Citrix Goddess

FSLogix vs. CPM Containers

Everyone knows that I have been a huge promoter of FSLogix since its inception many years ago. However, Citrix Profile Management (CPM) has come along way. It offers profile containers similar to FSLogix but with more advantages. See the table later in the article for key feature differences. One of the biggest selling points of CPM is that it comes with Citrix. There is nothing additional that you need to install to get it to work, and it works pretty effectively out of the box.

Features	CPM Containers	FSLogix
Multiple Locations for Profiles	Yes	Yes
Office Data Handling	Yes	Yes
AppxPackage Handling	Yes	Yes
Asynchronous GPO Processing	Yes	No, Synchronous
Auto Expansion	Yes	Yes
Multi-Session Access	Yes	Yes
Profile Exclusions	Yes	Yes
Deduplication	Yes	No
Large File Handling	Yes	No

As you can see CPM stands up against FSLogix pretty well including the ability to do Synchronous GPO processing which makes logons much faster from a CPM perspective over FSLogix.

I am not saying go out and switch but I would definitely try it out.

Citrix FAS - Why do I need it?

So, my customers often ask me why I need Citrix FAS when I'm trying to decrease the number of servers I manage when going from Citrix On-Prem to Citrix Cloud.

Simply put, you don't need it unless you use a 3rd-party authentication solution that Windows will not recognize. This includes Entra ID.

Federated Authentication Service (FAS) allows Windows to not prompt the user when the desktop launches for additional credentials. FAS uses a smart card like certificate to log the user on using the credentials they have already specified. FAS works for both on-prem and Citrix Cloud environments. So looking to implement Entra ID and MFA for your users? Then FAS will help that really awful pain point that you will discover when you've turned it on but start getting Windows prompts stating you entered bad credentials.

So what do you need to start?

At least two servers running the FAS software
Best practices, you should have a two-tier PKI environment in place

one Offline Root
one Online Sub

Run the FAS wizard to configure your PKI to work with FAS

Deploy the Certificate Templates
Set up the Certificate Authorities
Authorize FAS to use the CAs
Configure the rules
Connect FAS to the Cloud if needed

Install the FAS ADMX and ADML files on your DCs
Create a GPO at the root of your Citrix OU so that all Citrix machines receive the FAS information.
Add the FAS servers to the list of FAS servers
If you are using on-prem Storefront, then you will need to configure your Storefront to work with FAS.

Run this script to enable FAS on the Storefront server.
Modify the variable $StoreVirtualPath to reflect the organizations true store name.
Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module $StoreVirtualPath = "/Citrix/Store" $store = Get-STFStoreService -VirtualPath $StoreVirtualPath $auth = Get-STFAuthenticationService -StoreService $store Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory" Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

After you have completed the above and your FAS is showing all steps as Green, then you can proceed to testing successful logins using your third party authentication solution. Happ

LTSR Woes

Don't stop upgrading...

I have noticed over time that many organizations are picking LTSR and forgetting to upgrade. I have updated quite a few environments from 7.15 LTSR because they were so far behind the upgrade path.

What is LTSR?

LTSR (Long Term Service Release) provides stability and long-term support. It offers 5 years of mainstream and extended support.

Is this a good thing?

For organizations that wait a while between upgrades like 3 to 5 years, yes because during that time you are still within the support cycle.

Why is this becoming a bad thing?

Organizations are going beyond the 3 to 5 years cycle and also not keeping up with the cumulative updates. For instance, to upgrade to 2203 LTSR, you must be on at least 7.15 CU 5. If an organization installed 7.15, then it must choose a path to upgrade to the latest LTSR. Recently, this update required two separate maintenance windows. One to upgrade to 7.15 CU 5 and the 2nd to update to 2203 LTSR.

Choosing whether or not LTSR is the right path for you and your organization doesn't have to be a difficult decision. However, choosing LTSR does not mean you stop updating your environment. Consider Citrix CUs as Windows Updates. We patch to keep our environments healthy.

Don't let LTSR be a phrase that causes woes when it was meant to cause relief.

Storefront Update Errors...Is Telemetry running?

