Product Documentation

Remote PC Access

May 25, 2016

Remote PC Access allows an end user to log on remotely from virtually anywhere to the physical Windows PC in the office. The Virtual Delivery Agent (VDA) is installed on the office PC; it registers with the Delivery Controller and manages the HDX connection between the PC and the end user client devices. Remote PC Access supports a self-service model; after you set up the whitelist of machines that users are permitted to access, those users can join their office PCs to a Site themselves, without administrator intervention. The Citrix Receiver running on their client device enables access to the applications and data on the office PC from the Remote PC Access desktop session.

A user can have multiple desktops, including more than one physical PC or a combination of physical PCs and virtual desktops.

Note: Sleep mode & Hibernation mode for Remote PC Access is not supported. Remote PC Access is valid only for XenDesktop licenses; sessions consume licenses in the same way as other XenDesktop sessions.

Active Directory considerations

Before configuring the Remote PC Access deployment Site, set up your Organizational Units (OUs) and security groups and then create user accounts. Use these accounts to specify users for the Delivery Groups you will use to provide Remote PC Access.

If you modify Active Directory after a machine has been added to a Machine Catalog, Remote PC Access does not reevaluate that assignment. You can manually reassign a machine to a different catalog, if needed.

If you move or delete OUs, those used for Remote PC Access can become out of date. VDAs might no longer be associated with the most appropriate (or any) Machine Catalog or Delivery Group.

Machine Catalog and Delivery Group considerations

A machine can be assigned to only one Machine Catalog and one Delivery Group at a time.

You can put machines in one or more Remote PC Access Machine Catalogs.

When choosing machine accounts for a Machine Catalog, select the lowest applicable OU to avoid potential conflicts with machines in another catalog. For example, in the case of bank/officers/tellers, select tellers.

You can allocate all machines from one Remote PC Access Machine Catalog through one or more Delivery Groups. For example, if one group of users requires certain policy settings and another group requires different settings, assigning the users to different Delivery Groups enables you to filter the HDX policies according to each Delivery Group.

If your IT infrastructure assigns responsibility for servicing users based on geographic location, department, or some other category, you can group machines and users accordingly to allow for delegated administration. Ensure that each administrator has permissions for both the relevant Machine Catalogs and the corresponding Delivery Groups.

For users with office PCs running Windows XP, create a separate Machine Catalog and Delivery Group for those systems. When choosing machine accounts for that catalog in Studio, select the checkbox indicating that some machines are running Windows XP.

Deployment considerations

You can create a Remote PC Access deployment and then add traditional Virtual Desktop Infrastructure (VDI) desktops or applications later. You can also add Remote PC Access desktops to an existing VDI deployment.

Consider whether to enable the Windows Remote Assistance checkbox when you install the VDA on the office PC. This option allows help desk teams using Director to view and interact with a user sessions using Windows Remote Assistance.

Consider how you will deploy the VDA to each office PC. Citrix recommends using electronic software distribution such as Active Directory scripts and Microsoft System Center Configuration Manager. The installation media contains sample Active Directory scripts.

Review the security considerations for Remote PC Access deployments.

Secure Boot functionality is currently unsupported. Disable Secure Boot if intending to deploy the workstation VDA.

Each office PC must be domain-joined with a wired network connection.

Windows 7 Aero is supported on the office PC, but not required.

Connect the keyboard and mouse directly to the PC or laptop, not to the monitor or other components that can be turned off. If you must connect input devices to components such as monitors, they should not be turned off. 

If you are using smart cards, see Smart cards.

Remote PC Access can be used on most laptop computers. To improve accessibility and deliver the best connection experience, configure the laptop power saving options to those of a desktop PC. For example:

  • Disable the hibernate feature.
  • Disable the sleep feature.
  • Set the close lid action to Do Nothing.
  • Set the press the power button action to Shut Down.
  • Disable video card energy saving features.
  • Disable network interface card energy saving features.
  • Disable battery saving technologies.

The following are not supported for Remote PC Access devices:

  • Docking and undocking the laptop.
  • KVM switches or other components that can disconnect a session.
  • Hybrid PCs, including All-in-One and NVIDIA Optimus laptops and PCs.

The following XenDesktop features are not supported for Remote PC Access deployments:

  • Creating master images and virtual machines
  • Delivering hosted applications
  • Personal vDisks
  • Client folder redirection

Install Citrix Receiver on each client device that remotely accesses the office PC.

Multiple users with remote access to the same office PC see the same icon in Citrix Receiver. When any user remotely logs on to the PC, that resource appears as unavailable to other users.

By default, a remote user’s session is automatically disconnected when a local user initiates a session on that machine (by pressing CTRL+ATL+DEL). To prevent this automatic action, add the following registry entry on the office PC, and then restart the machine.

Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

HKLM\SOFTWARE\Citrix\PortICA\RemotePC "SasNotification"=dword:00000001

To further customize the behavior of this feature under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\RemotePC

RpcaMode (dword):

1 = The remote user will always win if he does not respond to the messaging UI in the specified timeout period.

2 = The local user will always win. If this setting is not specified, the remote user will always win by default.

RpcaTimeout (dword):

The number of seconds given to the user before the type of mode to enforce is determined. If this setting is not specified, the default value is 30 seconds. The minimum value here should be 30 seconds. The user must restart the machine for these changes to take place.

