Reduce Citrix logon times by up to 75%

This post covers several recommendations that increased by logon times by more than 75%, even on non-persistent machines where the user profile is not permanently cached.

♣ What is Interactive Session Time?
♣ My testing environment
♣ Non-optimised image vs optimised image – logon time results
♣ Serialize/StartupDelayInMSec – logon time results
♣ Autologon account/the second logon is quicker – logon time results
♣ UPMEvent – logon time results – Saving the best to last

Citrix Director is great at recording logon times per session and logon averages over periods of time. We can even produce logon reports and show them off to managers or other teams within the organisation to show them how good (or bad) the virtual workspace performs! Though without any effort you’ll likely be wowing everyone for the wrong reasons until you put in the background work to get logon times down to a low number. Citrix unfortunately doesn’t magically make logons quicker than any other desktop.

Many of the logon friendly optimisations and best practices out there today are straight forward and common sense and help to get you started:

  • Keep GPOs at a minimum (don’t be GPO happy).
  • Don’t map tonnes of drives, especially to users who do not need them.
  • Don’t map tonnes of printers. Joe who prints to two printers doesn’t need 13 printers mapped to his machine.
  • Avoid using logon scripts, these are only going to add time to the logon.
  • Move Group Policy settings to Citrix WEM.

There are more, and I’ll cover off some additional ones in this post to really reduce logon times. If you’re interested in some more tips, see http://www.jgspiers.com/citrix-tips-tricks-tweaks-suggestions/

Also, if you’re interested in finding out more about the logon process see http://www.jgspiers.com/digging-in-to-citrix-logon-process/

So you’ve performed all of the above and more, you’re timings tells you that logon times are no longer than 20 seconds. You look at Director and the logon times are double. Why? There is still one recorded metric that:

  1. Not everyone knows what exactly it is and or struggles to understand it.
  2. Takes a bit of work getting the metric value to reduce, although once you know what it does it’s easier to shave the seconds off.

That metric is: Interactive Session Time.

What is Interactive Session Time?

From https://www.citrix.com/blogs/2016/08/19/interactive-session-of-logon-duration-in-citrix-director-explained/

It is the time taken to handoff keyboard and mouse control to the user after the profile of the user is loaded for a session.

Event ID 2 is initially logged on the VDA shortly after the desktop/application icon is clicked within Receiver client or Receiver for Web. This event triggers the Interactive Session timer which ends once Event 1000 is logged to indicate that the session is ready for use. Event ID 1000 is logged by the Citrix Profile Management service.

So whilst Director records logon times, it is important to understand that this is the time taken from clicking to launch a resource until the machine is actually usable even though the actual logon may have completed some time before that. This produces innacurate results in Director for true logon times so let me show you how you can almost eliminate Interactive Session times, get overall logon times reduced and get Director logging much more accurate data.

My testing environment

For the following logon tests, I used XenDesktop 7.13, running PVS 7.13 and a 7.13 VDA configured with 2GB RAM and 2vCPU. The VDA runs Windows Server 2016 with no optimisations to start however as you will see later it does become optimised and improves logon times. The Target Device Write-Cache is configured as RAM w/overflow to HDD (which is on SSD storage).

Note: The following configurations can be applied to both Server and Desktop OS in persistent and non-persistent environments. You don’t have to implement all of them, consider each one individually. Logon times will also fluctuate based on factors such as load (busy periods), VDA performance and underlying hardware used.

Non-optimised image vs optimised image – logon time results

I built a brand new Windows Server 2016 VDA streaming from PVS. Nothing else was performed on the image. Logged on three times. The average logon time is 68 seconds. That time has advantages such as being able to go and make coffee or produce a logon time report from Director to show your boss, which probably won’t go down all that well. Add applications, larger profiles, Group Policies in to the mix and more seconds get added.

So I’ve gone and optimised my image using the Server 2016 optimisation script. You know optimising an image brings a great sense of satisfaction, not to mention the average time is now down to 38 seconds! That is 20 seconds shaven off just by optimising the image.  Notice also that the Interactive Session time has been greatly reduced, that is because the image is a lot more leaner and can get a session ready more quickly.

Serialize/StartupDelayInMSec – logon time results

It was blogged about here https://xenappblog.com/2016/optimize-logon-times/. Windows Server 2012 and Windows 8 introduced a startup delay for applications which has a negative effect on Interactive Session times. By disabling this delay we can start the applications immediately, not an issue if you have only a few. On the write-mode PVS/MCS gold image or Citrix App Layering OS Layer, launch RegEdit -> HKEY_USERS -> File -> Load Hive.

Load the default user hive by navigating to C:\Users\Default and double-clicking NTUSER.DAT.

Give the hive a name and click OK.

Within the hive navigate to SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer and create a new key called Serialize.

Create a new DWORD 32-bit value within the Serialize key.

Give the value a name of StartupDelayInMSec and a data value of 0x0.

Click File -> Unload Hive.

Click Yes. Finalise the image.

Note: You could have done this through Group Policy, but since it applies to all users we want to reduce the need for Group Policy processing and extra logon processing.

The results of this optimisation show logon time averages down to 27 seconds. An 11 second drop. Remember that each logon here is on a non-persistent machine. The machine is restarted between each logon so as to mimic a first-time session logon (post restart) to VDA where no profile is cached. These current logon times look a lot better and are good for a first-time logon after VDA restart.

Autologon account/the second logon is quicker – logon time results

When a VDA restarts as part of scheduled reboots for example or when non-persistent desktops reboot to reset, the first logon is generally always the longest. So I thought of the idea to use an auto-logon account to be the guinea pig and be the one who first logs on when a VDA restarts. This works well particularly in server OS since the autologon account when it logs off doesn’t trigger any sort of restart to the VDA.

You can use Autologon as pointed out by Chris in the comments. This tool easily configures an autologon account and encrypts the password. https://technet.microsoft.com/en-us/sysinternals/autologon.aspx

When launching autologon, enter the credentials to your autologon account and click Enable.

Click OK. The Winlogon Registry Key will be configured with DefaultUsername/DefaultDomainName string values and so on however the DefaultPassword will not be present and is encrypted.

Restart the VDA. If autologon does not work the first time run through the Autologon tool again and it should work on second attempt.

You can now configure the logoff procedure as described below.

