Friday, April 26, 2013

Blocking security banner for Citrix XenApp Servers

A common problem that many Citrix administrators come across is when an Active Directory GPO is configured to present a security banner to users who log onto domain joined servers or workstations.  The problem this poses is that applications published on Citrix XenApp servers will present a window with this security warning to users and will require them to interactively acknowledge the message by clicking on the OK button before the application begins to launch:


One of the ways around this is to block the policy all together by using the Block Inheritance option for an OU where the Citrix XenApp servers are placed but if doing so means having to reapply various policies that are inherited, creating a new GPO to disable the security banner may be more desirable.  As simple this task may seem, I’ve been asked quite a few times on how to do this so the following outlines the steps required.

Begin by either creating a new policy or editing an existing one is applied to the XenApp server computer objects.  Edit the policy and navigate to:

Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Local Policies –> Security Options.  The 2 settings we’re interested in are:

  • Interactive logon: Message text for users attempting to log on
  • Interactive logon: Message title for users attempting to log on


The question I often get asked is how can I disable this policy if the only option is to select Define this policy setting in the template:

clip_image001[4] clip_image001[6]

Looking at the policy settings would lead many to believe that by enabling the policy and not defining a message may present users with a blank window to confirm but this is actually not the case so proceed with enabling both settings but not enter any content:



Once this policy has been set and applied to the XenApp servers, proceed with executing gpupdate /force on the servers then try to launch an application again.


Unknown said...

Thank you for posting this trick. Helps a lot.

Unknown said...

I'm a bit confused as to why you think asking a user to click OK to acknowledge a security banner would be a problem?