Remote PC Access
Remote PC Access allows an end user to log on remotely from anywhere to the physical Windows PC in the office.
The Virtual Delivery Agent (VDA) is installed on the office PC. The VDA registers with the Cloud Connector or Delivery Controller and manages the HDX connection between the PC and the end user client devices.
Remote PC Access supports a self-service model. After you set up the machine catalog and add the machines to a Delivery Group that users are permitted to access, those users are automatically assigned to their machines when they log on locally to the PC. This logon occurs without administrator intervention. The Citrix Workspace app running on their client device enables access to the applications and data on the office PC within the Remote PC Access desktop session.
A user can have multiple desktops, including more than one physical PC or a combination of physical PCs and virtual desktops.
Note: For on-premises deployments, Remote PC Access is valid only for Citrix Virtual Apps and Desktops Advanced or Premium licenses. Sessions consume licenses in the same way as other Citrix Virtual Desktops sessions. For Citrix Cloud, Remote PC Access is valid for the Citrix Virtual Apps and Desktops Service and Workspace Premium Plus.
Active Directory considerations
Before configuring the Remote PC Access deployment Site, set up your Organizational Units (OUs) and security groups, and then create user accounts. This is typically already in place prior to deploying Remote PC Access.
If you modify Active Directory after a machine has been added to a machine catalog, Remote PC Access does not reevaluate the assignment. If needed, you can manually reassign a machine to a different catalog.
If you move or delete OUs, catalog associations are affected and VDAs might no longer be in the most appropriate machine catalog. Make sure to migrate or move Remote PC Access assignments before OU manipulation.
Machine catalog and Delivery Group considerations
- A machine can be assigned to only one machine catalog and one Delivery Group at a time.
- When choosing machine accounts for a catalog, select the lowest applicable OU to avoid potential conflicts with machines in another catalog. For example, in the case of bank/officers/tellers, select tellers. If that level of granularity is not required for machine catalogs, it is appropriate to select a higher level OU.
- We recommend a single Delivery Group per machine catalog. This configuration allows for greater organization, manageability, and flexibility around filtering policies for different user groups based on their needs or requirements.
- If your IT infrastructure assigns responsibility for servicing users based on geographic location, department, or some other category, consider grouping machines accordingly using machine catalogs and Delivery Groups to facilitate delegated administration. Doing so helps ensure that each administrator obtains access only to the corresponding machines.
- You can create a Remote PC Access deployment and then add traditional Virtual Desktop Infrastructure (VDI) desktops or applications later.
- You can add Remote PC Access desktops to an existing VDI deployment.
- Consider whether to enable the Windows Remote Assistance check box when installing the VDA on the office PC. This option allows help desk teams using Director to view and interact with a user sessions using Windows Remote Assistance.
- Consider how you will deploy the VDA to each office PC. We recommend using electronic software distribution solutions such as Active Directory scripts and Microsoft System Center Configuration Manager. The installation media contains sample Active Directory scripts.
- Review the security considerations for Remote PC Access deployments.
Technical requirements and considerations
- The following are not supported for Remote PC Access devices:
- KVM switches or other components that can disconnect a session.
- Hybrid PCs, including All-in-One and NVIDIA Optimus laptops and PCs.
- Secure Boot for Remote PC Access is supported on Windows 10 only.
- Each office PC must be domain-joined.
- Each office PC must have an active network connection. We recommend using a wired connection for increased reliability and bandwidth availability.
- If using Wi-Fi, do the following:
- Set the power settings to leave the wireless adapter turned on.
- Configure the wireless adapter and network profile to allow automatic connection to the wireless network before the user logs on. Otherwise, the VDA does not register until the user logs on and the PC isn’t available for remote access until a user has logged on.
- Ensure that the Delivery Controllers or Cloud Connectors can be reached from the Wi-Fi network.
- If using Wi-Fi, do the following:
- You can use Remote PC Access on most laptop computers. To improve accessibility and deliver the best connection experience, ensure the laptop is connected to a power source instead of running on the battery. Configure the laptop power options to match a desktop PC. For example:
- Disable the hibernate feature.
- Disable the sleep feature.
- Set the close lid action to Do Nothing.
- Set the “press the power button” action to Shut Down.
- Disable video card and NIC energy-saving features.
If using a docking station, you can undock and redock laptops. When you undock the laptop, the VDA reregisters with the Delivery Controllers or Cloud Connectors over Wi-Fi. However, when you redock the laptop, the VDA doesn’t switch to use the wired connection unless you disconnect the wireless adapter. Some devices provide built-in functionality to disconnect the wireless adapter upon establishing a wired connection. The other devices require custom solutions or third-party utilities to disconnect the wireless adapter. Review the Wi-Fi considerations mentioned previously.
