Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (2025)

Navigation

  • Change Log
  • Create Group Policy Objects (GPOs)
  • Windows Group Policy ADMX Templates
  • Microsoft Edge (Chromium)
  • Microsoft Teams
  • Microsoft FSLogix
  • OneDrive ADMX Template
  • Group Policy Computer Settings for VDAs
  • VDAReceiver Configuration
  • Group Policy User Settings for VDAs (separate article)

๐Ÿ’ก = Recently Updated

Change Log

Create Group Policy Objects

  1. Within Active Directory Users and Computers (dsa.msc), create a parent Organizational Unit (OU) to hold all VDAcomputer objects.
  2. Then create sub-OUs, one for each Delivery Group. The VDA computer objects for each Delivery Group should be placed in these sub-OUs. Notes:
    • The only objects that belong in these VDA OUs are the VDA computer accounts.
      • Thereโ€™s no need to put any user accounts in these VDA OUs since Group Policy Loopback Processing mode will handle user settings.
      • The computer objects for the Citrix brokering infrastructure machines (Controllers, StoreFront, Director, etc.) should go in normal server OUs, and not in the VDA OUs.
    • Separate VDA sub-OUs for each Delivery Group lets you apply different GPO settings to each Delivery Group.
    • Grant Citrix Admins the permission to add computer objects to the VDA OUs.
    • Grant Citrix Admins the permission to link GPOs to the VDA OUs.
    • Master images should be placed in the VDA OUs so the VDA GPO Computer Settings can be burned into the master image. This avoids timing issues when non-persistent machines reboot and GPO settings havenโ€™t applied yet.
  3. Move the VDAsfrom the Computers container to one of the Delivery Group OUs.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (1)
  4. Within Group Policy Management Console (gpmc.msc), create a Group Policy Object (GPO) called Citrix VDAComputer Settings, and link it to one of the Citrix OUs. This particular GPO usually applies to all Delivery Groups, and thus should be linked to the parent OU. Or you can link it to Delivery Group-specific sub-OUs.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (2)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (3)
  5. On the left, click the new VDA Computer Settings GPO to highlight it.
  6. On the right, switch to the Details tab.
  7. Change theGPO Status drop-downtoUser configuration settings disabled. This GPO will only contain computer settings.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (4)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (5)
  8. Create and link two new Citrix-specific GPOs (in addition to the Citrix VDAComputer Settings GPO).
  9. One of the GPOs is called Citrix VDAAll Users (including admins), and the other is called Citrix VDANon-Admin Users (lockdown).
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (6)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (7)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (8)
  10. Modify the Details page of both of these GPOs, and set GPO Status to Computer configuration settings disabled. These GPOs will only contain user settings.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (9)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (10)
  11. On the left, click the Citrix VDA Non-Admin Users GPO to highlight it.
  12. To delegate administration of this GPO to Citrix Admins:
    1. On the right, switch to the Delegation tab, and click Add.
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (11)
    2. Find your Citrix Admins group, and click OK.
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (12)
    3. In the Add Group or User window, change the Permissions to Edit settings, and click OK.
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (13)
  13. To prevent the user lockdown GPO from applying to administrators:
    1. On the Delegation tab, click Advanced.
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (14)
    2. On the top half, click theCitrix Admins group to highlight it.
    3. Scroll down to reveal the Apply Group Policy row, and thenplace a check mark in the Deny column.
    4. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins.
    5. Click OK to close theSecurity Settings window.
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (15)
    6. Click Yes when asked to continue.
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (16)
  14. To delegate the other two GPOs, add theCitrix Adminsgroup with Edit Settingspermission. But donโ€™t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (17)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (18)

Windows Group Policy Templates

The latest Windows 10 or Windows 11 GPO templates includes the GPO settings for Windows Server.

