With the launch of Citrix Receiver 4.2, Citrix has brought back their desktop to thin client converter “Desktop Lock”.

Citrix Desktop Lock was dropped from support back in Citrix Receiver 3.4 as it relied on the PNAgent functionality that was killed off in the last release of Receiver 3.4 Enterprise.

With Desktop Lock’s return, it now fully supports the latest and greatest Receiver versions and Citrix StoreFront communication.

Fellow CTP Andrew Morgan and I spent some time looking at Desktop Lock to write this article.  Below you’ll find a review of the product along with an installation guide on how to get Desktop Lock up and running.

How was Desktop Lock before this upgrade?

Before we look at the new version, lets look at why the previous Citrix Desktop Lock was a very fundamental solution with some gaps.

For example:

  • The machines you convert need to be on the corporate domain.
  • The user needed to sign in as themselves on the local end point.
  • There was no “choice in the matter”.  If you had more than one desktop available, Desktop Lock would just fire one desktop session alphabetically.
  • User profiles on the local machine quickly became an issue in a shared kiosk environment as they are not cleaned up.
  • No Hotkey pass through.  By default ctrl alt and del and [Win] + [L] lock the local workstation, not the remote workstation.
  • Local applications like flash/media player redirection may not work or local hardware may not work. (Desktop Lock does not run active setup, or the run keys which are needed by a number of applications).
  • If you are a local administrator, you cannot use the solution as Desktop Lock closes and logs in locally.

With the return of Desktop Lock, we were hoping some of these drawbacks would be resolved in the return.  Sadly, that’s not the case.  Unfortunately there are new ones we weren’t expecting to add to the list:

  • Citrix Desktop Lock does not allow for desktops in maintenance mode, it just hangs and eventually logs the user off again.
  • Citrix Desktop Lock will prompt users if it has a difficult time connecting to restart the machine.  But the restart button on the menu just restarts the local machine!

Desktop Lock for Receiver is simply an update to the previous version to add StoreFront support.  None of the previous gotcha’s seem to have been addressed.

In Review:

Desktop Lock is a clever utility in the tool belt for Citrix Deployments but has some limiting drawbacks.

If SSO isn’t an immediate requirement and if you are comfortable just publishing a browser, then consider the Desktop Appliance site from StoreFront (with some configuration):

  • Can deliver a better experience
  • Can offer desktop choices
  • Have no domain or SSO requirement
  • Has better handling of errors

Reviewing your options:

There are a number of free products for Windows like ThinKiosk available with greater functionality out of box than desktop lock but the customers use case will determine your course of action.

Installation Guide:

Installing Receiver and Desktop Lock

Citrix Desktop Lock requires a number of key installation settings in order to function correctly, below we’ve documented them step by step for ease of configuration.

Citrix receiver must be installed with the SSON functionality

When installation Citrix Receiver, specify the SSON and storefront details here to save some heartache: CitrixReceiver.exe /includeSSON /ENABLESSON=Yes /silent STORE0=”Store;https://storefront.domain.local/Citrix/Store/discovery;on;Store”

SSON must be enabled in Group Policy

Import the icaclient.adm file locally (or via gpo) in the Citrix ICA Client installation directory\configuration.

Browse to Administrative Templates > Citrix Components > Citrix Receiver > User authentication and Enable Local username and password as below:

If Trusted Sites, the Trusted Sites Zone must be configured to allow SSO pass through**
**Computer Policies > administrative templates > Internet Explorer > Internet Control Panel > Security Page > Trusted sites zone:

Enable Automatic logon with current username and password.

Storefront SSO

SSO must be configured in the StoreFront Receiver is connecting to. In the StoreFront, make sure your site is configured to allow SSO:

Testing it before installing Desktop lock

So there you have it, with a bit of know how and a pinch of luck, it’s time for testing.

Note: Test this as a user or users.  Ensure Receiver opens as the user when they log in without providing login details. If it works, you’re good to go.

Installing Desktop Lock

Installing Desktop Lock is a fairly trivial matter.  Just fire up the installer and next, next, finish. You’ll then be prompted to restart.

For reference, Desktop Lock works by taking control of the Shell key in HKLM\Software\Microsoft\Windows NT\Current Version\WinLogon.

Desktop Lock also uses ImageFileExecutionOptions to redirect all calls to task manager to Citrix’s own task manager.

Once finished, Desktop Lock should now be installed.  Restart.

Note: If Desktop Lock detects an administrator logged in, it will revert the shell value to explorer, launch explorer in full desktop mode, and then revert the key again.

Testing Desktop Lock

Logging in as a user, the user is presented with the familiar login screen for desktop lock then get forwarded to their session:

Note: The log off and restart buttons action locally.

Admin Login

If you log in as an administrator with UAC controls, you will receive the following:

Once you click OK, you will be logged into the full Windows shell.

So now you have some initial thoughts to Citrix Receiver Desktop Lock 4.2 and how to configure it.

If you have found this article interesting or if you have any insights, please feel free to contact me via email.