Do the following to enable docking and undocking for Remote PC Access devices:
- In the Start menu, select Settings > System > Power & Sleep, and set Sleep to Never.
- Under the Device Manager > Network adapters > Ethernet adapter go to Power Management and clear Allow the computer to turn off this device to save power. Ensure that Allow this device to wake the computer is checked.
- Connect the keyboard and mouse directly to the PC or laptop, not to the monitor or other components that can be turned off. If you must connect input devices to components such as monitors, do not turn them off.
- We support Remote PC Access on Surface Pro devices with Windows 10. To improve accessibility and deliver the best connection experience, follow the same guidelines for laptops mentioned previously.
- Install the Citrix Workspace app on each client device (for example, a home PC) that accesses the office PC. Citrix Workspace app is also available in the Apple and Google Play stores for mobile follow me roaming needs.
- Multiple users with remote access to the same office PC see the same icon in Citrix Workspace app. When any user remotely logs on to the PC, that resource appears as unavailable to other users.
Features managed through the registry
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
Disable multiple user auto-assignments
On each deliver controller, add the following registry setting:
- Name: AllowMultipleRemotePCAssignments
- Type: DWORD
- Data: 0
Sleep mode (minimum version 7.16)
To allow a Remote PC Access machine to go into a sleep state, add this registry setting on the VDA, and then restart the machine. After the restart, the operating system power saving settings are respected. The machine goes into sleep mode after the preconfigured idle timer passes. After the machine wakes up, it reregisters with the Delivery Controller.
- Name: DisableRemotePCSleepPreventer
- Type: DWORD
- Data: 1
By default, a remote user’s session is automatically disconnected when a local user initiates a session on that machine (by pressing CTRL+ATL+DEL). To prevent this automatic action, add the following registry entry on the office PC, and then restart the machine.
- Name: SasNotification
- Type: DWORD
- Data: 1
By default, the remote user has preference over the local user when the connection message is not acknowledged within the timeout period. To configure the behavior, use this setting:
- Name: RpcaMode
- Type: DWORD
- 1 - The remote user always has preference if he or she does not respond to the messaging UI in the specified timeout period. This behavior is the default if this setting is not configured.
- 2 - The local user has preference.
The timeout for enforcing the Remote PC Access mode is 30 seconds by default. You can configure this timeout but do not set it lower than 30 seconds. To configure the timeout, use this registry setting:
- Name: RpcaTimeout
- Type: DWORD
- Data: number of seconds for timeout in decimal values
When a user wants to forcibly get the console access: The local user can press Ctrl+Alt+Del twice in a gap of 10 seconds to get local control over a remote session and force a disconnect event.
After the registry change and machine restart, if a local user presses Ctrl+Alt+Del to log on to that PC while it is in use by a remote user, the remote user receives a prompt asking whether to allow or deny the local user’s connection. Allowing the connection disconnects the remote user’s session.
Wake on LAN
Wake on LAN is not supported with Remote PC Access in Citrix Cloud.
Remote PC Access supports Wake on LAN, which gives users the ability to turn on physical PCs remotely. This feature enables users to keep their office PCs turned off when not in use, saving energy costs. It also enables remote access when a machine has been turned off inadvertently, such as during weather events.
The Remote PC Access Wake on LAN feature is supported on:
PCs that have the Wake on LAN option enabled in the BIOS. This support includes wake-up proxy and raw magic packets, and is available when using Microsoft System Center Configuration Manager (ConfigMgr) 2012, ConfigMgr 2012 R2, and ConfigMgr 2016.
Configure ConfigMgr to use the Wake on LAN feature. Then, when you create a Remote PC Access deployment through Studio (or when you add another power management connection to be used for Remote PC Access), enable the power management feature and specify ConfigMgr access information.
Configuration Manager and Remote PC Access Wake on LAN
To configure the Remote PC Access Wake on LAN feature, complete the following before installing a VDA on the office PCs.
- Configure ConfigMgr 2012, 2012 R2, or 2016 within the organization. Then deploy the ConfigMgr client to all Remote PC Access machines, allowing time for the scheduled SCCM inventory cycle to run (or force one manually, if necessary). The access credentials you specify in Studio to configure the connection to ConfigMgr must include collections in the scope and the Remote Tools Operator role.
- For ConfigMgr Wake Proxy and/or magic packet support:
- Configure Wake on LAN in each PC’s BIOS settings.
- For Wake Proxy support, enable the option in ConfigMgr. For each subnet in the organization that contains PCs that will use the Remote PC Access Wake on LAN feature, ensure that three or more machines can serve as sentinel machines.