  1. Download the Administrative Templates (.admx) for Windows 10 2022 Update (22H2) or Administrative Templates (.admx) for Windows 11 2023 Update (23H2).
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (19)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (20)
  2. Run the downloaded Administrative Templates (.admx) for Windows.msi file.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (21)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (22)
  3. In the Welcome to the Administrative Templates (.admx) for Windows Setup Wizard page, click Next.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (23)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (24)
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (25)
  5. In the Custom Setup page, record theLocation field since youโ€™ll need to go there later.Click Next.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (26)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (27)
  6. In the Ready to install Administrative Templates (.admx) for Windowspage, click Next.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (28)
  7. In the Completed the Administrative Templates (.admx) for Windows Setup Wizardpage, click Close.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (29)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (30)
  8. In File Explorer, go to C:\Program Files (x86)\Microsoft Group Policy\Windows 11 October 2023 Update (23H2)or C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2).
  9. Copy the PolicyDefinitions folder.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (31)
  10. Go to your domainโ€™s sysvol (e.g., \\corp.local\sysvol) and in the corp.local\Policies folder, paste the PolicyDefinitions folder. If you donโ€™t have this folder, then you can create it. Or copy the files to C:\Windows\PolicyDefinitions as detailed next.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (32)
    • If prompted, replace the existing files.
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (33)
  11. If your Sysvol does not have a PolicyDefinitions folder, then instead go to C:\Windows\ and paste the folder. Overwrite the existing files.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (34)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (35)

SeeGroup Policy Settings Reference Spreadsheet for Windows 11 2023 Update (23H2) for a spreadsheet containingall GPO settings in Windows.
Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (36)

The spreadsheet can be filtered to only show the newest settings.
Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (37)

Microsoft Edge (Chromium)

Download and install Microsoft Edge for Business on your VDA machines or Horizon Agent machines.
Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (38)

Installation and Configuration instructions can be found at Kasper Johansen Microsoft Edge in Citrix โ€“ Revamped. The article details group policies for Edge.

Avanite Roaming Edge Chromium details the folders that should be roamed by Citrix Profile Management (UPM) or VMware Dynamic Environment Manager (DEM).

Microsoft Teams

Prevent the per-user version of Teams from installing with Office 365 (aka Microsoft 365 apps). Configure this GPO setting before installing Office. Then you can later install the machine-wide version of Teams. More details at Microsoft Docs.

This setting requires the latest Office GPO templates to be installed.

  • Edit a GPO that contains Computer Settings.
  • Updates โ€“ Computer Configuration | Policies | Administrative Templates | Microsoft Office 2016 (Machine) | Updates
    • Donโ€™t install Microsoft Teams with new installations or updates of Office = enabled
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (39)

Prevent Microsoft Teams from starting automatically after installation. Set this GPO setting before you install Teams. This setting requires the latest Office GPO templates to be installed.

  • Edit a GPO that contains User Settings. These User Settings probably wonโ€™t apply unless you enable Group Policy Loopback Processing in a computer settings GPO.
  • Teams โ€“ User Configuration | Policies | Administrative Templates | Microsoft Teams
    • Prevent Microsoft Teams from starting automatically after installation = enabled
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (40)

Install Teams using the machine-based installer. See Manuel Winkel Install Teams & OneDrive in Citrix (Machine-Based) and CTP James Rankin Microsoft Teams on Citrix Virtual Apps and Desktops, part #1 โ€“ installing the damned thing.
Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (41)

  • The Machine-wide installer does not update itself. You must periodically download the latest version, uninstall the Machine-wide installer, and install the latest version.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (42)

Microsoft recommends excluding the Media-Stack folder from roaming. Add the exclusion for AppData\Roaming\Microsoft\Teams\media-stack\ to Citrix Profile Managementโ€™s Exclusion List โ€“ Directories setting.
Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (43)

If your VDAs donโ€™t have GPUs, then disable GPU in Teams to reduce CPU. Citrix has a PowerShell script that can disable this setting for each user. Also see:

Microsoft FSLogix

If you need to roam the userโ€™s Outlook .OST file (Outlook Cached Mode), Outlook Search Index, OneDrive cache, OneNote data, SharePoint data, Skype data, and/or Teams data, then download, install, and configureMicrosoft FSLogix. FSLogix has more Office roaming features than Citrix Profile Management. A common architecture is to enableFSLogix Office Containerfor the Office cache files and useCitrix Profile Managementfor all other roaming profile files and registry keys.

