Update of the existing article to the latest requirements and features.

Microsoft Teams

User Based Microsoft Teams

The standard installation that the user can perform, e.g. via the Microsoft365 Apps portal, is a user-based installation. In the Citrix environment, this is only recommended for desktop operating systems (pooled or personal desktop).

A User-Based Installation can be detected very quickly in the User Profile, because data are then located under AppData\Local\Microsoft\Teams.

This type of installation in a worker with server operating system has many cons:

• No control over the installed version
• Several different versions possible installed on the same worker
• Complete data (~1 GB) are in the user profile

To correct this and clean up the user profile the following script can be used.

UserBased CleanUp

The script must be executed in the user context. Either via GPO logon script or WEM External Task.

To prevent such an installation directly, the path AppData\Local\Microsoft\Teams can simply be blocked via FSLogix AppMasking, or another tool.

Example files for disabling via FSLogix AppMasking Rules:

Download FSLogix AppMasking Rules

Installation Machine Based

To make Teams work properly in server operating systems (multi-user capable), the Machine Based Installer must be used.

In this case, the part of the data that is stored normally in the path AppData\Local\Microsoft\Teams during the User Based Installation is stored in the folder C:\Program Files (x86)\Microsoft\Teams.

This has the consequence that Teams is no longer updated automatically. As soon as a new version is available, this must be installed manually or script-based. Therefore, you have control over which version of Teams is made available in the Worker.

This mode is recommended for non-persistent environments.

• First of all download the current MSI package for the Machine-Based Install

Latest Teams MSI version (At the moment 1.4.00.32771)

32 bit

64 bit

Important!
If there is still a Teams installation on the system, it must be uninstalled prior to this.

• Start an Administrative CMD
• The installation is performed with the following command

Example:

The ALLUSER=1 parameter installs Teams (Machine-Based) to the Program Files (x86) folder on a 64-bit operating system and to the Program Files folder on a 32-bit operating system.

But even with the parameter, the Teams MSI still does not use Windows Installer for installing all files. Instead, Microsoft created additional custom actions in the MSI that unpack all the files from Teams.exe to the Program Files (x86) folder.

If the ALLUSERS=1 parameter is set, Teams Machine-Wide Installer will appear under Programs and Features in Control Panel and under Apps and Features in Windows Settings for all users of the computer. All users can then uninstall Teams if they have admin credentials.

We can perform the complete installation (with the correct parameters), of course, script controlled.

With my following Evergreen Script, it can be checked at every opening of the Golden Master, if there is a new version and it can be installed afterwards.

Evergreen Script – Update your Software, the lazy way

Installation with AppLayering

If Citrix AppLayering is used or Citrix VDA Agent is not yet installed on the worker, the following error message is displayed during manual installation.

To solve this, a new key named PortICA must be provided to the registry under the following path before teams can be installed with the machine based parameter ALLUSER = 1.

Or

This should also be considered when you need to package Teams Machine-Based!

Uninstall Machine Based

To upgrade to the latest Teams version, the current version must first be uninstalled.

There are two ways to do this:

• Via the installer
  • Right-click on the installer and press Uninstall

• Command line
  • This command uninstalls Teams from the Program Files (x86) folder or from the Program Files folder.

Example:

This is how it should look right afterwards under Apps and Features.

If it appears like this, you have installed a user-based install of Microsoft Teams. This should never be visible on a machine where you want to install Microsoft Teams Machine-Wide !

I also created CleanUp scripts for the different installation methods.

UserBased CleanUp

MachineBased CleanUp

Antivirus exclusions

The following processes should be excluded from access scanning:

• %ProgramFiles (x86)%\Microsoft\Teams\current\teams.exe
• %ProgramFiles (x86)%\Microsoft\Teams\current\squirrel.exe
• %ProgramFiles (x86)%\Microsoft\Teams\update.exe

Profile Management recommendations

Inclusions

The Teams directory must be included in the existing profiles solution (UPM, Roaming Profile, etc.).

• Roaming\Microsoft\Teams

Exclusions

Following directories and file types should still be excluded from the profile. Excluding these items helps to reduce the size of the user profile.

