Nick Panaccio

Profile Management - General · June 7, 2023

It has been years since I've had to configure O365 using CPM (last did it with FSLogix), so I thought I'd come here and ask for some details on the CPM config some of you are running in your non-persistent XenDesktop VDAs. We're having an issue where at around the 25 day mark post-O365 login where the tokens are downloaded into the Licensing folder, users are receiving a COULDN'T VERIFY ACCOUNT warning after launching any of their O365 apps:

I've been troubleshooting this with Microsoft for the last few days with little progress, and wanted to see if anyone could provide their CPM config in a working environment. One thing to mention here is that we do not have Seamless SSO enabled in Azure AD. Our VDAs are hybrid joined, however.

Currently, we are synchronizing the following two folders, the latter for an unrelated issue:

AppData\Local\Microsoft\Office\16.0\Licensing

AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

I have only ever had to roam the Licensing folder, so I'd really like to know if there are other folders that should/should not be excluded from CPM in order for this to function properly.

March 20, 2023

On 3/17/2023 at 4:04 PM, Michael McAlpine1709158947 said:

What happens if we use the enforce registry processing option? I reached out product development and that is what they suggested.

https://y.yarn.co/9cfafed0-eabb-4206-948d-6725fe8826fa_text.gif

March 16, 2023

Wait, so even the "Refresh Cache" option in the WEM console (Administration\Agents) didn't update this value? That doesn't make sense to me.

January 12, 2023

13 minutes ago, Martijn Verheijen said:

I have the same issue, did you ever found a solution for this?

I honestly can't recall, as that was quite a long time ago. I assume the issue resolved itself in later builds of Edge, because we did do a lot of webcam testing in Edge late last year that seemed to work.

December 22, 2022

Anyone running 2203 VDAs with Tanium and CrowdStrike? We have seen nothing but crashes in 2203 (CU1 and CU2), and most point to one or the other. Tanium just consumes resources, and it appears as though the VMs are running out of CPU and memory just before the BSOD, but CrowdStrike components are always listed within the crash dump (not the faulting file, mind you). We first saw this in our non-persistent W10 environment, but I'm testing in persistent MCS and the crashes are coming on a daily basis.

I have been told that "CrowdStrike requires no exceptions" blah blah blah, but I believe that about as much as I believe in the tooth fairy.

November 9, 2022

1 hour ago, Michael Brislen1709158665 said:

Hi, did this every get resolved as we are having a similar issue once the platform layer has been updated?

Thanks in advance

Unfortunately, the only resolution I've found to work is to completely remove all XenTools each time I need to update the agent. I wrote a process that has been 100% successful for me in the past. Here is a link to my cleanup scripts (ensure that all files are in the same directory when run): https://drive.google.com/file/d/1isOzZ8Y7V5O5hvVOwClldcR-ou_meOnX/view?usp=share_link

To upgrade the Citrix XenServer Management Agent, do the following:

Run Uninstall.ps1
- This will uninstall previous XenServer Management agents, and is required because previous upgrades result in the NIC/network being broken in future layer versions
Reboot the VM
Run Run.ps1
- This script will remove old XenServer driver files
- Edit the path to Cleanup.ps1 within this script before running!
Reboot the VM
Run Install.ps1 to install the latest XenServer Management Agent
Reboot the VM twice
Add the XenServer Agent name, version and Product GUID to the Cleanup.ps1 script

I always installed the XenServer Agent in the OS layer, so you'll want to create a new Platform layer based on this OS layer once it's finalized.

August 12, 2022

I can only speak to how I implemented Defender in our XenDesktop environment (W10 20H2, non-persistent), which is a little different than the route you took. First thing's first - there are two really good blogs on this topic, in case you haven't seen them. Here's part 1 and part 2. I did not opt for the local GPO method, instead using a domain GPO for onboarding. Here are the steps I took to configure Defender:

Create a DFS share to host Defender's Security intelligence updates per part 1 of that blog
Create a GPO to manage Defender's settings (see screenshot below)
1. Note: For "Define the order of sources...", I use FileShares|MMPC because if the share hosting the defs goes down, the only way your VMs will receive updated defs is if you use MMPC, which will grab them from the Microsoft's website directly. I found out this the hard way, and confirmed with MS on the behavior
2. This GPO also uses a PowerShell Startup script (computer policy) for onboarding
  1. Onboard-NonPersistentMachine.ps1 is used for the script, but make sure that WindowsDefenderATPOnboardingScript.cmd is also present in that folder if you intend to use 'a single entry for each machine' per part 2 of that blog. which is the route I assume most would want with non-persistent VMs
Enable Defender in the OS layer, and run Windows Update to pull in the latest defs