Microsoft FSLogix is free for all Microsoft RDS CALs, Microsoft Virtual Desktop Access per-user CALs, and all Microsoft Enterprise E3/E5 per-user licenses. Notice that per-device licenses are excluded. SeeLicensing Requirementsat Microsoft Docs.

G0-EUC tested FSLogix Profile Container (not Office Container) and found that it reduces capacity by 27%. (source =The impact of managing user profiles with FSLogix)

Do the following to install Microsoft FSLogix on the VDA machine:

  1. Go tohttps://aka.ms/fslogix_download.
  2. Extract the downloaded .zip file.
  3. In the FSLogix\x64\Releasefolder, runFSLogixAppsSetup.exe.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (44)
  4. Check the box next toI agree to the license terms and conditionsand clickInstall.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (45)
  5. In theSetup Successfulpage, clickRestart.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (46)

FSLogix is configured through Group Policy or byediting registry values on each FSLogix Agent machine. Here is some info on group policy configuration:

  1. The FSLogix .zip file containsfslogix.admxandfslogix.admlfiles for configuration of FSLogix through Group Policy. Copy these files to yourPolicyDefinitionsfolder. The .adml file goes in theen-USfolder.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (47)
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (48)
  2. Find the settings in Group Policy Editor atComputer Configuration| Policies | Administrative Templates |FSLogix
  3. Note that FSLogix 2210 Hotfix 2 (2.9.8612.60056) and newer have a different group policy structure than older versions.
  4. The ODFC Containers node controls Office Containers only. The Profile Containers node lets you capture the entire profile and not just Office. You can also configure both as detailed at FAQ: How to use Office 365 Containers and Profile Containers together. Citrix environments typically combine FSLogix Office Containers with Citrix Profile Management. VMware Horizon environments typically use FSLogix Profile Container to replace DEM Personalization.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (49)
  5. Youโ€™ll need a file share withappropriate permissions to store the Office containers or Profile Containers.
  6. SetVolume TypetoVHDX.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (51)
  7. The .vhdx files are thin provisioned and can grow up to the maximumSize in MBs, which defaults to 30 GB. Newer versions of FSLogix let you increase this size later.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (52)
  8. UnderContainer and Directory Naming enable the settingFlip Flop Profile Directory Name.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (53)
  9. For Office Containers, back in the ODFC Containersnode, review each of theIncludesettings and enable whichever data you want to include in the Office Container. More details atConfigure ODFC Containerat Microsoft Docs.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (54)
  10. Since an FSLogix Container can only be mounted on one machine, consider setting Prevent login with failure. This causes the user to see a window if the container is already mounted and the user will have to call the help desk to clear the other session.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (55)
  11. FSLogix 2210 and newer automatically compact .vhdx files when they have free space. Itโ€™s enabled by default and is configurable on the left, directly under the FSLogix node. On the right, configure the VHD Compact Disksetting.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (56)
  12. In a Group Policy that applies to Citrix users, you might want to configure Cached Exchange Mode Sync Settings to reduce the size of the .ost files. Youโ€™ll need to install the Office GPO templates if you havenโ€™t already. Then find the setting at User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 (also applies to 365 and 2019) | Account Settings | Exchange | Cached Exchange Mode.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (57)

Other FSLogix Configurations and Links

Full Profile Container(not just Office):

OneDrive ADMX Template

See CTP James Rankin Managing OneDrive on Citrix Virtual Apps and Desktops ๐Ÿ’ก

Microsoft has a per-machine installation of the OneDrive sync client. To reduce the size of your roaming profiles, the per-machine install is strongly recommended over the normal per-user install of OneDrive.
Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (60)

To enable Files-on-demand, youโ€™ll need the OneDrive ADMX Template.

