There are a lot of optimising tips and best practices that can be searched for on the internet for your Citrix environments. This article will collate some of these suggestions and then I would like to get down to some tests to see the improvements that can be made. I will use a new tool called Login PI which is made by those clever people at LoginVSI. This tool can log the speed of your Xenapp connections and session initialisation.
First thing is first – I would like to thank the amazing people out there who have already tested and provided optimisations. To this end I will provide the following links and they are all worth a good read. I have no doubt more recommendations will be added to this post over time.
http://benpiper.com/2011/12/7-ways-speed-citrix-xenapp-logons/
https://support.citrix.com/article/CTX101705
https://xenappblog.com/2016/optimize-logon-times/
https://lalmohan.co.nz/2015/10/07/citrix-xenapp-long-logon-times-and-potential-fixes/
https://wilkyit.com/2017/04/28/citrix-xenapp-and-windows-server-2016-optimisation-script/
https://virtualfeller.com/2016/04/18/microsoft-windows-10-citrix-xendesktop-and-logon-time/
https://msdn.microsoft.com/en-us/library/windows/hardware/dn567648(v=vs.85).aspx
https://support.microsoft.com/en-us/help/3147099/recommended-hotfixes-and-updates-for-remote-desktop-services-in-windows-server-2012-r2
https://support.citrix.com/article/CTX142357
http://www.carlstalhood.com/citrix-profile-management/#exclusions
https://www.loginvsi.com/blog/732-windows-server-2016-performance-tuning
My Generic Recommendations to apply are taken from all the above.
Generic Recommendations
Install all the recommended Security Microsoft Patches.
https://support.microsoft.com/en-us/help/3147099/recommended-hotfixes-and-updates-for-remote-desktop-services-in-windows-server-2012-r2
https://support.citrix.com/article/CTX142357
-
Set logon time expectation with users without session pre-launch or linger and this is from the point of application click after logon. Setting expectation is paramount. Why would you expect sub 10 seconds for a logon if your normal workstation cannot achieve this?
-
Design your profiles with folder redirection (User Configuration > Policies > Windows Settings > Folder Redirection.
-
Streamline your profile and use UPM exclusions - http://www.carlstalhood.com/citrix-profile-management/#exclusions .
Check the recommended exclusions after every UPM release.
-
Do not map every printer! Use default printer only if possible.
Start this application without waiting for printers to be created. "Set-BrokerApplication APPNAME -WaitForPrinterCreation:0"
https://support.citrix.com/article/CTX218333
-
Consolidate your GPO and enable Block Policy inheritance. Fewer GPO objects the faster logon will be.
-
Use Load throttling.
-
Use latest Receiver Client.
-
Use Director to provide you with valuable insights as to what parts of the logon process are causing issues.
-
Check logon scripts. Check for old mapped drives, printers that no longer exist.
-
Check for old, stale user profiles (not deleted after logoff). Configure profiles to be deleted after logoff (This does not enhance log on but is best practice).
-
Make sure users have full permission on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \MSLicensing registry key.
-
Disable virtual channels not in use (client drives, audio, printing, com ports, USB redirection) in the Citrix policies.
Disable unused parts of your GPO (Computer or User).
https://technet.microsoft.com/en-us/library/cc733163(v=ws.11).aspx
Disable or prevent apps from running once shell initialises. Use msconfig or right click app in task manager\Start up and set to disable.
Use Autoruns . This tool highlights what runs when a user logs in to a Windows Server. Run this and disable all that is not required for your environment.
Disable not delete all that is not required under the following:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components.
-
Remove Delay. VDAs based on Windows 8.x and Server 2012and 2016 Microsoft introduced a delay of 5-10 seconds for operating systems starting from Windows 8. To remove the delay, add the registry value StartupDelayInMSec (REG_DWORD) to 0 in HKEY_CURRENT_USER\Software\Microsoft\Windows \CurrentVersion\Explorer\Serialize (You can add the key “Serialize” if not present already). This will greatly reduce “interactive logon” delays.
Exclude the whole of \AppData\Local\Google\Chrome. Include the following as a start:
AppData\Local\Google\Chrome\User Data\First Run AppData\Local\Google\Chrome\User Data\Local State
AppData\Local\Google\Chrome\User Data\Default\Bookmarks
AppData\Local\Google\Chrome\User Data\Default\Favicons
AppData\Local\Google\Chrome\User Data\Default\History
AppData\Local\Google\Chrome\User Data\Default\Preference
Slow Initial Login When Using Folder Redirection
Modify the following registry entry, which controls the time wait.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
FolderRedirectionWait (REG_DWORD) in milliseconds
Default value is 5000 milliseconds or 5 seconds for each folder.
Valid values would be from 0 to as high as you want to go which would be the DWORD maximum.
AntiVirus
Recommend turning OFF Real-time scanning for MCS/PVS created images as they are only read only.
Run Real-time scanning on the network shares that hosts the profiles/home folders and also on the Write Cache location in case of PVS images. Run a full scan on writable images only.
In the system Control Panel, click the Environment In the System Variables section, click the variable Path. Add the following to the end of the string in the Value field at the bottom of the panel:
;%SystemRoot%\Fonts
Click Set. The changes take effect immediately.
IPv6 turned off if not in use. Slow boots could occur due to IPv6. See also this TechNet article.
To disable IPV6 I would recommend using the registry key instead since there is known issue when you unselect it in the network adapter settings.
Black screen – Might not be relevant after 7.9
https://support.citrix.com/article/CTX205179
Remove the full path from the AppInit_DLLs key.
