Remote PC Access
Remote PC Access is a feature of Citrix Virtual Apps and Desktops that enables organizations to easily allow their employees to access corporate resources remotely in a secure manner. The Citrix platform makes this secure access possible by giving users access to their physical office PCs. If users can access their office PCs, they can access all the applications, data, and resources they need to do their work. Remote PC Access eliminates the need to introduce and provide other tools to accommodate teleworking. For example, virtual desktops or applications and their associated infrastructure.
Remote PC Access uses the same Citrix Virtual Apps and Desktops components that deliver virtual desktops and applications. As a result, the requirements and process of deploying and configuring Remote PC Access are the same as those required for deploying Citrix Virtual Apps and Desktops for the delivery of virtual resources. This uniformity provides a consistent and unified administrative experience. Users receive the best user experience by using Citrix HDX to deliver their office PC session.
The feature consists of a machine catalog of type Remote PC Access that provides this functionality:
- Ability to add machines by specifying OUs. This ability facilitates the addition of PCs in bulk.
- Automatic user assignment based on the user that logs into the office Windows PC. We support single user and multiple users assignments.
Citrix Virtual Apps and Desktops can accommodate more use cases for physical PCs by using other types of machine catalogs. These use cases include:
- Physical Linux PCs
- Pooled physical PCs (that is, randomly assigned, not dedicated)
For on-premises deployments, Remote PC Access is valid only for Citrix Virtual Apps and Desktops Advanced or Premium licenses. Sessions consume licenses in the same way as other Citrix Virtual Desktops sessions. For Citrix Cloud, Remote PC Access is valid for the Citrix Virtual Apps and Desktops Service and Workspace Premium Plus.
While all the technical requirements and considerations that apply to Citrix Virtual Apps and Desktops in general also apply to Remote PC Access, some might be more relevant or exclusive to the physical PC use case.
While planning the deployment of Remote PC Access, make a few general decisions.
- You can add Remote PC Access to an existing Citrix Virtual Apps and Desktops deployment. Before choosing this option, consider the following:
- Are the current Delivery Controllers or Cloud Connectors appropriately sized to support the additional load associated with the Remote PC Access VDAs?
- Are the on-premises site databases and database servers appropriately sized to support the additional load associated with the Remote PC Access VDAs?
- Will the existing VDAs and the new Remote PC Access VDAs exceed the number of maximum supported VDAs per site?
- You must deploy the VDA to office PCs through an automated process. The following are two of options available:
- Review the Remote PC Access security considerations.
Machine catalog considerations
The type of machine catalog required depends on the use case:
- Remote PC Access
- Windows dedicated PCs
- Windows dedicated multi-user PCs
- Single-session OS
- Static - Dedicated Linux PCs
- Random - Pooled Windows and Linux PCs
Once you identify the type of machine catalog, consider the following:
- A machine can be assigned to only one machine catalog at a time.
- To facilitate delegated administration, consider creating machine catalogs based on geographic location, department, or any other grouping that eases delegating administration of each catalog to the appropriate administrators.
- When choosing the OUs in which the machine accounts reside, select lower-level OUs for greater granularity. If such granularity is not required, you can choose higher-level OUs. For example, in the case of Bank/Officers/Tellers, select Tellers for greater granularity. Otherwise, you can select Officers or Bank based on the requirement.
- Moving or deleting OUs after being assigned to a Remote PC Access machine catalog affects VDA associations and causes issues with future assignments. Therefore, make sure to plan accordingly so that OU assignment updates for machine catalogs are accounted for in the Active Directory change plan.
- If it is not easy to choose OUs to add machines to the machine catalog because of the OU structure, you don’t have to select any OUs. You can use PowerShell to add machines to the catalog afterward. User auto-assignments continue to work if the desktop assignment is configured correctly in the Delivery Group. A sample script to add machines to the machine catalog along with user assignments is available in GitHub.
- Integrated Wake on LAN is available only with the Remote PC Access type machine catalog.
Linux VDA considerations
These considerations are specific to the Linux VDA:
- Use the Linux VDA on physical machines only in non-3D mode. Due to limitations on NVIDIA’s driver, the local screen of the PC cannot be blacked out and displays the activities of the session when HDX 3D mode is enabled. Showing this screen is a security risk.
- Use machine catalogs of type single-session OS for physical Linux machines.
- The integrated Wake on LAN functionality is not available for Linux machines.
Technical requirements and considerations
This section contains the technical requirements and considerations for physical PCs.
- The following are not supported:
- KVM switches or other components that can disconnect a session.
- Hybrid PCs, including All-in-One and NVIDIA Optimus laptops and PCs.
- Connect the keyboard and mouse directly to the PC. Connecting to the monitor or other components that can be turned off or disconnected, can make these peripherals unavailable. If you must connect the input devices to components such as monitors, do not turn those components off.
- The PCs must be joined to an Active Directory Domain Services domain.
