Unsupported Zone-Based Tag Restrictions in Citrix DaaS

Article ID: CTX696184

Description

Users may experience: 

  • Intermittent connection failures 
  • "No resources available" errors despite having entitlements 
  • Access working from some locations but not others (if zones are geo-distributed) 
  • Sessions launching successfully sometimes but failing other times 

Scenario 1: EntitlementPolicyRule with Tag Restriction 

Initial Setup:

Delivery Group: "Sales-VDI"
├── Zone: "US-East"
│   ├── Machine1 (Tags: Location-US, Department-Sales)
│   ├── Machine2 (Tags: Location-US, Department-Sales)
│   └── Machine3 (Tags: Location-US, Department-Sales)
└── Zone: "US-West"
    ├── Machine4 (Tags: Location-US)
    └── Machine5 (Tags: Location-US)

EntitlementPolicyRule: "Sales-US-Access"
├── DesktopGroupUid: Sales-VDI
└── RestrictToTag: "Department-Sales"

The Problem: 

  • US-East zone: ✅ Has machines with "Department-Sales" tag (Machine1, Machine2, Machine3) 
  • US-West zone: ❌ Has NO machines with "Department-Sales" tag (Machine4, Machine5 lack the tag) 

Requirement Violation: When using RestrictToTag: "Department-Sales", every zone that contains machines from the Delivery Group must have at least one machine with this tag. US-West contains Sales-VDI machines (Machine4, Machine5) but none of them carry the required tag.

 

Impact: 

Users routed to US-East zone → ✅ Can access desktops 

Users routed to US-West zone → ❌ Cannot access desktops (even though machines exist) 

 

How It Happens: 

This commonly occurs when: 

  1. Expanding to a new zone and forgetting to apply tags to new machines
  2. Removing tags from machines without verifying zone coverage
  3. Moving machines between zones without updating tags
  4. Cloning machine catalogs across zones with different tag configurations

 

Scenario 2: ApplicationGroup with Tag Restriction 

Initial Setup:

Delivery Group 1: "Finance-RDS-East" (Zone: US-East)
├── Machine1 (Tags: Location-US-East, App-Finance)
└── Machine2 (Tags: Location-US-East, App-Finance)

Delivery Group 2: "Finance-RDS-West" (Zone: US-West)
├── Machine3 (Tags: Location-US-West)
└── Machine4 (Tags: Location-US-West)

ApplicationGroup: "Finance-Apps"
├── AssociatedDesktopGroupUids: [Finance-RDS-East, Finance-RDS-West]
├── RestrictToTag: "App-Finance"
└── Applications: Excel, Accounting Software, etc.

The Problem: 

  • US-East zone: ✅ Has machines with "App-Finance" tag (Machine1, Machine2) 
  • US-West zone: ❌ Has NO machines with "App-Finance" tag (Machine3, Machine4 lack the tag) 

Requirement Violation: When using RestrictToTag: "App-Finance", all zones spanning the associated Delivery Groups must have at least 1 machine with this tag. US-West zone has 0 machines with the required tag. 

 

Impact: 

  • Users routed to US-East zone → ✅ Can launch Finance applications 
  • Users routed to US-West zone → ❌ Cannot launch Finance applications (even though RDS machines exist) 

 

How It Happens: 

This commonly occurs when: 

  1. Adding a new Delivery Group to an existing ApplicationGroup without applying required tags
  2. Creating disaster recovery zones without maintaining tag parity
  3. Consolidating multiple ApplicationGroups and inheriting RestrictToTag without verifying machine tags
  4. Decommissioning tagged machines in one zone while keeping untagged machines

Cause

What is the Issue? 

Unsupported Zone-Based Tag Restrictions occur when: 

  • You have a Delivery Group with machines distributed across multiple zones 
  • An EntitlementPolicyRule or ApplicationGroup uses the RestrictToTag property 
  • One or more zones contain machines from the Delivery Group, but none of those machines have the required tag 

Core Requirement: When using RestrictToTag, each zone must have at least one machine with that tag. If any zone lacks machines with the required tag, users routed to that zone cannot access resources. 

Why is This a Problem? 

When users are routed to a zone that has no machines with the required tag, they cannot access their entitled resources even though: 

  • They have valid entitlements 
  • Machines exist in the Delivery Group 
  • Machines with the correct tag exist in other zones 

This creates an inconsistent user experience where access depends on which zone the user is routed to. 
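The core requirement above, expressed as a reusable check. This is an added example and not part of the Citrix article: it is plain PowerShell with no Citrix SDK dependency, the machine objects are constructed inline to mirror Scenario 1 and Scenario 2, and the function name Find-ZoneTagGap, the numeric DesktopGroupUid values and the zone GUIDs are assumptions made for the example. Against a live site, feed it the output of Get-BrokerMachine instead (raising -MaxRecordCount above the default of 250 so no machines are skipped).

```powershell
# Added example, not from the Citrix article. Pure PowerShell: evaluates the
# zone-coverage requirement over plain objects so it can be run offline.
function Find-ZoneTagGap {
    <#
      Emits one record per zone that contains machines from the given delivery
      groups. Covered = $false marks a zone where no machine carries $Tag, i.e.
      users brokered to that zone cannot launch the tag-restricted resource.
      For an EntitlementPolicyRule pass its single DesktopGroupUid; for an
      ApplicationGroup pass its AssociatedDesktopGroupUids.
    #>
    param(
        [Parameter(Mandatory)] [object[]] $Machines,          # objects with ZoneUid, DesktopGroupUid, Tags
        [Parameter(Mandatory)] [int[]]    $DesktopGroupUids,
        [Parameter(Mandatory)] [string]   $Tag                # the RestrictToTag value
    )
    $inScope = $Machines | Where-Object { $DesktopGroupUids -contains $_.DesktopGroupUid }
    foreach ($zone in ($inScope | Group-Object -Property ZoneUid)) {
        $tagged = @($zone.Group | Where-Object { $_.Tags -contains $Tag }).Count
        [pscustomobject]@{
            ZoneUid        = $zone.Name
            Machines       = $zone.Count
            TaggedMachines = $tagged
            Covered        = ($tagged -gt 0)
        }
    }
}

# Constructed sample data (assumed identifiers): DesktopGroupUid 10 = Sales-VDI,
# 20 = Finance-RDS-East, 21 = Finance-RDS-West; the zone GUIDs are placeholders.
$usEast = '11111111-1111-1111-1111-111111111111'
$usWest = '22222222-2222-2222-2222-222222222222'
$machines = @(
    # Scenario 1: Sales-VDI spans both zones, only US-East is tagged
    [pscustomobject]@{ MachineName = 'Machine1'; ZoneUid = $usEast; DesktopGroupUid = 10; Tags = @('Location-US', 'Department-Sales') }
    [pscustomobject]@{ MachineName = 'Machine2'; ZoneUid = $usEast; DesktopGroupUid = 10; Tags = @('Location-US', 'Department-Sales') }
    [pscustomobject]@{ MachineName = 'Machine3'; ZoneUid = $usEast; DesktopGroupUid = 10; Tags = @('Location-US', 'Department-Sales') }
    [pscustomobject]@{ MachineName = 'Machine4'; ZoneUid = $usWest; DesktopGroupUid = 10; Tags = @('Location-US') }
    [pscustomobject]@{ MachineName = 'Machine5'; ZoneUid = $usWest; DesktopGroupUid = 10; Tags = @('Location-US') }
    # Scenario 2: two single-zone delivery groups behind one ApplicationGroup
    [pscustomobject]@{ MachineName = 'FinMachine1'; ZoneUid = $usEast; DesktopGroupUid = 20; Tags = @('Location-US-East', 'App-Finance') }
    [pscustomobject]@{ MachineName = 'FinMachine2'; ZoneUid = $usEast; DesktopGroupUid = 20; Tags = @('Location-US-East', 'App-Finance') }
    [pscustomobject]@{ MachineName = 'FinMachine3'; ZoneUid = $usWest; DesktopGroupUid = 21; Tags = @('Location-US-West') }
    [pscustomobject]@{ MachineName = 'FinMachine4'; ZoneUid = $usWest; DesktopGroupUid = 21; Tags = @('Location-US-West') }
)

# Live site instead of sample data (requires the Citrix Broker SDK):
# $machines = Get-BrokerMachine -MaxRecordCount ([int]::MaxValue) -Property MachineName,ZoneUid,DesktopGroupUid,Tags

# Scenario 1: EPR "Sales-US-Access" restricted to Department-Sales on Sales-VDI
$gaps1 = Find-ZoneTagGap -Machines $machines -DesktopGroupUids 10 -Tag 'Department-Sales' |
    Where-Object { -not $_.Covered }

# Scenario 2: AppGroup "Finance-Apps" spanning both Finance delivery groups, restricted to App-Finance
$gaps2 = Find-ZoneTagGap -Machines $machines -DesktopGroupUids 20, 21 -Tag 'App-Finance' |
    Where-Object { -not $_.Covered }

$gaps1 | Format-Table -AutoSize
$gaps2 | Format-Table -AutoSize
```

With the sample data both runs report the US-West zone as uncovered (two in-scope machines, zero tagged), matching the two scenarios. The function reports every zone rather than only multi-zone groups, so a single-zone delivery group whose only zone lacks the tag is surfaced as well; that case is not a routing inconsistency but it still means nobody can launch the resource.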

Resolution

Detection 

Using PowerShell Cmdlets 

For EntitlementPolicyRules 

# Step 1: Get all EntitlementPolicyRules with RestrictToTag
$eprs = Get-BrokerEntitlementPolicyRule -Property DesktopGroupUid,RestrictToTag,Name -Filter { RestrictToTag -ne $null }

foreach ($epr in $eprs) {
    if (-not $epr.DesktopGroupUid) { continue }

    # Step 2: Group machines by zone for this desktop group.
    # Group-Broker* cmdlets return one object per distinct value, with the value in Name and the machine count in Count.
    $zoneGroups = @(Group-BrokerMachine -Property ZoneUid -Filter "DesktopGroupUid -eq $($epr.DesktopGroupUid)")

    # Step 3: Only a delivery group spread over several zones can have a zone without coverage
    if ($zoneGroups.Count -gt 1) {
        foreach ($zoneGroup in $zoneGroups) {
            # Step 4: Look for at least one machine in this zone and desktop group carrying the required tag.
            # -ReturnTotalRecordCount only writes the count to the error stream, so count the returned objects instead;
            # -MaxRecordCount 1 keeps the query cheap because one hit is enough.
            $machinesWithTag = @(Get-BrokerMachine -ZoneUid $zoneGroup.Name -DesktopGroupUid $epr.DesktopGroupUid -Filter "Tag -eq '$($epr.RestrictToTag)'" -MaxRecordCount 1)

            # Step 5: Report if no machines have the tag
            if ($machinesWithTag.Count -eq 0) {
                Write-Warning "EPR '$($epr.Name)': Zone '$($zoneGroup.Name)' has no machines in DesktopGroupUid '$($epr.DesktopGroupUid)' with tag '$($epr.RestrictToTag)'"
            }
        }
    }
}

For ApplicationGroups 

# Step 1: Get all ApplicationGroups with RestrictToTag
$ags = Get-BrokerApplicationGroup -Property AssociatedDesktopGroupUids,RestrictToTag,Name -Filter { RestrictToTag -ne $null }

foreach ($ag in $ags) {
    if (-not $ag.AssociatedDesktopGroupUids -or $ag.AssociatedDesktopGroupUids.Count -eq 0) { continue }

    # Step 2: Build a filter matching machines in any of the associated desktop groups.
    # The parentheses matter: -and binds tighter than -or when the tag clause is appended below.
    $filterParts = $ag.AssociatedDesktopGroupUids | ForEach-Object { "DesktopGroupUid -eq $_" }
    $dgFilter = "(" + ($filterParts -join ' -or ') + ")"

    # Step 3: Group machines by zone across all associated desktop groups
    $zoneGroups = @(Group-BrokerMachine -Property ZoneUid -Filter $dgFilter)

    # Step 4: Only a multi-zone set of machines can have a zone without coverage
    if ($zoneGroups.Count -gt 1) {
        foreach ($zoneGroup in $zoneGroups) {
            # Step 5: Look for at least one machine in this zone, in any associated desktop group, carrying the required tag
            $combinedFilter = "$dgFilter -and Tag -eq '$($ag.RestrictToTag)'"
            $machinesWithTag = @(Get-BrokerMachine -ZoneUid $zoneGroup.Name -Filter $combinedFilter -MaxRecordCount 1)

            # Step 6: Report if no machines have the tag
            if ($machinesWithTag.Count -eq 0) {
                $associatedDesktopGroupUids = $ag.AssociatedDesktopGroupUids -join ','
                Write-Warning "AppGroup '$($ag.Name)': Zone '$($zoneGroup.Name)' has no machines in AssociatedDesktopGroupUids '$associatedDesktopGroupUids' with tag '$($ag.RestrictToTag)'"
            }
        }
    }
}

 

Option 1: Add Missing Tags to Machines (Recommended) 

This ensures each zone has at least one machine with the required tag, satisfying the core requirement for tag-based restrictions. Note that tagging a machine also makes it eligible to serve the restricted entitlement, so tag only the machines that are meant to serve those users; the loop in step 3 tags every machine it is given, so trim $machinesToTag first if the zone also hosts machines that should stay outside the rule.

Goal: Every zone must have ≥ 1 machine with the RestrictToTag value.

 

Steps: 

1 Identify the affected zone and tag:

# From the warning message, note the ZoneUid and Tag
# Example: Zone '12345678-90ab-cdef-1234-567890abcdef' missing tag 'Department-Sales'

2 List machines in the affected zone:

$zoneUid = "12345678-90ab-cdef-1234-567890abcdef"  # Replace with actual ZoneUid
$desktopGroupUid = 123  # Replace with actual DesktopGroupUid
$missingTag = "Department-Sales"  # Replace with actual tag

# Get machines that need the tag (raise MaxRecordCount above the default of 250 so none are missed)
$machinesToTag = Get-BrokerMachine -ZoneUid $zoneUid -DesktopGroupUid $desktopGroupUid -MaxRecordCount ([int]::MaxValue)

# Display machines that will be tagged
$machinesToTag | Select-Object MachineName, Tags, ZoneUid | Format-Table

3 Add the tag to machines:

# The tag already exists in the site (other zones use it), so Add-BrokerTag -Name attaches it by name
foreach ($machine in $machinesToTag) {
    Add-BrokerTag -Machine $machine -Name $missingTag
    Write-Host "Added tag '$missingTag' to machine: $($machine.MachineName)" -ForegroundColor Green
}

4 Verify the tag was applied:

# Check if machines now have the tag
Get-BrokerMachine -ZoneUid $zoneUid -DesktopGroupUid $desktopGroupUid -Filter "Tag -eq '$missingTag'" -MaxRecordCount 10 |
    Select-Object MachineName, Tags
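The mirror image of Option 1 is keeping the coverage once it exists. The "removing tags without verifying zone coverage" and "decommissioning tagged machines in one zone" causes from the How It Happens lists can be blocked at the point of change. The following guard is an added example and not part of the Citrix article: it wraps Remove-BrokerTag so the removal is refused when the machine is the last one in its zone and delivery group carrying a tag that some EntitlementPolicyRule or ApplicationGroup restricts to. It requires the Citrix Broker PowerShell SDK to be loaded; the function name and the conservative per-delivery-group check (stricter than the ApplicationGroup rule, which only needs one tagged machine somewhere across the associated groups in that zone) are the example's own choices.

```powershell
# Added example, not from the Citrix article. Requires the Citrix Broker SDK
# (Get-BrokerMachine, Get-BrokerEntitlementPolicyRule, Get-BrokerApplicationGroup, Remove-BrokerTag).
function Remove-BrokerTagSafely {
    <#
      Removes $Tag from $MachineName unless doing so would leave the machine's zone
      with no tagged machine for a rule or application group that restricts to $Tag.
      Supports -WhatIf / -Confirm like the underlying cmdlet.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $MachineName,   # DOMAIN\NAME form, as shown by Get-BrokerMachine
        [Parameter(Mandatory)] [string] $Tag
    )

    $machine = Get-BrokerMachine -MachineName $MachineName
    if (-not $machine) { throw "Machine '$MachineName' not found" }
    if ($machine.Tags -notcontains $Tag) {
        Write-Verbose "'$MachineName' does not carry tag '$Tag'; nothing to do"
        return
    }

    # Delivery groups whose access depends on this tag: directly via an EPR ...
    $dependentDgs = @(Get-BrokerEntitlementPolicyRule -RestrictToTag $Tag | ForEach-Object DesktopGroupUid)
    # ... and via any application group restricted to it
    $dependentDgs += @(Get-BrokerApplicationGroup -RestrictToTag $Tag | ForEach-Object { $_.AssociatedDesktopGroupUids })

    if ($machine.DesktopGroupUid -and ($dependentDgs -contains $machine.DesktopGroupUid)) {
        # Is there at least one other machine in the same zone and delivery group with the tag?
        # -MaxRecordCount 2 is enough: the machine itself may be one of the two results.
        $others = @(Get-BrokerMachine -ZoneUid $machine.ZoneUid -DesktopGroupUid $machine.DesktopGroupUid -Tag $Tag -MaxRecordCount 2 |
                    Where-Object { $_.MachineName -ne $machine.MachineName })
        if ($others.Count -eq 0) {
            throw "Refusing: '$MachineName' is the last machine in zone $($machine.ZoneUid) of DesktopGroupUid $($machine.DesktopGroupUid) with tag '$Tag'; removing it would strand users brokered to that zone. Tag another machine in the zone first (see Option 1)."
        }
    }

    if ($PSCmdlet.ShouldProcess($MachineName, "Remove tag '$Tag'")) {
        Remove-BrokerTag -Name $Tag -Machine $machine
    }
}

# Usage (dry run first, then the real change):
# Remove-BrokerTagSafely -MachineName 'CORP\Machine3' -Tag 'Department-Sales' -WhatIf
# Remove-BrokerTagSafely -MachineName 'CORP\Machine3' -Tag 'Department-Sales'
```

Run it with -WhatIf before a bulk clean-up to see which removals would be refused; an ordinary Remove-BrokerTag would silently produce the Scenario 1 state on the last tagged machine.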

 

Option 2: Remove Tag Restriction from the EntitlementPolicyRule or ApplicationGroup 

If the tag restriction is not necessary, or if you cannot ensure at least one tagged machine exists in every zone, you can remove the RestrictToTag from the EntitlementPolicyRule or ApplicationGroup. Note that this widens the rule or application group to every machine in the Delivery Group(s), so confirm that the tag was not doing access-control work (for example keeping a department off shared hosts) before dropping it.

For EntitlementPolicyRule: 

$ruleName = "Sales-US-Access"  # Replace with actual rule name 

# Remove the RestrictToTag 

Set-BrokerEntitlementPolicyRule -Name $ruleName -RestrictToTag $null 

# Verify 

Get-BrokerEntitlementPolicyRule -Name $ruleName | Select-Object Name, RestrictToTag 

For ApplicationGroup: 

$appGroupName = "Finance-Apps"  # Replace with actual application group name

# Remove the RestrictToTag 

Set-BrokerApplicationGroup -Name $appGroupName -RestrictToTag $null 

# Verify 

Get-BrokerApplicationGroup -Name $appGroupName | Select-Object Name, RestrictToTag 

 

Option 3: Consolidate Machines to Single Zone

If tag-based restrictions are required and you cannot add tags to all zones, consider moving all machines to a single zone. This satisfies the requirement trivially, at the cost of the geographic or disaster-recovery separation the additional zones provided.

Issue/Introduction

This article describes a configuration issue that can occur in multi-zone Citrix DaaS deployments when using tag-based restrictions on EntitlementPolicyRules or ApplicationGroups. When misconfigured, users may be unable to access their entitled desktops or applications. 

Additional Information

Key Cmdlets Reference

Cmdlet                             Purpose
Get-BrokerEntitlementPolicyRule    Retrieve desktop entitlement policies
Get-BrokerApplicationGroup         Retrieve application group configurations
Group-BrokerMachine                Group and count machines by property (e.g., ZoneUid)
Get-BrokerMachine                  Query machines with filters
Add-BrokerTag                      Add tags to machines
Set-BrokerEntitlementPolicyRule    Modify entitlement policy rules
Set-BrokerApplicationGroup         Modify application groups