For an alternative method of autologon (this section includes the autologoff procedure):

Open the gold PVS/MCS image again or the OS Layer (Citrix App Layering). On the C:\ drive, create a batch file and call it something like AutoLogon.bat.Within the batch file, enter the following:

Now open RegEdit and navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrrentVersion\Winlogon.

Set the AutoAdminLogon value to 1.

Set DefaultDomainName to your domain name as below.

Set DefaultUserName to a user account (service account) which has rights to log on to each VDA. This user account should be secured with a strong password and be a Domain User only. If this DefaultUserName REG_SZ string does not exist, create it.

Set DefaultPassword to the password of the autologon account. Click OK.

Right-click the Winlogon key and select Permissions.

Click Add. Search and add the autologon account.

Give Full Control permissions. This allows the autologon account to delete the DefaultPassword string after each logon. Finalise the image.

Now using Group Policy, create a GPO which is filtered to the autologon account as below. Edit the Group Policy obejct.

Expand User Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7).

Under General specify a name. Specify Run only when user is logged on and run the task under the autologon account. For Configure for choose Windows 7 or the highest possible OS.

On the Triggers tab click New.

For Begin the task choose At log on. Check Specific user or group and select the autologon account. Click OK.

On the Actions tab click New.

For Action choose Start a program. Under Program/script enter the path of your batch file which resides on the gold image. Click OK.

Your scheduled task is now created.

Now when the VDA boots up, an autologon occurs. The Scheduled Task runs a batch file which deletes the DefaultPassword string immediately for security and then logs off. The machine is then ready for real user logons.

As a result, the average logon time has dropped to 20 seconds. A 7 second drop. Interactive Session times are a lot lower than when we started these optimisations, over a 40 reduction!

UPMEvent – logon time results – Saving the best to last

Note: This really only applies now to VDA 7.13 and below. Citrix made a change in 7.14.1 that allows upmEvent.exe to run quickly out of the box. To read more visit http://www.jgspiers.com/reduce-citrix-director-interactive-session-time/

For VDA 7.13 and below:

If you had implemented what I am about to show you first, you probably could have cut Interactive Session time by more than 60% immediately.

The Interactive Session time is calculated once Event ID 1000 is logged on the VDA. The faster UPMEvent.exe runs the quicker Event 1000 is logged and the calculation is complete.

So ideally we want the UPMEvent.exe to run once we see that desktop wallpaper screen as that is when the logon is complete. By default, it instead runs some time after the profile has loaded.

The StartupDelayInMSec key added earlier simply speeds up when run keys (startup applications) are started. Hence why the Interactive Session time is decreased because UPMEvent.exe is started quicker since we removed the startup delay.

So what is faster than startup applications specified within run? Removing the upmEvent.exe run key and moving it to the Userinit string as described in http://www.jgspiers.com/reduce-citrix-director-interactive-session-time/

What else is faster than startup applications specified within run? A log on Scheduled Task.

Open your gold image or Citrix App Layering Platform Layer (the Platform Layer should contain your VDA). Launch RegEdit and navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete the Citrix UPM UserMsg string. Finalise the image.

Now using Group Policy, create a new GPO which applies to all users logging on to the VDA.

Within the GPO expand User Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7).

On the General tab specify a name. Keep the task running under %LogonDomain%\%LogonUser%. Set Configure for to Windows 7 or the highest available OS.

On the Triggers tab click New.

For Begin the task choose At log on and for Any user. Click OK.

On the Actions tab click New.

Under Action select Start a program. Under Program/script enter “C:\Program Files\Citrix\Virtual Desktop Agent\upmEvent.exe” and beside Add arguments (optional) enter wait. Click OK.

Click OK to finish creating the Scheduled Task. Now UPMEvent.exe will be run by the Scheduled Task immediately when the desktop shell has loaded.

With UPMEvent.exe being ran now by the Scheduled Task the average logon time has dropped to 13 seconds. A further 7 second drop. Notice the Interactive Session times are all at 3 seconds, more than 50 seconds lower than when we first started. Director is logging true logon times and our future reports will be much more accurate.

Note: In VDA versions before 7.7, upmEvent was called upmUserMsg.


104 Comments

  • Jeremy Saunders

    May 6, 2017

    Outstanding article George. And there are so many other things too. I do all this accept for the Autologon task. I’ll give that a try.

    I find that a Scheduled Task that runs at startup to start each app (process), such as winword.exe, etc, loads the executable and libraries into memory/cache, and then terminate each process, speeds up launching of the published apps (and logon times) after a reboot.

    Cheers,
    Jeremy

    Reply
    • George Spiers

      May 6, 2017

      Thanks Jeremy. Yes, definitely solid advice to start main applications up as you say. All part of a good machine preparation process.

      Reply
    • Jeremy McAtee

      July 7, 2017

      hey Jeremy, do you have specific settings in your scheduled task you could share?

      Reply
      • George Spiers

        July 7, 2017

        If you want my two-cents, I’m running a script similar to the below:

        start notepad.exe
        timeout /t 1
        start iexplore.exe
        timeout /t 1
        start C:\”Program Files (x86)”\”Microsoft Office”\Office16\WINWORD.exe
        timeout /t 1
        start C:\”Program Files (x86)”\”Microsoft Office”\Office16\EXCEL.exe
        timeout /t 1
        start C:\”Program Files (x86)”\”Microsoft Office”\Office16\POWERPNT.exe
        timeout /t 1
        start C:\”Program Files (x86)”\Adobe\”Acrobat Reader DC”\Reader\AcroRd32.exe
        timeout /t 3
        taskkill /IM notepad.exe
        timeout /t 1
        taskkill /IM iexplore.exe
        timeout /t 1
        taskkill /IM WINWORD.exe
        timeout /t 1
        taskkill /IM EXCEL.exe
        timeout /t 1
        taskkill /IM POWERPNT.exe
        timeout /t 1
        taskkill /IM AcroRd32.exe

        I’ve reached out to Jeremy and alerted him to your comment so you should hopefully hear something soon.

        Reply
        • Ronnie Pedersen

          November 16, 2017

          Hi George (and others), and thank your for the helpfull article.

          I now have a working setup for our persistent W2016 Xenapp 7.15 VDA’s, but even though the most common applications are loaded and later taskkilled, it doesn’t seem like there is a noticable improvement in load speed, for new users.

