and the select View Machines in the Actions pane.
3. Make sure that the machine is shut down.
4. Select Remove from Delivery Group in the Actions pane.
Restrict access to machines
Any changes you make to restrict access to machines in a Delivery Group supersede previous settings, regardless of the
method you use. You can:
Restrict access for administrators using Delegated Administration scopes. You can create and assign a scope that
permits administrators to access all applications, and another scope that provides access to only certain applications.
See the Delegated Administration documentation for details.
Restrict access for users through SmartAccess policy expressions that filter user connections made through NetScaler
Gateway.
1. Select Delivery Groups in the Studio navigation pane.
2. Select the Delivery Group and then select Edit Delivery Group in the Actions pane.
3. On the Access policy page, select Connections through NetScaler Gateway.
4. T o choose a subset of those connections, select Connections meeting any of the following filters. T hen define the
NetScaler Gateway site, and add, edit, or remove the SmartAccess policy expressions for the allowed user access
scenarios. For details, see the NetScaler Gateway documentation.
Restrict access for users through exclusion filters on access policies that you set in the SDK. Access policies are applied
to Delivery Groups to refine connections. For example, you can restrict machine access to a subset of users, and you can
specify allowed user devices. Exclusion filters further refine access policies. For example, for security you can deny access
to a subset of users or devices.
By default, exclusion filters are disabled.
For example, for a teaching lab on a subnet in the corporate network, to prevent access from that lab to a particular
Delivery Group, regardless of who is using the machines in the lab, use the following command: Set-BrokerAccessPolicy Name VPDesktops_Direct -ExcludedClientIPFilterEnabled $True You can use the asterisk (*) wildcard to match all tags that start with the same policy expression. For example, if you add
the tag VPDesktops_Direct to one machine and VPDesktops_Test to another, setting the tag in the SetBrokerAccessPolicy script to VPDesktops_* applies the filter to both machines.
Update a machine
1. Select Delivery Groups in the Studio navigation pane.
2. Select the Delivery Group, select View Machines in the Action pane.
3. Select a machine and then select Update machines in the Actions pane.
T o choose a different master image, select Master image. T hen select a snapshot. Expanding a selected snapshot
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.234
displays associated master images.
T o apply changes and notify machine users, select Rollout notification to end-users. T hen specify:
When to update the master image: now or on the next restart.
T he restart distribution time: all machines at the same time or at time variations.
If and when users will be notified of the restart, plus the message they will receive.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.235
Applications
May 28 , 20 16
Add applications
T o add an application to a Delivery Group:
1. Select Delivery Groups in the Studio navigation pane.
2. Select the Delivery Group.
3. Select Add Applications in the Actions pane.
A list displays the applications that were discovered on a machine created from the master image, a template in the
machine catalog, or on the App-V management server. Choose one or more applications to add to the Delivery Group.
You can also add (create) applications manually. You’ll need to provide the path to the executable, working directory,
optional command line arguments, and display names for administrators and users.
You can change an application's properties; see below.
By default, applications you add are placed in a folder named Applications. For more information about application folders,
see below.
Duplicate, disable, rename, edit tags, or delete an application
T o duplicate, disable, rename, edit tags, or delete an application:
1. Select Delivery Groups in the Studio navigation pane.
2. Select the Applications tab in the middle pane and then select the application.
3. Select the appropriate task in the Actions pane.
Good to know:
When you duplicate an application, it is automatically renamed and placed adjacent to the original.
Deleting an application removes it from the Delivery Group but not from the master image.
T o move an application to a different application folder, see below.
Change application properties
T o change the properties of an application:
1. Select Delivery Groups in the Studio navigation pane.
2. Select the Applications tab in the middle pane and then select the application.
3. Select Properties in the Actions pane.
You can view and change the following:
Property to view or change
Select this page
Application name
Identification
Category in Receiver
Delivery
Command line arguments
Location
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.236
Description
Property
to view or change
Identification
Select
this page
File extensions
File T ype Association
File type association
File T ype Association
Icon
Delivery
Keywords for StoreFront
Identification
Path to executable
Location
Shortcut on user’s desktop
Delivery
Visibility
Limit Visibility
Working directory
Location
Application changes might not take effect for current application users until they log off their sessions.
Manage application f olders
By default, applications you add are placed in a folder named
— Applications
. You can:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.237
Create additional folders and then move applications into those new folders.
Folders can be nested up to five levels.
Folders do not have to contain applications; empty folders are allowed.
Folders are listed alphabetically unless you move them or specify a different location when you create them.
You can have more than one folder with the same name, as long as each has a different parent folder. Similarly, you
can have more than one application with the same name, as long as each is in a different folder.
Move a folder to the same or a different level. Moving is easiest using drag-and-drop.
Rename or delete a folder you created. You cannot rename or delete the Applications folder, but you can move all the
applications it contains to other folders you create.
You can also create folders for applications when you create a Delivery Group.
You must have View Applications permission to see the applications in folders, and you must have Edit Application
Properties permission for all applications in the folder to remove, rename, or delete a folder that contains applications. For
details, see Delegated Administration.
T ip: T he following instructions use the Actions pane in Studio. Alternatively, you can use right-click menus or drag and drop.
If you create or move a folder in a location you did not intend, you can drag and drop it to the correct location.
Select Delivery Groups in the Studio navigation pane, and then select the Applications tab in the middle pane.
T o view all folders (excluding nested folders), click Show all.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.238
T o create a folder:
1. T o place the new folder at the highest level (not nested under another folder), select the top Applications folder. T o
place the new folder under an existing folder other than Applications, select that folder.
2. Select Create Folder in the Actions pane. Enter a 1-64 character name for the folder. Spaces are permitted.
T o move a folder:
1. Select the folder and then select Move Folder in the Actions pane. (You can move only one folder at a time unless the
folder contains nested folders.)
2. T o move the folder to the highest level (not nested under another folder), select the top Applications folder. T o move
a new folder under an existing folder other than Applications, select that folder.
T o rename a folder, select the folder, and then select Rename Folder in the Actions pane. Enter a 1-64 character new
name.
T o delete a folder, select the folder, and then select Delete Folder in the Actions pane. When you delete a folder that
contains applications and other folders, those objects are also deleted. Deleting an application removes the application
assignment from the Delivery Group; it does not remove it from the machine.
T o move applications into a folder, select one or more applications, and then select Move Application in the Actions
pane. Select the folder.
T o add or move applications to folders from within the Create Delivery Group wizard, select one or more applications on
the Applications page, and then select Change.
T o move the application to an existing folder, select that folder.
T o move the application to a new folder:
T o create a folder at the highest level (not nested under another folder), select the top Applications folder and then
select New folder. Specify a 1-64 character folder name. Spaces are allowed.
T o create a new nested folder under an existing folder (other than Applications), select an existing folder and then
select New folder. Specify a 1-64 character folder name. Spaces are allowed.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.239
Users
May 28 , 20 16
Add users, remove users, and enable/disable access to unauthenticated (anonymous) users
T here are two types of users: authenticated and unauthenticated (unauthenticated is also called anonymous). You can
configure one or both types.
Authenticated - T he users and group members you specify by name must present credentials (such as smart card or
user name and password) to StoreFront or Citrix Receiver to access applications and desktops.
Unauthenticated (anonymous) - For Delivery Groups containing Server OS machines, you can select a check box that
will allow users to access applications and desktops without presenting credentials to StoreFront or Citrix Receiver. For
example, when users access applications through kiosks, the application might require credentials, but the Citrix access
portal and tools do not. An Anonymous Users Group is created when you install the VDA.
T o grant access to unauthenticated users, each machine in the Delivery Group must have a VDA for Windows Server
OS (minimum version 7.6) installed. When unauthenticated users are enabled, you must have an unauthenticated
StoreFront store.
Unauthenticated user accounts are created on demand when a session is launched, and named AnonXYZ, in which
XYZ is a unique three-digit value.
Unauthenticated user sessions have a default idle timeout of 10 minutes, and are logged off automatically when the
client disconnects. Reconnection, roaming between clients, and Workspace Control are not supported.
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group, and then select Edit Delivery Group in the Actions pane.
3. T he following table describes your choices.
Enable access f or
Add/assign users and
Enable the "Give access to unauthenticated
user groups?
users" check box?
Only authenticated users
Yes
No
Only unauthenticated users
No
Yes
Both authenticated and
Yes
Yes
unauthenticated users
For Desktop Groups containing Desktop OS machines, you can import user data (a list of users) after you create the
Delivery Group. See Import or export user lists below.
Import or export user lists
For Delivery Groups containing physical Desktop OS machines, you can import user information from a .csv file after you
create the Delivery Group. You can also export user information to a .csv file. T he .csv file can contain data from a previous
product version.
T he first line in the .csv file must contain comma-separated column headings (in any order), which can include:
ADComputerAccount, AssignedUser, VirtualMachine, and HostId. Subsequent lines in the file contain comma-separated
data. T he ADComputerAccount entries can be common names, IP addresses, distinguished names, or domain and computer
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.240
name pairs.
T o import or export user information:
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group, and then select Edit Delivery Group in the Actions pane.
3. On the Machine Allocation page, select the Import list or Export list button, and then browse to the file location.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.241
Sessions
May 28 , 20 16
Log of f or disconnect a session, or send a message to users
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group and then select View Machines in the Actions pane.
3. T o log a user off a session, select the session or desktop and select Log off in the Actions pane. T he session closes and
the machine becomes available to other users, unless it is allocated to a specific user.
To disconnect a session, select the session or desktop, and select Disconnect in the Actions pane. Applications continue
to run and the machine remains allocated to that user. T he user can reconnect to the same machine.
To send a message to users, select the session, machine, or user, and then select Send message in the Actions pane.
Enter the message.
You can configure power state timers for Desktop OS machines to automatically handle unused sessions. See Power
manage machines for details.
Configure session prelaunch and session linger
Note: T hese features are supported on Server OS machines only.
T his brief video shows you how to configure session prelaunch and session linger:
T he session prelaunch and session linger features help specified users access applications quickly, by starting sessions
before they are requested (session prelaunch) and keeping application sessions active after a user closes all applications
(session linger).
By default, session prelaunch and session linger are not used: a session starts (launches) when a user starts an application,
and remains active until the last open application in the session closes.
Considerations:
T he Delivery Group must support applications, and the machines must be running a VDA for Server OS, minimum version
7.6.
Session prelaunch is supported only when using Citrix Receiver for Windows. Session linger is supported when using Citrix
Receiver for Windows and Receiver for Web. Additional Receiver configuration is required. For instructions, search for
“session prelaunch” in the eDocs content for your Receiver for Windows version.
Note: Receiver for HT ML5 is not supported.
When using session prelaunch:
Regardless of the admin-side settings, if an end user’s machine is put into "suspend" or "hibernate" mode, prelaunch
will not work.
Prelaunch will work as long as the end user locks their machine/session, but if the end user logs off from Citrix
Receiver, the session is ended and prelaunch no longer applies.
Prelaunched and lingering sessions consume a license, but only when connected. Unused prelaunched and lingering
sessions disconnect after 15 minutes by default. T his value can be configured in PowerShell (New/SetBrokerSessionPreLaunch cmdlet).
Careful planning and monitoring of your users’ activity patterns are essential to tailoring these features to complement
each other. Optimal configuration balances the benefits of earlier application availability for users against the cost of
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.242
keeping licenses in use and resources allocated.
You can also configure session prelaunch for a scheduled time of day in Receiver.
T o enable session prelaunch:
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group, and then click Edit Delivery Group in the Actions pane.
3. On the Application Prelaunch page, enable session prelaunch by choosing when sessions should launch:
When a user starts an application. T his is the default setting; session prelaunch is disabled.
When any user in the Delivery Group logs on to Receiver for Windows.
When anyone in a list of users and user groups logs on to Receiver for Windows. Be sure to also specify users or user
groups if you choose this option.
4. A prelaunched session is replaced with a regular session when the user starts an application. If the user does not start an
application (the prelaunched session is unused), the following settings affect how long that session remains active. For
details about these settings, see
— How long unused prelaunched and lingering sessions remain active
below.
When a specified time interval elapses. You can change the time interval (1-99 days, 1-2376 hours, or 1-142,560
minutes).
When the average load on all machines in the Delivery Group exceeds a specified percentage (1-99%).
When the load on any machine in the Delivery Group exceeds a specified percentage (1-99%).
Recap: A prelaunched session remains active until one of the following events occurs: a user starts an application, the
specified time elapses, or a specified load threshold is exceeded.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.243
T o enable session linger:
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Delivery Group, and then click Edit Delivery Group in the Actions pane.
3. On the Application Lingering page, enable session linger by selecting the Keep sessions active until radio button.
4. Several settings affect how long a lingering session remains active if the user does not start another application. For
details about these settings, see
— How long prelaunched and lingering sessions remain active
below.
When a specified time interval elapses. You can change the time interval (1-99 days, 1-2376 hours, or 1-142,560
minutes).
When the average load on all machines in the Delivery Group exceeds a specified percentage (1-99%).
When the load on any machine in the Delivery Group exceeds a specified percentage (1-99%).
Recap: A lingering session remains active until one of the following events occurs: a user starts an application, the
specified time elapses, or a specified load threshold is exceeded.
How long unused prelaunched and lingering sessions remain active - T here are several ways to specify how long an
unused session remains active if the user does not start an application: a configured timeout and server load thresholds.
You can configure all of them; the event that occurs first will cause the unused session to end.
T imeout - A configured timeout specifies the number of minutes, hours, or days an unused prelaunched or lingering
session remains active. If you configure too short a timeout, prelaunched sessions will end before they provide the user
benefit of quicker application access. If you configure too long a timeout, incoming user connections might be denied
because the server doesn't have enough resources.
You cannot disable this timeout from Studio, but you can in the SDK (New/Set-BrokerSessionPreLaunch cmdlet). If you
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.244
disable the timeout, it will not appear in the Studio display for that Delivery Group or in the Edit Delivery Group wizard.
T hresholds - Automatically ending prelaunched and lingering sessions based on server load ensures that sessions remain
open as long as possible, assuming server resources are available. Unused prelaunched and lingering sessions will not cause
denied connections because they will be ended automatically when resources are needed for new user sessions.
You can configure two thresholds: the average percentage load of all servers in the Delivery Group, and the maximum
percentage load of a single server in the Delivery Group. When a threshold is exceeded, the sessions that have been in
the prelaunch or lingering state for the longest time are ended, sessions are ended one-by-one at minute intervals until
the load falls below the threshold. (While the threshold is exceeded, no new prelaunch sessions are started.)
Servers with VDAs that have not registered with the Controller, and servers in maintenance mode are considered fully
loaded. An unplanned outage will cause prelaunch and lingering sessions to be ended automatically to free capacity.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.245
XenApp published apps and desktops
May 28 , 20 16
Use Server OS machines to deliver XenApp published apps and XenApp published desktops.
T his table describe the situations, users, and considerations for using these delivery methods.
Use Case
You want
Inexpensive server-based delivery to minimize the cost of delivering applications to a large number of
users, while providing a secure, high-definition user experience.
Your users
Perform well-defined tasks and do not require personalization or offline access to applications. Users
may include task workers such as call center operators and retail workers, or users that share
workstations.
Application types
Any application.
Benefits and
considerations
Benefits
Manageable and scalable solution within your datacenter.
Most cost effective application delivery solution.
Hosted applications are managed centrally and users cannot modify the application, providing a user
experience that is consistent, safe, and reliable.
Considerations
Users must be online to access their applications.
User
User requests one or more applications from StoreFront, their Start menu, or a URL you provide to
experience
them.
Applications are delivered virtually and display seamlessly in high definition on user devices.
Depending on profile settings, user changes are saved when the user's application session ends.
Otherwise, the changes are deleted.
Process, host,
Process
and deliver
applications
Application processing takes place on hosting machines, rather than on the user devices.
T he hosting machine can be a physical or a virtual machine.
Host
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.246
Applications and desktops reside on a Server OS machine.
Machines become available through machine catalogs.
Delivery
Machines within machine catalogs are organized into Delivery groups that deliver the same set of
applications to groups of users.
Server OS machines support:
Desktop and applications Delivery groups that host both desktops and applications.
Application Delivery groups that host only applications.
Session
management
and
assignment
Sessions
Server OS machines run multiple sessions from a single machine to deliver multiple applications and
desktops to multiple, simultaneously connected users. Each user requires a single session from which
they can run all their hosted applications.
For example, a user logs on and requests an application. One session on that machine becomes
unavailable to other users. A second user logs on and requests an application which that machine
hosts. A second session on the same machine is now unavailable. If both users request additional
applications, no additional sessions are required because a user can run multiple application using the
same session. If two more users log on and request desktops, and two sessions are available on that
same machine, that single machine is now using four sessions to host four different users.
Random machine assignments
Within the Delivery group to which a user is assigned, a machine on the least loaded server is
selected. A machine with session availability is randomly assigned to deliver applications to a user
when that user logs on.
T o deliver XenApp published apps:
1. Install the applications you want to deliver on a master image running a supported Windows server OS.
2. Create a machine catalog for this master image or update an existing catalog with the master image.
3. Create an application Delivery group to deliver the application to users.
4. From the list of application installed, select the application you want to deliver.
T o deliver XenApp published desktops:
1. Install apps on a master image running a supported Windows server OS.
2. Create a machine catalog for this master image or update an existing catalog with the master image.
3. Create a desktop Delivery group to deliver the desktops to users.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.247
VM hosted apps
May 28 , 20 16
Use Desktop OS machines to deliver VM hosted app.
T his table describe the situations, users, and considerations for using this delivery method.
Use Case
You want
A client-based application delivery solution that is secure, provides centralized management, and
supports a large number of users per host server (or hypervisor), while providing users with
applications that display seamlessly in high-definition.
Your users
Are internal, external contractors, third-party collaborators, and other provisional team members.
Your users do not require off line access to hosted applications.
Application types
Applications that might not work well with other applications or might interact with the operation
system, such as Microsoft .NET framework. T hese types of applications are ideal for hosting on
virtual machines.
Applications running on older operating systems such as Windows XP or Windows Vista, and older
architectures, such as 32-bit or 16-bit. By isolating each application on its own virtual machine, if one
machine fails, it does not impact other users.
Benefits and
considerations
Benefits
Applications and desktops on the master image are securely managed, hosted, and run on machines
within your datacenter, providing a more cost effective application delivery solution.
On log on, users can be randomly assigned to a machine within a Delivery Group that is configured
to host the same application.
You can also statically assign a single machine to deliver an application to a single user each time
that user logs on. Statically assigned machines allow users to install and manage their own
applications on the virtual machine.
Considerations
Running multiple sessions is not supported on Desktop OS machines. T herefore, each user consumes
a single machine within a Delivery group when they log on, and users must be online to access their
applications.
T his method may increase the amount of server resources for processing applications and increase
the amount of storage for users' Personal vDisks.
User
https://docs.citrix.com
T he same seamless application experience as hosting shared applications on Server OS machines.
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.248
experience
Process, host,
and deliver
applications
Process
T he same as Server OS machines except they are virtual Desktop OS machines.
Host
T he same as Server OS machines except they are virtual Desktop OS machines.
Delivery
T he same as Server OS machines except Desktop OS machines can exist only in a desktop Delivery
group.
Session
management
and
assignment
Sessions
Desktop OS machines run a single desktop session from a single machine. When accessing
applications only, a single user can use multiple applications (and is not limited to a single application)
because the operating system sees each application as a new session.
Random and static machine assignments
Within a Delivery group to which a user is assigned, when users log on they can access:
Statically assigned machine so that each time the user logs on to the same machine.
Randomly assigned machine that is selected based on session availability.
T o deliver VM hosted apps:
1. Install the applications you want to deliver on a master image running a supported Windows desktop OS.
2. Create a machine catalog for this master image or update an existing catalog with the master image.
When defining the desktop experience for the machine catalog, decide whether you want users to connect to a new
VM each time they log in or connect to the same machine each time they log in.
3. Create an application Delivery group to deliver the application to users.
4. From the list of application installed, select the application you want to deliver.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.249
VDI desktops
Jan 12, 20 17
Use Desktop OS machines to deliver VDI desktops.
VDI desktops are hosted on virtual machines and provide each user with a desktop operating system.
VDI desktops require more resources than XenApp published desktops, but do not require that applications installed on
them support server-based operating systems. In additional, depending on the type of VDI desktop you choose, these
desktops can be assigned to individual users and allow these users a high degree of personalization.
When you create a machine catalog for VDI desktops, you create one of these types of desktops:
Random non-persistent desktops, also known as Pooled VDI desktops. Each time users log in to use one of these
desktops, they connect to a dynamically selected desktop in a pool of desktops based on a single master image. All
changes to the desktop are lost when the machine reboots.
Static non-persistent desktop. T he first time a user logs on the use one off these desktops, the user is assigned a
desktop from a pool of desktops based on a single master image. After the first use, each time a user logs in to use one
of these desktop, the user connects to the same desktop that user was assigned on first use. All changes to the
desktop are lost when the machine reboots.
Static persistent, also known as VDI with Personal vDisk. Unlike other types of VDI desktops, these desktops can be fully
personalized by users. T he first time a user logs on the use one off these desktops, the user is assigned a desktop from a
pool of desktops based on a single master image. After the first use, each time a user logs in to use one of these
desktop, the user connects to the same desktop that user was assigned on first use. Changes to the desktop are
retained when the machine reboots because they are stored in a Personal vDisk.
T o deliver VDI desktops:
1. Create a master image running a supported Windows desktop OS.
2. Create a machine catalog for this master image or update an existing catalog with the master image.
When defining the desktop experience for the machine catalog, decide whether you want users to connect to a new
VM each time the log in or connect to the same machine each time they log in and specify how changes to the desktop
are retained.
3. Create a desktop Delivery group to deliver the desktops to users.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.250
Remote PC Access
Aug 10 , 20 16
Remote PC Access allows an end user to log on remotely from virtually anywhere to the physical Windows PC in the office.
T he Virtual Delivery Agent (VDA) is installed on the office PC; it registers with the Delivery Controller and manages the HDX
connection between the PC and the end user client devices. Remote PC Access supports a self-service model; after you set
up the whitelist of machines that users are permitted to access, those users can join their office PCs to a Site themselves,
without administrator intervention. T he Citrix Receiver running on their client device enables access to the applications and
data on the office PC from the Remote PC Access desktop session.
A user can have multiple desktops, including more than one physical PC or a combination of physical PCs and virtual
desktops.
Note: Sleep mode & Hibernation mode for Remote PC is not supported. Remote PC Access is valid only for XenDesktop
licenses; sessions consume licenses in the same way as other XenDesktop sessions.
Active Directory considerations:
Before configuring the remote PC deployment site, set up your Organizational Units (OUs) and security groups and then
create user accounts. Use these accounts to specify users for the Delivery Groups you will use to provide Remote PC
Access.
If you modify Active Directory after a machine has been added to a machine catalog, Remote PC Access does not
reevaluate that assignment. You can manually reassign a machine to a different catalog, if needed.
If you move or delete OUs, those used for Remote PC Access can become out of date. VDAs might no longer be
associated with the most appropriate (or any) machine catalog or Delivery Group.
Machine catalog and Delivery Group considerations:
A machine can be assigned to only one machine catalog and one Delivery Group at a time.
You can put machines in one or more Remote PC Access machine catalogs.
When choosing Machine Accounts for a machine catalog, select the lowest applicable OU to avoid potential conflicts
with machines in another catalog. For example, in the case of Bank/officers/tellers, select tellers.
You can allocate all machines from one remote PC machine catalog through one or more Delivery Groups. For example, if
one group of users requires certain policy settings and another group requires different settings, assigning the users to
different Delivery Groups enables you to filter the HDX policies according to each Delivery Group.
If your IT infrastructure assigns responsibility for servicing users based on geographic location, department, or some
other category, you can group machines and users accordingly to allow for delegated administration. Ensure that each
administrator has permissions for both the relevant machine catalogs and the corresponding Delivery Groups.
For users with office PCs running Windows XP, create a separate machine catalog and Delivery Group for those systems.
When choosing machine accounts for that catalog in Studio, select the checkbox indicating that some machines are
running Windows XP.
Deployment considerations:
You can create a Remote PC Access deployment and then add traditional Virtual Desktop Infrastructure (VDI) desktops
or applications later. You can also add Remote PC Access desktops to an existing VDI deployment.
Consider whether to enable the Windows Remote Assistance feature when you install the VDA on the office PC. T his
option allows help desk teams using Director to view and interact with a user sessions using Windows Remote
Assistance.
Consider how you will deploy the VDA to each office PC. Citrix recommends using electronic software distribution such
as Active Directory scripts and Microsoft System Center Configuration Manager. T he installation media contains sample
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.251
Active Directory scripts.
Secure Boot functionality is currently unsupported. Disable Secure Boot if intending to deploy the workstation VDA.
Each office PC must be domain-joined with a wired network connection.
Windows 7 Aero is supported on the office PC, but not required.
Connect the keyboard and mouse directly to the PC or laptop, not to the monitor or other components that can be
turned off. (If you must connect input devices to components such as monitors, they should not be turned off. )
If you are using smart cards, see Smart cards.
Remote PC Access can be used on most laptop computers. T o improve accessibility and deliver the best connection
experience, configure the laptop power saving options to those of a desktop PC. For example:
Disable the Hibernate feature.
Disable the Sleep feature.
Set the close lid action to Do Nothing.
Set the press the power button action to Shut Down.
Disable video card energy saving features.
Disable network interface card energy saving features.
Disable battery saving technologies.
T he following are not supported for Remote PC Access devices:
Docking and undocking the laptop.
KVM switches or other components that can disconnect a session.
Hybrid PCs (including All-in-One and NVIDIA Optimus laptops and PCs) and Surface Pro/Books.
Install Citrix Receiver on each client device that remotely accesses the office PC.
Multiple users with remote access to the same office PC see the same icon in Receiver. When any user remotely logs on
to the PC, that resource appears as unavailable to other users.
By default, a remote user’s session is automatically disconnected when a local user initiates a session on that machine
(by pressing CT RL+AT L+DEL). T o prevent this automatic action, add the following registry entry on the office PC, and
then restart the machine.
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating
system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk. Be sure to back up the registry before you edit it.
HKLM\SOFT WARE\Citrix\PortICA\RemotePC "SasNotification"=dword:00000001
To further customize the behavior of this feature under HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\PortICA\RemotePC
• RpcaMode (dword)
• RpcaT imeout (dword)
RpcaMode:
1 - Means that the remote user will always win if he does not respond to the Messaging UI in the specified timeout
period.
2 - Means that the Local user will always win. If this setting is not specified, the Remote user will always win by default.
RpcaT imeout:
T he number of seconds given to the user before we automatically decide which type of mode to enforce. If this setting
is not specified, the default value is :30 seconds. T he minimum value here should be :30 seconds. T he User needs to
restart the machine for these changes to take place.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.252
When user wants to forcibly get the console access: T he local user can hit Ctr+Alt+Del twice in a gap of :10 seconds to
get local control over a remote session and force a disconnect event.
After the registry change and machine restart, if a local user presses CT RL+ALT +DEL to log on to that PC while it is in
use by a remote user, the remote user receives a prompt asking whether or not to allow or deny the local user's
connection. Allowing the connection will disconnect the remote user's session.
T he following XenDesktop features are not supported for Remote PC Access deployments:
Creating master images and virtual machines
Delivering hosted applications
Personal vDisks
Client folder redirection
Wake on LAN
Remote PC Access supports Wake on LAN, which gives users the ability to turn on physical PCs remotely. T his feature
enables users to keep their office PCs turned off when not in use, saving energy costs. It also enables remote access when
a machine has been turned off inadvertently, such as during weather events.
With XenDesktop 7.6 Feature Pack 3, Citrix released an experimental Wake on LAN SDK. T his enables you or a third-party
Wake on LAN solution to create a connector without the requirement of System Center 2012 R2. For more information,
see Knowledge Center article CT X202272.
T he Remote PC Access Wake on LAN feature is supported on both of the following:
PCs that support Intel Active Management T echnology (AMT )
PCs that have the Wake on LAN option enabled in the BIOS
You must configure Microsoft System Center Configuration Manager (ConfigMgr) 2012 to use the Wake on LAN feature.
ConfigMgr provides access to invoke AMT power commands for the PC, plus Wake-up proxy and magic-packet support.
T hen, when you use Studio to create a Remote PC Access deployment (or when you add another power management
connection to be used for Remote PC Access), you enable power management and specify ConfigMgr access information.
Additionally:
Using AMT power operations is preferred for security and reliability; however, support is also provided for two non-AMT
methods: ConfigMgr Wake-up proxy and raw magic packets.
On AMT -capable machines only, the Wake on LAN feature also supports the Force-Shutdown and Force-Restart
actions in Studio and Director. Additionally, a Restart action is available in StoreFront and Receiver.
For more information, see Configuration Manager and Remote PC Access Wake on LAN and Provide users with Remote PC
Access.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.253
Provide users with Remote PC Access
May 28 , 20 16
Using Remote PC Access, desktop users can securely access resources on the office PC while experiencing the benefits of
Citrix HDX technology.
Note: Remote PC Access is valid only for XenDesktop licenses.
1. T o use the Remote PC Access power management feature (also known as Remote PC Access Wake on LAN), complete
the configuration tasks on the PCs and on Microsoft System Center Configuration Manager (ConfigMgr) before
creating the Remote PC Access deployment in Studio. See Configuration Manager and Remote PC Access Wake on LAN
for details.
2. When creating the initial Remote PC Access deployment, you can enable or disable power management for the
machines in the default Remote PC Access Machine Catalog. If you enable power management, specify ConfigMgr
connection information. T hen specify users and machine accounts. See Create a Site for more information. Creating a
Remote PC deployment does not prevent VDI use of the Site in the future.
Creating a Remote PC Access deployment creates a default machine catalog named
— Remote PC Access Machines
and a default delivery group named
— Remote PC Access Desktops
.
3. When creating another machine catalog for use with Remote PC Access:
Operating System: Select Remote PC Access, and choose a power management connection. You can also choose not
to use power management. If there are no configured power management connections, you can add one after you
finish the machine catalog creation wizard (connection type = Microsoft Configuration Manager Wake on LAN), and
then edit the machine catalog, specifying that new connection.
Machine Accounts: You can select from the machine accounts or Organizational Units (OUs) displayed, or add machine
accounts and OUs.
4. Install the VDA on the office PC used for local and remote access. T ypically, you deploy the VDA automatically using
your package management software; however, for proof-of-concept or small deployments, you can install the VDA
manually on each office PC.
After the VDA is installed, the next domain user that logs on to a console session (locally or through RDP) on the office
PC is automatically assigned to the Remote PC desktop. If additional domain users log on to a console session, they are
also added to the desktop user list, subject to any restrictions you have configured.
Note: T o use RDP connections outside of your XenApp or XenDesktop environment, you must add users or groups to
the Direct Access Users group.
5. Instruct users to download and install Citrix Receiver onto each client device they will use to access the office PC
remotely. Citrix Receiver is available from http://www.citrix.com or the application distribution systems for supported
mobile devices.
You can edit a power management connection to configure advanced settings. You can enable:
Wake-up proxy delivered by ConfigMgr.
Wake on LAN (magic) packets. If you enable Wake on LAN packets, you can select a Wake on LAN transmission method:
subnet-directed broadcasts or Unicast.
T he PC uses AMT power commands (if they are supported), plus any of the enabled advanced settings. If the PC does not
use AMT power commands, it uses the advanced settings.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.254
Troubleshooting
T he Delivery Controller writes the following diagnostic information about Remote PC Access to the Windows Application
Event log. Informational messages are not throttled. Error messages are throttled by discarding duplicate messages.
3300 (informational) - Machine added to catalog
3301 (informational) - Machine added to delivery group
3302 (informational) - Machine assigned to user
3303 (error) - Exception
When power management for Remote PC Access is enabled, subnet-directed broadcasts might fail to start machines that
are located on a different subnet from the Controller. If you need power management across subnets using subnetdirected broadcasts, and AMT support is not available, try the Wake-up proxy or Unicast method (ensure those settings are
enabled in the advanced properties for the power management connection).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.255
Manage Remote PC Access Delivery Groups
May 28 , 20 16
If a machine in a Remote PC Access machine catalog is not assigned to a user, Studio temporarily assigns the machine to a
Delivery Group associated with that machine catalog. T his temporary assignment provides information, so that the machine
can be assigned later to a user. T he Delivery Group to machine catalog association has a priority value.
Priority determines to which Delivery Group that machine is assigned when it registers with the system or when a user
needs a machine assignment. T he lower the value, the higher the priority. If a Remote PC Access machine catalog has
multiple Delivery Group assignments, the software selects the match with the highest priority. You can set this priority value
using the PowerShell SDK.
Add or remove a Remote PC Access machine catalog association
When first created, Remote PC Access machine catalogs are associated with a Delivery Group. T his means that machine
accounts or Organizational Units added to the machine catalog later can be added to the Delivery Group. T his association
can be switched off or on.
1. Select Delivery Groups in the Studio navigation pane.
2. Select a Remote PC Access Delivery Group.
3. In the Details section, select the Catalogs tab and then select a Remote PC Access machine catalog.
4. T o add or restore an association, select Add Desktops. T o remove an association, select Remove Association.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.256
App-V
May 28 , 20 16
Microsoft Application Virtualization (App-V) lets you deploy, update, and support applications as services. Users access
applications without installing them on their own devices. App-V and Microsoft User State Virtualization (USV) provide
access to applications and data, regardless of location and connection to the Internet.
T he following table lists supported versions. (T he App-V 4.6 2 client is no longer supported.)
App-V
5.0
XenDesktop and XenApp versions
Delivery Controller
VDA
XenDesktop 7 through current
7.0 through current
XenApp 7.5 through current
5.0 SP1
XenDesktop 7 through current
XenApp 7.5 through current
7.0 through current
5.0 SP2
XenDesktop 7 through current
7.1 through current
XenApp 7.5 through current
5.0 SP3 and 5.1
XenDesktop 7.6
XenApp 7.6
7.6.300
T he supported App-V client does not support offline access to applications. App-V integration support includes using SMB
shares for applications; the HT T P protocol is not supported.
Applications are available seamlessly without any pre-configuration or changes to operating system settings. App-V
contains the following components:
Management server — Provides a centralized console to manage App-V infrastructure and deliver virtual applications to
both the App-V Desktop Client as well as a Remote Desktop Services Client. T he App-V management server
authenticates, requests, and provides the security, metering, monitoring, and data gathering required by the
administrator. T he server uses Active Directory and supporting tools to manage users and applications.
Publishing server — Provides App-V clients with applications for specific users, and hosts the virtual application package
for streaming. It fetches the packages from the management server.
Client — Retrieves virtual applications, publishes the applications on the client, and automatically sets up and manages
virtual environments at runtime on Windows devices. T he App‑V client is installed on the VDA and stores user-specific
virtual application settings, such as registry and file changes in each user's profile.
You can launch App-V applications from Server OS and Desktop OS Delivery Groups:
T hrough Citrix Receiver
From the Start menu
T hrough the App-V client and Citrix Receiver
Simultaneously by multiple users on multiple devices
T hrough Citrix StoreFront
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.257
Modified App-V application properties are implemented when the application is started. For example, for applications with a
modified display name or customized icon, the modification appears when users start the application.
T here is no change in App-V applications performance when a desktop and application Delivery Group is changed to an
application-only Delivery Group.
Only an App-V server-based deployment in which an administrator uses an App-V management server and publishing server
to manage App-V applications is supported.
Configure App-V
T o deliver App-V applications:
1. Deploy App-V, as described in the instructions in http://technet.microsoft.com/en-us/virtualization/hh710199.
2. Publish the App-V applications on the App-V management server. Configure settings such as permissions and File T ype
Association. T hese settings already exist if you already deployed App-V.
3. Optionally, change App-V publishing server settings; see below.
4. Install the App-V client on VDAs.
5. During Site creation in Studio, specify the App-V publishing and management server URLs with port numbers. T hese
servers are automatically used by the Delivery Groups.
6. Install the App-V client in the master image for machine catalogs. Configured the client with settings such as
ShareContentStoreMode and EnablePackageScripts. (You do not need to configure the App-V Publishing Server in the
master image because it is configured during application launch.)
7. During Delivery Group creation, select the App-V applications.
T he applications are now available.
You can specify or change App-V server information after you create a Site. Select Configuration > App-V Publishing in the
Studio navigation pane and then selecting entries in the Actions pane. You can add App-V publishing by specifying URLs with
port numbers for the App-V management and publishing servers. You can also edit or remove those addresses. If you refresh
the App-V applications, the display indicates if there is a problem connecting to a server and removes entries for
applications that are no longer available.
App-V publishing server settings
T o change publishing server settings, Citrix recommends using the SDK cmdlets on the Controller.
T o view publishing server settings, enter Get-CtxAppvServerSetting -AppVPublishingServer <pubServer>.
T o ensure that App-V applications launch properly, enter Set-CtxAppvServerSetting – UserRefreshonLogon 0.
T he following cmdlet changes the settings of the App-V publishing server on the Controller. Not all parameters are
mandatory.
Set-CtxAppvServerSetting –AppVPublishingServer
<pubServer> -UserRefreshOnLogon <bool> -UserRefrehEnabled <bool>
-UserRefreshInterval <int> -UserRefreshIntervalUnit <Day/Hour>
-GlobalRefreshOnLogon <bool> -GlobalRefresfEnabled<bool>
-GlobalRrefreshInterval <int> -GlobalRefreshIntervalUnit <Day/Hour>
Note: If you previously used GPO policy settings for managing publishing server settings, the GPO settings override any AppV integration settings, including the previous cmdlet settings. T his may result in App-V application launch failure. Citrix
recommends that you remove all GPO policy settings and configure the same settings using the SDK.
Troubleshoot
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.258
If the T est connection operation returns an error when you specify App-V management server and publishing server
addresses in Studio, check the following:
1. T he App-V server is powered on: either send a Ping command or check the IIS Manager (each App-V server should be
in a Started and Running state).
2. PowerShell remoting is enabled on the App-V server. If it is not, follow the procedure in
http://technet.microsoft.com/en-us/magazine/ff700227.aspx.
3. T he App-V server is added to Active Directory.
If the Studio machine and the App-V server are in different Active Directory domains that do not have a trust
relationship, from the PowerShell console on the Studio machine, run winrm s winrm/Config/client
‘@(TrustedHosts=”<App-V server FQDN>”)’. If TrustedHosts is managed by GPO, the following error message will
display: “T he config setting TrustedHosts cannot be changed because use is controlled by policies. T he policy would
need to be set to “Not Configured” in order to change the config setting”. If this message displays, add an entry for
the App-V server name to the TrustedHosts policy in GPO (Administrative Templates > Windows Components >
Windows Remote Management (WinRM) > WinRM Client).
4. T he Studio administrator is also an App-V server administrator.
5. File sharing is enabled on the App-V server: enter \\<App-V server FQDN> in Windows Explorer or with the Run
command.
6. T he App-V server has the same file sharing permissions as the App-V administrator: on the App-V server, add an entry
for\\<App-V Server FQDN> in Stored User Names and Passwords, specifying the credentials of the user who has
administrator privileges on the App-V server. For guidance, see http://support.microsoft.com/kb/306541.
If Application discovery fails, check the following:
1. Studio administrator is an App-V management server administrator.
2. T he App-V management server is running. Check this by opening the IIS Manager; the server should be in a Started and
Running state.
3. PowerShell remoting is enabled on the App-V servers. If either is not enabled, follow the procedure in
http://technet.microsoft.com/en-us/magazine/ff700227.aspx.
4. Packages have appropriate security permissions for the Studio administrator to access.
If App-V applications do not launch, check the following:
1. T he publishing server is running. Check this by opening the IIS Manager; the server should be in a Started and Running
state.
2. App-V packages have appropriate security permissions so that users can access.
3. On the VDA:
Make sure that T emp is pointing to the correct location, and that there is enough space available in the T emp
directory.
Make sure that the App-V client is installed, and no earlier than version 5.0.
Make sure you have Administrator permissions and run Get-AppvClientConfiguration. Make sure that
EnablePackageScripts is set to 1. If it is not set to 1, run Set-AppvClientConfiguration -EnablePackageScripts $true.
Citrix recommends that you perform this step when you create a master image so that all VDAs created from the
master image have the correct configuration.
From the Registry editor (regedit), go to HKEY_LOCAL_MACHINE\SOFT WARE\Policies\Citrix\AppV. Make sure that
the AppVServers key has the following value format: AppVManagementServer+metadata;PublishingServer (for
example: http://xmas-demo-appv.blrstrm.com+0+0+0+1+1+1+0+1;http://xmas-demo-appv.blrstrm.com:8082).
Make sure that CtxAppVCOMAdmin has administrator privileges. During VDA installation CtxAppVCOMAdmin is
usually created and added to the Local Administrators Group on the VDA machine. However, depending on the
Active Directory policy, this user might lose the administrative association.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.259
Run compmgmt.msc and browse to Local Users and Groups Users. If CtxAppVCOMAdmin is not an administrator,
edit the group policy or contact your administrator, so that this user account retains its administrative association.
4. On the master image where the App-V client is installed, the PowerShell ExecutionPolicy should be set to
RemoteSigned because the AppV client module provided by Microsoft is not signed, and this ExecutionPolicy allows
PowerShell to run unsigned local scripts and cmdlets. Use one of the following methods to set the ExecutionPolicy:
Logged in as administrator, enter the following PowerShell cmdlet: Set-ExecutionPolicy RemoteSigned.
From Group Policy settings, go to Computer Configuration > Policies > Administrative T emplates > Windows
Components > Windows PowerShell> T urn on Script Execution.
5. Check the publishing servers:
Run Get-AppvPublishingServer * to display the list of publishing servers.
Check whether UserRefreshonLogon is set to False. If not, the first App-V application launch typically fails.
With Administrator privileges, run Set-AppvPublishingServer and set UserRefreshonLogon to False.
If these steps do not resolve the issues, enable and examine the logs.
Enable logs
T o enable Studio logs:
1. Create the folder C:\CtxAppvLogs.
2. Go to C:\ProgramFiles\Citrix\StudioAppVInegration\SnapIn\Citrix.Appv.Admin.V1 and open CtxAppvCommon.dll.config in
a text editor such as Notepad, as an administrator. Uncomment the following line:
<add key =”LogFileName” value=”C:\CtxAppvLogs\log.txt”/>
T o enable VDA logs:
1. Create the folder C:\CtxAppvLogs.
2. Go to C:\ProgramFiles\Citrix\ Virtual Desktop Agent, and open CtxAppvCommon.dll.config in a text editor such as
Notepad, as an administrator. Uncomment the following line:
<add key =”LogFileName” value=”C:\CtxAppvLogs\log.txt”/>
3. Uncomment the following line and set the value field to 1, as shown in the following example:
<add key =”EnableLauncherLogs” value=”1”/>
All configuration-related logs are located at C:\CtxAppvLogs. T he application launch logs are located at:
XenDesktop 7.1 and later, and XenApp 7.5 and later — %LOCALAPPDAT A%\Citrix\CtxAppvLogs.
XenDesktop 7.0 — %LocalAppData%\temp\CtxAppVLogs
LOCALAPPDATA resolves to the local folder for the logged in user. Make sure to check in the local folder of the
launching user (for whom application launch failed).
4. As administrator, restart the Broker service or restart the VDA machine to start logging.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.260
Local App Access and URL redirection
Sep 0 9, 20 15
Local App Access seamlessly integrates locally installed Windows applications into a hosted desktop environment without
changing from one computer to another. With Local App Access, you can:
Access applications installed locally on a physical laptop, PC, or other device directly from the virtual desktop.
Provide a flexible application delivery solution. If users have local applications that you cannot virtualize or that IT does
not maintain, those applications still behave as though they are installed on a virtual desktop.
Eliminate double-hop latency when applications are hosted separately from the virtual desktop, by putting a shortcut to
the published application on the user's Windows device.
Use applications such as:
Video conferencing software such as GoT oMeeting.
Specialty or niche applications that are not yet virtualized.
Applications and peripherals that would otherwise transfer large amounts of data from a user device to a server and
back to the user device, such as DVD burners and T V tuners.
In XenApp and XenDesktop, hosted desktop sessions use URL redirection to launch Local App Access applications. URL
redirection makes the application available under more than one URL address. It launches a local browser (based on the
browser's URL blacklist) by selecting embedded links within a browser in a desktop session. If you navigate to a URL that is
not present in the blacklist, the URL is opened in the desktop session again.
URL redirection works only for desktop sessions, not application sessions. T he only redirection feature you can use for
application sessions is host-to-client content redirection, which is a type of server FTA. T his FTA redirects certain protocols
to the client, such as http, https, rtsp, or mms. For example, if you only open embedded links with http, the links directly
open with the client application. T here is no URL blacklist or whitelist support.
When Local App Access is enabled, URLs that are displayed to users as links from locally-running applications, from userhosted applications, or as shortcuts on the desktop are redirected in one of the following ways:
From the user's computer to the hosted desktop
From the XenApp or XenDesktop server to the user's computer
Rendered in the environment in which they are launched (not redirected)
To specify the redirection path of content from specific Web sites, configure the URL whitelist and URL blacklist on the
Virtual Delivery Agent. T hose lists contain multi-string registry keys that specify the URL redirection policy settings; for more
information, see the Local App Access policy settings.
URLs can be rendered on the VDA with the following exceptions:
Geo/Locale information — Web sites that require locale information, such as msn.com or news.google.com (opens a
country specific page based on the Geo). For example, if the VDA is provisioned from a data center in the UK and the
client is connecting from India, the user expects to see in.msn.com but instead sees uk.msn.com.
Multimedia content — Web sites containing rich media content, when rendered on the client device, give the end users a
native experience and also save bandwidth even in high latency networks. Although there is Flash redirection feature, this
complements by redirecting sites with other media types such as Silverlight. T his is in a very secure environment. T hat is,
the URLs that are approved by the administrator are run on the client while the rest of the URLs are redirected to the
VDA.
In addition to URL redirection, you can use File Type Association (FTA) redirection. FTA launches local applications when a
file is encountered in the session. If the local app is launched, it must have access to the file to open it. T herefore, you can
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.261
only open files that reside on network shares or on client drives (using client drive mapping) using local applications. For
example, when opening a PDF file, if a PDF reader is a local app, then the file opens using that PDF reader. Because the
local app can access the file directly, there is no network transfer of the file through ICA to open the file.
