Citrix Workspace app Desktop Lock
You can use the Citrix Workspace app Desktop Lock when you do not need to interact with the local desktop. You can use the Desktop Viewer (if enabled), however it has only the following set of options on the toolbar:
Citrix Workspace app for Windows with Desktop Lock works on domain-joined machines that are single sign-on enabled and store configured. It doesn’t support PNA sites. Previous versions of Desktop Lock aren’t supported when you upgrade to Citrix Receiver for Windows 4.2 or later.
When using Citrix Workspace app for Windows with Desktop Lock, a user is signed in to the first desktop that is alphabetically sorted with the name of all the desktops that are available to the user. Currently, there is no option to selectively choose which desktop the user must sign in. Also, this feature supports only desktops and doesn’t support apps.
Install Citrix Workspace app for Windows with the
/includeSSON flag. Configure the store and single sign-on, either using the adm/admx file or command line option. For more information, see Install.
Then, install the Citrix Workspace app Desktop Lock as an administrator using the
CitrixWorkspaceDesktopLock.msi available in the Citrix Downloads page.
- Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package. For more information, see the Microsoft Download page.
- Supported on Windows 10 (Anniversary update included), and Windows 11.
- Connects to StoreFront through native protocols only.
- Domain-joined end points.
- User devices must be connected to a LAN or WAN.
Local App Access
Enabling Local App Access might allow local desktop access unless a full lockdown has been applied with the Group Policy Object template or a similar policy. For more information, see the Configure Local App Access and URL redirection section in the Citrix Virtual Apps and Desktops documentation.
Working with Citrix Workspace app Desktop Lock
- You can use Citrix Workspace app Desktop Lock with the following Citrix Workspace app features:
- 3Dpro, Flash, USB, HDX Insight, Microsoft Lync 2013 plug-in, and Local App Access
- Domain, two-factor authentication, or smart card authentication only
- Disconnecting the Citrix Workspace app Desktop Lock session logs out the end device.
- Flash redirection is disabled on Windows 8 and later versions. Flash redirection is enabled on Windows 7.
- The Desktop Viewer is optimized for Citrix Workspace app Desktop Lock with no Home, Restore, Maximize, and Display properties.
- Ctrl+Alt+Del is available on the Desktop Viewer toolbar.
- Most windows shortcut keys are passed to the remote session, except for Windows+L.
- Ctrl+F1 triggers Ctrl+Alt+Del when you disable the connection or Desktop Viewer for desktop connections.
- A local user profile is created at the end device when the user logs in to the system. The profile is retained at the end device even when the user logs out and based on the profile management configurations.
With the Desktop Lock installed, and
LiveInDesktopDisconnectOnLockset to False in the registry path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle, the active session gets disconnected when the end-point wakes up from hibernation or standby mode.
Install Citrix Workspace app Desktop Lock
This procedure installs Citrix Workspace app for Window so that virtual desktops appear using Citrix Workspace app Desktop Lock. For deployments that use smart cards, see Smart card.
Log on using a local administrator account.
At a command prompt, run the following command:
CitrixWorkspaceApp.exe /includeSSON STORE0="DesktopStore;https://my.storefront.server/Citrix/MyStore/discovery;on;Desktop Store" <!--NeedCopy-->
The command is available in the Citrix Workspace app and Plug-ins > Windows > Citrix Workspace app folder on the installation media. For command details, see the Citrix Workspace app install documentation at Install.
In the same folder on the installation media, double-click
CitrixWorkspaceDesktopLock.msi. The Desktop Lock wizard appears. Follow the prompts.
When the installation completes, restart the user device. If you have permission to access a desktop and you log on as a domain user, the device appears using Citrix Workspace app Desktop Lock.
You can allow administration of the user device after installation, the account used to install
CitrixWorkspaceDesktopLock.msi is excluded from the replacement shell. If that account is later deleted, you can’t log on and administer the device.
To run a silent install of Citrix Workspace Desktop Lock, use the following command line:
msiexec /i CitrixWorkspaceDesktopLock.msi /qn
Configure Citrix Workspace app Desktop Lock
When you’ve logged in as a non-administrator, Desktop Lock automatically launches an assigned desktop session.
Using Active Directory policies prevent users from hibernating virtual desktops.
Use the same administrator account to configure Citrix Workspace app Desktop Lock as you did to install it.