          In other words, even though I log into a “prepared” desktop, there is still a very noticable speed difference between the first and second run of any given app.

          Am I expecting to much, or should I be able to get “first run” application load times on a desktop where the autologon has run (with app startup) comparable to regular “second run” times, on a Desktop where there has been no prep?

          No, I haven’t collected any hard metrics, and am only working on feel. So there may in fact be a measurable improvement – even though the WOW factor isn’t present 🙂

          Reply
          • Ronnie Pedersen

            November 16, 2017

            Non-persistent VDA of course…

          • George Spiers

            November 16, 2017

            Hey, do you mean published Citrix apps or applications within a shared desktop i.e. Chrome, Office etc.?
            For published apps, have a look at session prelaunch http://www.jgspiers.com/citrix-application-session-prelaunch/

          • Ronnie Pedersen

            November 17, 2017

            I’m talking apps within a shared desktop, Chome, IE, Office and so in, installed directly on the golde image.

          • George Spiers

            November 17, 2017

            I wouldn’t spend too much time on those as personally I’ve not had any noticeable gains. I prefer to spend more time reducing logon speeds.

      • Jeremy Saunders

        July 7, 2017

        Hey Jeremy,
        I’ve written a PowerShell script that runs as a standard Computer Startup Scheduled Task as the System account. The script references an XML file that holds a list of all the processes, wait times, sub processes to also terminate, etc. If you e-mail me at jeremy@jhouseconsulting.com I will be happy to supply it.
        Cheers, Jeremy

        Reply
    • Alex G.

      December 21, 2017

      Thanks – this is great. You don’t have any script available for 2012 R2 though?

      Also, since the Serialize/StartupDelayinMSec value is stored in HKLM/Software, do we really need to change the default profile?

      Reply
  • Chris

    May 8, 2017

    Hi George,
    Great article, i’ll definitely be looking to implement some of these soon.
    Regarding autologon, Sysinternals have a tool that encrypts the password so deleting it wouldn’t be necessary
    https://technet.microsoft.com/en-us/sysinternals/autologon.aspx

    In my experience, the first time it is run doesn’t always work but a second run through directly after the first does.

    Chris

    Reply
  • LUIS

    May 8, 2017

    Thank you George
    — Jorge

    Reply
  • Mark

    June 17, 2017

    Thank you George for sharing this article – I have been scratching my head with finding a easy to implement solution for my XA7.6 VDAs which get rebooted using a script and the first user who logs on always takes a long time and also the CPM also seems to be failing. This is only casuing an issue for the first user only.

    I tested the steps in my lab but I used the Autorun utility instead of the batch file method and i am somewhat confused as to whether I should just have Call logoff in the batch file? I tried this and even used Shutdown.exe /l but when I restart the VDA the user autologons but for some reason the logoff is not happening. I followed exactly the same steps as in your article.

    Thanks
    -Mark

    Reply
    • George Spiers

      June 17, 2017

      Hi Mark
      You don’t need the batch file at all. In your scheduled task, under Program/Script type logoff

      Reply
      • Mark

        June 19, 2017

        Hi George,
        Thank you for your prompt reply. I tried it but for some reason it doesn’t seem to log off. Just curious I take it I do not need to configure the Winlogon Key and Permissions etc when using the Autlogon tool?

        I deleted the GPP policy and recreated it but for some reason it is not applying. My Lab DC is WS2008R2 and the Test VDA is 2012R2 could this be the reason it is not working?

        Reply
  • George Spiers

    June 19, 2017

    No you won’t need to configure permissions and it will just be a standard domain user account you use. Should also not make any difference the OS versions you use. When the autologon account logs on, look at the scheduled task run result code.

    Reply
  • Mark

    June 20, 2017

    I tested it by creating a task schedule in the VDA and it works perfectly, but using the GPO the settings do not seem to be taking affect – but the concept is working so I will do some troubleshooting of my Lab AD and try and get it to work.

    Just wanted to touch on Jeremy’s point about starting up applications as part of the logon process. Do I simply add all the office apps such as Winword, Excel, Powerpoint etc as triggers and place the logoff at the end. But will that work because the apps will be forcefully closed at log off. Would that be okay?

    Reply
    • George Spiers

      June 20, 2017

      A do a bit of testing should be performed yourself to visually see how applications behave after their processes are terminated. Don’t use the logoff task to kill the processes but rather use taskkill and then logoff afterwards. I’ve not encountered any issues with doing this.

      Reply
      • Mark

        June 22, 2017

        Thank you for the Taskkill tip. I will do some testing with it as I am quite new to XenApp7.
        I haven’t been able to get the logoff to work using the GPP settings. Not sure why it is not working. Could it be, when using the Autologon utility it requires a different GPO configuration? I can run the scheduler in the VDA but that is not going to be ideal to bake it in the image.

        Reply
        • George Spiers

          June 22, 2017

          No the GPO either using batch file to logoff or explicitly specifying a logoff switch in the Scheduled Task is all that is requried. You need to determine why it is not applying.

          Reply
  • Kevin Kutzera

    July 6, 2017

    This is remarkable work. I’ve moved forward with a new XD 7.14 deployment using a Windows 10 Enterprise that has been highly optimized (lots of services off, lots of bloatware removed). Very satisfying to see 9 second logon in Director! Interactive Session went from 48 seconds to 3!~
    The only challenge is that the actual time from “click on the icon” to useable desktop is about 40 seconds. Now this is within acceptable range for our goals here, but I’m curious if there’s any other steps I could take to align Director with actual login? I’ve implemented everything listed in this document except the Autologon process . WEM is wonderful by the way! So the logon process spends about 30 of the 40 seconds at the Window Welcome wheel, then about 10 seconds at the splash screen for WEM. Again this is great, but just wondered about the Directory Reporting which I understand is based on certain events occurring. This is a completely new system , not yet in production, so I have the luxury of full control including server reboots, and recreating catalogs (we’re using MCS). There’s currently only 3 vms in the catalog I’m testing. Hosted on XenServer, shared iSCSI storage is SSD based, on a 10GB connection. UPM Profiles with test uers’s profile nearly non-existant. No AV installed yet.