Requirements, considerations, and limitations
Local App Access is supported on the valid operating systems for VDAs for Windows Server OS and VDAs for Windows
Desktop OS, and requires Citrix Receiver for Windows version 4.1 (minimum). T he following browsers are supported:
Internet Explorer 8, 9, 10, and 11
Firefox 3.5 through 21.0
Chrome 10
Review the following considerations and limitations when using Local App Access and URL redirection.
Local App Access is designed for full-screen, virtual desktops spanning all monitors:
T he user experience can be confusing if Local App Access is used with a virtual desktop that runs in windowed mode
or does not cover all monitors.
For multiple monitors, when one monitor is maximized it becomes the default desktop for all applications launched in
that session, even if subsequent applications typically launch on another monitor.
T he feature supports one VDA; there is no integration with multiple concurrent VDAs.
Some applications can behave unexpectedly, affecting users:
Users might be confused with drive letters, such as local C: rather than virtual desktop C: drive.
Available printers in the virtual desktop are not available to local applications.
Applications that require elevated permissions cannot be launched as client-hosted applications.
T here is no special handling for single-instance applications (such as Windows Media Player).
Local applications appear with the Windows theme of the local machine.
Full-screen applications are not supported. T his includes applications that open to full screen, such as PowerPoint
slide shows or photo viewers that cover the entire desktop.
Local App Access copies the properties of the local application (such as the shortcuts on the client's desktop and
Start menu) on the VDA; however, it does not copy other properties such as shortcut keys and read-only attributes.
Applications that customize how overlapping window order is handled can have unpredictable results. For example,
some windows might be hidden.
Shortcuts are not supported, including My Computer, Recycle Bin, Control Panel, Network Drive shortcuts, and folder
shortcuts.
T he following file types and files are not supported: custom file types, files with no associated programs, zip files, and
hidden files.
T askbar grouping is not supported for mixed 32-bit and 64-bit client-hosted or VDA applications, such as grouping 32bit local applications with 64-bit VDA applications.
Applications cannot be launched using COM. For example, if you click an embedded Office document from within an
Office application, the process launch cannot be detected, and the local application integration fails.
URL redirection supports only explicit URLs (that is, those appearing in the browser's address bar or found using the inbrowser navigation, depending on the browser).
URL redirection works only with desktop sessions, not with application sessions.
T he local desktop folder in a VDA session does not allow users to create new files.
Multiple instances of a locally-running application behave according to the taskbar settings established for the virtual
desktop. However, shortcuts to locally-running applications are not grouped with running instances of those
applications. T hey are also not grouped with running instances of hosted applications or pinned shortcuts to hosted
applications. Users can close only windows of locally-running applications from the T askbar. Although users can pin local
application windows to the desktop T askbar and Start menu, the applications might not launch consistently when using
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.262
these shortcuts.
Interaction with Windows
T he Local App Access interaction with Windows includes the following behaviors.
Windows 8 and Windows Server 2012 short cut behavior
Windows Store applications installed on the client are not enumerated as part of Local App Access shortcuts.
Image and video files are usually opened by default using Windows store applications. However, Local App Access
enumerates the Windows store applications and opens shortcuts with desktop applications.
Local Programs
For Windows 7, the folder is available in the Start menu.
For Windows 8, Local Programs is available only when the user chooses All Apps as a category from the Start screen.
Not all subfolders are displayed in Local Programs.
Windows 8 graphics features for applications
Desktop applications are restricted to the desktop area and are covered by the Start screen and Windows 8 style
applications.
Local App Access applications do not behave like desktop applications in multi-monitor mode. In multi-monitor mode,
the Start screen and the desktop display on different monitors.
Windows 8 and Local App Access URL Redirection
Because Windows 8 Internet Explorer has no add-ons enabled, use desktop Internet Explorer to enable URL
redirection.
In Windows Server 2012, Internet Explorer disables add-ons by default. T o implement URL Redirection, disable Internet
Explorer enhanced configuration. T hen reset the Internet Explorer options and restart to ensure that add-ons are
enabled for standard users.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.263
Configure Local App Access and URL redirection
Jan 24 , 20 17
T o use Local App Access and URL redirection with Citrix Receiver:
Install Receiver on the local client machine. You can enable both features during Receiver installation or you can enable
Local App Access template using the Group Policy editor.
Set the Allow local app access policy setting to Enabled. You can also configure URL whitelist and blacklist policy settings
for URL redirection. For more information, see Local App Access policy settings.
Enable local app access and URL redirection during Receiver installation
T o enable Local App Access and URL redirection for all local applications:
1. Set the Allow local app access policy setting to Enabled. When this setting is enabled, the VDA allows the client to
decide whether administrator-published applications and Local App Access shortcuts are enabled in the session. (When
this setting is disabled, both administrator-published applications and Local App Access shortcuts do not work for the
VDA.) T his policy setting applies to the entire machine, as well as the URL redirection policy.
2. Enable Local App Access and URL redirection when you install Citrix Receiver for all users on a machine. T his action also
registers the browser add-ons required for URL redirection.
From the command prompt, run the appropriate command to install the Receiver with the following option:
CitrixReceiver.exe /ALLOW_CLIENTHOSTEDAPPSURL=1
CitrixReceiverWeb.exe /ALLOW_CLIENTHOSTEDAPPSURL=1
Enable the local app access template using the Group Policy editor
1. Run gpedit.msc.
2. Select Computer Configuration. Right-click Administrative T emplates and select Add/Remote T emplates > Add.
3. Add the icaclient.adm template located in the Receiver Configuration folder (usually in c:\Program Files (x86)\Citrix\Online
Plugin\Configuration). (After the icaclient.adm template is added to Computer Configuration, it is also available in User
Configuration.)
4. Expand Administrative T emplates > Classic Administrative T emplates (ADM) > Citrix Components > Citrix Receiver > User
Experience.
5. Select Local App Access settings.
6. Select Enabled and then select Allow URL Redirection. For URL redirection, register browser add-ons using the command
line, as described below.
Provide access to only published applications
T o provide access to only published applications:
1. On the server where the Delivery Controller is installed, run regedit.exe.
1. Navigate to HKLM\Software\Wow6432Node\Citrix\DesktopStudio.
2. Add the REG_DWORD entry ClientHostedAppsEnabled with a value of 1. (A 0 value disables Local App Access.)
2. Restart the Delivery Controller server and then restart Studio.
3. Publish Local App Access applications.
1. Select Delivery Groups in the Studio navigation pane and then select the Applications tab.
2. Select Create Local Access Application in the Actions pane.
3. Select the desktop Delivery Group.
4. Enter the full executable path of the application on the user's local machine.
5. Indicate if the shortcut to the local application on the virtual desktop will be visible on the Start menu, the desktop, or
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.264
both.
6. Accept the default values on the Name page and then review the settings.
4. Enable Local App Access and URL redirection when you install Citrix Receiver for all users on a machine. T his action also
registers the browser add-ons required for URL redirection.
From the command prompt, run the command to install the Receiver with the following option:
CitrixReceiver.exe /ALLOW_CLIENTHOSTEDAPPSURL=1
CitrixReceiverWeb.exe /ALLOW_CLIENTHOSTEDAPPSURL=1
5. Set the Allow local app access policy setting to Enabled. When this setting is enabled, the VDA allows the client to
decide whether administrator-published applications and Local App Access shortcuts are enabled in the session. (When
this setting is disabled, both administrator-published applications and Local App Access shortcuts do not work for the
VDA.)
Register browser add-ons
Note: T he browser add-ons required for URL redirection are registered automatically when you install Receiver from the
command line with the /ALLOW_CLIENT HOST EDAPPSURL=1 option.
You can use the following commands to register and unregister one or all add-ons:
T o register add-ons on a client device: <client-installation-folder>\redirector.exe /reg<browser>
T o unregister add-ons on a client device: <client-installation-folder>\redirector.exe /unreg<browser>
T o register add-ons on a VDA: <VDAinstallation-folder>\VDARedirector.exe /reg<browser>
T o unregister add-ons on a VDA: <VDAinstallation-folder>\VDARedirector.exe /unreg<browser>
where <browser> is IE, FF, Chrome, or All.
For example, the following command registers Internet Explorer add-ons on a device running Receiver.
C:\Program Files\Citrix\ICA Client\redirector.exe/regIE
T he following command registers all add-ons on a Windows Server OS VDA.
C:\Program Files (x86)\Citrix\System32\VDARedirector.exe /regAll
URL interception across browsers
Description
Conf iguration
By default, Internet Explorer redirects the URL
entered. If the URL is not in the blacklist but is
For URL redirection to work correctly, enable the add-on when
prompted by the browser. If the add-ons using Internet options
redirected to another URL by the browser or
or the add-ons in the prompt are disabled, URL redirection does
website, the final URL is not redirected, even if it is
on the blacklist.
not work correctly.
T he Firefox add-ons always redirect the URLs.
When an add-on is installed, Firefox prompts to allow/prevent
installing the add-on on a new tab page. You must allow the
add-on for the feature to work.
T he Chrome add-on always redirects the final URL
T he extensions have been installed externally. If you disable the
that is navigated and not the entered URLs.
extension, the URL redirection feature does not work in
Chrome. If the URL redirection is required in Incognito mode,
allow the extension to run in that mode in the browser
Settings.
Configure local application behavior on logof f and disconnect
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.265
1. On the hosted desktop, run regedit.msc.
1. Navigate to HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\Client Hosted Apps\Policies\Session State.
For a 64-bit system, navigate to HKEY_LOCAL_MACHINE\SOFT WARE\wow6432node\Citrix\Client Hosted
Apps\Policies\Session State.
2. Add the REG_DWORD entry T erminate with one of the values:
1 - Local applications continue to run when a user logs off or disconnects from the virtual desktop. Upon
reconnection, local applications are reintegrated if they are available in the local environment.
3 - Local applications close when a user logs off or disconnects from the virtual desktop.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.266
Server VDI
Oct 24 , 20 16
Use the Server VDI (Virtual Desktop Infrastructure) feature to deliver a desktop from a server operating system for a single
user.
Enterprise administrators can deliver server operating systems as VDI desktops, which can be valuable for users such as
engineers and designers.
Service Providers can offer desktops from the cloud; those desktops comply with the Microsoft Services Provider License
Agreement (SPLA).
You can use the Enhanced Desktop Experience Citrix policy setting to make the server operating system look like a
Windows 7 operating system.
T he following features cannot be used with Server VDI:
Personal vDisks
HDX 3D Pro
Hosted applications
Local App Access
Direct (non-brokered) desktop connections
Remote PC Access
For Server VDI to work with T WAIN devices such as scanners, the Windows Server Desktop Experience feature must be
installed. In Windows Server 2012, this is an optional feature which you install from Administrative Tools > Server Manager >
Features > Add features > Desktop Experience.
Server VDI is supported on the same server operating systems as the VDA for Windows Server OS.
1. Prepare the Windows server for installation: ensure that Remote Desktop Services role services are not installed and that users are restricted to a single session:
Use Windows Server Manager to ensure that the Remote Desktop Services role services are not installed. If they were previously installed, remove them.
Ensure that the ‘Restrict each user to a single session’ property is enabled.
On Windows Server 2008 R2, access this property through Administrative Tools > Remote Desktop Services > Remote Desktop Session Host
Configuration. In the Edit settings > General section, the Restrict each user to a single session setting should indicate Yes.
On Windows Server 2012, edit the registry to set the Terminal Server setting. In registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer to set DWORD fSingleSessionPerUser to 1.
2. For Windows Server 2008 R2, install Microsoft .NET Framework 3.5 SP1 on the server before installing the VDA.
3. Use the command line interface to install a VDA on a supported server or server master image, specifying the /quiet and /servervdi options. (By default, the
installer blocks the Windows Desktop OS VDA on a server operating system; using the command line overrides this behavior.)
XenDesktopVdaSetup.exe /quiet /servervdi
You can specify the Delivery Controller or Controllers while installing the VDA using the command line, using the /controllers option.
Use the /enable_hdx_ports option to open porst in the firewall, unless the firewall is to be configured manually.
Add the /masterimage option if you are installing the VDA on an image, and will use MCS to create server VMs from that image.
Do not include options for features that are not supported with Server VDI, such as /baseimage, /enable_hdx_3d_pro, or /xa_server_location.
4. Create a Machine Catalog for Server VDI.
1. On the Operating System page, select Windows Desktop OS.
2. On the Summary page, specify a machine catalog name and description for administrators that clearly identifies it as Server VDI; this will be the only indicator
in Studio that the catalog supports Server VDI.
When using Search in Studio, the Server VDI catalog you created is displayed on the Desktop OS Machines tab, even though the VDA was installed on a server.
5. Create a Delivery Group and assign the Server VDI catalog you created in the previous step.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.267
If you did not specify the Delivery Controllers while installing the VDA, specify them afterward using Citrix policy setting, Active Directory, or by editing the VDA
machine's registry values.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.268
Remove components
May 28 , 20 16
To remove components, Citrix recommends using the Windows feature for removing or changing programs. Alternatively,
you can remove components using the command line, or a script on the installation media.
When you remove components, prerequisites are not removed, and firewall settings are not changed. When you remove a
Controller, the SQL Server software and the databases are not removed.
Before removing a Controller, remove it from the Site. Before removing Studio or Director, Citrix recommends closing them.
If you upgraded a Controller from an earlier deployment that included Web Interface, you must remove the Web Interface
component separately; you cannot use the installer to remove Web Interface.
To remove components using the Windows f eature f or removing or changing programs
From the Windows feature for removing or changing programs:
T o remove a Controller, Studio, Director, License Server, or StoreFront, select Citrix XenApp <version> or Citrix
XenDesktop <version>, then right-click and select Uninstall. T he installer launches, and you can select the components to
be removed.
Alternatively, you can remove StoreFront by right-clicking Citrix StoreFront and selecting Uninstall.
T o remove a VDA, select Citrix Virtual Delivery Agent <version>, then right-click and select Uninstall. T he installer launches
and you can select the components to be removed.
T o remove the Universal Print Server, select Citrix Universal Print Server, then right-click and select Uninstall.
To remove core components using the command line
From the \x64\XenDesktop Setup directory on the installation media, run the XenDesktopServerSetup.exe command.
T o remove one or more components, use the /remove and /components options.
T o remove all components, use the /removeall option.
For command and parameter details, see Install using the command line.
For example, the following command removes Studio.
\x64\XenDesktop Setup\XenDesktopServerSetup.exe /remove /components studio
To remove a VDA using the command line
From the \x64\XenDesktop Setup directory on the installation media, run the XenDesktopVdaSetup.exe command.
T o remove one or more components, use the /remove and /components options.
T o remove all components, use the /removeall option.
For command and parameter details, see Install using the command line.
For example, the following command removes the VDA and Receiver.
\x64\XenDesktop Setup\XenDesktopVdaSetup.exe /removeall
To remove VDAs using a script in Active Directory; see Install or remove Virtual Delivery Agents using scripts.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.269
Upgrades and migration
May 28 , 20 16
Upgrade
Upgrading changes deployments to the newest component versions without having to set up new machines or Sites; this is
known as an in-place upgrade. You can upgrade:
From XenDesktop version 5.6 (or a later version) to the latest version of 7.6 LT SR
From XenApp version 7.5 to the latest version of 7.6 LT SR
You can also upgrade a XenApp 6.5 worker server to a XenApp 7.6 VDA for Windows Server OS. T his is a supplementary
activity to migrating XenApp 6.5.
T o upgrade a XenDesktop 5.6 (or later) farm or a XenApp 7.5 Site:
1. Run the installer on the machines where the core components and VDAs are installed. T he software determines if an
upgrade is available and installs the newer version.
2. Use the newly upgraded Studio to upgrade the database and the Site.
For more information, see Upgrade a deployment.
For information about installing Controller hotfixes, see Knowledge Center article CT X201988.
T o upgrade a XenApp 6.5 worker server to the latest version of the 7.6 LT SR VDA:
1. Run the product installer on the XenApp 6.5 worker server. T he software removes the server from the XenApp 6.5 farm,
removes the XenApp 6.5 software, and installs the latest version of the 7.6 LT SR VDA for Windows Server OS.
2. After upgrading the server, add it to machine catalogs and Delivery Groups in the 7.6 Site.
For more information, see Upgrade a XenApp 6.5 worker to a new VDA for Windows Server OS.
Migrate
Migrating moves data from an earlier deployment to the newest version. You can migrate a XenApp 6.5 or a XenDesktop 4
deployment. Migrating includes installing the latest 7.6 LT SR components and creating a new Site, exporting data from the
older farm, and then importing the data to the new Site.
T o migrate from XenApp 6.5:
1. Install core components and create a new Site based on the latest 7.6 LT SR.
2. From the XenApp 6.5 Controller, use PowerShell cmdlets to export policy and/or farm data to XML files. You can edit the
XML file content to tailor the information you will import.
3. From the new 7.6 Site, use PowerShell cmdlets and the XML files to import policy and/or application data to the new
Site.
4. Complete post-migration tasks on the new Site.
For more information, see Migrate XenApp 6.x.
T o migrate from XenDesktop 4:
1. Install core components and create a new XenDesktop Site.
2. From the XenDesktop 4 farm, use the export command tool to export farm data to an XML file. You can edit the XML
file content to tailor the information you will import.
3. From the 7.6 Site, use the import command tool and the XML file to import the farm data to the new Site.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.270
4. Complete post-migration tasks on the new Site.
For more information, see Migrate XenDesktop 4.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.271
Install and upgrade analytics
Mar 22, 20 17
When you use the full-product installer to deploy or upgrade XenApp or XenDesktop components, anonymous information
about the installation process is gathered and stored on the machine where you are installing/upgrading the component.
T his data is used to help Citrix improve its customers' installation experiences. For more information, see
http://more.citrix.com/XD-INSTALLER.
T he information is stored locally under %ProgramData%\Citrix\CTQs.
Automatic upload of this data is enabled by default in both the graphical and command line interfaces of the full-product
installer.
You can change the default value in a registry setting. If you change the registry setting before installing/upgrading, that
value will be used when you use the full-product installer.
You can override the default setting if you install/upgrade with the command line interface by specifying an option with
the command.
Registry setting that controls automatic upload of install/upgrade analytics (default = 1):
Location: HKLM:\Software\Citrix\MetaInstall
Name: SendExperienceMetrics
Value: 0 = disabled, 1 = enabled
Using PowerShell, the following cmdlet disables automatic upload of install/upgrade analytics:
New-ItemProperty -Path HKLM:\SOFT WARE\Citrix\MetaInstall -Name SendExperienceMetrics -PropertyType DWORD Value 0
To disable automatic uploads with the XenDesktopServerSetup.exe or XenDesktopVDASetup.exe command, include the
/disableexperiencemetrics option.
To enable automatic uploads with the XenDesktopServerSetup.exe or XenDesktopVDASetup.exe command, include the
/sendexperiencemetrics option.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.272
Upgrade a deployment
May 0 9, 20 17
You can upgrade certain deployments to newer versions without having to first set up new machines or Sites; this is called
an in-place upgrade. You can upgrade:
From XenDesktop version 5.6 (or a later version) to the latest version of 7.6 LT SR
From XenApp version 7.5 to the latest version of 7.6 LT SR
You can also use the latest XenApp 7.6 LT SR installer to upgrade a XenApp 6.5 worker server to the latest XenApp 7.6 LT SR
VDA for Windows Server OS. T his is a supplementary activity to migrating XenApp 6.5; see Upgrade a XenApp 6.5 worker to
a new VDA for Windows Server OS.
To start an upgrade, you run the installer from the new version to upgrade previously installed core components (Delivery
Controller, Citrix Studio, Citrix Director, Citrix License Server) and VDAs. T he installer determines which components require
upgrading and then starts the upgrade at your command. After upgrading the components, you use the newly upgraded
Studio to upgrade the Site database and the Site.
Be sure to review all the information in this article before beginning the upgrade.
Upgrade sequence
T he following diagram summarizes the upgrade sequence. Details are provided in Upgrade procedure below. For example, if
you have more than one core component installed on a server, running the installer on that machine will upgrade all
components that have new versions. You might want to upgrade the VDA used in a master image, and then update the
image. T hen, update the catalog that uses that image and the Delivery Group that uses that catalog. Details also cover
how to upgrade the Site databases and the Site automatically or manually.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.273
Which product component versions can be upgraded
Using the product installer and Studio, you can upgrade:
Citrix License Server, Studio, and StoreFront
Delivery Controllers 5.6 or later
VDA 5.6 or later
Unlike earlier VDA releases, you must use the product installer to upgrade VDAs; you cannot use MSIs.
If the installer detects Receiver for Windows (Receiver.exe) on the machine, it is upgraded to the Receiver version
included on the product installation media.
Director 1 or later
Database: T his Studio action upgrades the schema and migrates data for the Site database (plus the Configuration
Logging and Monitoring databases, if you're upgrading from an earlier 7.x version)
Using the guidance in the feature/product documentation, upgrade the following if needed:
Provisioning Services (for XenApp 7.x and XenDesktop 7.x, Citrix recommends using the latest released version; the
minimum supported version is Provisioning Services 7.0).
Upgrade the Provisioning Services server using the server rolling upgrade, and the clients using vDisk versioning.
Provisioning Services 7.x does not support creating new desktops with XenDesktop 5 versions. So, although existing
desktops will continue to work, you cannot use Provisioning Services 7.x to create new desktops until you upgrade
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.274
XenDesktop. T herefore, if you plan a mixed environment of XenDesktop 5.6 and 7.x Sites, do not upgrade Provisioning
Services to version 7.
Microsoft System Center Virtual Machine Manager SCVMM. T he current product supports SCVMM 2012 and SCVMM
2012 SP1; XenDesktop 5.x supports earlier versions. Use the following upgrade sequence to avoid downtime:
1. If you have Controllers running versions earlier than XenDesktop 5.6 FP1, upgrade them to XenDesktop 5.6 FP1 (see
the XenDesktop documentation for that version).
2. Upgrade the SCVMM server to SCVMM 2012; see the Microsoft documentation for instructions.
3. Upgrade XenDesktop components to the current version.
4. Optionally, upgrade the SCVMM server to SCVMM 2012 SP1.
StoreFront.
Limits
T he following limits apply to upgrades:
Selective component install
If you install or upgrade any components to the new version but choose not to upgrade other components (on
different machines) that require upgrade, Studio will remind you. For example, let's say an upgrade includes new
versions of the Controller and Studio. You upgrade the Controller but you do not run the installer on the machine
where Studio is installed. Studio will not let you continue to manage the Site until you upgrade Studio.
You do not have to upgrade VDAs, but Citrix recommends upgrading all VDAs to enable you to use all available
features. If you do not plan to upgrade all VDAs to the latest version, review Mixed VDA support.
XenApp version earlier than 7.5
You cannot upgrade from a XenApp version earlier than 7.5. You can migrate from XenApp 6.x; see Migrate XenApp
6.x.
Although you cannot upgrade a XenApp 6.5 farm, you can replace the XenApp 6.5 software on a Windows Server
2008 R2 machine with a current VDA for Server OS. See Upgrade a XenApp 6.5 worker to a new VDA.
XenDesktop version earlier than 5.6
You cannot upgrade from a XenDesktop version earlier than 5.6.
XenDesktop Express Edition
You cannot upgrade XenDesktop Express edition. Obtain and install a license for a currently supported edition, and
then upgrade it.
Early Release or Technology Preview versions
You cannot upgrade from a XenApp or XenDesktop Early Release or Technology Preview version.
Windows XP/Vista
If you have VDAs installed on Windows XP or Windows Vista machines, see VDAs on machines running Windows XP or
Windows Vista.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.275
Product selection
When you upgrade from an earlier 7.x version, you do not choose or specify the product (XenApp or XenDesktop)
that was set during the initial installation.
Mixed environments/sites
If you must continue to run earlier version Sites and current version Sites, see Mixed environment considerations.
Preparation
Before beginning an upgrade:
Decide which interf ace to use
Use the installer's graphical or command-line interface to upgrade core components and VDAs. You cannot import or
migrate data from an earlier version.
Check your Site's health
Ensure the Site is in a stable and functional state before starting an upgrade. If a Site has issues, upgrading will not fix
them, and can leave the Site in a complex state that is difficult to recover from. To test the Site, select the Site entry
in the Studio navigation pane. In the Site configuration portion of the middle pane, click Test site.
Back up the Site, monitoring, and Configuration Logging databases
Follow the instructions in CT X135207. If any issues are discovered after the upgrade, you can restore the backup.
Optionally, back up templates and upgrade hypervisors, if needed.
Complete any other preparation tasks dictated by your business continuity plan.
In a high availability environment, ensure that the Site, monitoring, and Configuration Logging databases are running
on the primary database server before starting an upgrade.
Ensure your Citrix licensing is up to date
Before upgrading the Citrix License Server, be sure your Subscription Advantage date is valid for the new product
version. If you are upgrading from an earlier 7.x product version, the date must be at least 2016.0420.
Close applications and consoles
Before starting an upgrade, close all programs that might potentially cause file locks, including administration consoles
and PowerShell sessions. (Restarting the machine ensures that any file locks are cleared, and that there are no
Windows updates pending.)
Important: Before starting an upgrade, stop and disable any third-party monitoring agent services.
Ensure you have proper permissions
In addition to being a domain user, you must be a local administrator on the machines where you are upgrading
product components.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.276
T he Site database and the Site can be upgraded automatically or manually. For an automatic database upgrade, the
Studio user's permissions must include the ability to update the SQL Server database schema (for example, the
db_securityadmin or db_owner database role). If the Studio user does not have those permissions, initiating a manual
database upgrade will generate scripts. T he Studio user runs some of the scripts from Studio; the database
administrator runs other scripts using a tool such as SQL Server Management Studio.
Use StoreFront
If you deployment includes Web Interface, Citrix recommends using StoreFront.
Mixed environment considerations
When your environment contains Sites/farms with different product versions (a mixed environment), Citrix recommends
using StoreFront to aggregate applications and desktops from different product versions (for example, if you have a
XenDesktop 7.1 Site and a XenDesktop 7.5 Site). For details, see the StoreFront documentation.
In a mixed environment, continue using the Studio and Director versions for each release, but ensure that different
versions are installed on separate machines.
If you plan to run XenDesktop 5.6 and 7.x Sites simultaneously and use Provisioning Services for both, either deploy a
new Provisioning Services for use with the 7.x Site, or upgrade the current Provisioning Services and be unable to
provision new workloads in the XenDesktop 5.6 Site.
Within each Site, Citrix recommends upgrading all components. Although you can use earlier versions of some components,
all the features in the latest version might not be available. For example, although you can use current VDAs in deployments
containing earlier Controller versions, new features in the current release may not be available. VDA registration issues can
also occur when using non-current versions.
Sites with Controllers at version 5.x and VDAs at version 7.x should remain in that state only temporarily. Ideally, you
should complete the upgrade of all components as soon as possible.
Do not upgrade a standalone Studio version until you are ready to use the new version.
VDAs on machines running Windows XP or Windows
Vista
You cannot upgrade VDAs installed on machines running Windows XP or Windows Vista to a 7.x version. You must use VDA
5.6 FP1 with certain hotfixes; see CT X140941 for instructions. Although earlier-version VDAs will run in a 7.x Site, they
cannot use many of its features, including:
Features noted in Studio that require a newer VDA version.
Configuring App-V applications from Studio.
Configuring Receiver StoreFront addresses from Studio.
Automatic support for Microsoft Windows KMS licensing when using Machine Creation Services. See CT X128580.
Information in Director:
Logon times and logon end events impacting the logon duration times in the Dashboard, T rends, and User Detail
views.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.277
Logon duration breakdown details for HDX connection and authentication time, plus duration details for profile load,
GPO load, logon script, and interactive session establishment.
Several categories of machine and connection failure rates.
Activity Manager in the Help Desk and User Details views.
Citrix recommends reimaging Windows XP and Windows Vista machines to a supported operating system version and then
installing the latest VDA.
VDAs on machines running Windows 8.x and
Windows 7
To upgrade VDAs installed on machines running Windows 8.x or Window 7 to Windows 10, Citrix recommends reimaging
Windows 7 and Windows 8.x machines to Windows 10 and then installing the supported VDA for Windows 10, using the
standalone VDA installation package delivered with XenApp and XenDesktop 7.6 FP3. If reimaging is not an option, uninstall
the VDA prior to upgrading the operating system, otherwise the VDA will be in an unsupported state.
Mixed VDA support
When you upgrade the product to a later version, Citrix recommends you upgrade all the core components and VDAs so
you can access all the new and enhanced features in your edition.
In some environments, you may not be able to upgrade all VDAs to the most current version. In this scenario, when you
create a machine catalog, you can specify the VDA version installed on the machines. By default, this setting specifies the
latest recommended VDA version. Consider changing this setting only if the machine catalog contains machines with earlier
VDA versions. Mixing VDA versions in a machine catalog is not recommended.
If a machine catalog is created with the default recommended VDA version setting, and any of the machines in the catalog
has an earlier VDA version installed, those machines will not be able to register with the Controller and will not work.
For example, you create a machine catalog with the default VDA setting: "7.6 (recommended, to access the latest
features)." You add three machines to that catalog: two with VDA 7.6 and one with VDA 7.1. T he VDA 7.1 machine will
not register with the Controller. If you cannot upgrade that VDA, consider creating a separate machine catalog
configured with a VDA setting of "version 7.0 or later" and adding that machine. Although that machine will not be
able to take advantage of new 7.6 features, it will be able to register with the Controller.
Upgrade procedure
To run the product installer graphical interface, log on to the machine and then insert the media or mount the ISO drive for
the new release. Double-click AutoSelect. To use the command-line interface, see Install using the command line.
Step 1. If more than one core component is installed on the same server (for example, the Controller, Studio, and License
Server) and several of those components have new versions available, they will all be upgraded when you run the installer on
that server.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.278
If any core components are installed on machines other than the Controller, run the installer on each of those machines.
T he recommended order is: License Server, StoreFront, and then Director.
Step 2. If you use Provisioning Services, upgrade the PVS servers and target devices, using the guidance in the Provisioning
Services documentation.
Step 3. Run the product installer on machines containing VDAs. (See Step 12 if you use master images and Machine
Creation Services.)
When upgrading VDAs from an earlier 7.x version that are installed on physical machines (including Remote PC Access),
use the command-line interface with the option /exclude "Personal vDisk","Machine Identity Service". For example:
C:\x64\XenDesktop Setup\XenDesktopVdaSetup.exe /exclude "Personal vDisk","Machine Identity Service"
Step 4 . Run the product installer on half of the Controllers. (T his also upgrades any other core components installed on
those servers.) For example, if your Site has four Controllers, run the installer on two of them.
Leaving half of the Controllers active allows users to access the Site. VDAs can register with the remaining Controllers.
T here may be times when the Site has reduced capacity because fewer Controllers are available. T he upgrade causes
only a brief interruption in establishing new client connections during the final database upgrade steps. T he upgraded
Controllers cannot process requests until the entire Site is upgraded.
If your Site has only one Controller, the Site is inoperable during the upgrade.
Step 5. If Studio is installed on a different machine than one you've already upgraded, run the installer on the machine
where Studio is installed.
Step 6. From the newly upgraded Studio, upgrade the Site database. For details, see Upgrade the databases and the
Site below.
Step 7. From the newly upgraded Studio, select Citrix Studio site-name in the navigation pane. Select the Common
Tasks tab. Select Upgrade remaining Delivery Controllers.
Step 8. After completing the upgrade and confirming completion, close and then reopen Studio.
Step 9. In the Site Configuration section of the Common Tasks page, select Perf orm registration. Registering the
Controllers makes them available to the Site.
Step 10. After you select Finish when the upgrade completes, you are offered the opportunity to enroll in the Citrix
telemetry programs, which collect information about your deployment. T hat information is used to improve product quality,
reliability, and performance.
Step 11. After upgrading components, the database, and the Site, test the newly-upgraded Site. From Studio, select Citrix
Studio site-name in the navigation pane. Select the Common Tasks tab and then select Test Site. T hese tests were run
automatically after you upgraded the database, but you can run them again at any time.
Step 12. If you use Machine Creation Services and want to use upgraded VDAs: After you upgrade and test the
deployment, update the VDA used in the master images (if you haven't done that already). Update master images that use
those VDAs. T hen update machine catalogs that use those master images, and upgrade Delivery Groups that use those
catalogs.
Upgrade the database and Site
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.279
After upgrading the core components and VDAs, use the newly upgraded Studio to initiate an automatic or manual
database and Site upgrade.
For an automatic database upgrade, the Studio user's permissions must include the ability to update the SQL Server
database schema (for example, the db_securityadmin or db_owner database role).
If the Studio user does not have those permissions, initiating a manual database upgrade will generate scripts. T he
Studio user runs some of the scripts from Studio. T he database administrator runs other scripts using a tool such as SQL
Server Management Studio. If the SQL scripts are run manually, they should be run using either the SQLCMD utility or
the SQL Management Studio in SQLCMD mode. Inaccurate errors may result otherwise.
Important: Citrix strongly recommends you back up the databases before upgrading, as described in CT X135207.
During a database upgrade, product services are disabled. During that time, Controllers cannot broker new connections for
the Site, so plan carefully.
After the database upgrade completes and product services are enabled, Studio tests the environment and configuration,
and then generates an HT ML report. If problems are identified, you can restore the database backup. After resolving issues,
you can upgrade the database again.
Upgrade the databases and Site automatically
Launch the newly upgraded Studio. After you choose to start the Site upgrade automatically and confirm that you are
ready, the database and Site upgrade proceeds.
Upgrade the databases and Site manually
T his process includes generating and running scripts.
Step 1. Launch the newly created Studio. After you choose to manually upgrade the Site, the wizard prompts to confirm
that you have backed up the databases. T hen, the wizard generates and displays the scripts and a checklist of upgrade
steps.
Step 2. Run the following scripts in the order shown.
DisableServices.ps1: PowerShell script to be run by the Studio user on a Controller to disable product services.
UpgradeSiteDatabase.sql: SQL script to be run by the database administrator on the server containing the Site
database.
UpgradeMonitorDatabase.sql: SQL script to be run by the database administrator on the server containing the
Monitor database.
UpgradeLoggingDatabase.sql: SQL script to be run by the database administrator on the server containing the
Configuration logging database. Run this script only if this database changes (for example, after applying a hotfix).
EnableServices.ps1: PowerShell script to be run by the Studio user on a Controller to enable product services.
Step 3. After completing all the checklist tasks shown in the wizard, click Finish upgrade.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.280
Upgrade a XenApp 6.5 worker to a new VDA for
Windows Server OS
May 28 , 20 16
When you run the LT SR installer on a XenApp 6.5 worker server, it:
Removes the server from the XenApp 6.5 farm (this task automatically invokes the XenApp 6.5 installer's command-line
interface)
Removes the XenApp 6.5 software
Installs a new (XenApp 7.6 or later supported release) VDA for Windows Server OS
When you use the installer's graphical interface, you are guided through the same wizard that you used when installing
VDAs for Windows Server OS in your new XenApp Site. Similarly, the command-line interface uses the same commands and
parameters you use to install other VDAs.
You are probably already familiar with using the installer from installing your XenApp 7.6 core components and other VDAs.
To review preparatory information, see VDA installation preparation. T hen, launch the installer (Install using the graphical
interface) or issue the command (Install a VDA using the command line) on the XenApp 6.5 worker server.
Good to know:
T his upgrade is valid on XenApp 6.5 servers that are configured in session-host only mode (also called session-only or
worker servers).
Uninstalling XenApp 6.5 requires several server restarts. When using the command-line interface, you can use the
/NOREBOOT option to inhibit that automatic action; however, you must restart the server for the uninstallation and
subsequent installation to proceed.
If an error occurs during the XenApp uninstallation process, check the uninstall error log referenced in the error message.
Uninstall log files reside in the folder "%T EMP%\Citrix\XenDesktop Installation\XenApp 6.5 Uninstall Log Files\."
After you upgrade the XenApp 6.5 worker servers, from Studio in the new XenApp Site, create Machine Catalogs (or edit
existing catalogs) for the upgraded workers.
If you migrated policy and application settings from a XenApp 6.5 controller server (see Migrate XenApp 6.x), assign the
Delivery Groups containing the migrated published applications to the machine catalog that hosted those applications in
XenApp 6.5.
Troubleshooting
Symptoms: Removal of the XenApp 6.5 software fails. T he uninstall log contains the message: "Error 25703. An error
occurred while plugging XML into Internet Information Server. Setup cannot copy files to your IIS Scripts directory. Please
make sure that your IIS installation is correct."
Cause: T he issue occurs on systems where (1) during the initial XenApp 6.5 installation, you indicated that the Citrix XML
Service (CtxHttp.exe) should not share a port with IIS, and (2) .NET Framework 3.5.1 is installed.
Resolution:
1. Remove the Web Server (IIS) role using the Windows Remove Server Roles wizard. (You can reinstall the Web Server
(IIS) role later.)
2. Restart the server.
3. Using Add/Remove Programs, uninstall the following:
1. Citrix XenApp 6.5
2. Microsoft Visual C++ 2005 Redistributable (x64), version 8.0.56336
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.281
4. Restart the server.
5. Run the XenApp 7.6 installer to install the VDA for Windows Server OS.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.282
Migrate XenApp 6.x
May 28 , 20 16
Important: Review this entire article before beginning a migration.
T he XenApp 6.x Migration Tool (the migration tool) is a collection of PowerShell scripts containing cmdlets that migrate
XenApp 6.x (6.0 or 6.5) policy and farm data. On the XenApp 6.x controller server, you run export cmdlets that gather that
data into XML files. T hen, from the XenApp 7.6 Controller, you run import cmdlets that create objects using the data
gathered during the export.
A video overview of the migration tool is available here.
T he following sequence summarizes the migration process; details are provided later.
1. On a XenApp 6.0 or 6.5 controller:
1. Import the PowerShell export modules.
2. Run the export cmdlets to export policy and/or farm data to XML files.
2. Copy the XML files (and icons folder if you chose not to embed them in the XML files during the export) to the XenApp
7.6 Controller.
3. On the XenApp 7.6 Controller:
1. Import the PowerShell import modules.
2. Run the import cmdlets to import policy and/or farm data (applications), using the XML files as input.
4. Complete post-migration steps.
Before you run an actual migration, you can export your XenApp 6.x settings and then perform a preview import on the
XenApp 7.6 site. T he preview identifies possible failure points so you can resolve issues before running the actual import. For
example, a preview might detect that an application with the same name already exists in the new XenApp 7.6 site. You can
also use the log files generated from the preview as a migration guide.
Unless otherwise noted, the term 6.x refers to XenApp 6.0 or 6.5.
New in this release
T his December 2014 release (version 20141125) contains the following updates:
If you encounter issues using the migration tool on a XenApp 6.x farm, report them to the support forum
http://discussions.citrix.com/forum/1411-xenapp-7x/, so that Citrix can investigate them for potential improvements to
the tool.
New packaging - the XAMigration.zip file now contains two separate, independent packages: ReadIMA.zip and
ImportFMA.zip. T o export from a XenApp 6.x server, you need only ReadIMA.zip. T o import to a XenApp 7.6 server, you
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.283
need only ImportFMA.zip.
T he Export-XAFarm cmdlet supports a new parameter (EmbedIconData) that eliminates the need to copy icon data to
separate files.
T he Import-XAFarm cmdlet supports three new parameters:
MatchServer - import applications from servers whose names match an expression
NotMatchServer - import applications from servers whose names do not match an expression
IncludeDisabledApps - import disabled applications
Prelaunched applications are not imported.
T he Export-Policy cmdlet works on XenDesktop 7.x.
Migration Tool package
T he migration tool is available under the XenApp 7.6 Citrix download site. T he XAMigration.zip file contains two separate,
independent packages:
ReadIMA.zip - contains the files used to export data from your XenApp 6.x farm, plus shared modules.
Module or f ile
Description
ExportPolicy.psm1
PowerShell script module for exporting XenApp 6.x policies to an XML file.
ExportXAFarm.psm1
PowerShell script module for exporting XenApp 6.x farm settings to an XML file.
ExportPolicy.psd1
PowerShell manifest file for script module ExportPolicy.psm1.
ExportXAFarm.psd1
PowerShell manifest file for script module ExportXAFarm.psm1.
LogUtilities.psm1
Shared PowerShell script module that contains logging functions.
XmlUtilities.psd1
PowerShell manifest file for script module XmlUtilities.psm1.
XmlUtilities.psm1
Shared PowerShell script module that contains XML functions.
ImportFMA.zip - contains the files used to import data to your XenApp 7.6 farm, plus shared modules.
Module or f ile
Description
ImportPolicy.psm1
PowerShell script module for importing policies to XenApp 7.6.
ImportXAFarm.psm1
PowerShell script module for importing applications to XenApp 7.6
ImportPolicy.psd1
PowerShell manifest file for script module ImportPolicy.psm1.
ImportXAFarm.psd1
PowerShell manifest file for script module ImportXAFarm.psm1.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.284
PolicyData.xsd
Module or f ile
XML schema for policy data.
Description
XAFarmData.xsd
XML schema for XenApp farm data.
LogUtilities.psm1
Shared PowerShell script module that contains logging functions.
XmlUtilities.psd1
PowerShell manifest file for script module XmlUtilities.psm1.
XmlUtilities.psm1
Shared PowerShell script module that contains XML functions.
Limitations
Not all policies settings are imported; see Policy settings not imported. Settings that are not supported are ignored and
noted in the log file.
While all application details are collected in the output XML file during the export operation, only server-installed
applications are imported into the XenApp 7.6 site. Published desktops, content, and most streamed applications are not
supported (see the Import-XAFarm cmdlet parameters in Step-by-step: import data for exceptions).
Application servers are not imported.
Many application properties are not imported because of differences between the XenApp 6.x Independent
Management Architecture (IMA) and the XenApp 7.6 FlexCast Management Architecture (FMA) technologies; see
Application property mapping.
A Delivery Group is created during the import. See Advanced use for details about using parameters to filter what is
imported.
Only Citrix policy settings created with the AppCenter management console are imported; Citrix policy settings created
with Windows Group Policy Objects (GPOs) are not imported.
T he migration scripts are intended for migrations from XenApp 6.x to XenApp 7.6 only.
Nested folders greater than five levels deep are not supported by Studio and will not be imported. If your application
folder structure includes folders more than five levels deep, consider reducing the number of nested folder levels before
importing.
Security considerations
T he XML files created by the export scripts can contain sensitive information about your environment and organization,
such as user names, server names, and other XenApp farm, application, and policy configuration data. Store and handle
these files in secure environments.
Carefully review the XML files before using them as input when importing policies and applications, to ensure they contain
no unauthorized modifications.
Policy object assignments (previously known as policy filters) control how policies are applied. After importing the policies,
carefully review the object assignments for each policy to ensure that there are no security vulnerabilities resulting from the
import. Different sets of users, IP addresses, or client names may be applied to the policy after the import. T he allow/deny
settings may have different meanings after the import.
Logging and error handling
T he scripts provide extensive logging that tracks all cmdlet executions, informative messages, cmdlet execution results,
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.285
warnings, and errors.
Most Citrix PowerShell cmdlet use is logged. All PowerShell cmdlets in the import scripts that create new site objects are
logged.
Script execution progress is logged, including the objects being processed.
Major actions that affect the state of the flow are logged, including flows directed from the command line.
All messages printed to the console are logged, including warnings and errors.
Each line is time-stamped to the millisecond.
Citrix recommends specifying a log file when you run each of the export and import cmdlets.
If you do not specify a log file name, the log file is stored in the current user's home folder (specified in the PowerShell
$HOME variable) if that folder exists; otherwise, it is placed in the script's current execution folder. T he default log name is
"XFarmYYYYMMDDHHmmSS-xxxxxx" where the last six digits constitute a random number.
By default, all progress information is displayed. To suppress the display, specify the NoDetails parameter in the export and
import cmdlet.
Generally, a script stops execution when an error is encountered, and you can run the cmdlet again after clearing the error
conditions.
Conditions that are not considered errors are logged; many are reported as warnings, and script execution continues. For
example, unsupported application types are reported as warnings and are not imported. Applications that already exist in
the XenApp 7.6 site are not imported. Policy settings that are deprecated in XenApp 7.6 are not imported.
T he migration scripts use many PowerShell cmdlets, and all possible errors might not be logged. For additional logging
coverage, use the PowerShell logging features. For example, PowerShell transcripts log everything that is printed to the
screen. For more information, see the help for the Start-Transcript and Stop-Transcript cmdlets.
Requirements, preparation, and best practices
Important: Remember to review this entire article before beginning a migration.
You should understand basic PowerShell concepts about execution policy, modules, cmdlets, and scripts. Although extensive
scripting expertise is not required, you should understand the cmdlets you execute. Use the Get-Help cmdlet to review each
migration cmdlet's help before executing it. For example:
Get-Help -full Import-XAFarm
Specify a log file on the command line and always review the log file after running a cmdlet. If a script fails, check and fix the
error identified in the log file and then run the cmdlet again.
Good to know:
T o facilitate application delivery while two deployments are running (the XenApp 6.x farm and the new XenApp 7.6 site),
you can aggregate both deployments in StoreFront or Web Interface. See the eDocs documentation for your
StoreFront or Web Interface release (Manage > Create a store).
Application icon data is handled in one of two ways:
If you specify the EmbedIconData parameter in the Export-XAFarm cmdlet, exported application icon data is
embedded in the output XML file.
If you do not specify the EmbedIconData parameter in the Export-XAFarm cmdlet, exported application icon data is
stored under a folder named by appending the string "-icons" to the base name of the output XML file. For example,
if the XmlOutputFile parameter is "FarmData.xml" then the folder "FarmData-icons" is created to store the
application icons.
T he icon data files in this folder are .txt files that are named using the browser name of the published application
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.286
(although the files are .txt files, the stored data is encoded binary icon data, which can be read by the import script to
re-create the application icon). During the import operation, if the icon folder is not found in the same location as the
import XML file, generic icons are used for each imported application.
T he names of the script modules, manifest files, shared module, and cmdlets are similar. Use tab completion with care to
avoid errors. For example, Export-XAFarm is a cmdlet. ExportXAFarm.psd1 and ExportXAFarm.psm1 are files that cannot
be executed.
In the step-by-step sections below, most <string> parameter values show surrounding quotation marks. T hese are
optional for single-word strings.
For exporting f rom the XenApp 6.x server:
T he export must be run on a XenApp 6.x server configured with the controller and session-host (commonly known as
controller) server mode.
T o run the export cmdlets, you must be a XenApp administrator with permission to read objects. You must also have
sufficient Windows permission to run PowerShell scripts; the step-by-step procedures below contain instructions.
