Attempted installation of XenApp or XenDesktop Delivery Controller or Virtual Delivery Agent software returns the following warning: 
We cannot start the Citrix service that enables you to enroll in Call Home.

Note: This is applicable to XenDesktop & XenApp 7.12 and later.

This warning is most frequently encountered because an Active Directory GPO with the policy setting 'Log on as a service' is applied to the server where the XenApp or XenDesktop Delivery Controller software is being installed. There are several ways of resolving this. Choose one of the following methods.

Method 1: Local Policy

Place the Active Directory accounts for the Delivery Controllers into an OU with inheritance blocking enabled. Ensure that no policies are being applied directly against this OU, perform a group policy update, and then browse to the local policy configurations on each Delivery Controller. Browse to the location 'Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment' in the local policy editor and ensure that 'Deny log on as a service' is not prohibiting 'NT SERVICE\CitrixTelemetryService' from running as a service. Finally, ensure that either 'NT SERVICE\CitrixTelemetryService' and/or ‘NT SERVICE\ALL SERVICES’ are defined under the 'Log on as a service' policy setting.

Method 2: Active Directory GPO, NT SERVICE\ALL SERVICES

Create an Active Directory GPO with the Log on as a service policy setting and extend rights to 'NT SERVICE\ALL SERVICES'.

Method 3: Active Directory GPO, Service Account SID

Note: This can be done only on a Delivery Controller with the Group Policy Management feature installed where the CitrixTelemetryService account has been created by the installer.

The process of adding the service account into an Active Directory GPO must be performed locally because Active Directory cannot detect the local CitrixTelemetryService account.

1. Click Start, point to Run, type mmc, and then click OK.

2. On the File menu, click Add/Remove Snap-in.

3. In Add/Remove Snap-in, click Add, and then, in Add Standalone Snap-in, double-click Group Policy Object Editor.

4. In Group Policy Object, click Browse, browse to the Group Policy object (GPO) that you want to modify, click OK, and then click Finish.

5. Click Close and then click OK.

6. In the console tree, click User Rights Assignment. (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment)

7. In the details pane, double-click Log on as service right.

8. If the security setting has not yet been defined, select the Define these policy settings check box.

9. Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Log on as a service right.

10. In the Add User or Group box select Browse.

11. Click Locations and select the machine account of the local Delivery Controller.

12. Enter 'NT SERVICE\CitrixTelemetryService' in the object names field and click OK.

1. Manually start the Citrix Telemetry Service.
2. If the Call Home page in the installation wizard is still open, click Next. On the Finish page, click Back to return to the Call Home page. Select I want to participate in Call Home (Recommended) and then click Connect.

   If you closed the installation screen, run the following PowerShell cmdlets to enroll in Call Home:
   $cred = Get-Credential
   Enable-CitrixCallHome -Credential $cred

Method  4: Cumulative Update

This message is also displayed when:

• Upgrading XenApp and XenDesktop 7.15 LTSR with a Cumulative Update, and
• The Citrix Telemetry Service has been stopped or disabled, and
• The Cumulative Update does not contain an updated Telemetry Service component.

Problem Cause

The service account for 'Citrix Telemetry Service' has insufficient privileges at the time of XenApp or XenDesktop installation. The XenApp or XenDesktop installation associates the service account 'NT SERVICE\CitrixTelemetryService' with 'Citrix Telemetry Service'; typically, rights to log on as a service are extended to 'NT SERVICE\ALL SERVICES'. Editing the local or domain policy 'Log on as a Service' such that the newly created 'NT SERVICE\CitrixTelemetryService' is not defined with sufficient rights generates the installation failure on the 'telemetryserviceinstaller_x64.msi'. This occurs because services configured to run under the Local System, Local Service, or Network Service accounts have a built-in right to log on as a service. Any service that runs under a separate user account must be assigned the right. The Citrix Telemetry Service is implemented as of the XenDesktop 7.6 Feature Pack 3 release and is responsible for collecting diagnostic information to support AoT CDF Tracing.