After compiling the image, I edit it in Private mode to seal it, performing the following tasks in my sealing script:

#Install the latest Defender definitions before sealing
Write-Host "Updating Defender..." -ForegroundColor Yellow -NoNewLine
Start-Process "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-RemoveDefinitions -DynamicSignatures" -Wait -PassThru | Out-Null
Start-Process "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-SignatureUpdate" -Wait -PassThru | Out-Null
Write-Host " Done" -ForegroundColor Green

#Scan the compiled image before sealing
Write-Host "Scanning the image with Defender..." -ForegroundColor Yellow -NoNewLine
Start-MpScan -ScanType FullScan
Write-Host " Done" -ForegroundColor Green

#Configure Defender settings that need to be baked into the image, as some require a reboot
Write-Host "Configuring Defender..." -ForegroundColor Yellow -NoNewLine
Set-MpPreference -SharedSignaturesPath \\domain.com\Citrix\WDAV\wdav-update
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\domain.com\Citrix\WDAV\wdav-update
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $False
Set-MpPreference -SignatureFallbackOrder 'FileShares|MMPC'
Write-Host " Done" -ForegroundColor Green

That's all I do for our W10 non-persistent VMs, and Defender has been fine in our environment. All VMs onboard properly, and I never have to worry about offboarding since I don't onboard my master image, etc. It's much cleaner this way, IMO. I will say that Defender is a bit of a pig, somehow. We moved from Trend Micro Apex One, which did much better in terms of resource consumption. Not only does Defender use more CPU and RAM, but it also added 10 seconds to our logon time just by having the services enabled.

July 26, 2022

20 hours ago, Björn Schläfli said:

We've upgraded WEM 2103 to 2203. Agent synchronization is not working. We use the option 'infrastructure service uses windows authentication' in database connection usually, but this option was not enabled while upgrading. As far as I know this means vuemUser is not the database user.

Am I able to change this option after update? The only gui I have is the database upgrade and that's not helping, because the database is already on 2203.

Or do I need a database restore?

You should also have access to the WEM Infrastructure Service Configuration GUI on your brokers. I'm not 100% sure, but I want to say that the DB upgrade wizard just uses that account for the upgrade, so the local account may still be in the DB (you should be able to check this directly against the SQL DB). I'd launch the Infra Svc Config GUI first to validate the connection settings, and if something is configured incorrectly (like the account used to hit the WEM DB), correct it there. Otherwise, yeah, a DB restore is probably your quickest recovery option.

Posted July 25, 2022 · July 25, 2022

On 7/23/2022 at 3:09 PM, shocko said:

Did you ever get a resolution on this issue?

We did not, no. Only one user ever had the issue, and after a while he couldn't spend as much time troubleshooting as Citrix would have liked (CDF traces, etc.), so the ticket basically faded into nothingness.

July 18, 2022

On 7/15/2022 at 6:58 PM, Vincent Bernard said:

See - https://support.citrix.com/article/CTX461461/app-layering-2206-wmi-applications-relying-on-the-global-assembly-cache-gac-fail-to-run

Thanks for this. I think I'm going to wait for 2208, though, since I was able to roll back to 2204.

July 14, 2022

I submitted a ticket with Citrix and asked for the private fix, referencing everything above, and they told me that the WMI issues were fixed with the 2206 build and that I didn't need any private fix. Okay then. Guess it was a good thing I was able to restore my appliance from backup, so I'll hang out on 2204 until the next release.

July 12, 2022

Do we just need to submit a ticket to get access to the private fix? I'm caught between a rock and a hard place, because I can't restore from backup at the moment, but need to move forward with my next image.

July 11, 2022

Out of curiosity, do you guys see this issue if you leave the OS layer on the old build tools? Wondering if it's the actual appliance upgrade or the OS tools (or both, I guess).