Ensure the XenApp 6.x farm is in a healthy state before beginning an export. Back up the farm database. Verify the
farm's integrity using the Citrix IMA Helper utility (CT X133983): from the IMA Datastore tab, run a Master Check (and
then use the DSCheck option to resolve invalid entries). Repairing issues before the migration helps prevent export
failures. For example, if a server was removed improperly from the farm, its data might remain in the database; that could
cause cmdlets in the export script to fail (for example, Get-XAServer -ZoneName). If the cmdlets fail, the script fails.
You can run the export cmdlets on a live farm that has active user connections; the export scripts read only the static
farm configuration and policy data.
For importing to the XenApp 7.6 server:
You can import data to XenApp 7.6 deployments (and later supported versions). You must install a XenApp 7.6 Controller
and Studio, and create a site before importing the data you exported from the XenApp 6.x farm. Although VDAs are not
required to import settings, they allow application file types to be made available.
T o run the import cmdlets, you must be a XenApp administrator with permission to read and create objects. A Full
Administrator has these permissions. You must also have sufficient Windows permission to run PowerShell scripts; the
step-by-step procedures below contain instructions.
No other user connections should be active during an import. T he import scripts create many new objects, and
disruptions may occur if other users are changing the configuration at the same time.
Remember that you can export data and then use the -Preview parameter with the import cmdlets to see what would
happen during an actual import, but without actually importing anything. T he logs will indicate exactly what would happen
during an actual import; if errors occur, you can resolve them before starting an actual import.
Step-by-step: export data
A video of an export walk-through is available here.
Complete the following steps to export data from a XenApp 6.x controller to XML files.
1. Download the XAMigration.zip migration tool package from the Citrix download site. For convenience, place it on a
network file share that can be accessed by both the XenApp 6.x farm and the XenApp 7.6 site. Unzip XAMigration.zip on
the network file share. T here should be two zip files: ReadIMA.zip and ImportFMA.zip.
2. Log on to the XenApp 6.x controller as a XenApp administrator with at least read-only permission and Windows
permission to run PowerShell scripts.
3. Copy ReadIMA.zip from the network file share to the XenApp 6.x controller. Unzip and extract ReadIMA.zip on the
controller to a folder (for example: C:\XAMigration).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.287
4. Open a PowerShell console and set the current directory to the script location. For example:
cd C:\XAMigration
5. Check the script execution policy by running Get-ExecutionPolicy.
6. Set the script execution policy to at least RemoteSigned to allow the scripts to be executed. For example:
Set-ExecutionPolicy RemoteSigned
7. Import the module definition files ExportPolicy.psd1 and ExportXAFarm.psd1:
Import-Module .\ExportPolicy.psd1
Import-Module .\ExportXAFarm.psd1
Good to know:
If you intend to export only policy data, you can import only the ExportPolicy.psd1 module definition file. Similarly, if
you intend to export only farm data, import only ExportXAFarm.psd1.
Importing the module definition files also adds the required PowerShell snap-ins.
Do not import the .psm1 script files.
8. T o export policy data, run the Export-Policy cmdlet.
Parameter
Description
-
XML output file name; this file will hold the exported data. Must have an .xml extension. T he file
XmlOutputFile
must not exist, but if a path is specified, the parent path must exist.
"<string>.xml"
Default: None; this parameter is required.
-LogFile "
Log file name. An extension is optional. T he file is created if it does not exist. If the file exists and
<string>"
the NoClobber parameter is also specified, an error is generated; otherwise, the file's content is
overwritten.
Default: See Logging and error handling
-NoLog
Do not generate log output. T his overrides the LogFile parameter if it is also specified.
Default: False; log output is generated
-NoClobber
Do not overwrite an existing log file specified in the LogFile parameter. If the log file does not exist,
this parameter has no effect.
Default: False; an existing log file is overwritten
-NoDetails
Do not send detailed reports about script execution to the console.
Default: False; detailed reports are sent to the console
-
Do not print the message "XenApp 6.x to XenApp/XenDesktop 7.6 Migration Tool Version
SuppressLogo
#yyyyMMdd-hhmm#" to the console. T his message, which identifies the script version, can be
helpful during troubleshooting; therefore, Citrix recommends omitting this parameter.
Default: False; the message is printed to the console
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.288
Parameter
Description
Example: T he following cmdlet exports policy information to the XML file named MyPolicies.xml. T he operation is logged
to the file named MyPolicies.log.
Export-Policy -XmlOutputFile ".\MyPolicies.XML"
-LogFile ".\MyPolicies.Log"
9. T o export farm data, run the Export-XAFarm cmdlet, specifying a log file and an XML file.
Parameter
Description
-XmlOutputFile
XML output file name; this file will hold the exported data. Must have an .xml extension. T he file
"<string>.xml"
must not exist, but if a path is specified, the parent path must exist.
Default: None; this parameter is required.
-LogFile "
Log file name. An extension is optional. T he file is created if it does not exist. If the file exists and
<string>"
the NoClobber parameter is also specified, an error is generated; otherwise, the file's content is
overwritten.
Default: See Logging and error handling
-NoLog
Do not generate log output. T his overrides the LogFile parameter if it is also specified.
Default: False; log output is generated
-NoClobber
Do not overwrite an existing log file specified in the LogFile parameter. If the log file does not
exist, this parameter has no effect.
Default: False; an existing log file is overwritten
-NoDetails
Do not send detailed reports about script execution to the console.
Default: False; detailed reports are sent to the console
-SuppressLogo
Do not print the message "XenApp 6.x to XenApp/XenDesktop 7.6 Migration Tool Version
#yyyyMMdd-hhmm#" to the console. T his message, which identifies the script version, can be
helpful during troubleshooting; therefore, Citrix recommends omitting this parameter.
Default: False; the message is printed to the console
-IgnoreAdmins
Do not export administrator information. See Advanced use for how-to-use information.
Default: False; administrator information is exported
-IgnoreApps
Do not export application information. See Advanced use for how-to-use information.
Default: False; application information is exported
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.289
Parameter
-IgnoreServers
Description
Do not export server information.
Default: False: server information is exported
-IgnoreZones
Do not export zone information.
Default: False; zone information is exported.
-IgnoreOthers
Do not export information such as configuration logging, load evaluators, load balancing policies,
printer drivers, and worker groups.
Default: False; other information is exported
Note: T he purpose of the -IgnoreOthers switch is to allow you to proceed with an export when
an error exists that would not affect the actual data being used for the exporting or importing
process.
-AppLimit
<integer>
EmbedIconData
Number of applications to be exported. See Advanced use for how-to-use information.
Default: All applications are exported
Embed application icon data in the same XML file as the other objects.
Default: Icons are stored separately. See Requirements, preparation, and best practices for
details
-SkipApps
<integer>
Number of applications to skip. See Advanced use for how-to-use information.
Default: No applications are skipped
Example: T he following cmdlet exports farm information to the XML file named MyFarm.xml. T he operation is logged to
the file MyFarm.log. A folder named "MyFarm-icons" is created to store the application icon data files; this folder is at
the same location as MyFarm.XML.
Export-XAFarm -XmlOutputFile ".\MyFarm.XML"
-LogFile ".\MyFarm.Log"
After the export scripts complete, the XML files specified on the command lines contain the policy and XenApp farm data.
T he application icon files contain icon data files, and the log file indicate what occurred during the export.
Step-by-step: import data
A video of an import walk-through is available here.
Remember that you can run a preview import (by issuing the Import-Policy or Import-XAFarm cmdlet with the Preview
parameter) and review the log files before performing an actual import.
Complete the following steps to import data to a XenApp 7.6 site, using the XML files generating from the export.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.290
1. Log on to the XenApp 7.6 controller as an administrator with read-write permission and Windows permission to run
PowerShell scripts.
2. If you have not unzipped the migration tool package XAMigration on the network file share, do so now. Copy
ImportFMA.zip from the network file share to the XenApp 7.6 Controller. Unzip and extract ImportFMA.zip on the
Controller to a folder (for example: C:\XAMigration).
3. Copy the XML files (the output files generated during the export) from the XenApp 6.x controller to the same location
on the XenApp 7.6 Controller where you extracted the ImportFMA.zip files.
If you chose not to embed the application icon data in the XML output file when you ran the Export-XAFarm cmdlet, be
sure to copy the icon data folder and files to the same location on the XenApp 7.6 controller as the output XML file
containing the application data and the extracted ImportFMA.zip files.
4. Open a PowerShell console and set the current directory to the script location.
cd C:\XAMigration
5. Check the script execution policy by running Get-ExecutionPolicy.
6. Set the script execution policy to at least RemoteSigned to allow the scripts to be executed. For example:
Set-ExecutionPolicy RemoteSigned
7. Import the PowerShell module definition files ImportPolicy.psd1 and ImportXAFarm.psd1:
Import-Module .\ImportPolicy.psd1
Import-Module .\ImportXAFarm.psd1
Good to know:
If you intend to import only policy data, you can import only the ImportPolicy.psd1 module definition file. Similarly, if
you intend to import only farm data, import only ImportXAFarm.psd1.
Importing the module definition files also adds the required PowerShell snap-ins.
Do not import the .psm1 script files.
8. T o import policy data, run the Import-Policy cmdlet, specifying the XML file containing the exported policy data.
Parameter
Description
-XmlInputFile
XML input file name; this file contains data collected from running the Export-Policy cmdlet. Must
"<string>.xml"
have an .xml extension.
Default: None; this parameter is required.
-XsdFile "
XSD file name. T he import scripts use this file to validate the syntax of the XML input file. See
<string>"
Advanced use for how-to-use information.
Default: PolicyData.XSD
-LogFile "
Log file name. If you copied the export log files to this server, consider using a different log file name
<string>"
with the import cmdlet.
Default: See Logging and error handling
-NoLog
Do not generate log output. T his overrides the LogFile parameter, if it is also specified.
Default: False; log output is generated
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.291
Parameter
-NoClobber
Description
Do not overwrite an existing log file specified in the LogFile parameter. If the log file does not exist,
this parameter has no effect.
Default: False; an existing log file is overwritten
-NoDetails
Do not send detailed reports about script execution to the console.
Default: False; detailed reports are sent to the console
-
Do not print the message "XenApp 6.x to XenApp/XenDesktop 7.6 Migration Tool Version
SuppressLogo
#yyyyMMdd-hhmm#" to the console. T his message, which identifies the script version, can be
helpful during troubleshooting; therefore, Citrix recommends omitting this parameter.
Default: False; the message is printed to the console
-Preview
Perform a preview import: read data from the XML input file, but do not import objects to the site.
T he log file and console indicate what occurred during the preview import. A preview shows
administrators what would happen during a real import.
Default: False; a real import occurs
Example: T he folowing cmdlet imports policy data from the XML file named MyPolcies.xml. T he operation is logged to
the file named MyPolicies.log.
Import-Policy -XmlInputFile ".\MyPolicies.XML"
-LogFile ".\MyPolicies.Log"
9. T o import applications, run the Import-XAFarm cmdlet, specifying a log file and the XML file containing the exported
farm data.
Parameter
Description
-XmlInputFile "
XML input file name; this file contains data collected from running the Export-XAFarm
<string>.xml"
cmdlet. Must have an .xml extension.
Default: None; this parameter is required.
-XsdFile "<string>"
XSD file name. T he import scripts use this file to validate the syntax of the XML input file.
See Advanced use for how-to-use information.
Default: XAFarmData.XSD
-LogFile "<string>"
Log file name. If you copied the export log files to this server, consider using a different
log file name with the import cmdlet.
Default: See Logging and error handling
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.292
-NoLog
Parameter
Do not generate log output. T his overrides the LogFile parameter, if it is also specified.
Description
Default: False; log output is generated
-NoClobber
Do not overwrite an existing log file specified in the LogFile parameter. If the log file does
not exist, this parameter has no effect.
Default: False; an existing log file is overwritten
-NoDetails
Do not send detailed reports about script execution to the console.
Default: False; detailed reports are sent to the console
-SuppressLogo
Do not print the message "XenApp 6.x to XenApp/XenDesktop 7.6 Migration Tool Version
#yyyyMMdd-hhmm#" to the console. T his message, which identifies the script version, can
be helpful during troubleshooting; therefore, Citrix recommends omitting this parameter.
Default: False; the message is printed to the console
-Preview
Perform a preview import: read data from the XML input file, but do not import objects to
the site. T he log file and console indicate what occurred during the preview import. A
preview shows administrators what would happen during a real import.
Default: False; a real import occurs
-DeliveryGroupName "
Delivery Group name for all imported applications. See Advanced use for how-to-use
<string>"
information.
Default: "<xenapp-farm-name> - Delivery Group"
-MatchFolder "<string>"
Import only those applications in folders with names that match the string. See Advanced
use for how-to-use information.
Default: No matching occurs
-NotMatchFolder "
Import only those applications in folders with names that do not match the string. See
<string>"
Advanced use for how-to-use information.
Default: No matching occurs
-MatchServer "<string>"
Import only those applications from servers whose names match the string. See Advanced
use for how-to-use information.
-NotMatchServer "
Import only those applications from servers whose names do not match the string. See
<string>"
Advanced use for how-to-use information.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.293
Parameter
Default: No matching occurs
Description
-MatchWorkerGroup "
Import only those applications published to worker groups with names that match the
<string>"
string. See Advanced use for how-to-use information.
Default: No matching occurs
-
Import only those applications published to worker groups with names that do not match
NotMatchWorkerGroup
the string. See Advanced use for how-to-use information.
"<string>"
Default: No matching occurs
-MatchAccount "
Import only those applications published to user accounts with names that match the
<string>"
string. See Advanced use for how-to-use information.
Default: No matching occurs
-NotMatchAccount "
Import only those applications published to user accounts with names that do not match
<string>"
the string. See Advanced use for how-to-use information.
Default: No matching occurs
-IncludeStreamedApps
Import applications of type "StreamedToClientOrServerInstalled" . (No other streamed
applications are imported.)
Default: Streamed applications are not imported
-IncludeDisabledApps
Import applications that have been marked as disabled.
Default: Disabled applications are not imported
Example: T he following cmdlet imports applications from the XML file named MyFarm.xml. T he operation is logged to the
file named MyFarm.log.
Import-XAFarm -XmlInputFile ".\MyFarm.XML"
-LogFile ".\MyFarm.Log"
10. After the import completes successfully, complete the post-migration tasks.
Post-migration tasks
After successfully importing XenApp 6.x policies and farm settings into a XenApp 7.6 site, use the following guidance to
ensure that the data has been imported correctly.
Policies and policy settings
Importing policies is essentially a copy operation, with the exception of deprecated settings and policies, which are not
imported. T he post-migration check essentially involves comparing the two sides.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.294
1. T he log file lists all the policies and settings imported and ignored. First, review the log file and identify which settings
and policies were not imported.
2. Compare the XenApp 6.x policies with the policies imported to XenApp 7.6. T he values of the settings should remain
the same (except for deprecated policy settings, as noted in the next step).
If you have a small number of policies, you can perform a side-by-side visual comparison of the policies displayed in
the XenApp 6.x AppCenter and the policies displayed in the XenApp 7.6 Studio.
If you have a large number of policies, a visual comparison might not be feasible. In such cases, use the policy
export cmdlet (Export-Policy) to export the XenApp 7.6 policies to a different XML file, and then use a text diff
tool (such as windiff) to compare that file’s data to the data in the XML file used during the policy export from
XenApp 6.x.
3. Use the information in the Policy settings not imported section to determine what might have changed during the
import. If a XenApp 6.x policy contains only deprecated settings, as a whole policy, it is not imported. For example, if a
XenApp 6.x policy contains only HMR test settings, that policy is completely ignored because there is no equivalent
setting supported in XenApp 7.6.
Some XenApp 6.x policy settings are no longer supported, but the equivalent functionality is implemented in XenApp
7.6. For example, in XenApp 7.6, you can configure a restart schedule for Server OS machines by editing a Delivery
Group; this functionality was previously implemented through policy settings.
4. Review and confirm how filters will apply to your XenApp 7.6 site versus their use in XenApp 6.x; significant differences
between the XenApp 6.x farm and the XenApp 7.6 site could change the effect of filters.
Filters
Carefully examine the filters for each policy. Changes may be required to ensure they still work in XenApp 7.6 as originally
intended in XenApp 6.x.
Filter
Considerations
Access
Access Control Should contain the same values as the original XenApp 6.x filters and should work
Control
without requiring changes.
Citrix
A simple Boolean; should work without requiring changes.
CloudBridge
Client IP
Lists client IP address ranges; each range is either allowed or denied. T he import script preserves the
Address
values, but they may require changes if different clients connect to the XenApp 7.6 VDA machines.
Client Name
Similar to the Client IP Address filter, the import script preserves the values, but they may require
changes if different clients connect to the XenApp 7.6 VDA machines.
Organizational
Values might be preserved, depending on whether or not the OUs can be resolved at the time they
Unit
are imported. Review this filter closely, particularly if the XenApp 6.x and XenApp 7.6 machines
reside in different domains. If you do not configure the filter values correctly, the policy may be
applied to an incorrect set of OUs.
T he OUs are represented by names only, so there is a small chance that an OU name will be
resolved to an OU containing different members from the OUs in the XenApp 6.x domain. Even if
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.295
Filter
some of the values of the OU filter are preserved, you should carefully review the values.
Considerations
User or Group
Values might be preserved, depending on whether or not the accounts can be resolved at the time
they are imported.
Similar to OUs, the accounts are resolved using names only, so if the XenApp 7.6 site has a domain
with the same domain and user names, but are actually two different domains and users, the
resolved accounts could be different from the XenApp 6.x domain users. If you do not properly
review and modify the filter values, incorrect policy applications can occur.
Worker Group
Worker groups are not supported in XenApp 7.6. Consider using the Delivery Group, Delivery Group
T ype, and T ag filters, which are supported in XenApp 7.6 (not in XenApp 6.x).
Delivery Group: Allows policies to be applied based on Delivery Groups. Each filter entry specifies
a Delivery Group and can be allowed or denied.
Delivery Group T ype: Allows policies to be applied based on the Delivery Group types. Each filter
specifies a Delivery Group type that can be allowed or denied.
T ag: Specifies policy application based on tags created for the VDA machines. Each tag can be
allowed or denied.
To recap, filters that involve domain user changes require the most attention if the XenApp 6.x farm and the XenApp 7.6
site are in different domains. Because the import script uses only strings of domain and user names to resolve users in
the new domain, some of the accounts might be resolved and others might not. While there is only a small chance that
different domains and users have the same name, you should carefully review these filters to ensure they contain correct
values.
Applications
T he application importing scripts do not just import applications; they also create objects such as Delivery Groups. If the
application import involves multiple iterations, the original application folder hierarchies can change significantly.
1. First, read the migration log files that contain details about which applications were imported, which applications were
ignored, and the cmdlets that were used to create the applications.
2. For each application:
Visually check to ensure the basic properties were preserved during the import. Use the information in the
Application property mapping section to determine which properties were imported without change, not imported,
or initialized using the XenApp 6.x application data.
Check the user list. T he import script automatically imports the explicit list of users into the application's limit
visibility list in XenApp 7.6. Check to ensure that the list remains the same.
3. Application servers are not imported. T his means that none of the imported applications can be accessed yet. T he
Delivery Groups that contain these applications must be assigned machine catalogs that contain the machines that
have the published applications’ executable images. For each application:
Ensure that the executable name and the working directory point to an executable that exists in the machines
assigned to the Delivery Group (through the machine catalogs).
Check a command line parameter (which may be anything, such as file name, environment variable, or executable
name). Verify that the parameter is valid for all the machines in the machine catalogs assigned to the Delivery
Group.
Log f iles
T he log files are the most important reference resources for an import and export. T his is why existing log files are not
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.296
overwritten by default, and default log file names are unique.
As noted in the “Logging and error handling” section, if you chose to use additional logging coverage with the PowerShell
Start-Transcript and Stop-Transcript cmdlets (which record everything typed and printed to the console), that output,
together with the log file, provides a complete reference of import and export activity.
Using the time stamps in the log files, you can diagnose certain problems. For example, if an export or import ran for a
very long time, you could determine if a faulty database connection or resolving user accounts took most of the time.
T he commands recorded in the log files also tell you how some objects are read or created. For example, to create a
Delivery Group, several commands are executed to not only create the Delivery Group object itself, but also other
objects such as access policy rules that allow application objects to be assigned to the Delivery Group.
T he log file can also be used to diagnose a failed export or import. Typically, the last lines of the log file indicate what
caused the failure; the failure error message is also saved in the log file. Together with the XML file, the log file can be
used to determine which object was involved in the failure.
After reviewing and testing the migration, you can:
1. Upgrade your XenApp 6.5 worker servers to current Virtual Delivery Agents (VDAs) by running the 7.6 installer on the
server, which removes the XenApp 6.5 software and then automatically installs a current VDA. See Upgrade a XenApp 6.5
worker to a new VDA for Windows Server OS for instructions.
For XenApp 6.0 worker servers, you must manually uninstall the XenApp 6.0 software from the server. You can then use
the 7.6 installer to install the current VDA. You cannot use the 7.6 installer to automatically remove the XenApp 6.0
software.
2. From Studio in the new XenApp site, create machine catalogs (or edit existing catalogs) for the upgraded workers.
3. Add the upgraded machines from the machine catalog to the Delivery Groups that contain the applications installed on
those VDAs for Windows Server OS.
Advanced use
By default, the Export-Policy cmdlet exports all policy data to an XML file. Similarly, Export-XAFarm exports all farm data to
an XML file. You can use command line parameters to more finely control what is exported and imported.
Export applications partially - If you have a large number of applications and want to control how many are exported
to the XML file, use the following parameters:
AppLimit - Specifies the number of applications to export.
SkipApps - Specifies the number of applications to skip before exporting subsequent applications.
You can use both of these parameters to export large quantities of applications in manageable chunks. For example, the
first time you run Export-XAFarm, you want to export only the first 200 applications, so you specify that value in the
AppLimit parameter.
Export-XAFarm -XmlOutputFile "Apps1-200.xml"
-AppLimit "200"
T he next time you run Export-XAFarm, you want to export the next 100 applications, so you use the SkipApps parameter
to disregard the applications you've already exported (the first 200), and the AppLimit parameter to export the next 100
applications.
Export-XAFarm -XmlOutputFile "Apps201-300.xml"
-AppLimit "100" -SkipApps "200"
Do not export certain objects - Some objects can be ignored and thus do not need to be exported, particularly those
objects that are not imported; see Policy settings not imported and Application property mapping. Use the following
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.297
parameters to prevent exporting unneeded objects:
IgnoreAdmins - Do not export administrator objects
IgnoreServers - Do not export server objects
IgnoreZones - Do not export zone objects
IgnoreOthers - Do not export configuration logging, load evaluator, load balancing policy, printer driver, and worker
group objects
IgnoreApps - Do not export applications; this allows you to export other data to an XML output file and then run the
export again to export applications to a different XML output file.
You can also use these parameters to work around issues that could cause the export to fail. For example, if you have a
bad server in a zone, the zone export might fail; if you include the IgnoreZones parameter, the export continues with
other objects.
Delivery Group names - If you do not want to put all of your applications into one Delivery Group (for example,
because they are accessed by different sets of users and published to different sets of servers), you can run ImportXAFarm multiple times, specifying different applications and a different Delivery Group each time. Although you can use
PowerShell cmdlets to move applications from one Delivery Group to another after the migration, importing selectively
to unique Delivery Groups can reduce or eliminate the effort of moving the applications later.
1. Use the DeliveryGroupName parameter with the Import-XAFarm cmdlet. T he script creates the specified Delivery
Group if it doesn't exist.
2. Use the following parameters with regular expressions to filter the applications to be imported into the Delivery
Group, based on folder, worker group, user account, and/or server names. Enclosing the regular expression in single or
double quotation marks is recommended. For information about regular expressions, see
http://msdn.microsoft.com/en-us/library/hs600312(v=vs.110).aspx.
MatchWorkerGroup and NotMatchWorkerGroup - For example, for applications published to worker groups, the
following cmdlet imports applications in the worker group named "Productivity Apps" to a XenApp 7.6 Delivery
Group of the same name:
Import-XAFarm –XmlInputFile XAFarm.xml –LogFile XAFarmImport.log
–MatchWorkerGroup ‘Productivity Apps’ –DeliveryGroupName ‘Productivity Apps’
MatchFolder and NotMatchFolder - For example, for applications organized in application folders, the following
cmdlet imports applications in the folder named "Productivity Apps" to a XenApp 7.6 Delivery Group of the same
name.
Import-XAFarm –XmlInputFile XAFarm.xml –LogFile XAFarmImport.log
–MatchFolder ‘Productivity Apps’ –DeliveryGroupName ‘Productivity Apps’
For example, the following cmdlet imports applications in any folder whose name contains "MS Office Apps" to the
default Delivery Group.
Import-XAFarm -XmlInputFile .\THeFarmApps.XML -MatchFolder ".*/MS Office Apps/.*"
MatchAccount and NotMatchAccount - For example, for applications published to Active Directory users or user
groups, the following cmdlet imports applications published to the user group named "Finance Group" to a XenApp
7.6 Delivery Group named "Finance."
Import-XAFarm –XmlInputFile XAFarm.xml –LogFile XAFarmImport.log
–MatchAccount ‘DOMAIN\\Finance Group’ –DeliveryGroupName ‘Finance’
MatchServer and NotMatchServer - For example, for applications organized on servers, the following cmdlet
imports applications associated with the server not named "Current" to a XenApp Delivery Group named "Legacy."
Import-XAFarm -XmlInputFile XAFarm.xml -LogFile XAFarmImport.log
-NotMatchServer 'Current' -DeliveryGroupName 'Legacy'
Customization - PowerShell programmers can create their own tools. For example, you can use the export script as an
inventory tool to keep track of changes in a XenApp 6.x farm. You can also modify the XSD files or (create your own XSD
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.298
files) to store additional data or data in different formats in the XML files. You can specify a nondefault XSD file with
each of the import cmdlets.
Note: Although you can modify script files to meet specific or advanced migration requirements, support is limited to the
scripts in their unmodified state. Citrix T echnical Support will recommend reverting to the unmodified scripts to
determine expected behavior and provide support, if necessary.
Troubleshooting
If you are using PowerShell verison 2.0 and you added the Citrix Group Policy PowerShell Provider snap-in or the Citrix
Common Commands snap-in using the Add-PSSnapIn cmdlet, you might see the error message "Object reference not set
to an instance of an object" when you run the export or import cmdlets. T his error does not affect script execution and
can be safely ignored.
Avoid adding or removing the Citrix Group Policy PowerShell Provider snap-in in the same console session where the
export and import script modules are used, because those script modules automatically add the snap-in. If you add or
remove the snap-in separately, you might see one of the following errors:
"A drive with the name 'LocalGpo' already exists." T his error appears when the snap-in is added twice; the snap-in
attempts to mount the drive LocalGpo when it's loaded, and then reports the error.
"A parameter cannot be found that matches parameter name 'Controller'." T his error appears when the snap-in has
not been added but the script attempts to mount the drive. T he script is not aware that the snap-in was removed.
Close the console and launch a new session. In the new session, import the script modules; do not add or remove the
snap-in separately.
When importing the modules, if you right-click a .psd1 file and select Open or Open with PowerShell, the PowerShell
console window will rapidly open and close until you stop the process. T o avoid this error, enter the complete PowerShell
script module name directly in the PowerShell console window (for example, Import-Module .\ExportPolicy.psd1).
If you receive a permission error when running an export or import, ensure you are a XenApp administrator with
permission to read objects (for export) or read and create objects (for import). You must also have sufficient Windows
permission to run PowerShell scripts.
If an export fails, check that the XenApp 6.x farm is in a healthy state by running the DSMAINT and DSCHECK utilities on
the XenApp 6.x controller server.
If you run a preview import and then later run the import cmdlets again for an actual migration, but discover that nothing
was imported, verify that you removed the Preview parameter from the import cmdlets.
Policy settings not imported
T he following computer and user policy settings are not imported because they are no longer supported. Please note,
unfiltered policies are never imported. T he features and components that support these settings have either been replaced
by new technologies/components or the settings do not apply because of architectural and platform changes.
Computer policy settings not imported
Connection access control
CPU management server level
DNS address resolution
Farm name
Full icon caching
Health monitoring, Health monitoring tests
License server host name, License server port
Limit user sessions, Limits on administrator sessions
Load evaluator name
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.299
Logging of logon limit events
Maximum percent of servers with logon control
Memory optimization, Memory optimization application exclusion list, Memory optimization interval, Memory
optimization schedule: day of month, Memory optimization schedule: day of week, Memory optimization schedule: time
Offline app client trust, Offline app event logging, Offline app license period, Offline app users
Prompt for password
Reboot custom warning, Reboot custom warning text, Reboot logon disable time, Reboot schedule frequency, Reboot
schedule randomization interval, Reboot schedule start date, Reboot schedule time, Reboot warning interval, Reboot
warning start time, Reboot warning to users, Scheduled reboots
Shadowing *
T rust XML requests (configured in StoreFront)
Virtual IP adapter address filtering, Virtual IP compatibility programs list, Virtual IP enhanced compatibility, Virtual IP filter
adapter addresses programs list
Workload name
XenApp product edition, XenApp product model
XML service port
* Replaced with Windows Remote Assistance
User policy settings not imported
Auto connect client COM ports, Auto connect client LPT ports
Client COM port redirection, Client LPT port redirection
Client printer names
Concurrent logon limit
Input from shadow connections *
Linger disconnect timer interval, Linger terminate timer interval
Log shadow attempts *
Notify user of pending shadow connections *
Pre-launch disconnect timer interval, Pre-launch terminate timer interval
Session importance
Single Sign-On, Single Sign-On central store
Users who can shadow other users, Users who cannot shadow other users *
* Replaced with Windows Remote Assistance
Application types not imported
T he following application types are not imported.
Server desktops
Content
Streamed applications (App-V is the new method used for streaming applications)
Application property mapping
T he farm data import script imports only applications. T he following application properties are imported without change.
IMA Property
FMA Property
AddT oClientDesktop
ShortcutAddedT oDesktop
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.300
AddT
oClientStartMenu
IMA Property
ShortcutAddedT
FMA Property oStartMenu
ClientFolder
ClientFolder
CommandLineExecutable
CommandLineExecutable
CpuPriorityLevel
CpuPriorityLevel
Description
Description
DisplayName
PublishedName
Enabled
Enabled
StartMenuFolder
StartMenuFolder
WaitOnPrinterCreation
WaitForPrinterCreation
WorkingDirectory
WorkingDirectory
FolderPath
AdminFolderName
Note: IMA and FMA have different restrictions on folder name length. In IMA, the folder name limit is 256 characters; the
FMA limit is 64 characters. When importing, applications with a folder path containing a folder name of more than 64
characters are skipped. T he limit applies only to the folder name in the folder path; the entire folder path can be longer
than the limits noted. T o avoid applications from being skipped during the import, Citrix recommends checking the
application folder name length and shortening it, if needed, before exporting.
T he following application properties are initialized or uninitialized by default, or set to values provided in the XenApp 6.x
data:
FMA Property
Value
Name
Initialized to the full path name, which contains the IMA properties FolderPath
and DisplayName, but stripped of the leading string "Applications\"
ApplicationT ype
HostedOnDesktop
CommandLineArguments
Initialized using the XenApp 6.x command line arguments
IconFromClient
Uninitialized; defaults to false
IconUid
Initialized to an icon object created using XenApp 6.x icon data
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.301
FMA Property
Value
SecureCmdLineArgumentsEnabled
Uninitialized; defaults to true
UserFilterEnabled
Uninitialized; defaults to false
UUID
Read-only, assigned by the Controller
Visible
Uninitialized; defaults to true
T he following application properties are partially migrated:
IMA
Property
Comments
FileT ypes
Only the file types that exist on the new XenApp site are migrated. File types that do not exist on the new
site are ignored. File types are imported only after the file types on the new site are updated.
IconData
New icon objects are created if the icon data has been provided for the exported applications.
Accounts
T he user accounts of an application are split between the user list for the Delivery Group and the
application. Explicit users are used to initialize the user list for the application. In addition, the "Domain
Users" account for the domain of the user accounts is added to the user list for the Delivery Group.
T he following XenApp 6.x properties are not imported:
IMA Property
Comments
ApplicationT ype
Ignored.
HideWhenDisabled
Ignored.
AccessSessionConditions
Replaced by Delivery Group access policies.
AccessSessionConditionsEnabled
Replaced by Delivery Group access policies.
ConnectionsT hroughAccessGatewayAllowed
Replaced by Delivery Group access policies.
OtherConnectionsAllowed
Replaced by Delivery Group access policies.
AlternateProfiles
FMA does not support streamed applications.
OfflineAccessAllowed
FMA does not support streamed applications.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.302
ProfileLocation
IMA Property
FMA
does not support streamed applications.
Comments
ProfileProgramArguments
FMA does not support streamed applications.
ProfileProgramName
FMA does not support streamed applications.
RunAsLeastPrivilegedUser
FMA does not support streamed applications.
AnonymousConnectionsAllowed
FMA uses a different technology to support unauthenticated
(anonymous) connections.
ApplicationId, SequenceNumber
IMA-unique data.
AudioT ype
FMA does not support advanced client connection options.
EncryptionLevel
SecureICA is enabled/disabled in Delivery Groups.
EncryptionRequired
SecureICA is enabled/disabled in Delivery Groups.
SslConnectionEnabled
FMA uses a different SSL implementation.
ContentAddress
FMA does not support published content.
ColorDepth
FMA does not support advanced window appearances.
MaximizedOnStartup
FMA does not support advanced window appearances.
T itleBarHidden
FMA does not support advanced window appearances.
WindowsT ype
FMA does not support advanced window appearances.
InstanceLimit
FMA does not support application limits.
MultipleInstancesPerUserAllowed
FMA does not support application limits.
LoadBalancingApplicationCheckEnabled
FMA uses a different technology to support load balancing.
PreLaunch
FMA uses a different technology to support session prelaunch.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.303
CachingOption
IMA Property
FMA uses a different technology to support session prelaunch.
Comments
ServerNames
FMA uses a different technology.
WorkerGroupNames
FMA does not support worker groups.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.304
Migrate XenDesktop 4
May 28 , 20 16
You can transfer data and settings from a XenDesktop 4 farm to a XenDesktop 7.x Site using the Migration T ool, which is
available in the Support > T ools > MigrationT ool folder on the XenDesktop installation media. T he tool includes:
T he export tool, XdExport, which exports XenDesktop 4 farm data to an XML file (default name: XdSettings.xml). T he
XML file schema resides in the file XdFarm.xsd.
T he import tool, XdImport, which imports the data by running the PowerShell script Import-XdSettings.ps1.
To successfully use the Migration Tool, both deployments must have the same hypervisor version (for example, XenServer
6.2), and Active Directory environment.
You cannot use this tool to migrate XenApp, and you cannot migrate XenDesktop 4 to XenApp.
T ip: You can upgrade XenDesktop 5 (or later XenDesktop versions) to the current XenDesktop version; see Upgrade a
deployment.
Limitations
Not all data and settings are exported. T he following configuration items are not migrated because they are exported but
not imported:
Administrators
Delegated administration settings
Desktop group folders
Licensing configuration
Registry keys
T hese use cases are not directly supported in migration:
Merging settings of policies or desktop group or hosting settings.
Merging private desktops into random Delivery Groups.
Adjusting existing component settings through the migration tools.
For more information, see What is and is not migrated .
Migration steps
T he following figure summarizes the migration process.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.305
T he migration process follows this sequence:
1. In the Studio console on the XenDesktop 4 Controller, turn on maintenance mode for all machines to be exported.
2. Export data and settings from your XenDesktop 4 farm to an XML file using XdExport; see Export from a XenDesktop 4
farm.
3. Edit the XML file so that it contains only the data and settings you want to import into your new XenDesktop Site; see
Edit the Migration T ool XML file.
4. Import the data and settings from the XML file to your new XenDesktop Site using XdImport; see Import XenDesktop 4
data.
5. T o make additional changes, repeat steps 3 and 4. After making changes, you might want to import additional desktops
into existing Delivery Groups. T o do so, use the Mergedesktops parameter when you import.
6. Complete the post-migration tasks; see Post-migration tasks.
Bef ore migrating
Complete the following before beginning a migration:
Make sure you understand which data can be exported and imported, and how this applies to your own deployment. See
What is and is not migrated.
Citrix strongly recommends that you manually back up the Site database so that you can restore it if any issues are
discovered.
Install the XenDesktop 7.x components and create a Site, including the database.
T o migrate from XenDesktop 4 , all VDAs must be at a XenDesktop 5.x level so that they are compatible with both
XenDesktop 4 and XenDesktop 7.x controllers. After the Controller infrastructure is fully running XenDesktop 7.x,
Windows 7 VDAs can be upgraded to XenDesktop 7.x. For details, see Migration examples.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.306
Export from a XenDesktop 4 farm
May 28 , 20 16
T he export tool, XdExport, extracts data from a single XenDesktop 4 farm and produces an XML file from representations
of the data values.
T he schema of the XML file resides in the file XdFarm.xsd, which is included in the migration tool download XdExport.zip and
XdImport.zip.
Run XdExport on a XenDesktop 4 Controller in the farm from which you want to export data. T his machine must have the
XenDesktop 4 PowerShell SDK installed. You must have the following permissions to export the data:
T he user identity of at least read-only Citrix administrator of the farm.
Permission to read the registry.
Although not recommended, you can run the tool while the XenDesktop Controller is in active use (for example, users are
logged in to VDAs).
Citrix strongly recommends:
T he XenDesktop 4 Controller on which you run the tool be up-to-date with public hotfixes.
Not making configuration changes to the Site while the export is running (for example, removing Desktop Groups).
1. Download XdExport.zip and extract the files to the XenDesktop 4 Controller.
2. At a command line prompt, run XdExport.exe with the following optional parameters:
Parameter
Description
-Verbose
Generates messages providing detailed progress information.
-FilePath
Indicates the location of the XML file to which the farm data is exported. Default = .\XdSettings.xml
<path>
-Overwrite
Overwrites any file existing in the location specified in -FilePath. If you do not supply this parameter
and an output file already exists, the tool fails with the message "Error: File already exists. Specify Overwrite to allow the file to be overwritten. "
-? or -help
Displays text describing the parameters and exits without exporting any data.
3. If the tool runs successfully, the message Done appears. T he XdSettings.xml file resides in the location specified in the
FilePath parameter. If the tool fails, an error message appears.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.307
Edit the Migration Tool XML file
May 28 , 20 16
Before importing data to a XenDesktop 7.x Site, check and edit the contents of the XML file generated by the export tool
(XdExport), particularly if you migrate in multiple stages and import some users, Delivery Groups, and policies before
importing others.
Use any text editor to view or change the file contents; you can use a specialized XML editor such as Microsoft XML
Notepad.
Some elements within the XML content must be present for the XML file to be accepted by the import tool (XdImport).
T he required XML schema is defined in the XdFarm.xsd file that is supplied as part of the Migration T ool download. When
working with this file:
A minOccurs attribute with a value of 1 or more indicates that particular elements must be present if the parent element
is present.
If the XML file supplied to the Import tool is not valid, the tool halts and an error message appears that should enable
you to locate where the problem lies in the XML file.
Import a subset of desktops or Delivery Groups
To import only a subset of Delivery Groups and desktops, edit the contents of the DesktopGroups element. T he
DesktopGroups element can hold many DesktopGroup elements, and within each DesktopGroup element there is a
Desktops element that can contain many Desktop elements.
Do not delete the DesktopGroups element, although you can delete all the DesktopGroup elements and leave it empty.
Similarly, within each DesktopGroup element, the Desktops element must be present but can be empty of Desktop
elements.
Delete Desktop or DesktopGroup elements to avoid importing particular single machines or entire Delivery Groups. For
example, the XML file contains:
<DesktopGroups>
<DesktopGroup name="Group1">
…
<Desktops>
<Desktop sameName="DOMAIN\MACHINE1$">
…
</Desktop>
</Desktops>
…
</DesktopGroup>
<DesktopGroup name="Group2">
…
<Desktops>
<Desktop samName="DOMAIN\MACHINE2$">
…
</Desktop>
<Desktop samName="DOMAIN\MACHINE3$">
…
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.308
</Desktop>
</Desktops>
…
</DesktopGroup>
</DesktopGroups>
In this example, the edits prevent Group1 group from being imported. Only Machine3 from the Group2 group will be
imported:
<DesktopGroups>
<DesktopGroup name="Group2">
…
<Desktops>
<Desktop samName="DOMAIN\MACHINE3$">
…
</Desktop>
</Desktops>
…
</DesktopGroup>
</DesktopGroups>
Manage Delivery Groups with duplicate names
In XenDesktop 4, Desktop Groups can be organized in folders, Desktop Groups with the same name can appear in different
folders, and the internal desktop group name is the name that appears to users. In this release, Delivery Groups cannot be
placed in folders, and each Delivery Group must have a unique internal name, and the name that appears to users can be
different from the internal name. To accommodate these differences, you might have to rename Desktop Groups.
For example, in your XenDesktop 4 farm, you could have two different Desktop Groups that appear with the name "My
Desktop" to two different users, and you could use Desktop Groups folders to achieve this. If these Delivery Groups are to
remain separate in the XenDesktop 7.x Site, you must edit the Desktop Group names in the XML file to make them unique.
If a Delivery Group in the XenDesktop 7.x Site has the same name as a Desktop Group to be imported, and the Delivery
Groups are to remain separate in the XenDesktop 7.x Site, you must edit the XenDesktop 4 Desktop Group name in the
XML file to keep the name unique in the Site. If the Desktop Group to be imported is really the same as the XenDesktop
7.x Delivery Group, and the machines in the XML file are to be merged into the existing Desktop Group, you do not need to
rename the Desktop Group; instead, specify the -MergeDesktops parameter to the Import tool. For example, if the XML
file contains:
<DesktopGroups>
<DesktopGroup name="My Desktop">
…
<Folder>\Sales</Folder>
</DesktopGroup>
<DesktopGroup name="My Desktop">
…
<Folder>\Finance</Folder>
</DesktopGroup>
</DesktopGroups>
Remove the duplicate names as follows:
<DesktopGroups>
<DesktopGroup name="Sales Desktops">
…
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.309
<Folder>\Sales</Folder>
</DesktopGroup>
<DesktopGroup name="Finance Desktops">
…
<Folder>\Finance</Folder>
</DesktopGroup>
</DesktopGroups>
Manage policy imports
You can delete policies from the XML file, and you can specify unique names to avoid policy name duplication. T here is no
support for merging policies.
When you import policy data, either all polices are imported successfully or, if there is any failure, no policy data is
imported.
Importing large numbers of policies with many settings can take several hours.
If you import policies in batches, their original prioritization may be affected. When you import policies, the relative
priorities of the imported polices are maintained, but they are given higher priority than policies already in the Site. For
example, if you have four polices to import with priority numbers 1 to 4, and you decide to import them in two batches,
you should import policies with priorities 3 and 4 first, because the second batch of policies automatically gets higher
priority.
T o import only a subset of policies into the XenDesktop 7.x Site, edit the contents of the Policies element. T he Policies
element can hold many Policy elements. You must not delete the Policies element, although you can delete all the Policy
elements and leave it empty. Delete entire Policy elements to avoid importing particular XenDesktop 4 farm policies. For
example, if the XML file contains:
<Policies>
<Policy name="Sales Policy">
…
</Policy>
…
</Policies>
T o avoid importing any XenDesktop 4 policies, and avoid clashes with policies already configured in the XenDesktop 7.x
Site, edit the file to remove the individual Policy elements as follows:
<Policies>
</Policies>
Alternatively, edit the file so that the policy is imported with a different name as follows:
<Policies>
<Policy name="XD4 Sales Policy">
…
</Policy>
…
</Policies>
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.310
Import XenDesktop 4 data
May 28 , 20 16
T he import tool, XdImport, reads settings from XenDesktop 4 that are contained in the XML file produced by the export
tool, XdExport, and applies those settings to an existing XenDesktop 7.x Site. T he Import tool uses the PowerShell script
Import-XdSettings.ps1.
To apply only a subset of the exported data, edit the XML file before running the Import tool. For example, you might want
to remove desktop groups and policies that are not needed in your XenDesktop 7.x deployment. T he import tool runs
successfully if you leave entire elements empty. For example, you can delete all the desktop groups without causing any
issues. T he tool always validates the XML file before attempting to import any data.
Run XdImport on any machine on which all the XenDesktop 7.x SDKs are installed. You must be a Full XenDesktop
administrator identity to run the tool.
Before you import, make sure that you have set up a XenDesktop 7.x Site, including its database. Citrix recommends that
you complete the import to XenDesktop 7.x before any user testing or general Site configuration occurs. Merge
configurations only when the Site is not in use.
1. Create a XenDesktop 7.x Site.
2. Download XdImport.zip and extract the files to the machine where you will run the tool.
3. In a PowerShell session, run Import-XdSettings.ps1 with the following parameters:
Parameter
Description
-
(Required.) A PowerShell hash table that maps Hypervisor addresses to
HypervisorConnectionCredentials
PSCredential instances as required for the creation of Hypervisor connections.
Default = @{}
Enter credentials for the Hypervisor to which the XenDesktop 4 farm connects.
For a single Hypervisor, create the argument as follows:
$credential = Get-Credential
$mappings = @{"http://<HypervisorIP>"
=$credential}
.\Import-XdSettings.ps1
-FilePath. \XdSettings.xml
-HypervisorConnectionCredentials $mappings
T he address specified in the hash table must exactly match the address in the
XML file.
For example, with both a XenServer and a VMware hypervisor, create the
following argument:
$Xencredential = Get-Credential
$VMWcredential = Get-Credential
$mappings = @{"http://<XenHypervisorIP>"
= $Xencredential;"http://<VmWHypervisorIP>/SDK"
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.311
Parameter
= $VMWcredential}
Description
.\Import-XdSettings.ps1
-FilePath. \XdSettings.xml
-HypervisorConnectionCredentials $mappings
-FilePath <path>
(T he value for <path> is required. ) T he location of the XML file from which the
farm data is to be imported.
-AdminAddress
T he name of a Controller in the XenDesktop 7.x Site. Default = localhost
-MergeDesktops
Adds desktops defined in the XML file to Delivery Groups in the XenDesktop 7.x
Site that have the same name as the groups described in the XML file. T he
associated machines and users are also added.
If this parameter is not supplied, no content is added to existing Delivery Groups
in the XenDesktop 7.x Site.
-SkipMachinePolicy
T he script does not create a machine policy that contains site-level settings. If
you do not supply this parameter and the machine policy for the Site exists, the
script fails.
