How to Configure and Deploy XenDesktop 5 Virtual Desktop Agents with Active Directory Group Policy

Article ID: CTX127301

Description

This article describes how to deploy or upgrade the Virtual Desktop Agent msi package using Microsoft Active Directory Group Policy (GPO).

The article also explains how to configure the following items in Group Policy:

  • Desktop Director requirements for Virtual Desktop - Desktop Director is the web-based helpdesk and operations console introduced in XenDesktop 5.

    To enable real-time diagnostics information to appear for the desktop machine, WinRM must be configured.

    When troubleshooting a user or desktop, the operator is able to shadow the end user by starting a Remote Assistance connection to the desktop machine. In order to enable the function, Remote Assistance must be configured.

  • Machine Identity Service Agent - This msi is installed on new Virtual Machines (VMs) that might be used as a master image. The main functions of the Machine Identity Service are:

    • Setting a computer’s hostname and Active Directory password during operating system boot.
    • Assigning a virtual disk to a VM.
    • Management of the VM’s difference disk.
  • TargetOptimizer tool - Re-configures various Windows functions to optimize the performance of the operating system for virtual desktops. Optimization of the master VM is typically performed before the desktop catalog is created.

  • Citrix Online and Citrix Offline Plug-ins.

Requirements

  • Administrators must be familiar with Microsoft Active Directory and Group Policy Objects.

  • XenDesktop 5 DVD media or XenDesktop 5.5 DVD media

Assumptions

Administrators should create GPOs on the specific Organizational Units (OUs) that contain the machine accounts to be configured.


Instructions

Creating a Network Share

Create a network share and grant read permissions on it to the appropriate users or groups. The location must be accessible to all clients being targeted for the deployment.


Creating Transform File

A Transform (*.MST) file allows you to modify an MSI package. In a GPO deployment scenario, a Transform file can therefore be used to specify the MSI command line parameters that must be passed to the installer.

Transforms can be created by using tools like Orca.exe or MsiTran.exe, which are free utilities from Microsoft. The following Microsoft KB and MSDN articles tell you how to obtain and use these tools:
How to use the Orca database editor to edit Windows Installer files
Msitran.exe

The properties in the following table should be specified to create the Transform file.
Note: The Transform file should include either the value for the FARM_GUID or the CONTROLLER_NAMES property. Do not include both properties.

| Property | Description |
|---|---|
| INSTALLDIR | Change the default install location. |
| FARM_GUID=<GUID> (do not use with CONTROLLER_NAMES) | Object GUID of the XD farm. Should be used if AD based discovery is desired. Specifies the name of the OU the VDA should search for controller SCPs. |
| CONTROLLER_NAMES=<DNS Name> (do not use with FARM_GUID) | Should be used if Registry based discovery is desired. This holds a space separated list of the Fully Qualified Domain Names (FQDNs) of the controllers the VDA is to register with. |
| ENABLE_HDX_PORTS (0 to not add value, 1 to add value) | Can be set to 0 or 1. When set to 1, adds the broker port exceptions (TCP Ports 80, 1494 and 2598) to the firewall for VDA. |
| * ENABLE_UDP_PORTS | Opens UDP ports 16500-16509 in Windows firewall, required for HDX Real-time Transports for Audio. |
| * GPU_ON_SERVER | Installs Pro Graphics VDA. |
| * KEY_FILE | Path to Key File required for installing Pro Graphics VDA. |
| * HDXFLASHV2ONLY | Prevents the installation of Flash RAVE V1 binaries (security feature). |
| CITRIXWDDM (0 to disable, 1 to enable) | Can be used to suppress the installation of the Citrix WDDM Driver (CITRIXWDDM=0) on an otherwise supported configuration. The default (CITRIXWDDM=1) does not force the installation but does not prevent it when the configuration is supported. |
| CITRIXWDDMONHYPERV (0 to disable, 1 to enable) | Default is 0, which means the Citrix WDDM driver is not installed on HyperV on an otherwise supported configuration. Use 1 to override that. |
| INSTALLONWDDM (0 to disable, 1 to enable) | Can be set to 0 or 1. When set to 1, tells the installer not to downgrade the WDDM driver if any is present and continue installation of the display driver side by side. This option should be used only with the GPU_ON_SERVER option for enabling Pro Graphics. |
| WCF_PORT (Optional) | The port used for registration with the controller (80 is the default). |

* Options can only be used with XenDesktop 5.5 version.

  1. Start Orca, click File/Open, navigate to the XdsAgent.msi file and click Open.

  2. Click Transform and select New Transform from the menu.


  1. In the Tables pane, click Property.


  1. Click Tables/Add Row. The Add Row dialog box opens.

  2. Click the Property row and enter the property name and click the Value row to enter property value.


  1. Click OK. The value, which was just added, is shown highlighted in the following screen shot:

    User-added image

  1. Using the same procedure, enter all the other property names and values you wish to specify for this deployment.

  2. Click Transform/Generate Transform and save the MST file with a descriptive name. It is a good idea to keep the MST file in the same network share location created in Step 1.
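
One way to check a generated transform before assigning it in Group Policy, added here as an example that is not part of the Citrix article: the PowerShell below applies the MST to the MSI in memory through the Windows Installer automation interface and tests the resulting Property table against the rules in the property table above. The share paths and the MST file name are placeholders, and the FQDN pattern is an assumption of this example.

```powershell
# Added example, not Citrix code. Share paths and MST name are placeholders.
param(
    [string]$MsiPath = '\\servername\share\XdsAgent_x64.msi',
    [string]$MstPath = '\\servername\share\VdaInstall.mst'
)

function Invoke-Com($Object, [string]$Name, [string]$Kind, [object[]]$ArgList) {
    # Windows Installer automation objects need late-bound calls in PowerShell.
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $ArgList)
}

function Get-TransformedProperty([string]$Msi, [string]$Mst) {
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Mode 0 = read-only: the transform is applied in memory only.
    $db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($Msi, 0)
    # Flags 0 = suppress no errors: conflicts between MST and MSI throw.
    Invoke-Com $db 'ApplyTransform' 'InvokeMethod' @($Mst, 0) | Out-Null
    $sql = 'SELECT `Property`, `Value` FROM `Property`'
    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @($sql)
    Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null
    $props = @{}
    while ($rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null) {
        $key = Invoke-Com $rec 'StringData' 'GetProperty' @(1)
        $props[$key] = Invoke-Com $rec 'StringData' 'GetProperty' @(2)
    }
    Invoke-Com $view 'Close' 'InvokeMethod' $null | Out-Null
    return $props
}

function Test-VdaProperty([hashtable]$Props) {
    $findings = @()
    $farm = $Props['FARM_GUID']
    $ctrl = $Props['CONTROLLER_NAMES']
    if ($farm -and $ctrl) { $findings += 'FARM_GUID and CONTROLLER_NAMES are both set; use only one.' }
    if (-not $farm -and -not $ctrl) { $findings += 'Neither FARM_GUID nor CONTROLLER_NAMES is set.' }
    $guid = [guid]::Empty   # Guid.TryParse needs .NET 4 or later
    if ($farm -and -not [guid]::TryParse($farm, [ref]$guid)) { $findings += "FARM_GUID '$farm' is not a GUID." }
    if ($ctrl) {
        # The list is space separated; every entry must be fully qualified.
        foreach ($fqdn in ($ctrl.Trim() -split '\s+')) {
            if ($fqdn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') { $findings += "CONTROLLER_NAMES entry '$fqdn' is not an FQDN." }
        }
    }
    foreach ($flag in 'ENABLE_HDX_PORTS', 'CITRIXWDDM', 'CITRIXWDDMONHYPERV', 'INSTALLONWDDM') {
        if ($Props.ContainsKey($flag) -and ('0', '1' -notcontains $Props[$flag])) { $findings += "$flag must be 0 or 1." }
    }
    if ($Props['INSTALLONWDDM'] -eq '1' -and -not $Props.ContainsKey('GPU_ON_SERVER')) {
        $findings += 'INSTALLONWDDM=1 is set without GPU_ON_SERVER.'
    }
    if ($Props.ContainsKey('WCF_PORT')) {
        $port = 0
        $ok = [int]::TryParse($Props['WCF_PORT'], [ref]$port)
        if (-not $ok -or $port -lt 1 -or $port -gt 65535) { $findings += 'WCF_PORT is not a valid TCP port.' }
    }
    if ($Props['ENABLE_HDX_PORTS'] -eq '1') { $findings += 'Info: the installer will open TCP 80, 1494 and 2598 in the firewall.' }
    return $findings
}

$findings = @(Test-VdaProperty (Get-TransformedProperty $MsiPath $MstPath))
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Transform properties are consistent with the property table.' }
```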

Deploying Virtual Desktop Agent Using GPO

Note: If you are deploying the XdsAgent to a brand new VM image with no XdsAgent already configured, you must install the MachineIdentityServiceAgent msi as well.

The MachineIdentity Service Agent does not require an MST file and can be deployed at the same time as the XdsAgent msi deployment from GPO. The following Step 13 shows GPO configuration details.

Note: For XenDesktop 5.5, apply XdsAgent_ja-JP.mst or XdsAgent_zh-CN.mst when deploying Virtual Desktop Agent to Japanese or Simplified Chinese operating systems.

For XenDesktop 5, use XdsAgent_ja-JP.msi instead of XdsAgent.msi.

The relevant MSIs and MSTs can be found in the following locations on the DVD (assuming the DVD drive letter is d:\):
d:\x86\Virtual Desktop Agent\XdsAgent_x86.msi
d:\x64\Virtual Desktop Agent\XdsAgent_x64.msi
d:\x86\Virtual Desktop Agent\MachineIdentityServiceAgent_x86.msi
d:\x86\Virtual Desktop Agent\MachineIdentityServiceAgent_x64.msi

XenDesktop 5.5 DVD with MST files:

d:\x86\Virtual Desktop Agent\XDsAgent_x86_ja-JP.mst
d:\x64\Virtual Desktop Agent\XDsAgent_x64_ja-JP.mst
d:\x86\Virtual Desktop Agent\XDsAgent_x86_zh-CN.mst
d:\x64\Virtual Desktop Agent\XDsAgent_x64_zh-CN.mst

  1. Copy the relevant XdsAgent msi file (x86 or x64 msi) from the XenDesktop DVD to the network share already created. See the Creating a Network Share section.

  2. If not already done, copy the transform file you wish to apply to this package to the network share. See the Creating Transform File section.

  3. If you are deploying on Japanese or Simplified Chinese systems, copy the appropriate localization transform from the same location as the MSIs.

  4. You can either create a separate OU in Active Directory for this deployment or add the new policy settings to an existing OU where the current Virtual Desktop Agent machines are located (for example, if there is currently a XenDesktop 4 Virtual Desktop Agent that now requires the new XenDesktop 5 Virtual Desktop Agent version).

    The following section is based on a newly created OU; make the relevant changes as required if you use an existing OU.


  1. Start Group Policy Management and create a GPO on this OU and name it (for example, “VDA Install”).


  1. Edit the VDA Install GPO. To assign an application to a computer, navigate through the group policy console to Computer Configuration > Software Settings > Software Installation.


  1. Right-click and select New Package.


  1. Navigate to the network share created in Step 1, select the package and click Open.
    Note: The specified path must be in UNC format (\\servername\share)


  2. Select Advanced and click OK.


  1. Select the Modifications tab and click Add.

  2. Navigate to the Network Share created in Step 1, select the transform(s), and click Open.


  1. Click OK.


  1. There should be no errors encountered at this stage and the package details should show up as shown in the console editor:

    User-added image

  2. This step is only required if you are deploying to a new VM possibly being used as a master image.
    To deploy the MachineIdentityServiceAgent msi file, copy the relevant MachineIdentityServiceAgent.msi (x86 or x64) to the Network share already created at the beginning of this article.
    Follow preceding Steps 4 through 7 to add MachineIdentityServiceAgent msi file to the Software Installation.

  3. At Step 8, click Assigned and click OK.


    You should now see two software installations assigned, as shown in the following screen shot:

    User-added image

Close the GPO Editor and the Group Policy Management Console. Virtual Desktop Agent is now ready to be deployed. The installation takes effect next time the computer is restarted.

Important: After the machine is started and the GPO has been applied, it must be restarted to complete the installation. To see more information on the status of the policy, run RSOP.msc (Resultant Set of Policies) on the VM. RSOP will show you the status of the policy.
Note: RSOP is only available on Pro, Enterprise, and Ultimate.

Redeploying a Package

If you need to redeploy a package (for example, if a new release of the agent must be distributed again), refer to How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003.

Desktop Director Requirements for Virtual Machines

For the Desktop Director to work with VMs, the following features must be enabled:

  • WinRM

  • Remote Assistance

WinRM

WinRM is used to collect detailed information from the virtual desktop when it is shown on the Desktop Director details page. The information collected is:

  • Hardware specification

  • Citrix Profile Management details

  • HDX status

  • Citrix policies

  • Performance metrics

Prerequisites

  • WinRM 1.1 or later is required to be installed on the virtual desktop.

  • Windows XP: WinRM 1.1 update or WinRM 2.0 update must be installed.

  • Vista: WinRM 1.1 pre-installed. WinRM 2.0 update can be installed.

  • Windows 7: WinRM 2.0 pre-installed.

Remote Assistance

No prerequisites required.

Configuring WinRM using Group Policy

These settings can be added to the GPO already created in the previous steps of this article.

Note: If you do move a computer to another OU, the policy will not take effect and you must configure a new Group policy on the relevant OU.

  1. Start Group Policy Management and enable the Allow automatic configuration of listeners setting under the following policy path:
    Computer Configuration > Administrative Templates > Windows components > Windows Remote Management (WinRM) > WinRM Service

  1. Click Enabled.

  2. Type * to allow all messages from any IP address or add the appropriate IPv4 or IPv6 filter if required and click OK.


    Once enabled, the policy should look like the following screen shot:

    User-added image

  1. To set the Windows Remote Management service to start automatically, go to the following policy:
    Computer Configuration > Windows Settings > Security Settings > System Services > Windows Remote Management (WS-Management)

  1. Set the Service startup mode to Automatic and click OK.
    Once enabled, the policy should look like the following screen shot:

    User-added image

    Note: Windows Firewall exceptions might also need to be configured using Group Policy.
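
A check to run on a virtual desktop after the policy has applied, added here as an example that is not part of the Citrix article: it reads the WinRM Service policy values from the registry, flags a `*` filter, and confirms the service start mode and the presence of a listener. It assumes Windows PowerShell (for `Get-WmiObject` and the `WSMan:` drive); the function name is this example's own.

```powershell
# Added example, not Citrix code. Run locally on the virtual desktop.
function Get-WinRmPolicyFinding {
    $findings = @()
    # Registry location of the "WinRM Service" administrative template settings.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    if (-not $policy -or $policy.AllowAutoConfig -ne 1) {
        $findings += 'Listener auto-configuration policy is not applied to this machine.'
    } else {
        foreach ($name in 'IPv4Filter', 'IPv6Filter') {
            $filter = $policy.$name
            if ($filter -eq '*') {
                # '*' makes the service listen on every IP address of the machine.
                $findings += "$name is '*': review whether a narrower filter is possible."
            } elseif (-not $filter) {
                $findings += "$name is empty: the service does not listen on that protocol."
            }
        }
    }

    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    if (-not $svc) {
        $findings += 'WinRM service is not installed.'
    } else {
        if ($svc.StartMode -ne 'Auto') { $findings += "WinRM start mode is '$($svc.StartMode)', expected Auto." }
        if ($svc.State -ne 'Running') { $findings += "WinRM service state is '$($svc.State)'." }
    }

    # The WSMan: drive only answers when the service is running.
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    if (-not $listeners.Count) { $findings += 'No WinRM listener is configured or the service is unreachable.' }

    return $findings
}

$result = @(Get-WinRmPolicyFinding)
if ($result.Count) { $result | ForEach-Object { Write-Warning $_ } }
else { 'WinRM policy, service and listener match the settings described above.' }
```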

Configuring Remote Assistance using Group Policy

  1. To enable Offer Remote Assistance, access the following policy:
    Computer Configuration > Administrative Templates > System > Remote Assistance

  1. Set Offer Remote Assistance to Enabled.


  1. To allow helpers to provide Remote Assistance, click Show, to specify the list of users or user groups who are allowed to offer remote assistance.


  1. This policy requires appropriate firewall exceptions to allow Remote Assistance communications.

    For Vista and later, enable the policy Windows Firewall: Allow inbound remote administration exception:
    Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

    Windows Firewall: Allow inbound remote administration exception


    For Windows XP, enable the above policy but also enable the policy Windows Firewall: Define inbound port exceptions and Windows Firewall: Define inbound program exceptions.

    Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
    Windows Firewall: Define inbound port exception


  2. Click Show to define port exceptions:

    User-added image

  3. Access the following policy to enable the inbound program exceptions:
    Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

    Windows Firewall: Define inbound program exceptions


  4. Click Show to define program exceptions:

    User-added image

For further information on Windows XP remote assistance settings, see Windows XP SP2 Firewall blocks offers of Remote Assistance.

Configuring TargetOptimizer adm Policy

Optimizations are applied either through changes to the Windows registry or programmatically by disabling specific features. Some optimizations are only applicable to certain versions of Windows or, for physical machines, specific hardware such as particular network adapters.

  1. The TargetOptimizer tool, when run manually, displays the following screen:

    User-added image

  1. Select the appropriate settings and click OK.

    To use Group Policy to distribute TargetOptimizer settings, an adm file has been created, XDOptimizer.adm. The adm file is based on the reg keys, which are used to enable or disable the options in the preceding screen shot.

    Because of Group Policy limitations, the following settings can only be set by running a startup or shutdown script:
    • Disable Hibernate

    • Disable Vista/7 ScheduledDefrag

The following section shows how to deploy the batch and reg files for Windows XP and Vista/Windows 7 using a startup/shutdown script.

Windows XP only - Disable Hibernate

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
  1. Create a batch file and a .reg file. In the following example, the batch file is called targetoptimizer.bat and the reg file is called hibernateoff.reg.
    Note: The "Disable Hibernate" reg file is for Windows XP. The XDOptimizer.adm file is for Vista and Windows 7.

  2. For Windows XP, create a file called hibernateoff.reg with the following content:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power]
    "Heuristics"=hex:05,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,3f,42,0f,00

  3. Save the file in the network share created at the beginning of this article.

  4. Create a batch file and add the following line to it:
    regedit /s \\networklocation\share\hibernateoff.reg

  5. Save the file in the network share created at the beginning of this article.

  6. On the batch file you created, right-click and select Copy.

  7. Copy this file to the startup location on the Group policy, which is described in the next step.

  8. Open the Group Policy Management console and edit the group policy where you want to apply these settings.

  9. To add the batch file to the startup script, access:
    Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)

  10. Double-click on the startup option and click Add:

    User-added image

  11. Click Browse.


  1. Right-click and select Paste. The batch file is copied to the Startup location for this Group policy.


  2. Highlight the batch file and click Open.


  3. Click OK.
    You should see the batch file appear; see the following screen shot:

    User-added image

  4. Click OK to close the screen.

Vista and Windows 7 Only - Disable Scheduled Defragmenting

  1. Create a batch file and add the following line to it:
    schtasks /change /tn "\Microsoft\Windows\Defrag\ScheduledDefrag" /disable

  2. Save the batch file in the network share created earlier in this article.

  3. On the batch file you just created, right-click and select Copy. Copy this file to the startup location on the Group policy, described in the next step.

  4. Follow the instructions from Step 3 in the previous section for the Windows XP deployment of the startup script.

Adding the XDOptimizer.adm File to Group Policy

The XDOptimizer.adm file has policies for both User and Computer configurations.

Most of the configurations are based on the Computer configuration. The User configuration has three policies:

Reduce Internet Explorer Temporary File Cache - 5.0 \Cache\Content Key

Reduce Internet Explorer Temporary File Cache - \Cache\Content Key

Disable Move to Recycle Bin (Windows Vista and Windows 7)

To Add the XDOptimizer.adm file

  1. Copy the XDOptimizer.adm file to a relevant location. Usually the location is c:\windows\inf on the machine where the policy is being managed.

  2. Open the Group Policy Management console; edit the group policy where you want to apply these settings.

  3. Add the XDOptimizer.adm file by opening Computer Configuration > Administrative Templates.

  1. Right-click on Administrative Templates and select Add/Remove Templates.
  2. Click Add, browse to the location of the XDOptimizer.adm file and click Open to add the file.


  1. Click Close.

You should see a new Folder showing: Classic Administrative Templates (ADM) with another Folder underneath showing "Win7/XP Optimization for XenDesktops". The following example shows the policies enabled:

User-added image

Go through all relevant settings and enable them. Enabling a policy here disables the corresponding Windows setting.

Note: Some settings only apply to Windows XP or Vista and Windows 7. You must configure the settings.

Deploying Citrix Plug-in Tool

To deploy the Citrix Plug-in, open http://support.citrix.com/proddocs/index.jsp?topic=/online-plugin-120-windows/ica-client-deploy-active-dir.html

Environment

This software application is provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that: (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the software application be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the software application.

Additional Information

Further information on Group Policy software distribution and Managing Group Policy administrative templates can be found on the following Microsoft website:

For Windows 2008: http://support.microsoft.com/kb/816102

For WinRM: http://support.microsoft.com/kb/555966

Windows XP Remote Assistance: http://support.microsoft.com/kb/300546

For managing Group Policy administrative templates (.adm): http://support.microsoft.com/kb/816662