In the past months, I have had to deploy Microsoft Teams and OneDrive from the Office365 portfolio in Citrix environments, in addition to the standard office applications in numerous projects.

Microsoft Teams

The standard installation, that the user can perform through the Office365 portal, is a user-based installation. In a Citrix environment, this is only recommended for desktop operating systems (pooled or personal desktop).

A user-based installation can be detected very quickly in the User Profile, since data is then located under AppData\Local\Microsoft\Teams.

This type of installation in a worker with server operating system has many disadvantages:

• No control over the installed version
• Several different versions possible on the same worker
• Complete data (~1 GB) is stored in the user profile

To correct this and clean up the User Profile the following script can be used.

UserBased CleanUp

The script must be executed in user context. Either by GPO logon script or WEM External Task.

To prevent such an installation, the path AppData\Local\Microsoft\Teams can be blocked by FSLogix AppMasking or another tool.

Installation Machine Based

In order for Teams to function in server operating systems (multi-user capable), the Machine Based Installer must be used. The part of the data that is stored in the AppData\Local\Microsoft\Teams path in the User Based Installer is stored in the C:\%PROGRAMFILES%\Microsoft\Teams folder. However, teams can no longer be updated automatically once a new version is available. This mode is recommended for non-persistent environments.

• First we download the MSI package

Newest Teams MSI Version (at the moment 1.4.0.2879)

32 bit

64 bit

• If there is still a Teams installation on the system, it must be uninstalled first
• Start an Administrative CMD
• The installation is performed with the following command

Example:

The Parameter ALLUSER=1 install Teams (Machine-Based) to the Program Files (x86) folder on a 64-bit operating system and to the Program Files folder on a 32-bit operating system. With this parameter, the Teams MSI still does not use a Windows Installer to install all files. Instead, Microsoft created additional custom actions in the MSI, that extract all files from Teams.exe to the Program Files folder.

When you set the parameter ALLUSERS=1, Teams Machine-Wide Installer appears in Programs and Features in Control Panel and in Apps & features in Windows Settings for all users of the computer. All users can then uninstall Teams if they have admin credentials.

We can perform the complete installation (with the correct parameters) script controlled.

With my following Evergreen Script, it can check at every opening of the Golden Master, if there is a new version and install it thereupon.

Deyda/Evergreen (github.com)

Installation with AppLayering

If Citrix App Layering is used or the Citrix VDA Agent is not yet installed on the worker, the following error message is displayed

To solve this, a new key named PortICA must be provided under the following path of the registry before teams with the machine based parameter ALLUSER = 1 can be installed.

Or

This should also be considered if you need to package Teams machine-based.

Uninstallation

To update to the latest Teams version, first uninstall the current version so that the new one can be installed again.

There are two possibilities for this:

• Via the installer
  • Right click on the installer and click Uninstall

• Command line
  • This command uninstalls Teams from the Program Files (x86) folder or from the Program Files folder

Example:

For the different installation methods I have also created CleanUp Scripts.

UserBased CleanUp

MachineBased CleanUp

Directory inclusion for profile solution

The Teams directory must be included in the existing profile solution.

• Roaming/Microsoft/Teams

Directory exclusion for profile solution

The following directory and file typ should be excluded from the profile. Excluding these elements helps to reduce the size of the user profile.

• Roaming/Microsoft/Teams/*.txt
• Roaming/Microsoft/Teams/media-stack
• Roaming/Microsoft/Teams/Service Worker/CacheStorage
• Roaming/Microsoft/Teams/Application Cache
• Roaming/Microsoft/Teams/Cache
• Roaming/Microsoft/ Teams/GPUCache
• Roaming/Microsoft Teams/Logs

Configuration

GPOs

The default behavior of the Teams installation is to automatically start teams as soon as a user logs in. If this is not desired, it must be defined using group policies.

Important: With the current version of Teams, this intervention via GPO no longer works.