    I might setup a process monitor to capture the logon process, see what’s going on.
    Thanks
    Kevin

    Reply
    • George Spiers

      July 6, 2017

      30-40 seconds is too long to be sat at Welcome to Windows. Try disabling the Citrix Telemetry Service and see if that has any improvements, remove as much UWP apps as possible, remove as much Active Setup registry keys as possible. Even see if the same symptoms exist on a standard Windows 10 machine with nothing else performed, then gradually apply optimisations and changes whilst continuing to track logon times. Also as you say Procmon would be a good tool to see what is going on.

      Reply
      • Kevin

        July 7, 2017

        Thanks George!

        Reply
    • Mikael

      September 7, 2017

      Mind providing the way you have removed Win10 bloatware and managed to keep the start menu intact with search functions etc working?

      Reply
      • Kevin Kutzera

        September 8, 2017

        A scripts I found on the Internet. I will submit more details early next week. I didn’t save search functionality, but I know the script can be modified to leave that alone. Start menu works but is mostly blank. We provide the user’s with the approved applications as desktop shortcuts.

        Reply
      • Kevin Kutzera

        September 11, 2017

        Hello,
        So I found the specific script I used. Carl Luberti shared his work with a Powershell script named ConfigAsVDI.ps1. It’s rather extensive and per his recommendations you should review what it does carefully. You also need to make sure you’re using the correct Enterprise build of Windows 10. Several other people have shared their scripts that all do similar things removing software that cannot be conventionally uninstalled.
        Personally I think WEM (vs. AD Group Policies) was the most significant performance improvement. It would be valuable to test a single Windows 10 setup in the two different environments.
        Regards
        Kevin

        Reply
  • Ryan

    July 6, 2017

    When trying to run the scheduled task to run upmevent, the scheduled task fails for my users with an “access denied” error, but it runs fine for my admin account which of course is an admin on the image. Any ideas?

    Reply
    • George Spiers

      July 6, 2017

      Did you check “run with highest privileges” when creating the task? If so, uncheck that. If you haven’t checked it, what’s the scheduled task run result code and what OS? As a logged in user who fails, try manually browsing and running upmevent.exe.

      Reply
      • Ryan

        July 7, 2017

        I believe this actually turned out to be AV related. Once I added upmevent.exe as an exception it appears to be working now.

        Reply
  • Pingback: Image Optimization Analysis – Citrix XenApp | James Kindon

  • Jan Goormans

    October 3, 2017

    Top article. We use Ivanti Environment Manager. Would it be better to implement the UPMEvent.exe scheduled task at logon through Appsense?

    Reply
    • George Spiers

      October 3, 2017

      Thanks. I would pick the method which runs quickest after the shell has loaded.

      Reply
  • Glenn Jacobsen

    October 11, 2017

    Hey George

    We are an Application Service Provider providing a Citrix solution for our customers. We have a broad range of applications installed, not only a barebones installation.

    Our logon time is 37 seconds, where the Interactive Session is on average 32 seconds, mainly due to the first logon, but around 20-23 seconds for every consecutive user.

    Do you think we could reduce this to 10 seconds based on your optimizations?

    Reply
    • George Spiers

      October 11, 2017

      Hi Glenn. Can’t say fully that it will reduce as much as 10 seconds because all environments are different and GPOs, Profile loading and so on have impacts on the Interactive Session Time. I would bet there is some reduction. There is only one way to find out. Perform the optimisations in your testing environment and report back with results?

      Reply
  • mike

    October 12, 2017

    Hello George,
    The scheduled task configured with group policy preferences should be visible in task scheduler, right? For some reason the change does not seem to work for me and when troubleshooting I’m not able to see the task? Using Window Server 2012 R2

    Reply
    • George Spiers

      October 12, 2017

      That’s correct. Sounds like the policy isn’t applying. Run a GP Result or RSOP when logged in to confirm if it is.

      Reply
  • Matheen

    November 9, 2017

    Hi, Excellent post,
    Do you have any article or reference on how to improve graphics performance with in the session? I have 7.15 LTSR with 2008 R2 VDA performing poorly over VPN connection. Users using standard application feel the interface is bit clunky
    Tried setting up default policy (citrix policy) but it is not helping.

    Reply
    • George Spiers

      November 9, 2017

      Did you have a look at policy templates to get started such as the Optimized for WAN template? They are good starting points. For 2008 R2 you have to use Legacy Graphics Mode.

      Reply
  • Mike

    November 13, 2017

    Hi there,
    I am trying to improve the logon performance for a non-persistent WIn7 64bit Enterprise built using Citrix App Layering. Since this Image is for call center users I have decided not to use User Profile Management. I have opted for a reboot after logoff option. Each time when a user logs freshly it is taking about 60 secs to being able to start using it.

    I have disabled the Active Setup using the Citrix App Layering Optimiser which is part of the tools but hasn’t made much of a difference. The Image has been optimized for VDI using a script for Win7 from VMware View but I am using it in XenDesktop. I have not tried the AutoLogon option within the Optimizer. (Has any one tried it?)

    Anyone got any ideas as to how I could improve the logon times.

    Reply
    • George Spiers

      November 13, 2017

      Have you Citrix Director configured? If so, look at the logon statistics to see what exactly is taking the time. It could be Group Policy, Logon Tasks, profile loading etc. Have you moved UPMEvent to a Scheduled Task? Have you looked at WEM? http://www.jgspiers.com/citrix-workspace-environment-manager/

      Reply
  • Mike

    November 13, 2017

    Thank you for the reminder on getting Director configured. Mine is a test lab and I didn’t install Director as yet it was in the back of my mind .. So I got it working and I am getting 49 sec logon duration timing. GPOs are taking 5 sec, Profile load is 2 sec and Interactive session is showing as between 29 to sometimes up to 35 sec. I have got the WEM setup but not configured any policies as yet.

    The actual timings starting by clicking on the Storefront Launch using a split stopwatch timings is as follow:

    Windows – 8.5 secs
    Preparing your Desktop – 17 sec
    Start Menu – 25 sec

    Active Setup has been disabled by deleting the stubs in registry,

    Not sure why the interactive delay is so long when in actual fact there is no UPM/Network Mandatory profile in use. The use case is for call center users and they only need to run a few local apps (layered) and the others are WEB url shortcuts. No user personalization.

    I know the first time a user profile is created it takes longer than subsequent logons. My aim is to ensure have the least amount of network dependency in order launch the session and to simplify DR.