  1. Go to a Windows 10 1709 or Windows Server 2019 or newer machine that has OneDrive installed.
  2. If machine-wide installation, go to C:\Program Files (x86)\Microsoft OneDrive.
    • If per-user installation, go to %localappdata%\Microsoft\OneDrive.
  3. Double-click the latest version.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (61)
  4. Then open theadm folder.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (62)
  5. Right-click theOneDrive.admx file and copy it.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (63)
  6. If your domain hasPolicyDefinitionsin SYSVOL (\\corp.local\sysvol\corp.local\Policies\PolicyDefinitions), paste the .admx file there.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (64)
    • If you donโ€™t have SysVol PolicyDefinitions, then go toC:\Windows\PolicyDefinitionsand paste the .admx file.
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (65)
  7. Go back to the OneDrive files and copyOneDrive.adml.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (66)
  8. If your domain has a PolicyDefinitions central store in SYSVOL, paste the .adml file to theen-usfolder in PolicyDefinitions in SYSVOL.en-US is a subfolder of thePolicyDefinitionsfolder.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (67)
    • If you donโ€™t have SysVol PolicyDefinitions,, then go toC:\Windows\PolicyDefinitions\en-USand paste the .adml file. en-US is a subfolder of thePolicyDefinitionsfolder.
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (68)

Group Policy Computer Settings

Edit the Citrix VDAComputer Settings GPO and enable the settings shown below. All settings are located under Computer Configuration > Policies.
Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (69)

Some of the settings in this section might require the newer Windows Group Policy Templates.

Process tracking for Director

  • Audit Policy โ€“ Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

Idle Time to Lock Session

  • Security Options โ€“ Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options
    • Interactive logon: Machine inactivity limit โ€“ Windows 8/2012 and newer โ€“ published desktops only โ€“ seconds of idle time before session locks

Control Panel

  • Settings Page Visibility โ€“ Computer Configuration | Policies | Administrative Templates | Control Panel
    • Settings Page Visibility
      • Windows Server 2016 and Windows 10 1607 support was added with the September 2018 Windows patches. Otherwise, itโ€™s only available in Windows 10 1703 and newer.
      • Also with the September 2018 patches, the Settings Page Visibility setting is added to the User half of the GPO. Seehttps://www.carlstalhood.com/group-policy-objects-vda-user-settings/#settingspage for details. Before September 2018, this setting is Computer half only, which means it applies to all users, including administrators.
      • WinaeroHow To Hide Settings Pages in Windows 10 describes this new setting. Also see TechNetHiding pages in Settings with Windows 10 1703.
        Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (70)

Teams

Prevent the per-user version of Teams from installing with Office 365 (aka Microsoft 365 apps). Configure this GPO setting before installing Office. Then you can later install the machine-wide version of Teams. More details at Microsoft Docs.

This setting requires the Office GPO templates to be installed.

  • Updates โ€“ Computer Configuration | Policies | Administrative Templates | Microsoft Office 2016 (Machine) | Updates
    • Donโ€™t install Microsoft Teams with new installations or updates of Office = enabled
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (71)

Network

OneDrive Files-on-demand

For Windows 10 1709 and newer or Windows Server 2019 and newer. Make sure the OneDrive .admx file is installed first.

  • OneDrive โ€“ Computer Configuration | Policies | Administrative Templates | OneDrive
    • Use OneDrive Files On-Demand= enabled

Verbose Messages

  • System โ€“ Computer Configuration | Policies | Administrative Templates | System
    • Display highly detailed status messages = enabled. Windows 10. Shows whatโ€™s happening during logon.

