Channel: XenApp/XenDesktop – Carl Stalhood

Group Policy Objects – VDA Computer Settings


Create Group Policy Objects

  1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all VDA computer objects.
  2. Then create sub-OUs, one for each delivery group.
  3. Move the VDAs from the Computers container to one of the OUs created in step 2.
  4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Citrix VDA Computer Settings and link it to the OU created in step 1. If this policy should apply to all Delivery Groups then link it to the parent OU. Or you can link it to Delivery Group-specific sub-OUs.

  5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the GPO is disabled.

  6. Create and link two new GPOs to the VDA OU (in addition to the Citrix VDA Computer Settings GPO). One of the GPOs is called Citrix VDA All Users (including admins) and the other is called Citrix VDA Non-Admin Users (lockdown).

  7. Modify the properties of both of these GPOs and disable the Computer Configuration portion of the GPO.

  8. Click the Citrix VDA Non-Admin Users GPO to highlight it.
  9. On the right, switch to the Delegation tab and click Add.
  10. Find your Citrix Admins group and click OK.
  11. Change the Permissions to Edit settings and click OK.
  12. Then on the Delegation tab click Advanced.
  13. For Citrix Admins, place a check mark in the Deny column in the Apply Group Policy row. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
  14. Click Yes when asked to continue.
  15. For the other two GPOs, add Citrix Admins with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.
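The OU, GPO and delegation steps above, scripted with the ActiveDirectory and GroupPolicy modules, as an added example that is not part of the original article. The parent OU name, the delivery group names and the group Citrix Admins are assumed; the Deny entry is written straight to the GPO's AD object because Set-GPPermission can only grant permissions.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory and
# GroupPolicy RSAT modules and a group called 'Citrix Admins' in the domain.
Import-Module ActiveDirectory, GroupPolicy

$domainDn       = (Get-ADDomain).DistinguishedName
$parentOuName   = 'Citrix VDAs'                                  # assumed name (step 1)
$parentOu       = "OU=$parentOuName,$domainDn"
$deliveryGroups = @('Win10 Desktops', 'Server 2012 R2 Apps')     # assumed names (step 2)

New-ADOrganizationalUnit -Name $parentOuName -Path $domainDn -ErrorAction SilentlyContinue
foreach ($dg in $deliveryGroups) {
    New-ADOrganizationalUnit -Name $dg -Path $parentOu -ErrorAction SilentlyContinue
}

# Steps 4-7: one computer-side GPO and two user-side GPOs, each with its unused half disabled.
$gpoSpecs = @{
    'Citrix VDA Computer Settings' = 'UserSettingsDisabled'
    'Citrix VDA All Users'         = 'ComputerSettingsDisabled'
    'Citrix VDA Non-Admin Users'   = 'ComputerSettingsDisabled'
}
foreach ($name in $gpoSpecs.Keys) {
    $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $name }
    $gpo.GpoStatus = $gpoSpecs[$name]
    New-GPLink -Name $name -Target $parentOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    # Steps 10-11 and 15: Citrix Admins can edit every one of the three GPOs.
    Set-GPPermission -Name $name -TargetName 'Citrix Admins' -TargetType Group -PermissionLevel GpoEdit | Out-Null
}

# Steps 12-13: on the lockdown GPO only, deny 'Apply Group Policy' to Citrix Admins so the
# lockdown never applies to administrators. The ACE goes on the GPO's AD object; the GUID
# is the Apply-Group-Policy extended right.
$lockdown = Get-GPO -Name 'Citrix VDA Non-Admin Users'
$adPath   = "AD:\$($lockdown.Path)"
$acl      = Get-Acl -Path $adPath
$adminSid = (Get-ADGroup -Identity 'Citrix Admins').SID
$applyGpo = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $adminSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny, $applyGpo)))
Set-Acl -Path $adPath -AclObject $acl

# Check: the lockdown GPO must now list a denied Apply entry for Citrix Admins, and the
# other two GPOs must list none.
foreach ($name in $gpoSpecs.Keys) {
    $denied = Get-GPPermission -Name $name -All | Where-Object { $_.Denied }
    "{0}: {1} denied entries" -f $name, @($denied).Count
}
```

GPMC compares the AD and SYSVOL ACLs of a GPO; if it reports that they differ after this change, accept its offer to synchronise them.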

Windows Group Policy Templates

Unfortunately there are some differences between the GPO templates included with 2012 R2 and the GPO templates included with Windows 8.1/10. You’ll need to download the full set of templates.

  1. Download the Administrative Templates for Windows 10.
  2. Run the downloaded Windows10-ADMX.msi.
  3. In the Welcome to the Administrative Templates for Windows 10 Setup Wizard page, click Next.
  4. In the License Agreement page, select I Agree and click Next.
  5. In the Select Installation Folder page, copy the location.
  6. Select Everyone and click Next.
  7. In the Confirm Installation page, click Next.
  8. In the Installation Complete page, click Close.
  9. Go to C:\Program Files (x86)\Microsoft Group Policy\Windows 10.
  10. Open the PolicyDefinitions folder. Highlight all .admx files. Also highlight your desired languages (e.g. en-US). Copy the files to the clipboard.
  11. Go to your domain’s sysvol (e.g. \\corp.local\sysvol) and in the corp.local\Policies folder, paste the files in the PolicyDefinitions folder. If you don’t have this folder then you can create it. Or skip to the next step. If prompted, replace the existing files.

  12. If you prefer to not put the files in Sysvol, then instead go to C:\Windows\PolicyDefinitions and paste the files. Overwrite the existing files.

  13. In the PolicyDefinitions folder, look for a file called LocationProviderAdm.admx and delete it. See Microsoft KB 3077013, “‘Microsoft.Policies.Sensors.WindowsLocationProvider’ is already defined” error when you edit a policy in Windows, for details.
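Steps 9 through 13 as a script, added here as an example and not part of the original article. It assumes the domain corp.local and the en-US language folder, and finishes with a check that every .admx copied into the central store has a matching .adml.

```powershell
# Added example (not from the original article): populate the SYSVOL central store from the
# installed Windows 10 templates. Assumptions: domain corp.local, language en-US.
$source  = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions'
$central = '\\corp.local\SYSVOL\corp.local\Policies\PolicyDefinitions'
$langs   = @('en-US')

if (-not (Test-Path $central)) { New-Item -Path $central -ItemType Directory | Out-Null }
Copy-Item -Path (Join-Path $source '*.admx') -Destination $central -Force
foreach ($lang in $langs) {
    $dest = Join-Path $central $lang
    if (-not (Test-Path $dest)) { New-Item -Path $dest -ItemType Directory | Out-Null }
    Copy-Item -Path (Join-Path $source "$lang\*.adml") -Destination $dest -Force
}

# Step 13: remove the template that triggers the "already defined" error (KB 3077013).
$dup = Join-Path $central 'LocationProviderAdm.admx'
if (Test-Path $dup) { Remove-Item -Path $dup -Force }

# Sanity check: an .admx without its .adml makes GPMC report a missing resource file.
foreach ($lang in $langs) {
    $missing = Get-ChildItem -Path $central -Filter *.admx | Where-Object {
        -not (Test-Path (Join-Path $central "$lang\$($_.BaseName).adml"))
    }
    if ($missing) { Write-Warning "No $lang .adml for: $($missing.Name -join ', ')" }
}
```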

Group Policy Computer Settings

Edit the Citrix VDA Computer Settings GPO and enable the settings shown below. All settings are located under Computer Configuration > Policies.

Group Policy Settings

  • Computer Configuration | Policies | Administrative Templates | System | Group Policy
    • Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 setting.
    • Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 setting.
    • Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace depending on the desired result

See Microsoft KB 953768, User Group Policy loopback processing mode changes in Windows Server 2008 R2 (http://support.microsoft.com/kb/953768). Make sure the VDA computer accounts have Read access to the loopback user GPOs, even if those GPOs only contain user settings.

Power Settings

The following are more applicable to virtual desktops than session hosts:

  • Computer Configuration | Policies | Administrative Templates | System | Power Management | Hard Disk Settings
    • Turn Off the hard disk (plugged in) = enabled, 0 seconds
  • Computer Configuration | Policies | Administrative Templates | System | Power Management | Sleep Settings
    • Specify the system hibernate timeout (plugged in) = enabled, 0 seconds
    • Specify the system sleep timeout (plugged in) = enabled, 0 seconds
    • Turn off hybrid sleep (plugged in) = enabled, 0 seconds
  • Computer Configuration | Policies | Administrative Templates | System | Power Management | Video and Display Settings
    • Turn off the display (plugged in) = enabled, 0 seconds

Remote Assistance Settings

Configure the following so you can shadow users using Director:

  • Computer Configuration | Policies | Administrative Templates | System | Remote Assistance
    • Configure Solicited Remote Assistance = disabled
    • Configure Offer Remote Assistance = enabled, specify the Help Desk and Administrator groups that can offer remote assistance

User Profiles Settings

  • Computer Configuration | Policies | Administrative Templates | System | User Profiles
    • Add the Administrators security group to roaming user profiles = enabled
    • Delete cached copies of roaming profiles = enabled (only enable on persistent session hosts)
    • Do not check for user ownership of Roaming Profile Folders = enabled

Event Viewer Settings

If you are using Provisioning Services, it might be desirable to move the event logs to a persistent cache disk. This allows you to review the event logs even after the Target Device reboots. Use Group Policy Preferences to create the folder on the cache disk.

  • Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Application
    • Control the location of the log file = enabled, D:\EventLogs\Application.evtx
  • Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Security
    • Control the location of the log file = enabled, D:\EventLogs\Security.evtx
  • Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | System
    • Control the location of the log file = enabled, D:\EventLogs\System.evtx
  • Computer Configuration | Preferences | Folder
    • Action = update
    • Path = D:\EventLogs

Remote Desktop Services Settings

  • Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Connections
  • Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device and Resource Redirection
    • Allow time zone redirection = enabled
    • Do not allow smart card device redirection = enabled
  • Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Licensing
    • Set the Remote Desktop license mode = enabled, Per User
    • Use the specified Remote Desktop license servers = enabled, your XenDesktop Controllers
  • Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security
    • Always prompt for password upon connection = disabled (to override other GPOs where it might be enabled)
  • Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Session Time Limits
    • Set a time limit for active but idle Terminal Services sessions = enabled, 3 hours or similar
    • Set time limit for disconnected sessions = enabled, 3 hours or similar

OneDrive Settings – Windows 10

  • Computer Configuration | Policies | Administrative Templates | Windows Components | OneDrive
    • Prevent the usage of OneDrive for file storage = enabled

Search Settings – Windows 8.1/10/2012 R2

  • Computer Configuration | Policies | Administrative Templates | Windows Components | Search
    • Allow Cortana = disabled (Windows 10)
    • Don’t search the web or display web results in search = enabled
    • Additional search settings can be found here

Store Settings – Windows 8.1/2012 R2 (not Windows 10)

Windows Update Settings

  • Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update
    • Allow non-administrators to receive update notifications = disabled

After modifying the GPO, use Group Policy Management Console to update the VDA machines, run gpupdate /force on the VDAs, or wait 90 minutes for the next background refresh.
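A scripted way to write a subset of the settings listed above into the Citrix VDA Computer Settings GPO with Set-GPRegistryValue, added here as an example that is not from the original article. The registry keys and value names are the ADMX backing values for these policies as I know them (Set-GPRegistryValue stores exactly what the template would, so GPMC shows them as Enabled), not values the article states, and the license server names are placeholders; verify each pair against the .admx before relying on it.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy RSAT module and
# that the GPO 'Citrix VDA Computer Settings' already exists.
Import-Module GroupPolicy
$gpoName = 'Citrix VDA Computer Settings'
$tsPol   = 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services'
$sysPol  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$srchPol = 'HKLM\Software\Policies\Microsoft\Windows\Windows Search'
$evtPol  = 'HKLM\Software\Policies\Microsoft\Windows\EventLog'
$threeHoursMs = 3 * 60 * 60 * 1000      # RDS time limits are stored in milliseconds

# Registry backing values as assumed by this example; check each against the ADMX.
$settings = @(
    # Group Policy: loopback (2 = Replace, 1 = Merge), caching off, logon script delay 0
    @{ Key = $sysPol; ValueName = 'UserPolicyMode';          Type = 'DWord'; Value = 2 }
    @{ Key = $sysPol; ValueName = 'EnableLogonOptimization'; Type = 'DWord'; Value = 0 }
    @{ Key = $sysPol; ValueName = 'EnableLogonScriptDelay';  Type = 'DWord'; Value = 1 }
    @{ Key = $sysPol; ValueName = 'AsyncScriptDelay';        Type = 'DWord'; Value = 0 }
    # User Profiles
    @{ Key = $sysPol; ValueName = 'AddAdminGroupToRUP';      Type = 'DWord'; Value = 1 }
    @{ Key = $sysPol; ValueName = 'CompatibleRUPSecurity';   Type = 'DWord'; Value = 1 }
    # Remote Desktop Session Host
    @{ Key = $tsPol; ValueName = 'fEnableTimeZoneRedirection'; Type = 'DWord';  Value = 1 }
    @{ Key = $tsPol; ValueName = 'fEnableSmartCard';           Type = 'DWord';  Value = 0 }
    @{ Key = $tsPol; ValueName = 'LicensingMode';              Type = 'DWord';  Value = 4 }   # Per User
    @{ Key = $tsPol; ValueName = 'LicenseServers';             Type = 'String'; Value = 'ddc01.corp.local,ddc02.corp.local' }  # placeholder controllers
    @{ Key = $tsPol; ValueName = 'fPromptForPassword';         Type = 'DWord';  Value = 0 }
    @{ Key = $tsPol; ValueName = 'MaxIdleTime';                Type = 'DWord';  Value = $threeHoursMs }
    @{ Key = $tsPol; ValueName = 'MaxDisconnectionTime';       Type = 'DWord';  Value = $threeHoursMs }
    # Search, OneDrive, Windows Update
    @{ Key = $srchPol; ValueName = 'AllowCortana';          Type = 'DWord'; Value = 0 }
    @{ Key = $srchPol; ValueName = 'ConnectedSearchUseWeb'; Type = 'DWord'; Value = 0 }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\OneDrive';      ValueName = 'DisableFileSyncNGSC'; Type = 'DWord'; Value = 1 }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'; ValueName = 'ElevateNonAdmins';   Type = 'DWord'; Value = 0 }
    # Event logs on the PVS cache disk
    @{ Key = "$evtPol\Application"; ValueName = 'File'; Type = 'ExpandString'; Value = 'D:\EventLogs\Application.evtx' }
    @{ Key = "$evtPol\Security";    ValueName = 'File'; Type = 'ExpandString'; Value = 'D:\EventLogs\Security.evtx' }
    @{ Key = "$evtPol\System";      ValueName = 'File'; Type = 'ExpandString'; Value = 'D:\EventLogs\System.evtx' }
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.ValueName -Type $s.Type -Value $s.Value | Out-Null
}

# Read back what the GPO now carries for the RDS key before refreshing the VDAs.
Get-GPRegistryValue -Name $gpoName -Key $tsPol | Format-Table ValueName, Type, Value
```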

Citrix Receiver

If you want pass-through authentication for the Citrix Receiver that is installed on your VDAs, use receiver.admx to enable pass-through authentication.

  1. See the instructions at http://www.carlstalhood.com/receiver-for-windows/#admx to copy the receiver.admx file to PolicyDefinitions.
  2. Edit the Citrix VDA Computer Settings GPO.
  3. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Receiver > User Authentication. On the right, open Local user name and password.
  4. Enable the setting.
  5. Check the top two boxes and click OK.

Additional Computer Settings

Microsoft has additional recommended GPO settings for virtual desktops. See http://www.microsoft.com/en-us/download/details.aspx?id=40799

Next Steps

Group Policy Objects – VDA User Settings