- Check if the receiver.admx (or receiver.adml) and receiver_usb.admx (.adml) files are loaded into Group Policy (where the policies appear in Computer Configuration or User Configuration > Administrative Templates > Classic Administrative Templates (ADMX) > Citrix Components). The .admx files are in %Program Files%\Citrix\ICA Client\Configuration\.
- USB preferences - When a user plugs in a USB device, that device is automatically remoted to the virtual desktop and no user interaction is required. The virtual desktop controls the USB device and displaying it in the user interface.
- Enable the USB policy rule.
- In Citrix Workspace app > Remoting client devices > Generic USB Remoting, enable and configure the Existing USB Devices and New USB Devices policies.
- Drive mapping - In Citrix Workspace app > Remoting client devices, enable, and configure the Client drive mapping policy.
- Microphone - In Citrix Workspace app > Remoting client devices, enable, and configure the Client microphone policy.
Configure smart cards for use with Windows Desktop Lock
- Configure StoreFront.
- Configure the XML Service to use DNS Address Resolution for Kerberos support.
- Configure StoreFront sites for HTTPS access, create a server certificate signed by your domain certificate authority, and add HTTPS binding to the default website.
- Make sure that pass-through authentication with the smart card is enabled (enabled by default).
- Enable Kerberos.
- Enable Kerberos and pass-through authentication with smart card.
- Enable Anonymous access on the IIS Default website and use Integrated Windows Authentication.
- Ensure that the IIS Default website doesn’t require SSL and ignores client certificates.
- Use the Group Policy Management Console to configure Local Computer Policies on the user device.
- Import the Receiver.admx template from %Program Files%\Citrix\ICA Client\Configuration\.
- Expand Administrative Templates > Classic Administrative Templates (ADMX) > Citrix Components > Citrix Workspace > User authentication.
- Enable Smart card authentication.
- Enable Local user name and password.
- Configure the user device before installing Citrix Workspace app Desktop Lock.
- Add the URL for the Delivery Controller to the Windows Internet Explorer Trusted Sites list.
- Add the URL for the first Delivery Group to the Internet Explorer Trusted Sites list. Add the URL in the form desktop://delivery-group-name.
- Enable Internet Explorer to use automatic logon for Trusted Sites.
When Citrix Workspace app Desktop Lock is installed on the user device, it enforces a consistent smart card removal policy. For example, if the Windows smart card removal policy is set to Force logoff for the desktop, the user must log off from the user device, regardless of the Windows smart card removal policy set on it. Desktop Lock ensures that the user device isn’t left in an inconsistent state. This applies only to user devices with the Citrix Workspace app Desktop Lock.
Remove Desktop Lock
Be sure to remove both of the components listed as follows:
- Log on with the same local administrator account that was used to install and configure Citrix Workspace app Desktop Lock.
- From the Windows feature for removing or changing programs:
- Remove Citrix Workspace app Desktop Lock.
- Remove Citrix Workspace app for Windows.
Passing Windows shortcut keys to the remote session
Most windows shortcut keys are passed to the remote session. This section highlights some of the common ones.
- Win+D - Minimize all windows on the desktop.
- Alt+Tab - Change active window.
- Ctrl+Alt+Delete - via Ctrl+F1 and the Desktop Viewer toolbar.
- Windows+All Character keys
- Win+C - Open charms.
- Win+Q - Search charm.
- Win+H - Share charm.
- Win+K - Devices charm.
- Win+I - Settings charm.
- Win+Q - Search apps.
- Win+W - Search settings.
- Win+F - Search files.
Windows 8 apps
- Win+Z - Get to app options.
- Win+. - Snap app to the left.
- Win+Shift+. - Snap app to the right.
- Ctrl+Tab - Cycle through app history.
- Alt+F4 - Close an app.
- Win+D - Open desktop.
- Win+, - Peek at desktop.
- Win+B - Back to desktop.
- Win+U - Open Ease of Access Center.
- Ctrl+Esc - Start screen.
- Win+Enter - Open Windows Narrator.
- Win+X - Open the system utility settings menu.
- Win+PrintScrn - Take a screenshot and save to pictures.
- Win+Tab - Open switch list.
- Win+T - Preview open windows in taskbar.
In this article
- System requirements
- Local App Access
- Working with Citrix Workspace app Desktop Lock
- Install Citrix Workspace app Desktop Lock
- Configure Citrix Workspace app Desktop Lock
- Configure smart cards for use with Windows Desktop Lock
- Remove Desktop Lock
- Passing Windows shortcut keys to the remote session
- Windows 8
- Windows 8 apps