- Secure Boot is supported on Windows 10 only.
- The PC must have an active network connection. A wired connection is preferred for greater reliability and bandwidth.
- If using Wi-Fi, do the following:
- Set the power settings to leave the wireless adapter turned on.
- Configure the wireless adapter and network profile to allow automatic connection to the wireless network before the user logs on. Otherwise, the VDA does not register until the user logs on. The PC isn’t available for remote access until a user has logged on.
- Ensure that the Delivery Controllers or Cloud Connectors can be reached from the Wi-Fi network.
- You can use Remote PC Access on laptop computers. Ensure the laptop is connected to a power source instead of running on the battery. Configure the laptop power options to match the options of a desktop PC. For example:
- Disable the hibernate feature.
- Disable the sleep feature.
- Set the close lid action to Do Nothing.
- Set the “press the power button” action to Shut Down.
- Disable video card and NIC energy-saving features.
- Remote PC Access is supported on Surface Pro devices with Windows 10. Follow the same guidelines for laptops mentioned previously.
If using a docking station, you can undock and redock laptops. When you undock the laptop, the VDA reregisters with the Delivery Controllers or Cloud Connectors over Wi-Fi. However, when you redock the laptop, the VDA doesn’t switch to use the wired connection unless you disconnect the wireless adapter. Some devices provide built-in functionality to disconnect the wireless adapter upon establishing a wired connection. The other devices require custom solutions or third-party utilities to disconnect the wireless adapter. Review the Wi-Fi considerations mentioned previously.
Do the following to enable docking and undocking for Remote PC Access devices:
- In the Start menu, select Settings > System > Power & Sleep, and set Sleep to Never.
- Under the Device Manager > Network adapters > Ethernet adapter go to Power Management and clear Allow the computer to turn off this device to save power. Ensure that Allow this device to wake the computer is checked.
- Multiple users with access to the same office PC see the same icon in Citrix Workspace. When a user logs on to Citrix Workspace, that resource appears as unavailable if already in use by another user.
- Install the Citrix Workspace app on each client device (for example, a home PC) that accesses the office PC.
This section contains an overview of how to configure Remote PC Access when using the Remote PC Access type machine catalog. For information on how to create other types of machine catalogs, see the Create machine catalogs.
On-premises site only - To use the integrated Wake on LAN feature, configure the pre-requites outlined in Wake on LAN.
If a new Citrix Virtual Apps and Desktops site was created for Remote PC Access:
- Select the Remote PC Access Site type.
- On the Power Management page, choose to enable or disable power management for the default Remote PC Access machine catalog. You can change this setting later by editing the machine catalog properties. For details on configuring Wake on LAN, see Wake on LAN.
- Complete the information on the Users and Machine Accounts pages.
Completing these steps creates a machine catalog named Remote PC Access Machines and a Delivery Group named Remote PC Access Desktops.
If adding to an existing Citrix Virtual Apps and Desktops site:
- Create a machine catalog of type Remote PC Access (Operating System page of the wizard). For details on how to create a machine catalog, see Create machine catalogs. Make sure to assign the correct OU so that the target PCs are made available for use with Remote PC Access.
- Create a Delivery Group to provide users access to the PCs in the machine catalog. For details on how to create a Delivery Group, see Create Delivery Groups. Make sure to assign the Delivery Group to an Active Directory group that contains the users that require access to their PCs.
Deploy the VDA to the office PCs.
- We recommend using the single-session OS core VDA installer (VDAWorkstationCoreSetup.exe).
- You can also use the single-session full VDA installer (VDAWorkstationSetup.exe) with the
/remotepcoption, which achieves the same outcome as using the core VDA installer.
- Consider enabling Windows Remote Assistance to allow help desk teams to provide remote support through Citrix Director. To do so, use the
/enable_remote_assistanceoption. For details, see Install using the command line.
- To be able to see logon duration information in Director, you must use the single-session full VDA installer and include the Citrix User Profile Manager WMI Plugin component. Include this component by using the
/includeadditionaloption. For details, see Install using the command line.
- For information about deploying the VDA using SCCM, see Install VDAs using SCCM.
- For information about deploying the VDA through deployment scripts, see Install VDAs using scripts.
After you successfully complete steps 2–4, users are automatically assigned to their own machines when they log in locally on the PCs.
Instruct users to download and install Citrix Workspace app on each client device that they use to access the office PC remotely. Citrix Workspace app is available from
https://www.citrix.com/downloads/or the application stores for supported mobile devices.
Features managed through the registry
Caution: Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
Disable multiple user auto-assignments
On each Delivery Controller, add the following registry setting:
- Name: AllowMultipleRemotePCAssignments
- Type: DWORD
- Data: 0
Sleep mode (minimum version 7.16)
To allow a Remote PC Access machine to go into a sleep state, add this registry setting on the VDA, and then restart the machine. After the restart, the operating system power saving settings are respected. The machine goes into sleep mode after the preconfigured idle timer passes. After the machine wakes up, it reregisters with the Delivery Controller.
