  1. by Ray Davis, CTA & Jacksonville CUGC Leader

The purpose of this blog post is to share my preliminary testing comparing classic Teams with the new Teams. It's important to note that these findings are not suitable for production environments, and my testing has been limited to basic assessments. I did not employ any automated tools or use LoginVSI. Instead, I relied on fundamental tools like Procmon and Process Explorer. My goal was to observe the differences and assess the backward compatibility of HdxRtcEngine, WebRTC, and the other components present in classic Teams.

In summary, the new Teams feels lighter, and I am optimistic that Microsoft and Citrix are moving in the right direction. Building something substantial takes time, and, as the saying goes, Rome was not built overnight. Great things require patience and careful development.

With the public preview release of the "new Teams," I was very curious to see how it performed in a VDI setup. During my testing, I installed both Classic (Electron-based) and New (WebView2-based). There is nothing fancy here; I will be using Process Explorer and Process Monitor. Here are the specs of the VDI I was testing on:

  OS:        Windows 10 Enterprise
  CPU:       1 socket, 2 cores
  RAM:       4 GB
  WEM:       None
  VDA:       2308
  Optimizer: Base 22H2
  vGPU:      None

Download link: https://go.microsoft.com/fwlink/?linkid=2243204&clcid=0x409

A recent post from Microsoft: "Announcing general availability of the new Microsoft Teams app for Windows and Mac" (Microsoft Community Hub).
System requirements: New Microsoft Teams for Virtualized Desktop Infrastructure (VDI) - Microsoft Teams | Microsoft Learn.

Note: "Currently, the new Teams client in VDI is not compatible with FSLogix Profile containers and ODFC containers. Microsoft is working on a solution and plan to remove these limitations soon."

Classic vs. new installers

  - Classic Teams, MSI with the ALLUSERS=1 flag
    Install location: C:\Program Files (x86)\Microsoft\Teams
    Auto update: Disabled
  - Classic Teams, .EXE
    Install location: %localappdata%\Microsoft\Teams
    Auto update: Enabled
  - New Teams, .EXE bootstrapper
    Teamsbootstrapper.exe is a lightweight wrapper online installer with a headless command-line interface. It allows admins to "provision" (install) the app for all users on a given target computer. It installs the Teams MSIX package on the target computer, making sure that Teams can interoperate correctly with Office and other Microsoft software.
    Install location: C:\Program Files\WindowsApps\PublisherName.AppName_AppVersion_architecture_PublisherID
    Example: C:\Program Files\WindowsApps\MSTeams.23125.600.2069.5679_x64_8wekyb3d8bbwe
    Auto update: Enabled (and can be disabled via a registry key, coming soon)

Install the Citrix VDA first; this was a legacy Microsoft Teams requirement for Citrix, and at this time I am still following that mindset. On your persistent or non-persistent VM, run the following command as an administrator:

  teamsbootstrapper.exe -p

You can see the installer options as well, to understand what it offers at this time.

Profile and cache location for the new Teams client

All the user settings and configurations are now stored in:

  C:\Users\<username>\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams
  Example: C:\Users\davis\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams

Make sure this folder is persisted for proper Teams functioning.

Installer location for all users with the "-p" option. (screenshot)

The Microsoft document states the following: "In addition, you must deploy the following registry key on the VDA for the new Teams client to be optimized:"

  Location: HKLM\SOFTWARE\WOW6432Node\Citrix\WebSocketService
  Key (REG_MULTI_SZ): ProcessWhitelist
  Value: msedgewebview2.exe

If this registry key is missing, the new Teams client functions in non-optimized mode (server-side rendering). Note: it's a REG_MULTI_SZ key, not a REG_SZ key.

Classic Teams resource consumption at launch

  - Starting with an idle CPU base. (screenshot)
  - Teams opened on the session. This is the default, with GPU hardware acceleration on. (screenshot)
  - CPU handles from the launch. (screenshot)
  - Teams HDX optimized. (screenshot)
  - Turned off GPU hardware acceleration to see if there were any differences on classic Teams. (screenshot)
  - CPU handles from the launch. Compared to number 13, it does seem somewhat better. (screenshot)
  - Allowing it to go idle before jumping on a call/meeting. (screenshot)
  - Tested a call and used Process Explorer to watch the CPU go up and down. (screenshot)

Now, I am going to repeat the process with the new Teams.

  - HDX optimized for new Teams, using the same WebRTC and HDXEngine. (screenshot)
  - USB device: devices came through okay. (screenshot)
  - CPU handles from the launch. It does seem lighter and balanced out faster than classic Teams. (screenshot)
  - Upon opening the new Teams, within 5-7 seconds, this happens below: you can see the CPU go up, then go back down in time. (screenshot)
  - Test call on the new Teams. (screenshot)

Test meeting with the new Teams: a meeting from my VDI to a Windows 10 PC at home on a T-Mobile hotspot. On the W10 VDI, the camera is on, screen sharing is enabled, and the background is defined. I tried to capture what Process Explorer was doing during this time. This shows the CPU cycles during the testing for "the camera is on, screen sharing is enabled, and the background is defined." (screenshots)

What I saw on the W10 PC (non-VDI) on my T-Mobile hotspot, outside the network. This would represent what the other people see; I am just testing in a meeting with myself on two different devices. (screenshot)

Citrix Monitor in DaaS, showing that the WebSocketAgent on the VDA is still being used. (screenshot)
This is the PC where I am running the Workspace app. You can see that the HDX RTC Engine is still used. (screenshot)

The next test: I wanted to see if Citrix Monitor (Director) would still pick up the WebRTC channel. I added this to the VDA to see if I could pick up the meeting stats from HDX Monitor:

  HKLM\SOFTWARE\WOW6432Node\Citrix\HdxMediaStream
  Name:  WebrtcDirectorIntegration
  Type:  DWORD
  Value: enable (1), disable (0)

Reversed sharing: a meeting from the non-VDI device, to see how WebRTC looked on the receiving end of the new Teams. (screenshots)

Test meeting with classic Teams: running a meeting from my VDI to an iPhone running Teams. On the W10 VDI: camera on, screen sharing on, and background on. This shows the CPU cycles during the testing for "the camera is on, screen sharing is enabled, and the background is defined." (screenshots)
Reverse sharing from the iPhone to the VDI session. This shows the CPU cycles on reverse sharing, testing for "the camera is on, screen sharing is enabled, and the background is defined." (screenshots)

Microsoft Teams process while in use

  1. The user initiates the Microsoft Teams application.
  2. Microsoft Teams undergoes authentication with Microsoft 365, which results in the enforcement of tenant policies within the Teams client.
  3. Relevant TURN and signaling channel details are communicated to the Teams application.
  4. Microsoft Teams recognizes that it is running on a Citrix Virtual Delivery Agent (VDA) and initiates API calls to the Citrix JavaScript API.
  5. Within Microsoft Teams, the Citrix JavaScript component establishes a secure WebSocket connection to WebSocketService.exe, running on the VDA. WebSocketService.exe operates under the Local System account and listens on 127.0.0.1:9002.
  6. WebSocketService.exe is responsible for TLS termination, user session mapping, and the initiation of WebSocketAgent.exe, which then operates within the user's session.
  7. WebSocketAgent.exe establishes a generic virtual channel by interfacing with the Citrix HDX Browser Redirection Service (CtxSvcHost.exe).
  8. The HDX Engine of Citrix Workspace app, wfica32.exe, spawns a new process known as HdxRtcEngine.exe (or HDXTeams.exe in versions prior to Workspace app 2009.6). This new process serves as the WebRTC engine for Teams optimization.
  9. HdxRtcEngine.exe and Teams.exe establish a bidirectional virtual channel, enabling the processing of multimedia requests.
  10. User A initiates a call to User B. Teams.exe communicates with the Teams services in Azure to establish an end-to-end signaling pathway with User B.
  11. Teams running on the VDA consults HdxTeams (HdxRtcEngine) to acquire a set of supplementary call parameters, including codecs and resolutions, referred to as the Session Description Protocol (SDP) offer. These call parameters are then transmitted through the established signaling path to Teams services in Azure and onward to User B.
  12. The SDP offer/answer exchange and Interactive Connectivity Establishment (ICE) checks are successfully completed. ICE checks for NAT and firewall traversal are accomplished through Session Traversal Utilities for NAT (STUN).
  13. Secure Real-time Transport Protocol (SRTP) is used for the transmission of media between HdxRtcEngine.exe and User B. In the case of a meeting, SRTP is used for media transmission between HdxRtcEngine.exe and the Microsoft 365 conference servers.

Resources for reference

  - Optimization for Microsoft Teams | Citrix Virtual Apps and Desktops 7 2308
  - Troubleshooting HDX Optimization for Microsoft Teams (citrix.com) (updated frequently)

Quick comparison (screenshots)

  - Classic Teams launched; CPU handles from the launch; test call, using Process Explorer to watch the CPU go up and down; in a meeting.
  - New Teams launched; CPU handles from the launch; test call, using Process Explorer to watch the CPU go up and down; in a meeting.

This wraps up my initial testing for now. As I mentioned, it was basic testing, and I anticipate that this will evolve into a more extensive and detailed discussion over time. In general, the new Teams exhibits a lighter feel and consumes less RAM. While the CPU does experience an impact compared to classic Teams, the duration of this impact is significantly shorter. I've noticed that the interface is much more responsive. It's important to note that this testing focused specifically on meetings, calls, backgrounds, and sharing. It did not encompass tasks such as using Outlook, scheduling meetings, and engaging with Teams in a day-to-day context. Additionally, I want to emphasize that this is solely testing, and I strongly discourage using it in a production environment. There are still too many uncertainties in the VDI space.
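The ProcessWhitelist key, the 127.0.0.1:9002 listener, the optional Director DWORD and the LocalCache folder described in the post can all be checked on a VDA before a test session. This is an added example, not code from the post or from Citrix/Microsoft; it assumes an elevated PowerShell session on the VDA, the function names are mine, and the "MSTeams" package name passed to Get-AppxPackage is an assumption taken from the WindowsApps folder name shown above.

```powershell
# Added example (not from the post): pre-flight checks on the VDA for new Teams HDX optimization.
# Registry locations, values and paths are those quoted in the post; function names are mine.
# Run from an elevated PowerShell session on the VDA.

$WebSocketKey = 'HKLM:\SOFTWARE\WOW6432Node\Citrix\WebSocketService'
$HdxMediaKey  = 'HKLM:\SOFTWARE\WOW6432Node\Citrix\HdxMediaStream'

function Test-ProcessWhitelist {
    # The post's gotcha: ProcessWhitelist must be REG_MULTI_SZ and contain msedgewebview2.exe.
    # A REG_SZ holding the right text is the wrong type and leaves Teams in server-side rendering.
    $key = Get-Item -Path $WebSocketKey -ErrorAction SilentlyContinue
    if (-not $key) {
        return [pscustomobject]@{ Check = 'ProcessWhitelist'; Ok = $false; Detail = 'WebSocketService key missing' }
    }
    if ($key.GetValueNames() -notcontains 'ProcessWhitelist') {
        return [pscustomobject]@{ Check = 'ProcessWhitelist'; Ok = $false; Detail = 'value missing' }
    }
    $kind  = $key.GetValueKind('ProcessWhitelist')          # REG_MULTI_SZ is reported as MultiString
    $value = @($key.GetValue('ProcessWhitelist'))
    $ok    = ($kind -eq [Microsoft.Win32.RegistryValueKind]::MultiString) -and
             ($value -contains 'msedgewebview2.exe')
    [pscustomobject]@{ Check = 'ProcessWhitelist'; Ok = $ok; Detail = "type=$kind value=$($value -join ',')" }
}

function Set-ProcessWhitelist {
    # Creates the key if needed and writes the value as REG_MULTI_SZ (-Force replaces a wrong-type value).
    if (-not (Test-Path $WebSocketKey)) { New-Item -Path $WebSocketKey -Force | Out-Null }
    New-ItemProperty -Path $WebSocketKey -Name 'ProcessWhitelist' -PropertyType MultiString `
        -Value @('msedgewebview2.exe') -Force | Out-Null
}

function Test-WebSocketListener {
    # Step 5 of the process flow above: WebSocketService.exe listens on 127.0.0.1:9002 as Local System.
    $svc  = Get-Process -Name 'WebSocketService' -ErrorAction SilentlyContinue
    $conn = Get-NetTCPConnection -LocalAddress '127.0.0.1' -LocalPort 9002 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check  = 'WebSocketService 127.0.0.1:9002'
                       Ok     = [bool]($svc -and $conn)
                       Detail = "process=$([bool]$svc) listening=$([bool]$conn)" }
}

function Test-DirectorIntegration {
    # Optional DWORD the post added so Citrix Monitor (Director) picks up the WebRTC channel.
    $v = Get-ItemProperty -Path $HdxMediaKey -Name 'WebrtcDirectorIntegration' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check  = 'WebrtcDirectorIntegration'
                       Ok     = ($v.WebrtcDirectorIntegration -eq 1)
                       Detail = $(if ($v) { "value=$($v.WebrtcDirectorIntegration)" } else { 'not set (optional)' }) }
}

function Test-TeamsInstallAndCache {
    # MSIX package under WindowsApps and the per-user LocalCache folder that must be persisted.
    # Assumption: the package name is MSTeams (from the MSTeams_..._8wekyb3d8bbwe folder in the post).
    $pkg   = Get-AppxPackage -Name 'MSTeams' -ErrorAction SilentlyContinue
    $cache = Join-Path $env:LOCALAPPDATA 'Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams'
    [pscustomobject]@{ Check  = 'New Teams package + cache'
                       Ok     = [bool]($pkg -and (Test-Path $cache))
                       Detail = "package=$($pkg.Version) cache=$cache exists=$(Test-Path $cache)" }
}

$results = @(Test-ProcessWhitelist; Test-WebSocketListener; Test-DirectorIntegration; Test-TeamsInstallAndCache)
$results | Format-Table -AutoSize

# Remediate only the mandatory key; the other checks are informational.
if (-not ($results | Where-Object Check -eq 'ProcessWhitelist').Ok) {
    Set-ProcessWhitelist
    'ProcessWhitelist written as REG_MULTI_SZ; restart the VDA (or the Citrix WebSocket service) to pick it up.'
}
```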
  2. by Ray Davis, CTA & Jacksonville CUGC Leader

In the exciting journey of the past year, I embarked on a project that took me back in time to 1912 (not literally, of course). My mission? To perform a daring upgrade from CVAD 1912 LTSR to 2203 LTSR for one of our cherished customers. But that's not all; this adventure included migrating databases to a new SQL Availability Group (AG). To make things even more thrilling, I also had to revamp the Citrix WEM environment from 1912 to 2206 (at that time).

Also, remember that there is no LTSR for Citrix WEM, only the Current Release. Citrix Workspace Environment Management is covered by the Current Releases (CR) lifecycle of Citrix Virtual Apps and Desktops. Current Releases reach End of Maintenance (EOM) 6 months after general availability (GA) and End of Life (EOL) 18 months after GA. You can find more information about this here: Citrix Product Matrix - Citrix.

I won't delve into the nitty-gritty details of those upgrades, because there are already countless blogs out there that can walk you through the process. I even have one on CUGC that you can use as a reference if needed. It goes over just about everything; it's older, but it will guide you: How I Upgraded My Site From 7.15 Flat All the Way to 1912 | BLOGS (mycugc.org).

Instead, I'm here to guide you through a vital aspect of this escapade: the seamless migration of the WEM database from one SQL environment to another. It's essential to keep in mind that there are numerous paths to achieving the same goal. In my humble opinion, there's no definitive "right" or "wrong" way to accomplish this task. The world of database migration is versatile, and many different tools and methods can lead you to success. For my particular journey, I chose a specific route to perform this migration. Your journey might take a different path, and that's perfectly okay. What matters most is the end result: a successful database migration that meets your unique needs and preferences. So, let's explore my chosen method, and keep in mind that flexibility is the key to mastering this process.

Before we dive into the details, please note that what you'll find here is essentially an outline based on my lab experience, serving as a roadmap for the steps I performed for my customer. I want to stress the importance of collaboration in the process. Working closely with your Database Administrator (DBA) and security team is a smart move to ensure everything is set up correctly and securely before you kick off this operation.

One question I often get asked is: is there downtime? Technically speaking, no. The reason is the WEM agent cache DB on the VDAs, which keeps the agents working if the backend WEM environment is down. This doesn't imply you should perform the migration during regular working hours; what I'm emphasizing is that WEM has impressive resilience built into its core functionality. So, while planning your migration, keep in mind that there won't be downtime, but it's still wise to choose a suitable window for this operation to ensure a smooth transition.

These are the ports that Citrix WEM needs, most importantly on the SQL side:
https://docs.citrix.com/en-us/tech-zone/build/tech-papers/citrix-communication-ports.html#workspace-environment-management

  Source                               Destination             Type  Port   Details
  Infrastructure service               Agent host              TCP   49752  "Agent port". Listening port on the agent host which receives instructions from the infrastructure service.
  Administration console               Infrastructure service  TCP   8284   "Administration port". Port on which the administration console connects to the infrastructure service.
  Agent                                Infrastructure service  TCP   8286   "Agent service port". Port on which the agent connects to the infrastructure server.
  Agent cache synchronization process  Infrastructure service  TCP   8285   "Cache synchronization port". Applicable to Workspace Environment Management 1909 and earlier; replaced by the cached data synchronization port in Workspace Environment Management 1912 and later. Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server.
                                                               TCP   8288   "Cached data synchronization port". Applicable to Workspace Environment Management 1912 and later; replaces the cache synchronization port of Workspace Environment Management 1909 and earlier. Port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server.
  Monitoring service                   Infrastructure service  TCP   8287   "WEM monitoring port". Listening port on the infrastructure server used by the monitoring service. (Not yet implemented.)
  Infrastructure service               Microsoft SQL Server    TCP   1433   To connect to the WEM database.
  Infrastructure service               Citrix License Server   TCP   27000  "Citrix License Server port". The port on which the Citrix License Server is listening and to which the infrastructure service connects to validate licensing.
                                                               TCP   7279   The port used by the dedicated Citrix component (daemon) in the Citrix License Server to validate licensing.

If you're anything like me, you're a stickler for data and details. It's only natural to want to see concrete evidence of how things are progressing, especially when undertaking a task as critical as database migration. While enabling logging isn't mandatory, I highly recommend it. Why, you ask? Well, logging allows you to track and verify the entire process, ensuring that your database migration is reporting accurately. Enabling logs also provides a sense of satisfaction when you can look back and say, "I did it, and I did it right!" So, let's dive into this journey, take control of our data, and bask in the glory of a successful database migration with confidence.

====================== Logging if needed ======================

  1. Open the WEM Infrastructure Service Configuration Utility from the Start menu.
  2. On the Advanced Settings tab, select Enable debug mode.
  3. Click Save Configuration and click Yes to start the service to apply the change.
  4. Close the WEM Infrastructure Service Configuration Utility window.

By default, the log file is located in %PROGRAMFILES(X86)%\Norskale\Norskale Infrastructure Services, and its name is Citrix WEM Infrastructure Service Debug.log.

====================== Step 1 ======================

  1. Snapshot the WEM servers.
  2. Back up the database from the old SQL server. I left the defaults; you would want to put it on a SAN/NAS like an ExaGrid or Data Domain, depending on your SQL backup requirements.
  3. Click OK to start the backup.

====================== Step 2 ======================

Copy the SQL accounts over with a command.

  a) You need to import the dbatools module. (Note: other third-party SQL tools can do this for you; if you have tools that do this, it may not be needed.) In this instance, I did it with dbatools.
  b) No internet access: https://github.com/dataplat/dbatools/discussions/7984. If you have internet access, move to c).
  c) Internet access: Install-Module dbatools
  d) Check either way: Get-Module dbatools -ListAvailable
  e) Copy the accounts over using: Copy-DbaLogin -Source <OldSQLServer> -Destination <NewSQLServer>

====================== Step 3 ======================

Restore to the new SQL server. I will post some pictures from another blog post I did, where I restored a CVAD DB. The steps are the same; ignore the server name and DB names, though.

  1. Remote into the new SQL Server and restore the databases. In this case, it's LABSQL02.
  2. Do this for each database independently.
  3. Verify the mappings and the vuemUser account.

====================== Step 4 ======================

  1. Open WEM Infrastructure Service Configuration on the WEM infrastructure servers. It will show the old database here.
  2. In the Database Settings, set the name in "Database Server and Instance" to the new name.
  3. Don't set anything in "Database Failover server and instance."
  4. Put the database name in "Database Name."
  5. Save settings.
  6. Open Workspace Service Configuration, ensure all settings match, then click Save.
  7. WEM will now open and connect to the database along with the configuration sets.
  8. Check the event logs for errors.

=============================== Step 5: Verify logs for successful migration ===============================

The log file is located in %PROGRAMFILES(X86)%\Norskale\Norskale Infrastructure Services, and its name is Citrix WEM Infrastructure Service Debug.log.

Possible issues that I have seen in various environments. This always depends on each customer and how things are structured inside their IT department.

  - Move WEM SQL database to a new SQL instance with/without SysAdmin permissions (citrix.com)
  - One issue I encountered was that the WEM Agent Sync failed - Remote Provider. It took us some time to track this down. I only saw this when moving from a 1912 environment to a new build (not database-migration related). WEM Agent Sync failed - Remote Provider should have two scopes - WEM (Workspace Environment Management) - Discussions (citrix.com)
  - This tidbit is not related to a WEM database migration, but it's more of a pre-check if you are upgrading Citrix WEM from a build earlier than 2006. Upgrade a deployment | Workspace Environment Management 2308 (citrix.com): "Keep the following in mind when you plan to upgrade a WEM deployment earlier than 2006 to 2209 or later: To avoid database upgrade failures, upgrade to 2103 first and then to 2209 or later."

With that, we wrap up our database migration journey. My hope is that the insights shared here will prove beneficial to someone within the vibrant Citrix community. The world of IT is all about sharing knowledge and experiences, and I'm thrilled to have had the opportunity to contribute to that ethos. So, as we conclude this chapter, remember that every step in your IT adventure is an opportunity to learn, grow, and support others. Here's to successful migrations and the spirit of collaboration in the Citrix community!
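The port table and Steps 1 to 3 above, as one added example that is not the author's script: a pre-flight check of the WEM ports with Test-NetConnection, then the backup, login copy and restore done with dbatools cmdlets instead of the SSMS clicks, ending with the orphaned-user check that "verify mappings and vuemUser" refers to. Server names, the share path and the database name are placeholders; it assumes dbatools is installed (Step 2) and that the account running it can back up on the old instance and restore on the new one.

```powershell
# Added example (not the author's commands). Assumes dbatools is installed per Step 2 and that
# the account running this can back up on the old instance and restore on the new one.
Import-Module dbatools

$OldSql  = 'LABSQL01'             # placeholder: current WEM SQL instance
$NewSql  = 'LABSQL02'             # the new instance named in Step 3
$WemDb   = 'CitrixWEM'            # placeholder: WEM database name
$Share   = '\\backup01\sql\wem'   # placeholder: backup share both instances can read
$Infra   = 'WEMINFRA01'           # placeholder: WEM infrastructure server
$License = 'CTXLIC01'             # placeholder: Citrix License Server

function Test-WemPorts {
    # Ports from the communication-ports table; run from the host named in the "From" column.
    # 1433 is the one the migration hinges on: the infrastructure service must reach the NEW instance.
    param([string]$InfraServer, [string]$SqlServer, [string]$LicenseServer)
    $targets = @(
        @{ From = 'Administration console';  To = $InfraServer;   Port = 8284;  Name = 'Administration port' }
        @{ From = 'Agent';                   To = $InfraServer;   Port = 8286;  Name = 'Agent service port' }
        @{ From = 'Agent cache sync';        To = $InfraServer;   Port = 8288;  Name = 'Cached data sync (1912+)' }
        @{ From = 'Infrastructure service';  To = $SqlServer;     Port = 1433;  Name = 'WEM database' }
        @{ From = 'Infrastructure service';  To = $LicenseServer; Port = 27000; Name = 'License Server' }
        @{ From = 'Infrastructure service';  To = $LicenseServer; Port = 7279;  Name = 'License daemon' }
    )
    foreach ($t in $targets) {
        $r = Test-NetConnection -ComputerName $t.To -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ From = $t.From; To = $t.To; Port = $t.Port; Purpose = $t.Name; Open = $r.TcpTestSucceeded }
    }
}

function Move-WemDatabase {
    param([string]$Source, [string]$Destination, [string]$Database, [string]$BackupPath)

    # Step 1: full, compressed backup of the WEM database on the old instance.
    $backup = Backup-DbaDatabase -SqlInstance $Source -Database $Database -Path $BackupPath `
                                 -Type Full -CompressBackup -EnableException

    # Step 2: copy the SQL login WEM uses (add your WEM admin accounts to the list) so the restored
    # database users map to logins on the new instance; dbatools carries the password hash across.
    Copy-DbaLogin -Source $Source -Destination $Destination -Login 'vuemUser' -EnableException | Out-Null

    # Step 3: restore on the new instance straight from the backup object produced above.
    $backup | Restore-DbaDatabase -SqlInstance $Destination -DatabaseName $Database -WithReplace -EnableException | Out-Null

    # "Verify mappings and vuemUser": re-map orphaned users, then report anything still unmapped.
    Repair-DbaDbOrphanUser -SqlInstance $Destination -Database $Database | Out-Null
    $orphans = @(Get-DbaDbOrphanUser -SqlInstance $Destination -Database $Database)

    [pscustomobject]@{
        Database      = $Database
        BackupFile    = $backup.BackupPath      # from the dbatools backup-history object
        RestoredOn    = $Destination
        OrphanedUsers = $orphans.Count
        ReadyForStep4 = ($orphans.Count -eq 0)  # then repoint Infrastructure Service Configuration at $Destination
    }
}

Test-WemPorts -InfraServer $Infra -SqlServer $NewSql -LicenseServer $License | Format-Table -AutoSize
Move-WemDatabase -Source $OldSql -Destination $NewSql -Database $WemDb -BackupPath $Share
```

Run the port check from the infrastructure server itself so the 1433/27000/7279 rows test the path the service will actually use.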
  3. by Amir Trujillo, Product Engineer Specialist, Citrix

Time flies, and during the last year Citrix has released multiple new features for on-prem environments based on customer feedback and on how technology is evolving, using advanced features such as automation, zero trust secure access, a new user experience and homogeneous administration. As a supplement to the material presented at our CUGC XL Great Plains on Oct 4 in Omaha, NE, in this blog post I'm going to summarize why Citrix on-prem is new and cool. Let's focus on three main pillars of this on-prem release: enhanced user experience, Citrix administration and security.

Pillar 1: USER EXPERIENCE

Everybody knows that time is money or can save lives, and being on the phone trying to resolve easy issues can take hours. As a result, Citrix ITSM service + ServiceNow has many benefits for end users, including:

  - Reducing problem resolution and resource procurement from 30-45 minutes to less than 5 minutes by utilizing the self-service / virtual agent.
  - Requesting access to desktops and applications (automatic approval), VM power management, profile reset and troubleshooting.
  - Cost optimization. Success stories show that customers can save thousands of dollars through correct resource planning based on the data generated by the ServiceNow and Citrix statistics feature.
  - Quick access to the knowledge base.

The above video shows how Session Reset works from the end-user perspective, using Citrix ITSM + ServiceNow and the virtual agent. In addition, here is the architecture diagram for your reference, which summarizes the integration in three easy steps:

  1. Install the ITSM connector on your ServiceNow instance. You can download it from the ServiceNow store.
  2. Create a Citrix Cloud account and install the Cloud Connector software on a dedicated Windows server. This is going to be the agent that makes the connection between your on-prem environment and the Citrix ITSM service (site aggregation).
  3. Connect your ServiceNow instance to the ITSM service.

You can also find great resources in Citrix documentation and podcasts, and don't forget to watch where we discussed ITSM administration, configuration and user experience.

Pillar 2: CITRIX ADMINISTRATION

The new Web Studio console comes with new features for your on-prem environment that were previously only available for Citrix Cloud (DaaS). With that, we bring all the technology to CVAD too. I'm going to show you two of the new advanced cool features: Backup and Restore, and Autoscale.

Backup and Restore

With this feature you can back up and restore the current state of your on-prem Citrix site. Think of this as a snapshot that creates configuration files (.yaml files) that you can manually edit and use either to restore your site or to make changes to it. This feature is based on the Automated Configuration Tool, a PowerShell SDK installed in your environment that connects to your site and runs the backup and restore. The flexibility of this tool allows you to restore granular components by specifying a single app, delivery group, machine catalog and so forth. The step-by-step configuration guide is available in Citrix Tech Zone.

Autoscale

This power management feature has historically been used for cost management in hybrid environments, whether all your workload is in your own datacenter or hybrid with a cloud provider. Autoscale allows you to create policies to schedule VM power management based on date or user load, including peak hours during a special event. In addition, it evaluates the session state and lets you determine actions based on disconnection and logoff times, triggering the VMs to be either suspended or powered off. In summary, you have the following options with Autoscale for on-prem:

  - Schedule-based and load-based settings for power management
  - Dynamic session timeouts
  - Autoscale tagged machines
  - User logoff notifications

The above video explains how Autoscale works, and you can get more detail on the configuration by referring to the Citrix documentation.

Pillar 3: SECURITY

Great news: Secure Private Access (SPA) for on-prem environments is now GA! Secure Private Access is part of the ZTNA (Zero Trust Network Access) solution that uses your existing NetScaler and StoreFront integration to provide access to web and SaaS applications with enhanced security policies through Workspace app and the use of Citrix Enterprise Browser as a centrally managed browser. In addition, the Secure Private Access solution for on-premises provides the following benefits:

  - No changes required to the existing architecture or deployments to use this solution.
  - Enables single sign-on to the apps and reduces the dependency on traditional VPNs.
  - Enables contextual security controls based on the context (user group, device, network location).

In the following video, you can watch three use cases and the user experience of SPA on-prem.

How do you configure SPA in your on-prem environment? We can summarize the deployment in four steps:

  1. Publish the apps.
  2. Publish the policies for the apps.
  3. Enable routing of traffic through NetScaler Gateway.
  4. Configure authorization policies.

For a step-by-step configuration guide, please refer to the documentation.

As you can see, on-prem has a lot of new features that allow you to maximize the administration of your environment with all the advanced technology in the new Web Studio console, provide an enhanced and secure user experience through Secure Private Access (SPA), and reduce cost and wait times with the use of AI through the Citrix ITSM service + ServiceNow integration. Stay tuned for more information about new features, and don't forget to register for the next CUGC events!
  4. by Ray Davis, CTA & Jacksonville CUGC Leader In this quick post, I will go over how to successfully migrate native group policy objects (GPOs) and inject them into Citrix Workspace Environment Manager (WEM). Many organizations rely heavily on GPO in their current Citrix VDA space. Some often wonder how to put them all in WEM or if it’s a good idea or not. I say it depends on the use case. WEM, hands down, will take the login experience and dramatically reduce the login times by simply moving the GPP aspects into WEM. On the computer side of the GPO, I am not 100% sure if the juice is worth the squeeze. Computer GPO applies at machine startup, and it is speedy. But a good use case is where the Citrix Admin doesn’t have rights to GPO to manage them. This will enable them to control these aspects from a Citrix Administrative side by using WEM to apply all GPO from this product. I was working with a client to migrate all the current GPOs they had applied the native way. Then, migrate them to WEM. When I speak of the word migrate, I am referring to backing up the GPOs, importing/migrating them into Citrix WEM, and applying them to a subset of VDAs for testing. This ensures that the current production setup is not impacted if something does not apply correctly in the use case here. If you need more information, I encourage you to read James Kindon's “Migrating GPO settings to WEM” blog. Migrating GPO settings to WEM | James Kindon (jkindon.com). In this blog, he goes over more examples for different use cases. (See also WEM Advanced Guidance - 2023, recently updated by James Kindon.) Let's get started migrating GPOs to Citrix WEM:The first thing is to back up a GPO and store it in a location you can import into WEM.The example below shows me backing up my AV exclusions.The GPO must be a ZIP format for WEM to process it.In these examples, I am using the WEM service. 
But the process is the same for those who have Citrix WEM on-premises.Go to DaaS and use either the Web WEM console or Legacy WEM console.WEBSelect your desired configuration set.Click on “Group Policy Settings”Click ImportBrowse to the backup of where you store the GPO after it was backed up.Import the Zip fileBelow shows the import of the GPO from Microsoft GPO into WEM.If you are using the Legacy WEM console, here are some screenshots of the same process.I already have this GPO; I will select and overwrite in this case. This example shows you how to do it via the legacy console. Then click Start Import,To see the settings, edit the imported file.Legacy Console It takes the GPO and imports all the Registry settings that contain what the GPO is made up of, such as all the registry settings.To see the settings, edit the imported file.WEB ConsoleAssigning the action.WEB ConsoleIn this example, I chose everyone, which applies to users and computers. In most production cases, you can do groups or conditions.**NOTE**“You can assign the GPO to different AD groups, just like you assign other actions. If you assign GPOs to an individual user directly, the settings do not take effect. A group can contain users and machines. Machine-level settings take effect if the related machine belongs to the group. User-level settings take effect if the current user belongs to the group.” Reference for the Legacy Console, for comparison in showing if you do it via the Web console. It will show like this in the Legacy console.The Priority is how it is applied.https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/actions/group-policy-settings.html#contextualize-group-policy-settings“Type an integer to specify a priority. The greater the value, the higher the priority. Settings with higher priority are processed later.”Assigned the action.Legacy ConsoleIn this example, I chose everyone, which applies to users and computers. 
In most production cases, you can do groups or conditions. **NOTE** “You can assign the GPO to different AD groups, just like you assign other actions. If you assign GPOs to an individual user directly, the settings do not take effect. A group can contain users and machines. Machine-level settings take effect if the related machine belongs to the group. User-level settings take effect if the current user belongs to the group.” Reference for the WEB Console, for comparison in showing if you do it via the legacy console. It will show like this in the WEB console.Let’s reboot a VDA and see the results.I logged in before, as I have this applied already, But I updated it with the new WEM AV exclusion they released in May 2023. The registry will update the list to reflect what I am missing.Last cache syncRebooting now.GPO were successfully updated.Before the antimalware was around 47%-50% of CPU.Event LogsI can see the GPO proceed, but I am unsure how to show what GPO applied from logs yet. This could be me not knowing where it logs it yet. Perhaps it does, and I am missing it. So, the only thing I can see is that the computer GPO components are processed. (More to this on line 34).After researching this, I had Sharp Gou reach out and explain to me where these logs are located. View log files | Workspace Environment Management 2303 (citrix.com) “Citrix WEM Agent Host Service Debug.log. The log that lets you troubleshoot issues with the Citrix WEM Agent Host Service. By default, this log file is located in %PROGRAMFILES(X86)%\Citrix\Workspace Environment Management Agent. To enable logging, be sure to enable Debug Mode for the relevant configuration set on the Administration Console > Advanced Settings > Configuration > Service Options tab. You now will see the GPO processing in that log file. Thank you, Sharp Gou. 
In this log, you will see the GPO applied and processed.
We can verify in the Windows Defender section (Windows) as well for the GPOs.

What happens if I need to remove it?
Go back to the area and unassign it.
Reference for the Legacy Console, for comparison with doing it via the Web console. It will show like this in the Legacy console:
Reboot the VDA again. According to Citrix, if you restart the WEM Agent Host, it will take effect immediately. (Machine-level GPO)
User level
Before:
After: it's empty now.
I will reboot anyway, to show you how vital AV exclusions are.
CPU % with the Antimalware process.
Processing is slower as well.

Add the GPO back in WEM
The WEM agent processed exceptionally quickly in my testing.

Other questions I get at times: what is the purpose of Migrating vs. Importing?
a. The Migrate button in the legacy console below allows you to convert user GPPs into a readable XML file that WEM can use in user actions, whereas Import takes the whole GPO and imports it in. From what I found, where you have GPP policies, the Migrate option does the trick. In cases where you have standard GPO settings, Import will bring over the settings that make up the ADMX.
Example: I have a GPP applying some mapped drives with item-level targeting on myself.
Loopback is set to Replace since I am applying a user policy to the Citrix VDA.
d. Added more to show you the value of a quick summary of how GPP/loopback can potentially slow logins down. This is not a lousy login, but it’s just a tiny example.
e. By adding a couple of drives, it added 1.4-1.6 seconds. Sure, that is not bad. But that is 1.4-1.6 seconds more than I had before. Another reason why WEM is the go-to here, IMHO.
I will back up the GPO as I did above.
I will unlink the Mapped Drive GPO before importing it for testing.
Now, I will migrate the GPP to an XML format for WEM to understand.
I kept getting the error, and I did not understand why.
After messing around for a bit, I discovered that when I created a custom folder for the GUID and zipped it, it was not too fond of that. So, when I backed up the GPO, I only kept the GUID name instead.
Now click on Restore.
You will see the file you named when you converted it from the GPO backup. Also, you will see the Network Drive icon light up, ready for it to be selected.
Now, you will see the Network Drive in the actions for the user side. Assign it to the user of your choice. Everyone in my example.
I needed to go into “Advanced Settings > Main Configuration” and check “Process Virtual Drives.”
I am going to reboot the VDA now. Remember: the GPO was unlinked, the GPO was backed up and converted to the WEM XML format, the WEM XML was restored into Actions, and lastly it was assigned to a user (Everyone in this case).
To verify WEM is doing it.
Another way is to put in a description of the actions.
You can let WEM update on its own or refresh the cache.
As you can see below, the drives that I had in the native GPMC are now applying via WEM.

I hope you found this helpful in your journey if you are considering this technology. Citrix WEM is an excellent product and keeps improving as time goes on. Thank you, Citrix, for the great tool 😊
Another option, before WEM could do this, was to use a tool made by Arjan Mensch. It allowed you to convert the GPPs via PowerShell. I still use this today, and it’s another excellent tool to save as an ace in your back pocket. Powershell Module for Citrix WEM – Part 1 – Application actions | msfreaks (wordpress.com)

References
Group Policy Settings | Workspace Environment Management 2308 (citrix.com)
Workspace Environment Management service (citrix.com)
Agent system settings around GPO: Agent | Workspace Environment Management 2308 (citrix.com)
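The GPO backup and zip layout discussed above (the backup folder keeping its GUID name, with no custom parent folder) can be produced from PowerShell instead of GPMC. This is an added example, not code from the post or from Citrix; the GPO display name, the backup root and the marker path are assumptions.

```powershell
# Added example (not from the original post): back up one GPO and zip it so the
# archive root is the {GUID} backup folder, the layout the post found WEM accepted.
# Assumptions: $GpoName is the GPP GPO from the post, $BackupRoot is a local path.
Import-Module GroupPolicy

$GpoName    = 'Mapped Drives - Citrix VDA'   # assumption: name of the GPP GPO
$BackupRoot = 'C:\GPOBackup'                 # assumption: where backups are kept

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Backup-GPO writes a folder named {<backup id>} directly under $BackupRoot
$backup     = Backup-GPO -Name $GpoName -Path $BackupRoot -Comment "For WEM import $(Get-Date -Format s)"
$guidName   = '{' + $backup.Id.ToString() + '}'
$guidFolder = Join-Path $BackupRoot $guidName

if (-not (Test-Path $guidFolder)) { throw "Backup folder not found: $guidFolder" }

# Zip the {GUID} folder itself (not a renamed parent), so the archive root is {GUID}
$safeName = ($backup.DisplayName -replace '[^\w\-]', '_')
$zipPath  = Join-Path $BackupRoot "$safeName.zip"
Compress-Archive -Path $guidFolder -DestinationPath $zipPath -Force

# Verify the layout before handing the zip to the WEM console: every entry must
# sit under the {GUID} folder. Entry separators are normalised, since Windows
# PowerShell 5.1 writes backslashes into zip entry names.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
try {
    $bad = $zip.Entries | Where-Object {
        -not (($_.FullName -replace '\\', '/')).StartsWith("$guidName/", [StringComparison]::OrdinalIgnoreCase)
    }
    if ($bad) { throw "Unexpected entries at archive root: $(($bad | ForEach-Object FullName) -join ', ')" }
}
finally { $zip.Dispose() }

Write-Host "GPO '$GpoName' backed up to $guidFolder and zipped to $zipPath"
```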
5. by Uddave Jajoo, CTA & Indianapolis CUGC Leader

In 2021, I was asked to migrate the vGPU-enabled VMs from one platform to another as our customer was migrating from VMware Horizon to Citrix XenDesktops. I did not have enough knowledge about NVIDIA and how GPU processing works in highly intensive graphics processing applications. I took help from community members and support teams (both Citrix and NVIDIA) and deployed the solution to provision NVIDIA vGPU-enabled Citrix VDIs on vSphere. This blog post was created 2 years ago but was not published at that time. However, I am happy to publish it now to the community so that others could also benefit from it. (See also: Configuring NVIDIA vGPU VMs in Azure with Citrix DaaS.)

Below are the overall configuration steps covering deployment of all the major infrastructure and other components:
NVIDIA vGPU License Server Deployment
Pre-Requisites: Open JDK installation
NVIDIA License Server Installation
Access License Server Management Interface
Creating license server on NVIDIA portal
Creating VDI Master Image (NVIDIA Driver Installation and vGPU profile)
VDA installation and Machine Catalog creation
Configuring Virtual Machine to enable vGPU profiles

NVIDIA vGPU License Server Deployment: Open JDK JRE Prerequisite
Install OpenJDK JRE on the server as a prerequisite component before installing the vGPU License Server component.
Download java-1.8.0-openjdk-1.8.0.252-2.b09.ojdkbuild.windows.x86_64.msi.
Run the MSI installer and proceed with the installation wizard.
Click Next.
Click Next and Install.
Monitor the installation and click Finish.
Configure the system environment variable on the server pointing to the JDK location.
Edit the System Environment Variables.
Add the location of the bin folder of the JDK installation to the PATH variable in System Variables.
The following is a typical value for the PATH variable: C:\WINDOWS\system32;C:\WINDOWS;"C:\Program Files\Java\jdk-11\bin"
Set JAVA_HOME: Under System Variables, click New.
Enter the variable name as JAVA_HOME. Enter the variable value as the installation path of the JDK (without the bin sub-folder). Click OK.
Configure the PATH environment variable to enable running Java from a command prompt:
Select the System variable “Path”.
Click Edit.
Click New.
Type “%JAVA_HOME%\bin”.
Click OK, and OK again to apply the changes.
Verification: change to the Java directory and type java.exe -version

NVIDIA Legacy License Server Installation
The Legacy License Server is set to EOL by July 2023; hence NVIDIA offers two different methods for provisioning a license server: On-Premises (DLS) and Cloud (CLS). In this blog, I am going to cover how to set up a CLS-based license server. The steps are very simple and described properly in the NVIDIA documentation as well. License System User Guide - NVIDIA Docs – Converting Legacy NVIDIA vGPU Software License Servers to NLS License Servers
Right-click the setup file and select Run as administrator to proceed with configuration of the license server.
Open an administrative command prompt, navigate to the setup folder and launch setup.exe.
When prompted to allow the file to launch, select Allow this file and click OK.
Wait for the setup file to launch and navigate through the wizard.
Click Next in the Introduction tab.
Click Next for the EULA.
Click Next to accept the Apache License.
Leave the location as default and proceed with the installation; click Next.
In the Choose Firewall Options dialog box, select the ports to be opened in the firewall. To enable remote clients to access licenses from the server and prevent remote access to the management interface, use the default setting, which sets ports as follows:
‣ Port 7070 is open to enable remote clients to access licenses from the server.
‣ Port 8080 is closed to ensure that the management interface is available only through a web browser running locally on the license server host.
Click Install and proceed with the installation process.
Wait for the License Server installation script to execute.
Click Done once the installation is complete.

Access License Server Management Interface
In a web browser, visit the home page for the license server management interface: http://localhost:8080/licserver
If administrative security is enabled for the license server, log in to the license server. In the license server management interface, select Login.
In the Login page that is displayed, enter your user name and password for logging in to the license server and click Authorize.
The default credentials for the license server administrator account are as follows:
‣ admin Admin@123
Record the license server’s MAC address by launching the license server management console and navigating to Configuration.
MAC Address – 00-XX-XX-XX-XX-XX-00
Note: change the MAC address binding at the vCenter level.
Add an environment variable on the license server as below; this is needed to ensure the nvidialsadmin utility commands run properly.
Variable Name: FLEXNETLS_BASEURL
Variable Value: http://localhost:7070/api/1.0/instances/~
Reboot the server.

Enable Administrative Security for the License Server
Perform this task in a command shell on the license server host. Set the property security.enabled to true.
nvidialsadmin -config -set security.enabled=true
Updated the property:security.enabled with value:true successfully

Authenticating with the License Server
To provide your password in the command, specify the credentials as follows:
nvidialsadmin -authorize username password
In any subsequent nvidialsadmin command, users must provide the required credentials for authenticating with the license server.
Run a status check on the license server:
nvidialsadmin -authorize admin Admin@123 -status

Creating a License Server on the NVIDIA Portal
Log in to the NVIDIA Dashboard to register the license server on the portal: https://nvid.nvidia.com/dashboard/#/dashboard
Log in with the organization user credentials and create the License Server.
On the NVIDIA Licensing Portal dashboard, click CREATE LICENSE SERVER.
If you are adding a license server to an organization or virtual group for which a license server has already been created, click CREATE SERVER.
Enter the details as below:
Server Name: TestNVIDIA
Description: License Server for NVIDIA vGPU
MAC Address: 00-XX-XX-XX-XX-XX-00
Select product – Virtual PC 2.0 - 10 Licenses
Click Add.
Click Create License Server.
Verify the license server details along with the available licenses displayed in the portal.
Download the License File.
Log in to the license server and upload the license file to the server.
Navigate to Licensed Feature Usage.
Verify the details for the license added to the console.
Creating VDI Master Image (NVIDIA Driver Installation and vGPU profile)
For vGPU card installation on vSphere or another hypervisor, please refer to the links:
https://blogs.vmware.com/apps/2018/09/using-gpus-with-virtual-machines-on-vsphere-part-3-installing-the-nvidia-grid-technology.html
https://virtualizationreview.com/articles/2015/05/29/how-to-install-an-nvidia-vgpu-in-esxi-hosts.aspx
Create a new VM and install the NVIDIA driver and VDA agent.
In our case the virtual machine was cloned from an existing Win10 master image.
Uninstall the VDA from the image.
Shut down the machine.
Navigate to VMware vCenter and locate the virtual machine.
Click on Edit Settings and add a Shared PCI Device. Click Add, select the vGPU profile and click Reserve all memory.
The new Shared PCI device with the vGPU profile will show as configured.
Select OK to complete the configuration.
Power on the virtual machine and monitor it through the remote console.
Log in as administrator.
Open Device Manager; it will show Microsoft Basic Display Adapter with an exclamation mark, which is normal.
Caution: the NVIDIA vGPU vSphere VIB version and the NVIDIA driver for Windows version need to match.
Locate the media for the NVIDIA driver and copy it to the local C drive.
Right-click on the NVIDIA driver setup file and run as administrator.
Select Yes to allow the UAC prompt.
Leave the extraction path as default and click OK.
In the installation wizard, select Agree and Continue and proceed.
Under installation options select Custom (advanced); it lets you select the components to install as needed.
Click Next. The next window will display the list of components which will be installed on the image.
Select the check box Perform a Clean Installation and select Next.
Wait for the installation to complete and monitor the progress.
Select Restart Now on successful installation of the NVIDIA driver. After restarting, the mouse cursor may not track properly using VNC or the vSphere console. If so, use Remote Desktop.
RDP to the virtual machine and verify the Device Manager configuration.
Upon login to the machine you may receive a prompt that an NVIDIA license is not present. Ignore the alert for now.
To validate the successful installation of the graphics drivers as well as the vGPU device, open Windows Device Manager and expand the Display Adapters section.
It will show the NVIDIA GRID M60-8Q adapter.
New device: NVIDIA GRID V100D-8Q. It will show up like this in the display adapters.
New Device
Shut down the virtual machine and remove the Shared PCI device added on the master image.
Right-click the machine, Edit Settings.
Click on the x mark against the Shared PCI device.
It will show that the device will be removed; click OK.
The Recent Tasks pane will display the status of completion once the device is removed. A XenDesktop machine catalog can be safely configured now.

VDA installation and Machine Catalog creation
RDP to the virtual machine and copy the media to C:\Support.
Run the AutoSelect.exe file.
It will detect the VDA to be installed on a Single-session OS by default.
Select the option for VDA in Single-session OS and click Next.
In the next screen select Create a master MCS image, click Next.
VDA will be selected by default, click Next.
In the components screen, select the options Citrix Supportability Tools, Citrix User Profile Manager and Citrix User Profile Manager WMI Plugin. Click Next.
In the Controllers tab, select Configure later and click Next.
In the Features tab, select the options Optimize Performance, Use Windows Remote Assistance, Enable Real-Time Audio Transport for audio and MCS I/O; click Next.
In the Firewall tab, leave the default and click Next.
In the Summary tab, review the selected configuration and proceed with Install.
Click Install.
Uncheck the box and click Next.
Click Finish and Restart the machine; it will reboot.
Log in to the machine again to resume the VDA installation process.
RDP to the machine and run Citrix Optimizer against the respective Windows OS version template.
Shut down the master image and take a snapshot of the virtual machine.
Log in to Citrix Studio and create a machine catalog using the snapshot taken in the above step.
Navigate to the Machine Catalog tab and select Create Machine Catalog; in the wizard select Next.
In the next screen select Single-session OS and click Next.
Select the options as highlighted and click Next.
Check the option for machines that are power managed. Check Citrix MCS and select the resources corresponding to the cluster (ESXi GRID server, where the vGPU cards and driver were configured) and click Next.
Select the options as highlighted and click Next.
In the Master Image, select the snapshot created for the master image. Ex – NVIDATESTVM_SNAP
Select the minimum functional level for this catalog as 2206 or newer.
In the Network Cards tab, keep the VLAN selected and change if needed.
In the Virtual Machines page, select the number of virtual machines and allocate the memory: 2 machines with 32 GB RAM.
Create the Active Directory machine accounts for the desktops.
Name the Machine Catalog with a description: TEST-MC-NVIDA-vGPU-Pool
Monitor the catalog creation process in Studio and vCenter.

Configuring Virtual Machine to enable vGPU profiles
Assign vGPU profiles as per the requirement:
Assign a B-series profile to the provisioned desktops for allocating Virtual PC.
Assign an A-series profile to the provisioned desktops for allocating Virtual Apps.

Reference:
License System User Guide - NVIDIA Docs – Converting Legacy NVIDIA vGPU Software License Servers to NLS License Servers
https://blogs.vmware.com/apps/2018/09/using-gpus-with-virtual-machines-on-vsphere-part-3-installing-the-nvidia-grid-technology.html
https://virtualizationreview.com/articles/2015/05/29/how-to-install-an-nvidia-vgpu-in-esxi-hosts.aspx
License System User Guide - NVIDIA Docs
Legacy License server is set to EOL by July 2023
6. by Uddave Jajoo, CTA & Indianapolis CUGC Leader

Recently, I started working on a project for one of our customers performing research work in healthcare on molecule studies, who needed to run CUDA-based applications using high graphics processing, utilizing NVIDIA vGPU Tesla V100 cards. I had already worked on a similar requirement previously in an on-prem datacenter. However, this time the requirement was to configure that in Azure with Citrix DaaS. Hence, I decided to implement the solution in Azure using an Azure native VM family size supporting NVIDIA vGPU-enabled cards. Azure already offers the N-series VM family sizes supporting vGPU cards; there are several offerings depending on the graphics card OEM.

Before we deep dive into the setup and configuration for the NVIDIA vGPU-enabled workloads in Azure, let's talk about accelerated computing:
"Accelerated computing is the use of specialized hardware to dramatically speed up work, often with parallel processing that bundles frequently occurring tasks. It offloads demanding work that can bog down CPUs, processors that typically execute tasks in serial fashion. Born in the PC, accelerated computing came of age in supercomputers. It lives today in your smartphone and every cloud service. And now companies of every stripe are adopting it to transform their businesses with data. Accelerated computers blend CPUs and other kinds of processors together as equals in an architecture sometimes called heterogeneous computing." –Rick Merritt, What is Accelerated Computing, NVIDIA blogs.
Let's walk through the below configuration steps on how to deploy and configure the VDAs to utilize vGPU-enabled VMs in Azure:
Requirements
Configuring Cloud License Server
Install Driver on Master Image in Azure
Provision Catalog and Create VDIs
Configure Licensing on Client VDIs

Requirements
Identify the VM Family Size supporting NVIDIA vGPU Tesla cards - NCv3 Series
Identify the supported driver version - NVIDIA supported Tesla Drivers
Windows 10 Client OS 22H2
Citrix VDA Agent 2305
New Cloud License Server appliance
Firewall requirements to enable communication with the Cloud License Server

Configuring Cloud License Server
The Legacy License Server is set to EOL by July 2023. Hence, NVIDIA offers two different methods for provisioning a license server: On-Premises (DLS) and Cloud (CLS). In this blog, I am going to cover how to set up a CLS-based license server. The steps are very simple and described properly in the NVIDIA documentation as well.
1. Log in to the NVIDIA Licensing Portal to create the new CLS-based license server.
2. In the Dashboard, click on License Servers and select Create Server.
3. In the next screen, provide details for the license server creation.
4. In Step 1, enter the details as below: Name - AZNVIDIACLS; Description - This is a cloud license Server
5. In Step 2 Features, select the available features based on the purchase of licenses.
6. Select NVIDIA Virtual PC and NVIDIA Virtual Applications and enter the number of licenses that need to be added. Example: I have just added 1 license for each.
7. In Step 3 Environment, select the option CLOUD (CLS).
8. Select Express Installation.
9. In Step 4 Configuration, select Standard configuration, which will configure all the default settings for the Cloud License Server.
10. Review the summary and click Create Server.
11. Wait for the Cloud License Server to be created in the console and verify the required license configuration exists.
12. Verify the license server is created successfully.
13. Click on Actions and select Generate Client Config Token.
14. Navigate to Settings to modify the Lease Duration settings if needed. By default the lease time is 24 hours, and upon expiration of the lease time the client will acquire another license from the Cloud License Server instance. It's an automatic process that handles the licensing by communicating with the URL over port 443.
api.cls.licensing.nvidia.com - Licensing operations, namely the borrowing, renewal, and return of a license; licensed client authentication
api.licensing.nvidia.com - License return from a Windows licensed client that has not been shut down cleanly

Install Driver on Master Image in Azure
For the image to be created in Azure, first you need to finalize the VM Family size to go with it. This depends on multiple factors like the supported driver version, supported vGPU cards, and acquired licenses for vGPU cards. In my scenario, the customer had already purchased the license for NVIDIA Tesla V100 vGPU cards, and in Azure NCv3 is the VM Family size that offers the Tesla V100 vGPU card. The NCv3-series is focused on high-performance computing and AI workloads featuring NVIDIA’s Tesla V100 GPU.
Important Note: Please identify the discount with your MS account rep before selecting any specific VM Family size; always prefer to go with Reserved Instances + Savings Plan to save cost by 80% from normal Pay-as-you-go pricing.
1. Create a new native Azure VM by selecting NC6s_v3 as the VM Family Size in the Azure portal. Why do we need to create a new VM in Azure? So that you can bind the catalog to the respective VM family size and select the required machine profile pointing to the master image.
2. Log in to the Azure image using the local administrator account.
3. Log in to the Licensing portal and download the latest vGPU package including the guest drivers.
4. I preferred to go with the latest version - 16.1, released on Aug 29, 2023.
Note: You could also install the driver using Azure VM Extensions, but there seems to be an issue with how the binaries are pushed from Azure; some folder structure within C:\Program Files\NVIDIA Corporation\ seems to be missing after installation of the drivers.
5. After downloading the binaries from the portal, copy the zip folder to C:\Support.
6. Right-click on the exe file and select Run As Administrator.
7. Let the binaries extract to the local folder as displayed.
8. In the System Check window make sure there are no compatibility errors. If there are, restart the VM and proceed with the installation again.
9. Under License Agreement, select Agree and Continue to proceed with the installation.
10. Under Installation Options, select Custom (Advanced) to proceed with a clean install of the drivers on the operating system. Click Next.
11. In the custom installation options, check the box Perform a clean installation. Click Next.
12. Monitor the installation process and wait for the drivers to install successfully.
13. Once the installation has finished and the status shows installed, click Close.
14. After driver installation, create the below registry value at this location in the master image:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\GridLicensing
Create FeatureType (DWORD), set value 2
Reference: Client Licensing User Guide :: NVIDIA Virtual GPU Software Documentation
Note: Do not download and copy the client configuration token file onto the master image, to avoid license consumption.
Physical GPUs only: Add the FeatureType DWord (REG_DWORD) registry value to the Windows registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\GridLicensing.
Note: If you're licensing an NVIDIA vGPU, the FeatureType DWord (REG_DWORD) registry value is not required. NVIDIA vGPU software automatically selects the correct type of license based on the vGPU type.
If you are upgrading an existing driver, this value is already set. You can also perform this step from NVIDIA Control Panel. Set this value to the feature type of a GPU in pass-through mode or a bare-metal deployment:
0: NVIDIA Virtual Applications
2: NVIDIA RTX Virtual Workstation

Limitation of Azure VM Extension
Please do not utilize the Azure VM Extension for the driver install on the native master image in Azure, as this does not properly configure the drivers and misses some configuration folders in the system drive with respect to NVIDIA Corporation. I have already submitted a case with NVIDIA and provided feedback to Microsoft as well to adjust the binaries on the Azure backend, so that with the VM extension feature the proper version of the drivers could be installed directly on the client VDIs. This would avoid the hassle for admins of installing the drivers directly on the image. However, my preferred way would be to install the drivers locally on the image, so all the subsequently provisioned VDIs get the latest version installed.
Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/hpccompute-gpu-windows

Provision Catalog and Create VDIs
Follow the process below to provision the catalog and VDIs:
1. Shut down the master image in Azure.
2. Log in to the Azure portal to create a snapshot from the native Azure image.
3. Log in to the Citrix DaaS console and navigate to Machine Catalogs.
4. Create a machine catalog by pointing to the respective snapshot and machine profile for the Azure image.
5. Follow through the catalog creation process, review the summary and monitor the VDI deployments.

Configure Licensing on Client VDIs
In this section, I walk through how to configure the license on the client VDIs to communicate successfully with the CLS (Cloud License Server). Ensure communication out to the internet is allowed over 443.
Step 1 - Add the registry key for FeatureType on the client VDIs.
Open PowerShell as administrator and run the following command:
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\nvlddmkm\Global\GridLicensing" -type DWORD -Name FeatureType -value "2"
Step 2 - Download the configuration token file from the NVIDIA Licensing Portal and copy it to the default location: %SystemDrive%:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken folder
Step 3 - Restart the NvDisplayContainer service.
Step 4 - On the client machine you will notice a notification stating Acquiring NVIDIA License RTX Virtual Workstation (depending on the OS), immediately followed by the notification NVIDIA License acquired.
All of the above Steps 1 - 3 could be easily scripted and triggered remotely on the newly provisioned VDIs, either by running Script Based Action triggers using ControlUp or Scripted Tasks using WEM.
Note: Log location for NVIDIA licensing; this could help in troubleshooting issues related to the license acquiring process: C:\Users\Public\Documents\NvidiaLogging
From the Start menu open NVIDIA Control Panel and select Manage License under Licensing; it will display the licensing status.

References:
License System User Guide - NVIDIA Docs
Azure VM sizes - GPU - Azure Virtual Machines | Microsoft Learn
NCv3-series - Azure Virtual Machines | Microsoft Learn
NVIDIA Virtual GPU Software License Server End of Life Notice (August 31, 2022) :: NVIDIA Virtual GPU Software News and Updates
Client Licensing User Guide :: NVIDIA Virtual GPU Software Documentation
NVIDIA GPU Driver Extension - Azure Windows VMs - Azure Virtual Machines | Microsoft Learn
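Steps 1 to 3 of the Configure Licensing on Client VDIs section above, as one script that can be pushed to a freshly provisioned VDI (for example as a WEM scripted task), with the outbound 443 check the section calls for and the post's warning about never placing the token on the master image. This is an added example, not code from the post or from NVIDIA; the token share path, the master-image marker file and the service lookup fallback are assumptions.

```powershell
# Added example (not from the original post): scripts Steps 1-3 of the
# "Configure Licensing on Client VDIs" section for a newly provisioned VDI.
# Assumptions (not from the post): $TokenSource is a share holding the client
# configuration token; C:\Support\MASTER_IMAGE is a marker file present only on
# the golden image; the service is looked up by the name the post gives, with
# a fallback on the NVIDIA display-name prefix.
#Requires -RunAsAdministrator

$TokenSource  = '\\fileserver\nvidia\client_configuration_token.tok'   # assumption
$TokenDir     = Join-Path $env:ProgramFiles 'NVIDIA Corporation\vGPU Licensing\ClientConfigToken'
$RegPath      = 'HKLM:\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\GridLicensing'
$ServiceName  = 'NvDisplayContainer'     # service name as written in the post
$ClsEndpoints = 'api.cls.licensing.nvidia.com', 'api.licensing.nvidia.com'

# 0. Confirm the egress path the section requires: TCP 443 to both NVIDIA endpoints.
foreach ($h in $ClsEndpoints) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { throw "TCP 443 to $h is blocked; fix egress before licensing" }
}

# Guard from the post: the token must never land on the master image, or it consumes a license.
if (Test-Path 'C:\Support\MASTER_IMAGE') {   # assumption: marker file on the golden image
    throw 'Master image detected; the token is only placed on provisioned VDIs'
}

# 1. FeatureType = 2 (NVIDIA RTX Virtual Workstation) under the GridLicensing key.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name 'FeatureType' -PropertyType DWord -Value 2 -Force | Out-Null

# 2. Copy the client configuration token into the default ClientConfigToken folder.
if (-not (Test-Path $TokenDir)) { New-Item -ItemType Directory -Path $TokenDir -Force | Out-Null }
Copy-Item -Path $TokenSource -Destination $TokenDir -Force

# 3. Restart the NVIDIA display container service so the driver reads the token.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $svc = Get-Service -DisplayName 'NVIDIA Display Container*' -ErrorAction SilentlyContinue |
           Select-Object -First 1
}
if (-not $svc) { throw 'NVIDIA display container service not found; check Get-Service output' }
Restart-Service -InputObject $svc -Force

# 4. The post's confirmation is the tray notification; when it does not appear, the
#    licensing log folder it names is the place to look. Show the tail of the newest log.
$logDir = 'C:\Users\Public\Documents\NvidiaLogging'
if (Test-Path $logDir) {
    Get-ChildItem -Path $logDir -File | Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
        ForEach-Object { Write-Host "Latest licensing log: $($_.FullName)"; Get-Content $_.FullName -Tail 20 }
}
```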
7. by Ray Davis, CTA, Jacksonville CUGC Leader

I have written blogs about how to run Zoom and how to optimize Teams in a Citrix environment. This blog will highlight the necessary components that are needed to run Webex within Citrix Virtual Desktops environments. Many organizations run Webex and at times, if not set up correctly, your users will notice issues with screen sharing, voice jitter and even Webex trying to auto-update itself in a non-persistent environment. We all understand that there are many optimizations at times that go into any VDI solution that aren't just Citrix related. It could be AVD, Horizon, Citrix, Frame and good old RDSH/TS. I wanted to ensure that the audience understands it’s not a Citrix-related requirement, but how VDI works inside the hardware layer. I have been writing this quick guide for some time now and using it for clients. I wanted to share it out with the community to help close the gaps. Webex releases updates every two months. At the time of writing this, I was using 42.12 and I noticed they are on 43.4 now. This is a high-level blog that will help you in your direction of installing Webex in a Citrix VDI environment.

In-Depth Level
There needs to be a Webex VDI installer on the Citrix VDI (VDA) machines. The installer requires the VDI parameters I have listed below. It tells the Citrix VDI devices that it's a VDI install. A Webex App VDI plugin and a Webex Meetings VDI plugin will also need to be installed on local clients such as laptops, desktops, etc. The Webex VDI plugin and Webex Meetings VDI plugin will talk to the VDI backend with the VDI installer and optimize the call quality through the Citrix ICA virtual channels. Webex App VDI fallback mode offers short-term support for basic audio and video calls when VDI can't establish the virtual channel. By default, Webex App on the HVD checks for version compatibility with the Webex VDI plugin on the thin client.
The plugin version should not be more than 3 bi-monthly releases behind the Webex App. For example, if Webex App on the HVD is version 43.4 (April 2023), then the following plugin versions are compatible:
Fallback mode supports standard calls and call recording. The full feature set isn't supported. Call quality is lower because of the server or network issues that cause the switch to fallback mode, but remember that when users either don't use the VDI-optimized solution or are in fallback mode, HD video is disabled and Webex App shows a notification that you may see a media quality issue. At times users use VDI in unoptimized or fallback mode. Their camera or headset may not work, and they may experience poor media quality. More on Fallback mode and the details.

Procedure
Step 1
Command or Action: Configure one of the following types of Hosted Virtual Desktop: Configure hosted virtual desktop and install Webex App; Configure Azure Virtual Desktop for the Webex App
Purpose: To prepare for your users wanting to access the Webex App remotely from thin client devices, set up the Webex App on the centralized hosted virtual desktop (HVD) environment.
Step 2
Command or Action: Configure VDI optimization for Webex App in Control Hub
Purpose: In Control Hub, you can use an organization-level setting to either enable or disable VDI optimization and detection for your Webex App users. By default, the setting is enabled.
Step 3
Command or Action: Install the Webex App VDI plugin on thin client machines for the following platforms: Windows—Install the Webex App VDI plugin on Windows thin client systems; Linux—Install the Webex App VDI plugin on Linux thin client systems; macOS—Install the Webex App VDI plugin on macOS thin client systems
Purpose: After Webex App is installed on your central HVD environment, you next get your users to install a Webex App VDI plugin on their thin client devices. Thin clients are typically lightweight or repurposed computers that users use to establish a remote connection with a centralized HVD server where Webex App is hosted. The thin client plugins for supported platforms are available at https://www.webex.com/downloads/teams-vdi.html.
Step 4
Command or Action: (Optional) Install Webex Meetings VDI plugin on thin client systems
Purpose: (Optional) For full-featured meetings with the Webex App, you or your users must install two separate VDI plugins on a thin client. In addition to the Webex App VDI plugin already installed in the previous step, you must also install the Webex Meetings VDI plugin on the same machine. (You only need to install the Webex App on the virtual desktop.)

Webex has two VDI plugins that you need to install on the clients, then the Webex HVD installer on the VDI itself.
Webex VDI plugin.
Webex Meetings VDI plugin.

How I install the Webex VDI plugin
msiexec /i "LocationofMSI" ALLUSERS=1 ENABLEVDI=2 AUTOUPGRADEENABLED=0 ROAMINGENABLED=1
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cloudCollaboration/wbxt/vdi/wbx-teams-vdi-deployment-guide/wbx-teams-vdi-deployment_chapter_010.html#id_127338

Automated removal and install
In VDI I use the Cisco Webex Removal Tool.
Upgrades in the past have broken Webex in VDI with the virtual channel. The batch script I use is below (the comment lines use :: so that cmd.exe does not try to execute them):

    ::## Remove Previous Version of Webex ##
    C:\Users\Admin\Desktop\42.6.3.10\CiscoWebexRemoveTool.exe /s
    timeout 30
    ::## Installs new version ##
    msiexec /i webexapp.msi /qn ALLUSERS=1 ENABLEVDI=2 AUTOUPGRADEENABLED=0 ROAMINGENABLED=1 /log install.log
    timeout 300

If you wanted to remove the icon on the desktop (not needed unless the environment calls for it):

    ::## Removes the Icon on public desktop ##
    del "C:\Users\Public\Desktop\Cisco Webex Meetings.lnk"

Webex VDI install on Citrix, plus the Webex App VDI plugin and Webex Meetings plugin on the local clients, gives you HDX audio/video optimized quality.

High Level flow

Webex VDI plugin
  • Prepare Your Environment for Webex for VDI
  • Deployment Guide for Cisco Webex for Virtual Desktop Infrastructure (VDI) - Prepare Your Environment for Webex for VDI [support] - Cisco
  • Deployment guide for Webex App for Virtual Desktop Infrastructure (VDI) (cisco.com)
  • Deployment guide for Webex App for Virtual Desktop Infrastructure (VDI)
  • Deployment guide for Webex App for Virtual Desktop Infrastructure (VDI) - Deploy Webex App for VDI [Webex App] - Cisco

Admin Guide
  • Administration Guide for Cisco Webex Meetings Virtual Desktop Software Release 41.x - Install the Cisco Webex Meetings Virtual Desktop Software [support] - Cisco

Video that goes into it very well from a VDI aspect

Example of the installer on the VDI devices. This puts Webex in a VDI mode that knows it is Citrix and uses the client's plugin through the HDX ICA virtual channel:

    msiexec /i webexapp.msi /qn ALLUSERS=1 ENABLEVDI=2 AUTOUPGRADEENABLED=0 ROAMINGENABLED=1 /log install.log

Switches
  • Deployment Guide for Cisco Webex for Virtual Desktop Infrastructure (VDI) - Deploy Webex for VDI [support] - Cisco

Webex Downloads

Webex VDI available for download. The bundles are all in one for each flavor of the OS.
You have one for the Webex app for each OS, and a bundled VDI plugin.

Webex Meetings VDI plugin (the second plugin that is needed on the clients as well)

Admin guide

How to confirm VDI is set

After the install or upgrade, you can check to make sure Webex is in "VDI" mode.

Registry:

New ICA virtual channel security

Put in ICA Virtual channels in the Citrix Studio policy. This will allow you to use the ICA virtual channels Webex made to hook into Citrix and offload the audio/video, AKA out-of-band audio/video.

How to verify Webex is optimized

While in a meeting: that's a good status with the VDI plugin enabled and working. If it's not optimized, there will be an error in Health Status mentioning VDI.

Two different health checkers: this screenshot is from the Webex app. The below screenshot is from within a meeting.

Troubleshooting logs

If you need to troubleshoot Webex and the ICA virtual channel, the log locations are below.
  • UPM/Roaming: C:\users\%username%\Appdata\Local\Temp\WebExMeetingLogs
  • FSLogix: C:\users\local_%username%\Appdata\Local\Temp\WebExMeetingLogs

Side note from my testing: in Citrix Studio, if you set the policy called MultiMedia to prevent (in this case, we were trying to block the webcams from redirecting), it will lock up Webex and make it crash, leaving it unusable.

Resources
  • Deployment guide for Webex App for Virtual Desktop Infrastructure (VDI) (cisco.com)
  • Webex_VDI.pdf

I hope this helps someone out, and if you noticed something is updated and the instructions I gave out are older, please let me know so I can update the documentation around what I may have missed since writing this blog post. Many thanks! See more posts by Ray Davis. Are you a member of CUGC? Join free today!
  8. by Ray Davis, CTA, Jacksonville CUGC Leader

Most people who work with Citrix understand that securing the XML traffic between Delivery Controllers/Citrix Cloud Connectors and StoreFront typically is a must. There may be some situations where some folks may not need it, but that is rare. Things like:
  • It's only used internally and has no gateway.
  • A gateway is used, but again it's all internal.
  • A VPN is used from a laptop setup, and they hit the internal Citrix environment.
  • The organization is new to Citrix and may not understand all the moving parts. To them, things work, and it may be out of sight, out of mind.

I am sure there are many other cases, but I ran into a few in the last year or so. I also secure it in the cases I listed above to cover any bases. I found out that in some cases, the company security team will scan the environment with their tools, and it will show up in a report, which will cause you to secure it anyway. My thoughts are to do it in the beginning, and it is completed. Some may disagree, but that is ok 😊. When doing Citrix deployments for clients, I always try to follow Citrix security best practices. I will list a comprehensive list of what I follow that I put together through the years at the end of the blog.

Long way

I would say most of you understand this way, and this is not anything new. However, I will review it anyway and give you a working example, just in case. Many blogs will cover this same concept online. It's a typical case, and many folks have written it up. This is assuming you don't have your Director servers on the DDC as well. I have seen some occasions where this was the case. Some folks say that is bad, and others say it's ok. In my opinion, it all depends on the environment's size and resources. I would preach to separate them from my perspective around security considerations; no need to put IIS on a Delivery Controller IMHO. Enroll for a Computer cert, but at the time, this is what I had.
So, I request a cert in my case. Note: WebServer does not have to be selected; at the time, it was what I used. Pick the CA based on the location that will match your environment.

Open PowerShell and run this to grab the thumbprint:

    Set-Location Cert:\LocalMachine\My
    Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint -AutoSize

You can also get it a bit cleaner with this (either way works):

    Get-ChildItem -Path Cert:\LocalMachine\my | Select-Object FriendlyName, Thumbprint, Subject, NotBefore, NotAfter

Locate the App ID of the Citrix Broker Service (Cloud Connector). You can do it with "broker" or "Citrix broker Service"; it depends on whether you are using the command for the older CVAD version vs the CR version. However, this is a Cloud Connector, so either one works—just extra information.

    Get-WmiObject -Class Win32_Product | Select-String -Pattern "broker."
    Get-WmiObject -Class Win32_Product | Select-String -Pattern "citrix broker service."

Within PowerShell, do this:

    netsh http>

If you have an existing cert, run this to remove it (use option C if you don't want to do this):

    delete sslcert ipport=0.0.0.0:443

Otherwise:

    add sslcert ipport=0.0.0.0:443 certhash=17BE86B8271FF234662D47DBAC61D688D4A6C0FA appid={ff8980ed-53ce-dcf4-3879-4ee77227aaab}

If you get an error and don't want to delete the old one, use this instead (note that netsh does not accept a space after certhash= or appid=):

    update sslcert ipport=0.0.0.0:443 certhash=17BE86B8271FF234662D47DBAC61D688D4A6C0FA appid={ff8980ed-53ce-dcf4-3879-4ee77227aaab}
    show sslcert

Examples from CTXCC01.Lab.local:

    add sslcert ipport=0.0.0.0:443 certhash=BCD7BF8EA1C491E7D4FFF3086975B10A67CDA4E7 appid={DE0898FF-EC35-4FCD-8397-E47E2772AABA}

In the Registry, you will see two keys in this location.
If you want to ignore the HTTP traffic, create a DWORD with the name XMLServicesEnableNonSSL and value 0x0.

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer
    XmlServicePort = 80
    XmlServicesSslPort = 443

Add XMLServicesEnableNonSSL with value 0x0.

Short way, and much more manageable

I had a couple of questions and reached out to the World of EUC on things. James Kindon sent me a GitHub script that does all this in one shot. I was amazed, and I chose to do this to show you the ease of automation. The script is located here and does this: "Handles the assignment of certificates required for both Citrix Brokers and Citrix Cloud Connectors as well as enabling or disabling HTTP based XML Access. Combines some of the work from Stephane Thirion found here https://www.archy.net/enable-ssl-on-xendesktop-7-x-xml-service/ as well as some misc code snippets picked up along the way."

Citrix/EnableSSL.ps1 at master · JamesKindon/Citrix · GitHub

Pull down the script, and put it in a location on the DDC/CC. There are many parameters with different options. The one I needed was this:

    .\EnableSSL_XML.ps1 -EnableSSL -DisableHTTP

From line 29 of the script's help:

    PS C:\> .\EnableSSL.ps1 -EnableSSL -DisableHTTP

The above example will prompt for a certificate and, once selected, will create the appropriate SSL binding. It will also disable answering XML requests on HTTP. Assign the DDC/CC a machine cert and follow this.

Note: I did this on an on-prem Delivery Controller this time around. The same applies to the Cloud Connector, though.

Then you can run ".\EnableSSL_XML.ps1 -ValidateSSLStatus" to check the status. That's all! 😊 I use this method for all my clients now; it's quick and does the job very well.

I want to test it over port 80 and get some essential network traffic findings. I would like to see the outcome and show you as well.
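Before moving on to the port 80 test, here is the "long way" above collected into one PowerShell script. This is an added example of my own, not Ray's commands verbatim and not James Kindon's EnableSSL.ps1. It assumes it is run elevated on the DDC/CC, that the machine certificate already sits in Cert:\LocalMachine\My with its private key, and that the Citrix Broker Service product code (the appid netsh needs) can be read from the Uninstall registry keys, which avoids the MSI consistency check that every Win32_Product query triggers. The parameter names and the service restart at the end are my additions.

```powershell
# Added example: bind a machine certificate to the XML/STA port on a Delivery
# Controller or Cloud Connector and optionally refuse plaintext XML.
# Assumptions: run elevated; certificate already in LocalMachine\My; the Citrix
# Broker Service appears under the Uninstall registry keys with an MSI product code.
param(
    [string]$Thumbprint,          # value from Get-ChildItem Cert:\LocalMachine\My
    [int]$Port = 443,
    [switch]$DisableHttp          # also set XMLServicesEnableNonSSL = 0
)

# 1. Pick the certificate. Without a thumbprint, list candidates and stop.
$Thumbprint = $Thumbprint -replace '\s', ''   # thumbprints copied from the GUI often carry spaces
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
if (-not $Thumbprint) {
    $certs | Format-Table Subject, Thumbprint, NotAfter -AutoSize
    throw 'Re-run with -Thumbprint <value from the list above>.'
}
$cert = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with a private key and thumbprint $Thumbprint in LocalMachine\My." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# 2. Locate the Citrix Broker Service product code; this is the appid for netsh.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$broker = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like 'Citrix Broker Service*' } |
          Select-Object -First 1
if (-not $broker) { throw 'Citrix Broker Service not found under the Uninstall keys.' }
$appId = $broker.PSChildName                      # MSI product code, already in {GUID} form
if ($appId -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { throw "Unexpected product code '$appId'." }

# 3. Replace any existing binding on the port, then add the new one.
$ipport = "0.0.0.0:$Port"
$null = netsh http show sslcert "ipport=$ipport"
if ($LASTEXITCODE -eq 0) {
    netsh http delete sslcert "ipport=$ipport" | Out-Null
}
netsh http add sslcert "ipport=$ipport" "certhash=$Thumbprint" "appid=$appId" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed.' }

# 4. Tell the broker which port carries SSL XML traffic and, optionally, refuse HTTP.
$key = 'HKLM:\SOFTWARE\Citrix\DesktopServer'
Set-ItemProperty -Path $key -Name XmlServicesSslPort -Value $Port -Type DWord
if ($DisableHttp) {
    Set-ItemProperty -Path $key -Name XMLServicesEnableNonSSL -Value 0 -Type DWord
}

# 5. Restart the broker so it re-reads the registry (assumption: display name as shown in services.msc).
$svc = Get-Service -DisplayName 'Citrix Broker Service' -ErrorAction SilentlyContinue
if ($svc) { Restart-Service -InputObject $svc }

# 6. Show the result so the change can be verified against the StoreFront configuration.
netsh http show sslcert "ipport=$ipport"
Get-ItemProperty -Path $key | Select-Object XmlServicePort, XmlServicesSslPort, XMLServicesEnableNonSSL
```

Run it once without -Thumbprint to get the list of eligible certificates, then again with the thumbprint and -DisableHttp. Step 6 prints the same binding that "netsh http show sslcert" showed in the long way, so you can confirm the hash and appid match before pointing StoreFront at port 443.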
What I expect to happen is that when I launch a Desktop/App, the StoreFront server will contact the DDC in this example over port 80, as I specified above, to show you that the script disabled it from working even though I said in the SF console to use it. It should error out and offer something in the logs.

This is a packet capture. You can see SF tried to reach out over port 80. Then I received this nice but nasty error. Ok, so we knew that would happen. Now I will put it back to 443.

Reference:
  • How to Enable SSL on Cloud Connectors to Secure XML Traffic (citrix.com)
  • Citrix Cloud - Enabling SSL on Cloud Connector to secure XML/STA Traffic. - David Wilkinson. This is what I always followed as I applied it to the cloud connectors as well.
  • HowTo: Enable SSL and Secure XML Traffic on Citrix Delivery Controllers - Easy Method (ferroquesystems.com)
  • Biggest reference was this (one-stop shop that does it all): Citrix/EnableSSL.ps1 at master · JamesKindon/Citrix · GitHub

As promised, here are the security checks that I follow; the list grows as I discover new things.
High level of security checks

User Layer

Device Lockdown
  • GPO hardening - Security baselines guide | Microsoft Learn
  • Auditing for event logs – Security auditing (Windows 10) | Microsoft Learn
  • Recommended advanced audit logging - Truesec
  • Endpoint logging with a SIEM
  • Proper patch cycle (Patch Tuesday goes to test/dev, next week is prod, unless it’s a zero day) - Windows Server Patching: Best Practices - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

Citrix Workspace App Security
  • Secure communications | Citrix Workspace app for Windows
  • Security update SSON CWA
  • Windows TLS Ciphers - Cipher Suites in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn
  • CWA App protection (Workspace side)
    - Tech Brief: App protection | Citrix Tech Zone
    - PoC Guide: App protection policies | Citrix Tech Zone
    - Configure | Citrix Workspace app for Windows
    - Possible issues - screen sharing on applications (Teams, WebEx and GoToMeeting) will not display screen properly until Workspace is minimized. (citrix.com)
  • CWA Secure ICA File session launch
    - Enable "Secure ICA File Session launch". This will block the ICA files from being opened by browsers that can't use the ICA in memory.
    - ICA File Settings > RemoveICAFile (remove ICA files, if downloaded)
    - Improved ICA file security
  • CWA TLS Support - TLS settings

Access layer

NetScaler Gateway URL scans
  • Security headers
    - Analyse your HTTP response headers (securityheaders.com)
    - Citrix ADC - Latest Insights about Security Headers - Julian Jakob
  • SSL Labs - Qualys SSL Labs
  • Legacy ciphers (SSL2, SSL3, DES, 3DES, MD5 and RC4)
  • Use TLS 1.2 \ TLS 1.3
  • VIP and Services need certs for end-to-end encryption.
  • Change default nsroot, LOM, nsrecover
  • Replace default self-signed SSL cert (NSIP, LOM, SDX)
  • Keep firmware updated around CVEs; applies to LOM as well.
  • Separate NSIP traffic from SNIP (PBR) - Separating NetScaler Management and Data Traffic for DISA STIGs | Citrix Blogs
  • Use LDAPS for admin login at least.
  • Send logs to a log server - Configuring Citrix ADC appliance for audit logging | Citrix ADC 13.1
  • Addressing security headers – NetScaler Security Best Practices and TLS Best Practices
    - Best practices for Citrix ADC MPX, VPX, and SDX security
    - Tech Paper: Networking SSL / TLS Best Practices | Citrix Tech Zone

Strong Authentication
  • MFA\2factor
  • LDAPS only – not LDAP by all means

Encryption - XML Traffic
  • Ensure that your XML traffic from the Delivery Controller or Cloud Connector to StoreFront servers is always encrypted
    - Secure XML traffic between StoreFront and Delivery Controller 7.x (citrix.com)
    - https://docs.citrix.com/en-us/citrix-daas/secure.html#enforce-https-or-http-traffic
  • Enforce HTTPS traffic only - SSL configuration on VDA (citrix.com)
  • 3a. Cloud Connector (Windows)
    - https://docs.citrix.com/en-us/citrix-daas/secure.html#xml-trust
    - https://docs.citrix.com/en-us/citrix-daas/secure.html#enforce-https-or-http-traffic
  • 4. StoreFront SSL
    - Where possible add SSL on the BaseURL for StoreFront, unless doing SSL offloading (but make sure the NS service has SSL/updated ciphers)
    - End-to-end encryption - Secure your StoreFront deployment | StoreFront 2203 (citrix.com)
  • 5. VDA/HDX Encryption - SSL configuration on VDA (citrix.com)

Resource layer

Hardening Windows Images

Hide Admin shares
On Windows systems, there are typically “admin” shares called c$ (for example) for admins to connect to the c: drive remotely. However, these shares are now by default open to all interactive users, which includes users logged on to Citrix Virtual Apps systems. This means a user can access the local drive by browsing to \\LOCALHOST\C$ or the network loopback address of \\127.0.0.1\C$.
In order to prevent this, it is recommended to set a Registry value via GPO or in the image so that the behavior reverts to that used previously. The Registry value is a hexadecimal entry, so it should be imported from a .reg file rather than entered by hand.
Once this is in place, users will no longer be able to connect to these hidden shares and gain entry to local drives.
It will also block these connections from Chrome, Internet Explorer, Microsoft Edge or Edge Chromium. Administrators can still connect to these shares remotely, which was the original purpose of these hidden shares.
Admin shares available to non-administrative users over loopback address (microsoft.com)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity]
    "SrvsvcShareAdminConnect"=hex:01,00,04,80,64,00,00,00,70,00,00,00,00,00,00,00,\
      14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,\
      00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,\
      00,05,20,00,00,00,25,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,00,\
      05,20,00,00,00,27,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,\
      00,00,00,05,12,00,00,00

  • Set WinRM HTTPS (if used) - How to configure WINRM for HTTPS - Windows Client | Microsoft Learn
  • Set auditing policy best practice on the VDA - Audit Policy Recommendations | Microsoft Learn
  • Lock down TLS and Windows TLS ciphers
    - Cipher Suites in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn
    - Nartac Software - IIS Crypto
  • Patching and updates - Test/Dev/QA/Prod approach
  • Antivirus software - AV is needed on all products to continue to provide a first line of defense.
    - Tech Paper: Endpoint Security, Antivirus, and Antimalware Best Practices (citrix.com)
  • Common Criteria Certification Information - Citrix
  • Securing Citrix Virtual Apps and Desktops Environments - Citrix
  • System Hardening Guidance for XenApp and XenDesktop (citrix.com)
  • VDA Hardening - Tech Paper: Citrix VDA Operating System Hardening Guide

Citrix lockdown policies
  • VDI Broker Security Analysis Q4 2022 - VDISEC
  • Citrix Offers Template for securing Citrix Policies within Citrix Studio
  • Virtual channel security enforcement > 2203 and higher
  • Virtual channel names and process allowing steps
  • Making Your Citrix Policies Secure

Citrix Session Recording
Session Recording provides IT teams with the ability to record and replay video of what transpired during a given user's session. This ability may not be needed for all users. It can be enabled for key individuals, user groups, or when accessing sensitive applications, desktops, or resources. Many takeaways can be gleaned from these recordings that might not be possible with just Windows event and application logs.
  • Scalability considerations | Session Recording 2203 LTSR (citrix.com)
  • Scalability considerations | Session Recording 2210 (citrix.com)
  • TLS and ciphers security still applies.
    - Security recommendations | Session Recording 2210 (citrix.com)
    - Security recommendations | Session Recording 2203 LTSR (citrix.com)

Watermarking
For sessions that have a user accessing sensitive data, a great deterrent to having the data be stolen is a watermark, especially if the watermark can uniquely identify the user. Citrix enables admins to configure what to display. You can display:
  • User logon name
  • Client IP address
  • VDA IP address
  • VDA host name
  • Login timestamp
  • Customized text
Session watermark policy settings | Reference (citrix.com)

VDA Security Hardening - Citrix Tech Zone

Control Layer

Ensure Availability
When deploying any solution, components must be deployed in a highly available manner. Having services that are suffering constant outages due to single points of failure is poor practice. Therefore, using the N+1 approach to capacity ensures that there is enough resource available during logon and logoff storms, while keeping an acceptable level of component loss that still retains the ‘good’ user experience. Now, most customers follow N+1 in terms of planning the amount of resources that need to be available. However, depending on the tolerable level of risk, this may be N+2. Also, to ensure there are enough resources available to handle the user load, components should be separated off onto dedicated virtual machines. It is bad practice to run shared components on virtual machines, not only from a performance perspective, but also security.
Key components from a Citrix perspective are as follows, but not limited to:
  • StoreFront
  • Delivery Controllers
  • SQL Server
  • Federated Authentication Service
  • Director
  • License Server (change the self-signed cert)
  • Cloud Connectors

Citrix printing security
  • Best practices, security considerations, and default operations (citrix.com)

Citrix FAS security
  • https://docs.citrix.com/en-us/federated-authentication-service/config-manage/security.html#security-considerations
  • The Enrollment Agents list contains only FAS servers (remove Everyone)
  • Security access control list
    - List only SF servers
    - If possible, list the VDAs (create groups if needed)
    - If possible, list the users that use the SF servers
  • Change the cryptography key size from 1024 to 2048 bit
  • Modify the Extended Key Usage (EKU) from “All” to “Smart Card Logon” only
  • DCOM firewall

Host Layer

Hardware Separation
Separate workloads into unique clusters and ensure that workloads hosting the same data classification are retained within those unique clusters. If an attacker broke into the hypervisor layer somehow, higher classifications of data are not compromised.

Network Separation
Breaking down workloads into individual subnets that are logically separated can dramatically reduce the impact, or spread, of an attack. Usually, these subnet layouts are a perfect place to start:
  • Access Components. Small subnet comprising the ADC IP addresses and call-back gateway.
  • Citrix Infrastructure. The Citrix infrastructure subnet, depending on the infrastructure being deployed, would include the following: StoreFront, Cloud Connectors/Controllers, Director servers, Citrix ADM.
  • Supporting Infrastructure. Depending on which infrastructure components are required, these services are prime examples for separation: SQL servers, jump servers, and licensing servers. This is dependent on your compliance needs.
  • VDA Subnets. There is no right or wrong answer when sizing the VDA subnets. In the past, we have used historical data to guide us around PVS subnet sizing. Over time, PVS recommended practices have evolved. The main thing to note is that subnet sizing must be allocated based on the number of users and VDAs and the security context that they are accessing. Placing users with a similar risk profile into a single subnet can also ensure that each of these subnets can be separated by a firewall.

Firewalls
Firewalls are one of the primary elements of implementing security in an environment. Implementing host-based and network-based firewalls will introduce significant operational overhead. Implementing two levels of firewalls, host-based and network-level, will allow for separation of duties. This step allows an application to communicate from one server to another. Any firewall rules must be well documented and clearly marked as to which roles or functions are assigned. This detail will assist you in getting approvals for exceptions from your security and network teams.

Secure Citrix Cloud platform
  • Secure Deployment Guide for the Citrix Cloud Platform
  • Citrix DaaS Technical Security Overview - Technical security overview | Citrix DaaS
  • Delegated administration | Citrix DaaS
  • Citrix Site Analytics delegated admins - https://docs.citrix.com/en-us/citrix-daas/monitor/permissions.html
  • Citrix DaaS Reference Architecture - Reference Architecture: Citrix DaaS | Citrix Tech Zone
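One check worth doing before the "Hide Admin shares" registry value from the Resource layer section is pushed out by GPO is to decode the binary security descriptor and confirm who it actually grants access to. The script below is an added example of mine, not part of Ray's post or of the Microsoft article he cites; the hex is the SrvsvcShareAdminConnect value exactly as given above, and the parsing relies only on the .NET RawSecurityDescriptor class. The function names are my own.

```powershell
# Added example: decode the SrvsvcShareAdminConnect value into SDDL so the ACL
# being applied can be reviewed, then compare it with what the VDA currently has.
# The hex string is the value from the post (a .reg "hex:" payload).
$regHex = @'
01,00,04,80,64,00,00,00,70,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,\
00,05,20,00,00,00,25,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,00,\
05,20,00,00,00,27,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,\
00,00,00,05,12,00,00,00
'@

function ConvertFrom-RegHex {
    # Turn a .reg hex: payload (with "\" line continuations) into a byte array.
    param([string]$Hex)
    $clean = ($Hex -replace '\\\s*', '') -replace '\s', ''
    [byte[]]($clean -split ',' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
}

function Get-ShareAdminConnectAcl {
    # Parse a self-relative security descriptor and list its DACL entries with resolved names.
    param([byte[]]$Bytes)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    $aces = foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{
            Type    = $ace.AceType
            Mask    = ('0x{0:x}' -f $ace.AccessMask)
            Sid     = $sid.Value
            Trustee = $name
        }
    }
    [pscustomobject]@{
        Sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
        Aces = $aces
    }
}

# 1. What the .reg file will apply.
$proposed = Get-ShareAdminConnectAcl (ConvertFrom-RegHex $regHex)
'Proposed descriptor:'
$proposed.Sddl
$proposed.Aces | Format-Table -AutoSize
# Expected: three Allow ACEs for S-1-5-32-544 (Administrators), S-1-5-32-549
# (Server Operators) and S-1-5-32-551 (Backup Operators), owner/group SYSTEM.
# No ACE for Interactive or Users, which is what stops the \\127.0.0.1\C$ access.

# 2. What the machine has now (value absent means the permissive default is in force).
$path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity'
$current = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).SrvsvcShareAdminConnect
if ($current) {
    'Current descriptor:'
    (Get-ShareAdminConnectAcl ([byte[]]$current)).Sddl
} else {
    'SrvsvcShareAdminConnect is not set; the default (interactive users allowed) is in force.'
}
```

Run it on a VDA before and after the GPO applies. The DACL lists only the three BUILTIN operator groups, so any session user that is not a member of those cannot connect to the admin shares over loopback, while remote administrators keep the access the shares were intended for.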
  9. by James Kindon, CTP

Way back in 2017, Hal and I sat down over a few months and wrote up a series for CUGC based on Citrix Workspace Environment Management. We badged the 3-piece series of articles as “WEM Advanced Guidance”; the aim of them was to shed some light on all the ins and outs of WEM and roll through some fundamentals of the solution. You can find the original articles below:
  • WEM Advanced Guidance Part 1
  • WEM Advanced Guidance Part 2: User Interaction
  • WEM Advanced Guidance Part 3 - The Leftovers: Good, Bad, Ugly

That series, believe it or not, wrapped up in February 2018, which means it’s been over 5 years. That means it’s most definitely time for a refreshed WEM Advanced Guidance 2023, because the solution has not sat still, and there are a lot of changes to discuss, including updated guidance and changed logic. Let’s get cracking.

WEM Architecture and Deployment Options

Back in the old days, there was one client-server architecture for WEM, which required a database server, one or more application brokers, a load balancer and several agents. Whilst this model still exists, we also now have a Cloud version of WEM delivered “As a Service” as part of the Citrix Cloud DaaS offering. When deploying on-premises, the following architecture applies: When deploying the cloud service, things change up a little: The service has a considerably faster release cadence, additional features, and a more enjoyable administration experience via the web console.

Amazingly, despite the documentation, there still seems to be a significant amount of forum posts and customer challenges associated with WEM Agent communications to the cloud. To summarize how things work with the cloud service:
  • The Cloud Connectors are there to proxy the agent registration with the WEM service and to allow the WEM service to understand Active Directory.
  • The Agents themselves must have 443 outbound access to the WEM Services. They do not proxy to the cloud service via the Cloud Connectors.
Never have.
  • The service offering means that Citrix manages your database (Azure SQL), the Broker roles, and the Console, both Web (modern) and full (legacy). You simply manage Cloud Connectors and Agents.

Configuration Sets

Things change a little with configuration sets. The ability to now have dynamic optimization settings negated that as a requirement to split out configuration sets. VMware Persona features being deprecated and then removed also negated that as a segmentation requirement. Citrix also addressed the ability to synchronize settings across multiple configuration sets, meaning that you can now have full export and import capability including AD group assignments. This was a major win for multi-config set scenarios.

Cache, Cache, Cache

Still the number one misunderstood function of WEM, the cache is getting (yet another) special mention. This is the single biggest challenge I see in the field. There are three cache points:
  • The broker stores a cache of the database so that the SQL server doesn’t get pounded and a level of resiliency for SQL outages is in place. This is the default behavior of WEM, and a cache exists on each broker server.
  • Cache number two is the cache that exists on the Agent itself once offline mode is enabled. This is a constant point of misconfiguration. All deployments should use Offline Mode. This means that a cache will be created locally, which provides both resiliency and faster processing by removing the load from the brokers. The “Use Cache to Accelerate Actions Processing” setting drastically reduces load, as the cache is used 100% to process the user actions, of which there are typically a lot. What often gets missed is that the cache is updated based on the Agent Cache Refresh Delay, which is 30 minutes, randomized so as to avoid load storms. You can read more on the cache via a blog post released in 2020 by Wayne Liu.
  • The third cache is the user-based tracking cache.
This cache lives in the user registry itself and tracks how and when application processing occurs per user. This is the cache that tracks things like “run once” or “Automatic Self Healing” tasks. You can read more about this cache where I developed a quick PowerShell script to help reset these cache objects to help with re-processing actions. Luckily that script is no longer needed, as the WEM team took the concept and built it into the product. The setting you want is “Allow users to reset actions”, which enables the user to right-click on their WEM agent, select reset actions and choose what to reset (printers, for example). The next time the user hits refresh on the agent, their environment is processed as if for the first time.

The cache world is not hard, but it’s often misconfigured. Here is a post on how it worked historically before some code changes were introduced, but it is important to understand. Additionally, the WEM documentation now outlines both the Agent startup behaviour and some detail around the Agent Cache Utility. The biggest takeaway from all those articles is this:

“When Citrix WEM Agent Host Service starts, it automatically verifies that the agent local cache has been recently updated. If the cache has not been updated for more than two configured cache synchronization time intervals, the cache is synchronized immediately. For example, suppose the default agent cache sync interval is 30 minutes. If the cache was not updated in the past 60 minutes, it is synchronized immediately after Citrix WEM Agent Host Service starts.”

The final note on the cache side of things is this. I have done more deployments of WEM than I can count, and I have zero issues with the cache. The reason for this is twofold:
  • In legacy environments, before the code was updated to handle bad conditions, I used a startup script.
  • Once I moved deployments (or implemented new ones) using the updated logic within the product, I removed the scripts and let the product do its thing.
I do, however, deploy BIS-F in every single deployment I have done. With BIS-F I always enable the WEM processing as below. If you are not using BIS-F in your environment, then go and slap yourself and then get it done. If you screw up the way the cache works or don’t configure the environment to allow it to work properly, you will not have a fun journey with WEM. Sort this, and you sort 99% of issues.

System Optimization

WEM offers a range of system optimization tools: CPU, Memory, I/O, Fast Logoff and Citrix Optimizer integration.

For CPU Optimization, way back in the old days, you typically had to tell WEM what sort of configurations it was going to use, using a core/percentage-based formula. This meant you were limited to one size of machine per configuration set, which was a bit rubbish. Luckily, this is now automatic, and you should be allowing WEM to dynamically figure this out using the Auto Prevent CPU Spikes setting.

WEM Memory Management is still the same as it was conceptually and is something to be wary of. At its core, Memory Management is forcing the paging of idle memory to disk. This is aggressive and can be extremely punishing on your disk configurations. In 99% of deployments I have done in the field, I do not enable Memory Management. If your VMs need more memory to handle the load and reach the density, then give them more memory, or deploy more VMs. My colleague Dave Brett recently pushed some Nutanix benchmarking on WEM impacts, which is well worth a read and aligns with what I have experienced and configured in the field. Well worth a look, as he did a great job with the write-up.

A new feature that was introduced into both cloud and on-prem deployments is Memory Usage Limit, which lets you limit the memory usage of a process by setting an upper limit for the memory the process can consume.
Note: the above image is really a joke as far as the processes defined – don’t do that; they are just the first two processes that came to mind that I would like to slap. The modern web console view is shown below; this is applicable to cloud deployments only as of the time of writing.

Multi-Session Optimization is quite a handy addition to the stack, allowing you to apply optimizations only when sessions are in a disconnected state. This is a very powerful feature and one that I have been using since it came out.

Citrix Optimizer integration was one of the first feature enhancements that started to bring WEM into the Citrix world, though to be fair, it’s not really a feature that adds a lot of value unless you are post-optimizing images created by third-party tools and not including optimization as part of your build (which we would hope is not a real thing).

Security Features

WEM moved forward heavily in the security space. When we wrote the original series, AppLocker support had just been released in addition to a basic process whitelist and blacklist. Things got a lot smarter from there. A summary below of what’s available:
  • Application Security is simply AppLocker with more fine-grained control delivered by WEM.
  • Process Management is a whitelist/blacklist stamp on processes.
  • The privilege elevation feature lets you elevate the privileges of non-administrative users to the administrative level necessary.
  • Process hierarchy control controls whether certain child processes can be started from their parent processes in parent-child scenarios.
  • Auditing of everything associated with elevation is captured and viewable in the WEM console.

Actions, Conditions, Rules and Filters

There have been some minor changes in action types; the biggest addition was that of Action Groups. These reduced the assignment complexity by allowing you to define a grouping of actions (get it?) and then apply this group to users.
A prime use case of this was handling GPO migrations into WEM actions. I’ve worked on a number of projects where sucking a GPO into WEM actions and then using Action Groups provided a nice easy way to organise and apply settings.

File Type Associations got fixed! Previously, due to Microsoft changing the ball game with the modern OS, WEM was not able to process FTA properly and we had to use tools like SetUserFTA. The WEM team, as per usual, fixed this and we can now process FTA assignments selectively on the modern OS, all from within the system natively. Huzzah.

External Tasks became the beneficiary of a load of enhanced triggers, allowing for all sorts of advanced functions and trigger points. An External Task for WEM was pretty much the go-to for anything not native in the product (PowerShell scripts etc.), so the ability to execute these on a list of predefined triggers in the on-prem world, or more advanced triggers in a cloud deployment (think scheduled triggers or Windows event log triggers, etc.), is a big step. Custom triggers can be defined in the Cloud Console for WEM service deployments.

Filters and Conditions are updated to understand modern operating systems all the way up to Windows 11 and Windows Server 2022. For Service deployments, OR filtering is now available at the filter level (previously you had to get funky with the conditions), with a nice web model to help you understand the overall impact and end state.

Group Policy Management

Lots of enhancements and changes with group policy and WEM capability. First, I think it’s important to note the amount of work and tooling that Arjan Mensch created, which laid the foundations for what we now have in the product (his stuff still has more advanced features). His work, which can be found here, was the first real way of being able to export content from a GPO, convert it into WEM actions, and then import it into WEM. It was massively impressive work and really allowed some crazily complex migration projects to go smoothly.
Some of that work, conceptually at least, is now in the product natively. The “Migrate” option in the console is specifically designed to import a backed-up GPO and convert supported settings into WEM actions. From there you can suck them in via the import option.

With the new Group Policy Settings action type, you can define a “group policy” that will be assigned to either users or computers. For on-premises deployments, these group policies are effectively a collection of registry-based settings. Below is an example of FSLogix settings being deployed by WEM using the registry-based settings GPO type:

For Computer objects to get group policy settings applied (which is handled by the service, not the agent), the machine objects must live in an Active Directory group. With the WEM Service deployment, you can target Azure Active Directory groups also.

For WEM Service customers, they get template-based GPO Settings which are ADMX settings, the same as you would get in a normal GPO object. You can import your own (for example, FSLogix) or you can use the built-in templates which are kept up to date by the WEM Service. Looking at the same policy we referenced above using registry-based configurations, we can see that template / ADMX-based configurations are way better.

WEM Service also supports non-domain-joined machines out in the wild (think Intune-managed devices etc.). WEM GPO processing offers a stack more control and assignment options for these devices, allowing for the same management tooling across all devices.

WEM, UPM, FSLogix and Process Insights

This is still something that is worded badly all the time when some people are talking to customers or prospects – WEM is NOT a profile management tool. It drives Citrix Profile Management configuration as well as enhances FSLogix with some visibility and reporting functionality. WEM sits under the same team as CPM within Citrix and is tightly coupled; however, it is not a profile management solution.
In fact, I still do not drive CPM configuration via WEM anywhere, preferring Citrix Policy to drive that bus for several reasons that aren’t in the scope of this post. So, for anyone calling WEM a profile management tool, please stop it.

Container reporting is cool. For on-prem deployments there are some baseline FSLogix and CPM Container insights, and with the WEM Service there is enhanced visibility into application and optimization reporting. Worth turning all these features on and checking them out.

Agent Auto Update Functionality

For persistent VDI workloads, managing agents meant having 3rd party tooling in the mix to push these upgrades out. The WEM team brought this capability into the Cloud Service natively, meaning that for persistent VDI, WEM can self-update and manage its agent releases.

CVAD integration, and then not?

Some experiments were had, and only some are still in play. The agent installer was combined with the CVAD installation media, and then quickly backed out – that plan didn’t really work out too well. There are configuration set assignment integrations for the WEM Service with Catalogs in CVAD, but I haven’t had a lot of luck with this. OU assignments tick the box and never fail, so this is the model I run with.

The community initiative to product gap closes

There have been a few community initiatives started to try and fill in some gaps in the product, but things changed, and the product got better. Below is a list of known initiatives and their current relevance:

- The WEM hydration kit – A quick population tool. This is still of use to get you up and going quickly, supported on both on-prem and service deployments.
- The Citrix.WEMSDK PowerShell Module by Arjan Mensch. This was a beast of a module that was (and is) filling a huge gap in the automation world for WEM; however, it was halted due to the progression of the solution and the amount of time it took to maintain and test. It still does a great job on most configuration points for on-prem deployments but is no longer maintained.
- A GPO conversion PowerShell Module for Citrix WEM by Arjan Mensch. Still one of the most useful tools out there; whilst mostly replaced with inbuilt WEM functionality, it still fills in the gaps and offers more advanced migration functionality.
  - PowerShell Module for Citrix WEM – Part 1 – Application actions
  - PowerShell Module for Citrix WEM – Part 2 – GPO Import and more
  - PowerShell Module for Citrix WEM – Part 3 – EnvironmentalSettings and MicrosoftUsvSettings from GPO and much, much more
  - PowerShell Module for Citrix WEM – Part 4 – Import Published applications
- The WEM Documentation Script – This stopped in line with Arjan’s PowerShell Module halting. The database got too complex to work against and there was no access to the Cloud Service, so this tooling effectively stopped.
- WEM Startup Scripts – these are now defunct if you configure your environment properly.
- A PowerShell Script to selectively delete the user tracking cache – This is now defunct and part of the product natively.

I’ve seen some posts online about using WEM to manage start menus combined with FSLogix AppMasking. My advice here is to simplify where you can. Mixing and matching tools to manage start menus isn’t the best idea. Stick with a solution and manage it accordingly; my personal preference is AppMasking the entire thing, and using machine-level configurations. Additionally, so we are clear, WEM pinning to the start menu (tiles) is still not something that is reliable. This, again, is not a WEM problem, it’s a Microsoft issue.

Troubleshooting known problem scenarios

Without going too far into the weeds (you can lead the horse to water….), here are some high-level considerations/advice on how/where/why things may be a challenge in some environments:

- If you don’t understand how the cache works, and its impact on the processing of the environment, then you are doomed. Go read and learn it.
- If you deploy the WEM Service and don’t understand the networking requirements, you are again in some trouble. Go read and learn it.
- If you don’t understand the context in which WEM action processing takes place, then you are fighting an uphill battle (hint, it’s the user context).
- If you choose to deploy CPM configurations via WEM and haven’t dealt with Cache and startup considerations, then it’s on you if things don’t work. Citrix policy never has a challenge…
- If you make dumb AD decisions, then WEM can be a victim, not the problem. Go fix it.
- If you do silly things like AppData redirection, then WEM can be impacted. Stop it.
- If you do silly things like Start Menu redirection on Modern OS, then go slap yourself.
- If you don’t know how to enable logging, read log output or where to start… then go read more; the first series still has plenty of valid getting started considerations.

Summary and Closing

In the first series of articles, we made statements about WEM being almost the poor cousin to the likes of AppSense etc.; however, over time those gaps have closed, making WEM a first-class citizen. Whilst not everything is available, the WEM team is constantly looking for ways to improve the solution, so if anything is not there that you think should be, feel free to get in touch and we can get it on the list. Stay up to date with changes in the solution. I track feature releases below as a starting point; however, RTFM never goes astray:

- Citrix WEM Service: The Evolution of Citrix Workspace Environment Management Service (jkindon.com)
- Citrix WEM On-Prem: The Evolution of Citrix Workspace Environment Management (jkindon.com)
10. by Ray Davis, CTA & Tampa CUGC Leader

I wanted to take the time and list the optimizations I try to follow wherever I can when helping clients tune images and make login faster. I also wanted to state that these tips and tricks are gathered from a collection of EUC sources I follow. I can't take any credit for these, and this blog is to try to put them all in one place for the community. There are many folks out there that have blogs that go deep into this. One that always comes to mind is James Rankin. I have been following his hat tricks for many years. He has a great "Ultimate guide to Windows Login time" series, and I recommend you read it.

As I go through and list out these optimizations, please note that some of this is my opinion based on my experience and the other is EUC help from the community. I also understand that each environment is different, some may or may not apply, and some people may not agree with these. I still try to use all I can within the control given during the situation. As you read this, remember these are helpful tips and aren't intended for you to go out and start changing things right away. Take your time and test, test, and test. I did not focus on the storage aspect, as ideally, using SSD or NVMe storage is something you would want to stay within any VDI environment.

UEM Tool

It would be beneficial to obtain a UEM tool with system optimizations for CPU, Memory, and I/O. Just by doing Citrix WEM, it has a magic formula (simplified a lot). By setting four options, you will achieve more of a scalable approach for the images, which means you will get more out of the Hypervisor around CPU cycles, CPU wait time, and CPU response. Memory management can be beneficial because it takes a working optimization set and clamps the usage if needed. The next question folks ask is, what about the disk I/O or disk latency that could occur? Sure, that could happen, but 13k-18k IOPS per disk at 3 Gbps-6 Gbps is very unlikely.
In today's technology times, I don't run into disk constraints as I used to 6-8 years ago. But it's still likely to happen.

- Citrix Tech Insight - WEM Logon Optimization - YouTube
- Citrix WEM Performance Optimizations - YouTube
- User Environment Manager Software | Ivanti

Tuning GPO

GPO is an essential part. There is nothing wrong with the older mindset around GPP and client-side extensions, login scripts, item-level targeting, and WMI filters. But ideally, to get the best user experience, they would need to go away, or you need to be open to change if user performance is the key. It does work very well, but it also adds much overhead. This is the #1 thing I've cleaned up at many companies. You move these to a UEM tool.

GPO Functional vs. Monolithic

Number 2 leads me to number 3: get rid of functional GPOs and do the monolithic layout. Too many single-liner GPOs will make logins slow, from my experience. One or two main GPO objects will make GPO processing a lot better. Yes, it will contain a lot of GPO in one, but it processes faster. The gentleman in this blog is Trentent Tye. He works for ControlUp, and I occasionally talk to him about custom ControlUp script-based actions. He is very sharp and has helped me many times. Another good one on this list is James Rankin.

- https://theorypc.ca/2018/04/09/group-policy-monolithic-vs-functional-design-and-performance-evaluation/
- How to get the fastest possible Citrix logon times – JAMES-RANKIN.COM

Loopback Processing

GPO loopback processing is something I have seen done wrong in so many places. In a Citrix XA-XD or even RDSH environment, ideally, you also want loopback processing in replace mode. You do not want GPOs from other OUs applying. This can be a hot topic because you might have your OU laid out where users are in one OU with user policies and computers in another OU with computer policies.
But in my last 15 years, the approach has been computer GPOs, and if you want the user's GPO applied, you need loopback enabled and then set to replace, not merge. Taking this approach means doing GPO additions or an OU re-org. This is a debatable factor, and some may not agree.

Computer GPO over user GPO

One crucial piece: always choose a computer GPO when available. Suppose you have a user and a computer GPO that do the same thing. Go with the computer GPO. It will apply at startup, making the GPO faster. You might be thinking that we have specific user settings that apply to users. Yea, I get that. But again, use a UEM tool and get away from what I listed in #2. Keep nested groups to a minimum, or logins will be impacted. But again, each setup may not be able to do this based on the environment's complexity.

- The not-so-hidden tax of granular Group based application presentation with Citrix WEM (jkindon.com)

Asynchronous GPO processing

Ensure you have asynchronous GPO processing on.

- "Always wait for the network at computer startup and logon": Disabled
  Computer Config > Admin Templates > System > Logon > Always wait for the network at computer startup and logon: Disabled
- "Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services": Enabled
  Computer Config > Admin Templates > System > Group Policy > Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services: Enabled

- How to get the fastest possible Citrix logon times – JAMES-RANKIN.COM
- Make Citrix logons use asynchronous user Group Policy processing mode – JAMES-RANKIN.COM
- The ultimate guide to Windows logon time optimizations – part #4 – JAMES-RANKIN.COM

OS optimization

Windows OS optimizations, such as Citrix Optimizer and bolt-ons from the Citrix marketplace, for 3rd party applications such as Edge, Chrome, Office, etc. It's essential to tune the image.
- VMware OSOT vs Citrix Optimizer Optimizer Smackdown | GO-EUC
- Citrix_Optimizer_Community_Template_Marketplace/templates at master · ryancbutler/Citrix_Optimizer_Community_Template_Marketplace · GitHub
- Creating a custom template for Citrix Optimizer - Dennis Span

Minimize Applications at Startup

Remove all applications at startup, except for the key elements. An example would be the CU agent, UEM Agent, and AV. Autoruns helps in this manner. Nothing needs to run in HKLM\Run or RunOnce. If it needs to run at startup, you use a UEM tool and call it a day.

Application tuning

In my experience, this can be a daunting task. Many companies will have custom software for the business. Some are in-house, some are 3rd party, and some are used universally across many companies. In any case, try to reference the documentation where possible. Most but not all will have guides on applying best practices in RDSH/XenApp/VDI. As an example, here are some that come to mind. There are many more, I am sure.

- Teams: PoC Guide: Citrix Workspace App for Microsoft Teams
- Zoom: Getting started with VDI – Zoom Support
- Adobe: Windows Virtual Deployment Overview — Acrobat Desktop Virtualization Guide (adobe.com)
- WebEx: Administration Guide for Cisco Webex Meetings Virtual Desktop Software Release 41.x - Install the Cisco Webex Meetings Virtual Desktop Software [support] - Cisco
- O365: https://docs.citrix.com/en-us/tech-zone/toc/by-product/citrix-virtual-apps-and-desktops/design-guidance.html#step-6-microsoft-365
- Microsoft Edge: Tech Paper: Deployment Guide Microsoft Edge | Citrix Tech Zone
- Google Chrome: Tech Paper: Deploying Google Chrome | Citrix Tech Zone
- Microsoft 365 with CVAD: Deployment Guide: Microsoft 365 with Citrix Virtual Apps and Desktops

Active Setup

Active Setup was another legacy hook from MS that they kept around. Remove Active Setup keys from the Registry; these bloat userinit and hold up the shell from loading, causing delays. I have details and data on this I can provide.
Citrix TechZone highlights this in their best practices for deploying Google Chrome. Although the topic isn't about Chrome, it gives you an idea.

- Tech Paper: Deploying Google Chrome | Citrix Tech Zone

Preferred method - Add this into Citrix Optimizer:

- Creating a custom template for Citrix Optimizer - Dennis Span

Another method - Run James Rankin's script:

    echo Querying and deleting 32bit STUB paths...
    setlocal EnableDelayedExpansion
    rem Comments use rem rather than :: because a :: label inside a parenthesised block can break cmd.exe
    rem Queries the Registry and searches for specific strings. In this case 'STUBPATH'
    set KEY="HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components"
    set FND=find /i %KEY%
    for /f "Tokens=*" %%a in ('reg query %KEY% /s^|%FND%') do (
        set SP=N
        for /f "tokens=*" %%b in ('reg query "%%a"^|find /i " STUBPATH"^|find "REG_"') do (
            set SP=Y
        )
        rem If a value named STUBPATH was found under this component key, delete it
        if "!SP!" EQU "Y" reg delete "%%a" /V STUBPATH /F
    )

    echo Querying and deleting 64bit STUB paths...
    endlocal
    setlocal EnableDelayedExpansion
    rem Same again under the Wow6432Node branch of the hive
    set KEY="HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
    set FND=find /i %KEY%
    for /f "Tokens=*" %%a in ('reg query %KEY% /s^|%FND%') do (
        set SP=N
        for /f "tokens=*" %%b in ('reg query "%%a"^|find /i " STUBPATH"^|find "REG_"') do (
            set SP=Y
        )
        rem If a value named STUBPATH was found under this component key, delete it
        if "!SP!" EQU "Y" reg delete "%%a" /V STUBPATH /F
    )
    endlocal

PVS vDisk maintenance (if PVS is used)

PVS offline vDisk maintenance. Yea, it would help if you defragged the VHDX. It doesn't matter how fast your storage is. Disk fragments will occur, reducing performance by 20-40%, in my experience. There are ways to do this without downtime and with automation. The more versions you create, the more it happens. I have blogs on this if you are interested.
- How I Run a Defrag on a PVS Target vDisk (mycugc.org)

Extra VDA Image tweaks

Sometimes I would like to squeeze more out of the optimizations. Being in the community means many talented folks have many tricks. Here is another blog I go through to see where it can help. I encourage you to ensure you understand what this is doing. If you implement it, it would be a good idea to make a list of running optimizations. It will allow you to have source control for yourself and your peers, helping support the image/environment.

- Citrix Virtual Delivery Agent (VDA) Post Install Script | J House Consulting - DevOps, Microsoft, Citrix & Desktop Virtualisation (VDI) Specialist

This key has been around since 2012/Win8 days. I still implement it today. Add this into GPO or WEM (this helps Citrix Director get the correct times):

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Serialize]
    "StartupDelayInMSec"=dword:00000000

- Optimize Logon Times - Part 1: Citrix Director - xenappblog
- Reduce Citrix logon times by up to 75% – JGSpiers.com

Another little nugget I stumbled on was DisableAcrylicBackgroundOnLogon:

    HKLM\SOFTWARE\Policies\Microsoft\Windows\System
    DisableAcrylicBackgroundOnLogon
    DWORD Value: 1 (Enabled)

GPO method – Computer Config > Admin Templates > System > Logon > Show clear logon background = Enabled

Remove extra UWP/AppX packages

    Get-AppxProvisionedPackage -online | Out-GridView -PassThru | Remove-AppxProvisionedPackage -online

- https://james-rankin.com/articles/how-to-remove-uwp-apps-on-windows-10-v1803/

Windows Welcome screen spinning, waiting, or slow

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Value = DelayedDesktopSwitchTimeout
    Type = DWORD
    Data = 5 or 1

I always test this key in the environments.

- Windows 10 VDA exhibits slow logon at Welcome screen (citrix.com)
- The ultimate guide to Windows logon time optimizations, part #6 – JAMES-RANKIN.COM

Finalizing or Sealing

Remember that Finalizing or Sealing the image is very important. I have been using BIS-F by Matthias Schlimm for many years now. I have a good working relationship with him from my CTA experience. This is another critical element. If you currently have your Image Sealing scripts, then no problem. We can combine them, and the results are even better.

- Base Image Script Framework (BIS-F) 6.1 (eucweb.com)

Here are some key elements I always use in my Golden Image:

- Disable IPv6
- Run DelProf2
- Run CCleaner
- Run AV Scan (it depends on the AV product at times)
- Configuration CTX Optimization
- Configure Citrix PVS Target (sets my Write Cache drive for me)
- Run a Defrag ([issue]: Defrag not performed, not defined based on DiskMode VDAPrivate · Issue #369 · EUCweb/BIS-F · GitHub)
- Run .NET Optimizations
- Rebuild Performance Counters
- Enable WinSxS optimization with a max of 480 minutes (execute on base disk only)
- Disable "Delete AllUsersStartMenu Content". I do this because it will ask you, and I have seen folks say yes and not read the messages.
- Remove ghost devices (be careful, and understand this)
- Configure Desktop shortcut
- Shutdown Base Image after sealing
- If using FSLogix AppMasking, "Copy FSLogix rules (*.frx), assignments (*.fxa) and URL (*.xml) from central share during Device Personalization on System Startup". You can use GPP, but I like this approach more.
- Azure AD (if using this) PREP: Azure AD leave doesn't work · Issue #330 · EUCweb/BIS-F · GitHub
- Rearm MS Office once (you need to evaluate this for your environment)
- Rearm MS Windows once (you need to evaluate this for your environment)
- Enable RDP support (allows you to execute BIS-F within an RDP session)
- Configure logging to a UNC path

Here are some key elements I run on the GPO for the VDAs, but not limited to:

- Configure Citrix WEM
- VDA Configuration "Delay Citrix Desktop Service" (this helps when you modify the list of DDCs, as well as the purpose of the delay)
- Configure Page file

Bake GPO in Image or use GPMC

This is another hot topic that I have had many conversations about with the community.
I say it depends on the setup and the use case. Bake the GPO in the images to get the best processing and logins. Doing it from GPMC in AD seems better: make the change, and 90 minutes later (with the 30-minute offset) the GPO is applied, or do a GPUpdate /force remotely, and you're mostly done. But if you bake it in the image, the GPO processing is super-fast. The downside is you have to crack the image open for any GPO change. Unless it is a computer GPO, a reboot may be needed to reflect the HKLM\policy hive.

Good profile management

Profile containers seem to be everyone's go-to here. But that is not always the case. UPM is still great, in my humble opinion. The FSLogix Office container is geared around Office 365 and roaming the container's search database. You can stick it in the profile container or split it into an Office container. Server 2019/Win10 Multi-session and above do not set the search to roam anymore in the ADMX file for the GPO. Windows natively does this now, and it will cause issues if you do. It's in the FSLogix docs, and I'm sure you also know. I did a webinar about one year ago, and the advice I gave was to be careful with exclusions. Exclusions are not treated as they were in the UPM days. Citrix Profile Containers (not UPM) are also perfect. They are giving FSLogix a run. Well-respected James Kindon has broken this down very nicely.

- Citrix UPM and FSLogix Containers (jkindon.com)
- The Evolution of Citrix Profile Management (jkindon.com)
- What is FSLogix and how to monitor FSLogix? | eG Innovations

Shrink Scripts / Deduplication / Exclusions

Jim Moyle is an FSLogix genius, and he preaches this all the time. Yes, you will need a shrink script to shrink the VHDX. When I did this, I would do it weekly with Jim Moyle's script. Another addition: if you use any Windows server to host them, enable data deduplication. I have also written a blog to show savings and shrink scripts.
When you do exclusions, be aware that the first login will impact the PVS write cache. In today's deployments, the use case is Write Cache to RAM with Disk Overflow. I wish there were a magical number or a T-shirt size that would fit all. (Maybe there is, and I've been living under a rock.) Disk overflow would be the D drive it creates when using the XenDesktop wizard from PVS, or automation works. The older rule of thumb was for desktop operating systems, starting with 256-512MB, and for server operating systems, starting with 2-4GB. Anyway, from my testing, it would only happen on the first login of the profile creation and will not happen again. Exclusions do not make the VHDX mount faster, and they play no part in making logins faster. I used to use 20GB drives for disk overflow, but it may seem that just isn't cutting it for today's applications. However, this is environment-based in most cases.

FSLogix 2210 now has a compaction feature they introduced. I have only used it on a lab setup. It seemed to work well, but I still stick with Jim's script for now. Matthias Schlimm released a blog giving a great inside look at what is going on. I suggest you read it.

- Microsoft FSLogix VHDX Compaction on Citrix Virtual Apps and Desktops - EUCweb.com | focused on Citrix and Microsoft Technologies
- Windows 2016 Deduplication on FSLogix Containers and ODFC – Part 1 (mycugc.org)
- Windows 2016 Deduplication on FSLogix Containers and ODFC – Part 2 (mycugc.org)
- QuickPost – how to stop FSLogix Profile Containers bloating when running Microsoft Teams – JAMES-RANKIN.COM

AV Exclusions

Making sure the proper AV exclusions are in place is extremely important. I would also verify and check in the Registry if the AV product allows it. Most do, from what I have seen.
- https://docs.citrix.com/en-us/workspace-environment-management/service/system-requirements.html#antivirus-exclusions
- Tech Paper: Endpoint Security, Antivirus, and Antimalware Best Practices (citrix.com)

Tuning RDS/Virtual Apps

TSFairShare

Fair Share technologies for CPU resources were introduced in Windows Server 2008 R2. Remote Desktop Services (RDS) server, Windows 10 Enterprise multi-session, and Windows 11 Enterprise multi-session use Fair Share technology to manage resources. RDS builds on the Fair Share technologies to add features for allocating network bandwidth and disk resources. Fair Share technologies are enabled by default, but you can disable them using Windows PowerShell and WMI. I would disable these settings to get the best user experience. Make sure to test this beforehand. In March 2023 at the VirtualExpo, you can see that this indeed helped login and application launch times.

Rory Monaghan on Twitter: "Application launch time went from 40 seconds to 20 seconds when changing the TSFairShare setting. Great tip! I haven't had this come up before. #VirtualExpo https://t.co/GdKGqvZA42" / Twitter

- Fair Share technologies are enabled by default in Remote Desktop Services - Windows Server | Microsoft Learn
- Slow application on Citrix / RDS - TSFairShare - Wedel IT
- Disable fair sharing in Windows Server – Ryslander.com

CTP Bart Jacobs talks about this as well here: QuickPost #0004: Disable DFSS (cloudsparkle.be)

These registry keys exist for CPU, Disk, and Network, all enabled by default.

    Disk:    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TSFairShare\Disk
    Network: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TSFairShare\NetFS
    CPU:     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Quota System

Hardware Layer

Understanding the CPU architecture is another good topic to pay attention to. In my experience, most places now have SSD or NVMe for the storage aspect of things. The hypervisors that I see are Nutanix and VMware.
Nutanix has a wonderful HCI solution, and VMware offers an HCI solution and a traditional 3-tier layout for things like UCS, PowerEdge boxes, etc. Whatever flavor you are running, it is vital to understand the VM sizing for the workloads. The answer around what size is mostly "it depends". However, you can follow guidance from Tech Zone for the scalability aspect.

"On older chips, such as Broadwell and Haswell, Intel connected processors using a ring-based architecture. But as the number of cores increased, access latency increased and bandwidth per core diminished so Intel would mitigate this by splitting the chip into two halves and adding a second ring to reduce distances. And this invisible split was something that needed to be factored into CVAD SSS to provide optimal results. This has been referred to in the past as "NUMA" or Non-Uniform Memory Access. And the leading guidance was to ensure that you are sizing CVA VMs as large as possible but not crossing NUMA nodes, sub-NUMA clusters or rings at the same time. If you sized your CVA VMs too large and they effectively spanned NUMA nodes or rings, it can lead to NUMA "thrashing" by accessing non-local resources and this would yield reduced SSS. Fast-forward to today and Intel has moved from a ring-based architecture to a mesh-based architecture. And this new mesh architecture introduced in Skylake does not have the same limitations as before where we have to split chips, divide cores or add rings. And this changes the way we size CVA servers in particular. So it's important to understand the specific chip that is being used in the hardware you purchase and how the underlying microprocessor architecture is designed and constructed"

I do see this a lot at times: a client/company throwing more CPU at things hoping it will speed up the back-end workloads. Sure, there are times it will help. But I try to pay heavy attention to these.
CPU wait time and CPU ready time are both terms used in the context of CPU scheduling and resource management in operating systems.

CPU wait time refers to the amount of time that a process is waiting in a queue, ready to run but unable to do so because the CPU is currently executing another process. During this time, the process is waiting for the CPU to become available so that it can start executing. Example: a virtual machine did get scheduled, but the processors have nothing to process, and so the CPU simply waits while the scheduled time for the virtual machine ticks by.

CPU ready time, on the other hand, refers to the amount of time that a process spends in a ready queue, waiting to be allocated CPU resources. This includes the time that the process spends waiting for its turn to use the CPU, as well as any time that it spends waiting for input/output (I/O) operations to complete. Example: the virtual machine was ready, but could not get scheduled to run on the physical CPU.

Basically, CPU ready means the guest is waiting on the host; CPU wait means the host is waiting on the guest.

In summary, CPU wait time refers specifically to the time a process spends waiting for the CPU to become available, while CPU ready time encompasses all the time a process spends waiting for CPU and other resources.

- Design Decision: Single Server Scalability | Citrix Tech Zone

Choosing the suitable Provisioning method

MCS or PVS

- Design Decision: Single Server Scalability | Citrix Tech Zone

MCS considerations

- Machine Creation Services (MCS) Storage Considerations (citrix.com)
- https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/machine-catalogs-create.html#mcs-storage-considerations

PVS Considerations

- Tech Brief: Citrix Provisioning | Citrix Tech Zone
- https://docs.citrix.com/en-us/tech-zone/learn/tech-briefs/citrix-provisioning.html#citrix-provisioning-optimization

Other considerations to optimize write cache

This concludes the tips and tricks.
Remember, this was more of a catch-all source blog showing links and summarizing what many of the EUC folks use to optimize logins. Please let me know if I missed something you believe can be helpful, and I'll update the blog to include it.
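As an added example that is not part of the original post, here is a PowerShell script that audits, and with -Apply sets, the logon-time registry tweaks (StartupDelayInMSec, DisableAcrylicBackgroundOnLogon, DelayedDesktopSwitchTimeout) and the TSFairShare keys listed in this post, so drift on an image can be seen before and after sealing. The Fair Share value names (EnableFairShare under the Disk and NetFS keys, EnableCpuQuota under Quota System) are assumed from the Microsoft article the post links rather than quoted in the post; the script and its function names are mine, not the author's.

```powershell
# Added example, not part of the original post: report on (and optionally set)
# the logon-time registry tweaks and the RDS Fair Share switches listed above.
# Fair Share value names (EnableFairShare for Disk/NetFS, EnableCpuQuota for CPU)
# are an assumption taken from the Microsoft article the post links.
# Default mode changes nothing; -Apply writes, -Apply -WhatIf previews. Run it
# elevated on a test image; the HKCU value should reach real users via GPO/WEM.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,
    [ValidateSet(1, 5)]
    [int]$DelayedDesktopSwitchTimeout = 5   # the post offers 5 or 1
)

# Desired end state; Current is compared against Desired as a DWORD
$Checks = @(
    @{ Name  = 'Explorer StartupDelayInMSec (per user)'
       Path  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Serialize'
       Value = 'StartupDelayInMSec';              Desired = 0 },
    @{ Name  = 'Show clear logon background'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value = 'DisableAcrylicBackgroundOnLogon'; Desired = 1 },
    @{ Name  = 'Welcome screen desktop switch timeout'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DelayedDesktopSwitchTimeout';     Desired = $DelayedDesktopSwitchTimeout },
    # Fair Share: Windows default is enabled (1); the post recommends disabling (0)
    @{ Name  = 'Fair Share - Disk'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TSFairShare\Disk'
       Value = 'EnableFairShare';                 Desired = 0 },
    @{ Name  = 'Fair Share - Network'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TSFairShare\NetFS'
       Value = 'EnableFairShare';                 Desired = 0 },
    @{ Name  = 'Fair Share - CPU (DFSS)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Quota System'
       Value = 'EnableCpuQuota';                  Desired = 0 }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # $null means "key or value not present", which is distinct from a value of 0
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-Tweak {
    param([hashtable]$Check)
    $current = Get-RegistryDword -Path $Check.Path -Name $Check.Value
    [pscustomobject]@{
        Setting = $Check.Name
        Value   = "$($Check.Path)\$($Check.Value)"
        Current = $(if ($null -eq $current) { '(not set)' } else { $current })
        Desired = $Check.Desired
        InState = ($null -ne $current -and $current -eq $Check.Desired)
    }
}

function Set-Tweak {
    param([hashtable]$Check)
    # Create the key if needed, then write/overwrite the DWORD
    if (-not (Test-Path -LiteralPath $Check.Path)) {
        New-Item -Path $Check.Path -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $Check.Path -Name $Check.Value `
        -PropertyType DWord -Value $Check.Desired -Force | Out-Null
}

$report = foreach ($c in $Checks) {
    $r = Test-Tweak -Check $c
    if ($Apply -and -not $r.InState -and
        $PSCmdlet.ShouldProcess($r.Value, "Set DWORD to $($c.Desired)")) {
        Set-Tweak -Check $c
        $r = Test-Tweak -Check $c     # re-read so the report shows the post-change state
    }
    $r
}

$report | Format-Table Setting, Current, Desired, InState -AutoSize
if (-not $Apply -and ($report.InState -contains $false)) {
    Write-Host 'Drift found. Re-run with -Apply (add -WhatIf to preview) on a test image.'
}
```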
11. by Stephanie Boozer, CUGC HQ

On May 4, 2023 (aka Star Wars Day), Liquidware VP of Product Marketing & Alliances Jason E. Smith showed how Stratusphere UX User Experience solutions can inventory all applications installed and then report on only the ones being used, helping you identify and eliminate unused software and potentially save on license costs. He also demonstrated FlexApp's first-to-market features such as "Click-to-Layer," fully automated packaging, and FlexApp One. FlexApp enables you to streamline your application delivery, reduce base images, and manage your applications more efficiently in your Citrix environment.

View and download the slide deck: May4thBeWithYourAppStrategyLiquidware05042023.pdf

Watch the recorded session here:
12. by Stephanie Boozer, CUGC HQ

On April 27, 2023, CTPs Dave Brett and Jarian Gibson from Nutanix talked about Citrix on Nutanix Cloud Clusters (NC2) on Azure and AWS. It was a great session & demo, with a bevy of resources for more information. Big thanks to Dave, Jarian and Nutanix for another great session!

Citrix on Nutanix Resource Links:

- Citrix Virtual Apps and Desktops Resources - https://www.nutanix.com/solutions/vdi/citrix
  - Customer Case Studies
  - Whitepapers for Citrix Virtual Apps and Desktops on Nutanix, Citrix Virtual Apps and Desktops on AHV, etc.
- Nutanix Portal – https://portal.nutanix.com
  - Reference Architecture Guides
  - Best Practices Guides
- Nutanix Cloud Clusters - https://www.nutanix.com/clusters
- Bursting 2K Citrix Desktops to AWS in Under 2 Hours with Nutanix Cloud Clusters - https://www.nutanix.com/blog/bursting-2000-citrix-desktops-to-aws-in-under-2-hrs-with-nutanix-clusters
- Test Drive - https://www.nutanix.com/test-drive
- Citrix Cloud on the Nutanix Hybrid Cloud Platform Delivers Choice, Simplicity, and Performance - https://www.nutanix.com/blog/citrix-cloud-on-nutanix-hybrid-cloud-platform
- Citrix Ready – Nutanix Cloud Clusters for AWS - https://citrixready.citrix.com/nutanix/nutanix-clusters-for-aws.html
- Citrix Ready – Nutanix Cloud Clusters for Azure - https://citrixready.citrix.com/nutanix/nutanix-cloud-clusters-on-azure.html

View and download the slide deck here: Citrix-on-NC2-2023.pdf

Watch the Replay on our YouTube Channel
  13. by Ray Davis, CTA, Jacksonville CUGC Leader In my recent work with a client, I introduced a powerful sealing tool called BIS-F. If you're not familiar with BIS-F, don't worry, many of my clients aren't either. But that's okay because I'm here to explain it and show how it can be useful. BIS-F is particularly helpful for those working on the end-user computing side of things. During this project, I wanted to automate as much as possible, and one way to do that was to use Citrix Optimizer with custom templates in combination with BIS-F. This is a tool that allows you to optimize various applications and tools for use in a Citrix environment. I have seen many people build custom templates with Citrix Optimizer to do some pretty cool things. When I help deploy Citrix, I always introduce my clients to Citrix Optimizer and give them a range of templates to use. These templates cover a variety of applications, including Edge, Chrome, SCCM task, O365, Adobe, and much more. All of these templates have been gathered from various sources in the EUC community, with some of my own additions. In this quick blog post, I won't be going into detail on how to create a Citrix Optimizer template. Instead, I'll focus on how to add it to BIS-F to ensure that your golden image, when opened, will continue to have the Citrix Optimizer template applied without needing to run it in the GUI or via another script. To get started, you'll need to download and install the BIS-F installer on your golden image. Then, upload the ADMX files to your repository, and you're ready to start sealing! If you're interested in learning more about setting up BIS-F, I'll provide some helpful links below.
Installer docs: Installation (eucweb.com)
ADMX docs: GPO Configuration - EUCweb.com | focused on Citrix and Microsoft Technologies
Installer MSI: Download BIS-F - EUCweb.com | focused on Citrix and Microsoft Technologies
Be kind and donate to help this tool continue to get love. Many hours have gone into this tool that many of us use for free. Show some love and give back by donating. Small amounts add up.
Donation: BIS-F - EUCweb.com | focused on Citrix and Microsoft Technologies
How to create a custom Citrix Optimizer Template
Dennis Span covers this well if you want to learn more about creating your own Citrix Optimizer template: Creating a custom template for Citrix Optimizer - Dennis Span. Always test your optimizations to ensure they are correct for your environment. One optimization may work well in one setting, but that may not work well in another environment. Each set has parts that need to be accounted for within your environment.
As you can see, a fellow CTP, Matthias Schlimm, did a great job breaking it down. I must admit I had to reach out to him to get some clarification. For some reason, my brain was not allowing me to do certain things at that time until he explained things a bit further. I suppose it happens to us all at times. But the light bulb went off 😊. Thank you Matthias Schlimm. The EUCWeb site contains essential data on this tool—the links I am posting cover much more information than this quick blog.
High level: Citrix Optimizer (eucweb.com)
More in-depth information: Citrix Optimizer Archives - EUCweb.com | focused on Citrix and Microsoft Technologies
There is another source of 3rd party templates here that you can use: GitHub - ryancbutler/Citrix_Optimizer_Community_Template_Marketplace: Citrix Optimizer Community Template Marketplace
There are three templates I use regularly:
User_profile_optimization_RobZylowski
AutoSelect or a custom Windows 10 / Windows Server template for the needs.
Read more about AutoSelect here:
"AutoSelect with Multiple Templates:"
"For Autoselection of the OS Template in combination with multiple Templates please use:"
"AutoSelect,PVS_Optimization.xml,3rd_Party.xml"
"AutoSelect is a hardcoded string and must be used in the GPO, BIS-F will trigger the right OS template for Citrix Optimizer"
JohnBillekens_3rd_Party_Components
Download Citrix Optimizer if not already done. Download the template and place it in the following location: CitrixOptimizer\Templates. Or create your own, which will save here as well.
Once your templates are created and downloaded, you must take the Citrix Optimizer program and put it on the golden image. The GPO describes where to put it, but "C:\Program Files" is one accepted location. So, it will look like this.
Back within the BIS-F GPO (depending on what you called it when you created the GPO), edit it and navigate to Computer Configuration > Administrative Templates > Base Image Script Framework (BIS-F) > Citrix > Configure Citrix Optimizer.
As you can see above, you can enter a custom search folder and list (optional) templates. I kept it simple for this use case. I got all my templates in the Templates folder of Citrix Optimizer and copied Citrix Optimizer into C:\Program Files. It reads like this now: C:\Program Files (x86)\CitrixOptimizer. Then you list your template names:
Lab_Windows_10_21H2.xml,JohnBillekens_3rd_Party_Components.xml,User_Profile_Optimizations_RobZylowski.xml
Once you are ready to run this on your golden image, execute the BIS-F script, and it will implement it for you. As shown below, my three templates are running.
Run the icon here or browse to the location C:\Program Files (x86)\Base Image Script Framework (BIS-F) and open "PrepareBaseImage".
Details on the three XML files it calls from GPO.
Once completed, it will log them to the location where you set up the logs and the file output showing it was run.
To set up logging, enable this GPO: Computer Configuration > Administrative Templates > Base Image Script Framework (BIS-F) > Global > Configure Logging. More information on this can be found here: Configure Logging (eucweb.com)
Back in my logging location, you will see the logs it put in order from the GPO that was configured for logging. You will also see the Citrix Optimizer XML files that it executed. I like this very much! Once it is completed, my image will shut down, ready to be pushed out. That concludes this quick write-up on how to run Citrix Optimizer inside BIS-F. I hope it helps.
Base Image Script Framework (BIS-F) Archives - EUCweb.com | focused on Citrix and Microsoft Technologies
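A pre-seal check for the template list above, written as an added example (not part of BIS-F or Citrix Optimizer): it takes the same comma-separated value you put in the BIS-F GPO, confirms every template exists under the Optimizer folder and parses as XML, then runs each one in Analyze mode so a typo or a broken template shows up before PrepareBaseImage seals the image. It assumes Citrix Optimizer is unpacked to the folder from the post and that CtxOptimizerEngine.ps1 takes -Source, -Mode and -OutputLogFolder; the paths and log folder are assumptions.

```powershell
# Added example, not the BIS-F or Citrix Optimizer project's own code.
param(
    [string]$OptimizerRoot = 'C:\Program Files (x86)\CitrixOptimizer',   # as in the post
    # Same string as the BIS-F GPO "Configure Citrix Optimizer" template list.
    [string]$GpoTemplateList = 'Lab_Windows_10_21H2.xml,JohnBillekens_3rd_Party_Components.xml,User_Profile_Optimizations_RobZylowski.xml',
    [string]$LogFolder = 'C:\Logs\CitrixOptimizer'                         # assumed location
)
$engine    = Join-Path $OptimizerRoot 'CtxOptimizerEngine.ps1'
$templates = Join-Path $OptimizerRoot 'Templates'
if (-not (Test-Path $engine)) { throw "Citrix Optimizer engine not found: $engine" }

$problems = @()
$toRun = foreach ($name in $GpoTemplateList.Split(',').Trim()) {
    # "AutoSelect" is a BIS-F keyword, resolved by BIS-F to the built-in OS template.
    if ($name -eq 'AutoSelect') { continue }
    $path = Join-Path $templates $name
    if (-not (Test-Path $path)) { $problems += "missing: $name"; continue }
    try {
        [xml](Get-Content $path -Raw) | Out-Null   # must at least be well-formed XML
        $path
    } catch {
        $problems += "invalid XML: $name ($($_.Exception.Message))"
    }
}
if ($problems) { throw "Fix these before sealing:`n" + ($problems -join "`n") }

# Analyze mode only reports what each template would change; nothing is modified.
New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
foreach ($t in $toRun) {
    Write-Host "Analyzing $(Split-Path $t -Leaf)"
    & $engine -Source $t -Mode Analyze -OutputLogFolder $LogFolder
}
```

Run it on the golden image before the seal; a clean run means the exact list you paste into the GPO will resolve when BIS-F calls the engine.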
  14. by Marco Hofmann, CTA In 2016 Ryan Butler created a PowerShell script to update a NetScaler configuration to score an A+ at the SSL Labs SSL test. I updated this script to score an A+ in 2023.
Credits
This blog post would not be possible without the groundwork from Ryan Butler and Carl Stalhood. Ryan created the initial script and Carl provided me with a current SSL cipher list for Q2 2023.
Updates and tests
Last year, I had a few new Citrix NetScaler Gateway VPX setups and needed a fast way to get the SSL settings right. Most of the time I used the script by Ryan, but in the meantime it had become outdated. I grabbed the script and the SSL cipher list provided by Carl and got a working copy that immediately scored an A+ at SSL Labs. Sadly, I did not take the time to create a pull request over at Ryan's GitHub to give back. Today I took the time to tidy up the code, thanks to the Visual Studio Code PowerShell formatter, and to write up the changelog. I tested the latest version of the script against a NetScaler 13.1 VPX (NS13.1 33.47.nc) without any issues. The instance was pre-configured with the previous version of the script. The previous script gave me a B at SSL Labs.
SSL Labs Before
After I let the latest version of the script optimize the VPX appliance, we are back to an A+.
Example: .\set-nsssl.ps1 -nsip "192.168.0.5" -adminpassword "secret" -enablesslprof -nolb -nocsw -ciphergroupname "custom-ssllabs-cipher-2022" -sslprofile "custom-ssllabs-profile-2022" -nosave
SSL Labs After
The script
The latest version of the script that contains my Pull Request can be found over at Ryan's GitHub.
Recent CUGC blogs:
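To show what the script's -ciphergroupname and -sslprofile switches are doing underneath, here is an added example (not Ryan's or Marco's script) that creates the cipher group with explicit priorities, a TLS 1.2/1.3-only front-end SSL profile with HSTS, and reads the profile back for verification, all through the NetScaler NITRO REST API from PowerShell 7. It assumes the NITRO v1 resource names (sslcipher, sslprofile and their bindings) and the args= unbind syntax as documented by Citrix; the four ciphers are an illustrative subset, not the Q2 2023 list from the post.

```powershell
# Added example, not the script from the post; NITRO resource names are assumptions.
param(
    [Parameter(Mandatory)][string]$NsIp,
    [Parameter(Mandatory)][string]$AdminPassword,
    [string]$AdminUser = 'nsroot',
    [string]$CipherGroupName = 'custom-ssllabs-cipher-2022',
    [string]$SslProfileName = 'custom-ssllabs-profile-2022'
)
$base = "https://$NsIp/nitro/v1/config"
# SkipCertificateCheck only because the NSIP normally carries a self-signed certificate.
$common = @{ ContentType = 'application/json'; SkipCertificateCheck = $true }

# Log in once; the NITRO_AUTH_TOKEN cookie is kept in the $ns web session.
$login = @{ login = @{ username = $AdminUser; password = $AdminPassword } } | ConvertTo-Json
Invoke-RestMethod @common -Uri "$base/login" -Method Post -Body $login -SessionVariable ns | Out-Null

function Invoke-Nitro([string]$Method, [string]$Resource, [hashtable]$Body) {
    $json = @{ $Resource = $Body } | ConvertTo-Json -Depth 5
    Invoke-RestMethod @common -Uri "$base/$Resource" -Method $Method -Body $json -WebSession $ns
}

# Bound order is the order the appliance offers ciphers, so the TLS 1.3 suites go first.
$ciphers = @(
    'TLS1.3-AES256-GCM-SHA384', 'TLS1.3-AES128-GCM-SHA256',
    'TLS1.2-ECDHE-RSA-AES256-GCM-SHA384', 'TLS1.2-ECDHE-RSA-AES128-GCM-SHA256'
)
Invoke-Nitro Post 'sslcipher' @{ ciphergroupname = $CipherGroupName } | Out-Null
for ($i = 0; $i -lt $ciphers.Count; $i++) {
    Invoke-Nitro Put 'sslcipher_sslciphersuite_binding' @{
        ciphergroupname = $CipherGroupName; ciphername = $ciphers[$i]; cipherpriority = $i + 1
    } | Out-Null
}

# Front-end profile: SSLv3/TLS1.0/TLS1.1 off, only secure renegotiation allowed,
# HSTS for five years including subdomains.
Invoke-Nitro Post 'sslprofile' @{
    name = $SslProfileName; sslprofiletype = 'FrontEnd'
    ssl3 = 'DISABLED'; tls1 = 'DISABLED'; tls11 = 'DISABLED'; tls12 = 'ENABLED'; tls13 = 'ENABLED'
    denysslreneg = 'NONSECURE'; hsts = 'ENABLED'; maxage = '157680000'; includesubdomains = 'YES'
} | Out-Null
# A new profile starts with the DEFAULT cipher group bound; remove it before binding ours.
Invoke-RestMethod @common -Uri "$base/sslprofile_sslcipher_binding/${SslProfileName}?args=ciphername:DEFAULT" -Method Delete -WebSession $ns | Out-Null
Invoke-Nitro Put 'sslprofile_sslcipher_binding' @{ name = $SslProfileName; ciphername = $CipherGroupName; cipherpriority = 1 } | Out-Null

# Verify against what the appliance holds, not against what was sent.
(Invoke-RestMethod @common -Uri "$base/sslprofile/$SslProfileName" -WebSession $ns).sslprofile |
    Select-Object name, ssl3, tls1, tls11, tls12, tls13, denysslreneg, hsts
```

The profile only takes effect once the default SSL profile feature is enabled and the profile is bound to the Gateway vserver, which is what the script's -enablesslprof and -sslprofile switches take care of; an external SSL Labs run afterwards remains the real confirmation.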
  15. by Uddave Jajoo, CTA & Indianapolis CUGC Leader Recently there has been a huge uptake in deployments in the public cloud environment, as every enterprise is taking its first step forward on the cloud journey. In a similar way, there is also a change of mindset within business organizations to adopt these cloud technologies and migrate their apps and servers to the cloud. Whenever it comes to migration of any app or infrastructure to the cloud, always consider the 6 R's of migration: The "6 R"
Requirements:
Azure Subscription to host workloads in any region.
Service Principal in Azure (granted contributor access on subscription).
Shared Image Gallery in Azure.
Allow Policy exemption for the subscription in case there are any policy restrictions applied from the management group level.
Citrix Cloud Connector servers configured within the Azure Subscription.
Allowed communication from the Azure vNet to the Citrix Cloud Services.
Considering Refactoring as one of the strategies of migration, I started working on a project to integrate Citrix Cloud with Azure and enable provisioning of MCS persistent desktops in the cloud. In this blog, I am going to highlight some options available within the MCS catalog creation wizard, which lets admins provision catalogs in two different ways. Environment details are below for reference:
2 Cloud Connector servers pointing to a Central US based resource location
Hosting connection created in the Citrix DaaS console pointing to the Central US region
Created image version from the Win10 22H2 image in a dedicated resource group using an image definition within the shared image gallery
Dedicated persistent machine catalog with 5 desktops in the pool, dedicated delivery group with AutoScale enabled
Note - Before I share the steps on deploying a catalog using SIGs or snapshots, I would like to highlight one specific issue observed in Azure while creating catalogs with a higher number of VMs. I did create a case with #Citrix and #Microsoft for this issue and currently they are working on increasing the throttling value from the Azure end. I was running into errors every time while deploying more than 40 VDIs in a machine catalog. So, if you are targeting to deploy more than 40 machines at once in Azure with MCS provisioning, please select the option to Place image in Shared Gallery while deploying the catalog.
Create MCS Persistent Catalog Using the Shared Image Gallery Option
This setting is documented within the Citrix Article - create-machine-catalog-citrix-azure. James Kindon also created a very good article on this: Shared Image Gallery - citrix-mcs-and-azure-shared-image-gallery/
Azure Shared Image Gallery (SIG) is a repository for managing and sharing images. It lets you make your images available throughout your organization. It's recommended to store an image in SIG when creating large non-persistent machine catalogs because that enables faster resets of VDA OS disks. After you select Place image in Azure Shared Image Gallery, the Azure Shared Image Gallery settings section appears, letting you specify more SIG settings: Ratio of virtual machines to image replicas lets you specify the ratio of virtual machines to image replicas that you want Azure to keep. By default, Azure keeps a single image replica for every 40 non-persistent machines. For persistent machines, that number defaults to 1,000. Maximum replica count lets you specify the maximum number of image replicas that you want Azure to keep. The default is 10.
Follow through the steps outlined in the below section, Create MCS Catalog Pointing to the Image Snapshot (with the exception of step 8 when utilizing the Shared Image Gallery):
In the Storage and License Types tab, select the default options for Premium SSD or Standard HDD (for better cost savings select the Standard HDD) & Use My Windows Client Licenses. Check the option for Place Image in Azure Shared Gallery and set the Ratio to 40 to 10. Note: It refers to the image replica being created for N number of VMs to be created within the catalog. Based on the setting above, it would utilize 1 replica to provision 4 VDIs at a time. Click Next.
Create MCS Persistent Catalog Using Image Snapshot
Login to the Citrix Cloud console and navigate to the Machine Catalogs tab.
Select Create Machine Catalog, click Next.
In the Machine Type select Single Session OS. Click Next.
In the Machine Management tab, select the required hosting connection pointing to the Azure subscription.
Select Option: This machine catalog will use machines that are power managed.
Select Option: Deploy machines using Citrix Machine Creation Services (MCS). Click Next.
Select the correct resource for the machine catalog.
In the Desktop Experience tab select the below options:
Static Desktop Pool Provisioning: I want users to connect to the same (static) desktop each time they log on. Yes, create a dedicated virtual machine and save changes on the local disk.
Random Desktop Pool Provisioning: I want users to connect to a new (random) desktop each time they log on. No, discard all changes and clear virtual desktops when the user logs off. Click Next.
In the Master Image tab, select a managed disk, snapshot or VHD that you want to use as the master image for all the machines in this catalog. Click on Select an Image. In the Select an Image tab, expand the required Azure resource group to point to the respective image snapshot. It will display the list of OS disks, snapshots and any image versions created within your shared image gallery.
Example: Resource group name: udjajoo-ctx-cs-win10 Shared Image gallery: udjajooctxsharedimagegallery Image Definition name: udwin1022h2 Version: 3.23.2023
Select the respective Snapshot within the resource group and click Done. Note: If vTPM is enabled on the master image, it will prompt to select the Machine profile as well. (Highly recommended to secure the OS with the trusted platform module.) Select the image profile pointing to the master image.
In the Master Image tab, select the Minimum functional level for this catalog as 2206 (or later); this is dependent on the VDA version installed on the image.
In the Storage and License Types tab, select the default options for Premium SSD (for better cost savings please select the Standard HDD) & Use My Windows Client Licenses. Leave the option unchecked for Place Image in Azure Shared Gallery. Click Next.
In the Virtual Machines tab, select the below: Number of Virtual Machines: 5 (for my testing). Machine Size: Select Standard D2s v5 (2 vCPUs, 8 GiB memory). Click Save. In the availability zone, depending on the availability, we could select all three or just one or two. Click Next.
In the NICs tab, select the required VNET with free IPs.
In the Disk Settings, check the box for Enable Storage Cost Savings. This helps in downgrading the storage type for VMs during the shutdown deallocation process and changing it back to regular during power on. Thus, more cost saving.
In the Resource Group tab, select the option to Use an existing resource group to provision machines. Click Next.
In the Machine Identities tab, select the below: Identity Type: On Premises Active Directory. Select an Active Directory account option: Create New Active Directory Accounts. Specify the name for the machine accounts you want to be created: udjajooctxw10-##
In the Domain Credentials tab, enter the required credentials to authenticate to Active Directory. Click Enter Credentials. In the next window, use the required account with privileges to create the AD computer account. Click Done. Click Next.
In the Scopes tab, leave with Default All. Click Next.
In the WEM (Optional) tab, select the required configuration set for the machine catalog. Or, leave it default without selecting any configuration set and select later post Machine Catalog creation in the Citrix Cloud console. Click Next.
In the VDA Upgrade (Optional) tab, select the options to enable automatic VDA upgrade depending on the CR or LTSR VDA version. Click Next.
In the Summary tab, review all the configurations and enter the Machine Catalog Name: UD-CTX-W10-22H2-Test and Description: Test Pool. Click Finish.
References: create-machine-catalog-citrix-azure citrix-mcs-and-azure-shared-image-gallery/
See more posts about MCS creation on the CUGC blogs.