• Download the ADMX files for Office365

• Copy the extracted files to your Policy Central Store and create a GPO to edit the autostart behavior of teams (Prevent Microsoft Teams from starting automatically after installation under User Configuration\Policies\Administrative Templates\Microsoft Teams)

If GPO cannot be used for this, the PreventFirstLaunchAfterInstall key must be defined under HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Teams. The key type for PreventFirstLaunchAfterInstall is REG_DWORD and the value should be set to 1, which means that teams are not automatically started after installation.

If teams have already been rolled out and the above policy is activated afterwards, 2 scripts must be run, to reset the autostart flag in the user and machine context.

Script for machine context – This must be done once per machine (or Golden Master) with an Administrative PowerShell.

Script for user context – This only needs to be done once for the user after the machine context script has been executed.

desktop-config.json

The following script can be used to define the settings from the desktop-config.json file per user if they have already opened Teams.

Script desktop-config.json

The following settings can be defined using this script:

• Auto-start application (openAtLogin)
• Open application in background (openAsHidden)
• On close, keep the application running (runningOnClose)
• Disable GPU hardware acceleration (disableGpu)
• Register Teams as the chat app for Office (registerAsIMProvider)

Important is here that you can edit this only with the Script, if teams was started initially once. Only then the desktop-config.json file is available in its final version in the profile.

If the settings should be stored before the first start, a pre-configured file must be created and stored in the default profile (c:\users\default\AppData\Roaming\Microsoft\Teams) or created via GPP Rule during profile creation.

For this purpose, a desktop-config.json file should be created with the required settings.

Storage in the default path on the worker.

Or configuration via Group Policy Preferences.

The following settings should be configured for better performance.

Disable GPU hardware acceleration should be activated if no vGPU solution (nvidia etc.) is used on the worker, because teams need less resources then.

Register teams as the chat app for Office should be disabled for the same reason.

If you are fast enough, you can see in the fresh new profile, the file we created.

And when Teams starts up for the first time, the desired settings are also set directly.

Registry

To make sure that Teams initial always starts the invitation links directly without a prompt, you can set the following registry entries via GPP or WEM Registry Entry.

Enable optimization of Microsoft Teams

• Microsoft Teams Version 1.2.00.31357 or higher
• CVAD Delivery Controller & VDA Version 1906.2 or higher
• Windows 10 64-bit Version 1607 or higher / Windows Server 2019 / Windows Server 2016 / Windows Server 2012 R2
• Browser Content Redirection installed (BCR_x64.msi)
• Citrix Workspace app for Windows 1909 or newer / Citrix Workspace app for MAC 2009 or newer / Citrix Workspace app for Linux 2010 or newer
• Citrix Policy Setting
  • Microsoft Teams redirection Allowed
    • Key: HKEY_CURRENT_USER\Software\Citrix\HDXMediaStream
    • Name: MSTeamsRedirSupport
    • Value: DWORD (1 – on, 0 – off)

Installation of Office365 without Teams (User-Based)

To not also install Teams (User-Based Install) with the Office365 installation, the existing Configuration.xml must be extended by the following:

The Configuration.xml should then look like this

OneDrive for Business

The standard installation, that the user can perform through the Office365 portal, is a user-based installation. In a Citrix environment, this is only recommended for desktop operating systems (pooled or personal desktop).

If the User-Based Install is used, it loads the profile with ~500MB of data.

Installation

In order for OneDrive to work in server operating systems (multi-user capable), the Machine Based Installer must be used. A part of the data is stored in the folder C:\%PROGRAMFILES%\Microsoft OneDrive. This mode is recommended for non-persistent environments.

• First download the installer

• Start an Administrative CMD
• The installation is performed with the following command

Example:

Directory inclusion for profile solution

The OneDrive directory must be included in the existing profiles solution.

• Local/Microsoft/OneDrive

Configuration

The default behavior of the OneDrive installation, is to allow the user to sync the entire OneDrive account to the local machine (up to 1TB). Since this may not be desired (Set the maximum size of a user’s OneDrive that can download automatically), this must be limited using Group Policy.