-WhatIf
Completes a trial run to determine what would be changed in or added to the
XenDesktop 7.x Site. Including this parameter sends the information to the log
file, but does not change the Site.
-LogFilePath <path>
Indicates the full path of the log file. T he log file contains text describing all
writes performed against the XenDesktop 7.x Site. Default = .\ImportXdSettings.log
-? or -help
Displays information about parameters and exits without importing any data.
If the XML file contains policy data, either all polices are imported successfully or if there is any failure, no policy data is
imported. Importing large numbers of policies with many settings can take several hours.
When the script completes, the message Done appears. After successfully importing the data from the XML file, you can
either run further export and import iterations, or if you have imported all the relevant data, complete the post-migration
tasks.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.312
Post-migration tasks
May 28 , 20 16
After successfully importing data from a XenDesktop 4 farm to a XenDesktop 7.x Site, complete the following tasks
before using the new Site for production work:
Upgrade the Virtual Delivery Agents (VDAs). Although it is not required, Citrix recommends that you upgrade VDAs before
upgrading Controllers, Studio, or Director.
For Windows Vista and Windows XP, upgrade to XenDesktop 5. 6 Feature Pack 1 Virtual Desktop Agent.
For Windows 7, upgrade to the XenDesktop 7.x Virtual Delivery Agent.
Create administrators you need for the XenDesktop 7.x Site.
Update user devices — Citrix recommends that you update user devices with the latest version of Citrix Receiver to
benefit from hotfixes and to receive support for the latest features.
Modify the imported desktops to use registry-based Controller discovery, and point them to the XenDesktop 7.x
Controllers using one of the following methods:
Manually edit the registry to remove the unnecessary Organizational Unit (OU) GUID registry entry, and add a
ListOfDDCs registry entry.
Set up a machine policy to distribute the list of Controllers to the desktops, using the Active Directory policy
GPMC.msc. You cannot use Studio to configure this setting.
Registry-based Controller discovery is the default for XenDesktop 7.x, but Active Directory-based discovery is still
available.
Optionally, implement the following registry key settings described in the best practices for XenDesktop registry-based
registration in CT X133384:
HeartbeatPeriodMS
PrepareSessionConnectionT imeoutSec
MaxWorkers
DisableActiveSessionReconnect
ControllersGroupGuid
If you do not perform this action, the default XenDesktop 7.x settings for these keys are used.
T urn off maintenance mode for the imported machines if they were in maintenance mode in XenDesktop 4 before the
XML file was generated.
Check the XenDesktop 7.x settings to make sure that they are correct, particularly if you had changed the
PortICAConfig XML file on XenDesktop 4.
Review all migrated components to make sure that the migration was successful.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.313
Migration examples
May 28 , 20 16
Example 1: Single large-scale XenDesktop 4 f arm to a XenDesktop 7 Site
In this example, a XenDesktop 4 farm is in use. T he XenDesktop 4 farm has 50 desktop groups, where each group contains
an average 100 desktops. T he XenDesktop 4 desktops are provided through Provisioning Services (PVS), and the machines
are running on VMware ESX hypervisors. T he VDA installed on all the VMs is the XenDesktop version 4.
Migration steps
1. Upgrade all XenDesktop 4 VDAs to XenDesktop 5.6 Feature Pack 1 VDA software. T his allows the VDAs to register with
both the XenDesktop 4 controller and the XenDesktop 7 Delivery Controller.
For Windows 7 VDAs, see Upgrading the Virtual Desktop Agent on a VM or Blade Computer.
For Windows XP and Windows Vista VDAs, see Virtual Desktop Agents on Windows XP or Windows Vista.
2. Make sure that all users log off the XenDesktop 4 farm.
3. Make sure that all these machines are in maintenance mode.
4. Run the export tool (XdExport) on the XenDesktop 4 farm.
5. Install XenDesktop 7 components.
1. Use Studio to create a full production mode Site.
2. If Provisioning Services is part of the deployment, upgrade the Provisioning Services server and agents.
3. Upgrade the License Server and associated licenses.
6. Unzip the Import T ool (XdImport) to a local directory on the XenDesktop 7 Controller.
7. Copy the XML file (XdSettings.xml) generated in Step 4 by the export tool to the local directory.
8. From the PowerShell console of the Studio root node on the XenDesktop 7 Site, start a PowerShell session.
9. Run the import tool (XdImport), passing the credentials of the associated hypervisors and the path of the XML file.
10. Manually recreate administrator settings from the Administrator node in the Studio navigation pane; see Delegated
Administration for details.
11. Modify the imported desktops to use registry-based Controller discovery; and point them to the new XenDesktop 7
Controller.
12. For VDAs running on Windows 7, Citrix recommends you upgrade those VDAs to use the XenDesktop 7 VDA for
Windows Desktop OS, which provides access to all new features.
After upgrading the VDAs to XenDesktop 7 for machines in a catalog or Delivery Group, upgrade the catalog (see
Manage machine catalogs) and Delivery Groups (see Manage settings in Delivery Groups).
13. T urn off maintenance mode for the Delivery Groups.
14. Configure StoreFront to provide the desktops formerly provided through Web Interface. See the StoreFront
documentation.
Example 2: XenDesktop 4 f arm export with a partial import to XenDesktop 7.1 Site
In this example, the migration occurs in a number of steps, each step migrating a subset of the remaining desktops. A
XenDesktop 4 farm is in use, and a XenDesktop 7.1 Site has already been created and is in use. T he XenDesktop 4 farm has
50 desktop groups, and each group contains an average 100 desktops. T he XenDesktop 4 desktops are provided through
Provisioning Services, and the machines are running on Citrix XenServer hypervisors. T he VDA installed on all the VMs is the
XenDesktop version 4.
Migration steps
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.314
1. Run the export tool on the XenDesktop 4 farm.
1. Unzip the Export T ool (XdExport) on one of the Desktop Delivery Controllers in the farm.
2. As a Citrix Administrator, run the export tool with no parameters.
2. Copy and edit the resulting XML file so that it contains only the groups and desktops that you want to migrate.
3. In the XenDesktop 4 farm, make sure that all users on desktops to be migrated have logged off and turn on
maintenance mode for all desktops that are to be migrated.
4. Unzip the Import T ool (XdImport) to a local directory on the XenDesktop 7.1 Delivery Controller.
5. Copy the edited XML to the local directory.
6. From the PowerShell console of the Studio root node on the XenDesktop 7.1 Site, start a PowerShell session.
7. Run the Import T ool (XdImport), passing the credentials of the associated hypervisors and the path of the XML file.
8. Manually recreate Administrator settingsf rom the Administrator node in the Studio navigation pane; see Delegated
Administration for details.
9. Modify the imported desktops to use registry-based Controller discovery; and point them to the new XenDesktop 7.1
Controller.
10. Upgrade all VDAs to the appropriate VDA software:
For Windows 7 VDAs:
Upgrade to XenDesktop 7 Virtual Delivery Agents as described in Upgrading the Virtual Desktop Agent on a VM or
Blade Computer
After upgrading all VDA software to XenDesktop 7 for machines in a catalog or Delivery Group, upgrade the
catalog (see Manage machine catalogs) and Delivery Groups (see Manage settings in Delivery Groups).
For Windows XP and Windows Vista VDAs, upgrade to XenDesktop 5.6 FP1; see Virtual Desktop Agents on Windows
XP or Windows Vista.
11. T urn off maintenance mode for the Delivery Groups.
12. Configure StoreFront to provide the desktops formerly provided through Web Interface. See the StoreFront
documentation.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.315
What is and is not migrated
May 28 , 20 16
What is migrated
Although not all inclusive, the following table describes what happens to the most significant data during migration to this
release. Unless noted, the data type is imported.
Data type
Notes
Desktop
Desktop Groups become Delivery Groups in this release. Desktop Group icons are not exported.
Groups
SecureIcaRequired is set to True if the DefaultEncryptionLevel in XenDesktop 4 is not Basic.
If a Desktop Group in the XenDesktop 4 farm has the same name as a Delivery Group in the
XenDesktop 7.x Site, you can add desktops belonging to the XenDesktop 4 group to a Delivery group
of the same name in the target Site.
To do this, specify the MergeDesktops parameter when you run the import tool. T he settings of the
XenDesktop 7.x Delivery Group are not overwritten with the settings of the XenDesktop 4 group. If
this parameter is not specified and there is a group with the same name as one defined in the XML file,
the tool displays an error and stops before any data is imported.
Desktops
You cannot add private desktops to a random Delivery Group. Random desktops cannot be added to a
static Delivery Group.
Machines
Machines are imported into four machine catalogs. T he following machine catalogs are automatically
created in the XenDesktop 7.x Site by the import tool:
Imported existing random (for pooled VMs)
Imported existing static (for assigned VMs)
Imported physical random (for pooled PCs or blades)
Imported physical static (for private PCs or blades).
Any subsequent import of machines uses the same four machine catalogs.
Pool
management
Includes multi-pool pools, and idle pool settings including schedule.
PeakBuffersizePercent is set to 10% by default.
OffPeakBufferSizePercent is set to 10% by default.
pools
Any unselected days in the Business days setting on XenDesktop 4 are imported as part of the
Weekend power time scheme in this release.
HostingXD4 action times are rounded up to the nearest minute.
Start times are rounded down to the nearest hour.
End times are rounded up to the nearest hour.
Farm settings
T he following farm settings are imported as a Machine policy:
IcaKeepAlive
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.316
Data type
AutoClientReconnect
Notes
SessionReliability
T he setting to enable Flash player is not imported.
Policies
Some policy data is imported. Filters, settings, and printers are imported as User policies. For further
details of user policy export and import, see the other table in this document.
New access policy rules are created from XenDesktop 4 group settings.
When policies are imported, their relative priority order is preserved. However, they are always added
with a higher priority than any existing policies on the XenDesktop 7.x Site.
Policy merging is not supported.
T here is no option to import policies into Active Directory. T hey are always stored in the Site.
User
assignments
Hypervisor
settings
T his parameter is required with the XdImport tool.
Hypervisor addresses are exported, but not the credentials required to access those hypervisors. To
create hypervisor connections in the XenDesktop 7.x Site, extract the addresses from the XML file
and create a PowerShell hash table that maps them to the relevant credential instances. T hen specify
this hash table in the import tool HypervisorConnectionCredentials parameter. For further details, see
Import XenDesktop 4 data
Merging or updating hypervisor settings for existing Desktop Groups and hypervisor connections is not
supported.
Administrators
(Not imported.) No administrator data is imported, including data about delegated administrators. You
create new administrators for your XenDesktop 7.x Site.
Licensing
(Not imported.) Includes information such as the License Server name and edition. License files are not
configuration
exported.
Desktop
(Not imported.) T his release does not support Desktop Group folders. If there are duplicate Desktop
Group folders
Group names (because different folders in the XenDesktop 4 farm contained groups with the same
names) and you do not edit names in the XML file, the Import Tool halts.
Registry keys
(Not imported.) For information on implementing registry keys, see Post-migration tasks.
User policy data
T he following table describes how User policy data is exported and imported.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.317
XenDesktop 4 category and
XML f ile
setting
XenDesktop 7.x category
and setting
Bandwidth\Visual Effects\Session
ClientOEMVCBandwidth
Not imported
DisableOEMVirtualChannels
Not imported
DoNotUseClientLocalT ime
Not imported
ClientSecurityRequirement
Not imported
LossyCompression settings
ICA\Visual Display\Still
Limits
OEM Virtual Channels
Client Devices\Resources\Other
Turn off OEM virtual channels
User Workspace\T ime Zones
Do not use client's local time
Security\Encryption
SecureICA encryption
Bandwidth\SpeedScreen
Images
Image acceleration using lossy
compression
Lossy compression level
Lossy compression threshold
value
Heavyweight compression
ICA\Visual Display\Moving
Images
Progressive compression
level
Progressive compression
threshold value
Bandwidth\Visual Effects
TurnOffWallpaper
Turn off desktop wallpaper
Bandwidth\Visual Effects
Menu animation
https://docs.citrix.com
ICA\Desktop UI
Desktop wallpaper
TurnOffMenuWindowAnimation
ICA\Desktop UI
Menu animation
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.318
Bandwidth\Visual Effects
XenDesktop 4 category and
setting
Turn off window contents while
DoNotShowWindowContentsWhileDragging
XML f ile
dragging
while dragging
Bandwidth\Visual Effects\Session
ClientAudioBandwidth__AllowedBandWidth
Limits
limit
Bandwidth\Visual Effects\Session
ClientClipboardBandwidth__AllowedBandWidth
Limits
ICA\Bandwidth
Clipboard redirection
Clipboard
bandwidth limit
Bandwidth\Visual Effects\Session
ClientComBandwidth__AllowedBandWidth
Limits
COM port redirection is
deprecated in XenDesktop
7.x
COM Ports
Bandwidth\Visual Effects\Session
ClientDriveBandwidth__AllowedBandWidth
Limits
ICA\Bandwidth
File redirection bandwidth
Drives
limit
Bandwidth\Visual Effects\Session
ClientLptBandwidth__AllowedBandWidth
Limits
LPT port redirection is
deprecated in XenDesktop
7.x
LPT Ports
Bandwidth\Visual Effects\Session
OverallBandwidth__AllowedBandWidth
Limits
ICA\Bandwidth
Overall session bandwidth
Overall Session
limit
Bandwidth\Visual Effects\Session
LimitPrinterBandWidth__AllowedBandWidth
Limits
ICA\Bandwidth
Printer redirection
Printer
Microphones
ICA\Bandwidth
Audio redirection bandwidth
Audio
Client Devices\Resources\Audio
ICA\Desktop UI
XenDesktop 7.x category
and setting
View window contents
bandwidth limit
ClientAudioMicrophone__TurnOn
ICA\Audio
Client microphone
redirection
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.319
Client Devices\Resources\Audio
XenDesktop 4 category and
setting
Sound Quality
ClientAudioQuality__Quality
XML f ile
ICA\Audio
XenDesktop 7.x category
and setting
Audio quality
Client Devices\Resources\Audio
DisableClientAudioMapping
ICA\Audio
Turn off speakers
Client audio redirection
Client Devices\Resources\Drives
ConnectClientDriveAtLogon__TurnOn
Connection
ICA\File Redirection
Auto connect drives
Client Devices\Resources\Drives
DisableClientDriveMapping__DisableFloppyDrive
Turn off Floppy disk drives
ICA\File Redirection
Client floppy drives
Client Devices\Resources\Drives
DisableClientDriveMapping__DisableHardDrive
Turn off Hard drives
ICA\File Redirection
Client fixed drives
Client Devices\Resources\Drives
DisableClientDriveMapping__DisableCdrom
Turn off CD-ROM drives
ICA\File Redirection
Client optical drives
Client Devices\Resources\Drives
DisableClientDriveMapping__DisableRemote
Turn off Remote drives
ICA\File Redirection
Client network drives
Client Devices\Resources\Drives
DisableClientDriveMapping__DisableUSB
Turn off USB disk drives
ICA\File Redirection
Client removable drives
Client
CDMAsyncWrites
Devices\Resources\Drives\Optimize
ICA\File Redirection
User asynchronous writes
Asynchronous writes
Client Devices\Resources\Other
DisableClientClipboardMapping
Turn off clipboard mapping
Client Devices\Resources\Ports
Client clipboard redirection
DisableClientCOMPortMapping
https://docs.citrix.com
COM port redirection is
deprecated in XenDesktop
Turn off COM ports
Client Devices\Resources\Ports
ICA
7.x
DisableClientLPT PortMapping
LPT port redirection is
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.320
Turn off LPT ports
XenDesktop 4 category and
setting
XML f ile
deprecated in XenDesktop
XenDesktop 7.x category
7.x
and setting
Client Devices\Resources\USB
RemoteUSBDevices__DisableRemoteUSBDevices
ICA\USB Devices
USB
Printing\Client Printers
Client USB device redirection
ConnectClientPrinterAtLogon__Flag
Auto-creation
Printing\Client Printers
Auto-create client printers
LegacyClientPrinters__TurnOn
Legacy client printers
Printing\Client Printers
ICA\Printing\Client Printers
Client printer names
ModifiedPrinterProperties__WriteMethod
Printer properties retention
Printing\Client Printers
ICA\Printing\Client Printers
ICA\Printing\Client Printers
Printer properties retention
ClientPrintingForNetworkPrinter__TurnOn
Print job routing
ICA\Printing\Client Printers
Direct connections to print
servers
Printing\Client Printers
DisableClientPrinterMapping
Turn off client printer mapping
Printing\Drivers
ICA\Printing
Client printer redirection
PrintDriverAutoInstall__TurnOn
Native printer driver auto-install
ICA\Printing\Drivers
Automatic installation of
inbox printer drivers
Printing\Drivers
ClientPrintDriverToUse
Universal driver
Printing\Session printers
ICA\Printing\Drivers
Universal print driver use
NetworkPrinters
Session printers
ICA\Printing
Session printers
Printing\Session printers
DefaultToMainClientPrinter__NetworkDefault
ICA\Printing
Choose client's default printer
DefaultToMainClientPrinter__TurnOn
Default printer
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.321
What is not migrated
Not all XenDesktop 4 components are supported in this release. T he following items are not migrated:
Virtual Delivery Agent - Before a XenDesktop 7.x Delivery Controller can manage virtual desktops from XenDesktop 4,
you must upgrade the VDAs to a minimum release of XenDesktop 5.x. For information about upgrading VDAs, see Postmigration tasks.
Controllers - You must deploy new Controller servers. You cannot upgrade a XenDesktop 4 Controller to a XenDesktop
7.x Site. XenDesktop 7.x Sites cannot join a XenDesktop 4 farm, and XenDesktop 4 Controllers cannot join a
XenDesktop 7.x Site. In addition, each version has different server requirements; XenDesktop 4 requires Windows Server
2003 and XenDesktop 7.x requires later Windows Server versions.
Web Interf ace - Citrix recommends using StoreFront with XenDesktop 7.x. See the StoreFront documentation for
installation and setup details. When the XenDesktop installer detects Web Interface, it installs StoreFront, but does not
remove Web Interface.
Active Directory Organizational Unit (OU) conf iguration - Sharing an Organizational Unit (OU) between two farms or
two Sites, or a farm and a Site is not supported. If you plan to configure the new Site to use Active Directory-based
Controller discovery rather than the default registry-based Controller discovery, you must create a new OU to support it.
PortICAConf ig XML f ile - If you have changed the default settings for this file you may need to configure these
settings for the new Site through Group Policy Objects.
Conf iguration logging settings provided through XenDesktop 4 Service Pack 1.
Provisioning Services-related data.
Applications.
List of Controllers.
NetScaler Gateway.
Event log throttling settings.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.322
Security
May 28 , 20 16
PDF
Getting Started with Citrix XenApp and XenDesktop Security
XenApp and XenDesktop offer a secure-by-design solution that allows you to tailor your environment to your security
needs.
One security concern IT faces with mobile workers is lost or stolen data. By hosting applications and desktops, XenApp and
XenDesktop securely separate sensitive data and intellectual property from end-point devices by keeping all data in a data
center. When policies are enabled to allow data transfer, all data is encrypted.
T he XenDesktop and XenApp data centers also make incident response easier with a centralized monitoring and
management service. Director allows IT to monitor and analyze data that is being accessed around the network, and
Studio allows IT to patch and remedy most vulnerabilities in the data center instead of fixing the problems locally on each
end-user device.
XenApp and XenDesktop also simplify audits and regulatory compliance because investigators can use a centralized audit
trail to determine who accessed what applications and data. Director gathers historical data regarding updates to the
system and user data usage by accessing Configuration Logging and OData API.
Delegated Administration allows you to set up administrator roles to control access to XenDesktop and XenApp at a
granular level. T his allows flexibility in your organization to give certain administrators full access to tasks, operations, and
scopes while other administrators have limited access.
XenApp and XenDesktop give administrators granular control over users by applying policies at different levels of the
network — from the local level to the Organizational Unit level. T his control of policies determines if a user, device, or
groups of users and devices can connect, print, copy/paste, or map local drives, which could minimize security concerns with
third-party contingency workers. Administrators can also use the Desktop Lock feature so end users can only use the virtual
desktop while preventing any access to the local operating system of the end-user device.
Administrators can increase security on XenApp or XenDesktop by configuring the Site to use the Secure Sockets Layer
(SSL) security protocol of the Controller or between end users and Virtual Delivery Agents (VDA). Transport Layer Security
(T LS) security protocol can also be enabled on a Site to provide server authentication, data stream encryption, and message
integrity checks for a TCP/IP connection.
XenApp and XenDesktop also support multifactor authentication for Windows or a specific application. Multifactor
authentication could also be used to manage all resources delivered by XenApp and XenDesktop. T hese methods include:
T okens
Smart cards
RADIUS
Kerberos
Biometrics
XenDesktop can be integrated with many third-party security solutions, ranging from identity management through to
antivirus software. A list of supported products can be found at http://www.citrix.com/ready.
Select releases of XenApp and XenDesktop are certified for Common Criteria standard. For a list of those standards, go to
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.323
http://www.commoncriteriaportal.org/cc/.
Related content
Security best practices and considerations
Delegated Administration
Smart cards
SSL
Desktop Lock
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.324
Security best practices and considerations
Jan 31, 20 17
T his document describes:
General security best practices when using this release, and any security-related differences between this release and a
conventional computer environment
Manage user accounts
Manage user privileges
Manage logon rights
Configure user rights
Configure service settings
Deployment scenarios and their security implications
Remote PC Access security considerations
Your organization may need to meet specific security standards to satisfy regulatory requirements. T his document does not
cover this subject, because such security standards change over time. For up-to-date information on security standards and
Citrix products, consult http://www.citrix.com/security/.
Security best practices
Keep all machines in your environment up to date with security patches. One advantage is that you can use thin clients as
terminals, which simplifies this task.
Protect all machines in your environment with antivirus software.
Protect all machines in your environment with perimeter firewalls, including at enclave boundaries as appropriate.
If you are migrating a conventional environment to this release, you may need to reposition an existing perimeter firewall or
add new perimeter firewalls. For example, suppose there is a perimeter firewall between a conventional client and database
server in the data center. When this release is used, that perimeter firewall must instead be placed so that the virtual
desktop and user device are on one side, and the database servers and Delivery Controllers in the data center are on the
other side. You should therefore consider creating an enclave within your data center to contain the database servers and
Controllers. You should also consider having protection between the user device and the virtual desktop.
All machines in your environment should be protected by a personal firewall. When you install core components and Virtual
Delivery Agents (VDAs), you can choose to have the ports required for component and feature communication opened
automatically if the Windows Firewall Service is detected (even if the firewall is not enabled). You can also choose to
configure those firewall ports manually. If you use a different firewall, you must configure the firewall manually.
Note: T CP ports 1494 and 2598 are used for ICA and CGP and are therefore likely to be open at firewalls so that users
outside the data center can access them. Citrix recommends that you do not use these ports for anything else, to avoid
the possibility of inadvertently leaving administrative interfaces open to attack. Ports 1494 and 2598 are officially
registered with the Internet Assigned Number Authority (see http://www.iana.org/).
All network communications should be appropriately secured and encrypted to match your security policy. You can secure
all communication between Microsoft Windows computers using IPSec; refer to your operating system documentation for
details about how to do this. In addition, communication between user devices and desktops is secured through Citrix
SecureICA, which is configured by default to 128-bit encryption. You can configure SecureICA when you are creating or
updating an assignment; see Change basic settings.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.325
Manage user accounts
If the option to install App-V publishing components is selected when installing a VDA, or if this feature is added later, the
local administrative account CtxAppVCOMAdmin is added to the VDA. If you use the App-V publishing feature, do not
modify this account. If you do not need to use the App-V publishing feature, do not select it at installation time. If you
later decide not to use the App-V publishing feature, you can disable or delete this account.
T his account is created with an initial password that is a strong password, compatible with all Group Policy settings for
password policy. You cannot change the password for this account.
Manage user privileges
Grant users only the capabilities they require. Microsoft Windows privileges continue to be applied to desktops in the usual
way: configure privileges through User Rights Assignment and group memberships through Group Policy. One advantage of
this release is that it is possible to grant a user administrative rights to a desktop without also granting physical control over
the computer on which the desktop is stored.
When planning for desktop privileges, note:
By default, when non-privileged users connect to a desktop, they see the time zone of the system running the desktop
instead of the time zone of their own user device. For information on how to allow users to see their local time when
using desktops, see Change basic settings.
A user who is an administrator on a desktop has full control over that desktop. If a desktop is a pooled desktop rather
than a dedicated desktop, the user must be trusted in respect of all other users of that desktop, including future users.
All users of the desktop need to be aware of the potential permanent risk to their data security posed by this situation.
T his consideration does not apply to dedicated desktops, which have only a single user; that user should not be an
administrator on any other desktop.
A user who is an administrator on a desktop can generally install software on that desktop, including potentially
malicious software. T he user can also potentially monitor or control traffic on any network connected to the desktop.
Some applications require desktop privileges, even though they are intended for users rather than for administrators. T hese
users may not be as aware of security risks.
T reat these applications as highly-sensitive applications, even if their data is not sensitive. Consider these approaches to
reduce security risk:
Enforce two-factor authentication and disable any single sign-on mechanism for the application
Enforce contextual access policies
Publish the application to a dedicated desktop. If the application must be published to a shared hosted desktop, do not
publish any other applications to that shared hosted desktop
Ensure the desktop privileges are only applied to that desktop, and not to other computers
Enable Session Recording for the application. Also enable other security logging capabilities in the application, and within
Windows itself.
Configure XenApp and XenDesktop to limit features used with the application (for example, clipboard, printer, client drive,
and USB redirection)
Enable any security features of the application. Limit it to match strictly the users' requirements - no more
Configure security features of Windows to match strictly the users' requirements. T his will be a simpler configuration if
only that single application is published to the desktop; for example, a restrictive AppLocker configuration can be used.
Control access to the file system.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.326
Plan to reconfigure, upgrade, or replace the application so that desktop privileges are not required in future
T hese approaches will not remove all security risk from applications that require desktop privileges.
Manage logon rights
Logon rights are required for both user accounts and computer accounts. As with Microsoft Windows privileges, logon
rights continue to be applied to desktops in the usual way: configure logon rights through User Rights Assignment and
group memberships through Group Policy.
T he Windows logon rights are: log on locally, log on through Remote Desktop Services, log on over the network (access this
computer from the network), log on as a batch job, and log on as a service.
For computer accounts, grant computers only the logon rights they require. T he logon right "Access this computer from the
network" is required:
At VDAs, for the computer accounts of Delivery Controllers
At Delivery Controllers, for the computer accounts of VDAs. See Active Directory OU-based Controller discovery.
At StoreFront servers, for the computer accounts of other servers in the same StoreFront server group
For user accounts, grant users only the logon rights they require.
According to Microsoft, by default the group Remote Desktop Users is granted the logon right "Allow log on through
Remote Desktop Services" (except on domain controllers).
Your organization's security policy may state explicitly that this group should be removed from that logon right. Consider
the following approach:
T he Virtual Delivery Agent (VDA) for Server OS uses Microsoft Remote Desktop Services. You can configure the Remote
Desktop Users group as a restricted group, and control membership of the group via Active Directory group policies.
Refer to Microsoft documentation for more information.
For other components of XenApp and XenDesktop, including the VDA for Desktop OS, the group Remote Desktop
Users is not required. So, for those components, the group Remote Desktop Users does not require the logon right
"Allow log on through Remote Desktop Services"; you can remove it. Additionally:
If you administer those computers via Remote Desktop Services, ensure that all such administrators are already
members of the Administrators group.
If you do not administer those computers via Remote Desktop Services, consider disabling Remote Desktop Services
itself on those computers.
Although it is possible to add users and groups to the login right "Deny logon through Remote Desktop Services", the use
of deny logon rights is not generally recommended. Refer to Microsoft documentation for more information.
Configure user rights
Delivery Controller installation creates the following Windows services:
Citrix AD Identity Service (NT SERVICE\CitrixADIdentityService): Manages Microsoft Active Directory computer accounts
for VMs.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.327
Citrix Analytics (NT SERVICE\CitrixAnalytics): Collects site configuration usage information for use by Citrix, if this
collection been approved by the site administrator. It then submits this information to Citrix, to help improve the
product.
Citrix App Library (NT SERVICE\CitrixAppLibrary): Supports management and provisioning of AppDisks, AppDNA
integration, and management of App-V.
Citrix Broker Service (NT SERVICE\CitrixBrokerService): Selects the virtual desktops or applications that are available to
users.
Citrix Configuration Logging Service (NT SERVICE\CitrixConfigurationLogging): Records all configuration changes and
other state changes made by administrators to the site.
Citrix Configuration Service (NT SERVICE\CitrixConfigurationService): Site-wide repository for shared configuration.
Citrix Delegated Administration Service (NT SERVICE\CitrixDelegatedAdmin): Manages the permissions granted to
administrators.
Citrix Environment T est Service (NT SERVICE\CitrixEnvT est): Manages self-tests of the other Delivery Controller services.
Citrix Host Service (NT SERVICE\CitrixHostService): Stores information about the hypervisor infrastructures used in a
XenApp or XenDesktop deployment, and also offers functionality used by the console to enumerate resources in a
hypervisor pool.
Citrix Machine Creation Service (NT SERVICE\CitrixMachineCreationService): Orchestrates the creation of desktop VMs.
Citrix Monitor Service (NT SERVICE\CitrixMonitor): Collects metrics for XenApp or XenDesktop, stores historical
information, and provides a query interface for troubleshooting and reporting tools.
Citrix Storefront Service (NT SERVICE\ CitrixStorefront): Supports management of StoreFront. (It is not part of the
StoreFront component itself.)
Citrix Storefront Privileged Administration Service (NT SERVICE\CitrixPrivilegedService): Supports privileged management
operations of StoreFront. (It is not part of the StoreFront component itself.)
Delivery Controller installation also creates the following Windows services. T hese are also created when installed with
other Citrix components:
Citrix Diagnostic Facility COM Server (NT SERVICE\CdfSvc): Supports the collection of diagnostic information for use by
Citrix Support.
Citrix T elemetry Service (NT SERVICE\CitrixT elemetryService): Collects diagnostic information for analysis by Citrix, such
that the analysis results and recommendations can be viewed by administrators to help diagnose issues with the site.
Except for the Citrix Storefront Privileged Administration Service, these services are granted the logon right Log on as a
service and the privileges Adjust memory quotas for a process, Generate security audits, and Replace a process level token.
You do not need to change these user rights. T hese privileges are not used by the Delivery Controller and are automatically
disabled.
Configure service settings
Except for the Citrix Storefront Privileged Administration service and the Citrix Telemetry Service, the Delivery Controller
Windows services listed above in the "Configure user rights" section are configured to log on as the NET WORK SERVICE
identity. Do not alter these service settings.
T he Citrix Storefront Privileged Administration service is configured to log on Local System (NT AUT HORIT Y\SYST EM). T his
is required for Delivery Controller StoreFront operations that are not normally available to services (including creating
Microsoft IIS sites). Do not alter its service settings.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.328
T he Citrix Telemetry Service is configured to log on as its own service-specific identity.
You can disable the Citrix Telemetry Service. Apart from this service, and services that are already disabled, do not disable
any other of these Delivery Controller Windows services.
Deployment scenario security implications
Your user environment can consist either of user devices that are unmanaged by your organization and completely under
the control of the user, or of user devices that are managed and administered by your organization. T he security
considerations for these two environments are generally different.
Managed user devices - Managed user devices are under administrative control; they are either under your own control,
or the control of another organization that you trust. You may configure and supply user devices directly to users;
alternatively, you may provide terminals on which a single desktop runs in full-screen-only mode. You should follow the
general security best practices described above for all managed user devices. T his release has the advantage that minimal
software is required on a user device.
A managed user device can be set up to be used in full-screen-only mode or in window mode:
If a user device is configured to be used in full-screen-only mode, users log on to it with the usual Log On T o Windows
screen. T he same user credentials are then used to log on automatically to this release.
If a user device is configured so that users see their desktop in a window, users first log on to the user device, then log
on to this release through a Web site supplied with the release.
Unmanaged user devices - User devices that are not managed and administered by a trusted organization cannot be
assumed to be under administrative control. For example, you might permit users to obtain and configure their own
devices, but users might not follow the general security best practices described above. T his release has the advantage
that it is possible to deliver desktops securely to unmanaged user devices. T hese devices should still have basic antivirus
protection that will defeat keylogger and similar input attacks.
Data storage considerations - When using this release, you can prevent users from storing data on user devices that
are under their physical control. However, you must still consider the implications of users storing data on desktops. It is
not good practice for users to store data on desktops; data should be held on file servers, database servers, or other
repositories where it can be appropriately protected.
Your desktop environment may consist of various types of desktops, such as pooled and dedicated desktops:
Users should never store data on desktops that are shared amongst users, such as pooled desktops.
If users store data on dedicated desktops, that data should be removed if the desktop is later made available to
other users.
Mixed-version environments Mixed-version environments are inevitable during some upgrades. Follow best-practice
and minimize the time that Citrix components of different versions co-exist.
In mixed-version environments security policy, for example, may not be uniformly enforced.
Note: T his is typical of other software products; the use of an earlier version of Active Directory only partially enforces
Group Policy with later versions of Windows.
T he following scenario describes a security issue that can occur in a specific mixed-version Citrix environment. When Citrix
Receiver 1.7 is used to connect to a virtual desktop running the Virtual Delivery Agent in XenApp and XenDesktop 7.6
Feature Pack 2, the policy "Allow file transfer between desktop and client" is enabled in the Site but cannot be disabled
by a Delivery Controller running XenApp and XenDesktop 7.1. It does not recognize the policy, which was released only in
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.329
the later version of the product. T his policy allows users to upload and download files to their virtual desktop – the
security issue. To work around this, upgrade the Delivery Controller, or a standalone instance of Studio, to Version 7.6
Feature Pack 2 and then use GP to disable the policy. Alternatively, use local policy on all affected virtual desktops.
Remote PC Access
Remote PC Access implements the following security features:
Smart card use is supported.
When a remote session connects, the office PC's monitor appears as blank.
Remote PC Access redirects all keyboard and mouse input to the remote session, except CT RL+ALT +DEL and USBenabled smart cards and biometric devices.
SmoothRoaming is supported for a single user only.
When a user has a remote session connected to an office PC, only that user can resume local access of the office PC.
T o resume local access, the user presses Ctrl-Alt-Del on the local PC and then logs on with the same credentials used by
the remote session. T he user can also resume local access by inserting a smart card or leveraging biometrics, if your
system has appropriate third-party Credential Provider integration.
T his default behavior can be overridden by enabling Fast User Switching via Group Policy Objects (GPOs) or by editing the
registry.
By default, Remote PC Access supports automatic assignment of multiple users to a VDA. In XenDesktop 5.6 Feature
Pack 1, administrators could override this behavior using the RemotePCAccess.ps1 PowerShell script. T his release uses a
registry entry to allow or prohibit multiple automatic remote PC assignments; this setting applies to the entire Site.
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating
system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk. Be sure to back up the registry before you edit it.
T o restrict automatic assignments to a single user:
1. Set the following registry entry on each Controller in the Site:
HKEY_LOCAL_MACHINE\Software\Citrix|DesktopServer
Name: AllowMultipleRemotePCAssignments
Type: REG_DWORD
Data: 0 = Disable multiple user assignment, 1 = (Default) Enable multiple user assignment.
2. If there are any existing user assignments, remove them using SDK commands for the VDA to subsequently be eligible
for a single automatic assignment.
1. Remove all assigned users from the VDA: $machine.AssociatedUserNames | %{ Remove-BrokerUser-Name $_ Machine $machine
2. Remove the VDA from the Delivery Group: $machine | Remove-BrokerMachine -DesktopGroup $desktopGroup
3. Restart the physical office PC.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.330
Delegated Administration
May 28 , 20 16
T he Delegated Administration model offers the flexibility to match how your organization wants to delegate
administration activities, using role and object-based control. Delegated Administration accommodates deployments of all
sizes, and allows you to configure more permission granularity as your deployment grows in complexity. Delegated
Administration uses three concepts: administrators, roles, and scopes.
Administrators — An administrator represents an individual person or a group of people identified by their Active
Directory account. Each administrator is associated with one or more role and scope pairs.
Roles — A role represents a job function, and has defined permissions associated with it. For example, the Delivery Group
Administrator role has permissions such as 'Create Delivery Group' and 'Remove Desktop from Delivery Group.' An
administrator can have multiple roles for a Site, so a person could be a Delivery Group Administrator and a Machine
Catalog Administrator. Roles can be built-in or custom.
T he built-in roles are:
Role
Permissions
Full
Can perform all tasks and operations. A Full Administrator is always combined with the All scope.
Administrator
Read Only
Can see all objects in specified scopes as well as global information, but cannot change anything. For
Administrator
example, a Read Only Administrator with Scope=London can see all global objects (such as
Configuration Logging) and any London-scoped objects (for example, London Delivery Groups).
However, that administrator cannot see objects in the New York scope (assuming that the London
and New York scopes do not overlap).
Help Desk
Can view Delivery Groups, and manage the sessions and machines associated with those groups. Can
Administrator
see the Machine Catalog and host information for the Delivery Groups being monitored, and can
also perform session management and machine power management operations for the machines in
those Delivery Groups.
Machine
Can create and manage Machine Catalogs and provision the machines into them. Can build Machine
Catalog
Catalogs from the virtualization infrastructure, Provisioning Services, and physical machines. T his role
Administrator
can manage base images and install software, but cannot assign applications or desktops to users.
Delivery
Can deliver applications, desktops, and machines; can also manage the associated sessions. Can also
Group
manage application and desktop configurations such as policies and power management settings.
Administrator
Host
Can manage host connections and their associated resource settings. Cannot deliver machines,
Administrator
applications, or desktops to users.
In certain product editions, you can create custom roles to match the requirements of your organization, and delegate
permissions with more detail. You can use custom roles to allocate permissions at the granularity of an action or task in a
console.
Scopes — A scope represents a collection of objects. Scopes are used to group objects in a way that is relevant to your
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.331
organization (for example, the set of Delivery Groups used by the Sales team). Objects can be in more than one scope;
you can think of objects being labeled with one or more scopes. T here is one built-in scope: 'All,' which contains all
objects. T he Full Administrator role is always paired with the All scope.
Example
Company XYZ decided to manage applications and desktops based on their department (Accounts, Sales, and Warehouse)
and their desktop operating system (Windows 7 or Windows 8). T he administrator created five scopes, then labeled each
Delivery Group with two scopes: one for the department where they are used and one for the operating system they use.
T he following administrators were created:
Administrator
Roles
Scopes
domain/fred
Full Administrator
All (the Full Administrator role always has the All scope)
domain/rob
Read Only Administrator
All
domain/heidi
Read Only Administrator
All
Help Desk Administrator
Sales
domain/warehouseadmin
Help Desk Administrator
Warehouse
domain/peter
Delivery Group Administrator
Win7
Machine Catalog Administrator
Fred is a Full Administrator and can view, edit, and delete all objects in the system.
Rob can view all objects in the Site but cannot edit or delete them.
Heidi can view all objects and can perform help desk tasks on Delivery Groups in the Sales scope. T his allows her to
manage the sessions and machines associated with those groups; she cannot make changes to the Delivery Group, such
as adding or removing machines.
Anyone who is a member of the warehouseadmin Active Directory security group can view and perform help desk tasks
on machines in the Warehouse scope.
Peter is a Windows 7 specialist and can manage all Windows 7 Machine Catalogs and can deliver Windows 7
applications, desktops, and machines, regardless of which department scope they are in. T he administrator considered
making Peter a Full Administrator for the Win7 scope; however, she decided against this, because a Full Administrator
also has full rights over all objects that are not scoped, such as 'Site' and 'Administrator.'
How to use Delegated Administration
Generally, the number of administrators and the granularity of their permissions depends on the size and complexity of the
deployment.
In small or proof-of-concept deployments, one or a few administrators do everything; there is no delegation. In this case,
create each administrator with the built-in Full Administrator role, which has the All scope.
In larger deployments with more machines, applications, and desktops, more delegation is needed. Several administrators
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.332
might have more specific functional responsibilities (roles). For example, two are Full Administrators, and others are Help
Desk Administrators. Additionally, an administrator might manage only certain groups of objects (scopes), such as
machine catalogs. In this case, create new scopes, plus administrators with one of the built-in roles and the appropriate
scopes.
Even larger deployments might require more (or more specific) scopes, plus different administrators with unconventional
roles. In this case, edit or create additional scopes, create custom roles, and create each administrator with a built-in or
custom role, plus existing and new scopes.
For flexibility and ease of configuration, you can create new scopes when you create an administrator. You can also specify
scopes when creating or editing Machine Catalogs or connections.
Create and manage administrators
When you create a Site as a local administrator, your user account automatically becomes a Full Administrator with full
permissions over all objects. After a Site is created, local administrators have no special privileges.
T he Full Administrator role always has the All scope; you cannot change this.
By default, an administrator is enabled. Disabling an administrator might be necessary if you are creating the new
administrator now, but that person will not begin administration duties until later. For existing enabled administrators, you
might want to disable several of them while you are reorganizing your object/scopes, then re-enable them when you are
ready to go live with the updated configuration. You cannot disable a Full Administrator if it will result in there being no
enabled Full Administrator. T he enable/disable check box is available when you create, copy, or edit an administrator.
When you delete a role/scope pair while copying, editing, or deleting an administrator, it deletes only the relationship
between the role and the scope for that administrator; it does not delete either the role or the scope, nor does it affect
any other administrator who is configured with that role/scope pair.
T o manage administrators, click Configuration > Administrators in the Studio navigation pane, and then click the
Administrators tab in the upper middle pane.
T o create an administrator, click Create new Administrator in the Actions pane. T ype or browse to the user account
name, select or create a scope, and select a role. T he new administrator is enabled by default; you can change this.
T o copy an administrator, select the administrator in the middle pane and then click Copy Administrator in the Actions
pane. T ype or browse to the user account name. You can select and then edit or delete any of the role/scope pairs, and
add new ones. T he new administrator is enabled by default; you can change this.
T o edit an administrator, select the administrator in the middle pane and then click Edit Administrator in the Actions
pane. You can edit or delete any of the role/scope pairs, and add new ones.
T o delete an administrator, select the administrator in the middle pane and then click Delete Administrator in the Actions
pane. You cannot delete a Full Administrator if it will result in there being no enabled Full Administrator.
Create and manage roles
Role names can contain up to 64 Unicode characters; they cannot contain the following characters: \ (backslash), /
(forward slash), ; (semicolon), : (colon), # (pound sign) , (comma), * (asterisk), ? (question mark), = (equal sign), < (left arrow), >
(right arrow), | (pipe), [ ] (left or right bracket), ( ) (left or right parenthesis), " (quotation marks), and ' (apostrophe).
Descriptions can contain up to 256 Unicode characters.
You cannot edit or delete a built-in role. You cannot delete a custom role if any administrator is using it.
Note: Only certain product editions support custom roles. Editions that do not support custom roles do not have related
entries in the Actions pane.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.333
T o manage roles, click Configuration > Administrators in the Studio navigation pane, and then click the Roles tab in the
upper middle pane.
T o view role details, select the role in the middle pane. T he lower portion of the middle pane lists the object types and
associated permissions for the role. Click the Administrators tab in the lower pane to display a list of administrators who
currently have this role.
T o create a custom role, click Create new Role in the Actions pane. Enter a name and description. Select the object
types and permissions.
T o copy a role, select the role in the middle pane and then click Copy Role in the Actions pane. Change the name,
description, object types, and permissions, as needed.
T o edit a custom role, select the role in the middle pane and then click Edit Role in the Actions pane. Change the name,
description, object types, and permissions, as needed.
T o delete a custom role, select the role in the middle pane and then click Delete Role in the Actions pane. When
prompted, confirm the deletion.
Create and manage scopes
When you create a Site, the only available scope is the 'All' scope, which cannot be deleted.
You can create scopes using the procedure below. You can also create scopes when you create an administrator; each
administrator must be associated with at least one role and scope pair. When you are creating or editing desktops, machine
catalogs, applications, or hosts, you can add them to an existing scope; if you do not add them to a scope, they remain part
of the 'All' scope.
Site creation cannot be scoped, nor can Delegated Administration objects (scopes and roles). However, objects you cannot
scope are included in the 'All' scope. (Full Administrators always have the All scope.) Machines, power actions, desktops, and
sessions are not directly scoped; administrators can be allocated permissions over these objects through the associated
machine catalogs or Delivery Groups.
Scope names can contain up to 64 Unicode characters; they cannot include the following characters: \ (backslash), /
(forward slash), ; (semicolon), : (colon), # (pound sign) , (comma), * (asterisk), ? (question mark), = (equal sign), < (left arrow), >
(right arrow), | (pipe), [ ] (left or right bracket), ( ) (left or right parenthesis), " (quotation marks), and ' (apostrophe).
Descriptions can contain up to 256 Unicode characters.
When you copy or edit a scope, keep in mind that removing objects from the scope can make those objects inaccessible to
the administrator. If the edited scope is paired with one or more roles, ensure that the scope updates you make do not
make any role/scope pair unusable.
T o manage scopes, click Configuration > Administrators in the Studio navigation pane, and then click the Scopes tab in the
upper middle pane.
T o create a scope, click Create new Scope in the Actions pane. Enter a name and description. T o include all objects of a
particular type (for example, Delivery Groups), select the object type. T o include specific objects, expand the type and
then select individual objects (for example, Delivery Groups used by the Sales team).
T o copy a scope, select the scope in the middle pane and then click Copy Scope in the Actions pane. Enter a name and
description. Change the object types and objects, as needed.
T o edit a scope, select the scope in the middle pane and then click Edit Scope in the Actions pane. Change the name,
description, object types, and objects, as needed.
T o delete a scope, select the scope in the middle pane and then click Delete Scope in the Actions pane. When prompted,
confirm the deletion.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.334
Create reports
You can create two types of Delegated Administration reports:
An HT ML report that lists the role/scope pairs associated with an administrator, plus the individual permissions for each
type of object (for example, Delivery Groups and Machine Catalogs). You generate this report from Studio.
To create this report, click Configuration > Administrators in the navigation pane. Select an administrator in the middle
pane and then click Create Report in the Actions pane.
You can also request this report when creating, copying, or editing an administrator.
An HT ML or CSV report that maps all built-in and custom roles to permissions. You generate this report by running a
PowerShell script named OutputPermissionMapping.ps1.
To run this script, you must be a Full Administrator, a Read Only Administrator, or a custom administrator with permission
to read roles. T he script is located in: Program
Files\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts\.
