Installing Connection Quality
Indicator in an AppLocker Environment
Citrix recently released the Connection Quality Indicator utility,
it is comprehensively documented under article https://support.citrix.com/article/CTX220774.
This guide provides a summary of installing the utility in a Microsoft
AppLocker hardened deployment.
In summary the steps are:
- Install Connection Quality Indicator
- Copy Policy Definition Files
- Create AppLocker Rule
- Configure Connection Quality Indicator via Group Policy
Install Connection Quality
Indicator
Check to ensure
installed
Group
Policy
Copy the Group Policy definitions
If using
Local Policy as follows:
admx:
From : <Installation Directory>\Configuration\CitrixCQI.admx
To : %systemroot%\policyDefinitions
From : <Installation Directory>\Configuration\CitrixCQI.admx
To : %systemroot%\policyDefinitions
From
: <Installation Directory>\Configuration\CitrixBase.admx
To : %systemroot%\policyDefinitions
adml:
From: <Installation Directory>\Configuration\[MUIculture]CitrixCQI.adml
To: %systemroot%\policyDefinitions\[MUIculture]
To : %systemroot%\policyDefinitions
adml:
From: <Installation Directory>\Configuration\[MUIculture]CitrixCQI.adml
To: %systemroot%\policyDefinitions\[MUIculture]
From :
<Installation Directory>\Configuration\[MUIculture]\CitrixBase.adml
To : %systemroot%\policyDefinitions\[MUIculture]
To : %systemroot%\policyDefinitions\[MUIculture]
If using domain based
group policy:
admx:
From : <Installation Directory>\Configuration\CitrixCQI.admx
To : %domainname%\sysvol\%domainname%\policyDefinitions
From : <Installation Directory>\Configuration\CitrixCQI.admx
To : %domainname%\sysvol\%domainname%\policyDefinitions
From
: <Installation Directory>\Configuration\CitrixBase.admx
To : %domainname%\sysvol\%domainname%\policyDefinitions
adml:
From: <Installation Directory>\Configuration\[MUIculture]CitrixCQI.adml
To: %domainname%\sysvol\%domainname%\\[MUIculture]
To : %domainname%\sysvol\%domainname%\policyDefinitions
adml:
From: <Installation Directory>\Configuration\[MUIculture]CitrixCQI.adml
To: %domainname%\sysvol\%domainname%\\[MUIculture]
From :
<Installation Directory>\Configuration\[MUIculture]\CitrixBase.adml
To : %domainname%\sysvol\%domainname%\\[MUIculture]
To : %domainname%\sysvol\%domainname%\\[MUIculture]
AppLocker
Exception Group Policy
The guide details that:
“For
Server OS Virtual Delivery Agents, the AppSetup registry value is modified and
CQI’s Launcher.cmd script is appended to it. The location of the registry key
containing this value is as follows: HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon”
Effectively this just calls the Citrix.CQI
EXE from within “C:\Program Files (x86)\Citrix\Connection
Quality Indicator” via a batch file.
Rather than running this via batch file simply create a
shortcut to eh Citrix.CQI exe file and add it to the default startup apps.
To allow this EXE to run create an
AppLocker exception for C:\Program Files (x86)\Citrix\Connection Quality
Indicator\Citrix.CQI.exe
Configuring
Connection Quality Group Policy
Navigate to Computer Configuration \ Administrative Templates
\ Citrix Components \ Virtual Desktop Agent \ CQi
Configure the options for Enable CQI and Notification
Display Settings, configure the Connection Threshold settings as required for
the environment
Connection Quality Indicator - In Use
Via LAN using Thin Client and Citrix Receiver 4.6
Via Surface Pro 3, WiFI, NetScaler and Citrix Receiver 4.6