    Reply
    • George Spiers

      November 13, 2017

      What is “Start Menu”? Is that a policy? It’s too long. Also normally I find that Interactive Session time can be reduced by tuning the OS. I know you already have performed optimisations, but I like to use various sources and not just a single script for VMware View. Also, if you are using PVS then use cache method “Cache on RAM with overflow to HDD”. If you are using MCS make use of I/O Optmisations.

      Reply
  • Mike

    November 13, 2017

    I think there seems to be a problem with my layer which has the optimizations.

    I checked the registry settings by disabling the locked down GPOs and found that the Active Setup stubs for things like Windows Mail are still being created. I know the reason “Preparing your desktop” is taking a lot of time is because of the Active Setup.

    I have created a separate layer in which I have run the Win7 Optimization script and deleted the Active setup stubs using the Unidesk Optimizer but I ran these optimizations on a non-domain joined packaging VM.

    Since I am using Citrix XenDesktop MCS should I be running all the optimization on my Platform Layer?

    Reply
    • George Spiers

      November 13, 2017

      I usually recommend performing all possible optimisations in the Platform Layer. This means nothing will overwrite it, since that Layer gets the highest priority.

      Reply
  • Mike

    November 13, 2017

    Thank you for your quick reply. I will create a new version of the MCS Platform layer which in the case of XenDesktop is a domain joined layer. I am a bit confused as to how I should apply the optimizations because there is no Sysprep being run.

    Should I start with the Optimizer tool found in the Windows\Setup folder? Can you please recommend what is the best way to do it correctly considering I am using App Layering to build the pooled desktop image.

    Reply
    • George Spiers

      November 13, 2017

      Yes the Platform Layer is the domain joined layer. You pick tools of your choice. Citrix Optimizer, VMware Optimization Tool and so on. Look at what each optimisation is going to to and achieve, determine if you need an optimisation and if so include it in the Platform Layer. Once you have finalised the Platform Layer you push the complete image out to MCS for distribution. There is no need for sysprep because here you have multiple XenDesktop VMs all working of a single fully configured Gold Image. Sysprep used to be required for the old Unidesk solutions.

      Reply
  • Mike

    November 13, 2017

    I have just spun up a new Platform Layer, and the Citrix VDA is already installed in it from the previous layer. I think I will first start with using the built in Optimiser (ver 5.3) and see how it performs. I wish to also select the Autologon option so should I run Optimizer batch file on the packaging VM without joining it to the domain?

    Reply
    • George Spiers

      November 14, 2017

      Don’t use “Optimize.hta” from C:\Windows\Setup\Scripts. Instead use the Citrix Optimizer – https://support.citrix.com/article/CTX224676 – Also your Platform Layer has to be joined to the domain, and if you wish to use autologon then follow the steps from this blog post.

      Reply
      • Mike

        November 14, 2017

        I was actually wondering if in v4.x the “Optimize.hta” and its output batch file customizations.cmd is even being used at build time? I know in v2.9 the unattend.xml used to run the different batch files at boot time. I created a new Platform layer yesterday using the Optimizer.hta and only added the Autologon settings but haven’t got round to testing the image. I will report back later today.

        The point Victor made about having some issues with using the Autologon method in this blog post for VDI use. What I was thinking is if I was to follow the below steps for creating the Platform Layer would it not achieve the same goal. The image should get primed with the user account and it should speed up the new user logons for a non-persistent desktop which flushes the state at log off. What are your thoughts on this?

        1. Install the VDA
        2. Join the Domain
        3. Log on as a  network user (this can be the autologon account) and “don’t” delete the user profile.
        4. Reboot
        5. Finalize

        Reply
        • George Spiers

          November 14, 2017

          No App Layering does not use Customizations.cmd during the finalisation of layers or when publishing a layer. You have to run it manually, but I recommend exploring other tools such as the Citrix Optimiser to perform your optimisations on the Platform Layer. Your process would work but I still found that when the image was published out, the first logon always took longest, so I used autologon to get around that. Note that autologon for me was configured manually via RegEdits and not by using Optimize.hta.

          Reply
  • Victor O

    November 14, 2017

    Thank you very much for this post! I’ve implemented much of it with great success, but I’ve encountered an odd issue that I would appreciate your input on.

    One of my implementations is the AutoLogon. I implemented this on a non-persistent environment, and the default reboot-after-use behaviour. Everything is fine for most VMs most of the time. Unfortunately, some VMs reboot after the AutoLogon account logs off, and keep cycling through re-initializing and autologon for minutes or hours. Eventually, they’ll stop that behaviour and sit at the logon screen as an available VM. I checked flags of a problematic VM, and the AutoLogon account is resulting in WillShutDownAfterUse being True.

    Should the AutoLogon tweak on non-persistent reboot-after-use VMs work (like 90% of the time in my environment)? If so, any ideas why it seems to be misbehaving ~10% of the time?

    Thank you.

    Reply
    • George Spiers

      November 14, 2017

      I wouldn’t normally have advised to use autologon for VDI machines and I wouldn’t have expected it to work at all due to the behaviour of a machine rebooting after logoff. At the same time though I’m wondering if the 10% are rebooting because they had registered with a Delivery Controller which sent the restart power action to the VDA once the autologon account had logged off. Is it possible you can configure the “Citrix Desktop Service” service to “Automatic (Delayed Start)” on the VDAs and see if autologon works for all desktops after? My thinking is that we want to get autologon to do its piece before the VDA registers with a Delivery Controller. I might be wrong and it might restart regardless of registration state. In that case it’s best not using it for VDI.

      Reply
      • Victor O

        November 15, 2017

        I had thought it odd when it worked during my testing, but just went with it because it improved logon times. I’ll give your suggestion a shot and let you know how it goes. Thank you.

        Reply
      • Victor O

        November 23, 2017

        I tried your suggestion, but even setting to Automatic/Delayed seemed to be running before the AutoLogon got in there – perhaps something else was inducing a start.

        So, I set the service to Disabled on the Master image, and I Enable/Start the service during the logout call on the AutoLogon user. The issue has not re-appeared on the updated images. It seems like a viable method to use AutoLogon to optimize a random image.

        Reply
        • George Spiers

          November 23, 2017

          Sounds like a viable method indeed. Nice one!