It is the middle of your maintenance window and you are updating Storefront Servers...

All of sudden, you receive one of those helpful errors that mean absolutely nothing to you!!!!

Now what?

In my experience, all roads lead to the Telemetry service. I stop this service before any upgrade on Storefront Servers. It has fixed the issue and helped me finish my upgrade each time.

Why?

No clue, but at least if you run into this at 2 a.m. and you are really sleepy...you can try it and save you hours of researching via Google!!! You're welcome!!!

XPS Printers causing log off to fail on Windows 2019

Built a new 2019 server. Installed the same software as the 2016 Server. Users log on but do not successfully log off. You try uninstalling the VDA and reinstalling the VDA, but you get the same result. Note the Event Logs and you may see Metaframe warnings. If you see Metaframe warnings for XPS printers, then this may be your culprit.

Open your Citrix Policies and check your XPS Session Printer filter. The default rule for the XPS printer does not include an asterisk (*). This means there can be a conflict between the one on the 2019 server and the one on the user's machine.

Edit the XPS Document Writer to include "*". Try having users log off and log back in. This should resolve the issue.

ADC PCoIP Gateway + Cisco DUO

So for this configuration, I used Carl's article (https://www.carlstalhood.com/netscaler-gateway-12-pcoip-proxy/) and Duo Radius Configuration (https://duo.com/docs/radius).

When configuring the Duo Auth Proxy, use the Auto instead of iFrame. iFrame will give you the Duo auth page only via the web, but you will also not be able to see the apps after the login. The Horizon Client will not never show the iFrame.

ADC (NetScaler) Upgrade - LDAPS go bye bye???

So you upgraded to 13.0 79.64 and your LDAPs stopped working?

So, there are few options to fix this.

You can modify your LDAP to use 389. 👎👎👎 This is not a good idea and please don't do that.

You can edit your LDAP monitor and remove the secure checkbox. 👎👎 I wouldn't do this either, but if you must! Just don't tell anyone that I said it.

The best solution and what worked for me is to make sure in your monitor, you have a filter, cn=builtin. If this doesn't fix the issue, then also make sure your service account isn't locked out. After the upgrade, the monitor tries to do its job and it fails (likely locking the account out).

Update: This is still an issue in future builds. I've seen some forums state that also changing the Bind username from DN to UPN or from UPN to DN also fixed the issue. Neither of these worked for me.

What's in your profile management solution?

So one of my most frequently asked questions is....(drum roll) which profile management solution do you use?

My answer today is always FSLogix! Why? It's truly the simplest way to deliver a persistent profile solution in a non-persistent environment!

If you combine FSLogix with Folder Redirections, then you can provide a great experience for users.

FSLogix is a small agent that can be installed within all VDI/Published Apps environments. It is the default profile management solution for Microsoft's Azure Virtual Desktop.

FSLogix settings can be applied via registry keys or Group Policy. The preferred and easier method would be to use Group Policy which requires copying the admx/adml files that come with the download into your domain environment.

If you've never used FSLogix, then it is worth noting it does require a storage location. It works great on most storage solutions, but do not place FSLogix on a DFS with Replication enabled.

My favorite and suggested GPO settings:

Swap component names: Please make sure to do this. If you do not do this before your deployment, then it show the user's SID first and then their samAccountName. So basically, you will sort on their SID which can be very difficult to manage.
Do separate out the Profile and Office containers. FSLogix allows you to use only the Profile Container or the Office Container. My recommendation is to use both. This configuration allows you to be able to remove the Office Container without having to remove their other Profile data or vice versa.
Move temp, tmp, and inetcache to the local profile. This setting reduces bloat in the profile.
Use Dynamic instead of Fixed. Unless you just have storage to waste, then do not set the profile to fixed. Also use VHDX if your storage solution supports it.
DO NOT use the Windows Search feature for any Windows 10/Windows 2016 and above. It will just work if you don't use this feature.
Use the redirections.xml file to reduce the amount of data within the Profile Container.