• Roaming\Microsoft\Teams\*.txt
• Roaming\Microsoft\Teams\media-stack
• Roaming\Microsoft\Teams\Service Worker\CacheStorage
• Roaming\Microsoft\Teams\Application Cache
• Roaming\Microsoft\Teams\Cache
• Roaming\Microsoft\Teams\GPUCache
• Roaming\Microsoft\Teams\Logs
• Roaming\Microsoft\Teams\meeting-addin\Cache

Better Profiles solution for Microsoft Teams

The better profile solution in combination with Microsoft Teams is FSLogix. With it, existing profile solutions (UPM, Roaming Profile etc.) can be extended via FSLogix Office Container or completely replaced with FSLogix Profile Container. More information about the FSLogix Profile solution can be found in the following article.

FSLogix Container (Office/Profile) in Citrix Environments

Configuration

GPOs

The default behavior of the Teams installation is that Teams starts automatically when a user logs in. If this is not desired, it must be defined using Group Policy.

Important!
With the current version of Teams, this intervention via GPO only works the first time Microsoft Teams is started per user. Once the user has started Microsoft Teams, Teams is automatically started again each time the session is started.

• Downoad the ADMX files for Microsoft 365 Apps

• Copy the extracted files to your Policy Central Store and create a GPO to edit the autostart behavior of Teams (Prevent Microsoft Teams from starting automatically after installation under User Configuration\Policies\Administrative Templates\Microsoft Teams).

If a GPO cannot be used for this, the following registry key must be defined.

The key type for PreventFirstLaunchAfterInstall is REG_DWORD and the value should be set to 1. This means that Teams will not be launched automatically after installation.

If Teams has already been rolled out and only the above policy is activated afterwards, two scripts for resetting the autostart flag still need to be executed in the user and machine context.

Script for machine context– This must be run in an Administrative PowerShell once per machine (or Golden Master).

Script for user context – This only needs to be run once for the user, after the machine context script has been run.

desktop-config.json

The following script can be used to define the settings from the desktop-config.json file per user if they have already opened teams.

Script desktop-config.json

The following settings can be defined here:

• Auto-start application (openAtLogin)
• Open application in background (openAsHidden)
• On close, keep the application running (runningOnClose)
• Disable GPU hardware acceleration (disableGpu)
• Register Teams as the chat app for Office (registerAsIMProvider)

Important!
You can edit this only with the script, if teams was started initially once. Only then the desktop-config.json file is available in its final version in the profile.

If the settings should be stored before the first start, a pre-configured file must be created and stored in the default profile (C:\users\default\AppData\Roaming\Microsoft\Teams) or created via GPP Rule during profile creation.

For this purpose, a desktop-config.json file should be created with the required settings.

Deposit in the default path on the worker.

Or setup via Group Policy Preferences.

Important!
The following settings should always be configured for better performance.

Disable GPU hardware acceleration should be enabled if no vGPU solution (nvidia, etc.) is used on the worker, because Teams then require fewer resources.

Register teams as the chat app for Office should be disabled for the same reason.

If you are fast enough, you can see the newly created file in the fresh new profile.

And when Teams starts up for the first time, the desired settings are also set directly.

Registry

Disable Autostart

To permanently disable Autostart in Microsoft Teams, the following registry key should be deleted.

Microsoft Teams invitation links without prompt

So that Teams initial always starts the invitation links directly without prompt, you can set the following registry entries via GPP or WEM Registry Entry.

Enable optimization of Microsoft Teams

Software Requirements

• Microsoft Teams version 1.2.00.31357 or higher
• CVAD Delivery Controller & VDA version 1906.2 or higher
• Windows 10 64-bit version 1607 or higher / Windows Server 2019 / Windows Server 2016 / Windows Server 2012 R2
• Installed Browser Content Redirection (BCR_x64.msi)
• Citrix Workspace app for Windows 1909 or newer / Citrix Workspace app for MAC 2009 or newer / Citrix Workspace app for Linux 2010 or newer
• Citrix Policy Setting
  • Microsoft Teams redirection Allowed

Network Requirements

Important key points regarding the network would be:

Metric	Endpoint to Microsoft 365
Latency (one way)	< 50 msec
Latency (RTT)	< 100 msec
Packet Loss	< 1% during any 15 s interval
Packet inter-arrival jitter	< 30 ms during any 15 s interval

Type	Bandwidth	Codec
Audio (each way)	~ 90 kbps	G.722
Audio (each way)	~ 60 kbps	Opus
Video (each way)	~ 700 kbps	H264 360p @ 30 fps 16:9
Screen sharing	~ 300 kbps	H264 1080p @ 15 fps