          Reply
  • Mike

    November 16, 2017

    Yes, I am of the same opinion as you George. I started to look at it for VDI because I had used it in Unidesk 2.x but now since v4.x i believe it has been deprecated.

    While on the topic of log on performance improvements, I wanted to get your thoughts on the correct steps for creating a Citrix MCS platform layer and adding the Citrix Optimizer settings followed by joining it to the domain followed by a log on using a domain account and a reboot. This process should create all the first logon files on the OS. Then delete the network account profile and finalize. But I am not too sure whether the packaging VM must be disjointed from the domain before finalizing the Platform layer using local admin. The reason why I ask is that is how I had created my platform layer previously because it requires to be joined to the domain. Could do with your thoughts.

    Reply
    • George Spiers

      November 16, 2017

      Hi Mike. To create Platform Layer follow these steps:

      1. Install VDA
      2. Join Platform Layer to domain
      3. Run Citrix optimisations
      4. Log on to Platform Layer as a domain joined account, log off, remove profile from Platform Layer
      5. Perform final reboot of Packaging Machine
      5. Finalise Platform Layer

      Platform Layer remains joined to the domain.

      Reply
  • MIke

    November 17, 2017

    Thanks George. I will give it a try and report back.

    Reply
  • Nate W

    November 17, 2017

    I’ve tried to follow the UPMevent part of this for my Windows 10 VDI desktops. I removed it from the registry, have a GPO that runs UPMEvent.exe, have checked on the task scheduler to see if it is there and runs but no information gets recorded on Director about the login time and it doesn’t seem to improve the login. Right now with a bare bones test user I am at 33-40 seconds. I’m not sure what I am doing wrong…

    Reply
    • George Spiers

      November 18, 2017

      The reason you aren’t getting login time stats in Director is because UPMEvent is not running, even though your scheduled task is running. Double check the scheduled task configuration and when UPMEvent does run, you will get a “Desktop Ready” event log (ID 1000).

      Reply
  • Mike

    November 18, 2017

    Hi George,

    I followed the steps and it works great perfectly. Thank you so much for putting on the right track!

    I tested the Citrix optimiser and VMware optimization tools but what I don’t quite like about the canned optimizations scripts almost always I have users complain about how plain and bland their Windows 7 VDI desktops look. The problem is with the settings for Visual Effects :

    For Best Performance.
    reg ADD “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects” /v VisualFXSetting /t REG_DWORD /d 0x2 /f

    For Custom which means no visual enhancements.

    reg ADD “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects” /v VisualFXSetting /t REG_DWORD /d 0x3 /f

    I would like to set the default profile for all uses to be either set to Best Performance or custom but with have the “Use visual styles on windows and buttons” option enabled.

    I have tried everything but failed to configure this setting for all users when using the optimization script. I will be grateful if you can shed any light on how to script the reg settings into either a batch or powershell script.

    Thanks!

    Reply
    • George Spiers

      November 19, 2017

      Hi Mike

      There is no point running a script and/or optisization tools that add registry entries to HKCU. Reason being is that the HKCU hive used to add these optimisations will be on the account you are running the optimisations from. So it will be only affect that account and no other account.

      When you want to apply optimisations to all users I prefer to use Citrix Workspace Environment Management or else on a layer such as when using App Layering, load NTUSER.DAT from C:\Users\Default and create the optmisations in there. That means all users will receive them when they log on.

      Using a template machine, set the visual effects to custom and then uncheck/check the effects you want/don’t want. Then grab the value of “UserPreferencesMask” under “HKCU\Control Panel\Desktop”.

      You then want to make sure this UserPreferencesMask binary value is created for all users via WEM/GPO or else by using the NTUSER.dat method. You also want to make sure VisualEffects is set to 0x3 using the same methods.

      Reply
  • Mike

    November 20, 2017

    At the moment I am trying to get my first Citrix App Layering v4.4 Win7 Image for a call centre use case working with just local user profiles and I have gotten stuck with this one issue.

    Thank you for your tip on how to pipe the HKCU settings into NTUSER.DAT. I am doing the same thing but what I am seeing is when I load the default profile hive the settings are all registered. But when I logon as a new user in the packaging VM the Visual effect is very inconsistent most times it is set for Best Performance (like the Win2k8). The UserPreferences Binary value I have in my reg script is 9012038010000000 but it changes to 9e3e078012000000 and as a result it reverts it “Let Windows choose what’s best for my computer”.

    Ideally I would have liked to use the Citrix Optimiser tool but for some reason it sets it to Best Performance making the desktop very bland. If anyone knows how to reliably apply the “Use visual styles on windows and buttons” to all users either using a script or GPP I would like to hear from them.

    I think I will have apply the settings using GPP and see if it is consistently applied and later I can spend more time in getting the optimization script to apply all the settings for Visual Effects correctly.

    Reply
  • Matheen

    November 20, 2017

    Hi,
    I have windows 2008 r2 VDA on 7.15 VDA. It is taking around 30+ seconds to login. The bulk of the time (12 seconds) has taken for “Preparing for Desktop” (HSD) and preparing for application for Published Application. The interactive session in Director is showing as 18 sec.
    I followed the article and it has not made any difference on the logon duration (not sure if your article is more for 2012 and above)
    Is there anything you can suggest to bring logon duration down?

    Reply
    • George Spiers

      November 20, 2017

      There are several recommendations:
      Optimisations including disabling all unneeded Services, Scheduled Tasks, removing Active Setup keys and so on.
      If using PVS, make sure you are using RAM Cache with overflow to HDD. Also assign 2GB to RAM cache.
      If using PVS, use 1GB NICs and above
      If using MCS, make sure you are using XenApp/XenDesktop 7.9+ to make use of RAM cache
      Use flash storage for HDD Overflow disks
      If using App Layering, take care when using Elastic Layers as they add to logon time
      Run UPMEvent.exe as a Scheduled Task rather than a Starup Program
      If you can, size the VMs with vCPU and RAM appropriately
      Check logon profiles are not too large. Use a user profile solution like Citrix Profile Management to stream the profile rather than cache, and keep the profile light
      Use folder redirection

      Refer to here for more tips: http://www.jgspiers.com/citrix-tips-tricks-tweaks-suggestions/

      If all the above fails, maybe 2012 R2 is simply faster.

