LTSR Woes

Don't stop upgrading...

I have noticed over time that many organizations are picking LTSR and forgetting to upgrade. I have updated quite a few environments from 7.15 LTSR because they were so far behind the upgrade path.

What is LTSR?

LTSR (Long Term Service Release) provides stability and long-term support. It offers 5 years of mainstream and extended support.

Is this a good thing?

For organizations that wait a while between upgrades, like 3 to 5 years, yes, because during that time you are still within the support cycle.

Why is this becoming a bad thing?

Organizations are going beyond the 3 to 5 years cycle and also not keeping up with the cumulative updates. For instance, to upgrade to 2203 LTSR, you must be on at least 7.15 CU 5. If an organization installed 7.15, then it must choose a path to upgrade to the latest LTSR. Recently, this update required two separate maintenance windows. One to upgrade to 7.15 CU 5 and the 2nd to update to 2203 LTSR. 

Choosing whether or not LTSR is the right path for you and your organization doesn't have to be a difficult decision. However, choosing LTSR does not mean you stop updating your environment. Consider Citrix CUs as Windows Updates. We patch to keep our environments healthy.

Don't let LTSR be a phrase that causes woes when it was meant to cause relief.

Storefront Update Errors...Is Telemetry running?

It is the middle of your maintenance window and you are updating Storefront Servers...

All of a sudden, you receive one of those helpful errors that mean absolutely nothing to you!!!!

Now what?

In my experience, all roads lead to the Telemetry service. I stop this service before any upgrade on Storefront Servers. It has fixed the issue and helped me finish my upgrade each time.

Why?

No clue, but at least if you run into this at 2 a.m. and you are really sleepy...you can try it and save yourself hours of researching via Google!!! You're welcome!!!

XPS Printers causing log off to fail on Windows 2019

Built a new 2019 server. Installed the same software as the 2016 Server. Users log on but do not successfully log off. You try uninstalling the VDA and reinstalling the VDA, but you get the same result. Note the Event Logs and you may see Metaframe warnings. If you see Metaframe warnings for XPS printers, then this may be your culprit.

Open your Citrix Policies and check your XPS Session Printer filter. The default rule for the XPS printer does not include an asterisk (*). This means there can be a conflict between the one on the 2019 server and the one on the user's machine.

 

Edit the XPS Document Writer to include "*". Try having users log off and log back in. This should resolve the issue.


ADC PCoIP Gateway + Cisco DUO

So for this configuration, I used Carl's article (https://www.carlstalhood.com/netscaler-gateway-12-pcoip-proxy/) and Duo Radius Configuration (https://duo.com/docs/radius). 

When configuring the Duo Auth Proxy, use Auto instead of iFrame. iFrame will give you the Duo auth page only via the web, but you will also not be able to see the apps after the login. The Horizon Client will never show the iFrame.


ADC (NetScaler) Upgrade - LDAPS go bye bye???

So you upgraded to 13.0 79.64 and your LDAPS stopped working?

So, there are a few options to fix this.

You can modify your LDAP to use 389. 👎👎👎 This is not a good idea and please don't do that.

You can edit your LDAP monitor and remove the secure checkbox. 👎👎 I wouldn't do this either, but if you must! Just don't tell anyone that I said it.

The best solution and what worked for me is to make sure in your monitor, you have a filter, cn=builtin. If this doesn't fix the issue, then also make sure your service account isn't locked out. After the upgrade, the monitor tries to do its job and it fails (likely locking the account out). 


Update: This is still an issue in future builds. I've seen some forums state that changing the Bind username from DN to UPN or from UPN to DN also fixed the issue. Neither of these worked for me.









What's in your profile management solution?

So one of my most frequently asked questions is....(drum roll) which profile management solution do you use?

My answer today is always FSLogix! Why? It's truly the simplest way to deliver a persistent profile solution in a non-persistent environment!

If you combine FSLogix with Folder Redirections, then you can provide a great experience for users.

FSLogix is a small agent that can be installed within all VDI/Published Apps environments. It is the default profile management solution for Microsoft's Azure Virtual Desktop.

FSLogix settings can be applied via registry keys or Group Policy. The preferred and easier method would be to use Group Policy which requires copying the admx/adml files that come with the download into your domain environment.

If you've never used FSLogix, then it is worth noting it does require a storage location. It works great on most storage solutions, but do not place FSLogix on a DFS with Replication enabled.

My favorite and suggested GPO settings:

  • Swap component names: Please make sure to do this. If you do not do this before your deployment, then it shows the user's SID first and then their samAccountName. So basically, you will sort on their SID which can be very difficult to manage.
  • Do separate out the Profile and Office containers. FSLogix allows you to use only the Profile Container or the Office Container. My recommendation is to use both. This configuration allows you to be able to remove the Office Container without having to remove their other Profile data or vice versa.
  • Move temp, tmp, and inetcache to the local profile. This setting reduces bloat in the profile. 
  • Use Dynamic instead of Fixed. Unless you just have storage to waste, then do not set the profile to fixed. Also use VHDX if your storage solution supports it.
  • DO NOT use the Windows Search feature for any Windows 10/Windows 2016 and above. It will just work if you don't use this feature.
  • Use the redirections.xml file to reduce the amount of data within the Profile Container.

Because you will reduce the amount of data in the profile container almost immediately with Folder Redirections and redirection of temp files, you will want to come up with a strategy to handle the white space created within each VHDX. There are scripts and other options out there to do this; my personal choice is ShrinkFSL.exe. It is a GUI and a command-line executable. I set it to run nightly through Task Scheduler against the root folders, and this helps to shrink the file. The file can be downloaded here.
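
An added example, not from the original post or from FSLogix: a PowerShell audit of the registry values behind the GPO settings listed above. The two key paths and the mapping of each recommendation to a value name (FlipFlopProfileDirectoryName, IsDynamic, VolumeType, SetTempToLocalPath, RoamSearch, RedirXMLSourceFolder) are assumptions of this example; confirm them against the admx files that ship with your FSLogix version.

```powershell
# Added example: report which of the recommended FSLogix settings are in place.
# Key paths and value names are assumptions of this example (see lead-in).
$profiles = 'HKLM:\SOFTWARE\FSLogix\Profiles'          # Profile Container
$odfc     = 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC'     # Office Container

# Want is compared with -like, so '*' means "any non-empty value".
$checks = @(
    @{ Key = $profiles; Name = 'Enabled';                      Want = '1';    Why = 'Profile Container in use' }
    @{ Key = $odfc;     Name = 'Enabled';                      Want = '1';    Why = 'Office Container in use' }
    @{ Key = $profiles; Name = 'FlipFlopProfileDirectoryName'; Want = '1';    Why = 'Swap component names' }
    @{ Key = $odfc;     Name = 'FlipFlopProfileDirectoryName'; Want = '1';    Why = 'Swap component names' }
    @{ Key = $profiles; Name = 'SetTempToLocalPath';           Want = '3';    Why = 'temp, tmp, inetcache local' }
    @{ Key = $profiles; Name = 'IsDynamic';                    Want = '1';    Why = 'Dynamic, not Fixed' }
    @{ Key = $odfc;     Name = 'IsDynamic';                    Want = '1';    Why = 'Dynamic, not Fixed' }
    @{ Key = $profiles; Name = 'VolumeType';                   Want = 'VHDX'; Why = 'VHDX where supported' }
    @{ Key = $odfc;     Name = 'VolumeType';                   Want = 'VHDX'; Why = 'VHDX where supported' }
    @{ Key = $profiles; Name = 'RoamSearch';                   Want = '0';    Why = 'Windows Search roaming off' }
    @{ Key = $odfc;     Name = 'RoamSearch';                   Want = '0';    Why = 'Windows Search roaming off' }
    @{ Key = $profiles; Name = 'RedirXMLSourceFolder';         Want = '*';    Why = 'redirections.xml in use' }
)

function Test-FSLogixSetting {
    param([hashtable]$Check)
    # A missing key or value comes back as $null rather than an error.
    $actual = (Get-ItemProperty -Path $Check.Key -Name $Check.Name `
                                -ErrorAction SilentlyContinue).($Check.Name)
    $status = if ([string]::IsNullOrEmpty("$actual")) { 'NotSet' } `
              elseif ("$actual" -like $Check.Want)    { 'OK' } `
              else                                    { 'Differs' }
    [pscustomobject]@{
        Status   = $status
        Setting  = $Check.Why
        Value    = $Check.Name
        Actual   = $actual
        Expected = $Check.Want
        Key      = $Check.Key
    }
}

$report = $checks | ForEach-Object { Test-FSLogixSetting $_ }
$report | Sort-Object Status, Key | Format-Table Status, Setting, Value, Actual, Expected -AutoSize

# Non-zero exit code lets a scheduled task or build step flag image drift.
if ($report.Status -contains 'Differs') { exit 1 }
```

A value reported as NotSet falls back to the FSLogix default for that version, so treat it as something to look up rather than as a failure.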



VDI - What's the right size?

So I get customers asking me this all the time. Here's what I will tell you right away...it is NOT 2vCPUs!!! 2vCPUs with Windows 10/Windows Server 2016/Windows Server 2019 will just make your users unhappy. Why? Because if they are using Chrome and/or Office, then the CPU will be grinding away using just those apps.

Suggestions? At a minimum, for a Single Session VDI, use 4vCPUs and 8 GB of RAM. This specification is for your average (non-power) user. If you are an Azure VDI user, then I would suggest the Burstable VM B4MS. It is cheaper than your other options and still gives the user the power they need to do their work. 

What about multiple session VMs like Azure Virtual Desktop/Citrix/Horizon? You want to ensure each user logged in has at least 1.5 to 2 vCPUs. So on a 10 vCPU box, you are looking at about 6 users per box if you are virtualizing for the experience. Your users will complain a lot less if they have the CPU power to do their work.

Most customers will believe they need more RAM as a resource. Sometimes that is true, but oftentimes the user experience is improved by vCPU adjustments. Trust me, you will thank me later!! 

By the way, you will likely never see the spikes or the issues by using monitoring tools outside of the VM so don't try that.

Citrix Cloud - My Machines Are Shutdown

This issue actually occurs on-prem as well, but I have only seen it recently with my customers who have machines in Azure and in their on-prem vSphere datacenter.

They set their machines to perform a reboot. The interval doesn't appear to matter. The symptom is that by the morning, some of the machines are still shut down. They must be manually powered back on and then everything operates normally. It will continue to occur and the machines that are shut down are never the same.

The reason this occurs is Citrix has an internal time-out where if an action doesn't occur, then it stops the action. When you set a Citrix Delivery Group to reboot, Citrix sends a signal to the Hosting Connection to perform a shutdown. Once the hosting connection sends the signal that the machine has been shut down, then Citrix sends another signal to power the machine back on. If the shutdown signal is not received before the time-out, then Citrix never sends another signal to turn the machine back on.

To resolve this issue:

Log in to the Citrix Cloud Connector (it already has the Citrix Cloud PowerShell SDK installed)
Open PowerShell
Run asnp Citrix*
Run Get-XDConnection (log in with your Citrix Cloud credentials)
Select the appropriate customer account if connected to multiple accounts
Run the following commands:

Set-BrokerServiceConfigurationData 'HostingManagement.MaxRegistrationDelayMin' -SettingValue 60
Set-BrokerServiceConfigurationData 'RebootSchedule.MaxShutdownDelayMin' -SettingValue 50



Reference article: https://support.citrix.com/article/CTX272494

Citrix Optimizer - DO NOT REMOVE THE STORE

So I bet you are wondering why?

So there's a bug. You may never encounter the bug. But if you do, then you will regret removing the Windows Store. 

Let me start by saying, the Citrix Optimizer is by far one of the best around. I use it even when I'm not optimizing for Citrix. However, if you are using it on a Windows 10 machine then it will likely try to optimize by removing the Windows Store. DO NOT LET IT!!!

What should you do? Remove all other apps and use a GPO to disable the Windows Store. 

What happens if I remove it? Well, the symptoms are pretty widespread, and unfortunately opening a ticket may not lead you to this conclusion.

What I've seen in the field is this: Customer has OneDrive files on-demand GPO in place and customer is using Office 365 with SSO. If OneDrive loads first, then Office prompts for credentials no matter what. It will literally never SSO. If the customer turns off files on-demand GPO, then the SSO works properly.

If you reinstall the Windows Store (it is a pain to do as you must use the Inbox Apps iso), then the SSO and OneDrive files on-demand all work fine. 

So that means to me, just don't remove it. Yes, you've heard it helps to reduce login times. However, that is still true if you remove all the apps and only keep the Store. 

You can "Turn off the Store" via GPO and remove the ability to use it. But at least it is still there for when random odd things like the above occur.




FSLogix + Citrix App Layering

After pounding my head against the wall a few times, I figured I might save others the same frustration.

What happens?

You set up Citrix App Layering. 

You set up FSLogix.

You create a published image.

App Layering is working great. You see the FSLogix VHDs getting created. However, no profile data is being saved. Basically, you get an FSLogix VHD completely formatted with no data.

Why is this happening?

Fun times in Microsoft world?!?! No, not funny?? Ok, so ultimately, it is all a matter of timing. The app layering driver is called prior to the FSLogix driver in an order that Microsoft calls Altitude. To prevent this from occurring in that order, you have to set the altitude for FSLogix to occur before App Layering.

Yeah ok, How do I fix it?

Open up the layer you installed FSLogix on

HKLM\System\CurrentControlSet\Services\frxdrvvt\Instances\frxdrvvt\Altitude

Set the value 138010

Then reboot the machine.
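
An added example, not from the original post or from Citrix or Microsoft: the registry change above as an idempotent PowerShell check, followed by a listing of the loaded minifilters so you can see where frxdrvvt sits. It assumes an elevated session inside the layer where FSLogix is installed and that Altitude is stored as a string value; the function name is hypothetical.

```powershell
# Added example: check and set the frxdrvvt altitude given in the post.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\frxdrvvt\Instances\frxdrvvt'
$wanted = '138010'   # value from the post

function Get-LoadedFilterAltitude {
    # Parse `fltmc filters` (Filter Name, Num Instances, Altitude, Frame)
    # into objects. Header, separator and legacy-filter rows do not match.
    fltmc filters | ForEach-Object {
        if ($_ -match '^(?<Name>\S+)\s+(?<Instances>\d+)\s+(?<Altitude>[\d.]+)\s+(?<Frame>\d+)') {
            [pscustomobject]@{
                Name     = $Matches.Name
                Altitude = [decimal]$Matches.Altitude
            }
        }
    }
}

if (-not (Test-Path $key)) {
    throw "Key not found: $key. Is FSLogix installed in this layer?"
}

$current = (Get-ItemProperty -Path $key -Name Altitude).Altitude
if ("$current" -ne $wanted) {
    # Assumption: Altitude is a REG_SZ value, so write it back as a string.
    Set-ItemProperty -Path $key -Name Altitude -Value $wanted -Type String
    Write-Host "Altitude changed from '$current' to '$wanted'. Reboot required."
} else {
    Write-Host "Altitude is already '$wanted'. Nothing to change."
}

# fltmc reports the altitude each filter was loaded with, so a change made
# above only shows up here after the reboot.
Get-LoadedFilterAltitude | Sort-Object Altitude -Descending | Format-Table -AutoSize
```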


Yeah, if you banged your head against the wall, then join the club. If you found this post, then it was my pleasure to save you the pain.

Citrix App Layering

So if you haven't had an opportunity to work with Citrix App Layering, then you should totally check it out. This particular product was acquired by Citrix when it purchased Unidesk a few years ago. Since then, the original product has definitely evolved. At the time of this blog, Citrix App Layering is at version 4 and the appliance can be deployed to most of the common backend hypervisors.

Overview

Citrix App Layering allows an organization to split the typical image into separate parts: Platform, OS, and Applications. This separates management of the image from the infrastructure. Updates to each part are managed separately and, once finalized, combined into a whole image. For more information on Citrix App Layering, head over to Citrix Docs. I won't go into details regarding deploying the appliance as that information is within the Citrix Docs.

Working with Citrix App Layering

So as you may already know, I build images on top of XenServer. This is intentional as it is easier to package Citrix on top of Citrix versus the other hypervisors. Basically, I've seen less driver compatibility with XenServer than other hypervisors. However, to work with Citrix App Layering, the hypervisor you choose really doesn't matter when you are creating these layers.

In order to begin, you will create an OS Layer. You can create multiple OS Layers based on the Operating Systems used within your organization, i.e. Windows 2012 R2 and Windows 2016. So let's log in and take a look at App Layering. Important note: Citrix App Layering is not supported inside of Chrome due to Silverlight. As a workaround, I use IE Tab inside of Chrome. Once you navigate to your App Layering appliance, you will see the login screen.


Select Layers->OS Layers


Create OS Layer. Give it a simple Layer Name and provide a description (avoid periods if using PVS). I would start with version 1 and a version description of something like “Base”.  You can leave the Max Layer Size as 60GB.


If this is a new appliance deployment, then you will likely only have a network file share option. If you click New, then you can select your backend platform. For the purposes of this blog, it will be XenServer.


A new window will open for you to configure your XenServer Connector. Give a Config Name like “XenServer-HostName or PoolName”. You will want to fill in the information from left to right. Please note: You need to have at least one virtual machine template inside the pool/host selected without a virtual disk attached. You can use a hostname or IP address for the XenServer Address. Enter the credentials for the host/pool. I always choose to ignore the certificate errors and select “Check Credentials”.


Once the credentials are verified, then you can select the template for the OS Layer. For selection of templates (PVS only), make sure that your OS layer and Platform Layers match or at least the OS Layer CPUs are larger than the ones specified via the Platform Layer. After you’ve entered the appropriate information, then select Test. Then Save.


On the next screen, you must select the OS Disk Virtual Machine. If you click Select Virtual Machine, then it will open a new screen for you to select a VM within the Pool/Host.


After you select a virtual machine, the screen updates with the OS Machine Name and Disk Size.


You can select an existing icon or if you have your own icon you’d like to use then you can select Browse.


The last screen gives you a summary of your selections. If everything looks good, then select Create Layer.



To be continued….
