Logon Time Budget Calculator
Allocate logon time across stages to hit your <10 second target.
Total Logon Time:
0.0s
0s10s target20s
Logon Optimization Quick Wins
1. FSLogix Container Size
Keep VHDX <15 GB. Run
frx list-profile-size weekly. Add redirections.xml for browser caches.2. Async Group Policy
Enable Async GP processing. Run
gpresult /h report.html to identify slow CSEs. Disable Software Install from VDI GPOs.3. DC in Same AD Site
Domain controller latency >5ms to VMs = Kerberos delays. Verify:
nltest /dsgetsite4. OS Optimization Tool
VMware OS Optimization Tool (Horizon) or Citrix Optimizer. Disables 50+ unnecessary services. Run before sealing gold image.
5. Printer Enumeration
Background printer discovery GPO. Citrix: Disable Universal Printer until needed. Async via DEM/WEM.
6. NTP Sync
Kerberos fails silently if skew >5 min. Check:
w32tm /query /status. VMs should sync to PDC emulator.Storage IOPS Estimator
Estimate VDI storage IOPS requirements. Profile storage is separate from OS storage.
Adjust sliders to calculate...
VDI Event ID Reference
Critical Windows and VDI event IDs for troubleshooting. Filter by platform.
| Event ID | Source / Log | Platform | Meaning | Action |
|---|---|---|---|---|
| 27 | FSLogix-Apps/Operational | FSLogix | Profile container mounted successfully | Normal β confirm user, container path, size |
| 43 | FSLogix-Apps/Operational | FSLogix | Profile container unmounted at logoff | Normal β check if unmount takes >5s (Cloud Cache flush) |
| 47 | FSLogix-Apps/Operational | FSLogix | Profile container failed to attach | Check VHDLocations/CCDLocations path, SMB permissions, network connectivity |
| 50 | FSLogix-Apps/Operational | FSLogix | Could not attach container β using temp profile | Set PreventLoginWithTempProfile=1. Check storage availability. |
| 60 | FSLogix-Apps/Operational | FSLogix | Container is in use by another session | Concurrent sessions? Check ProfileType. Force-release with frx. |
| 28 | FSLogix-Apps/Operational | FSLogix | Cloud Cache provider health changed | One CCD provider unhealthy. Check SMB path, Azure Files connectivity. |
| 1004 | VMware VDM | Horizon | Horizon Agent service started | Normal. Verify version matches Connection Server. |
| 1007 | VMware VDM | Horizon | Agent cannot connect to Connection Server | Check CS FQDN in ListOfDDCs registry. Verify TCP 443/80 VDAβCS. Test: vdmadmin -A -getDomains. |
| 5003 | Blast / Agent | Horizon | Blast session failed to establish | UDP 8443 blocked? Test with Blast TCP first. Check UAG blastExternalUrl config. |
| 1003 | Citrix Delivery Svcs | Citrix | VDA registered with Delivery Controller | Normal. Confirm DDC FQDN. Check Port 80 VDAβDDC. |
| 1004 | Citrix Delivery Svcs | Citrix | VDA deregistered | DDC unreachable? Check TCP 80/443 VDAβDDC. Review DDC health in Studio. |
| 7010 | Citrix WEM | Citrix | WEM agent connected to infrastructure server | Normal. Confirm WEM infra server address in agent config. |
| 7016 | Citrix WEM | Citrix | WEM agent failed to connect | Check WEM Infrastructure Service port (8286). Firewall between agent and WEM server. |
| 1101 | Security | Windows | Audit policy change | GPO audit policy applied. Normal in VDI. |
| 4624 | Security | Windows | Successful logon | Correlate logon time with FSLogix event 27. Identify slow logon stages. |
| 6006 | System | Windows | Event log service stopped (clean shutdown) | Normal for IC recompose. If unexpected β check power state changes in vCenter. |
| 41 | Kernel-Power | Windows | Unexpected reboot (no clean shutdown) | BSOD or hard power off. Check minidump: %SystemRoot%\Minidump. Review vSphere hardware events. |
| 1129 | System/GroupPolicy | Windows | Group Policy processing failed β network | DC unreachable at logon. Check DC connectivity, AD site config, NTP skew. |
PowerShell Quick Reference
Production-ready snippets. Copy and run β tested in real deployments.