Syntax:
OutputPermissionMapping.ps1 [-Help] [-Csv] [-Path <string>] [-AdminAddress <string>] [-Show] [<CommonParameters>]
Parameter
Description
-Help
Displays script help.
-Csv
Specifies CSV output. Default = HT ML
-Path <string>
Where to write the output. Default = stdout
-AdminAddress
IP address or host name of the Delivery Controller to connect to. Default = localhost
<string>
-Show
(Valid only when the -Path parameter is also specified) When you write the output to a file,
-Show causes the output to be opened in an appropriate program, such as a web browser.
<CommonParameters>
Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer,
and OutVariable. For details, see the Microsoft documentation.
T he following example writes an HT ML table to a file named Roles.html and opens the table in a web browser.
& "$env:ProgramFiles\Citrix\DelegatedAdmin\SnapIn\
Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1"
-Path Roles.html –Show
T he following example writes a CSV table to a file named Roles.csv. T he table is not displayed.
& "$env:ProgramFiles\Citrix\DelegatedAdmin\SnapIn\
Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1"
–CSV -Path Roles.csv
From a Windows command prompt, the preceding example command is:
powershell -command "& '%ProgramFiles%\Citrix\DelegatedAdmin\SnapIn\
Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1'
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.335
-CSV -Path Roles.csv"
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.336
Smart cards
Aug 29, 20 16
Smart cards and equivalent technologies are supported within the guidelines described in this article. To use smart cards
with XenApp or XenDesktop:
Understand your organization’s security policy concerning the use of smart cards. T hese policies might, for example,
state how smart cards are issued and how users should safeguard them. Some aspects of these policies might need to
be reassessed in a XenApp or XenDesktop environment.
Determine which user device types, operating systems, and published applications are to be used with smart cards.
Familiarize yourself with smart card technology and your selected smart card vendor hardware and software.
Know how to deploy digital certificates in a distributed environment.
Types of smart cards
Enterprise and consumer smart cards have the same dimensions, electrical connectors, and fit the same smart card readers.
Smart cards for enterprise use contain digital certificates. T hese smart cards support Windows logon, and can also be used
with applications for digital signing and encryption of documents and e-mail. XenApp and XenDesktop support these uses.
Smart cards for consumer use do not contain digital certificates; they contain a shared secret. T hese smart cards can
support payments (such as a chip-and-signature or chip-and-PIN credit card). T hey do not support Windows logon or typical
Windows applications. Specialized Windows applications and a suitable software infrastructure (including, for example, a
connection to a payment card network) are needed for use with these smart cards. Contact your Citrix representative for
information on supporting these specialized applications on XenApp or XenDesktop.
For enterprise smart cards, there are compatible equivalents that can be used in a similar way.
A smart card-equivalent USB token connects directly to a USB port. T hese USB tokens are usually the size of a USB flash
drive, but can be as small as a SIM card used in a mobile phone. T hey appear as the combination of a smart card plus a
USB smart card reader.
A virtual smart card using a Windows T rusted Platform Module (T PM) appears as a smart card. T hese virtual smart cards
are supported for Windows 8 and Windows 10, using Citrix Receiver minimum 4.3.
Versions of XenApp and XenDesktop earlier than 7.6 FP3 do not support virtual smart cards.
For more information on virtual smart cards, see Virtual Smart Card Overview.
Note: T he term “virtual smart card” is also used to describe a digital certificate simply stored on the user
computer. T hese digital certificates are not strictly equivalent to smart cards.
XenApp and XenDesktop smart card support is based on the Microsoft Personal Computer/Smart Card (PC/SC) standard
specifications. A minimum requirement is that smart cards and smart card devices must be supported by the underlying
Windows operating system and must be approved by the Microsoft Windows Hardware Quality Labs (WHQL) to be used
on computers running qualifying Windows operating systems. See the Microsoft documentation for additional information
about hardware PC/SC compliance. Other types of user devices may comply with the PS/SC standard. For more
information, refer to the Citrix Ready program athttp://www.citrix.com/ready/.
Usually, a separate device driver is needed for each vendor’s smart card or equivalent. However, if smart cards conform to a
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.337
standard such as the NIST Personal Identity Verification (PIV) standard, it may be possible to use a single device driver for a
range of smart cards. T he device driver must be installed on both the user device and the Virtual Delivery Agent (VDA). T he
device driver is often supplied as part of a smart card middleware package available from a Citrix partner; the smart card
middleware package will offer advanced features. T he device driver may also be described as a Cryptographic Service
Provider (CSP), Key Storage Provider (KSP), or minidriver.
T he following smart card and middleware combinations for Windows systems have been tested by Citrix as representative
examples of their type. However, other smart cards and middleware can also be used. For more information about Citrixcompatible smart cards and middleware, see http://www.citrix.com/ready.
Middleware
Matching cards
ActivClient 7.0 (DoD mode enabled)
DoD CAC card
ActivClient 7.0 in PIV mode
NIST PIV card
Microsoft mini driver
NIST PIV card
GemAlto Mini Driver for .NET card
GemAlto .NET v2+
Microsoft native driver
Virtual Smart Cards (T PM)
For information about smart card usage with other types of devices, see the Citrix Receiver documentation for that device.
Remote PC Access
Smart cards are supported only for remote access to physical office PCs running Windows 10, Windows 8 or Windows 7;
smart cards are not supported for office PCs running Windows XP.
T he following smart cards were tested with Remote PC Access:
Middleware
Matching cards
Gemalto .NET minidriver
Gemalto .NET v2+
ActivIdentity ActivClient 6.2
NIST PIV
ActivIdentity ActivClient 6.2
CAC
Microsoft minidriver
NIST PIV
Microsoft native driver
Virtual smart cards
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.338
Types of smart card readers
A smart card reader may be built in to the user device, or be separately attached to the user device (usually via USB or
Bluetooth). Contact card readers that comply with the USB Chip/Smart Card Interface Devices (CCID) specification are
supported. T hey contain a slot or swipe into which the user inserts the smart card. T he Deutsche Kreditwirtschaft
(DK) standard defines four classes of contact card readers.
Class 1 smart card readers are the most common, and usually just contain a slot. Class 1 smart card readers are supported,
usually with a standard CCID device driver supplied with the operating system.
Class 2 smart card readers also contain a secure keypad that cannot be accessed by the user device. Class 2 smart card
readers may be built into a keyboard with an integrated secure keypad. For class 2 smart card readers, contact your Citrix
representative; a reader-specific device driver may be required to enable the secure keypad capability.
Class 3 smart card readers also contain a secure display. Class 3 smart card readers are not supported.
Class 4 smart card readers also contain a secure transaction module. Class 4 smart card readers are not supported.
Note: T he smart card reader class is unrelated to the USB device class.
Smart card readers must be installed with a corresponding device driver on the user device.
User experience
Smart card support is integrated into XenApp and XenDesktop, using a specific ICA/HDX smart card virtual channel that is
enabled by default.
Important: Do not use generic USB redirection for smart card readers. T his is disabled by default for smart card readers,
and is not supported if enabled.
Multiple smart cards and multiple readers can be used on the same user device, but if pass-through authentication is in use,
only one smart card must be inserted when the user starts a virtual desktop or application. When a smart card is used within
an application (for example, for digital signing or encryption functions), there might be additional prompts to insert a smart
card or enter a PIN. T his can occur if more than one smart card has been inserted at the same time.
If users are prompted to insert a smart card when the smart card is already in the reader, they should select Cancel.
If users are prompted for the PIN, they should enter the PIN again.
If you are using hosted applications running on Windows Server 2008 or 2008 R2 and with smart cards requiring the
Microsoft Base Smart Card Cryptographic Service Provider, you might find that if a user runs a smart card transaction, all
other users who use a smart card in the logon process are blocked. For further details and a hotfix for this issue,
see http://support.microsoft.com/kb/949538.
You can reset PINs using a card management system or vendor utility.
Before deploying smart cards
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.339
Obtain a device driver for the smart card reader and install it on the user device. Many smart card readers can use the
CCID device driver supplied by Microsoft.
Obtain a device driver and cryptographic service provider (CSP) software from your smart card vendor, and install them on
both user devices and virtual desktops. T he driver and CSP software must be compatible with XenApp and XenDesktop;
check the vendor documentation for compatibility. For virtual desktops using smart cards that support and use the
minidriver model, smart card minidrivers should download automatically, but you can obtain them
from http://catalog.update.microsoft.com or from your vendor. Additionally, if PKCS#11 middleware is required, obtain it
from the card vendor.
Important: Citrix recommends that you install and test the drivers and CSP software on a physical computer before
installing Citrix software.
Add the Citrix Receiver for Web URL to the T rusted Sites list for users who work with smart cards in Internet Explorer
with Windows 10. In Windows 10, Internet Explorer does not run in protected mode by default for trusted sites.
Ensure that your public key infrastructure (PKI) is configured appropriately. T his includes ensuring that certificate-toaccount mapping is correctly configured for Active Directory environment and that user certificate validation can be
performed successfully.
Ensure your deployment meets the system requirements of the other Citrix components used with smart cards, including
Citrix Receiver and StoreFront.
Ensure access to the following servers in your Site:
T he Active Directory domain controller for the user account that is associated with a logon certificate on the smart
card
Delivery Controller
Citrix StoreFront
Citrix NetScaler Gateway/Citrix Access Gateway 10.x
VDA
(Optional for Remote PC Access): Microsoft Exchange Server
Enable smart card use
Step 1. Issue smart cards to users according to your card issuance policy.
Step 2. (Optional) Set up the smart cards to enable users for Remote PC Access.
Step 3. Install and configure the Delivery Controller and StoreFront (if not already installed) for smart card remoting.
Step 4 . Enable StoreFront for smart card use. For details, see Configure smart card authentication in
the StoreFront documentation.
Step 5. Enable NetScaler Gateway/Access Gateway for smart card use. For details, see Configuring Authentication and
Authorization and Configuring Smart Card Access with the Web Interface in the NetScaler documentation.
Step 6. Enable VDAs for smart card use.
Ensure the VDA has the required applications and updates.
Install the middleware.
Set up smart card remoting, enabling the communication of smart card data between Citrix Receiver on a user device
and a virtual desktop session.
Step 7. Enable user devices (including domain-joined or non-domain-joined machines) for smart card use. See Configure
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.340
smart card authentication in the StoreFront documentation for details.
Import the certificate authority root certificate and the issuing certificate authority certificate into the
device's keystore.
Install your vendor's smart card middleware.
Install and configure Citrix Receiver for Windows, being sure to import icaclient.adm using the Group Policy Management
Console and enable smart card authentication.
Step 8. Test the deployment. Ensure that the deployment is configured correctly by launching a virtual desktop with a test
user's smart card. Test all possible access mechanisms (for example, accessing the desktop through Internet Explorer and
Citrix Receiver).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.341
Smart card deployments
May 28 , 20 16
T he following types of smart card deployments are supported by this product version and by mixed environments
containing this version. Other configurations might work but are not supported.
Type
StoreFront connectivity
Local domain-joined computers
Directly connected
Remote access from domain-joined computers
Connected through NetScaler
Gateway
Non-domain-joined computers
Directly connected
Remote access from non-domain-joined computers
Connected through NetScaler
Gateway
Non-domain-joined computers and thin clients accessing the Desktop Appliance
site
Connected through Desktop
Appliance sites
Domain-joined computers and thin clients accessing StoreFront through the
XenApp Services URL
Connected through XenApp
Services URLs
T he deployment types are defined by the characteristics of the user device to which the smart card reader is connected:
Whether the device is domain-joined or non-domain-joined.
How the device is connected to StoreFront.
What software is used to view virtual desktops and applications.
In addition, smart card-enabled applications such as Microsoft Word, and Microsoft Excel can be used in these
deployments. T hose applications allow users to digitally sign or encrypt documents.
Bimodal authentication
Where possible in each of these deployments, Receiver supports bimodal authentication by offering the user a choice
between using a smart card and entering their user name and password. T his is useful if the smart card cannot be used (for
example, the user has left it at home or the logon certificate has expired).
Because users of non-domain-joined devices log on to Receiver for Windows directly, you can enable users to fall back to
explicit authentication. If you configure bimodal authentication, users are initially prompted to log on using their smart
cards and PINs but have the option to select explicit authentication if they experience any issues with their smart cards.
If you deploy NetScaler Gateway, users log on to their devices and are prompted by Receiver for Windows to authenticate
to NetScaler Gateway. T his applies to both domain-joined and non-domain-joined devices. Users can log on to NetScaler
Gateway using either their smart cards and PINs, or with explicit credentials. T his enables you to provide users with bimodal
authentication for NetScaler Gateway logons. Configure pass-through authentication from NetScaler Gateway to
StoreFront and delegate credential validation to NetScaler Gateway for smart card users so that users are silently
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.342
authenticated to StoreFront.
Multiple Active Directory f orest considerations
In a Citrix environment, smart cards are supported within a single forest. Smart card logons across forests require a direct
two-way forest trust to all user accounts. More complex multi-forest deployments involving smart cards (that is, where
trusts are only one-way or of different types) are not supported.
You can use smart cards in a Citrix environment that includes remote desktops. T his feature can be installed locally (on the
user device that the smart card is connected to) or remotely (on the remote desktop that the user device connects to).
Smart card removal policy
T he smart card removal policy set on the product determines what happens if you remove the smart card from the reader
during a session. T he smart card removal policy is configured through and handled by the Windows operating system.
Policy setting
Desktop behavior
No action
No action.
Lock workstation
T he desktop session is disconnected and the virtual desktop is locked.
Force logoff
T he user is forced to log off. If the network connection is lost and this setting is
enabled, the session may be logged off and the user may lose data.
Disconnect if a remote
T he session is disconnected and the virtual desktop is locked.
Terminal Services session
Certificate revocation checking
If certificate revocation checking is enabled and a user inserts a smart card with an invalid certificate into a card reader, the
user cannot authenticate or access the desktop or application related to the certificate. For example, if the invalid
certificate is used for email decryption, the email remains encrypted. If other certificates on the card, such as ones used for
authentication, are still valid, those functions remain active.
Deployment example: domain-joined computers
T his deployment involves domain-joined user devices that run the Desktop Viewer and connect directly to StoreFront.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.343
A user logs on to a device using a smart card and PIN. Receiver authenticates the user to a Storefront server using
Integrated Windows Authentication (IWA). StoreFront passes the user security identifiers (SIDs) to XenApp or XenDesktop.
When the user starts a virtual desktop or application, the user is not prompted for a PIN again because the single sign-on
feature is configured on Receiver.
T his deployment can be extended to a double-hop with the addition of a second StoreFront server and a server hosting
applications. A Receiver from the virtual desktop authenticates to the second StoreFront server. Any authentication
method can be used for this second connection. T he configuration shown for the first hop can be reused in the second
hop or used in the second hop only.
Deployment example: remote access f rom domain-joined computers
T his deployment involves domain-joined user devices that run the Desktop Viewer and connect to StoreFront through
NetScaler Gateway/Access Gateway.
A user logs on to a device using a smart card and PIN, and then logs on again to NetScaler Gateway/Access Gateway. T his
second logon can be with either the smart card and PIN or a user name and password because Receiver allows bimodal
authentication in this deployment.
T he user is automatically logged on to StoreFront, which passes the user security identifiers (SIDs) to XenApp or
XenDesktop. When the user starts a virtual desktop or application, the user is not prompted again for a PIN because the
single sign-on feature is configured on Receiver.
T his deployment can be extended to a double-hop with the addition of a second StoreFront server and a server hosting
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.344
applications. A Receiver from the virtual desktop authenticates to the second StoreFront server. Any authentication
method can be used for this second connection. T he configuration shown for the first hop can be reused in the second
hop or used in the second hop only.
Deployment example: non-domain-joined computers
T his deployment involves non-domain-joined user devices that run the Desktop Viewer and connect directly to StoreFront.
A user logs on to a device. Typically, the user enters a user name and password but, since the device is not joined to a
domain, credentials for this logon are optional. Because bimodal authentication is possible in this deployment, Receiver
prompts the user either for a smart card and PIN or a user name and password. Receiver then authenticates to Storefront.
StoreFront passes the user security identifiers (SIDs) to XenApp or XenDesktop. When the user starts a virtual desktop or
application, the user is prompted for a PIN again because the single sign-on feature is not available in this deployment.
T his deployment can be extended to a double-hop with the addition of a second StoreFront server and a server hosting
applications. A Receiver from the virtual desktop authenticates to the second StoreFront server. Any authentication
method can be used for this second connection. T he configuration shown for the first hop can be reused in the second
hop or used in the second hop only.
Deployment example: remote access f rom non-domain-joined computers
T his deployment involves non-domain-joined user devices that run the Desktop Viewer and connect directly to StoreFront.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.345
A user logs on to a device. Typically, the user enters a user name and password but, since the device is not joined to a
domain, credentials for this logon are optional. Because bimodal authentication is possible in this deployment, Receiver
prompts the user either for a smart card and PIN or a user name and password. Receiver then authenticates to Storefront.
StoreFront passes the user security identifiers (SIDs) to XenApp or XenDesktop. When the user starts a virtual desktop or
application, the user is prompted for a PIN again because the single sign-on feature is not available in this deployment.
T his deployment can be extended to a double-hop with the addition of a second StoreFront server and a server hosting
applications. A Receiver from the virtual desktop authenticates to the second StoreFront server. Any authentication
method can be used for this second connection. T he configuration shown for the first hop can be reused in the second
hop or used in the second hop only.
Deployment example: non-domain-joined computers and thin clients accessing the Desktop Appliance site
T his deployment involves non-domain-joined user devices that may run the Desktop Lock and connect to StoreFront
through Desktop Appliance sites.
T he Desktop Lock is a separate component that is released with XenApp, XenDesktop, and VDI-in-a-Box. It is an
alternative to the Desktop Viewer and is designed mainly for repurposed Windows computers and Windows thin clients.
T he Desktop Lock replaces the Windows shell and Task Manager in these user devices, preventing users from accessing the
underlying devices. With the Desktop Lock, users can access Windows Server Machine desktops and Windows Desktop
Machine desktops. Installation of Desktop Lock is optional.
A user logs on to a device with a smart card. If Desktop Lock is running on the device, the device is configured to launch a
Desktop Appliance site through Internet Explorer running in Kiosk Mode. An ActiveX control on the site prompts the user
for a PIN, and sends it to StoreFront. StoreFront passes the user security identifiers (SIDs) to XenApp or XenDesktop. T he
first available desktop in the alphabetical list in an assigned Desktop Group starts.
T his deployment can be extended to a double-hop with the addition of a second StoreFront server and a server hosting
applications. A Receiver from the virtual desktop authenticates to the second StoreFront server. Any authentication
method can be used for this second connection. T he configuration shown for the first hop can be reused in the second
hop or used in the second hop only.
Deployment example: domain-joined computers and thin clients accessing StoreFront through the XenApp
Services URL
T his deployment involves domain-joined user devices that run the Desktop Lock and connect to StoreFront through
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.346
XenApp Services URLs.
T he Desktop Lock is a separate component that is released with XenApp, XenDesktop, and VDI-in-a-Box. It is an
alternative to the Desktop Viewer and is designed mainly for repurposed Windows computers and Windows thin clients.
T he Desktop Lock replaces the Windows shell and Task Manager in these user devices, preventing users from accessing the
underlying devices. With the Desktop Lock, users can access Windows Server Machine desktops and Windows Desktop
Machine desktops. Installation of Desktop Lock is optional.
A user logs on to a device using a smart card and PIN. If Desktop Lock is running on the device, it authenticates the user to
a Storefront server using Integrated Windows Authentication (IWA). StoreFront passes the user security identifiers (SIDs) to
XenApp or XenDesktop. When the user starts a virtual desktop, the user is not prompted for a PIN again because the single
sign-on feature is configured on Receiver.
T his deployment can be extended to a double-hop with the addition of a second StoreFront server and a server hosting
applications. A Receiver from the virtual desktop authenticates to the second StoreFront server. Any authentication
method can be used for this second connection. T he configuration shown for the first hop can be reused in the second
hop or used in the second hop only.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.347
Pass-through authentication and single sign-on with
smart cards
Aug 30 , 20 17
Pass-through authentication
Pass-through authentication with smart cards to virtual desktops is supported on user devices running Windows 10, and
Windows 8 and Windows 7 SP1 Enterprise and Professional Editions.
Pass-through authentication with smart cards to hosted applications is supported on servers running Windows Server 2008
and Windows Server 2012.
To use pass-through authentication with smart cards hosted applications, ensure you enable the use of Kerberos when you
configure Pass-through with smartcard as the authentication method for the site.
Note: T he availability of pass-through authentication with smart cards depends on many factors including, but not limited
to:
Your organization's security policies regarding pass-through authentication.
Middleware type and configuration.
Smart card reader types.
Middleware PIN caching policy.
Pass-through authentication with smart cards is configured on Citrix StoreFront. See the StoreFront documentation for
details.
Single sign-on
Single sign-on is a Citrix feature that implements pass-through authentication with virtual desktop and application
launches. You can use this feature in domain-joined, direct-to-StoreFront and domain-joined, NetScaler-to-StoreFront
smart card deployments to reduce the number of times that users enter their PIN. To use single sign-on in these
deployment types, edit the following parameters in the default.ica file, which is located on the StoreFront server:
Domain-joined, direct-to-StoreFront smart card deployments — Set DisableCtrlAltDel to Off
Domain-joined, NetScaler-to-StoreFront smart card deployments — Set UseLocalUserAndPassword to On
For more instructions on setting these parameters, see the StoreFront or NetScaler Gateway documentation.
T he availability of single sign-on functionality depends on many factors including, but not limited to:
Your organization's security policies regarding single sign-on.
Middleware type and configuration.
Smart card reader types.
Middleware PIN caching policy.
Note: When the user logs on to the Virtual Delivery Agent (VDA) on a machine with an attached smart card reader, a
Windows tile may appear representing the previous successful mode of authentication, such as smart card or password. As
a result, when single sign-on is enabled, the single sign-on tile may appear. T o log on, the user must select Switch Users to
select another tile because the single sign-on tile will not work.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.348
SSL
May 28 , 20 16
Configuring a XenApp or XenDesktop Site to use the Secure Sockets Layer (SSL) security protocol includes the following
procedures:
Obtain, install, and register a server certificate on all Delivery Controllers, and configure a port with the SSL certificate.
For details, see Install SSL server certificates on Controllers.
Optionally, you can change the ports the Controller uses to listen for HT T P and HT T PS traffic.
Enable SSL connections between users and Virtual Delivery Agents (VDAs) by completing the following tasks:
Configure SSL on the machines where the VDAs are installed. (For convenience, further references to machines where
VDAs are installed are simply called "VDAs.") You can use a PowerShell script supplied by Citrix, or configure it manually.
For general information, see About SSL settings on VDAs. For details, see Configure SSL on a VDA using the
PowerShell script and Manually configure SSL on a VDA.
Configure SSL in the Delivery Groups containing the VDAs by running a set of PowerShell cmdlets in Studio. For details,
see Configure SSL on Delivery Groups.
Requirements and considerations:
Enabling SSL connections between users and VDAs is valid only for XenApp 7.6 and XenDesktop 7.6 Sites, plus later
supported releases.
Configure SSL in the Delivery Groups and on the VDAs after you install components, create a Site, create Machine
Catalogs, and create Delivery Groups.
T o configure SSL in the Delivery Groups, you must have permission to change Controller access rules; a Full
Administrator has this permission.
T o configure SSL on the VDAs, you must be a Windows administrator on the machine where the VDA is installed.
If you intend to configure SSL on VDAs that have been upgraded from earlier versions, uninstall any SSL relay
software on those machines before upgrading them.
T he PowerShell script configures SSL on static VDAs; it does not configure SSL on pooled VDAs that are provisioned
by Machine Creation Services or Provisioning Services, where the machine image resets on each restart.
For tasks that include working in the Windows registry:
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor
at your own risk. Be sure to back up the registry before you edit it.
For information about enabling SSL to the Site database, see CT X137556.
Install SSL server certificates on Controllers
For HT T PS, the XML Service supports SSL features through the use of server certificates, not client certificates. T o obtain,
install, and register a certificate on a Controller, and to configure a port with the SSL certificate:
If the Controller has IIS installed, follow the guidance in https://technet.microsoft.com/enus/library/cc771438%28v=ws.10%29.aspx.
If the Controller does not have IIS installed, one method of configuring the certificate is:
1. Obtain an SSL server certificate and install it on the Controller using the guidance in
http://blogs.technet.com/b/pki/archive/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually.aspx. For
information on the certreq tool, see http://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx.
If you intend to use the PowerShell script to configure SSL on VDAs, and unless you intend on specifying the SSL
certificate’s thumbprint, make sure the certificate is located in the Local Computer > Personal > Certificates area of
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.349
the certificate store. If more than one certificate resides in that location, the first one found will be used.
2. Configure a port with the certificate; see http://msdn.microsoft.com/en-us/library/ms733791%28v=vs.110%29.aspx.
Change HTTP or HTTPS ports
By default, the XML Service on the Controller listens on port 80 for HT T P traffic and port 443 for HT T PS traffic. Although
you can use non-default ports, be aware of the security risks of exposing a Controller to untrusted networks. Deploying a
standalone StoreFront server is preferable to changing the defaults.
To change the default HT T P or HT T PS ports used by the Controller, run the following command from Studio:
BrokerService.exe -WIPORT <http-port> -WISSLPORT <https-port>
where <http-port> is the port number for HT T P traffic and <https-port> is the port number for HT T PS traffic.
Note: After changing a port, Studio might display a message about license compatibility and upgrading. T o resolve the issue,
re-register service instances using the following PowerShell cmdlet sequence:
Get-ConfigRegisteredServiceInstance -ServiceType Broker -Binding
XML_HTTPS | Unregister-ConfigRegisteredServiceInstance
Get-BrokerServiceInstance | where Binding -eq "XML_HTTPS" |
Register-ConfigServiceInstance
Enforce HTTPS traffic only
If you want the XML Service to ignore HT T P traffic, set the following registry value in
HKLM\Software\Citrix\DesktopServer\ on the Controller and then restart the Broker Service.
To ignore HT T P traffic, set XmlServicesEnableNonSsl to 0.
T here is a corresponding registry value to ignore HT T PS traffic: XmlServicesEnableSsl. Ensure that this is not set to 0.
About SSL settings on VDAs
When you configure SSL on VDAs, it changes permissions on the installed SSL certificate, giving the ICA Service read access
to the certificate’s private key, and informing the ICA Service of the following:
Which certif icate in the certif icate store to use f or SSL.
Which TCP port number to use f or SSL connections.
T he Windows Firewall (if it is enabled) must be configured to allow incoming connection on this TCP port. T his
configuration is done for you when you use the PowerShell script.
Which versions of the SSL protocol to allow.
T he supported SSL protocol versions follow a hierarchy (lowest to highest): SSL 3.0, T LS 1.0, T LS 1.1, and T LS 1.2. You
specify the minimum allowed version; all protocol connections using that version or a higher version are allowed.
For example, if you specify T LS 1.1 as the minimum version, then T LS 1.1 and T LS 1.2 protocol connections are allowed. If
you specify SSL 3.0 as the minimum version, then connections for all the supported versions are allowed. If you specify
T LS 1.2 as the minimum version, only T LS 1.2 connections are allowed.
Which SSL ciphers to allow.
A cipher suite is a list of common SSL ciphers. When a client connects and sends a list of supported SSL ciphers, the VDA
matches one of the client’s ciphers with one of the ciphers in its configured cipher suite and accepts the connection. If
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.350
the client sends a cipher that is not in the VDA’s cipher suite, the VDA rejects the connection.
T hree cipher suites are supported: GOV(ernment), COM(mercial), and ALL. T he ciphers in those cipher suites depend on
the Windows FIPS mode; see http://support.microsoft.com/kb/811833 for information about Windows FIPS mode. T he
following table lists the ciphers in each supported cipher suite.
SSL cipher suite
GOV
COM
ALL
GOV
COM
ALL
FIPS Mode
Off
Off
Off
On
On
On
RSA_KEYX
x
x
x
x
x
x
RSA_SIGN
x
x
x
x
x
x
3DES
x
x
x
RC4
x
x
x
MD5
x
x
x
SHA
x
x
x
x
x
x
SHA_256
x
x
x
x
x
x
SHA_384
x
x
x
x
x
x
SHA_512
x
x
x
x
x
x
AES
x
x
x
x
x
x
A Delivery Group cannot have a mixture of some VDAs with SSL configured and some VDAs without SSL configured. When
you configure SSL for a Delivery Group, you should have already configured SSL for all of the VDAs in that Delivery Group.
Configure SSL on a VDA using the PowerShell script
T he Enable-VdaSSL.ps1 script enables or disables the SSL listener on a VDA. T his script is available in the Support >Tools >
SslSupport folder on the installation media.
When you enable SSL, the script disables all existing Windows Firewall rules for the specified T CP port before adding a new
rule that allows the ICA Service to accept incoming connections only on the SSL T CP port. It also disables the Windows
Firewall rules for:
Citrix ICA (default: 1494)
Citrix CGP (default: 2598)
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.351
Citrix WebSocket (default: 8008)
T he result is that users can connect only over SSL; they cannot use raw ICA, CGP, or WebSocket to connect.
T he script contains the following syntax descriptions, plus additional examples; you can use a tool such as Notepad++ to
review this information.
You must specify either the – Enable or – Disable parameter; all other parameters are optional.
Syntax
Enable-VdaSSL {-Enable | -Disable} [– SSLPort <port>] [-SSLMinVersion “<min-ssl-version>”] [-SSLCipherSuite “<suite>”] [CertificateT humbPrint “<thumbprint>”]
Parameter
Description
-Enable
Installs and enables the SSL listener on the VDA. Either this parameter or the – Disable
parameter is required.
-Disable
Disables the SSL listener on the VDA. Either this parameter or the – Enable parameter is
required. If you specify this parameter, no other parameters are valid.
– SSLPort <port>
SSL port. Default: 443
-SSLMinVersion
Minimum SSL protocol version, enclosed in quotation marks. Valid values: "SSL_3.0", "T LS_1.0",
“<min-ssl-version>”
"T LS_1.1", and "T LS_1.2". Default: "T LS_1.0"
-SSLCipherSuite
SSL cipher suite, enclosed in quotation marks. Valid values: "GOV", "COM", and "ALL". Default:
“<suite>”
"ALL"
-
T humbprint of the SSL certificate in the certificate store, enclosed in quotation marks. T his
CertificateT humbPrint
“<thumbprint>”
parameter is generally used when the certificate store has multiple certificates; the script uses
the thumbprint to select the certificate you want to use. Default: the first available
certificate found in the Local Computer > Personal > Certificates area of the certificate store.
Examples
T he following script installs and enables the SSL listener, using default values for all optional parameters.
Enable-VdaSSL –Enable
T he following script installs and enables the SSL listener, and specifies SSL port 400, the GOV cipher suite, and a minimum
T LS 1.2 SSL protocol value.
Enable-VdaSSL – Enable –SSLPort 400 ‘SSLMinVersion “TLS_1.2”
–SSLCipherSuite “GOV”
T he following script disables the SSL listener on the VDA.
Enable-VdaSSL –Disable
Manually configure SSL on a VDA
When configuring SSL on a VDA manually, you grant generic read access to the SSL certificate’s private key for the
appropriate service on each VDA: NT SERVICE\PorticaService for a VDA for Windows Desktop OS, or NT
SERVICE\T ermService for a VDA for Windows Server OS. On the machine where the VDA is installed:
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.352
1. Launch the Microsoft Management Console (MMC): Start > Run > mmc.exe.
2. Add the Certificates snap-in to the MMC:
1. Select File > Add/Remove Snap-in.
2. Select Certificates and then click Add.
3. When prompted with “T his snap-in will always manage certificates for:” choose “Computer account” and then click
Next.
4. When prompted with “Select the computer you want this snap-in to manage” choose “Local computer” and then click
Finish.
3. Under Certificates (Local Computer) > Personal > Certificates, right– click the certificate and then select All T asks >
Manage Private Keys.
4. T he Access Control List Editor displays “Permissions for (FriendlyName) private keys” where (FriendlyName) is the name of
your SSL certificate. Add one of the following services and give it Read access:
For a VDA for Windows Desktop OS, "PORT ICASERVICE"
For a VDA for Windows Server OS, "T ERMSERVICE"
5. Double-click the installed SSL certificate. In the certificate dialog, select the Details tab and then scroll to the bottom.
Click T humbprint.
6. Run regedit and go to HKLM\SYST EM\CurrentControlSet\Control\T erminal Server\Wds\icawd.
1. Edit the SSL T humbprint key and copy the value of the SSL certificate’s thumbprint into this binary value. You can
safely ignore unknown items in the Edit Binary Value dialog box (such as '0000' and special characters).
2. Edit the SSLEnabled key and change the DWORD value to 1. (T o disable SSL later, change the DWORD value to 0.)
3. If you want to change the default settings (optional), use the following in the same registry path:
SSLPort DWORD – SSL port number. Default: 443.
SSLMinVersion DWORD – 1 = SSL 3.0, 2 = T LS 1.0, 3 = T LS 1.1, 4 = T LS 1.2. Default: 2 (T LS 1.0).
SSLCipherSuite DWORD – 1 = GOV, 2 = COM, 3 = ALL. Default: 3 (ALL).
7. Ensure the SSL T CP port is open in the Windows Firewall if it is not the default 443. (When you create the inbound rule
in Windows Firewall, make sure its properties have the "Allow the connection" and "Enabled" entries selected.)
8. Ensure that no other applications or services (such as IIS) are using the SSL T CP port.
9. For VDAs for Windows Server OS, restart the machine for the changes to take effect. (You do not need to restart
machines containing VDAs for Windows Desktop OS.)
Configure SSL on Delivery Groups
Complete this procedure for each Delivery Group that contains VDAs you have configured for SSL connections.
1. From Studio, open the PowerShell console.
2. Run asnp Citrix.* to load the Citrix product cmdlets.
3. Run Get-BrokerAccessPolicyRule – DesktopGroupName ‘<delivery-group-name>’ | Set-BrokerAccessPolicyRule –
HdxSslEnabled $true.
where <delivery-group-name> is the name of the Delivery Group containing VDAs.
4. Run Set-BrokerSite – DnsResolutionEnabled $true.
Troubleshooting
If a connection error occurs, check the VDA's system event log.
When using Receiver for Windows, if you receive a connection error (such as 1030) that indicates an SSL error, disable
Desktop Viewer and then try connecting again; although the connection will still fail, an explanation of the underlying SSL
issue might be provided (for example, you specified an incorrect template when requesting a certificate from the certificate
authority).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.353
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.354
Policies
May 28 , 20 16
Policies are a collection of settings that define how sessions, bandwidth, and security are managed for a group of users,
devices, or connection types.
You can apply policy settings to physical and virtual machines or to users. You can apply settings to individual users at the
local level or in security groups in Active Directory. T he configurations define specific criteria and rules, and if you do not
specifically assign the policies, the settings are applied to all connections.
You can apply policies on different levels of the network. Policy settings placed at the Organizational Unit GPO level take
the highest precedence on the network. Policies at the Domain GPO level override policies on the Site Group Policy Object
level, which override any conflicting policies on both the Microsoft and Citrix Local Policies levels.
All Citrix Local Policies are created and managed in the Citrix Studio console and stored in the Site Database; whereas,
Group Policies are created and managed with the Microsoft Group Policy Management Console (GPMC) and stored in
Active Directory. Microsoft Local Policies are created in the Windows Operating System and are stored in the registry.
Studio uses a Modeling Wizard to help administrators compare configuration settings within templates and policies to help
eliminate conflicting and redundant settings. Administrators can set GPOs using the GPMC to configure settings and apply
them to a target set of users at different levels of the network.
T hese GPOs are saved in Active Directory, and access to the management of these settings is generally restricted for most
of IT for security.
Settings are merged according to priority and their condition. Any disabled setting overrides a lower-ranked enabled setting.
Unconfigured policy settings are ignored and do not override lower-ranked settings.
Local policies can also have conflicts with group policies in the Active Directory, which could override each other depending
on the situation.
All policies are processed in the following order:
1. T he end user logs on to a machine using domain credentials.
2. Credentials are sent to the domain controller.
3. Active Directory applies all policies (end user, endpoint, organizational unit, and domain).
4. T he end user logs on to Receiver and accesses an application or desktop.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.355
5. Citrix and Microsoft policies are processed for the end user and machine hosting the resource.
6. Active Directory determines precedence for policy settings and applies them to the registries of the endpoint device and
to the machine hosting the resource.
7. T he end user logs off from the resource. Citrix policies for the end user and endpoint device are no longer active.
8. T he end user logs off the user device, which releases the GPO user policies.
9. T he end user turns off the device, which releases the GPO machine policies.
When creating policies for groups of users, devices, and machines, some members may have different requirements and
would need exceptions to some policy settings. Exceptions are made by way of filters in Studio and the GPMC that
determine who or what the policy affects.
Related content
Work with policies
Policy templates
Create policies
Compare, prioritize, model, and troubleshoot policies
Default policy settings
Policy settings reference
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.356
Work with policies
May 28 , 20 16
Configure Citrix policies to control user access and session environments. Citrix policies are the most efficient method of
controlling connection, security, and bandwidth settings. You can create policies for specific groups of users, devices, or
connection types. Each policy can contain multiple settings.
Tools f or working with Citrix policies
You can use the following tools to work with Citrix policies.
Studio - If you are a Citrix administrator without permission to manage group policy, use Studio to create policies for
your site. Policies created using Studio are stored in the site database and updates are pushed to the virtual desktop
either when that virtual desktop registers with the broker or when a user connects to that virtual desktop.
Local Group Policy Editor (Microsoft Management Console snap-in) - If your network environment uses Active
Directory and you have permission to manage group policy, you can use the Local Group Policy Editor to create policies
for your Site. T he settings you configure affect the Group Policy Objects (GPOs) you specify in the Group Policy
Management Console.
Important: You must use the Local Group Policy Editor to configure some policy settings, including those related to
registering VDAs with a Controller and those related to Microsoft App-V servers.
Policy processing order and precedence
Group policy settings are processed in the following order:
1. Local GPO
2. XenApp or XenDesktop Site GPO (stored in the Site database)
3. Site-level GPOs
4. Domain-level GPOs
5. Organizational Units
However, if a conflict occurs, policy settings that are processed last can overwrite those that are processed earlier. T his
means that policy settings take precedence in the following order:
1. Organizational Units
2. Domain-level GPOs
3. Site-level GPOs
4. XenApp or XenDesktop Site GPO (stored in the Site database)
5. Local GPO
For example, a Citrix administrator uses Studio to create a policy (Policy A) that enables client file redirection for the
company's sales employees. Meanwhile, another administrator uses the Group Policy Editor to create a policy (Policy B) that
disables client file redirection for sales employees. When the sales employees log on to the virtual desktops, Policy B is
applied and Policy A is ignored because Policy B was processed at the domain level and Policy A was processed at the
XenApp or XenDesktop Site GPO level.
However, when a user launches an ICA or Remote Desktop Protocol (RDP) session, Citrix session settings override the same
settings configured in an Active Directory policy or using Remote Desktop Session Host Configuration. T his includes
settings that are related to typical RDP client connection settings such as Desktop wallpaper, Menu animation, and View
window contents while dragging.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.357
When using multiple policies, you can prioritize policies that contain conflicting settings; see Compare, prioritize, model, and
troubleshoot policies for details.
Workflow f or Citrix policies
T he process for configuring policies is as follows:
1. Create the policy.
2. Configure policy settings.
3. Assign the policy to machine and user objects.
4. Prioritize the policy.
5. Verify the effective policy by running the Citrix Group Policy Modeling wizard.
Navigate Citrix policies and settings
In the Local Group Policy Editor, policies and settings appear in two categories: Computer Configuration and User
Configuration. Each category has a Citrix Policies node. See the Microsoft documentation for details about navigating and
using this snap-in.
In Studio, policy settings are sorted into categories based on the functionality or feature they affect. For example, the
Profile management section contains policy settings for Profile management.
Computer settings (policy settings applying to machines) define the behavior of virtual desktops and are applied when a
virtual desktop starts. T hese settings apply even when there are no active user sessions on the virtual desktop. User
settings define the user experience when connecting using ICA. User policies are applied when a user connects or
reconnects using ICA. User policies are not applied if a user connects using RDP or logs on directly to the console.
T o access policies, settings, or templates, select Policies in the Studio navigation pane.
T he Policies tab lists all policies. When you select a policy, tabs to the right display: Overview (name, priority,
enabled/disabled status, and description), Settings (list of configured settings), and Assigned to (user and machine
objects to which the policy is currently assigned). For more information, see Create policies.
T he Templates tab lists Citrix-provided and custom templates you created. When you select a template, tabs to the
right display: Description (why you might want to use the template) and Settings (list of configured settings). For more
information, see Policy templates.
T he Comparison tab enables you to compare the settings in a policy or template with those in other policies or
templates. For example, you might want to verify setting values to ensure compliance with best practices. For more
information, see Compare, prioritize, model, and troubleshoot policies.
From the Modelling tab, you can simulate connection scenarios with Citrix policies. For more information, see
Compare, prioritize, model, and troubleshoot policies.
T o search for a setting in a policy or template:
1. Select the policy or template.
2. Select Edit policy or Edit T emplate in the Actions pane.
3. On the Settings page, begin to type the name of the setting.
You can refine your search by selecting a specific product version, selecting a category (for example, Bandwidth), or by
selecting the View selected only check box or selecting to search only the settings that have been added to the
selected policy. For an unfiltered search, select All Settings.
T o search for a setting within a policy :
1. Select the policy.
2. Select the Settings tab, begin to type the name of the setting.
You can refine your search by selecting a specific product version or by selecting a category. For an unfiltered search, select
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.358
All Settings.
A policy, once created, is completely independent of the template used. You can use the Description field on a new policy
to keep track of the source template used.
In Studio, policies and templates are displayed in a single list regardless of whether they contain user, computer or both
types of settings and can be applied using both user and computer filters.
In Group Policy Editor, Computer and User settings must be applied separately, even if created from a template that
contains both types of settings. In this example choosing to use Very High Definition User Experience in Computer
Configuration:
Legacy Graphics mode is a Computer setting that will be used in a policy created from this template.
T he User settings, grayed out, will not be used in a policy created from this template.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.359
Policy templates
May 28 , 20 16
Templates are a source for creating policies from a predefined starting point. Built-in Citrix templates, optimized for specific
environments or network conditions, can be used as:
A source for creating your own policies and templates to share between sites.
A reference for easier comparison of results between deployments as you will be able to quote the results, for example,
"..when using Citrix template x or y..".
A method for communicating policies with Citrix Support or trusted third parties by importing or exporting templates.
Policy templates can be imported or exported. For additional templates and updates to the built-in templates, see
CT X202000.
For considerations when using templates to create policies, see CT X202330.
Built-in Citrix templates
T he Group Policy Management package includes the following policy templates that replace and enhance the previously
available built-in Citrix templates:
Very High Def inition User Experience. T his template enforces default settings which maximize the user experience.
Use this template in scenarios where multiple policies are processed in order of precedence.
High Server Scalability. Apply this template to economize on server resources. T his template balances user experience
and server scalability. It offers a good user experience while increasing the number of users you can host on a single
server. T his template does not use video codec for compression of graphics and prevents server side multimedia
rendering.
High Server Scalability-Legacy OS. T his High Server Scalability template applies only to VDAs running Server 2008 R2 or
Windows 7 and earlier. T his template relies on the Legacy graphics mode which is more efficient for those operating
systems.
Optimized f or CloudBridge. Apply this template for users working from branch offices with CloudBridge deployed for
optimizing delivery of XenDesktop. T hese locations typically have highly utilized links and/or high latencies. T his template
optimizes bandwidth efficiency for use in such conditions.
Settings:
·
Desktop Composition Redirection
·
Menu Animation
·
View window contents while dragging
Optimized f or WAN. T his template is intended for task workers in branch offices using a shared WAN connection or
remote locations with low bandwidth connections accessing applications with graphically simple user interfaces with
little multimedia content. T his template trades off video playback experience and some server scalability for optimized
bandwidth efficiency.
Optimized f or WAN-Legacy OS. T his Optimized for WAN template applies only to VDAs running Server 2008 R2 or
Windows 7 and earlier. T his template relies on the Legacy graphics mode which is more efficient for those operating
systems.
Security and Control. Use this template in environments with low tolerance to risk, to minimize the features enabled by
default in XenApp and XenDesktop. T his template includes settings which will disable access to printing, clipboard,
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.360
peripheral devices, drive mapping, port redirection, and Flash acceleration on user devices. Applying this template may use
more bandwidth and reduce user density per server.
While we recommend using the built-in Citrix templates with their default settings, you will find settings that do not have a
specific recommended value. For example, Overall session bandwidth limit, included in the Optimized for WAN templates. In
this case, the template takes the approach of exposing the setting so the administrator will understand this setting is likely
to apply to the scenario.
If you are working with a deployment (policy management and VDAs) prior to XenApp and XenDesktop 7.6 FP3, and require
High Server Scalability and Optimized for WAN templates, please use the Legacy OS versions of these templates when
these apply.
Note
Built-in templates are created and updated by Citrix. You cannot modify or delete these templates.
Create and manage templates using Studio
To create a new template based on a template:
1. Select Policies in the Studio navigation pane.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.361
2. Select the Templates tab and then select the template from which you will create the new template.
3. Select Create Template in the Actions pane.
4. Select and configure the policy settings to include in the template. Remove any existing settings that should not be
included. Enter a name for the template.
After you click Finish, the new template appears on the Templates tab.
To create a new template based on a policy:
1. Select Policies in the Studio navigation pane.
2. Select the Policies tab and then select the policy from which you will create the new template.
3. Select Save as Template in the Actions pane.
4. Select and configure any new policy settings to include in the template. Remove any existing settings that should not be
included. Enter a name and description for the template, and then click Finish.
To import a template:
1. Select Policies in the Studio navigation pane.
2. Select the Templates tab and then select Import Template.
3. Select the template file to import and then click Open. If you import a template with the same name as an existing
template, you can choose to overwrite the existing template or save the template with a different name that is
generated automatically.
To export a template:
1. Select Policies in the Studio navigation pane.
2. Select the Templates tab and then select Export Template.
3. Select the location where you want to save the template and then click Save.
A .gpt file is created in the specified location.
Create and manage templates using the Group Policy Editor
From the Group Policy Editor, expand Computer Configuration or User Configuration. Expand the Policies node and then
select Citrix Policies. Choose the appropriate action below.