Destination Port	Description
UDP 49152 – 65535 (High Ports)	Optimized Traffic (P2P Connections)
UDP 3478	Transport Relay MUX
UDP 3479	Audio
UDP 3480	Video
UDP 3481	Screen Sharing
TCP / TLS 443	Fallback

Destination IP
13.107.64.0 / 18
52.112.0.0 / 14
52.120.0.0 / 14

Enable optimization

To enable optimization for Microsoft Teams, use the Studio policy Microsoft Teams redirection (Enabled by default). In addition to enabling this policy, HDX checks whether the Citrix Workspace app version is equal to or greater than the minimum required version. If you have enabled the policy and the Citrix Workspace app version is supported, the registry key MSTeamsRedirSupport on the VDA is automatically set to 1. The Microsoft Teams application reads the key to load in VDI mode.

This can also be activated manually via registry key on the worker. This may be necessary when using newer VDA versions in conjunction with older controller versions (e.g. version 7.15).

Via Settings > Info > Version it is possible to check what the status of the optimization is at the moment.

If Citrix HDX Optimized is displayed, the session is optimized. If this is not the case, Citrix HDX Not Connected is displayed.

On the client you can check this via the Task Manager. The process HdxRtcEngine.exe should be running locally.

The worker should be running the WebSocketAgent.exe process, if so, the Microsoft Teams session is optimized.

Traffic flow

Here you can see the basic flow of an optimized Microsoft Teams session.

• Launch of Microsoft Teams by the user.
• Teams authenticates to Microsoft Azure and the tenant policies are pushed down to the client.
• Relevant TURN and signaling channel information is relayed to the app.
• Teams detects that it is running in a VDA and makes API calls to the Citrix JavaScript API.
• Citrix JavaScript in Teams opens a secure WebSocket connection to WebSocketService.exe running on the VDA (127.0.0.1:9002), which spawns WebSocketAgent.exe inside the user session.
• WebSocketAgent.exe instantiates a generic virtual channel by calling into the Citrix HDX Teams Redirection Service (CtxSvcHost.exe).
• Citrix Workspace app’s wfica32.exe (HDX engine) spawns a new process called HdxTeams.exe, which is the new WebRTC engine used for Teams optimization.
• HdxTeams.exe and Teams.exe have a 2-way virtual channel path and can start processing multimedia requests.
• User 1 clicks the call button. Teams.exe communicates with the Teams services in Microsoft Azure establishing an end-to-end signaling path with User 2.
• Teams on the VDA asks HdxTeams (on the client) for a series of supported call parameters (codecs, resolutions, etc.), which is known as a Session Description Protocol (SDP) offer.
• These call parameters are then relayed using the signaling path to the Teams services in Microsoft Azure and from there to the other User.
• The SDP offer / answer (single-pass negotiation) takes place through the signaling channel.
• The ICE connectivity checks (NAT and Firewall traversal using Session Traversal Utilities for NAT (STUN) bind requests) complete.
• Then, Secure Real-time Transport Protocol (SRTP) media flows directly between HdxTeams.exe and the other User or Microsoft Azure conference servers if it is a meeting.

Installing Microsoft 365 Apps without Teams (User-Based)

In order not to install Teams (User-Based Install) with the Microsoft 365 Apps installation, the existing Configuration.xml must be extended by the following:

The Configuration.xml should then look like this.

Known limitations

Citrix limitations

Limitations on Citrix Workspace app:

• DTMF tones are not supported
• HID buttons – Answer and end call are not supported
• When doing screen sharing in multi-monitor setups, only the main monitor is shared
• Support of only one video stream from an incoming camera or screen share stream. When there’s an incoming screen share, that screen share is shown it instead of the video of the dominant speaker.
• Secondary ringer (Teams > Settings > Devices) is not supported
• QoS settings in Admin Center for Microsoft Teams do not apply for VDI users
• App protection add-on feature for the Citrix Workspace app prevents outgoing screen sharing
• The zoom in and zoom out function in Teams is not supported

Limitation on the VDA:

• When you configure the Citrix Workspace app High DPI setting to Yes or to No, use the native resolution, the redirected video window appears out of place when the monitor’s DPI scaling factor is set to anything above 100%.