- For magic packet support, configure network routers and firewalls to allow magic packets to be sent, using either a subnet-directed broadcast or unicast.
After you install the VDA on office PCs, enable or disable power management when you create the connection and the machine catalog.
- If you enable power management in the catalog, specify connection details: the ConfigMgr address and access credentials, plus a name.
- If you do not enable power management, you can add a power management (Configuration Manager) connection later and then edit a Remote PC Access machine catalog to enable power management and specify the new power management connection.
You can edit a power management connection to configure advanced settings. You can enable:
- Wake-up proxy delivered by ConfigMgr.
- Wake on LAN (magic) packets. If you enable Wake on LAN packets, you can select a Wake on LAN transmission method: subnet-directed broadcasts or Unicast.
The PC uses AMT power commands (if they are supported), plus any of the enabled advanced settings. If the PC does not use AMT power commands, it uses the advanced settings.
Configuration sequence and considerations
Before creating the Remote PC Access Site:
On-premises site only - To use the Remote PC Access power management feature (also known as Remote PC Access Wake on LAN), complete the configuration tasks on the PCs and on Microsoft System Center Configuration Manager (SCCM) before creating the Remote PC Access deployment in Studio.
In the Studio Site creation wizard:
- Select the Remote PC Access Site type.
- On the Power Management page, you can enable or disable power management for the machines in the default Remote PC Access machine catalog. If you enable power management, specify ConfigMgr connection information.
- Complete the information on the Users and Machine Accounts pages.
Creating a Remote PC Access Site creates a default machine catalog named Remote PC Access Machines and a default Delivery Group named Remote PC Access Desktops.
If adding to an existing site:
- In Studio, create a machine catalog of type Remote PC Access (Operating System page of the wizard). For details on how to create a machine catalog, see Create machine catalogs. Make sure to assign the correct OU so that the target PCs are made available for use with Remote PC Access.
Create a Delivery Group to provide users access to the PCs in the machine catalog. For details on how to create a Delivery Group, see Create Delivery Groups. Make sure to assign the Delivery Group to an Active Directory group that contains the users that require access to their PCs.
If a power management connection is not configured when the machine catalog is created, you can create it later.
Install the VDA on the office PCs used for local and remote access. Typically, you deploy the VDA automatically using your software distribution tools. However, for proof-of-concept or small deployments, you can install the VDA manually on each office PC. There are several ways you can install a desktop VDA for a Remote PC Access deployment. For details about installing the VDA, see Install VDAs. We recommend using the Single-Session OS Core Services package for Remote PC Access deployments. Alternatively, you can use the full Single-Session OS VDA installer with the remotepc option. For more information, see Install using the command line page.
If you use the full-product or
- Graphic interface: Select Remote PC Access on the Environment page of the wizard. The components on the Additional Components page are not selected by default. They are not required for Remote PC Access operation.
- Command-line interface: specify the /remotepc option. This option prevents the installation of more components. Alternatively, you can use the /exclude option to exclude each of these components. For details, see the command-line option descriptions
We recommend using the
VDAWorkstationCoreSetup.exeinstaller. However, neither Citrix Workspace app nor any additional components (for example, App-V, Citrix Provisioning Services, and Machine Creation Services) can be installed with this installer.
If the Active Directory Groups with Delivery Group and OU with machine catalog meet the criteria, after the VDA is installed, the next domain user that logs on to a console session (locally or through RDP) on the office PC is automatically assigned to the Remote PC Access desktop. If more domain users log on to a console session, they are also added to the desktop user list. Those users are subject to any restrictions you have configured, or settings in the registry key described earlier in this article to restrict on first logon.
To use RDP connections outside of your Citrix Virtual Apps and Desktops environment, you must add users or groups to the Direct Access Users group.
Instruct users to download and install Citrix Workspace app onto each client device they will use to access the office PC remotely. Citrix Workspace app is available from https://www.citrix.com or the application distribution systems for supported mobile devices.
Diagnostic information about Remote PC Access is written to the Windows Application Event log. Informational messages are not throttled. Error messages are throttled by discarding duplicate messages.
- 3300 (informational): Machine added to catalog
- 3301 (informational): Machine added to delivery group
- 3302 (informational): Machine assigned to user
- 3303 (error): Exception
If power management for Remote PC Access is enabled, subnet-directed broadcasts might fail to start machines that are on a different subnet from the Controller. If you need power management across subnets using subnet-directed broadcasts, and AMT support is not available, try the Wake-up proxy or Unicast method. Ensure those settings are enabled in the advanced properties for the power management connection.