Oct 21 2020


The Citrix WAN optimization policy (or “low bandwidth” policy) aims to compress and reduce the bandwidth used by the ICA protocol by lowering the visual quality for users with slow and unreliable connections. This article will benchmark the best possible configuration for the low bandwidth policy in a Citrix 7.15 LTSR CU3 environment.

Testing Protocol

In order to determine the most efficient WAN optimization policy in the Citrix environment (7.15 LTSR CU3), a benchmark tool is used to execute a predefined set of actions, so that data is collected consistently across the different test runs. The tool used for this documentation is PCMARK10 on Windows 2016. The test is composed of two specific configurations:

Web (Browsing + Multimedia): automated testing of HTML5 content rendered in a web browser, including video playback and rich media web browsing.

Office (Writing + Spreadsheets): automated testing of document writing, with text typing simulation, pasting of images and text blocks, page scrolling, and generation of spreadsheets with a large number of cells and graphics.

Web Browsing and Office tests are executed separately to measure the encoder performance in each context (multimedia or text).

Default configuration baseline

The ICA protocol configuration baseline for remote access by default is set to medium quality.

Specific settings excluded from configuration

Enable Extra Color Compression:
This setting adds extra picture compression at the expense of visual quality. The measurements during the benchmark showed that this option added an interesting gain in terms of bandwidth reduction, but the visual impact, especially on text, was not negligible. As you can see in the picture below, some text output is blurry and difficult to read.

The text is blurry beyond user acceptance when using Extra Color Compression

This option will be removed from the scope of the low bandwidth policy.

Target Minimum Frame Rate
The “Target minimum Frame Rate” setting is associated with the legacy mode (Adaptive Display or Progressive display configuration) but is still referenced in 7.15 LTSR when using the compatibility mode. It is not clear how this setting influences bandwidth compression at low FPS, so it is not included in the benchmark. The default value of 10 fps is used in all configurations.

Testing parameters

Different parameters are tested for a total number of six “Low Quality” tests (LQ1 to LQ6).

Test results

LQ5 is the most efficient configuration in this benchmark, with 65% gain in multimedia and web browsing testing and 47% gain in office and text testing, compared to the standard medium quality (MQ), and without noticeable compression artefacts and pixelisation. The use of selective H.264 encoding (LQ1 to LQ4) is slightly more efficient for web and multimedia activities, but gives less gain in office and text editing activities, and adds noticeable compression artefacts. For office and text editing, the “Compatibility mode” in LQ5, which uses traditional JPEG compression, is more stable (fewer artefacts) and more efficient for compression in this scenario. The 8-bit mode is interesting for office and text bandwidth compression but offers poor performance with web browsing and multimedia, and will substantially degrade the user experience in this mode.

WAN optimization user policy settings

The settings used in the policy are detailed below:

Desktop UI



Visual Display

Multimedia (redirection)

Low Bandwidth Policy Diagram

Sep 19 2020

I recently converted from VMware to AHV, and I wanted to show how I did Nutanix Files 3.7 with FSLogix. While I haven’t moved everything over yet, I have tested this very hard, and it’s solid as iron. I still use VMware for my datacenter servers, but we wanted our Citrix Environment on all Nutanix because it’s a solid product, and it’s simplified so that we can focus on other areas. This is how I did it, and I have learned a lot so far in the process. I am by far no expert, and this is for beginners like myself. I had a lot of help from the Nutanix Slack EUC channel, and especially Jarian Gibson. This is a single site, which is 3 FSVM only.

In regard to setting up Nutanix Files, this video is very useful.

Nutanix Files – Shares are not accessible from clients that are on the same subnet with Nutanix Files storage network


*****Client access network must not be on the Storage network. ****

Does not work:

File Client

Files Access Network

Files Storage Network


File Client

Files Access Network

Files Storage Network

Make sure that either the client is on a subnet different from the Storage Network or that all three the client, Files access Network, and Files storage network IP addresses belong to the same subnet.

The screenshot on deploying Files is very high level. The video will help you understand more.

For me, all I wanted was SMB. Then insert a username and password so it can join AD.

I left this blank

For the DNS and Naming, at first, I did this (automatic)

But I had some bad reverse PTR issues. So, I fixed them, then went and manually added it.

I made them Static Records.

Then I clicked on verify, and it was good.

Here is a pic I found on Christiaan Brinkhoff’s site that gave a logical understanding of the layout.

[Diagram labels: Outlook OST, Windows Search DB, OneDrive Cache, S4B]

I read a lot of material on 3.6 and one of the things I found was this


Ensure that the client and storage networks use a tagged VLAN. The client and storage networks must have separate subnets if the networks are not the same. If the same network is used for both clients and storage, then IP addresses must be unique. Clients on the same subnet as the storage network will not be able to access the shares or exports.

I am not 100% sure if this applies to 3.7, but I followed it anyway to make sure I had no issues.

Overview of the bigger picture.

The CVM and FSVM layer

Nutanix Files VMs have access to two networks:

  • External network – it is used by clients and external services communication
  • Storage or internal network – it is used for communication between Files VM and the Nutanix cluster.

The FSVM layer and communication

I used Prism element to configure this

Create the Nutanix Files – File Share

Open the file server menu in Prism Element and click on Create a Share/Export in the top right-hand corner.

You need to open the file server menu in Prism and click on Create a Share/Export to get in the list 

The name of the share will be the share name within the UNC path to the share of the Files

An example of my File Share is “FSLogix_Office_Containers”

After putting in the information above, you have the option to configure Access Based Enumeration to hide other FSLogix Office 365 folders/User Profiles from other users.

ABE can be compared with the Access Based Enumeration setting within Windows File Services as well


Running the CLI command afs smb.set_conf "restrict nonadmin access" "no" section=global isn’t needed for Files 3.7. I reached out to Jarian Gibson to confirm this as well. Thanks, Jarian!

 As I learned you will want to use distributed for Profiles. The explanation is below, and it is explained well.

Create a share/export (text from the screenshot):

Use "Distributed" share/export type instead of "Standard".
Best suited for home directories, user profiles and application folders. This option distributes top-level directories across Fileserver VMs and allows for increased capacity and user connections.
Note that only folders can be created at the root and these top-level folders must be managed using Nutanix Files MMC plugin and can be downloaded from […]. […] a distributed share/export cannot be downgraded to standard.

Options shown:
  • Enable Self Service Restore
  • Enable File System Compression
  • Enable Access Based Enumeration (ABE)
  • Blocked File Types: You can also block file types on the file server (all shares) from file server update
  • Encrypt SMB3 Messages

Now download the MMC from Nutanix to manage permissions. I found out that I still could manage permission for what I was trying to achieve. Once again I reached out to Slack about this, and it is for TLD permission, as René Bigler explained it to me. Thank you again.


Share permission you can’t change. You will need to control it with NTFS. I was updated by Jarian that you can modify shares. But you need to open MMC and add the Share snap-in.

“if you want to change share permissions from the default of Everyone full control you have to use Shared Folders MMC snap-in. If you don’t change default share permissions, then NTFS permissions will take precedence.”

Typically, on a Windows file share, I remove Everyone and lock it down with a group instead. It’s just something I have always done, and it’s just me. However, it’s not needed if the NTFS permission is set up correctly.

Screenshot from an example that was shown to me.

As you can see now, you can do this.

Set the NTFS Permissions on the Nutanix Files share

Make sure that the following best practices NTFS rights are set on the Nutanix Files – file share location. The procedure is the same as for a normal Windows File Server but now on the Nutanix Files namespace folder share

Open the File Share and open the Security properties

NTFS permission table

[From the screenshot; the User Account column is not legible]

Applies to | Permission
Subfolders and Files Only | Full Control
This Folder, Subfolders and Files | Full Control
This Folder, Subfolders and Files | Full Control
This Folder Only | Create Folder/Write Data
This Folder Only | List Folder/Read Data
This Folder Only | Read Attributes
This Folder Only | Traverse Folder/Execute File

This is how I did it below

[Screenshot: Advanced Security Settings for the share, with permission entries for Domain Admins, IT Service Desk Maint and Authenticated Users.]
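A way to check the scopes in the NTFS permission table above on a live share, as an added example that is not part of the original post. The function names, the `EXAMPLE` domain and the sample rules are constructed for illustration, and treating `CREATOR OWNER` as the "Subfolders and Files Only" account is an assumption, since the account column is not legible on the page.

```powershell
# Added example, not from the original post: audit the root ACL of an FSLogix share.
# Assumption: -AdminPrincipals lists the accounts that are meant to reach every container.

function Get-AceScope {
    param($Rule)
    $flags = [int]$Rule.InheritanceFlags            # 0 = none, 1 = subfolders, 2 = files
    if ($flags -eq 0) { return 'This folder only' }
    $names = @{ 1 = 'Subfolders'; 2 = 'Files'; 3 = 'Subfolders and files' }
    $kids  = $names[$flags]
    $inheritOnly = ([int]$Rule.PropagationFlags -band 2) -ne 0   # 2 = InheritOnly
    if ($inheritOnly) { "$kids only" } else { "This folder, $($kids.ToLower())" }
}

function Test-FslShareAcl {
    param(
        [Parameter(Mandatory)]$Rules,
        [string[]]$AdminPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    # Rights that let a principal rewrite the ACL of the share root.
    $aclWrite = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

    foreach ($r in $Rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $id          = $r.IdentityReference.Value
        $inherits    = [int]$r.InheritanceFlags -ne 0
        $inheritOnly = ([int]$r.PropagationFlags -band 2) -ne 0
        $finding     = 'OK'

        if ($AdminPrincipals -contains $id) {
            # Admin accounts may have full control at every level.
        }
        elseif ($id -eq 'CREATOR OWNER') {
            # Must only take effect on what each user creates below the root.
            if (-not ($inherits -and $inheritOnly)) {
                $finding = 'CREATOR OWNER should apply to subfolders and files only'
            }
        }
        elseif ($inherits) {
            # A user-level ACE that flows down reaches other users' container folders.
            $finding = 'User-level ACE inherits to child folders; restrict to "This folder only"'
        }
        elseif (([int]$r.FileSystemRights -band $aclWrite) -ne 0) {
            $finding = 'User-level ACE can change permissions or ownership of the share root'
        }

        [pscustomobject]@{
            Identity = $id
            Rights   = $r.FileSystemRights
            Scope    = Get-AceScope $r
            Finding  = $finding
        }
    }
}

# Constructed sample rules: four that follow the table and one deliberately too broad.
$ctor = 'System.Security.AccessControl.FileSystemAccessRule'
$sample = @(
    New-Object $ctor('CREATOR OWNER', 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
    New-Object $ctor('NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    New-Object $ctor('EXAMPLE\Domain Admins', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    New-Object $ctor('NT AUTHORITY\Authenticated Users', 'CreateDirectories,ListDirectory,ReadAttributes,Traverse', 'None', 'None', 'Allow')
    New-Object $ctor('EXAMPLE\Domain Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
)

Test-FslShareAcl -Rules $sample -AdminPrincipals 'NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins' |
    Format-Table -AutoSize -Wrap

# Against a real share, pass the live rules instead of the sample:
#   Test-FslShareAcl -Rules (Get-Acl '\\fileserver\FSLogix_Office_Containers').Access
```

Only the last sample rule is flagged: it grants Modify to ordinary users with inheritance, which would let one user open another user's container folder regardless of Access Based Enumeration.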

Here is my GPO for FSLogix. (Again, this is for RDSH 2016 and Windows 10 1607/1809.) Remember Server 2019 will be different, so please don’t enable Search in the GPO for Server 2019.

[Screenshots: FSLogix GPO settings. Legible setting names:
Office 365 Containers: Include Outlook personalization data in container; Include SharePoint data in container; Include Skype data in container; Number of per-session VHDs to persist; Store search database in Office 365 container; Sync OST to VHD; VHD location; Virtual disk type; Swap directory name components; Move OST to VHD.
Profile Containers: Allow concurrent user sessions; Delete local profile when FSLogix Profile should apply; Dynamic VHD(X) allocation; Profile type; VHD location; Swap directory name components; Virtual disk type.]

Profile: I logged in and my profile was created.


ODFC (Didn’t set the flipflop here-missed by mistake) 


Let’s test Access Based Enumeration

[Screenshot: properties of the Test Citrix account; Member of: Domain Users.]

I can’t see davism from my test citrix account.


Test NTFS permission on davism. I forced it so I could test the NTFS.

[Screenshot: “Destination Folder Access Denied. You need permission to perform this action” on the davism folder containing ODFC davism.VHDX.]

I must admit, it’s a very good feature Nutanix has, and I look forward to learning more around continuous availability (tech preview) and expanding this out to a DR site so the data can all replicate. I don’t know how to do this yet. But I will learn it soon.


Slack: Jarian Gibson and Nutanix-euc




Dec 23 2019

This is an older upgrade, but you can still use it as a reference point.

There are a lot of guides out there, and this isn’t to repeat any of them, but how I did it.

Great blogs



WEM Upgrade Process

*NOTE* I use BISF for all my images. In this post, you will see I don’t run these. BISF will do it for me when I seal up my image.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe eqi 3

WEM Upgrade layout

Infrastructure Services

  1. Run the installer of the Infrastructure Services version you want to upgrade to. 
    1. This may not be needed, but I do it as a safety net.
  2. You should manually stop the Norskale Infrastructure Services service before upgrading to ensure the upgrade is successful.
  1. Now start the Database Management Utility which will lead in 5b.

Upgrade Database

  1. Now launch the Infrastructure Services Configuration Utility again:
    1. “C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Norskale Broker Service Configuration Utility.exe”
  2. Repopulate with all values that you took note of in the initial tests and allow the services to restart

Service account used here.


Upgrade Admin Console


Upgrade Agent host

I just do the basic install. I used to tell it to install the Cache on the D drive, but that’s really not needed anymore. I use BISF, and tell it to move it for me. I like to have a D drive on my machines (PVS).

You can read here in the comments



Then just follow the basic prompts

Update new ADMX and ADML Files

For me, it’s this


Changes In 1903 and up

Keep this in mind

Now, if you’re upgrading beyond 1903, remember the paths have changed.


James Kindon has done the work for you. Use his scripts.

The following changes are going to occur so be ready:

  1. A new clean installation of the WEM Agent will result in a complete change of Service Names and Folder Structures as below
    • The new Service name is: Citrix WEM Agent Host Service
    • The new process name is: Wem.Agent.Service.exe
    • The new path structure is: %ProgramFiles%\Citrix\Workspace Environment Management Agent
  2. An upgraded installation of the WEM agent will result in partial changes to your environment:
    • The new Service name is: Citrix WEM Agent Host Service
    • The new process name is: Wem.Agent.Service.exe
    • The path on the file system will not be altered and will remain as it was: %ProgramFiles%\Norskale\Norskale Agent Host

Be aware also that in both clean and upgraded deployments, the Windows Event logs will change from Norskale Agent Service to WEM Agent Service

Setting | Old (Pre Cloud Service 1903 and On-Prem 1909) | New (Post Cloud Service 1903 and On-Prem 1909)
Installation path | %ProgramFiles%\Norskale\Norskale Agent Host | %ProgramFiles%\Citrix\Workspace Environment Management Agent
Service name | Norskale Agent Host Service | Citrix WEM Agent Host Service (WemAgentSvc)
Process name | Norskale Agent Host Service.exe | Citrix.Wem.Agent.Service.exe
Event Logs | Norskale Agent Service | WEM Agent Service

1912 has introduced some new changes as well.


*One thing to note on Port*

Cache synchronization port. (Applicable to Workspace Environment Management 1909 and earlier; replaced by Cached data synchronization port in Workspace Environment Management 1912 and later.) The port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. The cache synchronization port must be the same as the port you configured for the cache synchronization port (WEM Infrastructure Service Configuration > Network Settings) during the infrastructure services configuration. The port defaults to 8285 and corresponds to the AgentCacheSyncPort command-line argument.

Cached data synchronization port. (Applicable to Workspace Environment Management 1912 and later; replaces Cache synchronization port of Workspace Environment Management 1909 and earlier.) The port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. The cached data synchronization port must be the same as the port you configured for the cached data synchronization port (WEM Infrastructure Service Configuration > Network Settings) during the infrastructure services configuration. The port defaults to 8288 and corresponds to the CachedDataSyncPort command-line argument. Alternatively, you can specify the port using a command-line option in the silent installation of the WEM agent

Wayne Lui states it’s backward compatible and still listens, but I would add this into your firewall ruleset.
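To see which of the old and new names from the table are present on an agent machine (so that firewall rules, monitoring and antivirus exclusions keyed on the Norskale names can be updated), and whether the infrastructure server answers on both synchronization ports, here is an added example that is not from the original post or from Citrix. The function names and the host name in the usage comment are hypothetical, and checking the 32-bit Program Files folder as well is an assumption.

```powershell
# Added example: report which WEM agent naming generation is installed locally.
# Service names, paths and event log names are the ones listed in the table above.

function Get-WemAgentFootprint {
    # Assumption: the agent may sit under either Program Files folder.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    $services = Get-Service -ErrorAction SilentlyContinue

    $known = @(
        @{ Gen = 'Old'; Services = @('Norskale Agent Host Service')
           SubPath = 'Norskale\Norskale Agent Host'; Log = 'Norskale Agent Service' }
        @{ Gen = 'New'; Services = @('WemAgentSvc', 'Citrix WEM Agent Host Service')
           SubPath = 'Citrix\Workspace Environment Management Agent'; Log = 'WEM Agent Service' }
    )

    $rows = foreach ($k in $known) {
        [pscustomobject]@{
            Generation = $k.Gen
            Service    = [bool]($services | Where-Object {
                             $k.Services -contains $_.Name -or $k.Services -contains $_.DisplayName })
            Path       = [bool]($roots | Where-Object { Test-Path (Join-Path $_ $k.SubPath) })
            EventLog   = [bool](Get-WinEvent -ListLog $k.Log -ErrorAction SilentlyContinue)
        }
    }

    $old = $rows | Where-Object Generation -eq 'Old'
    $new = $rows | Where-Object Generation -eq 'New'

    # An in-place upgrade keeps the Norskale folder but registers the new service name.
    $state =
        if     ($new.Service -and $new.Path) { 'Clean install with the new names' }
        elseif ($new.Service -and $old.Path) { 'Upgraded in place: new service name, old Norskale path' }
        elseif ($old.Service)                { 'Old agent with the Norskale names' }
        else                                 { 'No WEM agent found' }

    [pscustomobject]@{ State = $state; Details = $rows }
}

function Test-WemSyncPorts {
    param([Parameter(Mandatory)][string]$InfrastructureServer)
    # 8285 = cache synchronization port (1909 and earlier)
    # 8288 = cached data synchronization port (1912 and later)
    foreach ($port in 8285, 8288) {
        $result = Test-NetConnection -ComputerName $InfrastructureServer -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $InfrastructureServer; Port = $port; Reachable = $result.TcpTestSucceeded }
    }
}

$footprint = Get-WemAgentFootprint
$footprint.State
$footprint.Details | Format-Table -AutoSize

# Hypothetical host name; run from an agent machine after the firewall change:
#   Test-WemSyncPorts -InfrastructureServer 'wem-infra.example.test'
```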

Port information


Jul 29 2019

Update: Added cli functionality.
Update: Added 2nd pass of defrag to fix the profile ballooning issue that sometimes occurs.
Update: Added ability to target profiles over “X” size for compacting
Update 3/31/2020: Fixed a bug that didn’t allow the new tool to run as a scheduled task. Fixed in version 2003.1
Update 4/21/2020: Fixed bug that didn’t assign drive letters to vhd(x) files when running via CLI. Which breaks the defrag, and in turn doesn’t free up any space for diskpart to shrink. Fixed version is 2004.1.
Update 4/23/2020: Added the ability to sort profiles in the GUI. Clicking the stop button should dismount vhd(x) files automatically. Uses optimize-volume instead of defrag – should be MUCH faster. Also does not need drive letters anymore. Version 2004.2
Update 4/27/2020: Tool now detects RW disks and will not attempt to compact multi session profile disks if in use. Version 2004.4
Update 4/29/2020: Tool will find hidden .vhd(x) files. Version 2004.5
Update 5/26/2020: Fixed the optimize-volumes to use “retrim” after defragging the volume. This will increase processing time, but shrink the vhd(x) files much more. Version 2005.1

Update 6/24/2020: Added defrag back – which seems to do a lot better at freeing up space. Instead of giving a drive letter it sets the drive up as a mount point in the TEMP directory of the user running it (random named folder that will start with “_FSL”). With this I have updated the command line so you can process more than one vhd(x) at a time. TAKE NOTE OF THE NEW COMMAND LINE OPTIONS AS THEY HAVE CHANGED! Version 2006.1
UPDATE 6/25/2020: Bug fix – the 2006.1 version would leave the last vhd(x) attached when using the -tasks # switch. No popups in CLI to stop processing if it doesn’t find any vhd(x), and instead of “N/A” it will show the file size if the file is locked in the after column. Fixed in version 2006.3.
Edit: Version 2006.4 now – last bug fix for the day hopefully. Forgot to add the check for RW.VHD(X) files.

Do not use this tool if you are doing any differencing disks!
Diff disks, no problem!

This post is an updated version of my original profile compacting script (http://www.citrixirc.com/?p=829). I wrote it using Powershell Studio and converted it into an executable. This version does not require the Hyper-V powershell module as it uses diskpart to perform the shrink function.


Requirements:

  1. Administrative rights on the machine running the tool, and read/write to the profiles.
  2. .Net 4.5
  3. Recommend not running from a machine which has any .vhd(x) attached

Instructions/How it works:

  1. The program will remember the last directory selected (via an .ini file – if it exists), or you can click the “…” button at the top left to browse to the root directory of your profile share.
  2. Once a directory is selected it will list all .vhd and .vhdx files along with their current size and their current locked status in descending order by size. (this can take a little while depending on how many vhd(x) files are present – be patient)
  3. Select the profile(s) you wish to compact (you can select multiple using ctrl and shift+click)
  4. Click the compact button, and the program will process each profile selected one at a time
    1. Checks one more time to make sure the file is not locked
      1. If it is, it will skip on to the next one
    2. Gets the current size again before processing
    3. Attaches the vhd(x) in R/W mode
    4. Creates a random named folder in the user’s temp directory starting with “_FSL”
    5. Mounts the vhd(x) to that folder
    6. defrags the volume
    7. Detaches and re-attaches as read only
    8. Uses diskpart to compact the vhd(x)
    9. Gets the size of the file post processing
    10. Updates the results pane
  5. After it has run through all the selected profiles it will display the total reduction in MB at the bottom.
  6. Update: To run via CLI simply run from command prompt with the following options
    -path \\servername\share (path to the root vhd(x) share)
    -size 4096 (minimum size to touch in MB – will skip any vhd(x) smaller)
    -tasks # (number of concurrent vhd(x) files to compact – there is no limit, so be careful not to overload the machine you’re running this on)

    Run against all vhd(x) files one at a time
    ShrinkFSL.exe -path \\servername\share\

    Run against all vhd(x) files 2 at a time
    ShrinkFSL.exe -path \\servername\share -tasks 2

    Run against all vhd(x) files over 5GB
    ShrinkFSL.exe -path \\servername\share -size 5120

    Run against all vhd(x) files over 5GB AND process 2 at a time
    ShrinkFSL.exe -path \\servername\share -size 5120 -tasks 2
    1. A log file in csv format will be generated in the same directory that ShrinkFSL is run from. Shrink_MMddyyy_HHmmss.log
    2. If you stop the process make sure you disconnect any vhd(x) file that may be lingering, and delete _FSL folders in the temp directory!

You can keep track of the .vhd(x) attaching/detaching via diskmgmt.msc if you want. If for some reason the program hangs up you can click the stop button. It will detect if there is a vhd(x) attached, and detach it.

Always test new tools in Development/UAT environments prior to running in production! If you have any questions/comments please post here, and I will respond as soon as I can.

Here is a link to the tool (Updated 6/25/2020)

Oct 02 2018

According to this article, “SAML with Microsoft Azure is only supported if you are using AD FS”. We are not using ADFS in our environment. We are simply using Azure AD Connect to do Password Synchronization into Azure AD from our on-premises Active Directory Domain Services. I figured out a way to make this work without using ADFS.

Log into your Azure instance, click on “Azure Active Directory” and select “Enterprise Applications”. Click “New Application” and select “Non-gallery application”

Call it something and hit “Add”

While this is configuring, log into your ConnectWise Manage server and go to the URL https://{site}/v4_6_release/auth/{companyId}/metadata. This will download a metadata file. Save it somewhere.

Back in the Azure portal, your Enterprise Application should now be up. Click on “Users and Groups”, add the group you would like, and hit “Select”, then “Assign”. I am going to select a group with all of our Active Directory users here. (Remember: our environment is set up using Azure AD Connect with password sync.)

Next, click on “Single sign-on” and select “SAML”

I’m using the “New Experience” here. You can switch to and from it with the following button at the top.

Click edit on “Basic SAML Configuration”. Then click “Upload metadata file” at the top and upload the metadata file you downloaded above. It will add the top two lines. I have added the “Sign on URL” manually by just adding the base URL. After you are done with all of this, click “Save”

Next, download the Base64 cert (Under “SAML Signing Certificate”) and save it somewhere.

Under #4, copy both the “Login URL” and the “Azure AD Identifier” into notepad somewhere.

Next, select the “old experience” using the button at the top.  Set “User Identifier” to “user.employeeid” and click “Save” at the top.

You can switch back to the “New Experience” now. You should see your change here:

Log into Manage and go to “System” and “Setup Tables” then “SSO Configuration”. Click “+” to add a new one.

Enter a description and put in “SSO Type” of “SAML” (You may want to set this to inactive while you are screwing with it). Select the location in the top right.

Enter “Login URL” in the “Login URL” field

Enter “Azure AD Identifier” in the “Identity Provider ID” Field

Upload the Base64 certificate from above.

Click “Save”

When you are ready to test it, uncheck the “Inactive” button, and save the configuration.   The login will look like this now:

One last tidbit.  If somehow you DO lock yourself out of your environment, you can change your SSO configuration directly in the database. Just find dbo.SSO_Configuration, and set your “Inactive_Flag” to True.  Not that I did that or anything.  🙂 🙂
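Before uploading anything, it helps to confirm what the two exchanged files actually contain. The PowerShell below is an added example, not part of the original post and not ConnectWise or Microsoft tooling: it reads the Entity ID and Reply URL from the Manage metadata and reports the thumbprint and expiry of the Azure signing certificate. The file paths, function names, warning window and the embedded sample metadata are assumptions constructed for illustration.

```powershell
# Added example: file paths are assumptions; point them at wherever you saved the files.
param(
    [string]$MetadataPath = "$env:TEMP\manage-metadata.xml",  # metadata downloaded from Manage
    [string]$CertPath     = "$env:TEMP\azuread-saml.cer",     # Base64 cert downloaded from Azure
    [int]$WarnDays        = 60                                # assumed warning window
)

# Constructed sample metadata (not real ConnectWise output), used when $MetadataPath is missing.
$sampleMetadata = @'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://manage.example.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://manage.example.com/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
'@

function Get-SamlSpEndpoint {
    # Returns the service provider's Entity ID and each Assertion Consumer Service (Reply) URL.
    param([Parameter(Mandatory)][xml]$Metadata)
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $entity = $Metadata.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw 'No EntityDescriptor element: this is not SAML metadata.' }
    foreach ($acs in $Metadata.SelectNodes('//md:SPSSODescriptor/md:AssertionConsumerService', $ns)) {
        $url = [uri]$acs.GetAttribute('Location')
        [pscustomobject]@{
            EntityId = $entity.GetAttribute('entityID')
            ReplyUrl = $url.AbsoluteUri
            Binding  = $acs.GetAttribute('Binding')
            IsHttps  = $url.Scheme -eq 'https'   # assertions should only be posted over TLS
        }
    }
}

function Test-SamlSigningCert {
    # Loads a DER or Base64 .cer file and reports identity and remaining lifetime.
    param([Parameter(Mandatory)][string]$Path, [int]$WarnDays = 60)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($full)
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        HasPrivateKey = $cert.HasPrivateKey   # expected False for a public signing cert file
        Status        = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
    }
}

$xmlText = if (Test-Path -LiteralPath $MetadataPath) { Get-Content -LiteralPath $MetadataPath -Raw } else { $sampleMetadata }
Get-SamlSpEndpoint -Metadata $xmlText | Format-List

if (Test-Path -LiteralPath $CertPath) {
    Test-SamlSigningCert -Path $CertPath -WarnDays $WarnDays | Format-List
} else {
    Write-Warning "Certificate not found at $CertPath; skipping the certificate check."
}
```

Compare EntityId and ReplyUrl with the top two lines Azure filled in under “Basic SAML Configuration”, and keep the thumbprint and NotAfter date with your change record.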

Sep 27 2017

Tick tock, tick tock. June 30th, 2018 is fast approaching and will be here before we know it. If you are anything like me, you still have plenty of old 2008R2 XenApp 6.5 farms lying around. I’m sure you have seen all the articles like this, this, this, and this. These are great resources on how to migrate your XenApp 6.5 farm information into a 7.x site collection. However, everything I have read is missing a critical piece of information that I needed in my environment. How do I get my existing session hosts migrated into this 7.x site collection? I have seen this Citrix article that states the basic premise, however most things I have read/heard state that you should always install a clean VDA and reinstall your applications.  For my environment, this just is not feasible.  I have hundreds of applications across dozens of customers and Active Directory forests. Many of these applications were difficult to install on XenApp in the first place. Some of them required software vendor coordination to install. There is the issue of license key transfer, etc. etc. Too many issues arise for this to work in any sane amount of hours. For my needs, I needed to figure out a consistent way to move my workers from 6.5 to 7.x. I needed to upgrade my hosts, plain and simple. If you have ever tried to uninstall XenApp 6.5, it does not do a very good job, sadly.  It leaves a lot of remnants that the 7.x installation detects and then fails to install the VDA.  A LOT.

I developed a process that does the following:

  • Uninstalls XenApp 6.5 (For real)
  • Upgrades 2008R2 to 2012R2
  • Installs the VDA

I will be sharing with you the uninstallation of XenApp 6.5.  I spent countless hours (less than my estimate of fresh install, exponentially, of course) on this process figuring out what pieces 7.x detects and going back to the uninstallation to add the removal of that piece to the script.  A lot of the things I found needed to be uninstalled in a specific order, or other pieces would fail.

The first part of this script uninstalls all 7 Rollup Packs, in reverse order.

start-process -ea 0 -Filepath "msiexec" -Argumentlist "/uninstall {D23001A2-7FF8-EAFD-7E32-58B3A003F5B5} /package {1471A89F-8CAB-4C46-89AB-942432D1DD3D} /passive REBOOT=ReallySuppress" -wait
start-process -ea 0 -Filepath "msiexec" -Argumentlist "/uninstall {6534B232-8426-2242-316E-D9B1F5A46E1A} /package {1471A89F-8CAB-4C46-89AB-942432D1DD3D} /passive REBOOT=ReallySuppress" -wait
start-process -ea 0 -Filepath "msiexec" -Argumentlist "/uninstall {ED7485F0-8579-F605-3326-9D058656F2B0} /package {1471A89F-8CAB-4C46-89AB-942432D1DD3D} /passive REBOOT=ReallySuppress" -wait
start-process -ea 0 -Filepath "msiexec" -Argumentlist "/uninstall {D511345D-32F8-8940-8B55-398DBDE50F66} /package {1471A89F-8CAB-4C46-89AB-942432D1DD3D} /passive REBOOT=ReallySuppress" -wait
start-process -ea 0 -Filepath "msiexec" -Argumentlist "/uninstall {38D5B4B1-08DD-E8BA-3D9C-AEE979D52A7C} /package {1471A89F-8CAB-4C46-89AB-942432D1DD3D} /passive REBOOT=ReallySuppress" -wait
start-process -ea 0 -Filepath "msiexec" -Argumentlist "/uninstall {B1CF9796-DC5D-2498-CA8D-E03BF20DDD70} /package {1471A89F-8CAB-4C46-89AB-942432D1DD3D} /passive REBOOT=ReallySuppress" -wait
start-process -ea 0 -Filepath "msiexec" -Argumentlist "/uninstall {B4A6E274-BC1D-D17F-17AE-B7BB94FE8493} /package {1471A89F-8CAB-4C46-89AB-942432D1DD3D} /passive REBOOT=ReallySuppress" -wait
start-process -ea 0 -Filepath "msiexec" -Argumentlist "/uninstall {343BE097-0B21-F62C-9D0A-886C9D142DBF} /package {1471A89F-8CAB-4C46-89AB-942432D1DD3D} /passive REBOOT=ReallySuppress" -wait

The next part of the script uninstalls XenApp 6.5 itself.

start-process -ea 0 -Filepath "msiexec" -Argumentlist "/x {1471A89F-8CAB-4C46-89AB-942432D1DD3D} /L*v c:\output.log CTX_MF_FORCE_SUBSYSTEM_UNINSTALL=Yes /passive REBOOT=ReallySuppress" -wait

The next part of the script does uninstallation of all of the crap that is left after this uninstall.

start-process -ea 0 -Filepath "msiexec" -Argumentlist "/x {68376322-B36A-47CE-A637-37943D56476A} /passive REBOOT=ReallySuppress" -wait
start-process -ea 0 -Filepath "msiexec" -Argumentlist "/x {C4567AFA-6577-46C6-9153-457509317506} /passive REBOOT=ReallySuppress" -wait
# ... a ton more uninstallation commands here (see the full script)

During testing I ran through this uninstallation at least 50 times. I took a snapshot of the XenApp 6.5 system, tested the uninstall, reverted to the snapshot and tested again. The insane thing is that I would get different results, and different failures, randomly throughout my testing. What is the definition of insanity? “Doing the same thing over and over again expecting different results” Well, I guess I’m officially insane. Due to this, I added 2 more XenApp 6.5 servers to my testing in order to see what other failures this process may uncover. This was a smart idea, because I found many more things that needed to be scripted in an attempt to catch them all. So many orphaned services, registry keys and files left, randomly after each uninstall. Frustrating! Most were not found until after the 2012R2 upgrade, when trying to install the VDA and digging into the logs for specific failures. VERY frustrating! I was tempted to hit the bottle many times at work during this process.

This next part was annoying and odd, and may not be necessary in your environment. I had a bitch of a time getting some of the C++ redistributables uninstalled. These are a critical component of XenApp 6.5 AND 7.x. If these are not removed cleanly, the VDA installation process fails miserably. I was not able to uninstall mine as they kept pointing to the original installation directory that did not exist anymore. I ended up downloading the installation files to a directory on the C: and changing the registry to point the installation to that location. Sigh.

This portion uses the PowerShell module Expand-ZIPFile to extract the installation files to the C:. I have attached everything at the end of the article. You can use whatever method you would like to extract the files. Please note the .reg file sets the install (uninstall) directory to C:\.

Expand-ZIPFile -File "C:\uninstallme.zip" -Destination "C:\"
REG IMPORT C:\fixme.reg

After these files are in place, I am able to successfully uninstall these C++ components.

start-process -ea 0 -Filepath "msiexec" -Argumentlist "/x {1D8E6291-B0D5-35EC-8441-6616F567A0F7} /passive REBOOT=ReallySuppress" -wait
start-process -ea 0 -Filepath "msiexec" -Argumentlist "/x {F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} /passive REBOOT=ReallySuppress" -wait
start-process -ea 0 -Filepath "msiexec" -Argumentlist "/x {743C9F75-F327-4D1C-9016-6C573930ADC1} /passive REBOOT=ReallySuppress" -wait

After this portion. Reboot. Finally. This process takes a good half hour, at least, depending on your hardware.

Lastly, there is a cleanup script that removes all the orphaned services, registry keys, and files that I found to be left during multiple uninstall attempts. It also removes the Remote Desktop Services role.

$Ctxmemop = Get-WmiObject -Class Win32_Service -Filter "Name='Citrix 64-bit Virtual Memory Optimization'"
$CtxAudioSvc = Get-WmiObject -Class Win32_Service -Filter "Name='CtxAudioSvc'"
# ... more service lookups and removals here (see the full script)
Remove-Item "C:\Program Files (x86)\Citrix" -recurse -force
Remove-Item "C:\Program Files (x86)\Common Files\Citrix" -recurse -force
# ... more file and registry deletions here (see the full script)
Import-Module ServerManager
Remove-WindowsFeature Remote-Desktop-Services

Reboot. This part of the script doesn’t take long at all. This should now give you a clean slate (tabula rasa) in which you can upgrade and install the VDA.
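Because the remnants differed from run to run, it is worth checking for them explicitly before attempting the VDA install. The script below is an added example, not one of the author's scripts: it looks for the product codes used in the msiexec /x lines above, any other Citrix entries in the uninstall registry keys, Citrix services, and the two folders the cleanup script deletes. The function name and the name patterns used to match products and services are assumptions.

```powershell
# Added example: report Citrix remnants after the cleanup script and reboot.

# Product codes copied from the msiexec /x lines in this article.
$knownCodes = @(
    '{1471A89F-8CAB-4C46-89AB-942432D1DD3D}',   # XenApp 6.5
    '{68376322-B36A-47CE-A637-37943D56476A}',   # leftover component
    '{C4567AFA-6577-46C6-9153-457509317506}',   # leftover component
    '{1D8E6291-B0D5-35EC-8441-6616F567A0F7}',   # C++ redistributable
    '{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}',   # C++ redistributable
    '{743C9F75-F327-4D1C-9016-6C573930ADC1}'    # C++ redistributable
)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Folders the cleanup script removes.
$folders = @(
    'C:\Program Files (x86)\Citrix',
    'C:\Program Files (x86)\Common Files\Citrix'
)

function Get-CitrixRemnant {
    # 1. Products still registered for uninstall (by known code, publisher or display name).
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $knownCodes -contains $_.PSChildName -or
            $_.Publisher -like 'Citrix*' -or
            $_.DisplayName -like '*Citrix*'
        } |
        ForEach-Object { [pscustomobject]@{ Type = 'Product'; Name = $_.DisplayName; Detail = $_.PSChildName } }

    # 2. Orphaned services (name patterns are assumptions; extend them for your farm).
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.Name -like 'Ctx*' -or $_.DisplayName -like 'Citrix*' -or $_.PathName -like '*\Citrix\*' } |
        ForEach-Object { [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = $_.PathName } }

    # 3. Folders that should be gone.
    foreach ($folder in $folders) {
        if (Test-Path -LiteralPath $folder) {
            [pscustomobject]@{ Type = 'Folder'; Name = $folder; Detail = 'still present' }
        }
    }
}

$remnants = @(Get-CitrixRemnant)
if ($remnants.Count -eq 0) {
    Write-Host 'No Citrix remnants found.' -ForegroundColor Green
} else {
    $remnants | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
    Write-Warning "$($remnants.Count) remnant(s) found; clean these up before the upgrade and VDA install."
}
```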

The rest of the process is pretty self-explanatory. You do an in-place upgrade of 2008R2 to 2012R2. Then install the VDA. There is a lot more to it, and I can post a write-up if comments demand it.

I have attached the scripts/files to github. Thanks to braynyac (Tim Riegler) for posting them for me.

I hope this has been helpful to some of you. This was very time consuming and I hope I have saved some of you a ton of time who are in the same situation as we are in our XenApp 6.5 environment.

Have fun!

Link to GitHub with all files.

Aug 25 2017

(See the new tool Here)

I recently switched from Citrix Profile Management to FSLogix! For those of you who do not know how it works… it mounts a virtual hard drive at the C:\Users\%UserName% folder for each user who connects. A huge advantage to this is that it is not copying the profile in at logon (or out at logoff), which greatly reduces logon times. Depending on how you have things setup you can literally (not figuratively) expect logon times of around 15 seconds reported in director no matter how your users decide to bloat their profiles.

There is one “problem” with dynamic vhd/vhdx profiles… they don’t shrink on their own. For instance, if you were to copy a 4GB file into a dynamic vhd file you would obviously see it grow by about that much. If you delete that 4GB file the vhd stays the same size! This isn’t really that big of a deal to me, but it might be to my storage administrator.

I wrote a script to compact the vhd profiles not in use.

Windows 10 – Powershell v5
Hyper-V module (Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All) – reboot required
Powershell run as Administrator

What this script does:

  1. Checks to make sure the above requirements are met
  2. Loads functions and variables (you will have to edit some of them for your environment – see the script for more info)
  3. Gets a list of all vhd/vhdx files in the root of your profile share
  4. Runs a for each loop
    1. Tests to see if the vhd file is currently locked (in use)
      1. If yes it will display a message on your screen saying it is locked and that it is being skipped (in the report the Success column will be marked with locked)
      2. If no then it will move on
    2. Tries to mount the vhd in read only mode
      1. If it fails it will send you an alert email and end the script as something is not right
      2. If it mounts then the script moves on
    3. Tries to optimize the vhd file (compact)
      1. Gets the original size in MB, size after compact in MB, computes the total reduction in MB, and notes failure/success
    4. Tries to dismount the vhd
      1. If it fails it will send you an alert email and end the script
  5. Once finished it will email you a report like the one below (names, paths, and sids are masked obviously)

Here is the script
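The loop from step 4, written out as an added example. It is not the author's linked script: the share path and function name are assumptions, and the alert e-mail is replaced by a terminating error.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example: compact dynamic VHD/VHDX profile disks that are not in use.
param([string]$ProfileShare = '\\servername\share')   # assumed placeholder; set to your profile share

function Test-FileLocked {
    # A disk attached by a logged-on user cannot be opened exclusively.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $stream = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $stream.Dispose()
        return $false
    } catch {
        return $true   # any failure to get exclusive access means: leave this file alone
    }
}

# Step 3: vhd/vhdx files in the root of the share
$vhds = Get-ChildItem -LiteralPath $ProfileShare -File |
    Where-Object { $_.Extension -in '.vhd', '.vhdx' }

$report = foreach ($vhd in $vhds) {
    $row = [ordered]@{
        Name       = $vhd.Name
        OriginalMB = [math]::Round($vhd.Length / 1MB)
        FinalMB    = $null
        ReducedMB  = 0
        Success    = ''
    }

    # Step 4.1: skip disks that are in use
    if (Test-FileLocked -Path $vhd.FullName) {
        Write-Host "$($vhd.Name) is locked (in use); skipping"
        $row.Success = 'Locked'
        [pscustomobject]$row
        continue
    }

    # Step 4.2: mount read-only; a failure here ends the whole run
    try { Mount-VHD -Path $vhd.FullName -ReadOnly -ErrorAction Stop }
    catch { throw "Mount failed for $($vhd.FullName): $($_.Exception.Message)" }

    # Steps 4.3 and 4.4: compact, then always dismount (a dismount failure also ends the run)
    try {
        Optimize-VHD -Path $vhd.FullName -Mode Full -ErrorAction Stop
        $row.Success = 'True'
    } catch {
        $row.Success = 'False'
    } finally {
        Dismount-VHD -Path $vhd.FullName -ErrorAction Stop
    }

    $row.FinalMB   = [math]::Round((Get-Item -LiteralPath $vhd.FullName).Length / 1MB)
    $row.ReducedMB = $row.OriginalMB - $row.FinalMB
    [pscustomobject]$row
}

# Step 5: the report (printed here instead of e-mailed)
$report | Format-Table -AutoSize
'Total reduction: {0} MB' -f ($report | Measure-Object -Property ReducedMB -Sum).Sum
```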

Sep 30 2016


XenApp 7.6

700+ Delivered (published) Applications

60+ Windows servers (2008 R2 and 2012 R2)



Recently I had a request to replicate 100+ applications from PROD to QA, using a QA server configured with identical applications and identical application locations/paths. Obviously all paths to the EXE files need to be the same for this to work 100% (unless I missed a memo and XA can now support publishing identical applications from various paths.  As far as I know, this was not yet available in 7.6).  If the QA server has some of the applications in different paths, not all is lost. You can still use this process and script to migrate a large number of applications between delivery groups and then modify the paths later in Studio.

While I could add a few more lines to my PoSH script to replicate each application one at a time, that seemed unnecessary given the amount of time it took me to create this script and the ability to duplicate applications in Studio.

My goal was to replicate (the proper Citrix term would be duplicate) all applications and then assign them to another delivery group. Seems simple enough for a Citrix and PoSH guru. But those who are just getting their feet wet can use the following process to speed up their delivery time to less than 5 mins and go look for the end of the Internet, while telling the client it took hours 😉



1 – I will be duplicating all requested applications using ol’ Citrix Studio.

2 – I will run the script below to change the Delivery Group and the application folder, as visible to the user (your mileage might vary, depending on your requirements)

This script/process is no rocket science, but it might help someone quickly replicate applications and migrate them to another delivery group instead of publishing them all over again.  Modify the script below according to your environment before running it.  (WARNING: It is a fairly simple script, so review it and try to understand exactly what it is doing before executing it.)  Also, I am no expert when it comes to creating PowerShell scripts, just another Citrix admin.  So, pardon me if you can make it better.  Please do improve and share!  I am all for helping fellow Citrix admins any way I can.  Even if it’s buying a pint!


Step 1

Create an alternative application folder in Studio.  For our scenario I am going to create a folder named “QA” inside the already created “Europe” folder.

Right-click on all applications that you need to replicate in QA (you can select multiple applications at once).

Click Duplicate Application 

Now select all duplicates and drag them over to QA folder.  In my scenario I will be dragging these to Europe\QA.

Step 2

The script below will prompt for the admin folder name where all the duplicates reside (that’s the new folder you just created; in my example it’s called Europe\QA).  I repeat: do not select your production applications folder, as the script will move all your production apps to the new delivery group.  Use the newly created QA folder that you moved all the duplicate applications to in step 1 above.

It is assumed that new delivery group is already created.

Another item to note: there is an optional line (in yellow) to change the client-side folder location of the newly created applications.  This is to help users identify whether they are running PROD or QA applications. It also looks cleaner in StoreFront or WI.  You can add more commands into the foreach loop, such as modifying which users have access or changing the actual name of the application.  My goal was to keep everything the same and just deliver from the QA server.


asnp Citrix*   # load the Citrix PowerShell snap-ins

# Pick the admin folder that holds the duplicates, then the source and target delivery groups
$adminfolder = (Get-BrokerApplication -MaxRecordCount 10000).AdminFolderName | sort | select -unique | Out-GridView -Title "Select Admin Folder Name" -OutputMode Single
$originalDG = (Get-BrokerDesktopGroup -MaxRecordCount 10000).Name | sort | Out-GridView -Title "Select Original Delivery Group Name" -OutputMode Single
$newDG = (Get-BrokerDesktopGroup -MaxRecordCount 10000).Name | sort | Out-GridView -Title "Select New Delivery Group Name" -OutputMode Single

# Stop if any picker was cancelled, so nothing is moved by accident
if ($null -eq $adminfolder -or $null -eq $originalDG -or $null -eq $newDG) { throw "Selection cancelled - nothing changed." }
$applist = Get-BrokerApplication -AdminFolderName $adminfolder

Write-Host "Migrating all applications in $adminfolder`nFrom $originalDG Delivery Group to $newDG Delivery Group" -ForegroundColor Green

foreach ($app in $applist.ApplicationName) {
    Write-Host "Migrating $app"
    # Add the new delivery group first, then remove the original one
    Get-BrokerApplication -ApplicationName $app | Add-BrokerApplication -DesktopGroup $newDG
    Get-BrokerApplication -ApplicationName $app | Remove-BrokerApplication -DesktopGroup $originalDG
    Get-BrokerApplication -ApplicationName $app | Set-BrokerApplication -ClientFolder "Europe\QA" #optional to show all applications inside QA folder and not in the same folder with production apps
}


BTW, using similar add-brokerapplication command you can publish, or rather deliver same application from multiple delivery groups.  Just comment out remove-brokerapplication command and it will now launch from servers in prod and qa, or any other DG of your choice.  Comes really handy when you have multiple DGs that host different applications, but some of the applications are identical.  You can spread the load across multiple DGs.  Think of it as a worker groups concept in XA 6.x with server groups.   I had such requirement that was easily achievable in XA 6.x, but not so much in XA 7.x.  I paid for someone’s case of beer when they told me that I can use above mentioned command to deliver same application from multiple DG’s, as it’s not clearly documented by Citrix. There is a surprise…

That’s all folks. My first ever citrixirc blog.  Whoo-hoo!

Over and out.

Feb 24 2016

Have you ever looked at Director, seen that a user had a very long login, and wondered how the hell you could find out who that was?  I wrote a script to help you out a bit!

Here is the script

Read it!  There are places you will have to edit to allow it to run in your environment.  Search for ##### to find the spots to pay attention to.

In the end it will output a .htm file to your my documents\logon_logs and open after it finishes.


Note: I have no idea if this works for XA, but I know it works for XD 7.6