User layer - policy evidence is not updated

[Alexey Kutuzov1709163409]

Hi All,

We stumbled on the following issue with the user layer (ELM2306 + CVAD 1912CU8 LTSR + Windows 10 1809 LTSR) :

Somehow policy evidence Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\1\Evidence\ClientIP is not updated on connection and following user logon leads to the policies applied incorrectly.  In our case, the policies are filtered using Client IP filters (for scenarios when users come from home via VPN and from an internal network). It is possible to fix policies behavior by manually fixing the evidence and making disconnect followed by reconnect.

Digging a bit we also found:

1 ) The evidence actually taken from Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\PortICA\Policy\Machine\PolicyInputValues

2) There is no issue if the user layer is not used in the same environment, e.g. elastic layers and UPM profiles works without issues. 

3) If we reset the user layer the problem does not appear some time and then gets back.

 

Could you please advise how to fix the described issue? 

[Chip Gonsalves]

By default, we only exclude from virtualization keys that we know should be excluded.  There are millions of keys that get added to the registry, so we don't know by default which ones have to be excluded until someone actually brings them to our attention.

 

In this case, this is a key that we were not aware of.  But you can add this key to the list of keys that we will exclude by adding a value to your registry to add this key to the ones that you want us to exclude.  I would make an OS revision or possibly add a revision to your platform layer where I would imagine you have your VDA code installed.  In regedit, navigate to HKLM\System\CurrentControlSet\Services\Unirsd and add a MULTI-SZ value called ExcludeKey.  Add the following as you see it here because the strings at the front are key to tell the driver what key to exclude: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Citrix\PortICA\Policy\Machine\PolicyInputValues  Finalize and deploy new images with the change.  That will tell us to skip that key when it is updated when users are logged in.  We will in turn add this key to ones that we will exclude by default in later releases (because now that we know about it, we can exclude it going forward).

[Alexey Kutuzov1709163409]

@Chip Gonsalves 

Thanks a million! I will check this as soon as I can and update the topic.

[Alexey Kutuzov1709163409]

I do confirm that applaying the setting below to the platform layer solved the issue.

 

Add the following entry to the Windows Registry: HKLM\SYSTEM\CurrentControlSet\Services\Unirsd\ExcludeKey [multi_SZ] = "\Registry\Machine\SOFTWARE\WOW6432Node\Citrix\PortICA\Policy\Machine\PolicyInputValues" "\Registry\Machine\SOFTWARE\WOW6432Node\Citrix\PortICA\Policy\Session\PolicyInputValues"