Because you will reduce the amount of data in the profile container almost immediately with Folder Redirections and redirection of temp files, you will want to come up with a strategy to handle the white space created within each VHDX. There are scripts and other options out there to do this, my personal choice is ShrinkFSL.exe. It is a GUI and a command-line executable. I set it to run nightly against the root folders and this helps to shrink the file through Task Scheduler. The file can be downloaded here.

VDI - What's the right size?

So I get customers asking me this all the time. Here's what I will tell you right away...it is NOT 2vCPUs!!! 2vCPUs with Windows 10/Windows Server 2016/Windows Server 2019 will just make your users unhappy. Why? Because if they are using Chrome and/or Office, then the CPU will be grinding away using just those apps.

Suggestions? At a minimum, for a Single Session VDI, use 4vCPUs and 8 GB of RAM. This specification is for your average (non-power) user. If you are an Azure VDI user, then I would suggest the Burstable VM B4MS. It is cheaper than your other options and still gives the user the power they need to do their work.

What about multiple session VMs like Azure Virtual Desktop/Citrix/Horizon? You want to ensure each user logged in has at least 1.5 to 2 vCPUs. So on a 10 vCPU box, you are looking at about 6 users per box if you are virtualizing for the experience. Your users will complain a lot less if they have the CPU power to do their work.

Most customers will believe they need more RAM as a resource. Sometimes that is true, but oftentimes the user experience is improved by vCPU adjustments. Trust me, you will thank me later!!

By the way, you will likely never see the spikes or the issues by using monitoring tools outside of the VM so don't try that.

Citrix Cloud - My Machines Are Shutdown

This issue actually occurs on-prem as well, but I have only seen it recently with my customers who have machines in Azure and in their on-prem vSphere datacenter.

They set their machines to perform a reboot. The interval doesn't appear to matter. The symptom is that by the morning, some of the machines are still shut down. They must be manually powered back on and then everything operates normally. It will continue to occur and the machines that are shut down are never the same.

The reason this occurs is Citrix has an internal time-out where if an action doesn't occur, then it stops the action. When you set a Citrix Delivery Group to reboot, Citrix sends a signal to the Hosting Connection to perform a shutdown. Once, the hosting connection sends the signal that the machine has been shut down, then Citrix sends another signal to power the machine back on. If the shutdown signal is not received before the time out, then Citrix never sends another signal to turn the machine back on.

To resolve this issue:

Open Powershell

Run asnp Citrix*

Run Get-XDConnection (login with your Citrix Cloud credentials)

Select the appropriate customer account if connected to multiple accounts

Run the following commands:

Set-BrokerServiceConfigurationData 'HostingManagement.MaxRegistrationDelayMin’ –SettingValue 60

Set-BrokerServiceConfigurationData 'RebootSchedule.MaxShutdownDelayMin’ –SettingValue 50

Reference article: https://support.citrix.com/article/CTX272494

Citrix Optimizer - DO NOT REMOVE THE STORE

So I bet you are wondering why?

So there's a bug. You may never encounter the bug. But if you do, then you will regret removing the Windows Store.

Let me start by saying, the Citrix Optimizer is by far one of the best around. I use it even when I'm not optimizing for Citrix. However, if you are using it on a Windows 10 machine then it will likely try to optimize by removing the Windows Store. DO NOT LET IT!!!

What should you do? Remove all other apps and use a GPO to disable the Windows Store.

What happens if I remove it? Well, the symptoms are pretty widespread, and unfortunately opening a ticket may not lead you to this conclusion.

What I've seen in the field is this: Customer has OneDrive files on-demand GPO in place and customer is using Office 365 with SSO. If OneDrive loads first, then Office prompts for credentials no matter what. It will literally never SSO. If the customer turns off files on-demand GPO, then the SSO works properly.

If you reinstall the Windows Store (it is a pain to do as you must use the Inbox Apps iso), then the SSO and OneDrive files on-demand all work fine.

So that means to me, just don't remove it. Yes, you've heard it helps to reduce login times. However, that is still true if you remove all the apps and only keep the Store.

You can "Turn off the Store" via GPO and remove the ability to use it. But at least it is still there for when random odd things like the above occur.