Limitations on Citrix Workspace app and the VDA:

• Outgoing screen sharing: Application sharing is not supported
• You can only control the volume of an optimized call using the volume bar on the client machine – not on the VDA

Microsoft limitations

• The options to blur or customize the background aren’t supported
• A 3×3 gallery view is not supported
• Interoperability with Skype for Business is limited to audio calls, no video modality
• Incoming and outgoing video stream maximum resolution is 720p
• PSTN call ringback tone is not supported
• Media bypass for Direct Routing is not supported

Citrix and Microsoft limitations

• When doing screen sharing, the option include system audio is not available
• Pop out chat is not supported
• Breakout rooms are supported for VDI participants. Teams doesn’t support breakout rooms if the organizer is a VDI user.
• Give control and take control: Not supported during a desktop screen sharing or application sharing session. Supported only during a PowerPoint sharing session.
• E911 and Location-Based Routing are not supported

OneDrive for Business

User Based OneDrive for Business

The standard installation that the user can perform via the Microsoft 365 portal is a user-based installation of OneDrive. This is only recommended in the Citrix environment for desktop operating systems (Pooled or Personal Desktop).

A user-based installation can be detected very quickly in the User Profile, as data is then located under AppData\Local\Microsoft\OneDrive.

If the User-Based Install is used, it loads the profile with >500MB of data.

This type of installation in a worker with server operating system has other disadvantages:

• No control over the installed version
• Several different versions possible on the same worker

Installation Machine Based

In order for OneDrive to work in server operating systems (multi-user capable), the Machine Based Installer must be used. In this case, part of the data is stored in the folder C:\Program Files\Microsoft OneDrive. This mode is recommended for non-persistent environments.

• First download the Installer

• Start an Administrative CMD
• The installation is performed with the following command

Example:

We can perform the complete installation (with the correct parameters), of course, script operated.

With my following Evergreen Script, it can be checked at every opening of the Golden Master, if there is a new version and it can be installed afterwards.

Evergreen Script – Update your Software, the lazy way

Antivirus exclusions

The following processes should be excluded from access scanning:

• %ProgramFiles%\Microsoft OneDrive\OneDrive.exe

Profile Management recommendations

Inclusion

The OneDrive installation directory must be included in the existing profiles solution.

• Local\Microsoft\OneDrive

Better Profiles solution for OneDrive for Business

The better profile solution in combination with Microsoft OneDrive for Business is FSLogix, because here not only the installation files, but also the user data are persistently stored without extended login times.

This can be used to extend existing profile solutions (UPM, Roaming Profile, etc.) via FSLogix Office Container or to replace them completely with FSLogix Profile Container. More information about the FSLogix Profile solution can be found in the following article.

FSLogix Container (Office/Profile) in Citrix Environments

Configuration

The default behavior of the OneDrive installation is to allow the user to synchronize the entire OneDrive account to the local machine (up to 1 TB). Since this may not be desired, this (Set the maximum size of a user’s OneDrive that can download automatically) and other settings must be defined using Group Policy.

These and other settings are only possible under Windows Server 2019 and Windows 10 (version 1709 or newer), as Files On Demand is only available then. With older operating systems, the complete OneDrive data is always downloaded.

• Connect to a Worker on which the OneDrive for Business client is now installed
• In the directory %ProgramFiles%\Microsoft OneDrive\<BuildNumber>\adm, go to the subdirectory of the language you need. (You can find the BuildNumber in the About tab of the client).
• Copy the ADML file located there and the ADMX file from the adm folder to your GPO Central Store

Computer GPO

Create a GPO to edit the OneDrive configuration in the computer path (Computer Configuration\Policies\Administrative Templates\OneDrive).

• Use OneDrive Files On-Demand

One of the most important settings for systems using Windows Server 2019 or higher. When this setting is enabled, Files On-Demand is enabled by default and this means that the entire OneDrive folder is not downloaded, but they are only present as a link in the folder and therefore do not consume space locally.

A blue cloud icon next to a OneDrive file or folder indicates that the file is only available online. Online-only files don’t take up space on your computer and the file doesn’t download to your device until you open it. You can’t open online-only files when your device isn’t connected to the Internet.

When you open an online-only file, it downloads to your device and becomes a locally available file. You can open a locally available file anytime, even without Internet access. If you need more space, you can change the file back to online only. Just right-click the file and select “Free up space.”

With Storage Sense turned on, these files will become online-only files after the time period you’ve selected.

Only files that you mark as “Always keep on this device” have the green circle with the white check mark. These always available files download to your device and take up space, but they’re always there for you even when you’re offline.