π¦ FSLogix Diagnostics
# List all profile containers on share
frx list-profiles -filename \\server\share
# Check profile size by user
frx list-profile-size -vol \\server\share\ `
-username jsmith
# Show current service status
Get-Service frxsvc, frxdrv | Select Name, Status, StartType
# Enable verbose FSLogix logging
reg add HKLM\SOFTWARE\FSLogix\Logging `
/v LoggingEnabled /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\FSLogix\Logging `
/v LogLevel /t REG_DWORD /d 4 /f
# Logs: C:\ProgramData\FSLogix\Logs\
# Check Cloud Cache provider health
Get-EventLog -LogName 'Microsoft-FSLogix-Apps/Operational' `
-Source 'Microsoft-FSLogix-Apps' `
-EntryType Error,Warning -Newest 50 |
Select TimeGenerated, EventID, Messageπ£ Horizon / vdmadmin
# Check Connection Server domain trusts
vdmadmin -A -getDomains
# List license status
vdmadmin -L
# Check VDM service status
vdmadmin -S -s [CS-FQDN]
# Horizon REST API β pool status (PowerShell)
$cs = "https://cs.corp.com"
$cred = @{ username="admin"; password="pass"; domain="CORP" }
$token = (Invoke-RestMethod -Uri "$cs/rest/login" `
-Method POST -Body ($cred|ConvertTo-Json) `
-ContentType "application/json").access_token
$header = @{Authorization="Bearer $token"}
$pools = Invoke-RestMethod `
-Uri "$cs/rest/inventory/v8/desktop-pools" `
-Headers $header
$pools | Select displayName, enabled,
@{N='Provisioned';E={$_.provisioningStatusData.numProvisioned}}π΅ Citrix CVAD
# Load Citrix snap-ins
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue
# Check all unregistered VDAs
Get-BrokerDesktop -Filter {RegistrationState -eq 'Unregistered'} |
Select MachineName, RegistrationState, LastDeregistrationTime |
Sort LastDeregistrationTime -Descending
# Check license status
Get-LicInventory | Select PldName, LicensesInUse, LicensesAvailable
# Active session count by delivery group
Get-BrokerDesktopGroup | Select Name,
@{N='Sessions';E={(Get-BrokerSession -DesktopGroupName $_.Name).Count}},
TotalDesktops, DesktopsInUse
# Find sessions over 8 hours old
Get-BrokerSession | Where {$_.EstablishmentTime -lt (Get-Date).AddHours(-8)} |
Select UserName, MachineName, EstablishmentTime, SessionStateβοΈ AVD / Azure
# Check AVD session hosts (Az module required)
Get-AzWvdSessionHost -ResourceGroupName "rg-avd" `
-HostPoolName "hp-prod" |
Select Name, Status, UpdateState, LastHeartBeat
# Get active sessions count
(Get-AzWvdUserSession -ResourceGroupName "rg-avd" `
-HostPoolName "hp-prod" -SessionHostName "vm-prod-0").Count
# Log Analytics KQL: FSLogix mount time
AzureDiagnostics
| where Category == "Checkpoint"
| where OperationName == "FSLogix Profile Loaded"
| summarize avg(durationMs) by bin(TimeGenerated, 1h)
| render timechart
# Check autoscale plan status
Get-AzWvdScalingPlan -ResourceGroupName "rg-avd"π Group Policy / Logon
# Generate GPO report for logon analysis
gpresult /h "C:\Temp\GPReport.html" /f
Start-Process "C:\Temp\GPReport.html"
# Check GPO processing time (event log)
Get-WinEvent -FilterHashtable @{
LogName='System'; ProviderName='Microsoft-Windows-GroupPolicy'
Id=@(8001,8002,8003,8004,8005,8006)} -MaxEvents 20 |
Select TimeCreated, Id, Message
# Find slow logon scripts
Get-WinEvent -FilterHashtable @{
LogName='Application'; ProviderName='Userenv'} -MaxEvents 50
# NTP sync check
w32tm /query /status
w32tm /query /peersπ Network / Connectivity
# Test all critical VDI ports from VM
$tests = @(
@{H="cs.corp.com"; P=443; Name="Horizon CS HTTPS"},
@{H="uag.corp.com"; P=8443; Name="Blast UDP (use UDP test)"},
@{H="dc01.corp.com"; P=389; Name="LDAP to DC"},
@{H="storage.file.core.windows.net"; P=445; Name="Azure Files SMB"},
@{H="ddcserver.corp.com"; P=80; Name="Citrix DDC"}
)
foreach ($t in $tests) {
$result = Test-NetConnection -ComputerName $t.H -Port $t.P -WarningAction SilentlyContinue
[PSCustomObject]@{
Test = $t.Name
Host = $t.H
Port = $t.P
Result = if($result.TcpTestSucceeded){"β
PASS"}else{"β FAIL"}
}
} | Format-Table -AutoSizeVDI Port Reference β All Platforms
Critical firewall rules for VDI deployments. Print this and hand it to your network team.