      Reply
  • Mike

    November 23, 2017

    Hi George, I finally managed to get the Visual Effects working in the App Layer, but I must say the only way I was able to get it to work is by creating the “UserPreferencesMask” settings in the default profile manually as what you suggested. I was trying to use a batch script method to create the default profile HKU values but it just didn’t work reliably for new users.

    I have just tested the new image with the optimization layer which includes the visual effects so all good but I seem to have run into another problem. Director is measuring the logon time as below:

    VM start =11 sec
    GPO =0.47 (it is failing to load the settings)
    Profile Load = 1 sec (using local profile)
    Interactive session =4 sec

    I am a bit confused as to what is taking the 11 sec for VM start. Although, it is a non-persistent pool and set to reboot at log off but there are surplus powered on VMs in the pool (3 VMs).

    I haven’t gotten around to troubleshoot why the GPO settings are no longer being applied after updating the catalog with the newly created image. The VM’s are in the same OU as before. Any pointers?

    Reply
    • George Spiers

      November 23, 2017

      Is the time on the 3 VMs in sync with Domain Controller to receive GPOs?
      Have you actually logged on to one of the VMs and checked that GPOs have not applied?

      Reply
  • Mike

    November 23, 2017

    Yes the time appears to be correct and when I log on to the VMs it doesn’t pull the background from the netlogon share (I am going to copy the image locally later) and the Start Menu is all unlocked and I did a quick check by running GPUPDATE /FORCE logged in as a user but that did not seem to update the GPO. I will do some troubleshooting today.

    You know in v2.9 we had the option of loading the GPO into the image but now I am not sure how we can do that in v4.x is there a settings or a method you know off. I would like to bake the GPOs when the MCS creates the VMs.

    Reply
    • George Spiers

      November 23, 2017

      When you are creating your Platform Layer you can move the machine to an OU of your choice so it receives all the computer related GPOs.

      Reply
  • Mike

    November 23, 2017

    Thanks, now that I have the optimized app layer figured out I will now transfer the settings into the Platform layer and test if it improves the performance and reliability.

    Reply
    • George Spiers

      November 23, 2017

      Good luck 🙂

      Reply
      • Mike

        November 24, 2017

        I managed to troubleshoot the reason why the GPO settings were not applying. I ran the GPRESULT /R and found in the Computer settings the Domain Name was CITRXale002 and the Domain Level as NT4. Under the user settings the Domain Name was the same as the actual NetBIOS name of my Domain. The name CITRXale002 would have come from the packaging machine of a layer. Although the machine is joined to the domain and logged in as a network user but the Computer Name is wrong as far as the Active Directory registration is concerned. So I suspect there is some corruption of the layer(s) in the image.

        Secondly, I came across another issue relating to the VDA registration with the DDCs. The VMs are erratically unregistering or not registering. The network trace is indicating the VDA are doing a tcp-reset. I am not sure what is causing it but I wanted to ask you if whether disabling the firewall profiles would interfere with the VDA communications with the DDCs because when I installed the VDA I had the firewall profiles ON and chose the Automatic option during the installation.

        Reply
        • George Spiers

          November 24, 2017

          There should be no firewall issues. The fact it registers in the first place would indicate this is not a firewall issue. It is likely caused by whatever is causing GPOs to fail also. I would recreate your Platform Layer and join it to the domain at the beginning of layer creation, and keep it joined to the domain. MCS should then create identity disks which allow the VMs to receive different unique identities.

          Reply
  • Mike

    November 26, 2017

    Hi George, I finally got round to create a new domain joined platform layer with the optimizations.

    I published the new image with the newly created platform layer but the image update failed with the error: InternalErrorMessage : Operating System Licensing Rearm failed

    Is this because I forgot to rearm the platform layer again using C:\Windows\System32\slmgr /rearm ? If so do I now need to re-create a new platform layer all over again again or simply add another version?
    Thanks!

    Reply
  • Mike

    November 28, 2017

    Thanks George, I will read up your post on KMS. The problem turned out to be with the time being 8 hrs ahead so the activation wasn’t working. So in the end I powered on the image and manually ran the runaipkato.cmd and checked the runato.log to make sure the OS was activated before updating the MCS catalog.
    For some strange reason my packaging VM always has its time 8hrs advanced. Have you come across this behaviour. I just can’t put my hand on it, since the VMTools are installed in my OS. Every other new non-domain joined VM I spin up in VMware has the correct time.

    Reply
    • George Spiers

      November 29, 2017

      No I haven’t witnessed that before. Once you join the domain your Packaging VM should contact any domain controller for time. Try running command “w32tm /resync” manually on the Packaging VM.

      Reply
  • Mike

    December 1, 2017

    The problem is with the non domain joined app layer packaging machines. I just correct the time and restart the VM.

    I ran into another issue this time with the Citrix Receiver app layer, in the image along with a Java app layer etc. It was working fine suddenly I started to get an error:

    Please run reset receiver to resolve lockdown conflict for Disabled Drivers (error 2320)

    So when I do reset the receiver and try again to launch the XenApp session, the circle spins but doesn’t launch the app. The fqdn is in the trusted zone of IE11 but for some reason the ICA file association is broken. I must say after I installed IE11 on top of IE8 from the Windows 7 ISO I have been having this problem. Not sure if it is being caused by the Java layer and its Add-On.

    Because in this POC that I am trying to get working does not require SSO I decided not to install Receiver into the Platform layer and or the first time created an App layer for Receiver Client.

    Reply
  • Mike

    December 1, 2017

    I will give that a try when I republish the image again.

    I ran into another issue this time with not being able to launch a XenApp published app from IE11 connecting to a Storefront. It was working before but on this new image it is giving me the below error:

    Please run reset receiver to resolve a lockdown conflict for disabled drivers (err0r 2320)

    If I try resetting the receiver the error disappears but I can’t launch the published app, the circle spins and nothing happens.

    The VM Image also contains a Java Layer. I think the problem is to do with the IE Add-ons Java plug-in 2 SSV and SSV Helper be enabled or disabled.

    Any ideas?

    BTW: Because I am not using SSO so I decided (right/wrongly) to create a separate layer instead of installing it in the platform layer.

    Reply
    • George Spiers

      December 2, 2017

      Publish an image with just the OS Layer, Receiver Layer and Platform Layer together. If Receiver works then you know that another layer is causing this conflict.