April 26, 2022

I've never run into the side by side errors, but what I would do is this:

Assuming that you installed Edge in your OS layer, create a new version and uninstall Edge (even if you have two entries in Add Programs listed)
Finalize that layer
Create another OS layer version and install whichever build of Edge you're looking to be on. Below is a copy of my current install script, which has some new entries that I wanted to remove in later builds of Edge

$var_Install_Exec = "msiexec.exe"
$var_Install_Arg = "/i MicrosoftEdgeEnterpriseX64.msi DONOTCREATEDESKTOPSHORTCUT=TRUE DONOTCREATETASKBARSHORTCUT=TRUE /qn"

$proc = Start-Process -FilePath $var_Install_Exec -ArgumentList $var_Install_Arg -WorkingDirectory $PSScriptRoot -Wait -PassThru

While (!(Test-Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk")) { Start-Sleep 5 }
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" -Name "StubPath" -Force

While (!(Test-Path "C:\Users\Public\Desktop\Microsoft Edge.lnk")) { Start-Sleep 5 }
Remove-Item "C:\Users\Public\Desktop\Microsoft Edge.lnk" -Force

#Fixing the Microsoft Edge tile background color so that it matches the other Windows 10 tiles
Remove-Item "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml" -Force
$Shell = New-Object -ComObject ("WScript.Shell")
$Shortcut = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk")
$Shortcut.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe";
$Shortcut.Save()

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate\" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate\" -Name "UpdateDefault" -Value 0 -PropertyType "DWORD" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch\" -Name "AutoRunOnLogon" -Value 0 -PropertyType "DWORD" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost\" -Name "AutoRunOnLogon" -Value 0 -PropertyType "DWORD" -Force | Out-Null
Get-ScheduledTask -TaskName MicrosoftEdgeUpdate* | Disable-ScheduledTask | Out-Null
Get-ScheduledTask -TaskName MicrosoftEdgeUpdate* | Unregister-ScheduledTask -Confirm:$False | Out-Null

$Services = "edgeupdate","MicrosoftEdgeElevationService"
ForEach ($Service in $Services){
	Set-Service -Name $Service -StartupType Disabled
	Stop-Service -Name $Service -Force
}

February 8, 2022

Gotcha. I added that step to my App Layering document, so I'll just make sure that the cert is updated at each upgrade now, just in case.

February 8, 2022

Just seeing this now. My cert expired on 10/2/20, but everything has worked fine throughout. So... is it even needed?

January 25, 2022

Bit of a strange one here. Like the title says, in my W10 VDA (1912 LTSR CU3), when testing webcam redirection in Edge (versions 94-97), the webcam initially works fine, and then it'll turn off, even though the page still says it's enabled. When I test with the same versions of Chrome, I never see this behavior. The Edge and Chrome GPOs are identical, and even after disabling them for both, the same pattern repeats. Has anyone experienced the same? It's driving me nuts, because we have already removed Chrome from our image, and I'd like to keep it that way.

January 6, 2022

I'm seeing this now on my W10 1912 LTSR CU3 VDAs when accessing Citrix Desktop via an IGEL thin client. None of the additions mentioned here or in Slack are working. Anyone else seeing the same?

November 9, 2021

Nope, just Profile containers here. I've got a case open with Microsoft right now, but so far nothing has come of it. They're currently analyzing logs.

October 27, 2021

IMO, I would keep it in the OS layer since it doesn't actually need to be that high in the priority list. I treat it like I do other OS components, like Edge, .NET, etc.

October 19, 2021

I know it's regarding FSLogix, but I'm asking this everywhere I can, as I'm having no luck figuring it out...

My environment:

CVAD 1912 LTSR CU3
Windows 10 20H2 VDA (non-persistent PVS)
FSLogix 2.9.7838.44263 (also happens with 2.9.7654.46150)
Folder Redirection via Citrix WEM (Documents to the OneDrive\Documents location)

In my FSL GPO, I have Store search database in profile container Enabled/single-user search, and in the image itself I have RoamSearch set to 1. When I login to my Citrix Desktop and create a brand new profile, I am unable to search for content in both File Explorer and the Search taskbar, even after a full OneDrive sync. Searching simply returns no results. If I rebuild the index, searching will start working, though I'm not sure if it will continue to index with new folders being created.

I have tried setting the Windows Search service to Automatic (Delayed Start) via GPP. This seems to enable me to search in File Explorer, but only if I'm in the OneDrive folder, where the search field displays Search OneDrive - tenant; If I'm in my redirected Documents folder, no results are returned.