| Port | Protocol | Flow | Platform | Purpose | Priority |
|---|---|---|---|---|---|
| 443 | TCP | Client β UAG/CS/NetScaler | All | HTTPS β Horizon console, HDX/ICA proxy, AVD broker, Workspace App | Critical |
| 8443 | UDP | Client β UAG | Horizon | Blast Extreme UDP β primary display protocol. MUST be UDP not just TCP. | Critical |
| UDP 443 | UDP | Client β NetScaler | Citrix | EDT (Enlightened Data Transport) β QUIC-based. Must be open for WAN performance. | Critical |
| 4172 | UDP+TCP | Client β UAG/VDA | Horizon PCoIP | PCoIP protocol (legacy thin clients only) | If PCoIP used |
| 1494 | TCP | Client β VDA (internal) | Citrix | ICA protocol β primary session (internal direct). Must be open clientβVDA on LAN. | Critical |
| 2598 | TCP | Client β VDA | Citrix | CGP β Session Reliability (reconnect without re-auth). Enable always. | Critical |
| 22443 | UDP+TCP | Client β Agent (internal) | Horizon | Blast Extreme β internal/LAN direct connect | Internal |
| 389 / 636 | TCP | CS/DDC β DC | All | LDAP / LDAPS β Active Directory authentication | Critical |
| 902 | TCP | CS/DDC β ESXi | Horizon / CVAD | Instant Clone provisioning, VM power operations via vSphere | Critical |
| 445 | TCP | VMs β Profile Storage | All (FSLogix) | SMB 3.0 β FSLogix container mount. Block this = no profiles. | Critical |
| 1433 | TCP | DDC β SQL | Citrix | SQL Server β CVAD site database, Logging database | Critical |
| 27000 | TCP | DDC β License Server | Citrix | Citrix License Server β block = sessions stop after grace | Critical |
| 8286 | TCP | VDA β WEM Infra | Citrix WEM | WEM agent β WEM Infrastructure Service | If WEM on-prem |
| 3389 | TCP | Client β VDA (admin) | All | RDP β admin access. Never expose externally. Restrict to management VLAN. | Internal mgmt only |
Critical Registry Keys Reference
Key registry settings for FSLogix, Horizon Agent, and VDI optimization. All confirmed for 2026 versions.
π¦ FSLogix Profile Container
| Key (under HKLM\SOFTWARE\FSLogix\Profiles) | Type | Value | Purpose |
|---|---|---|---|
| Enabled | DWORD | 1 | Enable FSLogix (0 = installed but inactive) |
| VHDLocations or CCDLocations | MULTI_SZ | \\server\share | Storage path. Use CCDLocations for Cloud Cache HA. Never mix both. |
| VolumeType | REG_SZ | VHDX | Always VHDX (not VHD). VHDX resizable + more reliable. |
| SizeInMBs | DWORD | 30720 | Max container size (30 GB default). VHDX auto-compacts. |
| ProfileType | DWORD | 0 | 0=Normal (recommended). 3=RO+Merge for non-persistent. Avoid 3 with Cloud Cache. |
| FlipFlopProfileDirectoryName | DWORD | 1 | Folder = %username%_%sid% (readable). Default 0 = %sid%_%username% (hard to browse). |
| DeleteLocalProfileWhenVHDShouldApply | DWORD | 1 | Remove local profile if FSLogix available. Prevents corruption fallback. |
| PreventLoginWithTempProfile | DWORD | 1 | Block logon if falls back to temp profile. Critical for non-persistent. |
| PreventLoginWithFailure | DWORD | 1 | Block logon if container fails to mount entirely. |
βοΈ FSLogix Cloud Cache
| Key (under HKLM\SOFTWARE\FSLogix\Profiles) | Type | Value | Purpose |
|---|---|---|---|
| CCDLocations | MULTI_SZ | type=smb,name="Name",connectionString=\\server\share | 1β4 Cloud Cache providers. First listed = read preference. |
| CacheDirectory | REG_SZ | C:\ProgramData\FSLogix\Cache | Local write-back cache. Use NVMe/ephemeral SSD. Fast local I/O critical. |
| ClearCacheOnLogoff | DWORD | 1 | Delete local cache at logoff. Always 1 for non-persistent VMs. |
| HealthyProvidersRequiredForRegister | DWORD | 1 | Minimum healthy providers to allow logon. 1 = allow if any provider up. |