Advanced Settings

At Setup > Advanced Settings, you can configure general settings for your Workspace Control environment. Below an overview of the different settings.



# minutes until AutoRefresh check

Specifies the time frame in which active users’ sessions should automatically refresh after clicking the button Refresh active. For instance, if you have 10 active user sessions in your environment and the interval is set to 10 minutes, approximately every minute a user session is forced to refresh.

# days to keep log files

Specifies for how long log files should be kept. This applies to the following logs:

  • Security > Applications > Managed Applications

  • Security > Applications > User Installed Applications

  • Security > Applications > Websites

  • Security > Data > Removable Disks

  • Security > Data > Files and Folders

  • Security > Data > Read-Only Blanketing

  • Security > Authorized Certificates

  • Security > Network Connections

  • Security > User Sessions

  • Diagnostics > Workspace Analysis/User Sessions > Event Logs

  • Diagnostics > Errors

  • Administration > Performance > Access Balancing

  • Administration > Performance > CPU Optimization

  • Administration > Performance > Instant LogOff

  • Administration > Performance > Memory Optimization

  • Setup > Integration > LANDesk

  • Setup > Integration > Microsoft System Center

  • Setup > Integration > Ivanti Products > Automation

Remove obsolete log files every day at

Specifies the time when log files should be cleaned up, for example after office hours. A cleanup can only run once a day. When a user starts a session, Workspace Control will check whether it has already performed a cleanup that day. If it has not, Workspace Control will check whether the time the session was started is less than one hour after the specified time when the log files should be cleaned up. If it is, Workspace Control will perform a cleanup of the log files. If not, the cleanup will be performed the next day.

For Relay Servers that are connected directly to the Datastore, the duration of the daily cleanup can be specified with the registry value DBCleanupDuration. See the Workspace Control Administration Guide for more information.

# seconds until timeout "Application Not Responding"

Specifies when the user will be notified about an unresponsive application. This setting only applies if you selected Notify user about not responding applications at Composition > Desktop > Lockdown and Behavior.

# seconds to wait before refreshing after network change or resume

Allows you to configure a delay before the Workspace Composer will perform a Workspace refresh after a network connectivity change or system resume occurred. Such a delay may be helpful in situations where a laptop changes network connectivity several times within a short period of time, for example when switching from a LAN connection to a WiFi connection. This might result in two changes in network connectivity:

  • LAN connection > No connection (triggers a Workspace refresh)

  • No connection > WiFi connection (triggers a Workspace refresh)

In this situation, configuring a delay can limit the number of Workspace refreshes.



Backtrack passthrough sessions to originating client for Zones

Allows Workspace Control to use the IP address of the originating client to resolve Zones if a published application on a Terminal Server is launched from another Terminal Server.

By default do not grant concurrent/seat license when database is not available

Specifies the default setting for application licenses for new applications. If selected, access to an application will be denied if licenses and seats cannot be checked by Workspace Control because there is no database connection.

Bypass composer for accounts and groups

You can specify local/domain administrator accounts, users, and/or groups to exempt particular users from getting Workspace sessions when they log on to an Agent, even when the Agent is configured to run the Workspace Composer automatically. This can be useful when troubleshooting. For example, enter <DomainName>\<SecurityGroup>, to allow members of the local administrator group to log on to a machine without starting a Workspace Control session (=bypassing the Workspace Composer).

Multiple entries can be separated by a semicolon (;).

Please note that the asterisk wildcard (*) is only supported for user or group names. Also, nested groups are only supported if they are within the same domain as the logged-on user account.

Valid formats for this field:

  • domain\username

  • .\username

  • domain\use*

  • domain\*

Example: demo\domain admins; demo\admin-gt; win10-1234\root; resqa\support*

Check validity of TEMP location at logon

If the location of the TEMP folder is invalid, Workspace Control will try to find a valid location and log it when found.

Do not allow reset of user sessions

Disables the possibility to remotely reset User Sessions from the Console.

Do not attempt to resolve printer name when adding network printers

This may prevent naming issues.

Do not establish communication with any Workspace Extender

Specifies that the Workspace Extender should not be used.

This option is only available if Enterprise or Standard licenses (RES PowerFuse 2010) are active within your environment.

Do not log security events for Workspace Control program folders and subfolders

If Security restrictions prevent a user from accessing the Workspace Control program folders, legitimate access to these folders by the Workspace Composer is also logged as a security event. Select this option to keep the log free of security events reporting access to the Workspace Control program folders by anyone.

Selecting this option will also keep the log clear of the security events that are triggered by the Workspace Control installation and/or cache folders.