If I disable the FSL services on the VDA and then login (fresh profile), searching works in both File Explorer and the Search taskbar, and Indexing Options shows that it appears to be indexing all of the OneDrive content; thousands of indexed items vs. ~600 when FSL is enabled.

The FSL logs all look fine. I can see that it knows Search Index roaming is enabled, and it successfully processes the commands. Has anyone else run into this? Or does anyone have any idea on what else I can try here? Being unable to search in a published desktop is a major issue. I do already have a ticket in with MS on this.

September 30, 2021

After getting bit by Edge's update scheduled task name change recently, I had to pivot with my install script. I'm doing basically what Rob suggests:

Install Edge in the OS layer
Hardcode the UpdateDefault registry key to 0, disabling Edge updates
Disabling all scheduled tasks named MicrosoftEdgeUpdate*
Disabling the two Edge update services

Below is my install script:

$var_Install_Exec = "msiexec.exe"
$var_Install_Arg = "/i MicrosoftEdgeEnterpriseX64.msi DONOTCREATEDESKTOPSHORTCUT=TRUE DONOTCREATETASKBARSHORTCUT=TRUE /qn"

$proc = Start-Process -FilePath $var_Install_Exec -ArgumentList $var_Install_Arg -WorkingDirectory $PSScriptRoot -Wait -PassThru

While (!(Test-Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk")) { Start-Sleep 5 }
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" -Name "StubPath" -Force

While (!(Test-Path "C:\Users\Public\Desktop\Microsoft Edge.lnk")) { Start-Sleep 5 }
Remove-Item "C:\Users\Public\Desktop\Microsoft Edge.lnk" -Force

#Fixing the Microsoft Edge tile background color so that it matches the other Windows 10 tiles
Remove-Item "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml" -Force
$Shell = New-Object -ComObject ("WScript.Shell")
$Shortcut = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk")
$Shortcut.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe";
$Shortcut.Save()

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate\" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate\" -Name "UpdateDefault" -Value 0 -PropertyType "DWORD" -Force | Out-Null
Get-ScheduledTask -TaskName MicrosoftEdgeUpdate* | Disable-ScheduledTask | Out-Null

$Services = "edgeupdate","MicrosoftEdgeElevationService"
ForEach ($Service in $Services){
	Set-Service -Name $Service -StartupType Disabled
	Stop-Service -Name $Service -Force
}

That middle section isn't necessary, but it drives me nuts seeing Edge's icon so much larger than the other Windows 10 icons, so I correct it as part of my script.

September 30, 2021

What Rob said - you need to make sure that your O365 layer is a prerequisite when creating your Teams layer, otherwise that won't work. Kasper Johansen wrote a nice article on Teams in Citrix: https://virtualwarlock.net/microsoft-teams-in-citrix/

For presence to work properly, you need to load Teams and Outlook, close both, and then then load both again (assuming you have Teams set as your IM presence). Painfully stupid, but this is Microsoft.

Posted September 30, 2021 · September 30, 2021

So when you generate support logs from Teams, it doesn't include that file? Well isn't that just awfully convenient. I guess I have to wait until next Wednesday to attempt this again to gather everything.

Posted September 29, 2021 · September 29, 2021

This is a bit of a weird one, and I've only seen it happen in a large Teams meeting. The presenter is using a user-based version of Teams (latest build) on their Windows 10 laptop, and sharing out their first monitor (1080p). If you join the meeting in Citrix Desktop using Teams installed in the VDA (machine-based, optimized) early enough, you can see the shared content. However, if a certain number of others are already in the meeting - and I don't know what this number is - then optimized Teams users cannot see the incoming screen sharing; they just see a gallery view of the users (not video). However, if I disable Teams optimization in Citrix via Studio, they can see the incoming screen sharing in this meeting every time.

My environment:

W10 20H2 VDA

1912 LTSR CU3 (saw it in my previous CU2 image, as well)

Teams (machine-based, optimized) 1.4.0.22976; also experienced this issue on the previous 2 builds, .22472, etc.

CWA 2107 (saw it in CWA 2105, as well)

Any ideas here? I don't see this listed as a limitation anywhere, and it's driving me nuts.

Forums

Articles

Labs

Videos

TechZone

Citrix Community Articles

Events

Profiles

Posts posted by Nick Panaccio