Group Policy Settings

  • Group Policy โ€“ Computer Configuration | Policies | Administrative Templates | System | Group Policy
    • Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 and newer setting
    • Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 and newer setting.
    • Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace depending on the desired result

User Group Policy loopback processing mode changes in Windows Server 2008 R2. Make sure the VDAcomputer accounts have Read access to the loopback user GPOs, even if those GPOs only contain user settings.

LogonSettings

To get rid of the Windows 10 โ€œweโ€™re happy youโ€™re hereโ€ message:

  • Logon โ€“ Computer Configuration | Policies | Administrative Templates | System |Logon
    • Show first sign-in animation =disabled
    • Show clear logon background = enabled โ€“ for Win10 1903 and newer โ€“ source = Citrix Discussions

DelayedDesktopSwitchTimeout. Create a Group Policy Preferences Registry Item (Computer Configuration | Preferences | Windows Settings | Registry) to setHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DelayedDesktopSwitchTimeout (REG_DWORD) = 2. On Windows 10, this might cause the desktop to appear sooner. (Source = VMware Communities)
Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (72)

Power Settings

The following are more applicable to virtual desktops than session hosts:

  • Hard Disk Settings โ€“ Computer Configuration | Policies | Administrative Templates | System | Power Management | Hard Disk Settings
    • Turn Off the hard disk (plugged in) = enabled, 0 seconds
  • Sleep Settings โ€“ Computer Configuration | Policies | Administrative Templates | System | Power Management | Sleep Settings
    • Specify the system hibernate timeout (plugged in) = enabled, 0 seconds
    • Specify the system sleep timeout (plugged in) = enabled, 0 seconds
    • Turn off hybrid sleep (plugged in) = enabled, 0 seconds
  • Video and Display Settings โ€“ Computer Configuration | Policies | Administrative Templates | System | Power Management | Video and Display Settings
    • Turn off the display (plugged in) = enabled, 0 seconds

Remote Assistance Settings

Configure the following so you can shadow users using Director:

  • Remote Assistance โ€“ Computer Configuration | Policies | Administrative Templates | System | Remote Assistance
    • Configure Solicited Remote Assistance = disabled
    • Configure Offer Remote Assistance = enabled, specify the Help Desk and Administrator groups that can offer remote assistance
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (73)

User Profiles Settings

  • User Profiles โ€“ Computer Configuration | Policies | Administrative Templates | System | User Profiles
    • Add the Administrators security group to roaming user profiles = enabled
    • Delete cached copies of roaming profiles = enabled (only enable on persistent session hosts)
    • Do not check for user ownership of Roaming Profile Folders = enabled
    • Set maximum wait time for the network if a user has a roaming user profile or remote home directory = enabled, 0 seconds

Cloud Content

  • Cloud Content โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components |Cloud Content (Windows 10 1511 and newer)

File Explorer Settings

CitrixCTX203658Start Menu Icons Set to Default (Blank Document) After Update to Receiver 4.3.100โ€“ Windows 8 and newer

  • File Explorer โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components |File Explorer
    • Allow the use of remote paths in file shortcut icons = enabled

Event Viewer Settings

If you are using Provisioning Services, it might be desirable to move the event logs to a persistent cache disk. This allows you to review the event logs even after the Target Device reboots. Use Group Policy Preferences to create the folder on the cache disk.