When user wants to forcibly get the console access: The local user can press Ctr+Alt+Del twice in a gap of 10 seconds to get local control over a remote session and force a disconnect event.

    After the registry change and machine restart, if a local user presses CTRL+ALT+DEL to log on to that PC while it is in use by a remote user, the remote user receives a prompt asking whether or not to allow or deny the local user's connection. Allowing the connection will disconnect the remote user's session.

Wake on LAN

Remote PC Access supports Wake on LAN, which gives users the ability to turn on physical PCs remotely. This feature enables users to keep their office PCs turned off when not in use, saving energy costs. It also enables remote access when a machine has been turned off inadvertently, such as during weather events.

The Remote PC Access Wake on LAN feature is supported on both of the following:

  • PCs that support Intel Active Management Technology (AMT)
  • PCs that have the Wake on LAN option enabled in the BIOS

You must configure Microsoft System Center Configuration Manager (ConfigMgr) 2012 to use the Wake on LAN feature. ConfigMgr provides access to invoke AMT power commands for the PC, plus Wake-up proxy and magic-packet support. Then, when you use Studio to create a Remote PC Access deployment (or when you add another power management connection to be used for Remote PC Access), you enable power management and specify ConfigMgr access information.

Additionally:

  • Using AMT power operations is preferred for security and reliability; however, support is also provided for two non-AMT methods: ConfigMgr Wake-up proxy and raw magic packets.
  • On AMT-capable machines only, the Wake on LAN feature also supports the Force-Shutdown and Force-Restart actions in Studio and Director. Additionally, a Restart action is available in StoreFront and Receiver.

For more information, see Configuration Manager and Remote PC Access Wake on LAN.

For information about an experimental Wake on LAN SDK that enables you or a third party Wake on LAN solution to create a connector without the requirement of System Center 2012 R2, see CTX202272.

Configuration sequence and considerations

Before you create the Remote PC Access Site:

If you will use the Remote PC Access power management feature (also known as Remote PC Access Wake on LAN), complete the configuration tasks on the PCs and on Microsoft System Center Configuration Manager (ConfigMgr) before creating the Remote PC Access deployment in Studio. See Configuration Manager and Remote PC Access Wake on LAN for details.

In the Site creation wizard:

  • Select the Remote PC Access Site type.
  • On the Power Management page, you can enable or disable power management for the machines in the default Remote PC Access Machine Catalog. If you enable power management, specify ConfigMgr connection information.
  • On the Users and Machine Accounts pages, specify users and machine accounts.

Creating a Remote PC Access Site creates a default Machine Catalog named Remote PC Access Machines and a default Delivery Group named Remote PC Access Desktops.

If you create another Machine Catalog for use with Remote PC Access:

  • On the Operating System page, select Remote PC Access and choose a power management connection. You can also choose not to use power management. If there are no configured power management connections, you can add one after you finish the Machine Catalog creation wizard (connection type = Microsoft Configuration Manager Wake on LAN), and then edit the Machine Catalog, specifying that new connection.
  • On the Machine Accounts page, you can select from the machine accounts or Organizational Units (OUs) displayed, or add machine accounts and OUs.

Install the VDA on the office PCs used for local and remote access. Typically, you deploy the VDA automatically using your package management software; however, for proof-of-concept or small deployments, you can install the VDA manually on each office PC.

When installing the VDA from the command line, include the /remotepc option. This prevents the installation of the following components on a desktop (workstation) OS:

  • App V Component - Citrix Personalization for App-V - VDA
  • UpmComponent - Citrix User Profile Manager
  • UpmVdaPlugin Component - Citrix User Profile Manager WMI Plugin
  • Mps Component - Machine Identity Service
  • VDisk Component - Personal vDisk

During an upgrade, if any of the above components are installed, the installer detects and upgrades them.

After the VDA is installed, the next domain user that logs on to a console session (locally or through RDP) on the office PC is automatically assigned to the Remote PC Access desktop. If additional domain users log on to a console session, they are also added to the desktop user list, subject to any restrictions you have configured.

To use RDP connections outside of your XenApp or XenDesktop environment, you must add users or groups to the Direct Access Users group.

Instruct users to download and install Citrix Receiver onto each client device they will use to access the office PC remotely. Citrix Receiver is available from http://www.citrix.com or the application distribution systems for supported mobile devices.

Configure advanced connection settings

You can edit a power management connection to configure advanced settings. You can enable:

  • Wake-up proxy delivered by ConfigMgr.
  • Wake on LAN (magic) packets. If you enable Wake on LAN packets, you can select a Wake on LAN transmission method: subnet-directed broadcasts or Unicast.

The PC uses AMT power commands (if they are supported), plus any of the enabled advanced settings. If the PC does not use AMT power commands, it uses the advanced settings.

Troubleshooting

The Delivery Controller writes the following diagnostic information about Remote PC Access to the Windows Application Event log. Informational messages are not throttled. Error messages are throttled by discarding duplicate messages.

  • 3300 (informational) - Machine added to catalog
  • 3301 (informational) - Machine added to delivery group
  • 3302 (informational) - Machine assigned to user
  • 3303 (error) - Exception

When power management for Remote PC Access is enabled, subnet-directed broadcasts might fail to start machines that are located on a different subnet from the Controller. If you need power management across subnets using subnet-directed broadcasts, and AMT support is not available, try the Wake-up proxy or Unicast method (ensure those settings are enabled in the advanced properties for the power management connection).