- Name: DisableRemotePCSleepPreventer
- Type: DWORD
- Data: 1
By default, a remote user’s session is automatically disconnected when a local user initiates a session on that machine (by pressing CTRL+ATL+DEL). To prevent this automatic action, add the following registry entry on the office PC, and then restart the machine.
- Name: SasNotification
- Type: DWORD
- Data: 1
By default, the remote user has preference over the local user when the connection message is not acknowledged within the timeout period. To configure the behavior, use this setting:
- Name: RpcaMode
- Type: DWORD
- 1 - The remote user always has preference if he or she does not respond to the messaging UI in the specified timeout period. This behavior is the default if this setting is not configured.
- 2 - The local user has preference.
The timeout for enforcing the Remote PC Access mode is 30 seconds by default. You can configure this timeout but do not set it lower than 30 seconds. To configure the timeout, use this registry setting:
- Name: RpcaTimeout
- Type: DWORD
- Data: number of seconds for timeout in decimal values
When a user wants to forcibly get the console access: The local user can press Ctrl+Alt+Del twice in a gap of 10 seconds to get local control over a remote session and force a disconnect event.
After the registry change and machine restart, if a local user presses Ctrl+Alt+Del to log on to that PC while it is in use by a remote user, the remote user receives a prompt. The prompt asks whether to allow or deny the local user’s connection. Allowing the connection disconnects the remote user’s session.
Wake on LAN
Integrated Wake on LAN is available only in on-premises Citrix Virtual Apps and Desktops and requires Microsoft System Center Configuration Manager (SCCM).
Remote PC Access supports Wake on LAN, which gives users the ability to turn on physical PCs remotely. This feature enables users to keep their office PCs turned off when not in use, saving energy costs. It also enables remote access when a machine has been turned off inadvertently. For example, because of a power outage.
The Remote PC Access Wake on LAN feature is supported with PCs that have the Wake on LAN option enabled in the BIOS/UEFI.
SCCM and Remote PC Access Wake on LAN
To configure the Remote PC Access Wake on LAN feature, complete the following before deploying the VDA.
- Configure SCCM 2012 R2, 2016, or 2019 within the organization. Then deploy the SCCM client to all Remote PC Access machines, allowing time for the scheduled SCCM inventory cycle to run (or force one manually, if necessary).
- For SCCM Wake Proxy or magic packet support:
- Configure Wake on LAN in each PC’s BIOS/UEFI settings.
- For Wake Proxy support, enable the option in SCCM. For each subnet in the organization that contains PCs that use the Remote PC Access Wake on LAN feature, ensure that three or more machines can serve as sentinel machines.
- For magic packet support, configure network routers and firewalls to allow magic packets to be sent, using either a subnet-directed broadcast or unicast.
After you install the VDA on office PCs, enable or disable power management when you create the connection and the machine catalog.
- If you enable power management in the catalog, specify connection details: the SCCM address, access credentials, and connection name. The access credentials must have access to collections in the scope and the Remote Tools Operator role.
- If you do not enable power management, you can add a power management (Configuration Manager) connection later and then edit a Remote PC Access machine catalog to enable power management.
You can edit a power management connection to configure advanced settings. You can enable:
- Wake-up proxy delivered by SCCM.
- Wake on LAN (magic) packets. If you enable Wake on LAN packets, you can select a Wake on LAN transmission method: subnet-directed broadcasts or Unicast.
The PC uses AMT power commands (if they are supported), plus any of the enabled advanced settings. If the PC does not use AMT power commands, it uses the advanced settings.
Monitor blanking not working
If the Windows PC’s local monitor is not blank while there is an active HDX session (the local monitor displays what’s happening in the session) it is likely due to issues with the GPU vendor’s driver. To resolve the issue, give the Citrix Indirect Display driver (IDD) higher priority than the graphic card’s vendor driver by setting the following registry value:
- Name: CitrixIDD
- Type: DWORD
- Data: 3
For more details about display adapter priorities and monitor creation, see the Knowledge Center article CTX237608.
Diagnostic information about Remote PC Access is written to the Windows Application Event log. Informational messages are not throttled. Error messages are throttled by discarding duplicate messages.
- 3300 (informational): Machine added to catalog
- 3301 (informational): Machine added to delivery group
- 3302 (informational): Machine assigned to user
- 3303 (error): Exception
If power management for Remote PC Access is enabled, subnet-directed broadcasts might fail to start machines that are on a different subnet from the Controller. If you need power management across subnets using subnet-directed broadcasts, and AMT support is not available, try the Wake-up proxy or Unicast method. Ensure those settings are enabled in the advanced properties for the power management connection.
The following are other resources for Remote PC Access:
- Solution design guidance: Remote PC Access Design Decisions.
- Examples of Remote PC Access architectures: Reference Architecture for Citrix Remote PC Access Solution.