
Firewall created at each login with UPM enabled

Philippe Marro1709155269


I have an issue on several farms of Server 2016 with Citrix 7.15 and Profile Management enabled. Each time a user logs on to a server, firewall rules for Cortana and other Microsoft apps are created and never deleted. The result is thousands of firewall rules on all xdsh servers, slowing them down for many things and using many resources.


On one of the infrastructures, it was so bad that it made the reboot schedule of a delivery group fail, in the way that controllers never get a success of the reboot of the VDA and reboot them like 10 times in a row. I first thought the issue was with Citrix, but after investigating with support I found out those rules, and deleting them fixed the issue.


This issue is not UPM related, but also happens with Microsoft's profile management like UPD. It's a known issue, but not fixed for now.


Has anyone else had the issue, and how do you fix it?


11 answers to this question


  • 0

I know this issue. - It has nothing to do with Citrix.

It seems that, 2 years after the release of Server 2016, Microsoft finally recognized that this behaviour is bad on Session Hosts.


The latest Cumulative Update "KB4467684" seems to contain a fix for this.

Have a look at the release notes: Release Notes KB4467684



Addresses an issue that slows server performance or causes the server to stop responding because of numerous Windows firewall rules. To enable the changes, add a new registry key “DeleteUserAppContainersOnLogoff” (DWORD) on “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy” using Regedit, and set it to 1. 


Of course I did try it. - I installed the CU, set the mentioned registry-setting and tested.

It does not work for me. The rules are created on login and still don't get deleted on logoff.


Maybe somebody could confirm this?

  • 0

Does anyone have an update on this issue? We are experiencing the same thing. The MS fix DeleteUserAppContainersOnLogoff does nothing as far as I can see. What seems to help is deleting the following key with:

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System" /va /f. This doesn't stop new rules from getting created for each new logon, so it has to be run often throughout the day.



  • 0

Hi, I have a support ticket with Microsoft about this.


They gave me a temp fix, which is not really doing anything good; it only removes the current firewall rules, and at the next logon they are getting added again, pretty much the same as opening Windows Firewall, selecting all rules and removing them.

The rules are coming from the apps located in C:\Windows\SystemApps (Windows Store apps).


MS Support is saying that they are working on a fix.

  • 0

It's a small application that queries the registry; it tells you which ones have firewall rules and outputs the users' SIDs.

Then you have to run the application again and tell it which rules to remove by specifying the user's SID.


It will only output users that are currently connected to the server. So if you have a large farm with many firewall rules, it will not remove many of them, as it only removes those of the connected or disconnected sessions.

At the next login, the rules will be added as before. That's why I don't think this is any good as a fix. It needs to be executed as administrator.

  • 0
8 hours ago, Philippe Marro1709155269 said:

Does anyone have any update about this? Whether it has been fixed by a subsequent update, or at least on Windows 2019?




This has finally been fixed by Citrix.

Have a look at the following excerpt from the changelog of Citrix Profile Management 1906 for details:







If you are interested in XenApp 7.15 LTSR:

As per the changelog, this should also be fixed in Cumulative Update 5.

Source: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/whats-new/cumulative-update-5/fixed-issues.html


I did also get a private fix some time before CU5 was released.

As far as I remember, it was just replacing the Profile Management EXE file.



  • 0

So I checked with our Citrix TAM.


So you need the updated versions of Profile Management indicated above (1906 or higher, or 7.15 CU5). The fix is to now call the standard Microsoft API at logoff.


You then need to set the reg key DeleteUserAppContainersOnLogoff (DWORD set to 1) at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.


Please note: This can and likely will increase logoff times. Ours went from ~15 seconds to ~2 to 3 minutes.


We initially tried this to rectify a fault with the start menu intermittently failing. In the image with it enabled, it does occur less, but still occurs.

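As an added example (not posted by anyone in this thread and not a Citrix or Microsoft tool), the following PowerShell audit script shows what the reg delete approach above and the DeleteUserAppContainersOnLogoff fix operate on: it checks whether the flag is set, counts the rule values under the FirewallPolicy key the thread deletes, groups them by owner SID, and marks SIDs with no loaded profile hive as orphaned, so you can see how many rules survive logoff before wiping everything. It assumes (as labelled in the comments) that each rule value is a pipe-delimited string carrying an LUOwn=<SID> token for per-user AppContainer rules; deletion is opt-in via -RemoveOrphaned and only touches rules of users with no loaded hive.

```powershell
# Run elevated on a Server 2016 session host. Audit only by default;
# -RemoveOrphaned deletes rule values owned by SIDs with no loaded hive.
param([switch]$RemoveOrphaned)

$fwPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$rulesKey = "$fwPolicy\RestrictedServices\Configurable\System"

# 1. Is the cleanup flag from the KB4467684 release notes present and set to 1?
$flag = (Get-ItemProperty -Path $fwPolicy -Name DeleteUserAppContainersOnLogoff `
         -ErrorAction SilentlyContinue).DeleteUserAppContainersOnLogoff
Write-Host ("DeleteUserAppContainersOnLogoff = {0}" -f $(if ($null -eq $flag) { 'not set' } else { $flag }))

# 2. Enumerate rule values and group them by owner SID.
#    Assumption: per-user rules carry an 'LUOwn=S-1-5-21-...' token in their data string.
$key    = Get-Item -Path $rulesKey -ErrorAction Stop
$bySid  = @{}   # SID -> rule count
$byName = @{}   # value name -> owner SID
foreach ($valueName in $key.GetValueNames()) {
    $data = [string]$key.GetValue($valueName)
    if ($data -match 'LUOwn=(S-1-5-21-[\d-]+)') {
        $sid = $Matches[1]
        $bySid[$sid]      = 1 + [int]$bySid[$sid]
        $byName[$valueName] = $sid
    }
}
Write-Host ("Total rule values: {0}; per-user rule values: {1}" -f $key.ValueCount, $byName.Count)

# 3. A SID whose profile hive is loaded under HKEY_USERS has a live (or disconnected)
#    session; every other SID's rules outlived its logoff.
$loadedSids = Get-ChildItem Registry::HKEY_USERS |
    ForEach-Object { $_.PSChildName } |
    Where-Object { $_ -match '^S-1-5-21-[\d-]+$' }

$bySid.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
    $state = if ($loadedSids -contains $_.Key) { 'session' } else { 'orphaned' }
    Write-Host ("{0,-48} {1,6} rules  {2}" -f $_.Key, $_.Value, $state)
}

# 4. Optional targeted cleanup: one value at a time, orphaned owners only,
#    instead of the thread's blanket 'reg delete ... /va /f'.
if ($RemoveOrphaned) {
    foreach ($entry in $byName.GetEnumerator()) {
        if ($loadedSids -notcontains $entry.Value) {
            Remove-ItemProperty -Path $rulesKey -Name $entry.Key -ErrorAction SilentlyContinue
        }
    }
}
```

Running the audit before and after a test logoff shows whether the Profile Management update plus the registry flag actually removes the departing user's rules, or whether the orphaned count keeps growing.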