      Reply
      • Mike

        December 10, 2017

        Sorry I was offline for a few days and for double posting.. Not sure why but when I posted the first time it just disappeared so I thought I try again.

        Thank you for the tip, the problem was in actual fact being caused by the Citrix Receiver GPO in which I had enabled “Do not map drives” A-Z drives and by changing it to C only the Launching error was resolved.

        Going back to the logon performance reported by Director, I am still seeing VM start up time being added to the stats when in actual fact the VMs are already powered on (they are random and set to reboot at logoff). So not sure why I am seeing the Start time being added.

        Reply
  • markinh

    December 13, 2017

    For nearly instant login i was thinking of creating a simple win32 app that will authenticate, map a drive, store credentials in the vault. Starts as custom shell and in turn starts explorer.exe+shell after authentication. This works well with windows 10. Not so good with Windows TS. If only Anonymous logon was supported with windows 10 …

    I tried but it seems difficult to publish a custom authentication as anonymous app on a TS and from there get a desktop.

    Reply
    • George Spiers

      December 14, 2017

      Interesting. Would be nice if you found out how to get it working on TS!

      Reply
    • Mikael Laine

      December 14, 2017

      How would you renew your tokens without login off first?

      Reply
      • markinh

        December 14, 2017

        No tokens. Using the Anonymous session. The time to desktop is the time the custom auth-app takes plus time to start explorer.exe/shell. E.g. 3 seconds with classic storage. Yes this breaks all services depending on AD/Kerberos. But depending on the scenario this could even be desired. Like kiosk print stations.

        Reply
  • Jake

    December 17, 2017

    What would you expect to happen if the “Citrix UPM UserMsg” string wasn’t deleted but you had created the scheduled task based on your instructions? I’m only asking because I updated from 7.13 to 7.15 CU1 and realized that string was probably recreated after updating. My logons jumped from an average of 11 seconds to about 18-22 seconds. I’m going back into my master image to delete the string, but still curious about what is happening under the hood.

    Reply
    • George Spiers

      December 19, 2017

      I would have thought that since the Scheduled Task would run quicker, there would be no change to logon times. Let me know if deleting the string resolves the longer logon times you are getting.

      Reply
  • Pingback: Image Optimization Tools Comparison Matrix - Dennis Span

  • Alex G.

    December 21, 2017

    Thanks – this is great. You don’t have any script available for 2012 R2 though?

    Also, since the Serialize/StartupDelayinMSec value is stored in HKLM/Software, do we really need to change the default profile?

    Reply
    • George Spiers

      December 21, 2017

      http://www.jgspiers.com/windows-server-2016-optimisation-script/
      Although the script was designed for 2016, some people have ran it on 2012 R2 and reported that it had worked fine.
      StartupDelayInMSec is stored in HKCU, which is why I put it in the default profile. It can also be distributed by Citrix WEM or GPO for example.

      Reply
      • Alex G

        December 21, 2017

        Thanks, I guess I saw it wrong on some other site.

        Do you know of any tool to mass load and modify ntuser.dat for multiple users? I have 5 servers without centralized profiles, and I don’t want to delete everyone’s profile again since I did that already fairly recently 🙂

        Thanks again.

        Reply
        • George Spiers

          December 21, 2017

          You should just use Group Policy which will import the key in to the users HKCU hive! Easy enough done.

          Reply
  • Kyrian

    January 4, 2018

    George,

    you stated the following about your lab: “For the following logon tests, I used XenDesktop 7.13, running PVS 7.13 and a 7.13 VDA configured with 2GB RAM and 2vCPU. The VDA runs Windows Server 2016 with no optimisations”.
    how is your broker / Storefront / PVS configured in terms of hardware?

    great article btw!

    Reply
    • George Spiers

      January 4, 2018

      They are all just standard 2vCPU and 2-4GB RAM. Nothing special, running on a Hyper-V host.

      Reply
  • Jeff

    January 6, 2018

    Hi, love your Blog, thank you very much for all the hints!

    But I got also a problem with the UPM event. The task from the GPO gets created and tries to start but it fails with “wrong parameter (0x80070057)”. (Maybe the right translation is invalid argument as the original error is in german.)
    I also tried “-wait” instead of “wait” only but it didn’t work. Any hints?
    The task itself is not configured to run at highest privileges. If I run the exe by clicking on it, I don’t see any errors but also no time in Citrix Director (seems to be OK as the logon is finished at the time i click on it manually)

    Reply
    • Jeff

      January 6, 2018

      Never mind, just found it.
      The path to the exe should not have ” around it. So it works as soon as I removed the ” in the task.
      Logon time 20 seconds, perfect!

      Reply
      • George Spiers

        January 8, 2018

        Nice! Thanks for sharing how these tips resulted in an improved logon experience for you.

        Reply
  • DaveG

    January 9, 2018

    Great blog George! I’m using Environment Manager to test these tweaks before updating our gold image and am having an issue with the UPMevent. I’m seeing 2x “eventid 1000 – the session is ready for use” in the eventlog? I’ve removed the reg value in HKLM\Run area (using Environment Manager computer startup action) and added it to Environment Manager, Desktop Created trigger/action. After a reboot, the VDA has the reg value removed.
    Disabling the Desktop Created action UPMEvent, and I still get 1x “eventid 1000 – the session is ready for use” in the eventlog? Any idea where this is coming from?

    Using XenApp 7.6+PVS and our logons are already very quick (10s, 5s interactive), but thought I’d do any tweaks to further improve!
    Thanks

    Reply
    • George Spiers

      January 9, 2018

      Thanks Dave. Sounds like there is something cached on the VDAs running upmEvent.exe.. I would disable Environment Manager actions etc. and then try running a ProcMon trace to see what exactly is running upmEvent.exe?

      Reply
  • Alan

    January 10, 2018

    Hi George,

    Love your blogs a lot! Using upmEvent in GPO Task Schedule can save 30 seconds in interactive sessions. But when I use External Task for upmEvent in WEM, the interactive session increase 70 seconds. Any reason causes this? My goal is to use WEM instead of GPO.
    Thanks

    Reply
    • George Spiers

      January 10, 2018

      Thanks! Yes that is because WEM is too slow to run upmEvent. It is best you use Scheduled Tasks.

      Reply

Leave a Reply