Key Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Entry Name: AppInit_DLLs
Entry Type: String
New Entry Value: mfaphook64.dll
Old Entry Value: C:\Program Files\Citrix\System32\mfaphook64.dll
Key Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Entry Name: AppInit_DLLs
Entry Type: String
New Entry Value: mfaphook.dll
Old Entry Value: C:\Program Files (x86)\Citrix\System32\mfaphook64.dll
Delete entry HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC. This can be achieved by a login script.
REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC /va /f
Redused logon time from 55 seconds to 16-17 seconds. (KB 3161390)
OR
…add the location to the registry exclusion list in Citrix Profile Manager.
For memory consumption, you should consider the following:
Verify that DLLs loaded by an app are not relocated.
Relocated DLLs can be verified by selecting Process DLL view, as shown in the following figure, by using Process Explorer.
Here we can see that y.dll was relocated because x.dll already occupied its default base address and ASLR was not enabled
If DLLs are relocated, it is impossible to share their code across sessions, which significantly increases the footprint of a session. This is one of the most common memory-related performance issues on an RD Session Host server.
Disable NTFS Last Access Timestamps
By default, Windows keeps track of the last time a file was accessed through the “last access” time stamp. If you use this time stamp for backup purposes or you make frequent use of the Windows search function base on time stamp, then you may actually have a use for it.
In other cases you can disable the update and it will speed up Windows by avoiding having to update (write) that time stamp every time a file is read.
fsutil behavior set disablelastaccess 1
OR
Navigate to the following registry location:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlFileSystem
Right-click the right-side panel and select New > DWORD Value. Call it NtfsDisableLastAccessUpdate and give it a value of 1.
Here are some other optimizations you can add in to GPO preferences taken from Erics Xenapp Blog.
CtxStartMenuTaskbarUser – Windows 7 look on WS08R2 & XenApp 6.5
StatusTray – Provisioning Services
vDesk VDI – Personal vDisk
DisableStatus – Slow logon with black screen (Citrix XenApp 7.6 Slow Logon)
Generic AV recommendations
Recommend turning OFF Real-time scanning for MCS/PVS created images as they are only read only.
Run Real-time scanning on the network shares that hosts the profiles/home folders and also on the Write Cache location in case of PVS images.
Virtual environments
Remove CD-ROM drives from your virtual Citrix servers.
Hide VMware Tools Systray Icon –
HKLM\SOFTWARE\VMware, Inc.\VMware Tools
“ShowTray”=dword: 00000000
Note all your optimisations that are not out of the box!
Be careful when fully optimising an image as it might inadvertently break other stuff. I would go through my generic recommendations and if this proves a suitable logon time leave it there.
It might be better to trick user expectation by using session pre-launch or linger than go through a completely optimised image as if stuff does break troubleshooting might be difficult.
As with everything proof is in the pudding.
LOGIN PI Tests
I will reveal the tests of 3 scenarios using a tool called LOGIN PI in a future post.
1) Out of box Xenapp 2016 image.
2) My Rule of thumb recommendations applied.
3) 2016 optimisation using the Citrix Optimiser Tool.
Let’s see what we get!
Once you have installed the pre-requisites and downloaded the PI software click on the .exe and run it.
The below highlights that I am using SQL1 as a server and I input my administrative credentials.
Now we are at the stage where we are ready to configure LOGIN PI.
Browse to your License file and upload.
This will generate a powershell script for you to run on your Domain Controller.
Copy script to DC and run. The script should generate a new OU (LoginPI) with a subfolder and some target users as shown below.
Next, we return to our LOGIN PI configuration console.
The various types of connections you can do are highlighted here:
Now configure your environment settings.
Choose your workload
You have two options. Default workload - native windows apps will use applications already native to your O/S like notepad, calculator etc. Default workload – office apps will use word, outlook, Excel etc. The following office versions are supported. This can be seen under the office version tab within Environment Settings.
Next scroll down and you configure your connections.
Click the + icon and input a username and password (Previously generated via script or any other account that can launch sessions) and click CREATE. You can add as many accounts as you wish to test session launches.
To edit these settings, you can click the area highlighted in yellow above. Next highlight the yellow edit area shown below and fill in your connection settings. The example I have below is using a Storefront connection. For the Storefront URL use the Store URL. Put in your domain and the resource name is the name of your Published Desktop Resource.
Advanced settings you should not have to change.
Download the launcher setup file that is appropriate for your machine (32 or 64 bit).
Run the launcher.
In the next screen shot it is best to put the name of the LOGIN PI server you are connecting to if the machine is not the LOGIN PI server. Remember launchers can be put on multiple sites to test connectivity.
You will now have a new application icon
The above reminds me that your launcher machine must also have Receiver installed. (Try to use latest). Now when you launch this it will not work straight away. We still have some actions to carry out and then we need to approve the launcher machine.
We can choose the hours we want the launcher tasks to run using the accounts we set up previously and to start this we need to tick the Enable scheduling box and choose an interval of time between session launches.
Highlight your launcher by selecting the tick box and then hit ACCEPT.
Now when we click the LOGIN PI LAUNCHER we will initiate a connection to your desired published desktop resource and it will launch the native apps. This will be logged and recorded as part of your defined schedule for you to analyse in the LOGIN PI DASHBOARD. You should now see a desktop launch and initiate applications and then close. If you have an issue with the session connecting but no launching of applications the following needs to be installed on your Xenapp image.