  • Application โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Application
    • Control the location of the log file = enabled, D:\EventLogs\Application.evtx
  • Security โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | Security
    • Control the location of the log file = enabled, D:\EventLogs\Security.evtx
  • System โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components | Event Log Service | System
    • Control the location of the log file = enabled, D:\EventLogs\System.evtx
  • Folder โ€“ Computer Configuration | Preferences | Folder
    • Action = update
    • Path = D:\EventLogs

Microsoft Account โ€“ Windows 10 (1703 and newer)

  • Microsoft account โ€“Computer Configuration | Policies | Administrative Templates | Windows Components | Microsoft account
    • Block all consumer Microsoft account user authentication = Enabled

OneDriveSettings โ€“ Windows10

  • OneDrive โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components |OneDrive
    • Prevent the usage of OneDrive for file storage = enabled

Remote Desktop Services Settings

  • Connections โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Connections
  • Device and Resource Redirection โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Device and Resource Redirection
    • Allow time zone redirection = enabled
    • Do not allow smart card device redirection = enabled
  • Licensing โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Licensing
    • Set the Remote Desktop license mode = enabled, Per User
    • Use the specified Remote Desktop license servers = enabled, your RDS Licensing Servers (e.g. the XenDesktop Controllers)
  • Remote Session Environment โ€“Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host |Remote Session Environment
  • Security โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security
    • Always prompt for password upon connection = disabled (to override other GPOs where it might be enabled)
  • Session Time Limits โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Session Time Limits
    • Set a time limit for active but idle Terminal Services sessions = enabled, 3 hours or similar
    • Set time limit for disconnected sessions = enabled, 3 hours or similar
    • CVAD 2206 and newer also let you set RDSH timers in the user half of a Citrix Policy under the Server Limits category. Citrix Docs says: Timer settings for multi-session machines configured using Citrix policies are expected to override timer settings configured through Microsoft Group Policies. To avoid unexpected behavior, we recommend you configure timer settings using one of the two methods.
      Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (74)

Search Settings โ€“ Windows 8.1 / 2012 R2, Windows 10

  • Search โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components | Search
    • Allow Cortana = disabled (Windows 10)
    • Donโ€™t search the web or display web results in search = enabled
    • Additional search settings can be found here

Store Settings โ€“ Windows 8.1 / 2012 R2, Windows 10

Windows Update Settings

  • Windows Update โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update
    • Allow non-administrators to receive update notifications = disabled
  • Windows Update for Business โ€“ Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update | Windows Update for Business
    • Select when Preview Builds and Feature Updates are received= Enabled, Semi-Annual Channel, 365 day deferral

Additional Settings

Windows 10 group policy settings for controlling Internet connectivity and Privacy Settings can be found at Microsoft Technet Manage connections from Windows operating system components to Microsoft services.

James Rankin Five tips for dealing with Windows 10 telemetry:disable Modern apps, disable Cortana, disable services, block DNS domains.

After modifying the GPO, use Group Policy Management Console to update the VDA machines.
Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (75)

Or run the command gpupdate /force. Or wait 90 minutes.
Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (76)

Citrix Receiver

If you want pass-through authentication for the Citrix Receiver that is installed on your VDAs, usereceiver.admxtoenable pass-through authentication.

  1. See the instructions athttps://www.carlstalhood.com/receiver-for-windows/#admx to copythereceiver.admx file toPolicyDefinitions.
  2. Edit the Citrix Computer SettingsGPO.
  3. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Receiver > User Authentication. On the right, open Local user name and password.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (77)
  4. Enable the setting.
  5. Check the top two boxes and click OK.
    Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (78)

Next Steps

Group Policy Objects โ€“ VDA User Settings

Group Policy Computer Settings for VDAs โ€“ Carl Stalhood (2025)
Top Articles
Latest Posts
Recommended Articles
Article information

Author: Rueben Jacobs

Last Updated:

Views: 5843

Rating: 4.7 / 5 (77 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Rueben Jacobs

Birthday: 1999-03-14

Address: 951 Caterina Walk, Schambergerside, CA 67667-0896

Phone: +6881806848632

Job: Internal Education Planner

Hobby: Candle making, Cabaret, Poi, Gambling, Rock climbing, Wood carving, Computer programming

Introduction: My name is Rueben Jacobs, I am a cooperative, beautiful, kind, comfortable, glamorous, open, magnificent person who loves writing and wants to share my knowledge and understanding with you.