Do not ping print server before connecting printers

This is useful if the print server uses a different network protocol.

Do not prevent applications in the Run key or RunOnce key from starting

In Microsoft Windows, applications set in HKEY_CURRENT_USER\...\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\...\Windows\CurrentVersion\RunOnce will automatically run at start up.


By default, this mechanism is disabled in sessions running the Windows Shell where Windows Shell shortcut creation is set to Replace all unmanaged shortcuts (at Composition > Applications > Settings). Select this option to allow applications to run automatically from the Run and RunOnce keys.


The Run and RunOnce mechanism is always:

  • enabled in sessions running the Windows Shell with Windows Shell shortcut creation is set to Do nothing or to Merge with unmanaged shortcuts.

  • disabled in sessions running the Workspace Control Shell.

Applications started from the Run key or RunOnce key are always unmanaged applications.

Do not set up workstation license virtual channel

When starting a terminal session from a desktop, Workspace Control sets up a virtual channel (either Citrix ICA or Microsoft RDP) to communicate with the terminal session. Workspace Control uses the virtual channel to acquire licenses from the Workspace Composer.

Establishing a virtual channel prevents multiple licenses from being reserved in the following scenarios:

  • A user logged into a local Workspace Control session starts a remote session using a different user.

  • A user logged into a local Workspace Control session starts a remote session in a different Workspace Control environment.

Enabling this option prevents Workspace Control from setting up a virtual channel.

By the default, when configuring a new Datastore, this option is enabled and Workspace Control does not establish a virtual channel to communicate with the terminal session.

Do not verify UNC path of security rules when offline

If selected, Workspace Control will not try to verify availability of the UNC path in a security rule if the connection state of a computer is offline. Instead, it will assume that the server can be reached. This setting is selected by default when a new Datastore is created. This setting requires an unqualified server name (e.g. \\server instead of \\server.domain) that can be resolved at DNS level. Alternatively, the authorization rule must be changed so that it contains a fully qualified domain name in the UNC path.

Exclude processes from blocking the logoff sequence

In Workspace Control sessions, Citrix published applications are started as separate full-screen sessions without a taskbar. When such applications are closed, Workspace Control also closes the session. To prevent the session from closing while sub-processes started by the application are still running, Workspace Control compares the processes running at session end against the processes running at session start. If Workspace Control finds additional running processes, the session remains opened.

Select this option to exclude processes from preventing Workspace Control to close the session. The session now ends even if the excluded processes are still running.

After selecting the option, the Exclude Processes window appears. Populate the list using Add and Remove, and then select OK. The configured processes will not prevent the Workspace Control session from closing.

  • Process names must be up to 255 characters in length, contain only alphanumeric characters, and end in .exe as the extension. For example: crss.exe.

  • If the ExcludeProcesses registry setting is already configured, enabling the Exclude processes from blocking the logoff sequence option overrules the registry setting.

  • When enabled, the option applies to all Workspace Control managed sessions.

Ping file server to verify UNC path of security rules when online

If selected, Workspace Control will ping the file server in an UNC path in a security rule, to determine whether the server can be reached, before it will verify the entire UNC path. By default, this setting is not selected when a new Datastore is created. This setting requires an unqualified server name (e.g. \\server instead of \\server.domain) that can be resolved at DNS level. Alternatively, the authorization rule must be changed so that it contains a fully qualified domain name in the UNC path.

Remove policy based registry keys before logging off

Prevents registry tattooing for policies set by Workspace Control. After logging off, all policy-based registry keys will be removed by Workspace Control. Windows will take care of recreating Group Policies and NT4-based policies, while Workspace Control will reprocess the policies as configured in the Management Console.

Use all valid IP addresses when evaluating Zones

Uses all valid IP addresses on all network interfaces to evaluate Zone rules. This is useful when using e.g. multi-homed computers (a computer with more than one IP address).

Use cached user context if latency to AD is above: x ms

If at session start the network latency to the domain controller is above the specified threshold, the Ivanti Workspace Composer will use the cached user context. The user may experience a session refresh due to changes in context. This is useful when high latency connections to Active Directory cause long delays in the retrieval of user context at session logon or refresh.

Use computer's FQDN instead of domain\computername in Logs and Usage Tracking

Enables you to identify computers by their Fully Qualified Domain Name (FQDN), rather than having identical names in Log and Usage Tracking reports. At Administration > Agents and Diagnostics > Agents, an extra column is displayed with the FQDN name.

Lift policy restrictions for current user

Removes all policy-related registry keys and values for the current user of the Management Console.