© eG Innovations, Inc | www.eginnovations.com
How to get the fastest possible Citrix Logon times with James Rankin will begin shortly...
Have you seen an explosion in WFH
users due to the COVID-19 crisis?
eG Innovations can help!
• Help WFH employees continue to be productive
• Give employees fast logon and response times and allocate bandwidth
efficiently by user requirements
• Help the Help Desk handle more calls and resolve in minutes, not hours
• Same day implementation
How to Get the
Fastest Possible
Citrix Logon Times
The first impression customers have of any
digital workspace is simply logging onto the
desired application or desktop.
eG Innovations’ Citrix Logon Simulator
https://www.eginnovations.com/citrix-monitoring/free-logon-simulator
• Simulates the exact same process that users go
through when they logon to XenApp or
XenDesktop
• Tracks every step of the Citrix logon process:
browser access, authentication, enumeration,
HDX session establishment, and application
launch
• Detects logon issues proactively and helps solve
them before users are affected
• Monitors the availability of published
applications, such as Cerner, Epic, SAP, Outlook,
Office 365, etc.
• Tests if the entire Citrix delivery infrastructure is
working in concert
eG Innovations has been helping customers answer the question,
“Why is my application slow?”
for two decades
2001
• Universal agent monitor
• Support for 100+ applications,
devices and IT components
• Automated root cause diagnosis
• Self-learning baselines
Unified
Monitoring
2008
• Extended support for
virtualization platforms
• Inside-outside visibility of VMs
• Virtualization-aware root cause
diagnosis
Virtualization
2005
• Business service management
• End-to-end service topology
• Automatic dependency mapping
Business Service
Management
2014
• Monitoring support for public,
private and hybrid cloud
• Cloud-aware root cause
diagnosis
• SaaS deployment
Cloud
2016-17
• Real user monitoring
• Distributed transaction tracing
• Application code-level visibility
for Java and .NET applications
APM Major Product Release:
2019
• Digital workspace monitoring
enhancements
• Web app simulation
• Support for Docker and
Kubernetes
• Expanded APM capabilities
(PHP, Node.js)
• Monitoring DevOps toolsets
User
Experience
eG Express Cloud for Citrix
• Monitor business-critical Citrix services without
requiring any on-premises monitoring software
• Get built-in domain expertise to identify even the
most complex performance issues
• Be the first to know when your users experience
slow logons, slow app launches, disconnects,
session latency, network latency, etc.
• Gain actionable and prescriptive alerts that tell you
how to triage your Citrix problem
• Out-of-box reports provide historical analytics for
rightsizing and optimization
https://www.eginnovations.com/citrix-monitoring/cloud
Every layer, every component.
Code to bare metal.
Public, private and hybrid.
The Digital Performance Management Company
8 April 2020
@james____rankin james-rankin.com https://www.youtube.com/channel/UCwldtJW6M7yhdBZH26Tmjtw
8
User experience and monitoring
These are vitally important when considering logon times
UX and AX
• Employee dissatisfaction
• Security and data loss issues as users resort to using “shadow IT”
solutions
• Loss of productivity and wasted work time
• Delays to processing of business functions
• Increased employee stress
• Problems with employee retention
What happens if these are bad?
Key performance indicators
10
What are the KPIs that users measure their “user
experience” by?
• Logon times
• Application launch times
• Key application interaction times
(e.g. browsing to the Open File
dialog)
• Common admin tasks (such as
running reports)
• Printing
11
Put user experience at the
heart of everything
The importance of monitoring
12
Client-end monitoring is the most common “missing” part
of the equation we see
The importance of monitoring
13
Options around client-side monitoring
14
Client-side monitoring is
vitally important
15
What happens at logon?
Let’s dive into the anatomy of a logon
16
The Citrix logon process
What happens during the user logon?
The Citrix logon process
17
What happens during the user logon?
1. Brokering and session initialization: Resource connection brokered, Citrix license validated, client server subsystem launches winlogon.exe, which launches logonui.exe
2. Authentication: Logon dialog presented, user logs on and is validated. Logon duration measurement begins, RDSH license validated
3. User profile: User’s profile is located and loaded, or created and loaded
4. Group Policy: User Group Policy processing is fetched, run and completed
5. Userinit: Prepares for shell or program launch, establishes network connections, runs Active Setup, maps printers
6. Shell: Runs specified shell (usually explorer.exe) or program from command line
Citrix logon is not just Windows
18
Brokering and session initialization has its own processes
Citrix broker infrastructure has to perform
tasks such as:-
• Validate license
• Assess load
• Assess worker uptime
• Assess connection status
• Identify VDA type (multi-session or
single)
• Identify persistence type
• If persistent, assess power and
registration status
• If required, initiate power on
This is why it is essential to measure
logons from a “Citrix” rather than just
“Windows” perspective
Persistent or non-persistent?
19
Most CVA is non-persistent, and a significant proportion
of CVD as well
Persistent resources
Persistent resources (desktops only) maintain a
locally-cached copy of the user’s session state on
the VDA. This is normally used in one-to-one
(sometimes referred to as “dedicated” or “non-
pooled”) Citrix Virtual Apps and Desktops
environments, as the user must reconnect to a
dedicated VDA in order to have their session state
“persisted”.
Non-persistent resources
Non-persistent resources (either desktops or
applications), conversely, do not maintain a
cached copy of the user’s session state on the
VDA. Their changes are discarded from the VDA at
the point of logoff. This is not to say, however, that
user session state changes cannot be persisted in
this fashion – they can be saved at logoff to a
network location and then re-injected when a user
launches a new instance of an application or
desktop. These methods are commonly used in
multi-user environments or single-user
environments where new machines are
provisioned at each logon (“shared”, or “pooled”).
How long is a “good” logon?
20
Most monitoring providers (and
Citrix) class 30 secs or less as
“Good”
I always aim for 10 secs or less
Ideally, no single logon should take
more than a minute even when there
are infrastructure issues
A standard logon
21
Some baselines
Windows 10 1909: 261.4 seconds average
Windows Server 2019: 52.7 seconds average
History of Citrix Windows logon times
Windows versions have exponentially increased logon
times and sizes of profiles
[Chart: Windows logon times and profile sizes (non-persistent). Series: Size of profile (MB), Non-persistent logon time (secs). Categories: Windows NT4, Windows 2000, Windows XP/2003, Windows 7/2008 R2, Windows 8.1/2012 R2, Windows 10, Windows Server 2016, Windows Server 2019]
23
Most logon issues occur
through Group Policy or
profile
24
General issues
Factors that affect logons in general
Storage
25
Get your VMs on the quickest available storage!
5
MCS and PVS
26
Use caching optimizations
Hypervisors
27
Tune your hypervisors for best performance!
vSphere
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/performance/vsphere-esxi-vcenter-server-67-performance-best-practices.pdf
Citrix Hypervisor (XenServer)
https://www.citrix.com/blogs/2013/12/02/xenserver-performance-tuning-top-5-recommended-guides/
Hyper-V
https://docs.microsoft.com/en-us/windows-server/administration/performance-tuning/role/hyper-v-server/
Networks
28
Quick networking is always essential!
Active Directory
29
Ensure fast logon authentication and GP processing by
ensuring AD is optimal
5
AD underpins far more than just authentication
and integrates with all technologies in the EUC
stack
• Check domain and forest functional levels
• All DCs should be Global Catalog servers
• Have no manually created Connection
Objects in Sites and Services
• Make sure all subnets are correctly defined
in Sites and Services
• Create reverse DNS lookup zones for all
subnets
• Remove orphaned DCs
• Configure the PDCe to be the domain
authoritative time server
Active Directory
30
Domain and forest functional levels
Active Directory
31
Global Catalog servers and RODCs
Active Directory
32
Subnet definitions
How does a client find a
domain controller to
validate a logon?
1. DCs register SRV and A
records in DNS
2. Client requests a DC by
providing its site name
to DNS
3. DNS uses the client’s
site name to find a DC
in that site or closest
site
4. DNS provides the IP
address of DC to client
Active Directory
33
DNS configuration
34
Optimizing AD is crucial –
pay particular attention to
subnets and DNS
35
Antivirus
36
Key points
If using UPM, exclude C:\Users from session host scanning if it is enabled on the file
server end
Put ALL available exclusions in for both Citrix infrastructure and session host servers
Turn off all unneeded parts of the AV suite (they all try to do far too much these days!)
Concentrate on detection and response (without overloading the image with agents)
Use application whitelisting such as WEM/AppLocker/Ivanti Application Control
Use lower-level detections if possible (such as host-level AV)
37
Pre-user (boot) phase
Image optimization
38
Free optimization tools are available that can further
enhance logon times
5
Citrix Optimizer
VMware Operating System
Optimization Tool
Base Image Script Framework
Pre-boot
39
Particularly helpful on Windows 10
5
Very applicable to Windows 10 XD, as this OS
will present the logon dialog long before
background processing is finished
Power management can be done in many
different ways – for VDI, both Citrix and
VMware have hypervisor-integrated power
management features, allowing you to start up
machines ahead of time
Physical machines can handle this through
solutions such as Wake-On-LAN, which can easily
be done through SCCM
For Windows 10, advise powering machines
on ten minutes before they are required to get
optimal logon performance
AutoScale can be used to help in cloud
environments
Auto logon
40
Especially in VDI environments, the second logon is often
much quicker than the first, even when profiles aren’t
retained
5
• To remediate this, first configure Windows auto-logon by creating a Startup Script that
sets the Registry keys that control it, or that calls the SysInternals tool AutoLogon
(SysInternals tool better because it encrypts the password). Use a specific user called
autologon or similar
• Create a batch command that deletes the DefaultPassword Registry value, and then
runs the logoff command
• Create a Scheduled Task and set it to run when the autologon user logs on
• Call the batch script you created earlier from the Scheduled Task
• When you boot the machine up, the Startup Script configures it for auto-logon, then
when the auto-logon succeeds, the Scheduled Task removes the auto-logon password
and then logs the user out
• You should now have a machine that boots up ready for a “second” logon every time
• With persistent VDI, you can even extend this so that each user is automatically logged
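The clean-up step of the procedure above (remove the stored password, then log off), written in PowerShell rather than batch so the result can be verified before the session ends. This is an added example, not part of the original slides; it assumes the dedicated account is named autologon, has local administrator rights, and that the Scheduled Task runs with highest privileges.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the slides. Run by the Scheduled Task that fires when
# the dedicated auto-logon account signs in.
# Assumption: that account is named "autologon".

$ExpectedUser = 'autologon'
$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Clear-AutoLogonCredential {
    param([string]$Path = $WinlogonKey)

    # DefaultPassword holds the password in clear text when the Startup Script
    # sets the Registry values directly. It may be absent if the SysInternals
    # AutoLogon tool was used, so a missing value is not treated as an error.
    $existing = Get-ItemProperty -Path $Path -Name DefaultPassword -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        Remove-ItemProperty -Path $Path -Name DefaultPassword -Force
    }

    # Added step (not on the slide): turn the auto-logon switch off as well.
    # The Startup Script sets it again at the next boot.
    Set-ItemProperty -Path $Path -Name AutoAdminLogon -Value '0' -Type String

    # Re-read the key and report what is left.
    $after = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        PasswordValuePresent = $after.PSObject.Properties.Name -contains 'DefaultPassword'
        AutoAdminLogon       = $after.AutoAdminLogon
    }
}

# Only act inside the auto-logon session, never for a real user.
if ($env:USERNAME -ne $ExpectedUser) {
    Write-Warning "Running as '$env:USERNAME', not '$ExpectedUser'; nothing changed."
    exit 1
}

$state = Clear-AutoLogonCredential
if ($state.PasswordValuePresent) {
    Write-Error 'DefaultPassword is still present; leaving the session open for investigation.'
    exit 2
}

# Password value is gone: end the "first" logon so the machine waits for a real user.
logoff.exe
```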
Applications preload
41
Can improve logon times – and other KPIs
A Scheduled Task triggered at startup should be configured with entries similar to those
below. Running it preloads applications into memory and improves not just logon times but
application launch KPIs
rem Launch each application briefly so its binaries are loaded into memory
start "" notepad.exe
timeout /t 1
start "" iexplore.exe
timeout /t 1
start "" "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.exe"
timeout /t 1
start "" "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.exe"
timeout /t 1
start "" "C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.exe"
timeout /t 1
start "" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
timeout /t 3
rem Close the preloaded instances again
taskkill /IM notepad.exe
timeout /t 1
taskkill /IM iexplore.exe
timeout /t 1
taskkill /IM WINWORD.exe
timeout /t 1
taskkill /IM EXCEL.exe
timeout /t 1
taskkill /IM POWERPNT.exe
timeout /t 1
taskkill /IM AcroRd32.exe
Firewall rules
42
Windows 10 seems to have an odd way of dealing with
firewall rules
5
• Firewall rules are created for each AppX application on a per-user basis
• These rules are not removed when a profile is deleted, and often duplicates are
created
• At boot, Windows appears to iterate through these rules and takes longer
dependent on how many there are
• Update – now a Registry key to fix this:-
• HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy, set a DWORD called DeleteUserAppContainersOnLogoff to 1
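To see how many per-user rules have built up before applying the fix, the rule store can be grouped by owning user and compared with the profiles that still exist. This is an added example, not part of the original slides; it assumes per-user rules carry the owner's SID in an LUOwn= field of the rule string (as in the constructed sample) and that rules live in the two FirewallPolicy subkeys named in the code.

```powershell
# Added example, not from the slides. Run elevated on the image or a VDA.
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$RuleStores = 'FirewallRules', 'RestrictedServices\AppIso\FirewallRules'
$ProfileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Constructed sample of a per-user AppX rule string (the SIDs are made up).
$SampleRule = 'v2.30|Action=Allow|Active=TRUE|Dir=Out|Name=Example App|' +
              'LUOwn=S-1-5-21-1111111111-2222222222-3333333333-1104|AppPkgId=S-1-15-2-1|'

function Get-RuleOwnerSid {
    param([string]$Rule)
    # Rule strings are pipe-separated Key=Value fields.
    # Assumption: LUOwn carries the SID of the user the rule was created for.
    foreach ($field in $Rule.Split('|')) {
        $kv = $field.Split('=', 2)
        if ($kv.Count -eq 2 -and $kv[0] -eq 'LUOwn') { return $kv[1] }
    }
    return $null
}

function Get-AppRuleOwnerSummary {
    # SIDs that still have a profile registered on this machine.
    $known = @(Get-ChildItem -Path $ProfileKey | ForEach-Object { $_.PSChildName })

    $owners = foreach ($store in $RuleStores) {
        $key = Get-Item -Path (Join-Path $PolicyKey $store) -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $sid = Get-RuleOwnerSid -Rule ([string]$key.GetValue($name))
            if ($sid) { $sid }
        }
    }

    # One row per owner; HasProfile = False marks rules left behind by deleted profiles.
    $owners | Group-Object | ForEach-Object {
        [pscustomobject]@{
            OwnerSid   = $_.Name
            Rules      = $_.Count
            HasProfile = $known -contains $_.Name
        }
    } | Sort-Object Rules -Descending
}

function Enable-AppContainerRuleCleanup {
    # The Registry fix from the slide: DWORD DeleteUserAppContainersOnLogoff = 1.
    New-ItemProperty -Path $PolicyKey -Name DeleteUserAppContainersOnLogoff `
        -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $PolicyKey -Name DeleteUserAppContainersOnLogoff).DeleteUserAppContainersOnLogoff
}

Get-RuleOwnerSid -Rule $SampleRule              # parser check on the constructed sample
Get-AppRuleOwnerSummary | Format-Table -AutoSize
Enable-AppContainerRuleCleanup
```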
43
Brokering and session phase
Citrix-related tips
44
Get your Citrix infra running sharp
5
• Check custom load evaluator policies aren’t set
erroneously
• Session Pre-Launch and Linger will help
• Ensure you have resiliency in each infrastructure
component role
• Upgrade Citrix infrastructure as much as possible to
improve brokering (7.15+ advised)
• Use zones to group VDAs and DDCs together to
minimize traffic
• Disable unused virtual channels – this can make a big
difference
• Use Concurrent Logons Tolerance policy setting to
avoid logon storms on particular VDAs
45
Authentication phase
46
Legal Notices
47
Profile load phase
What is the Windows user profile?
48
Profile
Apps Data
Configuration
‣ Config items
‣ Shortcuts
‣ MRU lists
‣ Supplementary data
‣ AutoComplete files
‣ History
‣ View settings
‣ …and much more!
What does it hold?
49
41%: Total of support calls during Windows 10 migration that related to user profile issues
Windows profile types
50
Windows user profiles normally come in four specific
types
1. Local profile: A local profile is stored only on the device. Every user logging on to a Windows endpoint will normally receive a local profile unless another type is defined for them.
2. Roaming profile: A roaming profile is stored on a file server share and is copied down to the device at logon and back to the share at logoff, allowing users to persist their profile changes. This is defined in AD.
3. Mandatory profile: A mandatory profile is a roaming profile that is not saved back to the file share and discarded at logoff. Users cannot persist profile changes and always receive the same profile settings.
4. Temporary profile: If there is a problem loading a profile or the user’s profile is unavailable, then the system will create a temporary profile for the user which is discarded at logoff.
Profile versions
51
Checklist of profile versions and which operating systems
they apply to
• v1 profile: Windows NT, Windows 2000, Windows XP, Windows Server 2003
• v2 profile: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2
• v3 profile: Windows 8, Windows Server 2012
• v4 profile: Windows 8.1, Windows Server 2012 R2
• v5 profile: Windows 10 RTM, Windows 10 1511, Windows Server 2016 Technical Preview
• v6 profile: Windows 10 1607+, Windows Server 2016 RTM, Windows Server 2019
Roaming profile problems - summary
52
Roaming profiles can be used to manage the user profile,
but they have a number of drawbacks
• Last writer wins: As mentioned earlier, last writer wins can cause inconsistency of settings application
• Large profiles and load times: Without Folder Redirection or GPO quotas, profiles can grow very large and affect logon/logoff performance
• %LOCALAPPDATA% not included *: Windows 10 and many applications save settings to %LOCALAPPDATA%, which is excluded from a roaming profile
• Quotas may cause issues: GPO quotas, when set too low, are known to cause profile failure
• Redirection can affect app performance **: Redirecting folders like APPDATA can have a detrimental effect on application performance
• Limited to profile version: Roaming profiles only work on the OSes that match the profile version
53
Don’t use roaming profiles
unless you really have no
other choice
Profiles - considerations
54
What profile type and management technique is best?
5
Local profiles are fastest to load
However this is not usually suitable for Citrix
environments unless you’re doing persistent
FSLogix Profile Containers is an excellent
halfway house – OS treats them as local,
centrally manageable, multi-session
If you have to use mandatory or Citrix
template profiles, store them locally in the
golden image and update with a file copy on
boot
You can do FSLogix Profiles across multiple
OS types by leveraging an injection
technology like UE-V
File-based solutions like UPM are really
Profiles - Windows file sizes
55
How are KPIs affected by the size of files involved?
[Chart: Logon time, relative to sizes of files making up profile. Categories: 1GB in 1GB chunk, 1GB in 100MB chunks, 3MB in 1KB chunks]
Profiles - exclusions
56
Keeping profile size down reduces logon times (if file-
based management) and storage capacity requirements
Only use aggressive exclusions when using file-
based profile management solutions
For VHD-based solutions, target large files or caches
only to reduce storage requirements
Don’t go crazy with this – it can be easy to exclude
something that causes an issue (like GPO caching)
Profiles – UWP apps
57
By default, many UWP apps are provisioned to the user
5
Profiles – UWP apps
58
Removing the provisioned apps
5
Get-AppxProvisionedPackage -online | Out-GridView -PassThru |
Remove-AppxProvisionedPackage -online
Profiles – UWP apps
59
Install Windows ADK
Run Windows Imaging and Configuration Designer
Advanced Provisioning
Runtime settings | Policies | Authentication | Fast First
Sign-In | Set to Enabled
EnableSharedPCMode – TRUE
Account Model – domain-joined only
Export the provisioning package
Save it to a location
Execute this from elevated PowerShell –
Install-ProvisioningPackage -PackagePath "NameOfPackage.ppkg" -QuietInstall
Optionally, enable “Fast First Sign-In”
Profiles – customization
60
Customizing your base user profile is probably the #1 way
you can speed up logons
5
Boot into Audit Mode as
shown
Perform all customizations as
necessary
Create unattend.xml (either
from Windows ADK, or just
use the one on my site)
Sysprep with the switch to
copyprofile, referencing XML
file
Allow machine to restart
Profiles – customization
61
Customizing your base user profile is probably the #1 way
you can speed up logons
5
Allow machine to boot and log
on
Perform sanitization (as on
left)
Insert any settings or files you
require
Don’t forget to Unload the
user Registry hive (or you will
lock it!)
Either leave it in the image as
a standard default profile, or
copy to NETLOGON share or
UPM template share
Profile sanitization process
Set permissions on Registry and filesystem
(don’t forget to give All Application Packages
Full Control)
Make Administrators the NTFS owner of the
filesystem entries
Remove Restricted group from ACL for
Registry
Remove any references to username or SID
(use psgetsid) from the Registry file
Remove extraneous Registry keys and values
Remove extraneous filesystem data – be
careful not to remove the Shell or WinX or
SendTo folders from LOCALAPPDATA though!
Insert common GPO Registry settings????
62
Remove UWP apps and use
a custom default profile
63
User Group Policy phase
Group Policy
64
Background
5
Group Policy
65
Architecture
5
Group Policy
66
CSE processing order
5
Administrative templates
GUID: 35378EAC-683F-11D2-A89A-00C04FBBCFA2
Wireless Group Policy
GUID: 0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63
Citrix Group Policy
GUID: 0D0C7034-2EBD-4A87-A9B9-9015E3F2E6E0
Group Policy Environment
GUID: 0E28E245-9368-4853-AD84-6DA3BA35BB75
Central Access Policy Configuration
GUID: 16BE69FA-4209-4250-88CB-716CF41954E0
Group Policy Local Users and Groups
GUID: 17D89FEC-5C44-4972-B12D-241CAEF74509
Group Policy Device Settings
GUID: 1A6364EB-776B-4120-ADE1-B63A406A76B5
Folder Redirection
GUID: 25537BA6-77A8-11D2-9B6C-0000F8080861
Citrix Profile Management
GUID: 26F29E43-DA55-459d-A045-5FEB25F8AB15
Microsoft Disk Quota
GUID: 3610EDA5-77EF-11D2-8DC5-00C04FA31A66
Group Policy Network Options
GUID: 3A0DBA37-F8B2-4356-83DE-3E90BD5C261F
QoS Packet Scheduler
GUID: 426031c0-0b47-4852-b0ca-ac3d37bfcb39
Scripts
GUID: 42B5FAAE-6536-11d2-AE5A-0000F87571E3
Remote Desktop USB Redirection
GUID: 4BCD6CDE-777B-48B6-9804-43568E23545D
Internet Explorer Zonemapping
GUID: 4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3
RemoteApp and Desktop Connections
GUID: 4D2F9B6F-1E52-4711-A382-6A8B1A003DE6
Work Folders
GUID: 4D968B55-CAC2-4FF5-983F-0A54603781A3
Group Policy Drive Maps
GUID: 5794DAFD-BE60-433f-88A2-1A31939AC01F
Group Policy Folders
GUID: 6232C319-91AC-4931-9385-E70C2B099F0E
Group Policy Network Shares
GUID: 6A4C88C6-C502-4f74-8F60-2CB23EDC24E2
Group Policy Files
GUID: 7150F9BF-48AD-4da4-A49C-29EF4A8369BA
Group Policy Data Sources
GUID: 728EE579-943C-4519-9EF7-AB56765798ED
Group Policy Ini Files
GUID: 74EE6C03-5363-4554-B161-627540339CAB
Windows Search Group Policy Extension
GUID: 7933F41E-56F8-41d6-A31C-4148A711EE93
Internet Explorer User Accelerators
GUID: 7B849a69-220F-451E-B3FE-2CB811AF94AE
Security
GUID: 827D319E-6EAC-11D2-A4EA-00C04F79F83A
Deployed Printer Connections
GUID: 8A28E2C5-8D06-49A4-A08C-632DAA493E17
Group Policy Services
GUID: 91FBB303-0CD5-4055-BF42-E512A681B325
Group Policy Folder Options
GUID: A3F3E39B-5D83-4940-B954-28315B82F0A8
Group Policy Scheduled Tasks
GUID: AADCED64-746C-4633-A97C-D61349046527
Group Policy Registry
GUID: B087BE9D-ED37-454f-AF9C-04291E351182
802.3 Group Policy
GUID: B587E2B1-4D59-4e7e-AED9-22B9DF11D053
Windows To Go Startup Options
GUID: BA649533-0AAC-4E04-B9BC-4DBAE0325B12
Group Policy Printers
GUID: BC75B1ED-5833-4858-9BB8-CBF0B166DF9D
Windows To Go Hibernate Options
GUID: C34B2751-1CF4-44F5-9262-C3FC39666591
Group Policy Shortcuts
GUID: C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7
Microsoft Offline Files
GUID: C631DF4C-088F-4156-B058-4375F0853CD8
Software Installation
GUID: C6DC5466-785A-11D2-84D0-00C04FB169F7
TCPIP
GUID: CDEAFC3D-948D-49DD-AB12-E578BA4AF7AA
Internet Explorer Machine Accelerators
GUID: CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D
IP Security
GUID: E437BC1C-AA7D-11D2-A382-00C04F991E27
Group Policy Internet Settings
GUID: E47248BA-94CC-49c4-BBB5-9EB7F05183D0
Group Policy Start Menu Settings
GUID: E4F48E54-F38D-4884-BFB9-D4D2E5729C18
Group Policy Regional Options
GUID: E5094040-C46C-4115-B030-04FB2E545B00
Group Policy Power Options
GUID: E62688F0-25FD-4c90-BFF5-F508B9D2E31F
Audit Policy Configuration
GUID: F3CCC681-B74C-4060-9F26-CD84525DCA2A
Group Policy Applications
GUID: F9C77450-3A41-477E-9310-9ACD617BD9E3
Enterprise QoS
GUID: FB2CA36D-0B40-4307-821B-A13B252DE56C
ProcessConnectivityPlatform
GUID: FBF687E6-F063-4D9F-9F4F-FD9A26ACDD5F
Group Policy
67
What sort of approach should you take to setting up your
Group Policy Objects?
5
Administrators must choose between
having “one setting per GPO” as in the
image, or one GPO with many settings
defined
“One setting per GPO” makes
administration and troubleshooting much
easier (they can be disabled individually)
However, GPOs are processed more
quickly if the number of GPOs is smaller
For performance reasons, it is advised to
load multiple CSE settings into single
GPOs where possible
Group Policy
68
Changing GPO Status is commonly used to improve
performance, but…
5
These settings are commonly used to
disable Computer Configuration or User
Configuration elements for GPOs that
only have settings from one or the other
It is believed that disabling the “other”
settings improves the performance of the
Group Policy engine
It actually makes no difference to
processing
It is advised to leave the settings as
“Enabled”
Group Policy
69
Loopback processing
5
Group Policy
70
Group Policy Preferences Printers
5
Group Policy
71
Computer Configuration versus User Configuration items
5
Group Policy
72
Filters are crucial to GPO processing
5
Security filtering is done by
permissions on the GPOs
WMI filters (especially LDAP or
product queries) adversely affect GP
processing, remove where possible
In Group Policy Preferences, using
Item-Level Targeting (particularly
OU, LDAP Query, Domain, Site, or
Computer Security Groups) also
increases the required processing
time, although it can be difficult to
replace this with Security Filtering
Group Policy
73
Design and structure
5
Try and keep AD structure as simple as
possible
Try to separate objects by AD security
groups and OUs
Avoid complex filtering
Avoid flat structures
Review Group Policies on an ongoing
basis
Minimize use of Group Policy
Preferences where possible
Remove GPOs that are unlinked or
unapplicable
Use AGPM if possible for change
Citrix Policies
74
Take the same approach with Citrix policies
• Use them in AD rather than FMA where possible
• Take care with filters (monitor and assess)
Group Policy
75
Synchronous or asynchronous?
5
Group Policy
76
What are asynchronous and synchronous processing
modes?
5
Group Policy
77
Foreground and background processing
5
Foreground processing
occurs when a user logs in
Background processing
occurs when a Group Policy
refresh is initiated
Background processing is
ALWAYS asynchronous
Foreground processing can
be synchronous or
asynchronous
Group Policy
78
Enabling policies for asynchronous mode
5
Group Policy
79
Caveats for asynchronous processing – prior logons
5
If a user has not previously logged on to a machine, then user policy
processing is ALWAYS synchronous
User prior logon is NOT measured by the presence of a profile or cached
credentials
Registry keys in the user’s ntuser.dat file indicate whether there has been a
prior logon
Set the following in the default user profile:-
KEY - HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\State
Value – NextRefreshMode REG_DWORD 2
Value – NextRefreshReason REG_DWORD 0
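One way to write those two values into the default user profile of an image is to load its hive, set them, and unload it again. This is an added example, not part of the original slides; the hive path C:\Users\Default\NTUSER.DAT and the temporary mount name GPStateTemplate are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the slides. Run elevated on the golden image.
# Assumptions: the default profile hive is at C:\Users\Default\NTUSER.DAT and
# "GPStateTemplate" is a free name under HKEY_USERS.

function Set-DefaultProfileGpState {
    param(
        [string]$HiveFile  = 'C:\Users\Default\NTUSER.DAT',
        [string]$MountName = 'GPStateTemplate'
    )

    if (-not (Test-Path -LiteralPath $HiveFile)) {
        throw "Hive file not found: $HiveFile"
    }

    # Mount the offline hive under HKEY_USERS.
    & reg.exe load "HKU\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

    try {
        $state = "Registry::HKEY_USERS\$MountName\Software\Microsoft\Windows\CurrentVersion\Group Policy\State"

        # Create the key (and any missing parents) only if it is not there yet,
        # so existing values in the hive are left alone.
        if (-not (Test-Path -Path $state)) {
            New-Item -Path $state -Force | Out-Null
        }

        # The two values from the slide.
        New-ItemProperty -Path $state -Name NextRefreshMode   -PropertyType DWord -Value 2 -Force | Out-Null
        New-ItemProperty -Path $state -Name NextRefreshReason -PropertyType DWord -Value 0 -Force | Out-Null

        # Read back what was written and return it to the caller.
        $written = Get-ItemProperty -Path $state
        [pscustomobject]@{
            HiveFile          = $HiveFile
            NextRefreshMode   = $written.NextRefreshMode
            NextRefreshReason = $written.NextRefreshReason
        }
    }
    finally {
        # Release any open Registry handles first, otherwise the unload fails
        # and the hive stays locked.
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Hive HKU\$MountName is still loaded; unload it before sealing the image."
        }
    }
}

Set-DefaultProfileGpState
```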
Group Policy
80
Caveats for asynchronous processing – user object
settings
5
Group Policy
81
Caveats to asynchronous processing – other CSEs
5
Group Policy
82
Asynchronous processing – Citrix UPM considerations
5
Group Policy
83
Asynchronous processing – logging and testing
5
Group Policy caching
84
Used to speed up foreground synchronous processing
only
Group Policy
85
Asynchronous processing – summary
5
• Ensure that the GPOs are set to allow asynchronous processing (one policy on clients, two
on RDSH servers)
• Ensure your default profile or template profile has the Registry values added at
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\State for
NextRefreshMode and NextRefreshReason
• On a server OS, make sure the RDSH role is installed, otherwise every logon will be
synchronous (1-to-1 you’re out of luck)
• If you need Folder Redirection policies, use Group Policy Preferences Registry Items to set
the UserShellFolders values directly, rather than using GPO CSEs. Note for some folders
(like Downloads) you may need to look up the GUID reference. Easiest way to do this is
actually configure the redirection policy through the CSE, and then check the Registry to see
what the GUID name is, then set it up as a GPP instead.
• NEVER use Software Installation Policies via GPO, if you can at all avoid them
• Don’t worry about defining home folders, profile paths and logon scripts on the user object -
this doesn’t affect processing, in my testing (although bear in mind I did all of it on Server
2016 and Windows 10)
• If you’re using UPM, don’t use the home drive as part of the user profile path
• If you do need to use synchronous CSEs, update them as little as possible
• Group Policy Preference Drive Maps won’t cause a problem unless you’re on an older (pre
Win-8/2012) OS. If you are on the older versions, find a better way to deal with mapped
drives
86
On CVA, enabling
asynchronous processing
will make the most
difference to logons
Logon scripts
87
Using logon scripts (either AD user object or through
GPOs) can cause delays
5
Since Server 2012 logon scripts do not
actually execute at logon anyway, a GPO
needs to be configured to make them
execute at logon
Logon scripts should be avoided (or at
least minimized) and configuration items
handed off to GPP or another tool
Synchronous logon GPO only applies to
multiple scripts
Drive mappings can be avoided by using
EFSS tools and Folder Redirection
Run logon scripts in PowerShell
preferably
Logon scripts
88
If you can’t get rid of them, at least disable them on your
Citrix environments!
5
Filter out any Logon Script GPOs
Save the following script
@echo off
rem Clear the logon script variable, then hand over to the real userinit.exe
set UserInitLogonScript=
start %systemroot%\system32\userinit.exe
exit
Save the script somewhere local to the image
Replace the contents of HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon – Userinit with the path to the script
Any user object logon scripts will then be ignored entirely
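Userinit runs at every interactive logon, so once it points at a custom script, that script and its folder should be writable only by administrators. The check below reads the Userinit value and reports any other principal with write access to each target. This is an added example, not part of the original slides; the list of trusted SIDs is an assumption to adjust for your image.

```powershell
# Added example, not from the slides. Read-only check; run elevated on the image.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumption: only SYSTEM, BUILTIN\Administrators and TrustedInstaller may write.
$TrustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow a file to be changed or replaced: WriteData, AppendData,
# DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership,
# plus the generic bits GENERIC_ALL and GENERIC_WRITE.
$WriteMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
             0x10000000 -bor 0x40000000

function Get-UserinitTarget {
    # Userinit is a comma-separated list of programs, usually ending in a comma.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
    $raw.Split(',') |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
        Where-Object { $_ }
}

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # Skip Deny entries and entries that only apply to child objects.
        $inheritOnly = ([int]$rule.PropagationFlags -band 2) -ne 0
        if ($rule.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
        $rule.IdentityReference.Value
    }
}

function Test-UserinitChain {
    foreach ($target in Get-UserinitTarget) {
        $exists  = Test-Path -LiteralPath $target -PathType Leaf
        $writers = @()
        if ($exists) {
            # Write access to the parent folder lets the file be replaced,
            # so the folder ACL is checked as well as the file ACL.
            $writers = @(Get-UntrustedWriter -Path $target) +
                       @(Get-UntrustedWriter -Path (Split-Path -Path $target -Parent))
        }
        [pscustomobject]@{
            Target           = $target
            Exists           = $exists
            UntrustedWriters = @($writers | Sort-Object -Unique)
            Ok               = $exists -and ($writers.Count -eq 0)
        }
    }
}

Test-UserinitChain | Format-List
```

A target reported with Exists = False (for example an entry without a full path) needs a manual look rather than being treated as safe.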
89
90
91
Drive mappings
92
Problems
5
Drive mappings always insist on
validating the drive when it is
mapped, and also when it is
rendered within the shell
Drive mappings use letters of the
alphabet, and as such are
restricted in their scope
Often scripts or applications have
references to drive letters hard-
coded
Often other configuration items
are dependent on the existence of
the drive mapping
Drive mappings
93
Home drives
5
Don’t use home drives!
Either use OneDrive/ShareFile or
other EFSS solution, or…
…just redirect the Documents
folder!
Drive mappings
94
How can we deal with departmental drives?
5
Use document management systems instead (like
SharePoint)
Use the method specified in this article - https://james-rankin.com/articles/dealing-with-network-drive-mappings-in-citrix-environments/ - to create shortcuts to network
locations that show in the shell without mapping drives
If you can’t do that, you can reduce the amount of drive
mappings required by using a single root and ABE
Rather than mapping multiple drives, map to the root
of a filesystem structure once
Then control each department’s access through
NTFS and ABE
ABE ensures folders the user can’t access don’t
appear even in the view
This will decrease the amount of mapped drives
required if they can’t be gotten rid of entirely
Old method
New method
96
Review and remediate your
organization’s use of
mapped drives
97
XenApp/XenDesktop
File server
Fast storage
%USERPROFILE%
{Downloads}
Redirection for Documents, Pictures, etc.
(either standard or to EFSS)
Folder Redirection
Try and move away from redirected folders if possible
High-volume access
Low-volume access
Folder redirection - summary
What are the key takeaways?
• When redirecting, use Registry direct – don’t redirect to mapped drives – don’t map Documents to the root of home drives
• Use “normal” Folder Redirection or EFSS to handle low-volume areas like Documents, Pictures, etc.
• Don’t redirect Downloads – use it as a scratch area
• Think very carefully about how you handle possible redirection of Desktop. May be best to encourage users away from it
• For high-volume areas like AppData, Recent Items, etc., use a VHD mounting tool
• Ideally, redirect the user profile root to a VHD, to allow captures of LOCALAPPDATA etc.
• Other large files (SFB GAL, Outlook OST, Search database, etc.) can also possibly be handled by VHD mounts
Use VHD mounting to replace Folder Redirection in most areas
Userinit phase
UserInit – Active Setup
Removing or disabling these can also reduce first logon times
Active Setup is a mechanism for executing commands once per user early during logon. Active Setup is used by some operating system components like Internet Explorer to set up an initial configuration for new users logging on for the first time. It is a way of hard-coding user-specific data
Active Setup runs before the desktop appears. Commands started by Active Setup run synchronously, blocking the logon while they are executing
Active Setup employs neither a timeout nor any other mechanism to determine if a StubPath process it started is still alive, so if it hangs, the entire logon will stop
You can disable Active Setup entries by removing the StubPath entries from all [GUID] subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
Alternatively you can disable them by using the SysInternals AutoRuns tool
It is recommended to check all the Active Setup entries and remove as
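One way to carry out the check described above before removing anything, as an added PowerShell example that is not part of the original slides. It lists every StubPath under both keys together with the signature status of the program it starts, since these commands run for each user at logon and should be known and expected on the base image. The function names and the backup folder are hypothetical.

```powershell
# Added example: read-only inventory of Active Setup StubPath entries, with an
# optional backup and a guarded removal. Helper names are hypothetical.
$ActiveSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

function Resolve-StubExecutable {
    # Best-effort extraction of the program a StubPath command line starts.
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') {
        $exe = $Matches[1]                  # "C:\dir with spaces\x.exe" args
    } elseif ($cmd -match '^(.+?\.(exe|com|cmd|bat))(\s|,|$)') {
        $exe = $Matches[1]                  # C:\dir\x.exe args
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    if ([string]::IsNullOrWhiteSpace($exe)) { return $null }
    if (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue) {
        return $exe
    }
    # Bare names such as rundll32.exe are resolved through PATH.
    $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($found) { return $found.Path }
    return $null
}

function Get-ActiveSetupEntry {
    foreach ($root in $ActiveSetupRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            if ([string]::IsNullOrWhiteSpace($p.StubPath)) { continue }
            $exe = Resolve-StubExecutable -CommandLine $p.StubPath
            $sig = if ($exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else {
                'FileNotFound'
            }
            [pscustomobject]@{
                View        = if ($root -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
                Component   = $key.PSChildName
                Name        = $p.'(default)'
                Version     = $p.Version
                StubPath    = $p.StubPath
                Executable  = $exe
                Signature   = "$sig"
                RegistryKey = $key.Name
            }
        }
    }
}

function Export-ActiveSetupBackup {
    # Exports both keys to .reg files so a removed StubPath can be restored.
    param([Parameter(Mandatory)][string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    foreach ($root in $ActiveSetupRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $view   = if ($root -like '*Wow6432Node*') { 'x86' } else { 'x64' }
        $native = $root -replace '^HKLM:', 'HKLM'
        $file   = Join-Path $Folder "ActiveSetup-$view.reg"
        & reg.exe export $native $file /y | Out-Null
    }
}

function Remove-ActiveSetupStub {
    # Removes only the StubPath value; honours -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$RegistryKey
    )
    process {
        if ($PSCmdlet.ShouldProcess($RegistryKey, 'Remove StubPath value')) {
            Remove-ItemProperty -LiteralPath "Registry::$RegistryKey" -Name StubPath
        }
    }
}

# Inventory only: nothing is changed here. Entries that are unsigned or whose
# file is missing sort to the top of the review.
Get-ActiveSetupEntry |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Component |
    Format-Table View, Component, Name, Signature, StubPath -AutoSize -Wrap

# After review, on the base image from an elevated session (placeholder GUID):
# Export-ActiveSetupBackup -Folder 'C:\Temp\ActiveSetupBackup'
# Get-ActiveSetupEntry | Where-Object Component -eq '{GUID-TO-REMOVE}' |
#     Remove-ActiveSetupStub -WhatIf
```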
Shell phase
In-session performance can affect *new* logons
Performance management
Take steps to ensure server or desktop performance is always good
MONITOR!
Use WEM or UWM or other tool to manage performance
Don’t forget these tools are band-aids – always address underlying issues
Use ad-blockers
Pay attention to hungry applications like Skype, Teams, Slack, Chrome, etc.
Use optimizations from Citrix
Redirection policies can help
Printing
Don’t forget about printers!
SysInternals AutoRuns
Should be run on base image and verified
Scheduled Tasks
Validate all existing Scheduled Tasks so that unnecessary processes don’t run during logon
Understand impact of new apps
Ensure you dissect any new applications added
Tools to help troubleshooting
When you’re struggling, you need to dig deeper
Image optimization is crucial – do it well and do it often
Logon times comparison
Windows 10 1809 on CVD and Windows Server 2016 on CVA
Windows 10 1909: Before 261.4 seconds average, After 10.1 secs average
Windows Server 2019: Before 52.7 seconds average, After 8.2 secs average
Summary
Key takeaways rundown
Use fast storage and make sure your hardware is running without issue
Ensure AD is optimal (particularly subnets and DNS configuration)
Avoid networked profiles, adopt appropriate solution to handle user settings if smooth roaming is required (if Win10, ditch the UWP crap with that ADK trick)
Configure AV correctly (or get rid of it!)
Put UX at the heart of all designs and planning, make sure you do proactive holistic monitoring, adopt software to do this if necessary
Rationalize and optimize your Group Policy – get asynchronous user processing enabled if possible
Ditch logon scripts, folder redirection and drive mappings and replace with other configuration methods
All other image optimizations should be applied where possible
Questions?
+1 (866) 526 6700 www.eginnovations.com info@eginnovations.com
Thank You

How to Get the Fastest Possible Citrix Logon Times?

  • 1. © eG Innovations, Inc | www.eginnovations.com© eG Innovations, Inc | www.eginnovations.com How to get the fastest possible Citrix Logon times with James Rankin will begin shortly... Have you seen an explosion in WFH users due to the COVID-19 crisis? eG Innovations can help! • Help WFH employees continue to be productive • Give employees fast logon and response times and allocate bandwidth efficiently by user requirements • Help the Help Desk handle more calls and resolve in minutes, not hours • Same day implementation
  • 2. © eG Innovations, Inc | www.eginnovations.com© eG Innovations, Inc | www.eginnovations.com How to get the fastest possible Citrix Logon times with James Rankin will begin shortly... How to Get the Fastest Possible Citrix Logon Times The first impression customers have of any digital workspace is simply logging onto the desired application or desktop.
  • 3. © eG Innovations, Inc | www.eginnovations.com© eG Innovations, Inc | www.eginnovations.com eG Innovations’ Citrix Logon Simulator https://www.eginnovations.com/citrix-monitoring/free-logon-simulator • Simulates the exact same process that users go through when they logon to XenApp or XenDesktop • Tracks every step of the Citrix logon process: browser access, authentication, enumeration, HDX session establishment, and application launch • Detects logon issues proactively and helps solve them before users are affected • Monitors the availability of published applications, such as Cerner, Epic, SAP, Outlook, Office 365, etc. • Tests if the entire Citrix delivery infrastructure is working in concert
  • 4. © eG Innovations, Inc | www.eginnovations.com© eG Innovations, Inc | www.eginnovations.com eG Innovations has been helping customers answer the question, “Why is my application slow?” for two decades 2001 • Universal agent monitor • Support for 100+ applications, devices and IT components • Automated root cause diagnosis • Self-learning baselines Unified Monitoring 2008 • Extended support for virtualization platforms • Inside-outside visibility of VMs • Virtualization-aware root cause diagnosis Virtualization 2005 • Business service management • End-to-end service topology • Automatic dependency mapping Business Service Management 2014 • Monitoring support for public, private and hybrid cloud • Cloud-aware root cause diagnosis • SaaS deployment Cloud 2016-17 • Real user monitoring • Distributed transaction tracing • Application code-level visibility for Java and .NET applications APM Major Product Release: 2019 • Digital workspace monitoring enhancements • Web app simulation • Support for Docker and Kubernetes • Expanded APM capabilities (PHP, Node.js) • Monitoring DevOps toolsets User Experience How to get the fastest possible Citrix Logon times with James Rankin will begin shortly...
  • 5. © eG Innovations, Inc | www.eginnovations.com© eG Innovations, Inc | www.eginnovations.com eG Express Cloud for Citrix • Monitor business-critical Citrix services without requiring any on-premises monitoring software • Get built-in domain expertise to identify even the most complex performance issues • Be the first to know when your users experience slow logons, slow app launches, disconnects, session latency, network latency, etc. • Gain actionable and prescriptive alerts that tell you how to triage your Citrix problem • Out-of-box reports provide historical analytics for rightsizing and optimization https://www.eginnovations.com/citrix-monitoring/cloud
  • 6. © eG Innovations, Inc | www.eginnovations.com© eG Innovations, Inc | www.eginnovations.com How to get the fastest possible Citrix Logon times with James Rankin will begin shortly... Every layer, every component. Code to bare metal. Public, private and hybrid. The Digital Performance Management Company
  • 7. 8 April 2020 @james____rankin james-rankin.com https://www.youtube.com/channel/UCwldtJW6M7yhdBZH26Tmjtw
  • 8. 8 User experience and monitoring These are vitally important when considering logon times
  • 9. UX and AX • Employee dissatisfaction • Security and data loss issues as users resort to using “shadow IT” solutions • Loss of productivity and wasted work time • Delays to processing of business functions • Increased employee stress • Problems with employee retention What happens if these are bad?
  • 10. Key performance indicators 10 What are the KPIs that users measure their “user experience” by? • Logon times • Application launch times • Key application interaction times (e.g. browsing to the Open File dialog) • Common admin tasks (such as running reports) • Printing
  • 11. 11 Put user experience at the heart of everything
  • 12. The importance of monitoring 12 Client-end monitoring is the most common “missing” part of the equation we see
  • 13. The importance of monitoring 13 Options around client-side monitoring
  • 15. 15 What happens at logon? Let’s dive into the anatomy of a logon
  • 16. 16 The Citrix logon process What happens during the user logon?
  • 17. The Citrix logon process 17 What happens during the user logon? 5 Brokering and session initialization User profileAuthentication Group Policy ShellUserinit Resource connection brokered, Citrix license validated, client server subsystem launches winlogon.exe, which launches logonui.exe Logon dialog presented, user logs on and is validated. Logon duration measurement begins, RDSH license validated User’s profile is located and loaded, or created and loaded User Group Policy processing is fetched, run and completed Prepares for shell or program launch, establishes network connections, runs Active Setup, maps printers Runs specified shell (usually explorer.exe) or program from command line
  • 18. Citrix logon is not just Windows 18 Brokering and session initialization has its own processes Citrix broker infrastructure has to perform tasks such as:- • Validate license • Assess load • Assess worker uptime • Assess connection status • Identify VDA type (multi-session or single) • Identify persistence type • If persistent, assess power and registration status • If required, initiate power on This is why it is essential to measure logons from a “Citrix” rather than just “Windows” perspective
  • 19. Persistent or non-persistent? 19 Most CVA is non-persistent, and a significant proportion of CVD as well Persistent resources Persistent resources (desktops only) maintain a locally-cached copy of the user’s session state on the VDA. This is normally used in one-to-one (sometimes referred to as “dedicated” or “non- pooled”) Citrix Virtual Apps and Desktops environments, as the user must reconnect to a dedicated VDA in order to have their session state “persisted”. Non-persistent resources Non-persistent resources (either desktops or applications), conversely, do not maintain a cached copy of the user’s session state on the VDA. Their changes are discarded from the VDA at the point of logoff. This is not to say, however, that user session state changes cannot be persisted in this fashion – they can be saved at logoff to a network location and then re-injected when a user launches a new instance of an application or desktop. These methods are commonly used in multi-user environments or single-user environments where new machines are provisioned at each logon (“shared”, or “pooled”).
  • 20. How long is a “good” logon? 20 Most monitoring providers (and Citrix) class 30 secs or less as “Good” I always aim for 10 secs or less Ideally, no single logon should take more than a minute even when there are infrastructure issues
  • 21. A standard logon 21 Some baselines 5 Windows 10 1909 261.4 seconds average Windows Server 2019 52.7 seconds average
  • 22. History of Citrix Windows logon times Windows versions have exponentially increased logon times and sizes of profiles 0 50 100 150 200 250 300 Windows NT4 Windows 2000 Windows XP/2003 Windows 7/2008 R2 Windows 8.1/2012 R2 Windows 10 Windows Server 2016 Windows Server 2019 Windows logon times and profile sizes (non-persistent) Size of profile (MB) Non-persistent logon time (secs)
  • 23. 23 Most logon issues occur through Group Policy or profile
  • 24. 24 General issues Factors that affect logons in general
  • 25. Storage 25 Get your VMs on the quickest available storage! 5
  • 26. MCS and PVS 26 Use caching optimizations
  • 27. Hypervisors 27 Tune your hypervisors for best performance! VSphere https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/performance/v sphere-esxi-vcenter-server-67-performance-best-practices.pdf Citrix Hypervisor (XenServer) https://www.citrix.com/blogs/2013/12/02/xenserver-performance-tuning-top-5-recommended- guides/ Hyper-V https://docs.microsoft.com/en-us/windows-server/administration/performance-tuning/role/hyper- v-server/
  • 28. Networks 28 Quick networking is always essential!
  • 29. Active Directory 29 Ensure fast logon authentication and GP processing by ensuring AD is optimal 5 AD underpins far more than just authentication and integrates with all technologies in the EUC stack • Check domain and forest functional levels • All DCs should be Global Catalog servers • Have no manually created Connection Objects in Sites and Services • Make sure all subnets are correctly defined in Sites and Services • Create reverse DNS lookup zones for all subnets • Remove orphaned DCs • Configure the PDCe to be the domain authoritative time server
  • 30. Active Directory 30 Domain and forest functional levels
  • 32. Active Directory 32 Subnet definitions How does a client find a domain controller to validate a logon? 1. DCs register SVR and A records in DNS 2. Client requests a DC by providing its site name to DNS 3. DNS uses the client’s site name to find a DC in that site or closest site 4. DNS provides the IP address of DC to client
  • 34. 34 Optimizing AD is crucial – pay particular attention to subnets and DNS
  • 35. 35
  • 36. Antivirus 36 Key points If using UPM, exclude c:users from session host scanning if it is enabled on the file server end Put ALL available exclusions in for both Citrix infrastructure and session host servers Turn off all unneeded parts of the AV suite (they all try to do far too much these days!) Concentrate on detection and response (without overloading the image with agents) Use application whitelisting such as WEM/AppLocker/Ivanti Application Control Use lower-level detections if possible (such as host-level AV)
  • 38. Image optimization 38 Free optimization tools are available that can further enhance logon times 5 Citrix Optimizer VMware Operating System Optimization Tool Base Image Script Framework
  • 39. Pre-boot 39 Particularly helpful on Windows 10 5 Very applicable to Windows 10 XD, as this OS will present the logon dialog long before background processing is finished Power management can be done in many different ways – for VDI, both Citrix and VMware have hypervisor-integrated power management features, allowing you to start up machines ahead of time Physical machines can handle this through solutions such as Wake-On-LAN, can easily be done through SCCM For Windows 10, advise powering machines on ten minutes before they are required to get optimal logon performance AutoScale can be used to help in cloud environments
  • 40. Auto logon 40 Especially in VDI environments, the second logon is often much quicker than the first, even when profiles aren’t retained 5 • To remediate this, first configure Windows auto-logon by creating a Startup Script that sets the Registry keys that control it, or that calls the SysInternals tool AutoLogon (SysInternals tool better because it encrypts the password). Use a specific user called autologon or similar • Create a batch command that deletes the DefaultPassword Registry value, and then runs the logoff command • Create a Scheduled Task and set it to run when the autologon user logs on • Call the batch script you created earlier from the Scheduled Task • When you boot the machine up, the Startup Script configures it for auto-logon, then when the auto-logon succeeds, the Scheduled Task removes the auto-logon password and then logs the user out • You should now have a machine that boots up ready for a “second” logon every time • With persistent VDI, you can even extend this so that each user is automatically logged
  • 41. Applications preload 41 Can increase logon times – and other KPIs 5 A Scheduled Task triggered at startup should be configured with entries similar to below and run, this preloads applications into memory and improves not just logon times but application launch KPIs start notepad.exe timeout /t 1 start iexplore.exe timeout /t 1 start C:Program Files (x86)Microsoft OfficeOffice16WINWORD.exe timeout /t 1 start C:Program Files (x86)Microsoft OfficeOffice16EXCEL.exe timeout /t 1 start C:Program Files (x86)Microsoft OfficeOffice16POWERPNT.exe timeout /t 1 start C:Program Files (x86)AdobeAcrobat Reader DCReaderAcroRd32.exe timeout /t 3 taskkill /IM notepad.exe timeout /t 1 taskkill /IM iexplore.exe timeout /t 1 taskkill /IM WINWORD.exe timeout /t 1 taskkill /IM EXCEL.exe timeout /t 1 taskkill /IM POWERPNT.exe timeout /t 1 taskkill /IM AcroRd32.exe
  • 42. Firewall rules 42 Windows 10 seems to have an odd way of dealing with firewall rules 5 • Firewall rules are created for each AppX application on a per-user basis • These rules are not removed when a profile is deleted, and often duplicates are created • At boot, Windows appears to iterate through these rules and takes longer dependent on how many there are • Update – now a Registry key to fix this:- • HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPol icy, set a DWORD called DeleteUserAppContainersOnLogoff to 1
  • 44. Citrix-related tips 44 Get your Citrix infra running sharp 5 • Check custom load evaluator policies aren’t set erroneously • Session Pre-Launch and Linger will help • Ensure you have resiliency in each infrastructure component role • Upgrade Citrix infrastructure as much as possible to improve brokering (7.15+ advised) • Use zones to group VDAs and DDCs together to minimize traffic • Disable unused virtual channels – this can make a big difference • Use Concurrent Logons Tolerance policy setting to avoid logon storms on particular VDAs
  • 48. What is the Windows user profile? 48 Profile Apps Data Configuration ‣ Config items ‣ Shortcuts ‣ MRU lists ‣ Supplementary data ‣ AutoComplete files ‣ History ‣ View settings ‣ …and much more! What does it hold?
  • 49. 49 41%Total of support calls during Windows 10 migration that related to user profile issues
  • 50. Windows profile types 50 Windows user profiles normally come in four specific types Local profile A local profile is stored only on the device. Every user logging on to a Windows endpoint will normally receive a local profile unless another type is defined for them. Roaming profile A roaming profile is stored on a file server share and is copied down to the device at logon and back to the share at logoff, allowing users to persist their profile changes. This is defined in AD. Mandatory profile A mandatory profile is a roaming profile that is not saved back to the file share and discarded at logoff. Users cannot persist profile changes and always receive the same profile settings. Temporary profile If there is a problem loading a profile or the user’s profile is unavailable, then the system will create a temporary profile for the user which is discarded at logoff. 1 2 3 4
  • 51. Profile versions 51 Checklist of profile versions and which operating systems they apply to v1 profile v2 profile v3 profile v4 profile v5 profile v6 profile ‣ Windows NT ‣ Windows 2000 ‣ Windows XP ‣ Windows Server 2003 ‣ Windows Vista ‣ Windows Server 2008 ‣ Windows 7 ‣ Windows Server 2008 R2 ‣ Windows 8 ‣ Windows Server 2012 ‣ Windows 8.1 ‣ Windows Server 2012 R2 ‣ Windows 10 RTM ‣ Windows 10 1511 ‣ Windows Server 2016 Technical Preview ‣ Windows 10 1607+ ‣ Windows Server 2016 RTM ‣ Windows Server 2019
  • 52. Roaming profile problems - summary 52 Roaming profiles can be used to manage the user profile, but they have a number of drawbacks Last writer wins Large profiles and load times %LOCALAPPDATA% not included * Quotas may cause issues Without Folder Redirection or GPO quotas, profiles can grow very large and affect logon/logoff performance Windows 10 and many applications save settings to %LOCALAPPDATA%, which is excluded from a roaming profile GPO quotas, when set too low, are known to cause profile failure Redirecting folders like APPDATA can have a detrimental effect on application performance Redirection can affect app performance ** As mentioned earlier, last writer wins can cause inconsistency of settings application Roaming profiles only work on the OSes that match the profile version Limited to profile version
  • 53. 53 Don’t use roaming profiles unless you really have no other choice
  • 54. Profiles - considerations 54 What profile type and management technique is best? 5 Local profiles are fastest to load However this is not usually suitable for Citrix environments unless you’re doing persistent FSLogix Profile Containers is an excellent halfway house – OS treats them as local, centrally manageable, multi-session If you have to use mandatory or Citrix template profiles, store them locally in the golden image and update with a file copy on boot You can do FSLogix Profiles across multiple OS types by leveraging an injection technology like UE-V File-based solutions like UPM are really
  • 55. Profiles - Windows file sizes 55 How are KPIs affected by the size of files involved? Logon time Relative to sizes of files making up profile 0 20 40 60 80 100 120 140 160 180 200 1GB in 1GB chunk 1GB in 100MB chunks 3MB in 1KB chunks
  • 56. Profiles - exclusions 56 Keeping profile size down reduces logon times (if file- based management) and storage capacity requirements Only use aggressive exclusions when using file- based profile management solutions For VHD-based solutions, target large files or caches only to reduce storage requirements Don’t go crazy with this – it can be easy to exclude something that causes an issue (like GPO caching)
  • 57. Profiles – UWP apps 57 By default, many UWP apps are provisioned to the user 5
  • 58. Profiles – UWP apps 58 Removing the provisioned apps 5 Get-AppxProvisionedPackage -online | Out-GridView -PassThru | Remove-AppxProvisionedPackage -online
  • 59. Profiles – UWP apps 59 Install Windows ADK Run Windows Imaging and Configuration Designer Advanced Provisioning Runtime settings | Policies | Authentication | Fast First Sign-In | Set to Enabled EnableSharedPCMode – TRUE Account Model – domain-joined only Export the provisioning package Save it to a location Execute this from elevated PowerShell – Install-ProvisioningPackage -PackagePath “NameOfPackage.ppkg” -QuietInstall Optionally, enable “Fast First Sign-In”
  • 60. Profiles – customization 60 Customizing your base user profile is probably the #1 way you can speed up logons 5 Boot into Audit Mode as shown Perform all customizations as necessary Create unattend.xml (either from Windows ADK, or just use the one on my site) Sysprep with the switch to copyprofile, referencing XML file Allow machine to restart
  • 61. Profiles – customization 61 Customizing your base user profile is probably the #1 way you can speed up logons 5 Allow machine to boot and log on Perform sanitization (as on left) Insert any settings or files you require Don’t forget to Unload the user Registry hive (or you will lock it!) Either leave it in the image as a standard default profile, or copy to NETLOGON share or UPM template share Profile sanitization process Set permissions on Registry and filesystem (don’t forget to give All Application Packages Full Control) Make Administrators the NTFS owner of the filesystem entries Remove Restricted group from ACL for Registry Remove any references to username or SID (use psgetsid) from the Registry file Remove extraneous Registry keys and values Remove extraneous filesystem data – be careful not to remove the Shell or WInX or SendTo folders from LOCALAPPDATA though! Insert common GPO Registry settings????
  • 62. Remove UWP apps and use a custom default profile
  • 66. Group Policy: CSE processing order
      • Administrative templates GUID: 35378EAC-683F-11D2-A89A-00C04FBBCFA2
      • Wireless Group Policy GUID: 0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63
      • Citrix Group Policy GUID: 0D0C7034-2EBD-4A87-A9B9-9015E3F2E6E0
      • Group Policy Environment GUID: 0E28E245-9368-4853-AD84-6DA3BA35BB75
      • Central Access Policy Configuration GUID: 16BE69FA-4209-4250-88CB-716CF41954E0
      • Group Policy Local Users and Groups GUID: 17D89FEC-5C44-4972-B12D-241CAEF74509
      • Group Policy Device Settings GUID: 1A6364EB-776B-4120-ADE1-B63A406A76B5
      • Folder Redirection GUID: 25537BA6-77A8-11D2-9B6C-0000F8080861
      • Citrix Profile Management GUID: 26F29E43-DA55-459d-A045-5FEB25F8AB15
      • Microsoft Disk Quota GUID: 3610EDA5-77EF-11D2-8DC5-00C04FA31A66
      • Group Policy Network Options GUID: 3A0DBA37-F8B2-4356-83DE-3E90BD5C261F
      • QoS Packet Scheduler GUID: 426031c0-0b47-4852-b0ca-ac3d37bfcb39
      • Scripts GUID: 42B5FAAE-6536-11d2-AE5A-0000F87571E3
      • Remote Desktop USB Redirection GUID: 4BCD6CDE-777B-48B6-9804-43568E23545D
      • Internet Explorer Zonemapping GUID: 4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3
      • RemoteApp and Desktop Connections GUID: 4D2F9B6F-1E52-4711-A382-6A8B1A003DE6
      • Work Folders GUID: 4D968B55-CAC2-4FF5-983F-0A54603781A3
      • Group Policy Drive Maps GUID: 5794DAFD-BE60-433f-88A2-1A31939AC01F
      • Group Policy Folders GUID: 6232C319-91AC-4931-9385-E70C2B099F0E
      • Group Policy Network Shares GUID: 6A4C88C6-C502-4f74-8F60-2CB23EDC24E2
      • Group Policy Files GUID: 7150F9BF-48AD-4da4-A49C-29EF4A8369BA
      • Group Policy Data Sources GUID: 728EE579-943C-4519-9EF7-AB56765798ED
      • Group Policy Ini Files GUID: 74EE6C03-5363-4554-B161-627540339CAB
      • Windows Search Group Policy Extension GUID: 7933F41E-56F8-41d6-A31C-4148A711EE93
      • Internet Explorer User Accelerators GUID: 7B849a69-220F-451E-B3FE-2CB811AF94AE
      • Security GUID: 827D319E-6EAC-11D2-A4EA-00C04F79F83A
      • Deployed Printer Connections GUID: 8A28E2C5-8D06-49A4-A08C-632DAA493E17
      • Group Policy Services GUID: 91FBB303-0CD5-4055-BF42-E512A681B325
      • Group Policy Folder Options GUID: A3F3E39B-5D83-4940-B954-28315B82F0A8
      • Group Policy Scheduled Tasks GUID: AADCED64-746C-4633-A97C-D61349046527
      • Group Policy Registry GUID: B087BE9D-ED37-454f-AF9C-04291E351182
      • 802.3 Group Policy GUID: B587E2B1-4D59-4e7e-AED9-22B9DF11D053
      • Windows To Go Startup Options GUID: BA649533-0AAC-4E04-B9BC-4DBAE0325B12
      • Group Policy Printers GUID: BC75B1ED-5833-4858-9BB8-CBF0B166DF9D
      • Windows To Go Hibernate Options GUID: C34B2751-1CF4-44F5-9262-C3FC39666591
      • Group Policy Shortcuts GUID: C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7
      • Microsoft Offline Files GUID: C631DF4C-088F-4156-B058-4375F0853CD8
      • Software Installation GUID: C6DC5466-785A-11D2-84D0-00C04FB169F7
      • TCPIP GUID: CDEAFC3D-948D-49DD-AB12-E578BA4AF7AA
      • Internet Explorer Machine Accelerators GUID: CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D
      • IP Security GUID: E437BC1C-AA7D-11D2-A382-00C04F991E27
      • Group Policy Internet Settings GUID: E47248BA-94CC-49c4-BBB5-9EB7F05183D0
      • Group Policy Start Menu Settings GUID: E4F48E54-F38D-4884-BFB9-D4D2E5729C18
      • Group Policy Regional Options GUID: E5094040-C46C-4115-B030-04FB2E545B00
      • Group Policy Power Options GUID: E62688F0-25FD-4c90-BFF5-F508B9D2E31F
      • Audit Policy Configuration GUID: F3CCC681-B74C-4060-9F26-CD84525DCA2A
      • Group Policy Applications GUID: F9C77450-3A41-477E-9310-9ACD617BD9E3
      • Enterprise QoS GUID: FB2CA36D-0B40-4307-821B-A13B252DE56C
      • ProcessConnectivityPlatform GUID: FBF687E6-F063-4D9F-9F4F-FD9A26ACDD5F
  • 67. Group Policy: What sort of approach should you take to setting up your Group Policy Objects? Administrators must choose between having “one setting per GPO” as in the image, or one GPO with many settings defined. “One setting per GPO” makes administration and troubleshooting much easier (they can be disabled individually). However, GPOs are processed more quickly if the number of GPOs is smaller. For performance reasons, it is advised to load multiple CSE settings into single GPOs where possible.
  • 68. Group Policy: Changing GPO Status is commonly used to improve performance, but… These settings are commonly used to disable Computer Configuration or User Configuration elements for GPOs that only have settings from one or the other. It is believed that disabling the “other” settings improves the performance of the Group Policy engine. It actually makes no difference to processing. It is advised to leave the settings as “Enabled”.
  • 70. Group Policy: Group Policy Preferences Printers
  • 71. Group Policy: Computer Configuration versus User Configuration items
  • 72. Group Policy: Filters are crucial to GPO processing. Security filtering is done by permissions on the GPOs. WMI filters (especially LDAP or product queries) adversely affect GP processing; remove them where possible. In Group Policy Preferences, using Item-Level Targeting (particularly OU, LDAP Query, Domain, Site, or Computer Security Groups) also increases the required processing time, although it can be difficult to replace this with Security Filtering.
  • 73. Group Policy: Design and structure. Try to keep the AD structure as simple as possible. Try to separate objects by AD security groups and OUs. Avoid complex filtering. Avoid flat structures. Review Group Policies on an ongoing basis. Minimize use of Group Policy Preferences where possible. Remove GPOs that are unlinked or inapplicable. Use AGPM if possible for change
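One way to carry out the review that slides 72 and 73 describe (unlinked GPOs, WMI filters, GPOs with no settings) is the inventory below. It is an added example, not code from the presentation; the function name `Get-GpoHygieneReport` is hypothetical, and it assumes the GroupPolicy RSAT module and read access to every GPO in the domain.

```powershell
# Added example (not from the presentation). Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

function Get-GpoHygieneReport {
    [CmdletBinding()]
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The XML report carries the link list and the per-side extension data.
        [xml]$xml = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
        $links    = @($xml.GPO.LinksTo | Where-Object { $_ })
        $active   = @($links | Where-Object { $_.Enabled -eq 'true' })

        [pscustomobject]@{
            Name                = $gpo.DisplayName
            GpoStatus           = $gpo.GpoStatus
            LinkCount           = $links.Count
            EnabledLinkCount    = $active.Count
            WmiFilter           = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { $null }
            HasComputerSettings = [bool]$xml.GPO.Computer.ExtensionData
            HasUserSettings     = [bool]$xml.GPO.User.ExtensionData
            Modified            = $gpo.ModificationTime
        }
    }
}

$report = Get-GpoHygieneReport

# Candidates for removal: no link anywhere, or every link disabled.
$report | Where-Object { $_.EnabledLinkCount -eq 0 } |
    Sort-Object Name | Format-Table Name, LinkCount, GpoStatus, Modified

# GPOs that pull a WMI filter into processing.
$report | Where-Object WmiFilter | Format-Table Name, WmiFilter

# GPOs that define no settings on either side.
$report | Where-Object { -not $_.HasComputerSettings -and -not $_.HasUserSettings } |
    Format-Table Name, Modified
```

Confirm each candidate in GPMC before deleting it, and back the GPO up first so the change can be reversed.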
  • 74. Citrix Policies: Take the same approach with Citrix policies
      • Use them in AD rather than FMA where possible
      • Take care with filters (monitor and assess)
  • 76. Group Policy: What are asynchronous and synchronous processing modes?
  • 77. Group Policy: Foreground and background processing. Foreground processing occurs when a user logs in. Background processing occurs when a Group Policy refresh is initiated. Background processing is ALWAYS asynchronous. Foreground processing can be synchronous or asynchronous.
  • 78. Group Policy: Enabling policies for asynchronous mode
  • 79. Group Policy: Caveats for asynchronous processing – prior logons. If a user has not previously logged on to a machine, then user policy processing is ALWAYS synchronous. User prior logon is NOT measured by the presence of a profile or cached credentials. Registry keys in the user’s ntuser.dat file indicate whether there has been a prior logon. Set the following in the default user profile: KEY – HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\State; Value – NextRefreshMode REG_DWORD 2; Value – NextRefreshReason REG_DWORD 0
  • 80. Group Policy: Caveats for asynchronous processing – user object settings
  • 81. Group Policy: Caveats to asynchronous processing – other CSEs
  • 82. Group Policy: Asynchronous processing – Citrix UPM considerations
  • 83. Group Policy: Asynchronous processing – logging and testing
  • 84. Group Policy caching: Used to speed up foreground synchronous processing only
  • 85. Group Policy: Asynchronous processing – summary
      • Ensure that the GPOs are set to allow asynchronous processing (one policy on clients, two on RDSH servers)
      • Ensure your default profile or template profile has the Registry values added at HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\State for NextRefreshMode and NextRefreshReason
      • On a server OS, make sure the RDSH role is installed, otherwise every logon will be synchronous (1-to-1 you’re out of luck)
      • If you need Folder Redirection policies, use Group Policy Preferences Registry Items to set the User Shell Folders values directly, rather than using GPO CSEs. Note for some folders (like Downloads) you may need to look up the GUID reference. The easiest way to do this is to actually configure the redirection policy through the CSE, then check the Registry to see what the GUID name is, then set it up as a GPP instead.
      • NEVER use Software Installation Policies via GPO, if you can at all avoid them
      • Don’t worry about defining home folders, profile paths and logon scripts on the user object - this doesn’t affect processing, in my testing (although bear in mind I did all of it on Server 2016 and Windows 10)
      • If you’re using UPM, don’t use the home drive as part of the user profile path
      • If you do need to use synchronous CSEs, update them as little as possible
      • Group Policy Preference Drive Maps won’t cause a problem unless you’re on an older (pre Win-8/2012) OS. If you are on the older versions, find a better way to deal with mapped drives
  • 86. On CVA, enabling asynchronous processing will make the most difference to logons
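The two Registry values named on slides 79 and 85 can be written into the default profile as follows. This is an added example, not code from the presentation; the function name `Set-DefaultProfileGpState`, the temporary mount name and the default hive location are assumptions. It loads the hive, writes the values and always unloads again, which is the step slide 61 warns about.

```powershell
# Added example (not from the presentation). Run elevated on the master image.
function Set-DefaultProfileGpState {
    [CmdletBinding()]
    param(
        # Assumption: the default profile lives in the standard location.
        [string]$HivePath  = "$env:SystemDrive\Users\Default\NTUSER.DAT",
        # Temporary mount name chosen for this example.
        [string]$MountName = 'DefaultProfileTemp'
    )
    $mount = "HKU\$MountName"
    $state = "$mount\Software\Microsoft\Windows\CurrentVersion\Group Policy\State"

    # reg.exe is used instead of the Registry provider so that no .NET handle
    # is left open on the hive, which would make the unload fail.
    & reg.exe load $mount $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load $HivePath" }
    try {
        $values = [ordered]@{ NextRefreshMode = 2; NextRefreshReason = 0 }
        foreach ($v in $values.GetEnumerator()) {
            & reg.exe add $state /v $v.Key /t REG_DWORD /d $v.Value /f | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Could not set $($v.Key)" }
        }
        # Return what was written so the caller can verify it.
        & reg.exe query $state
    }
    finally {
        & reg.exe unload $mount | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Hive $mount is still loaded; unload it before sealing the image."
        }
    }
}

Set-DefaultProfileGpState
```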
  • 87. Logon scripts: Using logon scripts (either AD user object or through GPOs) can cause delays. Since Server 2012 logon scripts do not actually execute at logon anyway; a GPO needs to be configured to make them execute at logon. Logon scripts should be avoided (or at least minimized) and configuration items handed off to GPP or another tool. Synchronous logon GPO only applies to multiple scripts. Drive mappings can be avoided by using EFSS tools and Folder Redirection. Run logon scripts in PowerShell preferably.
  • 88. Logon scripts: If you can’t get rid of them, at least disable them on your Citrix environments! Filter out any Logon Script GPOs. Save the following script:
        @echo off
        set UserInitLogonScript=
        start %systemroot%\system32\userinit.exe
        exit
    Save the script somewhere local to the image. Replace the contents of HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon – Userinit with the path to the script. Any user object logon scripts will then be ignored entirely.
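Whatever the Winlogon Userinit value points to runs at every interactive logon, so the replacement script from slide 88 has to be writable by administrators only. The check below is an added example, not code from the presentation; the function name `Test-UserinitTarget` is hypothetical, and it assumes each Userinit entry is a full path without arguments.

```powershell
# Added example (not from the presentation). Run elevated on the image.
function Test-UserinitTarget {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -LiteralPath $winlogon -Name Userinit).Userinit

    # SIDs that may legitimately hold write access to a Winlogon target:
    # SYSTEM, BUILTIN\Administrators, TrustedInstaller.
    $trusted = 'S-1-5-18', 'S-1-5-32-544',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    # Userinit is a comma-separated list; every entry is launched at logon.
    $entries = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{ Path = $path; Exists = $false; WritableBy = $null; Ok = $false }
            continue
        }
        # Collect every Allow ACE that grants a write-type right to a non-trusted SID.
        $risky = foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.FileSystemRights -band $writeBits) -eq 0) { continue }
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -notin $trusted) { $ace.IdentityReference.Value }
        }
        [pscustomobject]@{
            Path       = $path
            Exists     = $true
            WritableBy = @($risky) -join '; '
            Ok         = -not $risky
        }
    }
}

Test-UserinitTarget | Format-List
```

The check covers the file's own ACL only; a writable parent folder still allows the file to be replaced, so keep the script in an administrators-only directory.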
  • 92. Drive mappings: Problems. Drive mappings always insist on validating the drive when it is mapped, and also when it is rendered within the shell. Drive mappings use letters of the alphabet, and as such are restricted in their scope. Often scripts or applications have references to drive letters hard-coded. Often other configuration items are dependent on the existence of the drive mapping.
  • 93. Drive mappings: Home drives. Don’t use home drives! Either use OneDrive/ShareFile or other EFSS solution, or… …just redirect the Documents folder!
  • 94. Drive mappings: How can we deal with departmental drives? Use document management systems instead (like SharePoint). Use the method specified in this article - https://james-rankin.com/articles/dealing-with-network-drive-mappings-in-citrix-environments/ - to create shortcuts to network locations that show in the shell without mapping drives. If you can’t do that, you can reduce the amount of drive mappings required by using a single root and ABE.
  • 95. Rather than mapping multiple drives, map to the root of a filesystem structure once. Then control each department’s access through NTFS and ABE. ABE ensures folders the user can’t access don’t appear even in the view. This will decrease the amount of mapped drives required if they can’t be gotten rid of entirely. (Diagram labels: Old method, New method.)
  • 96. Review and remediate your organization’s use of mapped drives
  • 97. Folder Redirection: Try and move away from redirected folders if possible. (Diagram labels: XenApp/XenDesktop; File server; Fast storage; %USERPROFILE%; {Downloads}; Redirection for Documents, Pictures, etc. (either standard or to EFSS); High-volume access; Low-volume access.)
  • 98. Folder redirection - summary: What are the key takeaways?
      • When redirecting, use Registry direct – don’t redirect to mapped drives – don’t map Documents to the root of home drives
      • Use “normal” Folder Redirection or EFSS to handle low-volume areas like Documents, Pictures, etc.
      • Don’t redirect Downloads – use it as a scratch area
      • Think very carefully about how you handle possible redirection of Desktop. May be best to encourage users away from it
      • For high-volume areas like AppData, Recent Items, etc., use a VHD mounting tool
      • Ideally, redirect the user profile root to a VHD, to allow captures of LOCALAPPDATA etc.
      • Other large files (SFB GAL, Outlook OST, Search database, etc.) can also possibly be handled by VHD mounts
  • 99. Use VHD mounting to replace Folder Redirection in most areas
  • 101. UserInit – Active Setup: Removing or disabling these can also reduce first logon times. Active Setup is a mechanism for executing commands once per user early during logon. Active Setup is used by some operating system components like Internet Explorer to set up an initial configuration for new users logging on for the first time. It is a way of hard-coding user-specific data. Active Setup runs before the desktop appears. Commands started by Active Setup run synchronously, blocking the logon while they are executing. Active Setup employs neither a timeout nor any other mechanism to determine if a StubPath process it started is still alive, so if it hangs, the entire logon will stop. You can disable Active Setup entries by removing the StubPath entries from all [GUID] subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components. Alternatively you can disable them by using the SysInternals AutoRuns tool. It is recommended to check all the Active Setup entries and remove as
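To check the Active Setup entries as slide 101 recommends, the StubPath values under both keys can be listed and then removed one at a time with a backup. This is an added example, not code from the presentation; the function names and the backup directory are hypothetical. The listing doubles as an inventory of every command that runs for a user's first logon.

```powershell
# Added example (not from the presentation). Run elevated.
$ActiveSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)

function Get-ActiveSetupStub {
    foreach ($root in $ActiveSetupRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            # Read the raw string so %variables% show exactly as stored.
            $stub = $key.GetValue('StubPath', $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ([string]::IsNullOrWhiteSpace($stub)) { continue }
            [pscustomobject]@{
                Component = $key.GetValue('')       # default value holds the display name
                Id        = $key.PSChildName
                Version   = $key.GetValue('Version')
                StubPath  = $stub
                KeyPath   = $key.PSPath
            }
        }
    }
}

function Disable-ActiveSetupStub {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Entry,
        [string]$BackupDir = "$env:SystemDrive\ActiveSetupBackup"   # example path
    )
    process {
        if (-not $PSCmdlet.ShouldProcess($Entry.KeyPath, 'Remove StubPath')) { return }
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        # Export the subkey first so the entry can be restored with 'reg import'.
        $native = (Get-Item -LiteralPath $Entry.KeyPath).Name      # HKEY_LOCAL_MACHINE\...
        $view   = if ($native -match 'WOW6432Node') { 'wow64' } else { 'native' }
        $file   = Join-Path $BackupDir ("{0}_{1}.reg" -f $view, ($Entry.Id -replace '[^\w{}.-]', '_'))
        & reg.exe export $native $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup failed for $native" }
        Remove-ItemProperty -LiteralPath $Entry.KeyPath -Name StubPath
    }
}

# Review first, then remove only entries confirmed as unnecessary.
Get-ActiveSetupStub | Sort-Object StubPath | Format-Table Component, Id, StubPath -Wrap
# Get-ActiveSetupStub | Where-Object Id -eq '<GUID to disable>' | Disable-ActiveSetupStub -WhatIf
```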
  • 102. Shell phase. In-session performance can affect *new* logons
  • 103. Performance management: Take steps to ensure server or desktop performance is always good. MONITOR! Use WEM or UWM or other tool to manage performance. Don’t forget these tools are band-aids – always address underlying issues. Use ad-blockers. Pay attention to hungry applications like Skype, Teams, Slack, Chrome, etc. Use optimizations from Citrix. Redirection policies can help.
  • 105. SysInternals AutoRuns: Should be run on base image and verified
  • 106. Scheduled Tasks: Validate all existing Scheduled Tasks so that unnecessary processes don’t run during logon
  • 107. Understand impact of new apps: Ensure you dissect any new applications added
  • 108. Tools to help troubleshooting: When you’re struggling, you need to dig deeper
  • 109. Image optimization is crucial – do it well and do it often
  • 110. Logon times comparison: Windows 10 1809 on CVD and Windows Server 2016 on CVA. Windows 10 1909: before 261.4 seconds average, after 10.1 secs average. Windows Server 2019: before 52.7 seconds average, after 8.2 secs average.
  • 111. Summary: Key takeaways rundown. Use fast storage and make sure your hardware is running without issue. Ensure AD is optimal (particularly subnets and DNS configuration). Avoid networked profiles; adopt an appropriate solution to handle user settings if smooth roaming is required (if Win10, ditch the UWP crap with that ADK trick). Configure AV correctly (or get rid of it!). Put UX at the heart of all designs and planning; make sure you do proactive holistic monitoring, and adopt software to do this if necessary. Rationalize and optimize your Group Policy – get asynchronous user processing enabled if possible. Ditch logon scripts, folder redirection and drive mappings and replace them with other configuration methods. All other image optimizations should be applied where possible.
  • 113. Thank You. © eG Innovations, Inc | www.eginnovations.com | +1 (866) 526 6700 | info@eginnovations.com