Task
Instruction
Create a new template from an existing
policy
On the Policies tab, select the policy and then select Actions > Save as
T emplate.
Create a new policy from an existing
template
On the T emplates tab, select the template and then click New Policy.
Create a new template from an existing
template
On the T emplates tab, select the template and then click New
T emplate.
Import a template
On the T emplates tab, select Actions > Import.
Export a template
On the T emplates tab, select Actions > Export.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.362
View template settings
Task
On the T emplates tab, select the template and then click the Settings
Instruction
tab.
View a summary of template properties
On the T emplates tab, select the template and then click the Properties
tab.
View template prerequisites
On the T emplates tab, select the template and then click the
Prerequisites tab.
Templates and Delegated Administration
Policy templates are stored on the machine where the policy management package was installed. T his machine is either the
Delivery Controller machine or the Group Policy Objects management machine - not the XenApp and XenDesktop Site's
database. T his means that the policy template files are controlled by Windows administrative permissions rather than Site's
Delegated Administration roles and scopes.
As a result, an administrator with read-only permission in the Site can, for example, create new templates. However,
because templates are local files, no changes are actually made to your environment.
Custom templates are only visible to the user account that creates them and stored in the user’s Windows profile. To
expose a custom template further, create a policy from it or export it to a shared location.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.363
Create policies
May 28 , 20 16
Before creating a policy, decide which group of users or devices it should affect. You may want to create a policy based on
user job function, connection type, user device, or geographic location. Alternatively, you can use the same criteria that you
use for Windows Active Directory group policies.
If you already created a policy that applies to a group, consider editing that policy and configuring the appropriate settings,
instead of creating another policy. Avoid creating a new policy solely to enable a specific setting or to exclude the policy
from applying to certain users.
When you create a new policy, you can base it on settings in a policy template and customize settings as needed, or you
can create it without using a template and add all the settings you need.
Policy settings
Policy settings can be enabled, disabled, or not configured. By default, policy settings are not configured, which means they
are not added to a policy. Settings are applied only when they are added to a policy.
Some policy settings can be in one of the following states:
Allowed or Prohibited allows or prevents the action controlled by the setting. In some cases, users are allowed or
prevented from managing the setting's action in a session. For example, if the Menu animation setting is set to Allowed,
users can control menu animations in their client environment.
Enabled or Disabled turns the setting on or off. If you disable a setting, it is not enabled in lower-ranked policies.
In addition, some settings control the effectiveness of dependent settings. For example, Client drive redirection controls
whether or not users are allowed to access the drives on their devices. To allow users to access their network drives, both
this setting and the Client network drives setting must be added to the policy. If the Client drive redirection setting is
disabled, users cannot access their network drives, even if the Client network drives setting is enabled.
In general, policy setting changes that impact machines go into effect either when the virtual desktop restarts or when a
user logs on. Policy setting changes that impact users go into effect the next time users log on. If you are using Active
Directory, policy settings are updated when Active Directory re-evaluates policies at 90-minute intervals and applied either
when the virtual desktop restarts or when a user logs on.
For some policy settings, you can enter or select a value when you add the setting to a policy. You can limit configuration
of the setting by selecting Use default value; this disables configuration of the setting and allows only the setting's default
value to be used when the policy is applied, regardless of the value that was entered before selecting Use default value.
As best practice:
Assign policies to groups rather than individual users. If you assign policies to groups, assignments are updated
automatically when you add or remove users from the group.
Do not enable conflicting or overlapping settings in Remote Desktop Session Host Configuration. In some cases,
Remote Desktop Session Host Configuration provides similar functionality to Citrix policy settings. When possible, keep
all settings consistent (enabled or disabled) for ease of troubleshooting.
Disable unused policies. Policies with no settings added create unnecessary processing.
Policy assignments
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.364
When creating a policy, you assign it to certain user and machine objects; that policy is applied to connections according to
specific criteria or rules. In general, you can add as many assignments as you want to a policy, based on a combination of
criteria. If you specify no assignments, the policy is applied to all connections.
T he following table lists the available assignments:
Assignment Name
Applies a policy based on
Access Control
Access control conditions through which a client is connecting.
Connection type - Whether to apply the policy to connections made with or without
NetScaler Gateway.
NetScaler Gateway farm name - Name of the NetScaler Gateway virtual server.
Access condition - Name of the end point analysis policy or session policy to use.
Citrix CloudBridge
Whether or not a user session is launched through Citrix CloudBridge.
Note: You can add only one Citrix CloudBridge assignment to a policy.
Client IP Address
IP address of the user device used to connect to the session.
IPv4 examples: 12.0.0.0, 12.0.0.*, 12.0.0.1-12.0.0.70, 12.0.0.1/24
IPv6 examples: 2001:0db8:3c4d:0015:0:0:abcd:ef12, 2001:0db8:3c4d:0015::/54
Client Name
Name of the user device.
Exact match: ClientABCName
Using wildcard: Client*Name
Delivery Group
Delivery Group membership.
Delivery Group type
Type of desktop or application: private desktop, shared desktop, private application, or shared
application.
Organizational Unit
Organizational unit.
(OU)
Tag
T ags.
User or Group
User or group name.
When a user logs on, all policies that match the assignments for the connection are identified. T hose policies are sorted
into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority
ranking of the policy. Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled. Policy
settings that are not configured are ignored.
Important: When configuring both Active Directory and Citrix policies using the Group Policy Management Console,
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.365
assignments and settings may not be applied as expected. For more information, see CT X127461
A policy named "Unfiltered" is provided by default.
If you use Studio to manage Citrix policies, settings you add to the Unfiltered policy are applied to all servers, desktops,
and connections in a Site.
If you use the Local Group Policy Editor to manage Citrix policies, settings you add to the Unfiltered policy are applied to
all Sites and connections that are within the scope of the Group Policy Objects (GPOs) that contain the policy. For
example, the Sales OU contains a GPO called Sales-US that includes all members of the US sales team. T he Sales-US GPO
is configured with an Unfiltered policy that includes several user policy settings. When the US Sales manager logs on to
the Site, the settings in the Unfiltered policy are automatically applied to the session because the user is a member of
the Sales-US GPO.
An assignment's mode determines if the policy is applied only to connections that match all the assignment criteria. If the
mode is set to Allow (the default), the policy is applied only to connections that match the assignment criteria. If the mode
is set to Deny, the policy is applied if the connection does not match the assignment criteria. T he following examples
illustrate how assignment modes affect Citrix policies when multiple assignments are present.
Example: Assignments of like type with dif f ering modes - In policies with two assignments of the same type, one
set to Allow and one set to Deny, the assignment set to Deny takes precedence, provided the connection satisfies both
assignments. For example:
Policy 1 includes the following assignments:
Assignment A specifies the Sales group; the mode is set to Allow
Assignment B specifies the Sales manager's account; the mode is set to Deny
Because the mode for Assignment B is set to Deny, the policy is not applied when the Sales manager logs on to the Site,
even though the user is a member of the Sales group.
Example: Assignments of dif f ering type with like modes - In policies with two or more assignments of differing
types, set to Allow, the connection must satisfy at least one assignment of each type in order for the policy to be
applied. For example:
Policy 2 includes the following assignments:
Assignment C is a User assignment that specifies the Sales group; the mode is set to Allow
Assignment D is a Client IP Address assignment that specifies 10.8.169.* (the corporate network); the mode is set to
Allow
When the Sales manager logs on to the Site from the office, the policy is applied because the connection satisfies both
assignments.
Policy 3 includes the following assignments:
Assignment E is a User assignment that specifies the Sales group; the mode is set to Allow
Assignment F is an Access Control assignment that specifies NetScaler Gateway connection conditions; the mode is
set to Allow
When the Sales manager logs on to the Site from the office, the policy is not applied because the connection does not
satisfy Assignment F.
Create a new policy based on a template, using Studio
1. Select Policies in the Studio navigation pane.
2. Select the T emplates tab and select a template.
3. Select Create Policy from T emplate in the Actions pane.
4. By default, the new policy uses all the default settings in the template (the Use template default settings radio button is
selected). If you want to change settings, select the Modify defaults and add more settings radio button, and then add
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.366
or remove settings.
5. Specify how to apply the policy by selecting one of the following:
Assign to selected user and machine objects and then select the user and machine objects to which the policy will
apply.
Assign to all objects in a site to apply the policy to all user and machine objects in the Site.
6. Enter a name for the policy (or accept the default); consider naming the policy according to who or what it affects, for
example Accounting Department or Remote Users. Optionally, add a description.
T he policy is enabled by default; you can disable it. Enabling the policy allows it to be applied immediately to users logging
on. Disabling prevents the policy from being applied. If you need to prioritize the policy or add settings later, consider
disabling the policy until you are ready to apply it.
Create a new policy using Studio
1. Select Policies in the Studio navigation pane.
2. Select the Policies tab.
3. Select Create Policy in the Actions pane.
4. Add and configure policy settings.
5. Specify how to apply the policy by choosing one of the following:
Assign to selected user and machine objects and then select the user and machine objects to which the policy will
apply.
Assign to all objects in a site to apply the policy to all user and machine objects in the Site.
6. Enter a name for the policy (or accept the default); consider naming the policy according to who or what it affects, for
example Accounting Department or Remote Users. Optionally, add a description.
T he policy is enabled by default; you can disable it. Enabling the policy allows it to be applied immediately to users logging
on. Disabling prevents the policy from being applied. If you need to prioritize the policy or add settings later, consider
disabling the policy until you are ready to apply it.
Create and manage policies using the Group Policy Editor
From the Group Policy Editor, expand Computer Configuration or User Configuration. Expand the Policies node and then
select Citrix Policies. Choose the appropriate action below.
Task
Instruction
Create a new policy
On the Policies tab, click New.
Edit an existing policy
On the Policies tab, select the policy and then click Edit.
Change the priority of an existing
policy
On the Policies tab, select the policy and then click either Higher or Lower.
View summary information about a
policy
On the Policies tab, select the policy and then click the Summary tab.
View and amend policy settings
On the Policies tab, select the policy and then click the Settings tab.
View and amend policy filters
On the Policies tab, select the policy and then click the Filters tab.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.367
Enable or disable a policy
Task
On the Policies tab, select the policy and then select either Actions > Enable or
Instruction
Actions > Disable.
Create a new policy from an existing
template
On the T emplates tab, select the template and then click New Policy.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.368
Compare, prioritize, model, and troubleshoot policies
Sep 16, 20 16
You can use multiple policies to customize your environment to meet users' needs based on their job functions, geographic
locations, or connection types. For example, for security you may need to place restrictions on user groups who regularly
work with sensitive data. You can create a policy that prevents users from saving sensitive files on their local client drives.
However, if some people in the user group do need access to their local drives, you can create another policy for only those
users. You then rank or prioritize the two policies to control which one takes precedence.
When using multiple policies, you must determine how to prioritize them, how to create exceptions, and how to view the
effective policy when policies conflict.
In general, policies override similar settings configured for the entire Site, for specific Delivery Controllers, or on the user
device. T he exception to this principle is security. T he highest encryption setting in your environment, including the
operating system and the most restrictive shadowing setting, always overrides other settings and policies.
Citrix policies interact with policies you set in your operating system. In a Citrix environment, Citrix settings override the
same settings configured in an Active Directory policy or using Remote Desktop Session Host Configuration. T his includes
settings that are related to typical Remote Desktop Protocol (RDP) client connection settings such as Desktop wallpaper,
Menu animation, and View window contents while dragging. For some policy settings, such as Secure ICA, the settings in
policies must match the settings in the operating system. If a higher priority encryption level is set elsewhere, the Secure
ICA policy settings that you specify in the policy or when you are delivering application and desktops can be overridden.
For example, the encryption settings that you specify when creating Delivery Groups should be at the same level as the
encryption settings you specified throughout your environment.
Note: In the second hop of double-hop scenarios, when a Desktop OS VDA connects to Server OS VDA, Citrix policies act
on the Desktop OS VDA as if it were the user device. For example, if policies are set to cache images on the user device, the
images cached for the second hop in a double-hop scenario are cached on the Desktop OS VDA machine.
Compare policies and templates
You can compare settings in a policy or template with those in other policies or templates. For example, you might need to
verify setting values to ensure compliance with best practices. You might also want to compare settings in a policy or
template with the default settings provided by Citrix.
1. Select Policies in the Studio navigation pane.
2. Click the Comparison tab and then click Select.
3. Choose the policies or templates to compare. T o include default values in the comparison, select the Compare to default
settings check box.
4. After you click Compare, the configured settings are displayed in columns.
5. T o see all settings, select Show All Settings. T o return to the default view, select Show Common Settings.
Prioritize policies
Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. When a user logs
on, all policies that match the assignments for the connection are identified. T hose policies are sorted into priority order
and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy.
You prioritize policies by giving them different priority numbers in Studio. By default, new policies are given the lowest
priority. If policy settings conflict, a policy with a higher priority (a priority number of 1 is the highest) overrides a policy with a
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.369
lower priority. Settings are merged according to priority and the setting's condition; for example, whether the setting is
disabled or enabled. Any disabled setting overrides a lower-ranked setting that is enabled. Policy settings that are not
configured are ignored and do not override the settings of lower-ranked settings.
1. Select Policies in the Studio navigation pane. Make sure the Policies tab is selected.
2. Select a policy.
3. Select Lower Priority or Higher Priority in the Actions pane.
Exceptions
When you create policies for groups of users, user devices, or machines, you may find that some members of the group
require exceptions to some policy settings. You can create exceptions by:
Creating a policy only for those group members who need the exceptions and then ranking the policy higher than the
policy for the entire group
Using the Deny mode for an assignment added to the policy
An assignment with the mode set to Deny applies a policy only to connections that do not match the assignment criteria.
For example, a policy contains the following assignments:
Assignment A is a client IP address assignment that specifies the range 208.77.88.*; the mode is set to Allow
Assignment B is a user assignment that specifies a particular user account; the mode is set to Deny
T he policy is applied to all users who log on to the Site with IP addresses in the range specified in Assignment A. However,
the policy is not applied to the user logging on to the Site with the user account specified in Assignment B, even though the
user's computer is assigned an IP address in the range specified in Assignment A.
Determine which policies apply to a connection
Sometimes a connection does not respond as expected because multiple policies apply. If a higher priority policy applies to
a connection, it can override the settings you configure in the original policy. You can determine how final policy settings are
merged for a connection by calculating the Resultant Set of Policy.
You can calculate the Resultant Set of Policy in the following ways:
Use the Citrix Group Policy Modeling Wizard to simulate a connection scenario and discern how Citrix policies might be
applied. You can specify conditions for a connection scenario such as domain controller, users, Citrix policy assignment
evidence values, and simulated environment settings such as slow network connection. T he report that the wizard
produces lists the Citrix policies that would likely take effect in the scenario. If you are logged on to the Controller as a
domain user, the wizard calculates the Resultant Set of Policy using both site policy settings and Active Directory Group
Policy Objects (GPOs).
Use Group Policy Results to produce a report describing the Citrix policies in effect for a given user and controller. T he
Group Policy Results tool helps you evaluate the current state of GPOs in your environment and generates a report that
describes how these objects, including Citrix policies, are currently being applied to a particular user and controller.
You can launch the Citrix Group Policy Modeling Wizard from the Actions pane in Studio. You can launch either tool from
the Group Policy Management Console in Windows.
If you run the Citrix Group Policy Modeling Wizard or Group Policy Results tool from the Group Policy Management
Console, site policy settings created using Studio are not included in the Resultant Set of Policy.
To ensure you obtain the most comprehensive Resultant Set of Policy, Citrix recommends launching the Citrix Group Policy
Modeling wizard from Studio, unless you create policies using only the Group Policy Management Console.
Use the Citrix Group Policy Modeling Wizard
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.370
Open the Citrix Group Policy Modeling Wizard using one of the following:
Select Policies in the Studio navigation pane, select the Modeling tab, and then select Launch Modeling Wizard in the
Actions pane.
Launch the Group Policy Management Console (gpmc.msc), right-click Citrix Group Policy Modeling in the tree pane, and
then select Citrix Group Policy Modeling Wizard.
Follow the wizard instructions to select the domain controller, users, computers, environment settings, and Citrix
assignment criteria to use in the simulation. After you click Finish, the wizard produces a report of the modeling results. In
Studio, the report appears in the middle pane under the Modeling tab.
To view the report, select View Modeling Report.
Troubleshoot policies
Users, IP addresses, and other assigned objects can have multiple policies that apply simultaneously. T his can result in
conflicts where a policy may not behave as expected. When you run the Citrix Group Policy Modeling Wizard or the Group
Policy Results tool, you might discover that no policies are applied to user connections. When this happens, users
connecting to their applications and desktops under conditions that match the policy evaluation criteria are not affected
by any policy settings. T his occurs when:
No policies have assignments that match the policy evaluation criteria.
Policies that match the assignment do not have any settings configured.
Policies that match the assignment are disabled.
If you want to apply policy settings to the connections that meet the specified criteria, make sure:
T he policies you want to apply to those connections are enabled.
T he policies you want to apply have the appropriate settings configured.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.371
Default policy settings
Aug 0 8 , 20 16
T he following tables list policy settings, their default, and the Virtual Delivery Agent (VDA) versions to which they apply.
ICA
Name
Def ault setting
VDA
Client clipboard redirection
Allowed
All VDA versions
Desktop launches
Prohibited
VDA for Server OS 7 through current
ICA listener connection timeout
120000
milliseconds
VDA 5, 5.5, 5.6 Feature Pack 1, VDA for Desktop
OS 7 through current
ICA listener port number
1494
All VDA versions
Launching of non-published programs during
Prohibited
VDA for Server OS 7 through current
No formats are
VDA 7.6 through current
client connection
Client clipboard write allowed formats
specified
Restrict client clipboard write
Prohibited
VDA 7.6 through current
Restrict session clipboard write
Prohibited
VDA 7.6 through current
Session clipboard write allowed formats
No formats are
specified
VDA 7.6 through current
ICA/Adobe Flash Delivery/Flash Redirection
Name
Def ault setting
VDA
Flash video fallback prevention
Not configured
VDA 7.6 FP3 through current
Flash video fallback prevention error *.swf
VDA 7.6 FP3 through current
ICA/Audio
Name
Def ault setting
VDA
Audio Plug N Play
Allowed
VDA for Server OS 7 through current
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.372
Name
Audio quality
Def ault setting
High - high definition audio
VDA
All VDA versions
Client audio redirection
Allowed
All VDA versions
Client microphone redirection
Allowed
All VDA versions
ICA/Auto Client Reconnect
Name
Def ault setting
VDA
Auto client reconnect
Allowed
VDA
Auto client reconnect authentication
Do not require authentication
VDA
Auto client reconnect logging
Do not log auto-reconnect events
VDA
ICA/Bandwidth
Name
Def ault
VDA
setting
Audio redirection bandwidth limit
0 Kbps
VDA
Audio redirection bandwidth limit percent
0
VDA
Client USB device redirection bandwidth
limit
0 Kbps
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA
for Desktop OS 7 through current
Client USB device redirection bandwidth
limit percent
0
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA
for Desktop OS 7 through current
Clipboard redirection bandwidth limit
0 Kbps
All VDA versions
Clipboard redirection bandwidth limit
0
All VDA versions
0 Kbps
All VDA versions; for VDA 7.x, configure this setting using
percent
COM port redirection bandwidth limit
the registry.
COM port redirection bandwidth limit
0
percent
File redirection bandwidth limit
https://docs.citrix.com
All VDA versions; for VDA 7.x, configure this setting using
the registry.
0 Kbps
All VDA versions
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.373
Name
File redirection bandwidth limit percent
Def ault
0
setting
VDA
All VDA versions
HDX MediaStream Multimedia Acceleration
0 Kbps
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA
bandwidth limit
for Desktop OS 7 through current
HDX MediaStream Multimedia Acceleration
0
bandwidth limit percent
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA
for Desktop OS 7 through current
LPT port redirection bandwidth limit
0 Kbps
All VDA versions; for VDA 7.x, configure this setting using
the registry.
LPT port redirection bandwidth limit
0
percent
All VDA versions; for VDA 7.x, configure this setting using
the registry.
Overall session bandwidth limit
0 Kbps
All VDA versions
Printer redirection bandwidth limit
0 Kbps
All VDA versions
Printer redirection bandwidth limit percent
0
All VDA versions
T WAIN device redirection bandwidth limit
0 Kbps
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA
for Desktop OS 7 through current
T WAIN device redirection bandwidth limit
0
percent
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA
for Desktop OS 7 through current
ICA/Client Sensors
Name
Def ault
VDA
setting
Allow applications to use the physical
Prohibited
location of the client device
VDA 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
Desktop OS 7 through current
ICA/Desktop UI
Name
Def ault setting
VDA
Desktop Composition Redirection
Disabled (7.6 FP3 through
VDA 5.6, VDA for Desktop OS 7 through
current)
current, VDA
Enabled (5.6 through 7.6
FP2)
Desktop Composition Redirection
graphics quality
https://docs.citrix.com
Medium
VDA 5.6, VDA for Desktop OS 7 through
current, VDA
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.374
Name
Desktop wallpaper
Def ault setting
Allowed
VDA
All VDA versions
Menu animation
Allowed
All VDA versions
View window contents while dragging
Allowed
All VDA versions
ICA/End User Monitoring
Name
Def ault setting
VDA
ICA round trip calculation
Enabled
All VDA versions
ICA round trip calculation interval
15 seconds
All VDA versions
ICA round trip calculations for idle connections
Disabled
All VDA versions
ICA/Enhanced Desktop Experience
Name
Def ault setting
VDA
Enhanced Desktop Experience
Allowed
VDA for Server OS 7 through current
ICA/File Redirection
Name
Def ault
setting
VDA
Auto connect client
drives
Allowed
All VDA versions
Client drive redirection
Allowed
All VDA versions
Client fixed drives
Allowed
All VDA versions
Client floppy drives
Allowed
All VDA versions
Client network drives
Allowed
All VDA versions
Client optical drives
Allowed
All VDA versions
Client removable drives
Allowed
All VDA versions
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.375
Name
Host to client
redirection
Preserve client drive
Def ault
Disabled
setting
VDA
VDA for Server OS 7 through current
Disabled
VDA 5, 5.5, 5.6 Feature Pack 1, VDA for Desktop OS 7 through current
Disabled
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for Desktop OS 7
letters
Read-only client drive
access
Special folder
through current
Allowed
Web Interface deployments only; VDA for Server OS 7 through current
Disabled
All VDA versions
redirection
Use asynchronous
writes
ICA/Graphics
Name
Def ault setting
VDA
Display memory limit
65536 Kb
VDA 5, 5.5, 5.6 Feature Pack 1, VDA for Desktop OS 7 through
current
Display mode degrade
preference
Degrade color
depth first
All VDA versions
Dynamic windows preview
Enabled
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
Desktop OS 7 through current
Image caching
Enabled
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
Desktop OS 7 through current
Legacy graphics mode
Disabled
VDA for Server OS 7 and VDA for Desktop OS 7 through current
Maximum allowed color
depth
32 bits per pixel
All VDA versions
Notify user when display
mode is degraded
Disabled
VDA for Server OS 7 through current
Queuing and tossing
Enabled
All VDA versions
ICA/Graphics/Caching
Name
Def ault setting
VDA
Persistent cache threshold
3000000 bps
VDA for Server OS 7 through current
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.376
ICA/Keep Alive
Name
Def ault setting
VDA
ICA keep alive timeout
60 seconds
All VDA versions
ICA keep alives
Do not send ICA keep alive messages
All VDA versions
ICA/Local App Access
Name
Def ault setting
VDA
Allow local app access
Prohibited
VDA for Server OS 7 and VDA for Desktop OS 7 through current
URL redirection black list
No sites are specified
VDA for Server OS 7 and VDA for Desktop OS 7 through current
URL redirection white list
No sites are specified
VDA for Server OS 7 and VDA for Desktop OS 7 through current
ICA/Mobile Experience
Name
Def ault
setting
VDA
Automatic keyboard
display
Prohibited
VDA 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for Desktop OS 7
through current
Launch touch-optimized
desktop
Allowed
VDA 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for Desktop OS 7
through current
T his setting is disabled and not available for Windows 10 machines.
Remote the combo box
Prohibited
VDA 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for Desktop OS 7
through current
ICA/Multimedia
Name
Def ault
VDA
setting
Limit video quality
Not configured
VDA for Server OS 7 and
VDA for Desktop OS 7
through current
Multimedia conferencing
https://docs.citrix.com
Allowed
All VDA versions
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.377
Optimization for Windows Media multimedia redirection over WAN
Allowed
VDA for Server OS 7 and
VDA for Desktop OS 7
through current
Use GPU for optimizing Windows Media multimedia redirection over
Prohibited
WAN
VDA for Server OS 7 and
VDA for Desktop OS 7
through current
Video load management policy setting
Not configured
VDA 7.6 FP3 through current
Windows Media client-side content fetching
Allowed
VDA for Server OS 7 and
VDA for Desktop OS 7
through current
Windows Media Redirection
Allowed
All VDA versions
Windows Media Redirection buffer size
5 seconds
VDA 5, 5.5, and 5.6, Feature
Pack 1 through current
Windows Media Redirection buffer size use
Disabled
VDA 5, 5.5, and 5.6, Feature
Pack 1 through current
ICA/Multi-Stream Connections
Name
Def ault setting
VDA
Audio over UDP
Allowed
VDA for Server OS 7 through current
Audio UDP port range
16500, 16509
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
Desktop OS 7 through current
Multi-Port policy
Primary port (2598) has
High Priority
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
Desktop OS 7 through current
Multi-Stream
computer setting
Disabled
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
Desktop OS 7 through current
Multi-Stream user
setting
Disabled
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
Desktop OS 7 through current
ICA/Port Redirection
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.378
Name
Def ault
setting
VDA
Auto connect client COM
Disabled
All VDA versions; for VDA 7.x, configure this setting using the
ports
Auto connect client LPT ports
registry.
Disabled
All VDA versions; for VDA 7.x, configure this setting using the
registry.
Client COM port redirection
Prohibited
All VDA versions; for VDA 7.x, configure this setting using the
registry.
Client LPT port redirection
Prohibited
All VDA versions; for VDA 7.x, configure this setting using the
registry.
ICA/Printing
Name
Def ault setting
VDA
Client printer redirection
Allowed
All VDA
versions
Default printer
Set default printer to the client's main printer
All VDA
versions
Printer assignments
Printer auto-creation event log
User's current printer is used as the default printer for the
All VDA
session
versions
Log errors and warnings
All VDA
preference
versions
Session printers
No printers are specified
All VDA
versions
Wait for printers to be created
Disabled
All VDA
(desktop)
versions
ICA/Printing/Client Printers
Name
Def ault setting
VDA
Auto-create client printers
Auto-create all client printers
All VDA versions
Auto-create generic universal printer
Disabled
All VDA versions
Client printer names
Standard printer names
All VDA versions
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.379
Direct connections to print servers
Name
Enabled
Def ault setting
All VDA versions
VDA
Printer driver mapping and compatibility
No rules are specified
All VDA versions
Printer properties retention
Held in profile only if not saved on client
All VDA versions
Retained and restored client printers
Allowed
VDA 5, 5,5 and 5.6 Feature Pack 1
ICA/Printing/Drivers
Name
Def ault setting
VDA
Automatic installation of in-box printer
drivers
Enabled
All VDA
versions
Universal driver preference
EMF; XPS; PCL5c; PCL4; PS
All VDA
versions
Universal print driver usage
Use universal printing only if requested driver is
unavailable
All VDA
versions
ICA/Printing/Universal Print Server
Name
Def ault setting
VDA
Universal Print Server enable
Disabled
All VDA versions
Universal Print Server print data stream (CGP) port
7229
All VDA versions
Universal Print Server print stream input bandwidth limit (kpbs)
0
All VDA versions
Universal Print Server web service (HT T P/SOAP) port
8080
All VDA versions
ICA/Printing/Universal Printing
Name
Def ault setting
VDA
Universal printing EMF processing
Spool directly to printer
All VDA
mode
versions
Universal printing image compression
Best quality (lossless compression)
limit
https://docs.citrix.com
All VDA
versions
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.380
Universal printing optimization
Name
defaults
Image Compression
Def ault setting
Desired image quality = Standard quality
All VDA
VDA
versions
Enable heavyweight compression = False
Image and Font Caching
Allow caching of embedded images = T rue
Allow caching of embedded fonts = T rue
Allow non-administrators to modify these settings = False
Universal printing preview preference
Universal printing print quality limit
Do not use print preview for auto-created or generic universal
All VDA
printers
versions
No limit
All VDA
versions
ICA/Security
Name
Def ault setting
VDA
SecureICA minimum encryption level
Basic
VDA for Server OS 7 through current VDA for Server OS
ICA/Server Limits
Name
Def ault setting
VDA
Server idle timer interval
0 milliseconds
VDA for Server OS 7 through current VDA for Server OS
ICA/Session Limits
Name
Def ault
VDA
setting
Disconnected session timer
Disabled
VDA 5, 5.5, 5.6 Feature Pack 1, VDA for Desktop OS 7 through
current
Disconnected session timer
1440 minutes
interval
Session connection timer
VDA 5, 5.5, 5.6 Feature Pack 1, VDA for Desktop OS 7 through
current
Disabled
VDA 5, 5.5, 5.6 Feature Pack 1, VDA for Desktop OS 7 through
current
Session connection timer
1440 minutes
interval
Session idle timer
https://docs.citrix.com
VDA 5, 5.5, 5.6 Feature Pack 1, VDA for Desktop OS 7 through
current
Enabledf
VDA 5, 5.5, 5.6 Feature Pack 1, VDA for Desktop OS 7 through
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.381
Name
Def ault
current
VDA
Session idle timer interval
setting
1440 minutes
VDA 5, 5.5, 5.6 Feature Pack 1, VDA for Desktop OS 7 through
current
ICA/Session Reliability
Name
Def ault setting
VDA
Session reliability connections
Allowed
All VDA versions
Session reliability port number
2598
All VDA versions
Session reliability timeout
180 seconds
All VDA versions
ICA/Time Zone Control
Name
Def ault setting
VDA
Estimate local time for legacy clients
Enabled
VDA for Server OS 7 through current
Use local time of client
Use server time zone
All VDA versions
ICA/TWAIN Devices
Name
Def ault
VDA
setting
Client T WAIN device
Allowed
redirection
T WAIN compression level
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for Desktop OS
7 through current
Medium
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for Desktop OS
7 through current
ICA/USB Devices
Name
Def ault setting
VDA
Client USB device optimization rules
No rules are specified
VDA 7.6 FP3 through current
Client USB device redirection
Prohibited
All VDA versions
Client USB device redirection rules
No rules are specified
All VDA versions
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.382
Client USB Plug and Play device redirection
Allowed
VDA for Server OS 7 and VDA for
Desktop OS 7 through current
ICA/Visual Display
Name
Def ault setting
VDA
Preferred color depth for simple
24 bits per pixel
VDA 7.6 FP3 through current
Target frame rate
30 fps
All VDA versions
Visual quality
Medium
VDA for Server OS 7 and VDA for Desktop OS 7
graphics
through current
Use video codec for compression
Use video codec when
VDA 7.6 FP3 through current
available
ICA/Visual Display/Moving Images
Name
Def ault
setting
VDA
Minimum image quality
Normal
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
Desktop OS 7 through current
Moving image compression
Enabled
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
Desktop OS 7 through current
Progressive compression level
None
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
Desktop OS 7 through current
Progressive compression
2147483647
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
threshold value
Kbps
Desktop OS 7 through current
T arget minimum frame rate
10 fps
VDA 5.5, 5.6 Feature Pack 1, VDA for Server OS 7 and VDA for
Desktop OS 7 through current
ICA/Visual Display/Still Images
Name
Def ault setting
VDA
Extra color compression
Disabled
All VDA versions
Extra color compression threshold
8192 Kbps
All VDA versions
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.383
Name
Heavyweight compression
Def ault setting
Disabled
VDA
All VDA versions
Lossy compression level
Medium
All VDA versions
Lossy compression threshold value
2147483647 Kbps
All VDA versions
ICA/WebSockets
Name
Def ault setting
VDA
WebSockets connections
Prohibited
VDA for Server OS 7 and VDA for Desktop OS
7 through current
WebSockets port number
8008
VDA for Server OS 7 and VDA for Desktop OS
7 through current
WebSockets trusted
T he wildcard, *, is used to trust all
VDA for Server OS 7 and VDA for Desktop OS
origin server list
Receiver for Web URLs
7 through current
Load Management
Name
Def ault setting
VDA
Concurrent logon tolerance
2
VDA for Server OS 7 through current
CPU usage
Disabled
VDA for Server OS 7 through current
CPU usage excluded process priority
Below Normal or Low
VDA for Server OS 7 through current
Disk usage
Disabled
VDA for Server OS 7 through current
Maximum number of sessions
250
VDA for Server OS 7 through current
Memory usage
Disabled
VDA for Server OS 7 through current
Memory usage base load
Zero load: 768MB
VDA for Server OS 7 through current
Profile Managment/Advanced settings
Name
Def ault setting
VDA
Disable automatic configuration
Disabled
All VDA versions
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.384
Name
Log off user if a problem is encountered
Def ault setting
Disabled
VDA
All VDA versions
Number of retries when accessing locked files
5
All VDA versions
Process Internet cookie files on logoff
Disabled
All VDA versions
Profile Management/Basic settings
Name
Def ault setting
VDA
Active write back
Disabled
All VDA versions
Enable Profile management
Disabled
All VDA versions
Excluded groups
Disabled. Members of all user groups are processed.
All VDA versions
Offline profile support
Disabled
All VDA versions
Path to user store
Windows
All VDA versions
Process logons of local administrators
Disabled
All VDA versions
Processed groups
Disabled. Members of all user groups are processed.
All VDA versions
Profile Management/Cross-Platf orm Settings
Name
Def ault setting
VDA
Cross-platform settings user groups
Disabled. All user groups specified in Processed groups are
All VDA
processed
versions
Disabled
All VDA
Enable cross-platform settings
versions
Path to cross-platform definitions
Disabled. No path is specified.
All VDA
versions
Path to cross-platform settings store
Disabled. Windows\PM_CM is used.
All VDA
versions
Source for creating cross-platform
Disabled
settings
https://docs.citrix.com
All VDA
versions
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.385
Profile Management/File System/Exclusions
Name
Def ault setting
VDA
Exclusion list - directories
Disabled. All folders in the user profile are synchronized.
All VDA versions
Exclusion list - files
Disabled. All files in the user profile are synchronized.
All VDA versions
Profile Management/File System/Synchronization
Name
Def ault setting
VDA
Directories to synchronize
Disabled. Only non-excluded folders are synchronized.
All VDA versions
Files to synchronize
Disabled. Only non-excluded files are synchronized.
All VDA versions
Folders to mirror
Disabled. No folders are mirrored.
All VDA versions
Profile Management/Folder Redirection
Name
Def ault setting
VDA
Grant administrator access
Disabled
All VDA versions
Include domain name
Disabled
All VDA versions
Profile Management/Folder Redirection/AppData(Roaming)
Name
Def ault setting
VDA
AppData(Roaming) path
Disabled. No location is specified.
All VDA
versions
Redirection settings for
Contents are redirected to the UNC path specified in the
All VDA
AppData(Roaming)
AppData(Roaming) path policy settings
versions
Profile Management/Folder Redirection/Contacts
Name
Def ault setting
VDA
Contacts path
Disabled. No location is specified.
All VDA
versions
Redirection settings for
https://docs.citrix.com
Contents are redirected to the UNC path specified in the Contacts path
© 1999-2017 Citrix Systems, Inc. All rights reserved.
All VDA
p.386
Contacts
Name
policy settings
Def ault setting
versions
VDA
Profile Management/Folder Redirection/Desktop
Name
Def ault setting
VDA
Desktop path
Disabled. No location is specified.
All VDA
versions
Redirection settings for
Contents are redirected to the UNC path specified in the Desktop path
All VDA
Desktop
policy settings
versions
Profile Management/Folder Redirection/Documents
Name
Def ault setting
VDA
Documents path
Disabled. No location is specified.
All VDA
versions
Redirection settings for
Contents are redirected to the UNC path specified in the Documents
All VDA
Documents
path policy settings
versions
Profile Management/Folder Redirection/Downloads
Name
Def ault setting
VDA
Downloads path
Disabled. No location is specified.
All VDA
versions
Redirection settings for
Contents are redirected to the UNC path specified in the Downloads
All VDA
Downloads
path policy settings
versions
Profile Management/Folder Redirection/Favorites
Name
Def ault setting
VDA
Favorites path
Disabled. No location is specified.
All VDA
versions
Redirection settings for
Contents are redirected to the UNC path specified in the Favorites path
All VDA
Favorites
policy settings
versions
Profile Management/Folder Redirection/Links
Name
Def ault setting
VDA
Links path
Disabled. No location is specified.
All VDA
versions
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.387
Redirection settings for
Name
Links
Contents are redirected to the UNC path specified in the Links path policy
Def ault setting
settings
All VDA
VDA
versions
Profile Management/Folder Redirection/Music
Name
Def ault setting
VDA
Music path
Disabled. No location is specified.
All VDA
versions
Redirection settings for
Contents are redirected to the UNC path specified in the Music path
All VDA
Music
policy settings
versions
Profile Management/Folder Redirection/Pictures
Name
Def ault setting
VDA
Pictures path
Disabled. No location is specified.
All VDA
versions
Redirection settings for
Contents are redirected to the UNC path specified in the Pictures path
All VDA
Pictures
policy settings
versions
Profile Management/Folder Redirection/Saved Games
Name
Def ault setting
VDA
Saved Games path
Disabled. No location is specified.
All VDA
versions
Redirection settings for
Contents are redirected to the UNC path specified in the Saved Games
All VDA
Saved Games
path policy settings
versions
Profile Management/Folder Redirection/Searches
Name
Def ault setting
VDA
Searches path
Disabled. No location is specified.
All VDA
versions
Redirection settings for
Contents are redirected to the UNC path specified in the Searches path
All VDA
Searches
policy settings
versions
Profile Management/Folder Redirection/Start Menu
Name
Def ault setting
VDA
Start Menu path
Disabled. No location is specified.
All VDA
versions
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.388
Name
Redirection settings for
Def ault setting
Contents are redirected to the UNC path specified in the Start Menu
VDA
All VDA
Start Menu
path policy settings
versions
Profile Management/Folder Redirection/Video
Name
Def ault setting
VDA
Video path
Disabled. No location is specified.
All VDA
versions
Redirection settings for
Video
Contents are redirected to the UNC path specified in the Video path
policy settings
All VDA
versions
Profile Management/Log settings
Name
Def ault setting
VDA
Active Directory
Disabled
All VDA
actions
Common information
versions
Disabled
All VDA
versions
Common warnings
Disabled
All VDA
versions
Enable logging
Disabled
All VDA
versions
File system actions
Disabled
All VDA
versions
File system
Disabled
notifications
Logoff
All VDA
versions
Disabled
All VDA
versions
Logon
Disabled
All VDA
versions
Maximum size of the
1048576
log file
Path to log file
Personalized user
versions
Disabled. Log files are saved in the default location;
All VDA
%SystemRoot%\System32\Logfiles\UserProfileManager.
versions
Disabled
All VDA
information
https://docs.citrix.com
All VDA
versions
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.389
Policy
Name values at logon
and logoff
Disabled
Def ault setting
All
VDA
VDA
versions
Registry actions
Disabled
All VDA
versions
Registry differences at
Disabled
All VDA
logoff
versions
Profile Management/Profile handling
Name
Def ault setting
VDA
Delay before deleting cached profiles
0
All VDA
versions
Delete locally cached profiles on
Disabled
All VDA
logoff
versions
Local profile conflict handling
Use local profile
All VDA
versions
Migration of existing profiles
Local and roaming
All VDA
versions
Path to the template profile
T emplate profile overrides local profile
Disabled. New user profiles are created from the default user
All VDA
profile on the device where a user first logs on.
versions
Disabled
All VDA
versions
T emplate profile overrides roaming
Disabled
All VDA
profile
versions
T emplate profile used as a Citrix
Disabled
All VDA
mandatory profile for all logons
versions
Profile Management/Registry
Name
Def ault setting
VDA
Exclusion list
Disabled. All registry keys in the HKCU hive are processed when a user logs off.
All VDA versions
Inclusion list
Disabled. All registry keys in the HKCU hive are processed when a user logs off.
All VDA versions
Profile Management/Streamed user profiles
Name
https://docs.citrix.com
Def ault setting
© 1999-2017 Citrix Systems, Inc. All rights reserved.
VDA
p.390
Always cache
Name
Disabled
Def
ault setting
All VDA
VDA
versions
Always cache size
0 Mb
All VDA
versions
Profile streaming
Disabled
All VDA
versions
Streamed user profile groups
T imeout for pending area lock files
Disabled. All user profiles within an OU are processed
All VDA
normally.
versions
1 day
All VDA
(days)
versions
Receiver
Name
Def ault setting
VDA
StoreFront accounts list
No stores are specified
VDA for Server OS 7 and VDA for Desktop OS 7 through current
Virtual Delivery Agent
Name
Def ault setting
VDA
Controller registration IPv6
No netmask is specified
VDA for Server OS 7 and VDA for Desktop OS 7 through
netmask
current
Controller registration port
80
All VDA versions
Controller SIDs
No SIDs are specified
All VDA versions
Controllers
No controllers are
specified
All VDA versions
Enable auto update of
controllers
Enabled
VDA for Server OS 7 and VDA for Desktop OS 7 through
current
Only use IPv6 controller
registration
Disabled
VDA for Server OS 7 and VDA for Desktop OS 7 through
current
Site GUID
No GUID is specified
All VDA versions
Virtual IP
Name
https://docs.citrix.com
Def ault setting
© 1999-2017 Citrix Systems, Inc. All rights reserved.
VDA
p.391
Virtual IP loopback support
Name
Disabled
Def ault setting
VDA 7.6
VDA
Virtual IP virtual loopback programs list
None
VDA 7.6
HDX 3D Pro
Name
Def ault setting
VDA
Enable lossless
Enabled
VDA 5.5 and 5.6 Feature Pack 1
HDX 3D Pro quality settings
https://docs.citrix.com
VDA 5.5 and 5.6 Feature Pack 1
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.392
Policy settings reference
May 28 , 20 16
Policies contain settings that are applied when the policy is enforced. Descriptions in this section also indicate if additional
settings are required to enable a feature or are similar to a setting.
Quick ref erence
T he following tables list the settings you can configure within a policy. Find the task you want to complete in the left
column, then locate its corresponding setting in the right column.
Audio
For this task
Use this policy setting
Control whether to allow the use of multiple audio devices
Audio Plug N Play
Control whether to allow audio input from microphones on
Client microphone redirection
the user device
Control audio quality on the user device
Audio quality
Control audio mapping to speakers on the user device
Client audio redirection
Bandwidth for user devices
To limit bandwidth used f or
Use this policy setting
Client audio mapping
Audio redirection bandwidth limit or
Audio redirection bandwidth limit percent
Cut-and-paste using local clipboard
Clipboard redirection bandwidth limit or
Clipboard redirection bandwidth limit percent
Access in a session to local client drives
File redirection bandwidth limit or
File redirection bandwidth limit percent
HDX MediaStream Multimedia Acceleration
HDX MediaStream Multimedia Acceleration
bandwidth limit or
HDX MediaStream Multimedia Acceleration
bandwidth limit percent
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.393
To limit bandwidth used f or
Client session
Use this policy setting
Overall session bandwidth limit
Printing
Printer redirection bandwidth limit or
Printer redirection bandwidth limit percent
T WAIN devices (such as a camera or scanner)
T WAIN device redirection bandwidth limit or
T WAIN device redirection bandwidth limit percent
USB devices
Client USB device redirection bandwidth limit or
Client USB device redirection bandwidth limit percent
Redirection of client drives and user devices
For this task
Use this policy setting
Control whether or not drives on the user device are
Auto connect client drives
connected when users log on to the server
Control cut-and-paste data transfer between the server and
Client clipboard redirection
the local clipboard
Control how drives map from the user device
Client drive redirection
Control whether users' local hard drives are available in a
Client fixed drives and
session
Client drive redirection
Control whether users' local floppy drives are available in a
Client floppy drives and
session
Client drive redirection
Control whether users' network drives are available in a
Client network drives and
session
Client drive redirection
Control whether users' local CD, DVD, or Blu-ray drives are
Client optical drives and
available in a session
Client drive redirection
Control whether users' local removable drives are available in
Client removable drives and
a session
Client drive redirection
Control whether users' T WAIN devices, such as scanners and
Client T WAIN device redirection
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.394
cameras, are available in a session and control compression
For this task
of image data transfers
Control whether USB devices are available in a session
T WAIN compression redirection
Use this policy setting
Client USB device redirection and
Client USB device redirection rules
Improve the speed of writing and copying files to a client
Use asynchronous writes
disk over a WAN
Content redirection
For this task
Use this policy setting
Control whether to use content redirection from the server
Host to client redirection
to the user device
Desktop UI
For this task
Use this policy setting
Control whether or not Desktop wallpaper is used in users'
Desktop wallpaper
sessions
View window contents while a window is dragged
View window contents while dragging
Graphics and multimedia
For this task
Use this policy setting
Control the maximum number of frames per second sent to
Target frame rate
user devices from virtual desktops
Control the visual quality of images displayed on the user
Visual quality
device
Control whether Flash content is rendered in sessions
Flash default behavior
Control whether websites can display Flash content when
Flash server-side content fetching URL list
accessed in sessions
Flash URL compatibility list
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.395
Flash video fallback prevention policy setting
Use this policy setting
Flash video fallback prevention error *.swf
For this task
Prioritize Multi-Stream network traffic
For this task
Use this policy setting
Specify ports for ICA traffic across multiple connections and establish network
Multi-Port policy
priorities
Enable support for multi-stream connections between servers and user devices
Multi-Stream (computer and user
settings)
Print
For this task
Use this policy setting
Control creation of client printers on the user device
Auto-create client printers and
Client printer redirection
Control the location where printer properties are stored
Printer properties retention
Control whether print requests are processed by the client
Direct connections to print servers
or the server
Control whether users can access printers connected to
Client printer redirection
their user devices
Control installation of native Windows drivers when
Automatic installation of in-box printer drivers
automatically creating client and network printers
Control when to use the Universal Printer Driver
Universal print driver usage
Choose a printer based on a roaming user's session
Default printer
information
Note: Policies cannot be used to enable a screen saver in a desktop or application session. For users who require screen
savers, the screen saver can be implemented on the user device.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.396
ICA policy settings
May 28 , 20 16
T he ICA section contains policy settings related to ICA listener connections and mapping to the clipboard.
