How to prevent users from deleting desktop icons using Group policy
User Lockdown
The following is a list of Group Policy Settings recommended by Microsoft to lock down a Remote Desktop Session Host / Citrix Session. These settings should go in the Citrix VDA Non-Admin Users GPO. All settings are located at User Configuration > Policies. This page assumes the GPOs have already been created and Loopback Processing has already been enabled. Some of the settings in this section might require the newer Windows Group Policy Templates.
Control Panel GPO Settings
Settings Page Visibility
The September 2018 patches for Windows 2016 and Windows 10 add control of Settings Page Visibility in both the Computer half of the GPO (applies to all users), and now in the User half of the GPO (can apply to non-admin users).
Desktop GPO Settings
If you prevent access to the Properties of the Computer icon then users might not be able to determine the name of the machine they are connected to.
On Windows Server 2016, screen saver idle time does not work. Arjan Mensch developed a tool to lock the screen after a period of idle time. Launch the tool from a Group Policy login script. Download the tool from Enforcing lock screen after idle time Windows Server 2016 RDS Session Host.
Start Menu and Taskbar GPO Settings
If you hide common program groups, then you will need some other method of creating application shortcuts for each user. Group Policy Preferences Shortcuts is the typical method.
Removing the Run menu prevents users from entering UNC paths or drive letters in Internet Explorer.
Start Menu pinned tiles
CTP James Rankin Dynamic Start Menu on Server 2016/2019 and Windows 10 using FSLogix App Masking
CTP James Kindon AppMasking The Windows Start Menu using FSLogix
Kasper Johansen The Windows Server 2019 Start Menu Is Playing Nice:
CTP James Kindon Windows 10 Start Menu: declutter the default:
CTP James Rankin Management of Start Menu and Tiles on Windows 10 and Server 2016, part #1 contains the following:
CTP Eric Haavarstein Customize Windows 10 Start Screen and Optimize for Higher User Density contains the following:
Microsoft Technet Customize Windows 10 Start with Group Policy.
System GPO Settings
Disabling registry editing tools also disables reg.exe. This is true even if silently is set to No.
Explorer GPO Settings
Borders: Windows Server 2019 File Explorer does not show borders around File Explorer. To add borders, see Geir Dybbugt Microsoft Server 2019: No window border/allwhite issue
To hide specific drive letters:
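
The drive-letter bitmask behind hiding drives, as an added example that is not part of the original page. It assumes the standard Explorer policy values NoDrives (hide in File Explorer) and NoViewOnDrive (block access) under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; the function names are hypothetical.

```powershell
# Added example, not from the original page.
# NoDrives / NoViewOnDrive are DWORD bitmasks: A = bit 0, B = bit 1, ... Z = bit 25.

function ConvertTo-DriveMask {
    # Build the DWORD to deploy (for example with Group Policy Preferences) from drive letters.
    param([Parameter(Mandatory)][char[]]$Letter)
    $mask = 0
    foreach ($l in $Letter) {
        $index = [int]([char]::ToUpper($l)) - 65
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor (1 -shl $index)
    }
    $mask
}

function ConvertFrom-DriveMask {
    # Decode a mask back into the letters it restricts.
    param([Parameter(Mandatory)][int]$Mask)
    0..25 | Where-Object { $Mask -band (1 -shl $_) } | ForEach-Object { [char](65 + $_) }
}

function Get-DriveRestriction {
    # Report what the current user's policy key restricts (run inside the user's session).
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($name in 'NoDrives', 'NoViewOnDrive') {
        $value  = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        $drives = '(not set)'
        if ($null -ne $value) { $drives = (ConvertFrom-DriveMask -Mask $value) -join ',' }
        [pscustomobject]@{ Policy = $name; Mask = $value; Drives = $drives }
    }
}

# Constructed sample: mask that restricts the local C: and D: drives.
ConvertTo-DriveMask -Letter 'C', 'D'
Get-DriveRestriction | Format-Table -AutoSize
```

NoDrives only hides the letters in File Explorer; NoViewOnDrive is the value that blocks browsing to them, so the two are usually set to the same mask.
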
CTP Dave Brett Secure Local Drive Access On Your EUC Endpoints explains how to block C: drive access from Chrome.
Windows Update GPO Settings
File Explorer
Hide Favorites, Libraries, Network and redirected local drives
Winhelponline Removing Quick access from Windows 10 File Explorer details the following registry value to remove Quick Access from File Explorer in Windows 10, or Windows Server 2016 and newer. (h/t Sean Bolding)
Terence Luk Hide Favorites, Libraries, Network and redirected local drives for Citrix and RDS published RemoteApp applications: See the Blog Post for instructions to edit the registry on the VDA to hide these items. Similar instructions are provided by David Wilkinson at Remove Quick Access from File Explorer in Windows Server 2016.
Explorer Notifications
From TenForums How to Hide or Show Sync Provider Notifications within File Explorer in Windows 10: Windows 10 1607 adds notifications inside File Explorer. To stop these, use Group Policy Preferences to set the following registry value:
Windows Spotlight
Windows 10 1703 and newer shows suggestions, tips and ads on various parts of Windows (Start Menu, lock screen, Action Center, Explorer, etc.). These notifications are configurable at User Configuration | Policies | Administrative Templates | Windows Components | Cloud Content. Also see Richard Hay Windows 10 Creators Update: Turn Off Suggestions, Tips, and Ads Throughout the Operating System and Chris Hoffman How to Disable All of Windows 10's Built-in Advertising.
Explorer Replacement
Instead of locking down Windows File Explorer, you can run a 3rd party Explorer like Tablacus Explorer. The tool is detailed by Marco Hofmann at Tablacus Explorer is an awesome replacement for explorer.exe as a #XenApp published Application!.
Flickering Icons
If you published a desktop on Windows Server 2016, and if you redirected the Desktop folder to a network share, then desktop icons might flicker. Helge Turk at XenApp 7.12/13, Server 2016 desktop icons flickering at Citrix Discussions resolved it by creating the following Registry Key using Group Policy Preferences:
Chrome
Use Chrome Group Policy to push the Chrome plug-in for Citrix's Browser Content Redirection feature in Citrix Virtual Apps and Desktops (CVAD) 1808 and newer.
Chrome 77+ Audio Issue
No Audio on Google Chrome version 77.x and newer inside ICA session. Newer Google Chrome ADMX templates let you disable the audio sandbox. User Configuration | Policies | Administrative Templates | Google | Google Chrome | Allow the audio sandbox to run = Disabled. Another workaround is to use Group Policy Preferences to deploy the following registry value: (source = CTX261992 Citrix Virtual Apps and Desktops: No Audio on Google Chrome version 77.x inside ICA session)
If the new Chrome-based Microsoft Edge consumes 100% CPU, then CTP James Kindon Deploying Brave and Microsoft Edge Dev Browsers in Citrix CVAD environments says a similar registry value is needed for the new Edge.
GPO ADMX Templates
Roam Chrome Settings
You can optionally enable Chrome's roaming profile support. For details, see Use Chrome Browser with Roaming User Profiles at Google Help.
Browser Content Redirection Extension
To force install the Chrome Extension needed for Browser Content Redirection in Citrix Virtual Apps and Desktops (CVAD) 1808 and newer:
Internet Explorer / Edge Settings
This section assumes the GPOs have already been created.
Internet Explorer First Run Wizard
When a new user launches Internet Explorer, the first run wizard appears. To prevent this from occurring, edit the Citrix VDA All Users GPO.
Internet Explorer First Run GPO Settings
Enhanced Protected Mode might disable Internet Explorer add-ons. Read the text to determine if it should be disabled. Users might see a message that Protected mode is turned off for the Local intranet zone. To prevent this message, do the following:
IE 11 in Windows 10 1703 and newer has a new button to open Edge.
4SysOps Disable Welcome to Microsoft Edge page and default browser prompt in Windows 10 1607: registry keys and PowerShell script to disable it.
Published Internet Explorer Settings Runonce
If a user launches Internet Explorer as a published application, then Internet Explorer might not be fully configured and thus some websites won't work. By default, Windows runs per-user configuration (ActiveSetup) of Internet Explorer only when the user connects to a full desktop, which doesn't happen when only launching published apps. To override this behavior so it works with published IE even if the user never connects to a full desktop, do the following:
Windows 8.1/2012 R2 might not run the script at logon. Configure the following GPO computer settings to enable the script (configure these in the Citrix VDA Computer Settings GPO):
Logon Script GPO Settings
Internet Explorer Group Policy Preferences
The Internet Explorer Maintenance settings in group policy (User Configuration > Windows Settings > Internet Explorer Maintenance) have been removed in Internet Explorer 10 and Windows Server 2012. If you run group policy editor on Windows Server 2008 R2 and try to add an Internet Settings object using Group Policy Preferences, notice there is no option to configure Internet Settings for Internet Explorer 9 or Internet Explorer 10. If you use group policy editor in Windows 8 or Windows 2012, then Internet Explorer 10 is an option. If you have access to Windows 8/2012, you can add an Internet Settings object for Internet Explorer 10.
When configuring a setting, notice the red or green lines (and red or green circles). Only green settings are applied. To change a setting to green, press F6 on your keyboard. To disable a setting, press F7 on your keyboard. As you look through the tabs, you'll see a bunch of green items. These green items will be applied and might not be the behavior you expect. To disable all settings on a particular tab, press F8. To turn them back on, press F5. On the Common tab you can check the box to Apply once and do not reapply.
Internet Explorer Security Zone Configuration
There is a group policy setting at User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page | Site to Zone Assignment List that can be used to put Internet sites in Internet Explorer security zones. However, users cannot add their own sites (the user interface in Internet Explorer is grayed out). This section details an alternative procedure for administrator-configured zones while allowing users to add their own Trusted Sites. Note: Zones can't be configured using a Group Policy Preferences Internet Settings object so instead you'll need to configure registry keys as detailed below.
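
One way to lay out per-user zone registry keys, as an added example that is not part of the original page. It assumes the standard ZoneMap\Domains layout (key = domain, optional subkey = host part, value name = protocol, DWORD data = zone number); the function names are hypothetical and the sites are constructed samples.

```powershell
# Added example, not from the original page. Writes to the per-user, non-policy ZoneMap key.
$ZoneMapSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneIds = @{ Intranet = 1; Trusted = 2; Internet = 3; Restricted = 4 }

function Set-SiteZone {
    param(
        [Parameter(Mandatory)][string]$Domain,     # e.g. corp.example
        [string]$Subdomain,                        # optional host part, e.g. portal
        [string]$Protocol = '*',                   # http, https, or * for any protocol
        [Parameter(Mandatory)]
        [ValidateSet('Intranet', 'Trusted', 'Internet', 'Restricted')][string]$Zone
    )
    $subKey = "$ZoneMapSubKey\$Domain"
    if ($Subdomain) { $subKey = "$subKey\$Subdomain" }
    # .NET registry API: the protocol '*' is a literal value name here, not a wildcard.
    $key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($subKey)
    try {
        $key.SetValue($Protocol, [int]$ZoneIds[$Zone], [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
}

function Get-SiteZone {
    # List every mapping so admin-pushed and user-added sites can be reviewed together.
    $zoneNames = @{}
    foreach ($name in $ZoneIds.Keys) { $zoneNames[$ZoneIds[$name]] = $name }
    Get-ChildItem -Path "HKCU:\$ZoneMapSubKey" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key   = $_
            $parts = ($key.Name -split '\\Domains\\', 2)[1] -split '\\'
            [array]::Reverse($parts)               # corp.example\portal -> portal.corp.example
            foreach ($valueName in $key.GetValueNames()) {
                [pscustomobject]@{
                    Site     = $parts -join '.'
                    Protocol = $valueName
                    Zone     = $zoneNames[[int]$key.GetValue($valueName)]
                }
            }
        }
}

# Constructed sample sites.
Set-SiteZone -Domain 'corp.example' -Zone Intranet
Set-SiteZone -Domain 'vendor.example' -Subdomain 'portal' -Protocol 'https' -Zone Trusted
Get-SiteZone | Sort-Object Site | Format-Table -AutoSize
```

On a server where Internet Explorer Enhanced Security Configuration is enabled for the user, Windows reads ZoneMap\EscDomains instead of ZoneMap\Domains.
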
Internet Explorer Home Page
If you don't have access to Windows 8/2012 group policy editor, configure the default home page using a registry key.
Proxy Settings
If you don't have access to Windows 8/2012 group policy editor, configure Proxy Settings using registry keys. Proxy Settings are stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Use Group Policy Preferences or similar to distribute the registry keys. To prevent users from changing proxy settings, also configure the following group policy setting.
Internet Explorer Performance
Julian Mooren at XenApp & Internet Explorer Improving User Experience details how to enable Tracking Protection in Internet Explorer to reduce XenApp CPU. The procedure uses Group Policy Preferences to set registry keys, and adds a folder to Citrix Profile Management synchronization.
LoginVSI Web Browsing & Advertising Impact on VDI Performance is a 33 page paper detailing how to enable Tracking Protection in Internet Explorer and Firefox, plus ad blocking plugin for Chrome.
Microsoft 365 Apps / Office 365 / Office 2021 / Office 2019 / Office 2016
Microsoft 365 Apps (aka Office 365) Planning
Microsoft 365 Apps ProPlus is supported on Windows Server 2019. Microsoft FSLogix can roam Office cache files (e.g. Outlook .ost file) and Search Index. FSLogix is free for most customers.
CTP Marius Sandbu Guide to Deploying Office 365 in RDSH and VDI Enviroment contains:
Citrix Implementation Guide Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x contains:
VMware Best Practices for Delivering Microsoft Office 365 in VMware Horizon 7 contains:
Office 2021 / 2019
Office 2021 and Office 2019 are Perpetual versions of Office, which means no new features until the next Office LTSC is released.
Office 2021 and Office 2019 require volume licenses. See Microsoft Office 2019 Volume License Pack for KMS server or Active Directory activation.
There is no MSI installer for Office 2021 or Office 2019. Instead, you use Office Deployment Tool to download and install the Click-to-run version of Office 2021/2019 Volume License. See Deploy Office LTSC 2021 or Deploy Office 2019 (for IT Pros).
The Office 2021/2019 icons/shortcuts do not say 2021 or 2019 on the end. There's no year designation. File > Account shows the version info, as does Apps and Features.
Office Group Policy Templates
Download the Microsoft 365 Apps / Office LTSC 2021 / Office 2019 / Office 2016 group policy templates. The same templates are used for all Office versions 2016 and newer. Microsoft renamed Office 365 to Microsoft 365 Apps. Choose the bitness that you installed. The default for Microsoft 365 Apps is x64.
Microsoft 365 Apps, Office 365, Office 2021, Office 2019, Office 2016
Group Policy and Tweaks
This section assumes the Group Policy Objects have already been created.
For Teams, edit the Citrix VDA Computer Settings GPO and enable the Group Policy settings shown below. Prevent the per-user version of Teams from installing with Office 365 (aka Microsoft 365 apps). Configure this GPO setting before installing Office. Then you can later install the machine-wide version of Teams. More details at Microsoft Docs.
Edit the Citrix VDA All Users GPO and enable the Group Policy settings shown below. All are located under User Configuration > Policies.
Office 2013 group policy settings are different than the group policy settings for Office 2016, Office 2019, Office 365, and Microsoft 365 Apps. If you want to copy Office 2013 settings to Office 365 / 2019 / 2016 settings, see Microsoft's Copy-OfficeGPOSettings PowerShell script.
Microsoft 365 Apps, Office 365, Office 2019, and Office 2016 are all version 16.0, thus the same GPO settings work for all of these versions. In Group Policy Editor, the GPO settings are under the Office 2016 folders.
Office Click-to-Run Accept EULA Window
To get rid of the Accept Office License Agreement button/window, use Group Policy Preferences to set the following registry values:
Office temp file errors
To prevent Office temp file errors:
Outlook and Windows Search
When launching Outlook, you might see the message Please wait while Windows configures Microsoft Office 64-bit Components. To fix the Outlook search problem, you can either install Windows Search Service (Windows Feature), or enable the GPO setting: Computer Config | Policies | Administrative Templates | Windows Components | Search | Prevent indexing Microsoft Office Outlook.
Office VL Activation not working
If Office 2016+ Volume License is not activating correctly, set the following registry value as detailed at Microsoft Office can't find your license for this application at Citrix Discussions:
Adobe Reader
Adobe Reader Group Policy
Disable Repair
In Adobe Reader, users can open the Help menu and click Repair Adobe Reader Installation. Then users are prompted to reboot. Obviously this is not good. Even non-admins can reboot.
Disable Updates
For Acrobat Reader DC, you must edit the registry to disable Updates. This also works for Adobe Reader XI.
In Adobe Reader XI, there is a GUI method of disabling updates:
Other Optimizations
Rick van Soest Removing The Cloud from Adobe Acrobat Reader DC:
Adobe.com Citrix Deployments: Before deployment, the product should be configured as needed. In particular, you will want to disable features and behaviors that should not be accessible to end users in an IT-managed environment. For example:
Scrolling performance
If scrolling performance is poor in graphic intensive documents, try the following:
Distiller performance
Citrix Files
Citrix Files allows you to access your files in ShareFile directly through a mapped drive providing a native Windows Explorer experience. Citrix Files replaces ShareFile Drive Mapper.
Citrix Files instructions:
To install Citrix Files:
Session Lingering:
To configure Citrix Files:
File Type Association
For the official Microsoft method of handling file type associations in Windows 10 and Windows Server 2016, see Windows 10 How to configure file associations for IT Pros? at TechNet Blogs. This article details DISM, XML, and Group Policy.
Christoph Kolbicz at SetUserFTA: UserChoice Hash defeated Set File Type Associations per User or Group on Windows 10 and 2016 developed a tool to set specific File Type Associations. No DISM or XML needed.
Also see the following:
Next Steps