Category: Citrix

How to rein the Start Menu in Windows Server 2016

In this article I am going to show how to control or rein the start menu in Windows Server 2016. There are a lot of articles describing how to handle the start menu in Windows 10, but very few about Windows Server 2016.

Even though the steps are almost identical in Windows Server 2016 compared to Windows 10, there are a few differences. For instance in Windows Server 2016, you don’t have to remove all the “crap” applications, like Candy Crush, trial editions of Office etc. as they are simply not included with this operating system, as it is an LTSC edition of Windows Server.

Some of the best articles out there are written by James Kindon and James Rankin, I have followed these guys for quite a while, and they know what they are doing. Some of their guides can be found here:

James Kindon:
https://jkindon.com/2018/03/20/windows-10-start-menu-declutter-the-default/

James Rankin:
https://james-rankin.com/articles/management-of-start-menu-and-tiles-on-windows-10-and-server-2016-part-1/
https://james-rankin.com/articles/management-of-start-menu-and-tiles-on-windows-10-and-server-2016-part-2/

James Rankin’s article is great because it focuses on how to persist, or roam, the start menu. If you haven’t read it yet, it’s highly recommended.

Both James Rankin and James Kindon address the Start menu tiles, and historically these tiles have been the source of all kinds of issues since they were first introduced in Windows Server 2012/2012R2. But the start menu is not just tiles; it’s also part “old school” start menu, like the one we have in Windows 7, and this part of the start menu can be handled in a few different ways.

In this article I’ll cover 3 ways to handle the “old-school” part of the start menu. The “old school” part is the part in the red box below, also known as All Programs or Programs; in the green box we have the start menu tiles.

I will not be covering the different ways to handle the start menu tile configuration, as both James Kindon and James Rankin have provided excellent guides for that part.

The technologies used are Group Policy, Group Policy Preferences and Citrix Workspace Environment Management, so you will need to have some knowledge of these technologies, and a basic understanding of how a Windows profile works is also recommended.

I’ll be focusing on 3 different scenarios. Each scenario provides a certain level of usability, or lack thereof, in the start menu and start menu tiles sections.

Here is a “before” screenshot of how the start menu looks at the first logon with my test account:

This is a pretty default start menu, one I have seen in many Session Host setups. As you can see I have a range of different applications available to me in the Programs area of the start menu, and of course the default pinned application tiles.

Scenario 1 – Total lockdown

This configuration is by far the easiest one to set up and requires next to no work at all. It provides a clean start menu with no tiles and no visible applications other than Settings and Search.

Isn’t this the cleanest start menu you have ever seen?

This configuration can be achieved by configuring the “Remove common program group from Start Menu” setting, which can be found in:
User Configuration/Administrative Templates/Start Menu and Taskbar

You will also need to delete four folders in the user’s profile:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility

In this case I have configured each folder to be deleted via Citrix Workspace Environment Management like this:

Note that Citrix Workspace Environment Management doesn’t usually take Windows variables, like %APPDATA%, so in this case I have used the so-called dynamic token ##UserAppData##, which is the equivalent of %APPDATA%.

You will of course have to configure the “Delete Files/Folders” action type.

Repeat this process for the remaining three folders and don’t forget to assign the actions.

One major downside with this scenario is that you are not able to pin anything to the start menu, basically everything around pinning to start menu has been disabled. The reason for this is that Windows is using the Programs part of the Start Menu to provide the ability to pin applications to the start menu.

A possible use case for this scenario could be your users have gotten used to accessing everything via desktop shortcuts and don’t have the need or demand for using the start menu or start menu tiles.

Scenario 2 – Moderate Lockdown

This configuration requires a bit more work. We will have to use another group policy setting, delete some files in the All Users profile, and also delete the folders mentioned above in scenario 1.
This scenario relies entirely on pinned applications.

Here you’ll notice that the Programs area of the start menu has disappeared:

That can be achieved via the group policy setting:
“Remove All programs list from the Start menu” which can be found in:
User Configuration/Administrative Templates/Start Menu and Taskbar

The “Remove and disable setting” option does what it says: it removes and disables the Programs area of the Start Menu.

If you do not have the Remove and Disable setting available, you may need to get the latest Windows 10 administrative templates.

We are not quite there yet, because we still have 4 tiles in the start menu that we need to get rid of. To remove these tiles we will have to delete the shortcuts, or .lnk files, in the All Users start menu folder. Please keep in mind that this affects ALL users logging on to the Session Host server, including administrative users.

The paths to the .lnk files in question:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Server Manager.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Task Manager.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Event Viewer.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk

How you go about deleting these files is entirely up to you. You could delete them within your Golden Image, or you could delete them via Group Policy Preferences, or a script:
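A script version of this cleanup, written as an added example and not the author's own script: it removes either the four All Users shortcuts listed above or the four per-user folders from scenario 1, copying each item to a backup folder first. The paths come from the article; the `-Scope` and `-BackupRoot` parameters and the backup folder names are assumptions made for this example.

```powershell
# Added example, not the author's script. Paths come from the article;
# the parameters and backup folder names are assumptions for this example.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Machine: the four All Users .lnk files (run elevated, e.g. in the golden image).
    # User:    the four per-user folders from scenario 1 (run in the user's context).
    [ValidateSet('Machine', 'User')]
    [string]$Scope = 'Machine',

    # Removed items are copied here first so the change can be reverted.
    [string]$BackupRoot
)

if ($Scope -eq 'Machine') {
    $root  = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
    $items = 'Server Manager.lnk',
             'System Tools\Task Manager.lnk',
             'Administrative Tools\Event Viewer.lnk',
             'Accessories\Remote Desktop Connection.lnk'
    if (-not $BackupRoot) { $BackupRoot = Join-Path $env:ProgramData 'StartMenuBackup' }
}
else {
    $root  = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'
    $items = 'Windows PowerShell', 'System Tools', 'Accessories', 'Accessibility'
    if (-not $BackupRoot) { $BackupRoot = Join-Path $env:LOCALAPPDATA 'StartMenuBackup' }
}

$results = foreach ($item in $items) {
    $path   = Join-Path $root $item
    $status = 'NotPresent'

    if (Test-Path -LiteralPath $path) {
        if ($PSCmdlet.ShouldProcess($path, 'Back up and remove')) {
            try {
                # Recreate the item's relative location under the backup root.
                $backupDir = Split-Path (Join-Path $BackupRoot $item) -Parent
                New-Item -ItemType Directory -Path $backupDir -Force -ErrorAction Stop | Out-Null
                Copy-Item -LiteralPath $path -Destination $backupDir -Recurse -Force -ErrorAction Stop
                Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
                $status = 'Removed'
            }
            catch {
                # Typical cause: not elevated when touching the All Users folder.
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        else {
            $status = 'Skipped'   # -WhatIf, or a declined -Confirm prompt
        }
    }

    [pscustomobject]@{ Scope = $Scope; Path = $path; Status = $status }
}

# One object per item, so the result can be logged or checked by a deployment tool.
$results
```

Running it with `-WhatIf` first lists what would be removed without changing anything.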

Be aware that this procedure may only work on NEW Windows profiles. If this is implemented when a user’s profile has already been created, you will most likely see this:

The only way I have managed to get rid of these white boxes is to either manually unpin the tiles or reset the user’s profile.

New users logging on should now see this:

A nice clean start menu, where the tiles area is active and ready for some pinning.

With a little help from Citrix Workspace Environment Manager we can populate the start menu with some application shortcut tiles:

If the user manages to pin an application to the start menu, the configuration of your current profile management solution will decide whether this is roamed or not. The guide from James Rankin covers how to configure different profile management solutions to roam the start menu tiles. Also keep in mind that the reason the pinning of the applications works is that the All Users Programs folder is still available in the file system; it’s just hidden in the start menu. So if you want to pin other applications, you need to create the application shortcuts in the All Users Programs folder and then use Citrix Workspace Environment Management to pin them.

Scenario 3 – Minimal Lockdown

This solution is in my opinion the most flexible solution, as it enables us to have more or less full control of the start menu and its appearance. With this solution we’ll use Citrix Workspace Environment Management to build a start menu and group the different application shortcuts.

Here we have a start menu without the shortcuts from the All Programs or any tiles, both areas are nice and clean. The Search and Settings shortcuts are, in my opinion, harmless as Search only opens the search bar in the start menu, and settings can be locked down via Group Policy or registry, and is also available via the gears button.

To achieve this, we have to clear out everything in the All Users start menu folder, this can be done within the Golden Image or via Group Policy Preferences. Again keep in mind that this affects every user logging on to the Session Host, administrative users included.
The folders mentioned in scenario 1 will also have to be removed in this step, in order to remove all start menu tiles.

The path to the All Users start menu is:

C:\ProgramData\Microsoft\Windows\Start Menu

In here you will need to delete everything in the Programs folder, or delete the Programs folder itself; just remember to create the Programs folder again and leave it empty.

I have created two Folders GPPs. The first one deletes everything within the Programs folder and the Programs folder itself, the configuration looks like this:

And to make sure that it only runs once, I have checked “Apply once and do not reapply”.

The second one creates an empty Programs folder.

Now we bring in Citrix Workspace Environment Management to populate the start menu with application shortcuts.

Just look at this! Doesn’t it bring tears to your eyes?

Citrix Workspace Environment Management is great at populating the start menu, and provides a range of different possibilities for grouping application shortcuts etc.

You can also use Citrix Workspace Environment Management to populate the start menu with application tiles, however this is where things become a bit sketchy. As mentioned, you can only pin applications to the start menu when the application shortcut exists in the start menu. So when we use Citrix Workspace Environment Management to populate or build the start menu, the tiles will not show up until the next logon, because the application shortcuts are also being created during the logon.
You can configure the “Enforce Applications Processing” in the Citrix Workspace Environment Management console:

With that enabled you will see both start menu applications and applications tiles, during the first logon, however you will probably notice that the tiles move around in the start menu tile area after each logon. The reason for this is that we now enforce the application shortcut creation with every logon, so depending on which application shortcut gets created first, this will also be the one to get pinned first.

This concludes the article. Reining the start menu in Windows Server 2016 can be a daunting task, but if you have Group Policy, Group Policy Preferences AND Citrix Workspace Environment Management in your arsenal of tools, you will now be able to combine these to provide a great start menu configuration for your environment.

How to prevent Citrix Workspace App popups

The other day a coworker approached me to get a solution that would suppress the popup boxes you get, after a successful Citrix Workspace App install.

The first popup you see is this “Add Account” popup box:

The second popup box you see, is this “Citrix Receiver is now Citrix Workspace App” popup box:

Both popup boxes appear after a reboot of the computer and they both require user interaction, to make them go away.

Some may argue that it’s just one or two clicks and you’ll never see them again, I have however seen that at least the “Add Account” popup box can confuse the user and even trigger a support call. So why bother the user with these popup boxes and potentially generate more support tickets?

According to Citrix you are able to remove the “Add Account” popup box by using a combination of command line switches and registry changes:
https://support.citrix.com/article/CTX135438

This works, I have used it plenty of times and it’s easy to implement when you have 100% control over the computer via a deployment system and/or group policy.

However, the command line switch /ALLOWADDSTORE=N prevents any manually configured stores from being added to the list of accounts in Citrix Workspace App. Usually that’s not an issue in a 100% managed environment, as we are able to push Citrix StoreFront store account information to the Citrix Workspace App, either via command line switches or via GPO.

But if you are in a situation where you want to remove the popup boxes, but you don’t want to restrict the manual Citrix StoreFront store account configuration, you need to apply a few registry keys and values in HKCU and not HKLM, as described in the Citrix article.

First off. To remove the “Add Account” via HKCU (User context), apply these registry fixes:
HKEY_CURRENT_USER\Software\Citrix\Receiver
HideAddAccountOnRestart=1

HKEY_CURRENT_USER\Software\Citrix\Receiver
EnableFTU=0


Both values are DWORD values.

To remove the “Citrix Receiver is now Citrix Workspace App” popup box apply this registry fix:
HKEY_CURRENT_USER\Software\Citrix\Splashscreen
SplashscreenShown=1

This value is a string or REG_SZ value.
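The three values above can be applied and checked from a logon script running in the user's context. This is an added example, not taken from the Citrix article or the author's tooling; key paths, value names, data and types are the ones listed above, and the function names are made up for the example. It checks the value type as well as the data, since `SplashscreenShown` is a string while the other two are DWORDs.

```powershell
# Added example. Key paths, value names, data and types are the ones listed in
# the article; the function names are hypothetical.
$settings = @(
    @{ Key = 'HKCU:\Software\Citrix\Receiver';     Name = 'HideAddAccountOnRestart'; Type = 'DWord';  Value = 1   }
    @{ Key = 'HKCU:\Software\Citrix\Receiver';     Name = 'EnableFTU';               Type = 'DWord';  Value = 0   }
    @{ Key = 'HKCU:\Software\Citrix\Splashscreen'; Name = 'SplashscreenShown';       Type = 'String'; Value = '1' }
)

function Test-PopupSetting {
    # True only when the value exists with the expected type AND the expected data.
    param([hashtable]$Setting)

    $key = Get-Item -LiteralPath $Setting.Key -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    if ($key.GetValueNames() -notcontains $Setting.Name) { return $false }

    $kindOk = $key.GetValueKind($Setting.Name).ToString() -eq $Setting.Type
    $dataOk = $key.GetValue($Setting.Name) -eq $Setting.Value
    return ($kindOk -and $dataOk)
}

function Set-PopupSetting {
    param([hashtable]$Setting)

    # Create the key only when it is missing, so existing values in it are kept.
    if (-not (Test-Path -LiteralPath $Setting.Key)) {
        New-Item -Path $Setting.Key -Force | Out-Null
    }
    # -Force overwrites an existing value, including one stored with the wrong type.
    New-ItemProperty -LiteralPath $Setting.Key -Name $Setting.Name `
        -PropertyType $Setting.Type -Value $Setting.Value -Force | Out-Null
}

$report = foreach ($s in $settings) {
    $before = Test-PopupSetting $s
    if (-not $before) { Set-PopupSetting $s }

    [pscustomobject]@{
        Value           = '{0}\{1}' -f $s.Key, $s.Name
        ExpectedType    = $s.Type
        CompliantBefore = $before
        CompliantAfter  = Test-PopupSetting $s
    }
}

$report
```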

I have tested this procedure on Windows 10 v1809, Windows Server 2016 and Windows Server 2019 with Citrix Workspace App 1812.

Try it out and silence that Citrix Workspace App!


Citrix Published Apps migration script

Recently I was working on a XenApp and XenDesktop 7.9 upgrade project. The customer didn’t want to touch the existing 7.9 environment, as it was a production environment with around 1000 concurrent users from different parts of the world. Instead a new XenApp and XenDesktop 7.18 site was created and we had to create everything manually in the new site.

Fortunately, besides the published applications, there really wasn’t much to be done. We had to create a couple of Machine Catalogs and a few Delivery Groups. However, the customer had 50+ published applications, and it would take quite a while to create those by hand.

As it turned out, the customer couldn’t wait for me to develop this script, so I actually didn’t test it out in that specific environment. However that didn’t stop me from finishing the script, as I expect more 7.x to 7.x or 7.x to 1808 and later migration projects in the future.

As I wasn’t able to find any useful tools from Citrix to help me migrate a 7.x site to another 7.x site, I decided to write my own script, with some inspiration from some older scripts I had used earlier.

The script can be found here:

Copy the code above and save it to a file called Migrate-XAapps.ps1. The script contains basic information on usage and also examples of the different switches and parameters that can be used.

Let me know if you experience any issues. As mentioned in the script, I have tested the code on XenApp and XenDesktop 7.6 LTSR CU6, XenApp and XenDesktop 7.9 and Citrix Virtual Apps and Desktops 1808 and I haven’t run into any issues, however I have probably not covered every possible published application scenario out there.

Internet Explorer Tracking Protection

One of the most overlooked features of Internet Explorer is the Tracking Protection feature. Tracking Protection is a feature that prevents websites from tracking your browsing behavior. Say, for instance, you search for a new Synology NAS box in Google. Suddenly a lot of NAS-related ads appear in your Facebook feed and on various other ad-driven sites. That’s basically tracking: someone somewhere now knows that you are in the market for a new NAS.

However, Tracking Protection also prevents all ads, flash content and the like from being loaded when accessing a website. This means that in most cases websites will load faster and not consume as many system resources.

In this blog I will cover how to enable Tracking Protection and why I recommend doing this, especially in a multiuser scenario.

Up until a few years ago my preferred browser was Internet Explorer. Actually, besides the good old days with Netscape Navigator, I have always used Internet Explorer when browsing the internet. I am not trying to start yet another browser war here, but the alternatives like Google Chrome, Mozilla Firefox or Opera never really appealed to me. I had gotten used to working with Internet Explorer and liked, and still like, the way it works.

However, as Windows 10 was released we received a new browser called Edge. Edge is supposed to be the successor of Internet Explorer and, at least for my part, that is the case, but according to various sites here and here, it doesn’t look like Edge is getting favoured by many people; it’s still Google Chrome that’s topping the lists as the most preferred browser.

Even though Google Chrome may be the most preferred browser, this is usually not the case in a multiuser setup like Citrix XenApp or Microsoft RDS, as we would like to provide a secure and consistent user experience, and that includes the browsing experience as well. We can, via group policy, lock almost everything in Internet Explorer down, which gives us total control of what parts of Internet Explorer the user can access and/or configure. Any Internet Explorer security updates, or just regular feature updates, are all maintained either via the Microsoft Update site or via an internal Windows Server Update Service (WSUS) server, which means that during our regular Windows operating system maintenance we get updates for Internet Explorer as well as any other relevant Microsoft software.

So how does it work?

How to configure Tracking Protection manually:

First we need to enable Tracking Protection in Internet Explorer:

Click – Tools -> Internet Options – Programs

Click – Manage add-ons

Click – Get a Tracking Protection List online…

This should bring you to this site – http://iegallery.com/da/trackingprotectionlists/ (or a similar-looking URL based on your region)

That site errors out, way to go Microsoft!

This has been an issue for at least 6 months, maybe more, and it doesn’t look like Microsoft is going to fix it anytime soon.

So what we need to do instead, is to go to this URL – https://www.microsoft.com/en-us/iegallery

Scroll down to the Tracking Protection Lists section and select EasyList Standard, EasyList and Stop Google Tracking, by clicking add on each list.

This adds the lists to Internet Explorer, and your Tracking Protection configuration should now look like this:

Your browsing experience should now be significantly faster than before the activation of Tracking Protection and also consume fewer system resources.

I have created 2 short videos in which I demonstrate how the browsing experience is in Internet Explorer with and without Tracking Protection enabled. The demonstration is done in Citrix XenApp 7.18 on Windows Server 2016 in Internet Explorer 11 with the latest Microsoft Updates. I have used http://www.cnn.com for demonstration purposes, however you will probably notice the same behavior with pretty much any other site.

Tracking Protection disabled:

Tracking Protection enabled:

Have a look at the CPU usage in the first video where Tracking Protection is disabled. When the site just sits there doing nothing, the CPU usage is somewhere between 40% and 70%. This is huge if you have multiple users on a Session Host server, imagine 10 users just loading this page and let it sit doing nothing.

In the second video, where Tracking Protection is enabled, the CPU usage is looking a lot better, somewhere between 5% and 15% when the site just sits there doing nothing. Also, 37 services have been blocked on this particular website. As I scroll up and down, CPU usage spikes do occur because of the change in content on the site; this is normal behaviour and will occur both with and without Tracking Protection.

How to configure Tracking Protection via Group Policy:

So now you may be asking “Now I have the Tracking Protection enabled on my local Internet Explorer browser, how do I enable it for every user in my environment?”. The answer to that question is: “Via Group Policy and Group Policy Preferences, of course :)”

Once Tracking Protection has been enabled a few things happen in the file system and registry.

In the file system:

  • In the user’s profile 3 so-called TPL files get downloaded; these files contain the EasyList, EasyPrivacy and Stop Google Tracking lists.
  • The TPL files can be found here  – %LOCALAPPDATA%\Microsoft\Internet Explorer\Tracking Protection and looks like this:
  • Copy the TPL files to a central location like NETLOGON or a share where users have read access.

In the registry:

  • In the user’s registry 3 registry keys and a few values within these keys are created.
  • The registry key names correspond with the above GUID-like TPL names, and look like this:
  • The full path to the above keys is – HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Safety\PrivacIE\Lists
  • So, as you see, 3 registry keys are created with names that correspond with the names of the TPL files.
  • Export the 3 keys to a REG file and in each key, change the “Path” value to %LOCALAPPDATA%\Microsoft\Internet Explorer\Tracking Protection\nameofTPLfilehere.tpl

GPO Configuration:

  • Create a new GPO
  • Under User Configuration configure Group Policy Preferences registry items like shown below:
  • For each of the 3 registry keys modify the Path value, so that it looks like this:
  • %<LOCALAPPDATA>%\Microsoft\Internet Explorer\Tracking Protection\nameofTPLfilehere.tpl
  • This makes sure that the Group Policy engine resolves the %LOCALAPPDATA% correctly, and thereby configures the correct path to the TPL file.
  • You will also have to add this registry value:
  • This enables the Tracking Protection filtering feature.
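To confirm that the GPO produced a usable configuration for a user, the check below can be run in that user's session after the policy has applied. It is an added example, not part of the author's GPO: the registry path, the `Path` value name and the Tracking Protection folder come from the steps above, while the function name and status names are made up for the example. It reads each `Path` value as stored, so a variable that was written literally instead of being resolved shows up as its own status.

```powershell
# Added example. Registry path, "Path" value name and TPL folder come from the
# article; the function name and status names are hypothetical.
$listsKey = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Safety\PrivacIE\Lists'
$tplDir   = Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer\Tracking Protection'

function Get-TplListStatus {
    if (-not (Test-Path -LiteralPath $listsKey)) {
        Write-Warning "No Tracking Protection lists found under $listsKey"
        return
    }

    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    foreach ($list in Get-ChildItem -LiteralPath $listsKey) {
        # Read the value exactly as stored, without expanding variables.
        $raw      = $list.GetValue('Path', $null, $noExpand)
        $resolved = if ($raw) { [Environment]::ExpandEnvironmentVariables([string]$raw) }

        $status = if (-not $raw) {
            'NoPathValue'                 # key exists but has no Path value
        }
        elseif ($resolved -match '%') {
            'UnresolvedVariable'          # e.g. a variable written literally by the GPP item
        }
        elseif (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
            'FileMissing'                 # TPL file was not copied into the profile
        }
        elseif (-not $resolved.StartsWith($tplDir, [StringComparison]::OrdinalIgnoreCase)) {
            'OutsideTplFolder'            # points somewhere other than the expected folder
        }
        else {
            'OK'
        }

        [pscustomobject]@{
            List         = $list.PSChildName
            StoredPath   = $raw
            ResolvedPath = $resolved
            Status       = $status
        }
    }
}

Get-TplListStatus
```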

You may have noticed the Tracking Protection Exceptions group I have in the GPO. The Tracking Protection Exceptions list enables you to configure specific URLs where you don’t want Tracking Protection to be active. These might be internal URLs like an intranet site or some other internal web-based application, where Tracking Protection could be messing with the general functionality of the web site.

To configure a list of exceptions add this to your GPO:

  • Here, as an example, I have the http://intranet.company.local URL; you may add as many URLs as you want here.

As this GPO configures user settings, it can be applied to both Windows client operating systems and Windows server operating systems. I have tested this specific configuration on Windows 7 and later and on Windows Server 2008 R2 and later, however only with Internet Explorer 11.

This concludes my guide on how to enable and configure Internet Explorer Tracking Protection. Feel free to comment.

The rise and fall of a champion

A couple of weeks ago I attended Citrix Synergy at the Hilton Convention Center in Anaheim in the US. I’ve been there a few times before, and it has been a pleasure visiting and attending Citrix Synergy at this venue every time.

There were a lot of great sessions, which sometimes made it hard to decide which one to attend. However, in this article I will bring my views and opinions about some announcements made regarding Citrix Workspace Environment Manager (WEM) and Citrix Profile Management (CPM), formerly known as Citrix User Profile Manager (UPM).

Citrix announced Office 365 experience support in CPM/WEM. This means that CPM/WEM will be able to handle an Outlook OST file and Windows Search Index Roaming in a non-persistent Session Host/VDI setup, exactly like the 3rd party vendors, FSLogix and Liquidware. This is somewhat great news, as this is a feature I have wanted in CPM for years, however Citrix may have been dragging their feet just a bit too long in this matter.

The Rise….

Before I go any further, a bit of history never hurt anyone. Back in May 2008 Citrix acquired sepagoProfile from sepago, this product was rebranded and became Citrix User Profile Manager (UPM) which meant that Citrix got a Profile Management solution that was far superior to the Windows Roaming Profile solution built in to most Windows versions.

Citrix UPM was THE profile management solution from there on out, well in most cases at least. Of course UPM had issues from time to time, but Citrix was usually very quick to address and solve these issues. Back in the days with Windows XP and Windows Server 2003 we had to rely on tools like UPHClean to get a stable Windows Roaming Profile environment without profile lockups. With Citrix UPM this was no longer the case, as UPM was much more “intelligent” and had built-in mechanisms to prevent profile lockups.

Gone were the days where we needed obscure batch or VB scripts running during logon or logoff to manage or support application settings that were not saved in the APPDATA\Roaming folder; Citrix UPM was able to handle files and folders in the APPDATA\Local or APPDATA\LocalLow folders.

UPM eventually got additional features like Profile Streaming which enabled parts of the user’s profile to be streamed to the Session Host or VDI during logon, which most of the times had a huge impact bringing down logon times.

The Fall….

Up until the release of Windows 10 and Windows Server 2016, this was more or less the story with UPM. However, Citrix UPM is currently in decline and should, in my opinion, no longer be considered the preferred solution. This is primarily because of how Windows 10 and Windows Server 2016 handle users’ profiles.

As Citrix UPM still relies on the principles of a roaming profile, copying the profile back and forth between a file server share and the Session Host/VDI during logon and logoff, there are still some situations where Citrix UPM has issues, and it still requires a great deal of configuration and management to prevent profile bloating and to obtain a relatively stable profile environment. Yes, it still supports the Profile Streaming feature, but even that has over time shown that it is not always the way to go, as certain applications do not support this feature and may break or not work properly.

Currently there is a major bug in the Citrix UPM version introduced in Citrix XenApp and XenDesktop 7.15 LTSR CU1, which is mentioned in the Citrix discussions forums here – https://discussions.citrix.com/topic/391754-windows-2016-start-menu-blank-icons-with-715-cu1/

Citrix has posted a CTX article with 2 workarounds, however a couple of people are mentioning that these workarounds are not working. There is however a workaround described in the forum thread, which involves a PowerShell script, that should be able to take care of things.

The fact that this bug still exists in both Citrix XenApp and XenDesktop 7.16 and 7.17 and was introduced in an LTSR edition of Citrix XenApp and XenDesktop is, in my opinion, a major let down by Citrix and illustrates just how much Citrix is struggling with Citrix UPM at the moment.

The Future….

In my opinion the future of Citrix UPM is a bit hazy.

Considering the amount of issues that I have personally encountered with Citrix UPM in Windows Server 2012/2012 R2, Windows 10 and Windows Server 2016, and the major bug described above, I have very little faith in Citrix providing anything remotely stable within this year, even though they claim to have the Office 365 experience feature ready within the next 90 days. This means that we are probably going to see this feature in Citrix XenApp and XenDesktop 7.19 or 7.20.

UPDATE – 14-08-18: The UPM Office 365 Experience feature is available in Citrix XenApp and XenDesktop 7.18

Also to be considered is the fact that Citrix is around 4-6 years behind in developing anything disk based, whether it be supporting Office 365 or the entire profile in a disk based solution. Microsoft have had their User Profile Disk solution since Windows Server 2012, which was released 6 years ago, and FSLogix and Liquidware both have disk based profile solutions going on 4+ years now, so Citrix has some catching up to do.

To spice things up, Citrix will now have 2 separate and very different products covering the same Office 365 experience features, as Citrix App Layering has the User Layers feature, which is the entire user profile in a disk based solution. This feature is still in Labs though, which means that it isn’t ready for production use yet.

With Citrix App Layering you also have the Office 365 Layers feature; this only covers the Outlook OST file and nothing else. This feature is however production ready, BUT, and there is a major “but” in there, both User Layers and Office 365 Layers are only available with the Platinum license, as mentioned in this article – A Breakdown of Citrix App Layering Features by Edition. This will prevent a lot of customers from being able to implement these features.
UPDATE – 25-05-18:
The above statement around the Office 365 Layer was incorrect. As per this article – https://www.citrix.com/products/xenapp-xendesktop/feature-matrix.html the Office 365 Layer is available in all XenApp and XenDesktop license models, however it’s currently only supported on Windows 7 and Windows 10 64-bit.

I am looking very much forward to see how Citrix will develop both the User Layer and Office 365 Layer in Citrix App Layering and the merge of Citrix WEM/CPM with the Office 365 experience feature. If Citrix manages to get the Office 365 experience feature stable, a disk based profile solution with WEM/CPM, may not be far behind and if Citrix goes down that road FSLogix and Liquidware may have their work cut out for them.

For now, my recommendation is still to go with a disk based profile solution, like FSLogix Profile Container and Office 365 Container.

Citrix XenApp and Desktop 7.16 Browser Content Redirection

I have created 2 small videos to demonstrate how the new Browser Content Redirection works. The Browser Content Redirection is among some of the new features in XenApp and XenDesktop 7.16 and it really looks promising.

Citrix have had an HTML5 video redirection feature for a while now, however for it to work properly it relied on a code snippet being part of the code on the destination website. We cannot expect all websites in the world to have this code snippet, so actually making use of the HTML5 video redirection isn’t easy.

However this new Browser Content Redirection does not rely on code snippets, instead it uses an Internet Explorer 11 add-on called Citrix HDXJsInjector:

This add-on is installed with the Citrix VDA 7.16, so it is in the Session Host or VDI machine, and obviously this feature only works in IE11.

On the endpoint nothing other than a Citrix Receiver 4.10 is needed.

This first test is done on a Citrix VDA 7.14 Session Host on Windows Server 2016.

Here we see a perfectly normal CPU usage caused by Internet Explorer, when watching an HTML5 YouTube video:

Running an HTML5 YouTube video in 1080p really puts a strain on the CPU, and when a user runs this kind of HTML5 content, it is usually something that is noticeable by other users on a Session Host server.

The second test is done on a Citrix VDA 7.16 Session Host on Windows Server 2016.

Here we see that the CPU usage caused by Internet Explorer is barely noticeable, running the same HTML5 YouTube video in 1080p:

On the endpoint, in this case Windows 10 v1709 with Citrix Receiver 4.10, we see the HDX Overlay Browser process is responsible for around 15-20% CPU usage, a great deal of CPU usage is offloaded to the endpoint. (The obs64.exe process is my screen recording software)

To activate the Browser Content Redirection you need to upgrade your Delivery Controller and Studio to 7.16 and enable this Citrix computer policy:

UPDATE – December 4th 2017:

I have been made aware, by Citrix PM Fernando Klurfan, that I originally used a screenshot referencing the HTML5 Video Redirection feature. As Fernando Klurfan has correctly stated, there is a difference between these two features as the HTML5 Video Redirection feature has been available since XenApp and XenDesktop 7.12 and works together with the Multimedia Redirection Feature, the Browser Content Redirection is the correct policy to reference. A huge thanks to Fernando Klurfan for making me aware of my mistake!

Fernando Klurfan provided me with some additional information on how to enable the Browser Content Redirection feature to make use of the client side GPU. To enable the use of client side GPU create these two registry values:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING (Create if not present)
HdxBrowser.exe = (DWORD) 00000001

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING (Create if not present)
HdxBrowser.exe = (DWORD) 00000001

Make sure to check out Rasmus Raun-Nielsen’s article about Browser Content Redirection.

To conclude – The Browser Content Redirection feature is impressive, as it removes a great deal of CPU usage from the Session Host or VDI when running HTML5 content in Internet Explorer 11. Be sure to enable this feature when your Delivery Controllers have been upgraded, but keep in mind that it requires a fairly strong CPU in the endpoint device. If you are using thin clients or older computers, be sure to do some testing before enabling this feature.

 

Citrix is finally ditching Windows Server 2008 R2 and Windows 7


As the clickbait-like headline says, Citrix is ditching Windows Server 2008 R2 and Windows 7. As of XenApp and XenDesktop 7.16, Windows Server 2008 R2 and Windows 7 are no longer supported. This means that XenApp and XenDesktop 7.15 LTSR is the last version to support Windows Server 2008 R2 and Windows 7.

Finally!

A few weeks ago Citrix released this article:

Upcoming OS Changes Introduce Greater Flexibility and Innovation

It covers the new release types – Current Release (CR), LTSR Release and Cloud Release, I will not go further into these release types, as they are described very well in the article. However it is worth mentioning that it is now possible and supported to mix CR and LTSR release VDAs.

I will however share some thoughts about Citrix finally ending the Windows Server 2008 R2 and Windows 7 support.

Initially I would like to say that if you haven’t already started planning your migration from Windows 7 to Windows 10 and Windows Server 2008 R2 to Windows Server 2016, now would be a very good time to start!

As Microsoft ended mainstream support in 2015 for both Windows 7 and Windows Server 2008 R2, we have only been able to receive hotfixes classified as “Security Updates” for the last couple of years. This is due to the “Extended Support” phase that Windows 7 and Windows Server 2008 R2 are currently in. However, if you have a so-called “Premier Support” and “Extended hotfix support” agreement with Microsoft, this will enable you to receive other update classifications from Microsoft as well.

A more in depth explanation of the “Extended Support” phase can be found here:

https://support.microsoft.com/en-us/help/17140/lifecycle-faq-general-policy-questions

When the “Extended Support” phase ends for both Windows 7 and Windows Server 2008 R2, these operating systems will have been supported by Microsoft for 11 years, 11 years!

This stands in heavy contrast to the new servicing channel for Windows 10 and Windows Server Core, where you basically have to upgrade the operating system every 18 months to be able to receive support from Microsoft.

So why is it a good thing that Citrix, with XenApp and XenDesktop 7.16, is deprecating support for legacy operating systems? Well, for starters Citrix is participating in keeping Windows Server 2008 R2 “artificially” alive, as they have lengthened the XenApp 6.5 End of Life date to June 30 2018. This means that Citrix has been an active part in hindering upgrades to their own XenApp and XenDesktop 7.x, even though XenApp and XenDesktop 7.x have had support for Windows Server 2008 R2 from day one.

Another thing is that by staying on legacy operating systems like Windows 7 and Windows Server 2008 R2, we are allowing software developers to remain in their old ways of thinking, which could potentially leave us with subpar security and/or less innovation when developers are designing applications or software solutions.

I recognise that some applications cannot run on anything other than Windows 7 and/or Windows Server 2008 R2. However now is the time to prepare a plan to either replace the application in question or how to upgrade/patch the application, so it can run and work on Windows 10 and/or Windows Server 2016. You have around 2 years to prepare that plan, as the Extended Support ends January 14 2020.

 

 

AppLocker is breaking Windows Start Menu


The other day I was setting up a couple of Windows Server 2016 XenApp VDA servers to do some more extensive tests of the different Citrix policy templates, to evaluate how the settings in these policy templates impact the user experience.

During these tests I kept running into an issue with the Start Menu not working properly. The context menu worked as it should, but nothing happened with a regular left click on the Start button. I have run into this issue many times before, in both Windows Server 2016 and Windows 10, and the main cause was always either Citrix UPM not being able to handle the Tile Data Service database, or a plain old regular Windows Roaming Profile just being old and broken.

However, in this case I had configured neither Citrix UPM nor Windows Roaming Profile. I had configured FSLogix Profile Container, so why was this happening? To make it even stranger, I experienced the issue with an admin user with a local profile as well, so this ruled out any profile handling issues.

As you may already have guessed, AppLocker had a part to play in the issue I experienced, but what was AppLocker actually doing?

Well as it turns out, AppLocker was blocking the “Windows Shell Experience Host” and “Cortana”, and apparently both are necessary for the Start Menu to work properly.

During my troubleshooting I came across this message in the AppLocker part of Windows Event Viewer:

Not very helpful! I had Exe rules configured alright, but the “no Packaged app rules have been configured” part was a bit confusing. My AppLocker GPO was configured to enforce Packaged app rules, but no rules were configured, just like the event viewer was telling me. As it turns out, Packaged apps is another name for Universal Windows Platform (UWP) apps, and these UWP apps are, among other things, handled by the aforementioned “Windows Shell Experience Host”.

As AppLocker was apparently blocking the Windows Shell Experience, this would explain why my Start Menu wasn’t working properly. The solution was actually really simple and required nothing more than creating another AppLocker rule.

Go into your AppLocker GPO, right click the Packaged app Rules and select “Create Default Rules”. This should create one rule which allows all signed packaged apps to be executed.

Once this rule is created, either run “gpupdate /target:computer /force” in a command prompt or simply reboot the server/computer.

This should bring back the Start Menu and Cortana and all your application shortcuts.
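The check below is an added example, not part of the original post: it reads an AppLocker policy exported as XML and reports whether the Exe collection has rules while the Packaged app collection has none, which is the state described above. The function name Test-PackagedAppRuleGap and the sample policy are constructed for illustration.

```powershell
# Added example, not from the original post. Flags the condition described above:
# the Exe collection carries rules while the Packaged app (Appx) collection has none.
function Test-PackagedAppRuleGap {
    param(
        # AppLocker policy as XML text, e.g. (Get-AppLockerPolicy -Effective -Xml).
        [Parameter(Mandatory)][string]$PolicyXml
    )
    $policy  = [xml]$PolicyXml
    $summary = @{}
    foreach ($collection in $policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $summary[$collection.GetAttribute('Type')] = [pscustomobject]@{
            Mode  = $collection.GetAttribute('EnforcementMode')
            Rules = $collection.SelectNodes('*').Count   # each child element is one rule
        }
    }
    $exe  = $summary['Exe']
    $appx = $summary['Appx']
    # Assumption: Exe rules apply unless the collection is explicitly audit-only.
    $exeActive = ($null -ne $exe) -and ($exe.Rules -gt 0) -and ($exe.Mode -ne 'AuditOnly')
    $appxEmpty = ($null -eq $appx) -or ($appx.Rules -eq 0)
    [pscustomobject]@{
        ExeMode        = if ($exe)  { $exe.Mode }   else { 'absent' }
        ExeRules       = if ($exe)  { $exe.Rules }  else { 0 }
        AppxMode       = if ($appx) { $appx.Mode }  else { 'absent' }
        AppxRules      = if ($appx) { $appx.Rules } else { 0 }
        PackagedAppGap = $exeActive -and $appxEmpty
    }
}

# Constructed sample policy: Exe rules enforced, Packaged app rules enforced but empty.
$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled" />
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Constructed rule: Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

Test-PackagedAppRuleGap -PolicyXml $samplePolicy

# On a live session host (needs the AppLocker module):
# Test-PackagedAppRuleGap -PolicyXml (Get-AppLockerPolicy -Effective -Xml)
```

Running the same check after creating the default Packaged app rule and refreshing policy shows whether the rule actually reached the machine's effective policy.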

 

Citrix Receiver versions


A few days ago I was asked “how do you know which Citrix Receiver version is being used based on the build number?”. Well you just have to know 🙂

When monitoring your Citrix installation via either the defunct Citrix Edgesight or the more modern Citrix Director, you may need to find out which version of Citrix Receiver is installed on the different endpoint devices connecting to your Citrix XenApp servers or VDIs.

Both Edgesight and Director will show you the Citrix Receiver “product version”, and not the actual version, like Citrix Receiver 4.9.

I have created this small overview of the Citrix Receiver versions and the corresponding “product version”:

Citrix Receiver versions for Windows

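| Receiver version | Product Version |
|---|---|
| 3.0 | 13.0.0 |
| 3.1 | 13.1.0 |
| 3.2 | 13.1.200 |
| 3.3 | 13.3.0 |
| 3.4 | 13.4.0 |
| 4.0 | 14.0.0 |
| 4.1 | 14.1.0 |
| 4.1 CU1 | 14.1.200 |
| 4.2 | 14.2.0 |
| 4.3 | 14.3.0 |
| 4.3.100 | 14.3.100 |
| 4.4 | 14.4.0 |
| 4.4 CU1 | 14.4.1000 |
| 4.5 | 14.5.0 |
| 4.6 | 14.6.0 |
| 4.7 | 14.7.0 |
| 4.8 | 14.8.0 |
| 4.9 LTSR CU2 | 14.9.2000 |
| 4.10 | 14.10.0 |
| 4.10.1 | 14.10.1 |
| 4.11 | 14.11.0 |
| 4.12 | 14.12.0 |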

I’ll keep this list updated as Citrix releases new Citrix Receiver versions and try to add the versions from other operating systems as well.

Update – 16-08-2018:

Citrix has released the Citrix Workspace App client, which is the successor to Citrix Receiver. The Citrix Workspace App does not have the same version information as Citrix Receiver, as it is now a so-called evergreen application. This means that the only version information available is going to be in the same format as Microsoft uses, i.e. Citrix Workspace App 1808, which indicates that this particular Citrix Workspace App version was released in August (08) of 2018.

The latest Citrix Workspace App client can be downloaded here – https://www.citrix.com/downloads/workspace-app/

User Profiles…the struggle is real!


During the last couple of years I have seen that managing user profiles in a Citrix environment can be a major PITA. However before going any further, let’s take a few steps back in time.

In the good old days in the world of Citrix, with Windows Server 2008 R2 and Windows 7, everything was nice and quiet in the user profile area. We were happily rolling along with Citrix User Profile Manager, telling ourselves that the old, dusty and rather unstable Windows Roaming Profile was a thing of the past and no one would ever be using that again. We were managing User Profiles like a boss, with fine-tuned configurations preventing profile bloating, roaming of Internet Explorer cookies and passwords and perhaps roaming different files and folders outside the APPDATA\Roaming folder.

Fast forward to today, or a couple of years ago, Microsoft released Windows 10 and Windows Server 2016 and with them new Windows Profile versions.

Let’s have a quick look at the different Windows Profile versions dating back to Windows XP and Windows Server 2003:

UPDATE – 04/11-17: I have updated the table below to reflect the current Windows 10 versions.

| Client Operating System | Server Operating System | Operating System Version | Profile Version/extension |
|---|---|---|---|
| Windows XP | Windows Server 2003/2003 R2 | | None |
| Windows Vista | Windows Server 2008 | | V2 |
| Windows 7 | Windows Server 2008 R2 | | V2 |
| Windows 8 | Windows Server 2012 | | V3 |
| Windows 8.1 | Windows Server 2012 R2 | | V4 |
| Windows 10 | | V1507 | V5 |
| Windows 10 | | V1511 (November Update) | V5 |
| Windows 10 | Windows Server 2016 | V1607 (Anniversary Update) | V6 |
| Windows 10 | | V1703 (Creators Update) | V6 |
| Windows 10 | | V1709 (Fall Creators Update) | V6 |

 

You may have noticed that Windows 10 is currently offering 2 different Windows Profile versions, V5 and V6, and rumors are that the Windows 10 Fall Creators Update may present a V7 Windows Profile. This is where the struggle begins!

UPDATE – 04/11-17: Windows 10 v1709 (Fall Creators Update) did in fact NOT present a V7 Windows Profile version. V1709 is still on V6, like v1703 and v1607.

As per this “Windows as a service” guide Windows 10 will receive 2 feature updates per year, a feature update is like the Anniversary Update or the Creators Update and even though Microsoft is boasting of an “outstanding app compatibility”, this isn’t really of much use to us, if they change the profile version. A profile version change will initially trigger a new profile to be created at login which means that we need to do some kind of profile migration between the old profile and the new profile, unless we really like to receive a lot of support calls about missing application settings or that no default printer is set, because something went wrong during the profile version upgrade.

If we are using Citrix Profile Manager this profile version upgrade is handled automatically, however do we really want to do that? If we briefly revisit the good old times, we didn’t upgrade the user profiles when we migrated from Windows XP to Windows 7 or from Windows 7 to Windows 8 or Windows 10, did we? I sure didn’t, and when it comes to traditional profile management I always recommend doing a profile migration, NOT an upgrade!

In the good old times, a profile upgrade was always associated with an operating system upgrade. So when we are offered, at the moment, 2 different Windows profile versions in Windows 10, in my mind that is the equivalent of an operating system upgrade, which means that the profile needs to be migrated, as the functionality and stability of the profile cannot be guaranteed if it’s upgraded.

In a Windows 10 VDI scenario this presents us with a couple of things to keep in mind. As per above guide, each feature update is maintained with so called quality updates every 18 months, so at least once every 18 months we need to upgrade our Windows 10 VDIs with a feature update. Let’s just assume, and I am NOT saying that this will be the case, but let’s just assume that Microsoft will upgrade the windows profile version every 18 months, this may not be a desirable scenario, as we need to maintain some kind of profile migration feature/script to be able to migrate the settings from the old profile to the new profile with the new version.

Some Citrix setups offer hundreds of different applications where all kinds of settings are saved in all kinds of places, e.g. files/folders/registry. This means that a potential migration feature/script needs to cover whether the settings of one or more applications need to be migrated or not in case of a profile version upgrade. As applications come and go or get upgraded, these different places where applications might save their settings will have to be maintained in whatever migration feature is used, which then again means that we need to have a great deal of knowledge of our applications, not just how to install them, but also how and where their settings are saved.

Let’s take a look at how Citrix User Profile Manager can help us, some of the way, when upgrading Windows 10.

This is what a Citrix UPM share looks like when a user has logged on from Windows 10 v1511, Windows 10 v1607 and Windows 10 v1703:

This is achieved with the “Path to user store” in a Citrix UPM GPO configured like this:

The !CTX_OSNAME! and the !CTX_OSBITNESS! are both variables that can be used as a part of the profile share path. When these variables are combined you get a very flexible profile share path where a folder is created that corresponds to the operating system and the bitness of the operating system. This means that you would usually never need more than one profile share, when using Citrix User Profile Manager.

This configuration makes sure that a new profile is created when logging on to an upgraded Windows 10 computer with a new windows profile version.

You can omit the !CTX_OSNAME! and the !CTX_OSBITNESS! and point directly at the #SAMAccountName# variable, however this will create a profile folder for the user in the root of the share, which means that you will no longer have a folder named “Win10RS2x64”. If this is the case you now have a profile share that is “locked” to this specific version of Windows 10. That’s not wrong, but it may present some issues at some point, as we essentially don’t want Windows or Citrix UPM to do profile upgrades.

One way or another we are in need of some way to transfer and/or migrate settings between different profile versions. You can of course bring out the big guns and go with RES or AppSense as they are perfectly capable of migrating profile and applications settings between different profile versions with their User Environment Management (UEM) solutions.

Liquidware is, compared to RES and AppSense, a smaller player in this area, however they have in their ProfileUnity product a way to migrate profile and application settings between different Windows versions and that of course includes Windows 10 as well. They also have disk based profiles, which really boosts the login performance.

You can of course also create your own profile and applications migration script, I have seen a few so I know they are out there.

To conclude – With Windows 10 we are, in my opinion, entering a new era where we are basically doing operating system upgrades once every 12-18 months, which adds a bunch of additional tasks to our already long list of Citrix and Citrix related tasks. I think now would be a great time to implement some kind of UEM feature, to be able to manage and maintain the profile and application settings in different user profiles on different operating systems. Citrix User Profile Manager is, in my opinion, now considered the “old solution” together with the traditional Windows Roaming Profile.