Client clipboard redirection
T his setting allows or prevents the clipboard on the user device being mapped to the clipboard on the server.
By default, clipboard redirection is allowed.
To prevent cut-and-paste data transfer between a session and the local clipboard, select Prohibit. Users can still cut and
paste data between applications running in sessions.
After allowing this setting, configure the maximum allowed bandwidth the clipboard can consume in a client connection
using the Clipboard redirection bandwidth limit or the Clipboard redirection bandwidth limit percent settings.
Client clipboard write allowed f ormats
When the Restrict client clipboard write setting is Enabled, host clipboard data cannot be shared with the client endpoint
but you can use this setting to allow specific data formats to be shared with the client endpoint clipboard. To use this
setting, enable it and add the specific formats to be allowed.
T he following clipboard formats are system defined:
CF_T EXT
CF_BIT MAP
CF_MET AFILEPICT
CF_SYLK
CF_DIF
CF_T IFF
CF_OEMT EXT
CF_DIB
CF_PALET T E
CF_PENDAT A
CF_RIFF
CF_WAVE
CF_UNICODET EXT
CF_ENHMET AFILE
CF_HDROP
CF_LOCALE
CF_DIBV5
CF_OWNERDISPLAY
CF_DSPT EXT
CF_DSPBIT MAP
CF_DSPMET AFILEPICT
CF_DISPENHMET AFILE
T he following custom formats are predefined in XenApp and XenDesktop:
CFX_RICHT EXT
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.397
CFX_OfficeDrawingShape
CFX_BIFF8
Additional custom formats can be added. T he custom format name must match the formats to be registered with the
system. Format names are case-sensitive.
T his setting does not apply if either Client clipboard redirection or Restrict client clipboard write is set to Prohibited.
Desktop launches
T his setting allows or prevents non-administrative users in a VDA's Direct Access Users group connecting to a session on
that VDA using an ICA connections.
By default, non-administrative users cannot connect to these sessions.
T his setting has no effect on non-administrative users in a VDA's Direct Access Users group who are using a RDP
connection; these users can connect to the VDA whether this setting is enabled or disabled. T his setting has no effect on
non-administrative users not in a VDA's Direct Access Users group; these users cannot connect to the VDA whether this
setting is enabled or disabled.
ICA listener connection timeout
Note: T his setting applies only to these Virtual Delivery Agents: 5.0, 5.5, and 5.6 Feature Pack 1.
T his setting specifies the maximum wait time for a connection using the ICA protocol to be completed.
By default, the maximum wait time is 120000 milliseconds, or two minutes.
ICA listener port number
T his setting specifies the TCP/IP port number used by the ICA protocol on the server.
By default, the port number is set to 1494.
Valid port numbers must be in the range of 0-65535 and must not conflict with other well-known port numbers. If you
change the port number, restart the server for the new value to take effect. If you change the port number on the server,
you must also change it on every Receiver or plug-in that connects to the server.
Launching of non-published programs during client connection
T his setting specifies whether to allow launching initial applications through RDP on the server.
By default, launching initial applications through RDP on the server is not allowed.
Restrict client clipboard write
If this setting is Allowed, host clipboard data cannot be shared with the client endpoint. You can allow specific formats by
enabling the Client clipboard write allowed formats setting.
By default, this is set to Prohibited.
Restrict session clipboard write
When this setting is Allowed, client clipboard data cannot be shared within the user session. You can allow specific formats
by enabling the Session clipboard write allowed formats setting.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.398
By default, this is set to Prohibited.
Session clipboard write allowed f ormats
When the Restrict session clipboard write setting is Allowed, client clipboard data cannot be shared with session
applications, but you can use this setting to allow specific data formats to be shared with the session clipboard.
T he following clipboard formats are system defined:
CF_T EXT
CF_BIT MAP
CF_MET AFILEPICT
CF_SYLK
CF_DIF
CF_T IFF
CF_OEMT EXT
CF_DIB
CF_PALET T E
CF_PENDAT A
CF_RIFF
CF_WAVE
CF_UNICODET EXT
CF_ENHMET AFILE
CF_HDROP
CF_LOCALE
CF_DIBV5
CF_OWNERDISPLAY
CF_DSPT EXT
CF_DSPBIT MAP
CF_DSPMET AFILEPICT
CF_DISPENHMET AFILE
T he following custom formats are predefined in XenApp and XenDesktop:
CFX_RICHT EXT
CFX_OfficeDrawingShape
CFX_BIFF8
Additional custom formats can be added. T he custom format name must match the formats to be registered with the
system. Format names are case-sensitive.
T his setting does not apply if either the Client clipboard redirection setting or Restrict session clipboard write setting is set
to Prohibited.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.399
Auto Client Reconnect policy settings
May 28 , 20 16
T he Auto Client Reconnect section contains policy settings for controlling the automatic reconnection of sessions.
Auto client reconnect
T his setting allows or prevents automatic reconnection by the same client after a connection has been interrupted.
By default, automatic reconnection is allowed.
Allowing automatic reconnection allows users to resume working where they were interrupted when a connection was
broken. Automatic reconnection detects broken connections and then reconnects the users to their sessions.
However, automatic reconnection can result in a new session being launched (instead of reconnecting to an existing
session) if the Receiver's cookie, which contains the key to the session ID and credentials, is not used. T he cookie is not
used if it has expired, for example, because of a delay in reconnection, or if credentials must be reentered. Auto client
reconnect is not triggered if users intentionally disconnect.
For application sessions, when automatic reconnection is allowed, Receiver attempts to reconnect to the session until
there is a successful reconnection or the user cancels the reconnection attempts.
For desktop sessions, when automatic reconnection is allowed, Receiver attempts to reconnect to the session for a
specified period of time, unless there is a successful reconnection or the user cancels the reconnection attempts. By
default, this period of time is five minutes. To change this period of time, edit this registry on the user device:
HKLM\Software\Citrix\ICA Client\TransportReconnectRetryMaxTimeSeconds; DWORD;<seconds>
where <seconds> is the number of seconds after which no more attempts are made to reconnect the session.
Auto client reconnect authentication
T his setting requires authentication for automatic client reconnections.
By default, authentication is not required.
When a user initially logs on, their credentials are encrypted, stored in memory, and a cookie is created containing the
encryption key that is sent to Receiver. When this setting is configured, cookies are not used. Instead, a dialog box is
displayed to users requesting credentials when Receiver attempts to reconnect automatically.
Auto client reconnect logging
T his setting enables or disables the recording of auto client reconnections in the event log.
By default, logging is disabled.
When logging is enabled, the server's System log captures information about successful and failed automatic reconnection
events. A site does not provide a combined log of reconnection events for all servers.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.400
Audio policy settings
Jan 10 , 20 17
T he Audio section contains policy settings that permit user devices to send and receive audio in sessions without reducing
performance.
Audio over UDP real-time transport
T his setting allows or prevents the transmission and receipt of audio between the VDA and user device over RT P using the
User Datagram Protocol (UDP). When this setting is disabled, audio is sent and received over TCP.
By default, audio over UDP is allowed.
Audio Plug N Play
T his setting allows or prevents the use of multiple audio devices to record and play sound.
By default, the use of multiple audio devices is allowed.
T his setting applies only to Windows Server OS machines.
Audio quality
T his setting specifies the quality level of sound received in user sessions.
By default, sound quality is set to High - high definition audio.
T o control sound quality, choose one of the following options:
Select Low - for low speed connections for low-bandwidth connections. Sounds sent to the user device are compressed
up to 16 Kbps. T his compression results in a significant decrease in the quality of the sound but allows reasonable
performance for a low-bandwidth connection.
Select Medium - optimized for speech to deliver Voice over IP (VoIP) applications, to deliver media applications in
challenging network connections with lines less than 512 Kbps, or significant congestion and packet loss. T his codec
offers very fast encode time, making it ideal for use with softphones and Unified Communications applications when you
require server-side media processing.
Audio sent to the user device is compressed up to 64 Kbps; this compression results in a moderate decrease in the quality
of the audio played on the user device, while providing low latency and consuming low bandwidth. If VoIP quality is
unsatisfactory, ensure that the Audio over UDP Real-time Transport policy setting is set to Allowed.
Currently, Real-time Transport (RT P) over UDP is only supported when this audio quality is selected. Use this audio quality
even for delivering media applications for the challenging network connections like very low (less than 512Kbps) lines and
when there is congestion and packet loss in the network.
Select High - high definition audio for connections where bandwidth is plentiful and sound quality is important. Clients
can play sound at its native rate. Sounds are compressed at a high quality level maintaining up to CD quality, and using up
to 112 Kbps of bandwidth. T ransmitting this amount of data can result in increased CPU utilization and network
congestion.
Bandwidth is consumed only while audio is recording or playing. If both occur at the same time, the bandwidth consumption
is doubled.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.401
To specify the maximum amount of bandwidth, configure the Audio redirection bandwidth limit or the Audio redirection
bandwidth limit percent settings.
Client audio redirection
T his setting specifies whether applications hosted on the server can play sounds through a sound device installed on the
user device. T his setting also specifies whether users can record audio input.
By default, audio redirection is allowed.
After allowing this setting, you can limit the bandwidth consumed by playing or recording audio. Limiting the amount of
bandwidth consumed by audio can improve application performance but may also degrade audio quality. Bandwidth is
consumed only while audio is recording or playing. If both occur at the same time, the bandwidth consumption doubles. To
specify the maximum amount of bandwidth, configure the Audio redirection bandwidth limit or the Audio redirection
bandwidth limit percent settings.
On Windows Server OS machines, ensure that the Audio Plug N Play setting is Enabled to support multiple audio devices.
Important: Prohibiting Client audio redirection disables all HDX audio functionality.
Client microphone redirection
T his setting enables or disables client microphone redirection. When enabled, users can use microphones to record audio
input in a session.
By default, microphone redirection is allowed.
For security, users are alerted when servers that are not trusted by their devices try to access microphones. Users can
choose to accept or not accept access. Users can disable the alert on Citrix Receiver.
On Windows Server OS machines, ensure that the Audio Plug N Play setting is Enabled to support multiple audio devices.
If the Client audio redirection setting is disabled on the user device, this rule has no effect.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.402
Bandwidth policy settings
May 28 , 20 16
T he Bandwidth section contains policy settings to avoid performance problems related to client session bandwidth use.
Important: Using these policy settings with the Multi-Stream policy settings may produce unexpected results. If you use
Multi-Stream settings in a policy, ensure these bandwidth limit policy settings are not included.
Audio redirection bandwidth limit
T his setting specifies the maximum allowed bandwidth, in kilobits per second, for playing or recording audio in a user session.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the Audio redirection bandwidth limit percent setting, the most
restrictive setting (with the lower value) is applied.
Audio redirection bandwidth limit percent
T his setting specifies the maximum allowed bandwidth limit for playing or recording audio as a percentage of the total
session bandwidth.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the Audio redirection bandwidth limit setting, the most restrictive setting
(with the lower value) is applied.
If you configure this setting, you must also configure the Overall session bandwidth limit setting, which specifies the total
amount of bandwidth available for client sessions.
Client USB device redirection bandwidth limit
T his setting specifies the maximum allowed bandwidth, in kilobits per second, for the redirection of USB devices to and from
the client.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the Client USB device redirection bandwidth limit percent setting, the
most restrictive setting (with the lower value) is applied.
Client USB device redirection bandwidth limit percent
T his setting specifies the maximum allowed bandwidth for the redirection of USB devices to and from the client as a
percentage of the total session bandwidth.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the Client USB device redirection bandwidth limit setting, the most
restrictive setting (with the lower value) is applied.
If you configure this setting, you must also configure the Overall session bandwidth limit setting, which specifies the total
amount of bandwidth available for client sessions.
Clipboard redirection bandwidth limit
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.403
T his setting specifies the maximum allowed bandwidth, in kilobits per second, for data transfer between a session and the
local clipboard.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the Clipboard redirection bandwidth limit percent setting, the most
restrictive setting (with the lower value) is applied.
Clipboard redirection bandwidth limit percent
T his setting specifies the maximum allowed bandwidth for data transfer between a session and the local clipboard as a
percentage of the total session bandwidth.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the Clipboard redirection bandwidth limit setting, the most restrictive
setting (with the lower value) is applied.
If you configure this setting, you must also configure the Overall session bandwidth limit setting, which specifies the total
amount of bandwidth available for client sessions.
COM port redirection bandwidth limit
Note: For the Virtual Delivery Agent 7.x, configure this setting using the registry; see Configure COM Port and LPT Port
Redirection settings using the registry.
T his setting specifies the maximum allowed bandwidth in kilobits per second for accessing a COM port in a client
connection. If you enter a value for this setting and a value for the COM port redirection bandwidth limit percent setting,
the most restrictive setting (with the lower value) is applied.
COM port redirection bandwidth limit percent
Note: For the Virtual Delivery Agent 7.x, configure this setting using the registry; see Configure COM Port and LPT Port
Redirection settings using the registry.
T his setting specifies the maximum allowed bandwidth for accessing COM ports in a client connection as a percentage of
the total session bandwidth.
By default, no maximum (zero) is specified
If you enter a value for this setting and a value for the COM port redirection bandwidth limit setting, the most restrictive
setting (with the lower value) is applied.
If you configure this setting, you must also configure the Overall session bandwidth limit setting, which specifies the total
amount of bandwidth available for client sessions
File redirection bandwidth limit
T his setting specifies the maximum allowed bandwidth, in kilobits per second, for accessing a client drive in a user session.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the File redirection bandwidth limit percent setting, the most restrictive
setting (with the lower value) takes effect.
File redirection bandwidth limit percent
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.404
T his setting specifies the maximum allowed bandwidth limit for accessing client drives as a percentage of the total session
bandwidth.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the File redirection bandwidth limit setting, the most restrictive setting
(with the lower value) is applied.
If you configure this setting, you must also configure the Overall session bandwidth limit setting, which specifies the total
amount of bandwidth available for client sessions.
HDX MediaStream Multimedia Acceleration bandwidth limit
T his setting specifies the maximum allowed bandwidth limit, in kilobits per second, for delivering streaming audio and video
using HDX MediaStream Multimedia Acceleration.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the HDX MediaStream Multimedia Acceleration bandwidth limit percent
setting, the most restrictive setting (with the lower value) takes effect.
HDX MediaStream Multimedia Acceleration bandwidth limit percent
T his setting specifies the maximum allowed bandwidth for delivering streaming audio and video using HDX MediaStream
Multimedia Acceleration as a percentage of the total session bandwidth.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the HDX MediaStream Multimedia Acceleration bandwidth limit setting,
the most restrictive setting (with the lower value) takes effect.
If you configure this setting, you must also configure the Overall session bandwidth limit setting, which specifies the total
amount of bandwidth available for client sessions.
LPT port redirection bandwidth limit
Note: For the Virtual Delivery Agent 7.x, configure this setting using the registry; see Configure COM Port and LPT Port
Redirection settings using the registry.
T his setting specifies the maximum allowed bandwidth, in kilobits per second, for print jobs using an LPT port in a single user
session.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the LPT port redirection bandwidth limit percent setting, the most
restrictive setting (with the lower value) is applied.
LPT port redirection bandwidth limit percent
Note: For the Virtual Delivery Agent 7.x, configure this setting using the registry; see Configure COM Port and LPT Port
Redirection settings using the registry.
T his setting specifies the bandwidth limit for print jobs using an LPT port in a single client session as a percentage of the
total session bandwidth.
By default, no maximum (zero) is specified.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.405
If you enter a value for this setting and a value for the LPT port redirection bandwidth limit setting, the most restrictive
setting (with the lower value) is applied.
If you configure this setting, you must also configure the Overall session bandwidth limit setting, which specifies the total
amount of bandwidth available for client sessions.
Overall session bandwidth limit
T his setting specifies the total amount of bandwidth available, in kilobits per second, for user sessions.
T he maximum enforceable bandwidth cap is 10 Mbps (10,000 Kbps). By default, no maximum (zero) is specified.
Limiting the amount of bandwidth consumed by a client connection can improve performance when other applications
outside the client connection are competing for limited bandwidth.
Printer redirection bandwidth limit
T his setting specifies the maximum allowed bandwidth, in kilobits per second, for accessing client printers in a user session.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the Printer redirection bandwidth limit percent setting, the most
restrictive setting (with the lower value) is applied.
Printer redirection bandwidth limit percent
T his setting specifies the maximum allowed bandwidth for accessing client printers as a percentage of the total session
bandwidth.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the Printer redirection bandwidth limit setting, the most restrictive
setting (with the lower value) is applied.
If you configure this setting, you must also configure the Overall session bandwidth limit setting, which specifies the total
amount of bandwidth available for client sessions.
TWAIN device redirection bandwidth limit
T his setting specifies the maximum allowed bandwidth, in kilobits per second, for controlling T WAIN imaging devices from
published applications.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the T WAIN device redirection bandwidth limit percent setting, the most
restrictive setting (with the lower value) is applied.
TWAIN device redirection bandwidth limit percent
T his setting specifies the maximum allowed bandwidth for controlling T WAIN imaging devices from published applications as
a percentage of the total session bandwidth.
By default, no maximum (zero) is specified.
If you enter a value for this setting and a value for the T WAIN device redirection bandwidth limit setting, the most
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.406
restrictive setting (with the lower value) is applied.
If you configure this setting, you must also configure the Overall session bandwidth limit setting, which specifies the total
amount of bandwidth available for client sessions.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.407
Client sensors policy settings
May 28 , 20 16
T he Client Sensors section contains policy settings for controlling how mobile device sensor information is handled in a user
session.
Allow applications to use the physical location of the client device
T his setting determines whether applications running in a session on a mobile device are allowed to use the physical
location of the user device.
By default, the use of location information is prohibited
When this setting is prohibited, attempts by an application to retrieve location information return a "permission denied"
value.
When this setting is allowed, a user can prohibit use of location information by denying a Receiver request to access the
location. Android and iOS devices prompt at the first request for location information in each session.
When developing hosted applications that use the Allow applications to use the physical location of the client device
setting, consider the following:
A location-enabled application should not rely on location information being available because:
A user might not allow access to location information.
T he location might not be available or might change while the application is running.
A user might connect to the application session from a different device that does not support location information.
A location-enabled application must:
Have the location feature off by default.
Provide a user option to allow or disallow the feature while the application is running.
Provide a user option to clear location data that is cached by the application. (Receiver does not cache location data.)
A location-enabled application must manage the granularity of the location information so that the data acquired is
appropriate to the purpose of the application and conforms to regulations in all relevant jurisdictions.
A secure connection (for example, using SSL/T LS or a VPN) should be enforced when using location services. Citrix
Receiver should connect to trusted servers.
Consider obtaining legal advice regarding the use of location services.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.408
Desktop UI policy settings
Aug 0 8 , 20 16
T he Desktop UI section contains policy settings that control visual effects such as desktop wallpaper, menu animations,
and drag-and-drop images, to manage the bandwidth used in client connections. You can improve application performance
on a WAN by limiting bandwidth usage.
Desktop Composition Redirection
T his setting specifies whether to use the processing capabilities of the graphics processing unit (GPU) or integrated graphics
processor (IGP) on the user device for local DirectX graphics rendering to provide users with a more fluid Windows desktop
experience. When enabled, Desktop Composition Redirection delivers a highly responsive Windows experience while
maintaining high scalability on the server.
By default, Desktop Composition Redirection is disabled.
To turn off Desktop Composition Redirection and reduce the bandwidth required in user sessions, select Disabled when
adding this setting to a policy.
Desktop Composition Redirection graphics quality
T his setting specifies the quality of graphics used for Desktop Composition Redirection.
By default, this is set to high.
Choose from High, Medium, Low, or Lossless quality.
Desktop wallpaper
T his setting allows or prevents wallpaper showing in user sessions.
By default, user sessions can show wallpaper.
To turn off desktop wallpaper and reduce the bandwidth required in user sessions, select Prohibited when adding this
setting to a policy.
Menu animation
T his setting allows or prevents menu animation in user sessions.
By default, menu animation is allowed.
Menu animation is a Microsoft personal preference setting for ease of access. When enabled, it causes a menu to appear
after a short delay, either by scrolling or fading in. An arrow icon appears at the bottom of the menu. T he menu appears
when you point to that arrow.
Menu animation is enabled on a desktop if this policy setting is set to Allowed and the menu animation Microsoft personal
preference setting is enabled.
Note: Changes to the menu animation Microsoft personal preference setting are changes to the desktop. T his means that
if the desktop is set to discard changes when the session ends, a user who has enabled menu animations in a session may
not have menu animation available in subsequent sessions on the desktop. For users who require menu animation, enable
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.409
the Microsoft setting in the master image for the desktop or ensure that the desktop retains user changes.
View window contents while dragging
T his setting allows or prevents the display of window contents when dragging a window across the screen.
By default, viewing window contents is allowed.
When set to Allowed, the entire window appears to move when you drag it. When set to Prohibited, only the window
outline appears to move until you drop it.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.410
End user monitoring policy settings
May 28 , 20 16
T he End User Monitoring section contains policy settings for measuring session traffic.
ICA round trip calculation
T his setting determines whether ICA round trip calculations are performed for active connections.
By default, calculations for active connections are enabled.
By default, each ICA round trip measurement initiation is delayed until some traffic occurs that indicates user interaction.
T his delay can be indefinite in length and is designed to prevent the ICA round trip measurement being the sole reason for
ICA traffic.
ICA round trip calculation interval
T his setting specifies the frequency, in seconds, at which ICA round trip calculations are performed.
By default, ICA round trip is calculated every 15 seconds.
ICA round trip calculations f or idle connections
T his setting determines whether ICA round trip calculations are performed for idle connections.
By default, calculations are not performed for idle connections.
By default, each ICA round trip measurement initiation is delayed until some traffic occurs that indicates user interaction.
T his delay can be indefinite in length and is designed to prevent the ICA round trip measurement being the sole reason for
ICA traffic.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.411
Enhanced desktop experience policy setting
May 28 , 20 16
T he Enhanced Desktop Experience policy setting sessions running on server operating systems to look like local Windows 7
desktops, providing users with an enhanced desktop experience.
By default, this setting is allowed.
If a user profile with Windows Classic theme already exists on the virtual desktop, enabling this policy does not provide an
enhanced desktop experience for that user. If a user with a Windows 7 theme user profile logs on to a virtual desktop
running Windows Server 2012 for which this policy is either not configured or disabled, that user sees an error message
indicating failure to apply the theme.
In both cases, resetting the user profile resolves the issue.
If the policy changes from enabled to disabled on a virtual desktop with active user sessions, the look and feel of those
sessions is inconsistent with both the Windows 7 and Windows Classic desktop experience. To avoid this, ensure you restart
the virtual desktop after changing this policy setting. You must also delete any roaming profiles on the virtual desktop. Citrix
also recommends deleting any other user profiles on the virtual desktop to avoid inconsistencies between profiles.
If you are using roaming user profiles in your environment, ensure the Enhanced Desktop Experience feature is enabled or
disabled for all virtual desktops that share a profile.
Citrix does not recommend sharing roaming profiles between virtual desktops running server operating systems and client
operating systems. Profiles for client and server operating systems differ and sharing roaming profiles across both types can
lead to inconsistencies in profile properties when a user moves between the two.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.412
File Redirection policy settings
Oct 0 4 , 20 16
T he File Redirection section contains policy settings relating to client drive mapping and client drive optimization.
Auto connect client drives
T his setting allows or prevents automatic connection of client drives when users log on.
By default, automatic connection is allowed.
When adding this setting to a policy, make sure to enable the settings for the drive types you want automatically
connected. For example, to allow automatic connection of users' CD-ROM drives, configure this setting and the Client
optical drives setting.
T he following policy settings are related:
Client drive redirection
Client floppy drives
Client optical drives
Client fixed drives
Client network drives
Client removable drives
Client drive redirection
T his setting enables or disables file redirection to and from drives on the user device.
By default, file redirection is enabled.
When enabled, users can save files to all their client drives. When disabled, all file redirection is prevented, regardless of the
state of the individual file redirection settings such as Client floppy drives and Client network drives.
T he following policy settings are related:
Client floppy drives
Client optical drives
Client fixed drives
Client network drives
Client removable drives
Client fixed drives
T his setting allows or prevents users from accessing or saving files to fixed drives on the user device.
By default, accessing client fixed drives is allowed.
When adding this setting to a policy, make sure the Client drive redirection setting is present and set to Allowed. If these
settings are disabled, client fixed drives are not mapped and users cannot access these drives manually, regardless of the
state of the Client fixed drives setting.
To ensure fixed drives are automatically connected when users log on, configure the Auto connect client drives setting.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.413
Client floppy drives
T his setting allows or prevents users from accessing or saving files to floppy drives on the user device.
By default, accessing client floppy drives is allowed.
When adding this setting to a policy, make sure the Client drive redirection setting is present and set to Allowed. If these
settings are disabled, client floppy drives are not mapped and users cannot access these drives manually, regardless of the
state of the Client floppy drives setting.
To ensure floppy drives are automatically connected when users log on, configure the Auto connect client drives setting.
Client network drives
T his setting allows or prevents users from accessing and saving files to network (remote) drives through the user device.
By default, accessing client network drives is allowed.
When adding this setting to a policy, make sure the Client drive redirection setting is present and set to Allowed. If these
settings are disabled, client network drives are not mapped and users cannot access these drives manually, regardless of the
state of the Client network drives setting.
To ensure network drives are automatically connected when users log on, configure the Auto connect client drives setting.
Client optical drives
T his setting allows or prevents users from accessing or saving files to CD-ROM, DVD-ROM, and BD-ROM drives on the user
device.
By default, accessing client optical drives is allowed.
When adding this setting to a policy, make sure the Client drive redirection setting is present and set to Allowed. If these
settings are disabled, client optical drives are not mapped and users cannot access these drives manually, regardless of the
state of the Client optical drives setting.
To ensure optical drives are automatically connected when users log on, configure the Auto connect client drives setting.
Client removable drives
T his setting allows or prevents users from accessing or saving files to USB drives on the user device.
By default, accessing client removable drives is allowed.
When adding this setting to a policy, make sure the Client drive redirection setting is present and set to Allowed. If these
settings are disabled, client removable drives are not mapped and users cannot access these drives manually, regardless of
the state of the Client removable drives setting.
To ensure removable drives are automatically connected when users log on, configure the Auto connect client drives
setting.
Host to client redirection
T his setting enables or disables file type associations for URLs and some media content to be opened on the user device.
When disabled, content opens on the server.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.414
By default, file type association is disabled.
T hese URL types are opened locally when you enable this setting:
Hypertext T ransfer Protocol (HT T P)
Secure Hypertext T ransfer Protocol (HT T PS)
Real Player and QuickT ime (RT SP)
Real Player and QuickT ime (RT SPU)
Legacy Real Player (PNM)
Microsoft Media Server (MMS)
For more information, see the article on Host to client redirection.
Preserve client drive letters
T his setting enables or disables mapping of client drives to the same drive letter in the session.
By default, client drive letters are not preserved.
When adding this setting to a policy, make sure the Client drive redirection setting is present and set to Allowed.
Read-only client drive access
T his setting allows or prevents users and applications from creating or modifying files or folders on mapped client drives.
By default, files and folders on mapped client drives can be modified.
If set to Enabled, files and folders are accessible with read-only permissions.
When adding this setting to a policy, make sure the Client drive redirection setting is present and set to Allowed.
Special f older redirection
T his setting allows or prevents Citrix Receiver and Web Interface users to see their local Documents and Desktop special
folders from a session.
By default, special folder redirection is allowed.
T his setting prevents any objects filtered through a policy from having special folder redirection, regardless of settings that
exist elsewhere. When this setting is prohibited, any related settings specified for StoreFront, Web Interface, or Citrix
Receiver are ignored.
To define which users can have special folder redirection, select Allowed and include this setting in a policy filtered on the
users you want to have this feature. T his setting overrides all other special folder redirection settings.
Because special folder redirection must interact with the user device, policy settings that prevent users from accessing or
saving files to their local hard drives also prevent special folder redirection from working.
When adding this setting to a policy, make sure the Client fixed drives setting is present and set to Allowed.
Use asynchronous writes
T his setting enables or disables asynchronous disk writes.
By default, asynchronous writes are disabled.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.415
Asynchronous disk writes can improve the speed of file transfers and writing to client disks over WANs, which are typically
characterized by relatively high bandwidth and high latency. However, if there is a connection or disk fault, the client file or
files being written may end in an undefined state. If this happens, a pop-up window informs the user of the files affected.
T he user can then take remedial action such as restarting an interrupted file transfer on reconnection or when the disk
fault is corrected.
Citrix recommends enabling asynchronous disk writes only for users who need remote connectivity with good file access
speed and who can easily recover files or data lost in the event of connection or disk failure.
When adding this setting to a policy, make sure that the Client drive redirection setting is present and set to Allowed. If this
setting is disabled, asynchronous writes will not occur.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.416
Flash Redirection policy settings
May 28 , 20 16
T he Flash Redirection section contains policy settings for handling Flash content in user sessions.
Flash acceleration
T his setting enables or disables Flash content rendering on user devices instead of the server. By default, client-side Flash
content rendering is enabled.
Note: T his setting is used for legacy Flash redirection with the Citrix online plug-in 12.1.
When enabled, this setting reduces network and server load by rendering Flash content on the user device. Additionally, the
Flash URL compatibility list setting forces Flash content from specific websites to be rendered on the server.
On the user device, the Enable HDX MediaStream for Flash on the user device setting must be enabled as well.
When this setting is disabled, Flash content from all websites, regardless of URL, is rendered on the server. To allow only
certain websites to render Flash content on the user device, configure the Flash URL compatibility list setting.
Flash background color list
T his setting enables you to set key colors for given URLs.
By default, no key colors are specified.
Key colors appear behind client-rendered Flash and help provide visible region detection. T he key color specified should be
rare; otherwise, visible region detection might not work properly.
Valid entries consist of a URL (with optional wildcards at the beginning or end) followed by a 24-bit RGB color hexadecimal
code. For example: http://citrix.com 000003.
Ensure that the URL specified is the URL for the Flash content, which might be different from the URL of the website.
Warning
Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot
guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make
sure you back up the registry before you edit it.
On VDA machines running Windows 8 or Windows 2012, this setting might fail to set key colors for the URL. If this occurs,
edit the registry on the VDA machine.
For 32-bit machines, use this registry setting:
[HKEY_LOCAL_MACHINE\SOFT WARE\Citrix\HdxMediaStreamForFlash\Server\PseudoServer]
"ForceHDXFlashEnabled"=dword:00000001
For 64-bit machines, use this registry setting:
[HKEY_LOCAL_MACHINE\SOFT WARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer]
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.417
"ForceHDXFlashEnabled"=dword:00000001
Flash backwards compatibility
T his setting enables or disables the use of original, legacy Flash redirection features with older versions of Citrix Receiver
(formerly the Citrix online plug-in).
By default, this setting is enabled.
On the user device, the Enable HDX MediaStream for Flash on the user device setting must also be enabled.
Second generation Flash redirection features are enabled for use with Citrix Receiver 3.0. Legacy redirection features are
supported for use with the Citrix online plug-in 12.1. To ensure second generation Flash redirection features are used, both
the server and the user device must have second generation Flash redirection enabled. If legacy redirection is enabled on
either the server or the user device, legacy redirection features are used.
Flash def ault behavior
T his setting establishes the default behavior for second generation Flash acceleration.
By default, Flash acceleration is enabled.
T o configure this setting, choose one of the following options:
Enable Flash acceleration. Flash Redirection is used.
Block Flash Player. Flash Redirection and server-side rendering are not used. T he user cannot view any Flash content.
Disable Flash acceleration. Flash Redirection is not used. T he user can view server-side rendered Flash content if a version
of Adobe Flash Player for Windows Internet Explorer compatible with the content is installed on the server.
T his setting can be overridden for individual Web pages and Flash instances based on the configuration of the Flash URL
compatibility list setting. Additionally, the user device must have the Enable HDX MediaStream for Flash on the user device
setting enabled.
Flash event logging
T his setting enables Flash events to be recorded in the Windows application event log.
By default, logging is allowed.
On computers running Windows 7 or Windows Vista, a Flash redirection-specific log appears in the Applications and Services
Log node.
Flash intelligent f allback
T his setting enables or disables automatic attempts to employ server-side rendering for Flash Player instances where clientside rendering is either unnecessary or provides a poor user experience.
By default, this setting is enabled.
Flash latency threshold
T his setting specifies a threshold between 0-30 milliseconds to determine where Adobe Flash content is rendered.
By default, the threshold is 30 milliseconds.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.418
During startup, HDX MediaStream for Flash measures the current latency between the server and user device. If the
latency is under the threshold, HDX MediaStream for Flash is used to render Flash content on the user device. If the
latency is above the threshold, the network server renders the content if an Adobe Flash player is available there.
When enabling this setting, make sure the Flash backwards compatibility setting is also present and set to Enabled.
Note: Applies only when using HDX MediaStream Flash redirection in Legacy mode.
Flash video f allback prevention
T his setting specifies if and how "small" flash content is rendered and displayed to users.
By default, this setting is not configured.
To configure this setting, choose one of the following options:
Only small content. Only intelligent fallback content will be rendered on the server; other Flash content will be replaced
with an error *.swf.
Only small content with a supported client. Only intelligent fallback content will be rendered on the server if the
client is currently using Flash Redirection; other content will be replaced with an error *.swf.
No server side content. All content on the server will be replaced with an error *swf.
To use this policy setting you should specify an error *.swf file. T his error *.swf will replace any content that you do not
want to be rendered on the VDA.
Flash video f allback prevention error *.swf
T his setting specifies the URL of the error message which is displayed to users to replace Flash instances when the server
load management policies are in use. For example:
http://domainName.tld/sample/path/error.swf
Flash server-side content f etching URL list
T his setting specifies websites whose Flash content can be downloaded to the server and then transferred to the user
device for rendering.
By default, no sites are specified.
T his setting is used when the user device does not have direct access to the Internet; the server provides that connection.
Additionally, the user device must have the Enable server-side content fetching setting enabled.
Second generation Flash redirection includes a fallback to server-side content fetching for Flash .swf files. If the user device
is unable to fetch Flash content from a Web site, and the Web site is specified in the Flash server-side content fetching URL
list, server-side content fetching occurs automatically.
When adding URLs to the list:
Add the URL of the Flash application instead of the top-level HT ML page that initiates the Flash Player.
Use an asterisk (*) at the beginning or end of the URL as a wildcard.
Use a trailing wildcard to allow all child URLs (http://www.citrix.com/*).
T he prefixes http:// and https:// are used when present, but are not required for valid list entries.
Flash URL compatibility list
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.419
T his setting specifies the rules which determine whether Flash content on certain websites is rendered on the user device,
rendered on the server, or blocked from rendering.
By default, no rules are specified.
When adding URLs to the list:
Prioritize the list with the most important URLs, actions, and rendering locations at the top.
Use an asterisk (*) at the beginning or end of the URL as a wildcard.
Use a trailing wildcard to refer to all child URLs (http://www.citrix.com/*).
T he prefixes http:// and https:// are used when present, but are not required for valid list entries.
Add to this list websites whose Flash content does not render correctly on the user device and select either the Render
on Server or Block options.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.420
Graphics policy settings
May 28 , 20 16
T he Graphics section contains policy settings for controlling how images are handled in user sessions.
Display memory limit
T his setting specifies the maximum video buffer size in kilobytes for the session.
By default, the display memory limit is 65536 kilobytes.
For connections requiring more color depth and higher resolution, increase the limit. Calculate the maximum memory
required using the equation:
Memory depth in bytes = (color-depth-in-bits-per-pixel) / 8) * (vertical-resolution-in-pixels) * (horizontal-resolution-in-pixels).
For example, with a color depth of 32, vertical resolution of 600, and a horizontal resolution of 800, the maximum memory
required is (32 / 8) * (600) * (800) = 1920000 bytes, which yields a display memory limit of 1920 KB.
Color depths other than 32-bit are available only if the Legacy graphics mode policy setting is enabled.
HDX allocates only the amount of display memory needed for each session. So, if only some users require more than the
default, there is no negative impact on scalability by increasing the display memory limit.
Display mode degrade pref erence
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting specifies whether color depth or resolution degrades first when the session display memory limit is reached.
By default, color depth is degraded first.
When the session memory limit is reached, you can reduce the quality of displayed images by choosing whether color depth
or resolution is degraded first. When color depth is degraded first, displayed images use fewer colors. When resolution is
degraded first, displayed images use fewer pixels per inch.
To notify users when either color depth or resolution are degraded, configure the Notify user when display mode is
degraded setting.
Dynamic windows preview
T his setting enables or disables the display of seamless windows in Flip, Flip 3D, T askbar Preview, and Peek window preview
modes.
Windows Aero preview
option
Description
T askbar Preview
When the user hovers over a window's taskbar icon, an image of that window appears
above the taskbar.
Windows Peek
When the user hovers over a taskbar preview image, a full-sized image of the window
appears on the screen.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.421
Flip
Windows Aero preview
option
When
the user presses ALT +T AB, small preview icons are shown for each open window.
Description
Flip 3D
When the user presses T AB+Windows logo key, large images of the open windows
cascade across the screen.
By default, this setting is enabled.
Image caching
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting enables or disables the caching and retrieving of sections of images in sessions. Caching images in sections and
retrieving these sections when needed makes scrolling smoother, reduces the amount of data transmitted over the
network, and reduces the processing required on the user device.
By default, the image caching setting is enabled.
Note: T he image caching setting controls how images are cached and retrieved; it does not control whether images are
cached. Images are cached if the Legacy graphics mode setting is enabled.
Legacy graphics mode
T his setting disables the rich graphics experience, providing fallback to the legacy graphics experience to improve scalability
over a WAN or mobile connection.
By default, this setting is disabled and users are provided with the rich graphics experience.
Maximum allowed color depth
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting specifies the maximum color depth allowed for a session.
By default, the maximum allowed color depth is 32 bits per pixel.
T his setting applies only to T hinWire drivers and connections. It does not apply to VDAs that have a non-T hinWire driver as
the primary display driver, such as VDAs that use a Windows Display Driver Model (WDDM) driver as the primary display driver.
For Desktop OS VDAs using a WDDM driver as the primary display driver, such as Windows 8, this setting has no effect. For
Windows Server OS VDAs using a WDDM driver, such as Windows Server 2012 R2, this setting might prevent users from
connecting to the VDA.
Setting a high color depth requires more memory. To degrade color depth when the memory limit is reached, configure the
Display mode degrade preference setting. When color depth is degraded, displayed images use fewer colors.
Notif y user when display mode is degraded
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting displays a brief explanation to the user when the color depth or resolution is degraded.
By default, notifying users is disabled.
Queuing and tossing
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.422
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting discards queued images that are replaced by another image.
By default, queuing and tossing is enabled.
T his improves response when graphics are sent to the user device. Configuring this setting can cause animations to become
choppy because of dropped frames.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.423
Caching policy settings
May 28 , 20 16
T he Caching section contains policy settings that enable caching image data on user devices when client connections are
limited in bandwidth.
Persistent cache threshold
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting caches bitmaps on the hard drive of the user device. T his enables re-use of large, frequently-used images from
previous sessions.
By default, the threshold is 3000000 bits per second.
T he threshold value represents the point below which the Persistent Cache feature will take effect. For example, using the
default value, bitmaps are cached on the hard drive of the user device when bandwidth falls below 3000000 bps.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.424
Keep alive policy settings
May 28 , 20 16
T he Keep Alive section contains policy settings for managing ICA keep-alive messages.
ICA keep alive timeout
T his setting specifies the number of seconds between successive ICA keep-alive messages.
By default, the interval between keep-alive messages is 60 seconds.
Specify an interval between 1-3600 seconds in which to send ICA keep-alive messages. Do not configure this setting if your
network monitoring software is responsible for closing inactive connections.
ICA keep alives
T his setting enables or disables sending ICA keep-alive messages periodically.
By default, keep-alive messages are not sent.
Enabling this setting prevents broken connections from being disconnected. If the server detects no activity, this setting
prevents Remote Desktop Services (RDS) from disconnecting the session. T he server sends keep-alive messages every few
seconds to detect if the session is active. If the session is no longer active, the server marks the session as disconnected.
ICA keep-alive does not work if you are using session reliability. Configure ICA keep-alive only for connections that are not
using Session Reliability.
Related policy settings: Session reliability connections.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.425
Mobile experience policy settings
May 28 , 20 16
T he Mobile Experience section contains policy settings for handling the Citrix Mobility Pack.
Automatic keyboard display
T his setting enables or disables the automatic display of the keyboard on mobile device screens.
By default, the automatic display of the keyboard is disabled.
Launch touch-optimized desktop
T his setting is disabled and not available for Windows 10 machines.
T his setting determines the overall Receiver interface behavior by allowing or prohibiting a touch-friendly interface that is
optimized for tablet devices.
By default, a touch-friendly interface is used.
To use only the Windows interface, set this policy setting to Prohibited.
Remote the combo box
T his setting determines the types of combo boxes you can display in sessions on mobile devices. To display the devicenative combo box control, set this policy setting to Allowed. When this setting is allowed, a user can change a Receiver for
iOS session setting to use the Windows combo box.
By default, the Remote the combo box feature is prohibited.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.426
Multimedia policy settings
Apr 13, 20 17
T he Multimedia section contains policy settings for managing streaming audio and video in user sessions.
Limit video quality
T his setting specifies the maximum video quality level allowed for an HDX connection. When configured, maximum video
quality is limited to the specified value, ensuring that multimedia Quality of Service (QoS) is maintained within an
environment.
By default, this setting is not configured.
T o limit the maximum video quality level allowed, choose one of the following options:
1080p/8.5mbps
720p/4.0mbps
480p/720kbps
380p/400kbps
240p/200kbps
Note: Playing multiple videos simultaneously on the same server consumes large amounts of resources and may impact
server scalability.
Multimedia conf erencing
T his setting allows or prevents support for video conferencing applications.
By default, video conferencing support is allowed.
When adding this setting to a policy, make sure the Windows Media Redirection setting is present and set to Allowed.
When using multimedia conferencing, make sure the following conditions are met:
Manufacturer-supplied drivers for the web cam used for multimedia conferencing must be installed.
T he web cam must be connected to the user device before initiating a video conferencing session. T he server uses only
one installed web cam at any given time. If multiple web cams are installed on the user device, the server attempts to use
each web cam in succession until a video conferencing session is created successfully.
Optimization f or Windows Media multimedia redirection over WAN
T his setting enables real-time multimedia transcoding, allowing audio and video media streaming to mobile devices, and
enhancing the user experience by improving how Windows Media content is delivered over a WAN.
By default, the delivery of Windows Media content over the WAN is optimized.
When adding this setting to a policy, make sure the Windows Media Redirection setting is present and set to Allowed.
When this setting is enabled, real-time multimedia transcoding is deployed automatically as needed to enable media
streaming, providing a seamless user experience even in extreme network conditions.
Use GPU f or optimizing Windows Media multimedia redirection over WAN
T his setting enables real-time multimedia transcoding to be done in the Graphics Processing Unit (GPU) on the Virtual
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.427
Delivery Agent (VDA), to improve server scalability. GPU transcoding is available only if the VDA has a supported GPU for
hardware acceleration. Otherwise, transcoding falls back to the CPU.
Note: GPU transcoding is supported only on NVIDIA GPUs.
By default, using the GPU on the VDA to optimize the delivery of Windows Media content over the WAN is prohibited.
When adding this setting to a policy, make sure the Windows Media Redirection and Optimization for Windows Media
multimedia redirection over WAN settings are present and set to Allowed.
Windows media f allback prevention
Administrators can use the Windows media fallback prevention policy setting to specify the methods that will be
attempted to deliver streamed content to users.
By default, this setting is not configured. When the setting is set to Not Confgured, the behavior is the same as Play all
content.
To configure this setting, choose one of the following options:
Play all content. Attempt client-side content fetching, then Windows Media Redirection. If unsuccessful, play content
on the server.
Play all content only on client. Attempt client-side fetching, then Windows Media Redirection. If unsuccessful, the
content does not play.
Play only client-accessible content on client. Attempt only client-side fetching. If unsuccessful, the content does not
play.
When the content does not play, the error message "Company has blocked video because of lack of resources" displays in
the player window (for a default duration of 5 seconds).
T he duration of this error message can be customized with the following registry key on the VDA. If the registry entry does
not exist, the duration defaults to 5 seconds.
Windows Media client-side content f etching
T his setting enables a user device to stream multimedia files directly from the source provider on the Internet or Intranet,
rather than through the host server.
By default, the streaming of multimedia files to the user device direct from the source provider is allowed.
Allowing this setting improves network utilization and server scalability by moving any processing on the media from the
host server to the user device. It also removes the requirement that an advanced multimedia framework such as Microsoft
DirectShow or Media Foundation be installed on the user device; the user device requires only the ability to play a file from
a URL
When adding this setting to a policy, make sure the Windows Media Redirection setting is present and set to Allowed. If
this setting is disabled, the streaming of multimedia files to the user device direct from the source provider is also disabled.
Windows Media Redirection
T his setting controls and optimizes the way servers deliver streaming audio and video to users.
By default, the delivery of streaming audio and video to users is allowed.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.428
Allowing this setting increases the quality of audio and video rendered from the server to a level that compares with audio
and video played locally on a user device. T he server streams multimedia to the client in the original, compressed form and
allows the user device to decompress and render the media.
Windows Media redirection optimizes multimedia files that are encoded with codecs that adhere to Microsoft DirectShow,
DirectX Media Objects (DMO), and Media Foundation standards. To play back a given multimedia file, a codec compatible
with the encoding format of the multimedia file must be present on the user device.
By default, audio is disabled on Citrix Receiver. To allow users to run multimedia applications in ICA sessions, turn on audio or
give users permission to turn on audio in their Receiver interface.
Select Prohibited only if playing media using Windows Media redirection appears worse than when rendered using basic ICA
compression and regular audio. T his is rare but can happen under low bandwidth conditions, for example, with media with a
very low frequency of key frames.
Windows Media Redirection buf f er size
T his setting specifies a buffer size from 1 to 10 seconds for multimedia acceleration.
By default, the buffer size is 5 seconds.
Windows Media Redirection buf f er size use
T his setting enables or disables using the buffer size specified in the Windows Media Redirection buffer size setting.
By default, the buffer size specified is not used.
If this setting is disabled or if the Windows Media Redirection buffer size setting is not configured, the server uses the
default buffer size value (5 seconds).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.429
Multi-stream connections policy settings
May 28 , 20 16
T he Multi-Stream Connections section contains policy settings for managing Quality of Service (QoS) prioritization for
multiple ICA connections in a session.