• Silently sign in users to the OneDrive sync app with their Windows credentials

If this setting is enabled, users will be logged in with the Windows account that is logged in on the machine, as far as it is known in Azure AD. The users will still be shown OneDrive Setup so that the folders to be synchronized and the location of the OneDrive folder can be selected.

• Set the maximum size of a user’s OneDrive that can download automatically

This setting defines how OneDrive accounts larger than the specified threshold (in MB) are handled. For these, the user is prompted to select the folders to sync before the Sync Client downloads the files. In the GPO setting, the Tenant ID and the Maximum size in MB must be defined.

• Allow syncing OneDrive accounts for only specific organizations

The setting “Allow syncing OneDrive accounts for only specific organizations” prevents a proliferation of connections to non-company OneDrive instances (private or from other companies) by specifying a list of allowed tenant IDs. If users now try to log in to a non-allowed tenant ID, they will receive an error message. If users are already logged in to other tenant IDs, they will not be synchronized further!

This setting has a higher prioritization than the “Block syncing OneDrive accounts for specific organizations” setting, which can be used to block specific tenant IDs.

• Block file downloads when users are low on disk space

This setting can be used to prevent users from paralyzing the system through the OneDrive sync. The minimum memory size is defined, from which the OneDrive client stops the synchronization. The user then gets a window with options to free up memory.

• Limit the sync app upload rate to a percentage of throughput

“Limit the sync app upload rate to a percentage of throughput” defines the maximum bandwidth of the synchronization (upload). A maximum percentage of the total bandwidth of the computer is defined for this. The lower the percentage, the slower files are uploaded. Microsoft recommends a value of 50% or higher. Despite limiting the bandwidth via this setting, the app will synchronize files periodically without limit for 1 minute. This ensures that small files are uploaded quickly despite the limitation. This setting should be defined for low bandwidths.

If this setting is “Disable” or “Not Configure”, the user can control the limitation directly through the OneDrive client (in KB/second) or configure it to “Adjust automatically” (defines upload to 70% of bandwidth)

• Exclude specific kinds of files from being uploaded

This setting can be used to define that files with the file names or file extensions specified here are not uploaded. Normally I recommend the following settings:

*.pst
*.iso
*.mkv
*.avi

The files remain locally in the OneDrive folder, but are simply not uploaded to the cloud!

• Prompt users to move Windows known folders to OneDrive

The setting “Prompt users to move Windows known folders to OneDrive” can be used to define whether the following window appears.

This defines that the folders Documents, Pictures and Desktop are synchronized to OneDrive. This option is only available from client version 18.111.0603.0004.

• Always use the user’s Windows display language when provisioning known folders in OneDrive

This setting is important for multi-language environments. Should the Known Folders be copied to the cloud in the language selected by the user or in the primary language of the operating system (Example: English Documents or German Dokumente).

• Require users to confirm large delete operations

The user is prompted if he marks many files for deletion at the same time. If the user does not confirm this query within 7 days, the files will not be deleted.

User GPO

Create another GPO, or extends the existing one with the OneDrive configuration in the user path (User Configuration\Policies\Administrative Templates\OneDrive)

• Prevent users from changing the locations of their OneDrive folder

Here you should define that the user is not allowed to choose where his OneDrive folder is stored. However, it is not enough to activate the setting. Under Change location setting the Tenant ID must be specified and in the Value Field the setting must be activated by entering a 1.

• Disable animation that appears during OneDrive Setup

This should be enabled so that the animations do not appear in the OneDrive setup.

• Disable the tutorial that appears at the end of OneDrive Setup

This should be enabled so that the tutorial does not appear at the end of the OneDrive setup.

Installing Microsoft 365 Apps without OneDrive (User-Based)

In order not to install OneDrive (User-Based Install) with the Microsoft 365 Apps installation, the existing Configuration.xml must be extended by the following:

The Configuration.xml should then look like this.

OneDrive for Business as a Published App

When OneDrive for Business is opened during a Citrix Published App session, it ensures that there is no logoff. Adding the binary name of the OneDrive exe file to the LogoffCheckSysModules registry key does nothing.

Solution

Perform the following steps:

• Start Regedit
• Go to the registry directory and create a new entry

Important Folder Backup in OneDrive

If you want to use the OneDrive for Business feature “Important Folder Backup” with Folder Redirection enabled, you cannot enable it because it cannot synchronize the data.

---

Solution

Perform the following steps:

• Activate the feature manually or via GPO
• Run the script linked below and use it to copy the Desktop and Documents folders to your OneDrive

Script to copy data