These and other settings are only possible under Windows Server 2019 and Windows 10 (Version 1709 or newer), because only then Files On Demand is available. With older operating systems, the complete OneDrive data is downloaded.

• Connect to a worker who now has the OneDrive for Business Client installed
• In the directory C:\Program Files (x86)\Microsoft OneDrive\<BuildNumber>\adm, go to the subdirectory of the language you need (the BuildNumber can be found in the About tab of the client)
• Copy the ADML file and the ADMX file from the adm folder to your GPO Central Store

• Create a GPO to edit the OneDrive configuration (Computer Configuration\Policies\Administrative Templates\OneDrive)

• Set the maximum size of a user’s OneDrive that can download automatically

This setting define how to handle with OneDrive accounts that are larger than the specified value (in MB). These accounts will prompt the user to select the folders to be synchronized, before the sync client downloads the files. In the GPO setting, the Tenant ID and the Maximum size in MB must be defined.

• Silently sign in users to the OneDrive sync app with their Windows credentials

When this setting is enabled, users logged on to a worker connected to Azure AD, can set up the client without entering their credentials. Users will still see OneDrive Setup, allowing them to select the folders to be synchronized and the location of the OneDrive folder.

• Specify SharePoint Server URL and organization name
• Specify the OneDrive location in a hybrid environment

The settings “Specify SharePoint Server URL and organization name” and “Specify the OneDrive location in a hybrid environment” are for customers with SharePoint Server 2019 instances.

• Allow syncing OneDrive accounts for only specific organizations

The setting “Allow syncing OneDrive accounts for only specific organizations” prevents a proliferation of connections to non-company OneDrive instances (private or from other companies) by specifying a list of allowed Tenant IDs. If users now try to log in to a non-permitted Tenant ID, they will receive an error message. If users are already logged on to other Tenant IDs, they will not be synchronized further.

This setting has a higher priority than the “Block syncing OneDrive accounts for specific organizations” setting, which can be used to block specific tenant IDs.

• Block file downloads when users are low on disk space

The setting “Block file downloads when users are low on disk space” can be used to prevent users from crippling the system with OneDrive Sync. It defines the minimum disk size at which the OneDrive Client will stop the synchronization. The user is then presented with a window with options to free up memory.

• Limit the sync app upload rate to a percentage of throughput

The “Limit the sync app upload rate to a percentage of throughput” define the maximum bandwidth of the synchronization (upload). Therefore a maximum percentage, of the total bandwidth of the computer, is defined for this purpose. The lower the percentage, the slower files are uploaded. Microsoft recommends a value of 50% or higher. Even though the bandwidth is limited by this setting, the app will periodically synchronize files without limitation for 1 minute. This ensures that small files are uploaded quickly, despite the limitation. This setting should be defined for low bandwidths.

If this setting is “Disable” or “Not Configure”, the user can control the limit directly from the OneDrive Client (in KB/second) or configure it to “Adjust automatically” (defines upload to 70% of bandwidth)

• Prompt users to move Windows known folders to OneDrive

The setting “Prompt users to move Windows known folders to OneDrive” can be used to define whether the following window appears.

This defines that the folders Documents, Pictures and Desktop are synchronized to OneDrive. This option is only available from client version 18.111.0603.0004.

Installation of Office365 without OneDrive (User-Based)

To not also install OneDrive (User-Based Install) with the Office365 installation, the existing Configuration.xml must be extended by the following:

The Configuration.xml should then look like this

OneDrive for Business as Published App

When OneDrive for Business is opened during a Citrix Published App session, it ensures that there is no logout. Adding the binary name of the OneDrive EXE-file to the LogoffCheckSysModules registry key does not help.

---

Solution

Perform the following steps:

• Start Regedit
• Go to the following Registry directory and create a new entry

Save Important Folder in OneDrive

If you want to use the OneDrive for Business feature “Important Folder Backup”, when Folder Redirection is enabled, you cannot enable it because it cannot synchronize the data.

Solution

Perform the following steps:

• Activate the feature manually or via GPO
• Start the script below and copy the Desktop and Documents folders to your OneDrive

Script to copy the data