Audio over UDP
T his setting allows or prevents audio over UDP on the server.
By default, audio over UDP is allowed on the server.
When enabled, this setting opens a UDP port on the server to support all connections configured to use Audio over UDP
Realtime Transport.
Audio UDP port range
T his setting specifies the range of port numbers (in the form lowest port number,highest port number) used by the Virtual
Delivery Agent (VDA) to exchange audio packet data with the user device. T he VDA attempts to use each UDP port pair to
exchange data with the user device, starting with the lowest and incrementing by two for each subsequent attempt. Each
port handles both inbound and outbound traffic.
By default, this is set to 16500,16509.
Multi-Port policy
T his setting specifies the TCP ports to be used for ICA traffic and establishes the network priority for each port.
By default, the primary port (2598) has a High priority.
When you configure ports, you can assign the following priorities:
Very High - for real-time activities, such as webcam conferences
High - for interactive elements, such as screen, keyboard, and mouse
Medium - for bulk processes, such as client drive mapping
Low - for background activities, such as printing
Each port must have a unique priority. For example, you cannot assign a Very High priority to both CGP port 1 and CGP port
3.
To remove a port from prioritization, set the port number to 0. You cannot remove the primary port and you cannot modify
its priority level.
When configuring this setting, restart the server. T his setting takes effect only when the Multi-Stream computer setting
policy setting is enabled.
Multi-Stream computer setting
T his setting enables or disables Multi-Stream on the server.
By default, Multi-Stream is disabled.
If you use Citrix Cloudbridge with Multi-Stream support in your environment, you do not need to configure this setting.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.430
Configure this policy setting when using third-party routers or legacy Branch Repeaters to achieve the desired Quality of
Service (QoS).
When configuring this setting, reboot the server to ensure changes take effect.
Important: Using this policy setting in conjunction with bandwidth limit policy settings such as Overall session bandwidth
limit may produce unexpected results. When including this setting in a policy, ensure that bandwidth limit settings are not
included.
Multi-Stream user setting
T his setting enables or disables Multi-Stream on the user device.
By default, Multi-Stream is disabled for all users.
T his setting takes effect only on hosts where the Multi-Stream computer setting policy setting is enabled.
Important: Using this policy setting with bandwidth limit policy settings such as Overall session bandwidth limit may produce
unexpected results. When including this setting in a policy, ensure that bandwidth limit settings are not included.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.431
Port redirection policy settings
May 28 , 20 16
T he Port Redirection section contains policy settings for client LPT and COM port mapping.
Note: For the Virtual Delivery Agent 7.x, configure these settings using the registry; see Configure COM Port and LPT Port
Redirection settings using the registry.
Auto connect client COM ports
T his setting enables or disables automatic connection of COM ports on user devices when users log on to a site.
By default, client COM ports are not automatically connected.
Auto connect client LPT ports
T his setting enables or disables automatic connection of LPT ports on user devices when users log on to a site.
By default, client LPT ports are not connected automatically.
Client COM port redirection
T his setting allows or prevents access to COM ports on the user device.
By default, COM port redirection is prohibited.
T he following policy settings are related:
COM port redirection bandwidth limit
COM port redirection bandwidth limit percent
Client LPT port redirection
T his setting allows or prevents access to LPT ports on the user device.
By default, LPT port redirection is prohibited.
LPT ports are used only by legacy applications that send print jobs to the LPT ports and not to the print objects on the
user device. Most applications today can send print jobs to printer objects. T his policy setting is necessary only for servers
that host legacy applications that print to LPT ports.
T he following policy settings are related:
LPT port redirection bandwidth limit
LPT port redirection bandwidth limit percent
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.432
Printing policy settings
May 28 , 20 16
T he Printing section contains policy settings for managing client printing.
Client printer redirection
T his setting controls whether client printers are mapped to a server when a user logs on to a session.
By default, client printer mapping is allowed. If this setting is disabled, the PDF printer for the session is not auto-created.
Related policy settings: auto-create client printers
Def ault printer
T his setting specifies how the default printer on the user device is established in a session.
By default, the user's current printer is used as the default printer for the session.
T o use the current Remote Desktop Services or Windows user profile setting for the default printer, select Do not adjust
the user's default printer. If you choose this option, the default printer is not saved in the profile and it does not change
according to other session or client properties. T he default printer in a session will be the first printer auto-created in the
session, which is either:
T he first printer added locally to the Windows server in Control Panel > Devices and Printers.
T he first auto-created printer, if there are no printers added locally to the server.
You can use this option to present users with the nearest printer through profile settings (known as proximity printing).
Printer assignments
T his setting provides an alternative to the Default printer and Session printers settings. Use the individual Default printer
and Session printers settings to configure behaviors for a site, large group, or organizational unit. Use the Printer
assignments setting to assign a large group of printers to multiple users.
T his setting specifies how the default printer on the listed user devices is established in a session.
By default, the user's current printer is used as the default printer for the session.
It also specifies the network printers to be auto-created in a session for each user device. By default, no printers are
specified.
When setting the default printer value:
To use the current default printer for the user device, select Do not adjust.
To use the current Remote Desktop Services or Windows user profile setting for the default printer, select Do no adjust.
If you choose this option, the default printer is not saved in the profile and it does not change according to other
session or client properties. T he default printer in a session will be the first printer auto-created in the session, which is
either:
T he first printer added locally to the Windows server in Control Panel > Devices and Printers.
T he first auto-created printer, if there are no printers added locally to the server.
When setting the session printers value: to add printers, type the UNC path of the printer you want to auto-create.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.433
After adding the printer, you can apply customized settings for the current session at every logon.
Printer auto-creation event log pref erence
T his setting specifies the events that are logged during the printer auto-creation process. You can choose to log no errors
or warnings, only errors, or errors and warnings.
By default, errors and warnings are logged.
An example of a warning is an event in which a printer’s native driver could not be installed and the Universal print driver is
installed instead. To use the Universal print driver in this scenario, configure the Universal print driver usage setting to Use
universal printing only or Use universal printing only if requested driver is unavailable.
Session printers
T his setting specifies the network printers to be auto-created in a session.
By default, no printers are specified.
To add printers, type the UNC path of the printer you want to auto-create. After adding the printer, you can apply
customized settings for the current session at every logon.
Wait f or printers to be created (server desktop)
T his setting allows or prevents a delay in connecting to a session so that server desktop printers can be auto-created.
By default, a connection delay does not occur.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.434
Client printers policy settings
May 28 , 20 16
T he Client Printers section contains policy settings for client printers, including settings to autocreate client printers, retain
printer properties, and connect to print servers.
Auto-create client printers
T his setting specifies the client printers that are auto-created. T his setting overrides default client printer auto-creation
settings.
By default, all client printers are auto-created.
T his setting takes effect only if the Client printer redirection setting is present and set to Allowed.
When adding this setting to a policy, select an option:
Auto-create all client printers automatically creates all printers on a user device.
Auto-create the client's default printer only automatically creates only the printer selected as the default printer on the
user device.
Auto-create local (non-network) client printers only automatically creates only printers directly connected to the user
device through an LPT , COM, USB, T CP/IP, or other local port.
Do not auto-create client printers turns off autocreation for all client printers when users log on. T his causes the
Remote Desktop Services (RDS) settings for autocreating client printers to override this setting in lower priority policies.
Auto-create generic universal printer
T his setting enables or disables autocreation of the generic Citrix Universal Printer object for sessions where a user device
compatible with Universal Printing is in use.
By default, the generic Universal Printer object is not autocreated.
T he following policy settings are related:
Universal print driver usage
Universal driver preference
Client printer names
T his setting selects the naming convention for auto-created client printers.
By default, standard printer names are used.
Select Standard printer names to use printer names such as "HPLaserJet 4 from clientname in session 3."
Select Legacy printer names to use old-style client printer names and preserve backward compatibility for users or groups
using MetaFrame Presentation Server 3.0 or earlier. An example of a legacy printer name is "Client/clientname#/HPLaserJet
4." T his option is less secure.
Note: T his option is provided only for backwards compatibility with legacy versions of XenApp and XenDesktop.
Direct connections to print servers
T his setting enables or disables direct connections from the virtual desktop or server hosting applications to a print server
for client printers hosted on an accessible network share.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.435
By default, direct connections are enabled.
Enable direct connections if the network print server is not across a WAN from the virtual desktop or server hosting
applications. Direct communication results in faster printing if the network print server and the virtual desktop or server
hosting applications are on the same LAN.
Disable direct connections if the network is across a WAN or has substantial latency or limited bandwidth. Print jobs are
routed through the user device where they are redirected to the network print server. Data sent to the user device is
compressed, so less bandwidth is consumed as the data travels across the WAN.
If two network printers have the same name, the printer on the same network as the user device is used.
Printer driver mapping and compatibility
T his setting specifies the driver substitution rules for auto-created client printers.
By default, no rules are specified.
When you define driver substitution rules, you can allow or prevent printers to be created with the specified driver.
Additionally, you can allow created printers to use only universal print drivers. Driver substitution overrides or maps printer
driver names the user device provides, substituting an equivalent driver on the server. T his gives server applications access to
client printers that have the same drivers as the server, but different driver names.
You can add a driver mapping, edit an existing mapping, override custom settings for a mapping, remove a mapping, or
change the order of driver entries in the list. When adding a mapping, enter the client printer driver name and then select
the server driver you want to substitute.
Printer properties retention
T his setting specifies whether or not to store printer properties and where to store them.
By default, the system determines if printer properties are stored on the user device, if available, or in the user profile.
When adding this setting to a policy, select an option:
Saved on the client device only is for user devices that have a mandatory or roaming profile that is not saved. Choose
this option only if all the servers in your farm are running XenApp 5 and above and your users are using Citrix online plug-in
versions 9 through 12.x, or Citrix Receiver 3.x.
Retained in user profile only is for user devices constrained by bandwidth (this option reduces network traffic) and logon
speed or for users with legacy plug-ins. T his option stores printer properties in the user profile on the server and prevents
any properties exchange with the user device. Use this option with MetaFrame Presentation Server 3.0 or earlier and
MetaFrame Presentation Server Client 8.x or earlier. Note that this is applicable only if a Remote Desktop Services (RDS)
roaming profile is used.
Held in profile only if not saved on client allows the system to determine where printer properties are stored. Printer
properties are stored either on the user device, if available, or in the user profile. Although this option is the most flexible,
it can also slow logon time and use extra bandwidth for system-checking.
Do not retain printer properties prevents storing printer properties.
Retained and restored client printers
T his setting enables or disables the retention and re-creation of printers on the user device. By default, client printers are
auto-retained and auto-restored.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.436
Retained printers are user-created printers that are created again, or remembered, at the start of the next session. When
XenApp recreates a retained printer, it considers all policy settings except the Auto-create client printers setting.
Restored printers are printers fully customized by an administrator, with a saved state that is permanently attached to a
client port.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.437
Drivers policy settings
May 28 , 20 16
T he Drivers section contains policy settings related to printer drivers.
Automatic installation of in-box printer drivers
T his setting enables or disables the automatic installation of printer drivers from the Windows in-box driver set or from
driver packages staged on the host using pnputil.exe /a.
By default, these drivers are installed as needed.
Universal driver pref erence
T his setting specifies the order in which universal printer drivers are used, beginning with the first entry in the list.
By default, the preference order is:
EMF
XPS
PCL5c
PCL4
PS
You can add, edit, or remove drivers, and change the order of drivers in the list.
Universal print driver usage
T his setting specifies when to use universal printing.
By default, universal printing is used only if the requested driver is unavailable.
Universal printing employs generic printer drivers instead of standard model-specific drivers, potentially simplifying the burden
of driver management on host computers. T he availability of universal print drivers depends on the capabilities of the user
device, host, and print server software. In certain configurations, universal printing might not be available.
When adding this setting to a policy, select an option:
Use only printer model specific drivers specifies that the client printer uses only the standard model-specific drivers that
are auto-created at logon. If the requested driver is unavailable, the client printer cannot be auto-created.
Use universal printing only specifies that no standard model-specific drivers are used. Only universal print drivers are used
to create printers.
Use universal printing only if requested driver is unavailable uses standard model-specific drivers for printer creation if they
are available. If the driver is not available on the server, the client printer is created automatically with the appropriate
universal driver.
Use printer model specific drivers only if universal printing is unavailable uses the universal print driver if it is available. If the
driver is not available on the server, the client printer is created automatically with the appropriate model-specific printer
driver.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.438
Universal Print Server policy settings
May 28 , 20 16
T he Universal Print Server section contains policy settings for handling the Universal Print Server.
Universal Print Server enable
T his setting enables or disables the Universal Print Server feature on the virtual desktop or the server hosting applications.
Apply this policy setting to Organizational Units (OUs) containing the virtual desktop or server hosting applications.
By default, the Universal Print Server is disabled.
When adding this setting to a policy, select one of the following options:
Enabled with f allback to Windows native remote printing. Network printer connections are serviced by the Universal
Print Server, if possible. If the Universal Print Server is not available, the Windows Print Provider is used. T he Windows Print
Provider continues to handle all printers previously created with the Windows Print Provider.
Enabled with no f allback to Windows native remote printing. Network printer connections are serviced by the
Universal Print Server exclusively. If the Universal Print Server is unavailable, the network printer connection fails. T his
setting effectively disables network printing through the Windows Print Provider. Printers previously created with the
Windows Print Provider are not created while a policy containing this setting is active.
Disabled. T he Universal Print Server feature is disabled. No attempt is made to connect with the Universal Print Server
when connecting to a network printer with a UNC name. Connections to remote printers continue to use the Windows
native remote printing facility.
Universal Print Server print data stream (CGP) port
T his setting specifies the TCP port number used by the Universal Print Server print data stream Common Gateway Protocol
(CGP) listener. Apply this policy setting only to OUs containing the print server.
By default, the port number is set to 7229.
Valid port numbers must be in the range of 1 to 65535.
Universal Print Server print stream input bandwidth limit (kpbs)
T his setting specifies the upper boundary (in kilobits per second) for the transfer rate of print data delivered from each print
job to the Universal Print Server using CGP. Apply this policy setting to OUs containing the virtual desktop or server hosting
applications.
By default, the value is 0, which specifies no upper boundary.
Universal Print Server web service (HTTP/SOAP) port
T his setting specifies the TCP port number used by the Universal Print Server's web service (HT T P/SOAP) listener. T he
Universal Print Server is an optional component that enables the use of Citrix universal print drivers for network printing
scenarios. When the Universal Print Server is used, printing commands are sent from XenApp and XenDesktop hosts to the
Universal Print Server via SOAP over HT T P. T his setting modifies the default TCP port on which the Universal Print Server
listens for incoming HT T P/SOAP requests.
You must configure both host and print server HT T P port identically. If you do not configure the ports identically, the host
software will not connect to the Universal Print Server. T his setting changes the VDA on XenApp and XenDesktop. In
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.439
addition, you must change the default port on the Universal Print Server.
By default, the port number is set to 8080.
Valid port numbers must be in the range of 0 to 65535.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.440
Universal printing policy settings
May 28 , 20 16
T he Universal Printing section contains policy settings for managing universal printing.
Universal printing EMF processing mode
T his setting controls the method of processing the EMF spool file on the Windows user device.
By default, EMF records are spooled directly to the printer.
When adding this setting to a policy, select an option:
Reprocess EMFs for printer forces the EMF spool file to be reprocessed and sent through the GDI subsystem on the
user device. You can use this setting for drivers that require EMF reprocessing but that might not be selected
automatically in a session.
Spool directly to printer, when used with the Citrix Universal print driver, ensures the EMF records are spooled and
delivered to the user device for processing. T ypically, these EMF spool files are injected directly to the client's spool
queue. For printers and drivers that are compatible with the EMF format, this is the fastest printing method.
Universal printing image compression limit
T his setting specifies the maximum quality and the minimum compression level available for images printed with the Citrix
Universal print driver.
By default, the image compression limit is set to Best quality (lossless compression).
If No Compression is selected, compression is disabled for EMF printing only.
When adding this setting to a policy, select an option:
No compression
Best quality (lossless compression)
High quality
Standard quality
Reduced quality (maximum compression)
When adding this setting to a policy that includes the Universal printing optimization defaults setting, be aware of the
following:
If the compression level in the Universal printing image compression limit setting is lower than the level defined in the
Universal printing optimization defaults setting, images are compressed at the level defined in the Universal printing image
compression limits setting.
If compression is disabled, the Desired image quality and Enable heavyweight compression options of the Universal
printing optimization defaults setting have no effect in the policy.
Universal printing optimization def aults
T his setting specifies the default values for printing optimization when the universal print driver is created for a session.
Desired image quality specifies the default image compression limit applied to universal printing. By default, Standard
Quality is enabled, meaning that users can only print images using standard or reduced quality compression.
Enable heavyweight compression enables or disables reducing bandwidth beyond the compression level set by Desired
image quality, without losing image quality. By default, heavyweight compression is disabled.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.441
Image and Font Caching settings specify whether or not to cache images and fonts that appear multiple times in the
print stream, ensuring each unique image or font is sent to the printer only once. By default, embedded images and fonts
are cached. Note that these settings apply only if the user device supports this behavior.
Allow non-administrators to modify these settings specifies whether or not users can change the default print
optimization settings within a session. By default, users are not allowed to change the default print optimization
settings.
Note: All of these options are supported for EMF printing. For XPS printing, only the Desired image quality option is
supported.
When adding this setting to a policy that includes the Universal printing image compression limit setting, be aware of the
following:
If the compression level in the Universal printing image compression limit setting is lower than the level defined in the
Universal printing optimization defaults setting, images are compressed at the level defined in the Universal printing image
compression limits setting.
If compression is disabled, the Desired image quality and Enable heavyweight compression options of the Universal
printing optimization defaults setting have no effect in the policy.
Universal printing preview pref erence
T his setting specifies whether or not to use the print preview function for auto-created or generic universal printers.
By default, print preview is not used for auto-created or generic universal printers.
When adding this setting to a policy, select an option:
Do not use print preview for auto-created or generic universal printers
Use print preview for auto-created printers only
Use print preview for generic universal printers only
Use print preview for both auto-created and generic universal printers
Universal printing print quality limit
T his setting specifies the maximum dots per inch (dpi) available for generating printed output in a session.
By default, No Limit is enabled, meaning users can select the maximum print quality allowed by the printer to which they
connect.
If this setting is configured, it limits the maximum print quality available to users in terms of output resolution. Both the print
quality itself and the print quality capabilities of the printer to which the user connects are restricted to the configured
setting. For example, if configured to Medium Resolution (600 DPI), users are restricted to printing output with a maximum
quality of 600 DPI and the Print Quality setting on the Advanced tab of the Universal Printer dialog box shows resolution
settings only up to and including Medium Quality (600 DPI).
When adding this setting to a policy, select an option:
Draft (150 DPI)
Low Resolution (300 DPI)
Medium Resolution (600 DPI)
High Resolution (1200 DPI)
No Limit
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.442
Security policy settings
Nov 27, 20 17
T he Security section contains the policy setting for configuring session encryption and encryption of logon data.
SecureICA minimum encryption level
T his setting specifies the minimum level at which to encrypt session data sent between the server and a user device.
Important:
For the Virtual Delivery Agent 7.x, this policy setting can be used only to enable the encryption of the logon data with RC5
128-bit encryption. Other settings are provided only for backwards compatibility with legacy versions of XenApp and
XenDesktop.
For the VDA 7.x, encryption of session data is set using the basic settings of the VDA's Delivery group. If Enable Secure ICA
is selected for the Delivery group, session data is encrypted with RC5 (128 bit) encryption. If Enable Secure ICA is not
selected for the Delivery group, session data is encrypted with Basic encryption.
When adding this setting to a policy, select an option:
Basic encrypts the client connection using a non-RC5 algorithm. It protects the data stream from being read directly, but
it can be decrypted. By default, the server uses Basic encryption for client-server traffic.
RC5 (128 bit) logon only encrypts the logon data with RC5 128-bit encryption and the client connection using Basic
encryption.
RC5 (40 bit) encrypts the client connection with RC5 40-bit encryption.
RC5 (56 bit) encrypts the client connection with RC5 56-bit encryption.
RC5 (128 bit) encrypts the client connection with RC5 128-bit encryption.
T he settings you specify for client-server encryption can interact with any other encryption settings in your environment
and your Windows operating system. If a higher priority encryption level is set on either a server or user device, settings you
specify for published resources can be overridden.
You can raise encryption levels to further secure communications and message integrity for certain users. If a policy requires
a higher encryption level, Receivers using a lower encryption level are denied connection.
SecureICA does not perform authentication or check data integrity. To provide end-to-end encryption for your site, use
SecureICA with SSL/T LS encryption.
SecureICA does not use FIPS-compliant algorithms. If this is an issue, configure the server and Receivers to avoid using
SecureICA.
SecureICA uses the RC5 block cipher as described in RFC 2040 for confidentiality. T he block size is 64 bits (a multiple of 32bit word units). T he key length is 128 bits. T he number of rounds is 12.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.443
Server limits policy settings
May 28 , 20 16
T he Server Limits section contains the policy setting for controlling idle connections.
Server idle timer interval
T his setting determines, in milliseconds, how long an uninterrupted user session is maintained if there is no input from the
user.
By default, idle connections are not disconnected (server idle timer interval = 0).
Note
When this policy setting is used, an "Idle timer expired" dialog box might appear to users when the session has been idle for the
specified time. T his is a Mircosoft dialog box that is not controlled by Citirx policy settings. For more information, see Knowledge
Center article CT X118618.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.444
Session limits policy settings
May 28 , 20 16
T he Session Limits section contains policy settings that control how long sessions remain connected before they are
forced to log off.
Disconnected session timer
T his setting enables or disables a timer that specifies how long a disconnected, locked desktop can remain locked before
the session is logged off.
By default, disconnected sessions are not logged off.
Disconnected session timer interval
T his setting specifies how many minutes a disconnected, locked desktop can remain locked before the session is logged off.
By default, the time period is 1440 minutes (24 hours).
Session connection timer
T his setting enables or disables a timer that specifies the maximum duration of an uninterrupted connection between a
user device and a desktop.
By default, this timer is disabled.
Session connection timer interval
T his setting specifies the maximum number of minutes for an uninterrupted connection between a user device and a
desktop.
By default, the maximum duration is 1440 minutes (24 hours).
Session idle timer
T his setting enables or disables a timer that specifies how long an uninterrupted user device connection to a desktop will be
maintained if there is no input from the user.
By default, this timer is enabled.
Session idle timer interval
T his setting specifies how many minutes an uninterrupted user device connection to a desktop will be maintained if there is
no input from the user.
By default, idle connections are maintained for 1440 minutes (24 hours).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.445
Session reliability policy settings
May 28 , 20 16
T he Session Reliability section contains policy settings for managing session reliability connections.
Session reliability connections
T his setting allows or prevents sessions to remain open during a loss of network connectivity.
By default, session reliability is allowed.
Session reliability keeps sessions active and on the user's screen when network connectivity is interrupted. Users continue
to see the application they are using until network connectivity resumes.
With session reliability, the session remains active on the server. To indicate that connectivity is lost, the user's display
freezes and the cursor changes to a spinning hourglass until connectivity is restored. T he user continues to access the
display during the interruption and can resume interacting with the application when the network connection is restored.
Session reliability reconnects users without reauthentication prompts. If you do not want users to be able to reconnect to
interrupted sessions without having to reauthenticate, configure the Auto client reconnect authentication setting to
require authentication. Users are then prompted to reauthenticate when reconnecting to interrupted sessions.
If you use both session reliability and auto client reconnect, the two features work in sequence. Session reliability closes (or
disconnects) the user session after the amount of time specified in the Session reliability timeout setting. After that, the
auto client reconnect settings take effect, attempting to reconnect the user to the disconnected session.
Session reliability port number
T his setting specifies the TCP port number for incoming session reliability connections.
By default, the port number is set to 2598.
Session reliability timeout
T his setting specifies the length of time, in seconds, the session reliability proxy waits for a user to reconnect before
allowing the session to be disconnected.
By default, this is set to 180 seconds, or three minutes.
Although you can extend the amount of time a session is kept open, this feature is designed to be convenient to the user
and it does not prompt the user for reauthentication. As you extend the amount of time a session is kept open, chances
increase that a user may get distracted and walk away from the user device, potentially leaving the session accessible to
unauthorized users.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.446
Time zone control policy settings
May 28 , 20 16
T he T ime Zone Control section contains policy settings related to using local time in sessions.
Estimate local time f or legacy clients
T his setting enables or disables estimating the local time zone of user devices that send inaccurate time zone information
to the server.
By default, the server estimates the local time zone when necessary.
T his setting is intended for use with legacy receivers or ICA clients that do not send detailed time zone information to the
server. When used with receivers that send detailed time zone information to the server, such as supported versions of
Receiver for Windows, this setting has no effect.
Use local time of client
T his setting determines the time zone setting of the user session. T his can be either the time zone of the user session or
the time zone of the user device.
By default, the time zone of the user session is used.
For this setting to take effect, enable the Allow time zone redirection setting in the Group Policy Editor (User Configuration
> Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device
and Resource Redirection).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.447
TWAIN devices policy settings
May 28 , 20 16
T he T WAIN devices section contains policy settings related to mapping client T WAIN devices, such as digital cameras or
scanners, and optimizing image transfers from server to client.
Note
T WAIN 2.0 is not currently supported.
Client TWAIN device redirection
T his setting allows or prevents users from accessing T WAIN devices on the user device from image processing applications
hosted on servers. By default, T WAIN device redirection is allowed.
T he following policy settings are related:
T WAIN compression level
T WAIN device redirection bandwidth limit
T WAIN device redirection bandwidth limit percent
TWAIN compression level
T his setting specifies the level of compression of image transfers from client to server. Use Low for best image quality,
Medium for good image quality, or High for low image quality. By default, medium compression is applied.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.448
USB devices policy settings
May 28 , 20 16
T he USB devices section contains policy settings for managing file redirection for USB devices.
Client USB device optimization rules
As of XenApp and XenDesktop 7.6 FP3 and LT SR, the Client USB device optimization rules can be applied to devices to
disable optimization, or to change the optimization mode.
When a user plugs in a USB input device, the host checks if the device is allowed by the USB policy settings. If the device is
allowed, the host then checks the Client USB device optimization rules for the device. If no rule is specified, then the
device is handled as Interactive mode (02). Capture mode (04) is the recommended mode for signature devices. See
descriptions below for available modes.
Good to know
For the use of Wacom signature pads and tablets, we recommend that you disable the screen saver. Steps on how to do
this are at the end of this section.
Support for the optimization of Wacom ST U signature pads and tablets series of products has been preconfigured in
the installation of XenApp and XenDesktop policies for XenApp and XenDesktop 7.6 FP3 and LT SR.
Signature devices work across XenApp and XenDesktop and do not require a driver to be used as a signature device.
Wacom has additional software that can be installed to customize the device further. See http://www.wacom.com/.
Drawing tablets. Certain drawing input devices may present as an HID device on PCI/ACPI buses and are not supported.
T hese devices should be attached on a USB host controller on the client to be redirected inside a XenDesktop session.
Policy rules take the format of tag=value expressions separated by whitespace. T he following tags are supported:
Tag Name
Description
Mode
T he optimization mode is supported for input devices for class=03.
Supported modes are:
No optimization - value 01.
Interactive mode - value 02. Recommended for devices such as pen
tablets and 3D Pro mice.
Capture mode - value 04 . Preferred for devices such as signature
pads.
VID
Vendor ID from the device descriptor
PID
Product ID from the device descriptor
REL
Release ID from the device descriptor
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.449
Class
Class from either the device descriptor or an interface descriptor
SubClass
Subclass from either the device descriptor or an interface descriptor
Prot
Protocol from either the device descriptor or an interface descriptor
Examples
Mode=00000004 VID=1230 PID=1230 class=03 #Input device operating in capture mode
Mode=00000002 VID=1230 PID=1230 class=03 #Input device operating in interactive mode (default)
Mode=00000001 VID=1230 PID=1230 class=03 #Input device operating without any optimization
Mode=00000100 VID=1230 PID=1230 # Device setup optimization disabled (default)
Mode=00000200 VID=1230 PID=1230 # Device setup optimization enabled
Disabling the optimization mode using a registry setting
T he optimization mode can be disabled system-wide by a registry flag:
HKLM\System\CurrentControlSet\Services\Icausbb\Parameters
DisableInputOptimization DWORD - set value to 1
A system restart is required for this registry change to take effect.
Disabling the screen saver f or Wacom signature pad devices
For the use of Wacom signature pads and tablets, we recommend that you disable the screen saver as follows:
1. Install the Wacom-STU-Driver after redirecting the device.
2. Install Wacom-STU-Display MSI to gain access to the signature pad control panel.
3. Go to Control Panel > Wacom STU Display > STU4 30 or STU530, and select the tab for your model.
4. Click Change, then select Yes when the UAC security window pops up.
5. Select Disable slideshow, then Apply.
Once the setting is set for one signature pad model, it is applied to all models.
Client USB device redirection
T his setting allows or prevents redirection of USB devices to and from the user device.
By default, USB devices are not redirected.
Client USB device redirection rules
T his setting specifies redirection rules for USB devices.
By default, no rules are specified.
When a user plugs in a USB device, the host device checks it against each policy rule in turn until a match is found. T he first
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.450
match for any device is considered definitive. If the first match is an Allow rule, the device is remoted to the virtual desktop.
If the first match is a Deny rule, the device is available only to the local desktop. If no match is found, default rules are used.
Policy rules take the format {Allow:|Deny:} followed by a set of tag= value expressions separated by whitespace. T he
following tags are supported:
Tag Name
Description
VID
Vendor ID from the device descriptor
PID
Product ID from the device descriptor
REL
Release ID from the device descriptor
Class
Class from either the device descriptor or an interface descriptor
SubClass
Subclass from either the device descriptor or an interface descriptor
Prot
Protocol from either the device descriptor or an interface descriptor
When creating new policy rules, remember:
Rules are case-insensitive.
Rules may have an optional comment at the end, introduced by #.
Blank and pure comment lines are ignored.
T ags must use the matching operator = (for example, VID=1230_.
Each rule must start on a new line or form part of a semicolon-separated list.
Refer to the USB class codes available from the USB Implementers Forum, Inc. web site.
Examples of administrator-defined USB policy rules:
Allow: VID=1230 PID=0007 # ANOther Industries, ANOther Flash Drive
Deny: Class=08 subclass=05 # Mass Storage
T o create a rule that denies all USB devices, use "DENY:" with no other tags.
Client USB plug and play device redirection
T his setting allows or prevents plug-and-play devices such as cameras or point-of-sale (POS) devices to be used in a client
session.
By default, plug-and-play device redirection is allowed. When set to Allowed, all plug-and-play devices for a specific user or
group are redirected. When set to Prohibited, no devices are redirected.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.451
Visual display policy settings
May 28 , 20 16
T he Visual Display section contains policy settings for controlling the quality of images sent from virtual desktops to the
user device.
Pref erred color depth f or simple graphics
Allows lowering of the color depth at which simple graphics are set to 16 bits per pixel, potentially improving
responsiveness over low bandwidth connections, at the cost of a slight degradation of image quality. T his option is
supported only when a video codec is not used to compress graphics.
By default, this is set to 24 bits per pixel.
Target f rame rate
T his setting specifies the maximum number of frames per second sent from the virtual desktop to the user device.
By default, the maximum is 30 frames per second.
Setting a high number of frames per second (for example, 30) improves the user experience, but requires more bandwidth.
Decreasing the number of frames per second (for example, 10) maximizes server scalability at the expense of user
experience. For user devices with slower CPUs, specify a lower value to improve the user experience.
Use video codec f or compression
Allows use of a video codec to compress graphics when video decoding is available on the endpoint. When video decoding is
not available on the endpoint, or when you specify Do not use video codec a combination of still image compression and
bitmap caching is used.
By default, this is set to Use video codec when available.
Visual quality
T his setting specifies the desired visual quality for images displayed on the user device.
By default, this is set to Medium.
T o specify the quality of images, choose one of the following options:
Low
Medium - Offers the best performance and bandwidth efficiency in most use cases
High - Recommended if you require visually lossless image quality
Build to lossless - Sends lossy images to the user device during periods of high network activity and lossless images
after network activity reduces; this setting improves performance over bandwidth-constrained network connections
Always lossless - In cases where preserving image data is vital (for example, when displaying X-ray images where no loss
of quality is acceptable), select Always lossless to ensure lossy data is never sent to the user device.
If the Legacy graphics mode setting is enabled, the Visual quality setting has no effect in the policy.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.452
Moving images policy settings
May 28 , 20 16
T he Moving Images section contains settings that enable you to remove or alter compression for dynamic images.
Minimum image quality
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting specifies the minimum acceptable image quality for Adaptive Display. T he less compression used, the higher the
quality of images displayed. Choose from Ultra High, Very High, High, Normal, or Low compression.
By default, this is set to Normal.
Moving image compression
T his setting specifies whether or not Adaptive Display is enabled. Adaptive Display automatically adjusts the image quality
of videos and transitional slides in slide shows based on available bandwidth. With Adaptive Display enabled, users should
see smooth-running presentations with no reduction in quality.
By default, Adaptive Display is enabled.
For VDA versions 7.0 through 7.6, this setting applies only when Legacy graphics mode is enabled. For VDA versions 7.6 FP1,
FP2, FP3, and LT SR, this setting applies when Legacy graphics mode is enabled, or when the legacy graphics mode is disabled
and a video codec is not used to compress graphics.
When legacy graphics mode is enabled, the session must be restarted before policy changes take effect. Adaptive Display is
mutually exclusive with Progressive Display; enabling Adaptive Display disables Progressive Display and vice versa. However,
both Progressive Display and Adaptive Display can be disabled at the same time. Progressive Display, as a legacy feature, is
not recommended for XenApp or XenDesktop. Setting Progressive threshold Level will disable Adaptive Display.
Progressive compression level
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting provides a less detailed but faster initial display of images.
By default, no progressive compression is applied.
T he more detailed image, defined by the normal lossy compression setting, appears when it becomes available. Use Very
High or Ultra High compression for improved viewing of bandwidth-intensive graphics such as photographs.
For progressive compression to be effective, its compression level must be higher than the Lossy compression level setting.
Note: T he increased level of compression associated with progressive compression also enhances the interactivity of
dynamic images over client connections. T he quality of a dynamic image, such as a rotating three-dimensional model, is
temporarily decreased until the image stops moving, at which time the normal lossy compression setting is applied.
T he following policy settings are related:
Progressive compression threshold value
Progressive heavyweight compression
Progressive compression threshold value
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.453
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting represents the maximum bandwidth in kilobits per second for a connection to which progressive compression is
applied. T his is applied only to client connections under this bandwidth.
By default, the threshold value is 2147483647 kilobits per second.
T he following policy settings are related:
Progressive compression threshold value
Progressive heavyweight compression
Target minimum f rame rate
T his setting specifies the minimum frame rate per second the system attempts to maintain, for dynamic images, under low
bandwidth conditions.
By default, this is set to 10fps.
For VDA versions 7.0 through 7.6, this setting applies only when Legacy graphics mode is enabled. For VDA versions 7.6 FP1,
FP2, FP3, and LT SR, this setting applies when the Legacy graphics mode is disabled or enabled.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.454
Still images policy settings
May 28 , 20 16
T he Still Images section contains settings that enable you to remove or alter compression for static images.
Extra color compression
T his setting enables or disables the use of extra color compression on images delivered over client connections that are
limited in bandwidth, improving responsiveness by reducing the quality of displayed images.
By default, extra color compression is disabled.
When enabled, extra color compression is applied only when the client connection bandwidth is below the Extra color
compression threshold value. When the client connection bandwidth is above the threshold value or Disabled is selected,
extra color compression is not applied.
Extra color compression threshold
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting represents the maximum bandwidth in kilobits per second for a connection below which extra color
compression is applied. If the client connection bandwidth drops below the set value, extra color compression, if enabled, is
applied.
By default, the threshold value is 8192 kilobits per second.
Heavyweight compression
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting enables or disables reducing bandwidth beyond progressive compression without losing image quality by using a
more advanced, but more CPU-intensive, graphical algorithm.
By default, heavyweight compression is disabled.
If enabled, heavyweight compression applies to all lossy compression settings. It is supported on Citrix Receiver but has no
effect on other plug-ins.
T he following policy settings are related:
Progressive compression level
Progressive compression threshold value
Lossy compression level
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting controls the degree of lossy compression used on images delivered over client connections that are limited in
bandwidth. In such cases, displaying images without compression can be slow.
By default, medium compression is selected.
For improved responsiveness with bandwidth-intensive images, use high compression. Where preserving image data is vital;
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.455
for example, when displaying X-ray images where no loss of quality is acceptable, you may not want to use lossy
compression.
Related policy setting: Lossy compression threshold value
Lossy compression threshold value
Note: For the Virtual Delivery Agent 7.x, this policy setting applies only when the Legacy graphics mode policy setting is
enabled.
T his setting represents the maximum bandwidth in kilobits per second for a connection to which lossy compression is
applied.
By default, the threshold value is 2147483647 kilobits per second.
Adding the Lossy compression level setting to a policy and including no specified threshold can improve the display speed of
high-detail bitmaps, such as photographs, over a LAN.
Related policy setting: Lossy compression level
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.456
WebSockets policy settings
May 28 , 20 16
T he WebSockets section contains policy settings for accessing virtual desktops and hosted applications with Receiver for
HT ML5. T he WebSockets feature increases security and reduces overhead by conducting two-way communication
between browser-based applications and servers without opening multiple HT T P connections.
WebSockets connections
T his setting allows or prohibits WebSockets connections.
By default, WebSocket connections are prohibited.
WebSockets port number
T his setting identifies the port for incoming WebSocket connections.
By default, the value is 8008.
WebSockets trusted origin server list
T his setting provides a comma-separated list of trusted origin servers, usually Receiver for Web, expressed as URLs. Only
WebSockets connections originating from one of these addresses is accepted by the server.
By default, the wildcard * is used to trust all Receiver for Web URLs.
If you choose to type an address in the list, use this syntax:
<protocol>://<Fully qualified domain name of host>:[port]
T he protocol should be HT T P or HT T PS. If the port is not specified, port 80 is used for HT T P and port 443 is used for
HT T PS.
T he wildcard * can be used within the URL, except as part of an IP address (10.105.*.*).
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.457
Load management policy settings
May 28 , 20 16
T he Load Management section contains policy settings for enabling and configuring load management between servers
delivering Windows Server OS machines.
Concurrent logon tolerance
T his setting specifies the maximum number of concurrent logons a server can accept.
By default, this is set to 2.
CPU usage
T his setting specifies the level of CPU usage, as a percentage, at which the server reports a full load. When enabled, the
default value at which the server reports a full load is 90%.
By default, this setting is disabled and CPU usage is excluded from load calculations.
CPU usage excluded process priority
T his setting specifies the priority level at which a process' CPU usage is excluded from the CPU Usage load index.
By default, this is set to Below Normal or Low.
Disk usage
T his setting specifies the disk queue length at which the server reports a 75% full load. When enabled, the default value for
disk queue length is 8.
By default, this setting is disabled and disk usage is excluded from load calculations.
Maximum number of sessions
T his setting specifies the maximum number of sessions a server can host. When enabled, the default setting for maximum
number of sessions a server can host is 250.
By default, this setting is enabled.
Memory usage
T his setting specifies the level of memory usage, as a percentage, at which the server reports a full load. When enabled, the
default value at which the server reports a full load is 90%.
By default, this setting is disabled and memory usage is excluded from load calculations.
Memory usage base load
T his setting specifies an approximation of the base operating system's memory usage and defines, in MB, the memory
usage below which a server is considered to have zero load.
By default, this is set to 768 MB.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.458
Profile management policy settings
May 28 , 20 16
T he Profile Management section contains policy settings for enabling profile management and specifying which groups to
include in and exclude from profile management processing.
Other information (such as the names of the equivalent .ini file settings and which version of profile management is required
for a policy setting) is available in Profile Management Policies.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.459
Advanced policy settings
May 28 , 20 16
T he Advanced settings section contains policy settings relating to the advanced configuration of Profile management.
Disable automatic configuration
T his setting enables profile management to examine your environment, for example, to check for the presence of Personal
vDisks and configure Group Policy accordingly. Only Profile management policies in the Not Configured state are adjusted,
so any customizations made previously are preserved. T his feature speeds up deployment and simplifies optimization. No
configuration of the feature is necessary, but you can disable automatic configuration when upgrading (to retain settings
from earlier versions) or when troubleshooting. Automatic configuration does not work in XenApp or other environments.
By default, automatic configuration is allowed.
If this setting is not configured here, the value from the .ini file is used.
If this setting is not configured here or in the .ini file, automatic configuration is turned on so Profile management settings
might change if your environment changes.
Log of f user if a problem is encountered
T his setting enables Profile management to log a user off if a problem is encountered; for example, if the user store is
unavailable. When enabled, an error message is displayed to the user before they are logged off. When disabled, users are
given a temporary profile.
By default, this setting is disabled and users are given a temporary profile if a problem is encountered.
If this setting is not configured here, the value from the .ini file is used.
If this setting is not configured here or in the .ini file, a temporary profile is provided.
Number of retries when accessing locked files
T his setting specifies the number of attempts Profile management makes to access locked files.
By default, this is set to five retries.
If this setting is not configured here, the value from the .ini file is used.
If this setting is not configured here or in the .ini file, the default value is used.
Process Internet cookie files on logof f
T his setting enables Profile management to process index.dat on logoff to remove Internet cookies left in the file system
after sustained browsing that can lead to profile bloat. Enabling this setting increases logoff times, so only enable it if you
experience this issue.
By default, this setting is disabled and Profile management does not process index.dat on logoff.
If this setting is not configured here, the value from the .ini file is used.
If this setting is not configured here or in the .ini file, no processing of Index.dat takes place.
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.460
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.461
Basic policy settings
May 28 , 20 16
T he Basic settings section contains policy settings relating to the basic configuration of Profile management.
Active write back
T his setting enables modified files and folders (but not registry settings) to be synchronized to the user store during a
session, before logoff.
By default, synchronization to the user store during a session is disabled.
If this setting is not configured here, the value from the .ini file is used.
If this setting is not configured here or in the .ini file, it is enabled.
Enable Profile management
T his setting enables Profile management to process logons and logoffs.
By default, this is setting is disabled to facilitate deployment.
Important: Citrix recommends enabling Profile management only after carrying out all other setup tasks and testing how
Citrix user profiles perform in your environment.
If this setting is not configured here, the value from the .ini file is used.
If this setting is not configured here or in the .ini file, Profile management does not process Windows user profiles in any
way.
Excluded groups
T his setting specifies which computer local groups and domain groups (local, global, and universal) are excluded from Profile
management processing.
When enabled, Profile management does not process members of the specified user groups.
By default, this setting is disabled and members of all user groups are processed.
Specify domain groups in the form <DOMAIN NAME>\<GROUP NAME>.
If this setting is not configured here, the value from the .ini file is used .
If this setting is not configured here or in the .ini file, members of all user groups are processed.
Of fline profile support
T his setting enables offline profile support, allowing profiles to synchronize with the user store at the earliest opportunity
after a network disconnection.
By default, support for offline profiles is disabled.
T his setting is applicable to laptop or mobile users who roam. When a network disconnection occurs, profiles remain intact
on the laptop or device even after restarting or hibernating. As mobile users work, their profiles are updated locally and are
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.462
synchronized with the user store when the network connection is re-established.
If this setting is not configured here, the value from the .ini file is used.
If this setting is not configured here or in the .ini file, support for offline profiles is disabled.
Path to user store
T his setting specifies the path to the directory (user store) in which user settings, such as registry settings and synchronized
files, are saved.
By default, the Windows directory on the home drive is used.
If this setting is disabled, user settings are saved in the Windows subdirectory of the home directory.
T he path can be:
A relative path.T his must be relative to the home directory, typically configured as the #homeDirectory# attribute for a
user in Active Directory.
An absolute UNC path. T his typically specifies a server share or a DFS namespace.
Disabled or unconf igured. In this case, a value of #homeDirectory#\Windows is assumed.
Use the following types of variables when configuring this policy setting:
System environment variables enclosed in percent signs (for example, %ProfVer%). Note that system environment
variables generally require additional setup.
Attributes of the Active Directory user object enclosed in hashes (for example, #sAMAccountName#).
Profile management variables. For more information, see the Profile management documentation.
You can also use the %username% and %userdomain% user environment variables and create custom attributes to fully
define organizational variables such as location or users. Attributes are case-sensitive.
Examples:
\\server\share\#sAMAccountName# stores the user settings to the UNC path \\server\share\JohnSmith (if
#sAMAccountName# resolves to JohnSmith for the current user)
\\server\profiles$\%USERNAME%.%USERDOMAIN%\!CT X_PROFILEVER!!CT X_OSBIT NESS! might expand to
\\server\profiles$\JohnSmith.DOMAINCONT ROLLER1\v2x64
Important: Whichever attributes or variables you use, check that this setting expands to the folder one level higher than
the folder containing NT USER.DAT . For example, if this file is contained in
\\server\profiles$\JohnSmith.Finance\v2x64\UPM_Profile, set the path to the user store as
\\server\profiles$\JohnSmith.Finance\v2x64, not the \UPM_Profile subfolder.
If this setting is not configured here, the value from the .ini file is used.
If this setting is not configured here or in the .ini file, the Windows directory on the home drive is used.
Process logons of local administrators
T his setting specifies whether or not logons of members of the BUILT IN\Administrators group are processed. T his allows
domain users with local administrator rights, typically users with assigned virtual desktops, to bypass processing, log on, and
troubleshoot a desktop experiencing problems with Profile management.
If this setting is disabled or not configured on server operating systems, Profile management assumes that logons by
domain users, but not local administrators, must be processed. On desktop operating systems, local administrator logons
https://docs.citrix.com
© 1999-2017 Citrix Systems, Inc. All rights reserved.
p.463
are processed.
By default this setting is disabled, and local administrator logons are not processed.
If this setting is not configured here, the value from the .ini file is used.
If this setting is not configured here or in the .ini file, local administrator logons are not processed.
Processed groups
T his setting specifies which computer local groups and domain groups (local, global, and universal) are included in Profile
management processing.
When enabled, Profile management processes only members of the specified user groups.
By default, this setting is disabled and members of all user groups are processed.
Specify domain groups in the form <DOMAIN NAME>\<GROUP NAME>.
If this setting