Teams Slimcore optimization on Citrix - Deep Dive

Microsoft started rolling out General Availability for Citrix customers on December 09, 2024.

Fernando Klurfan (PM for Cloud Services, virtual desktops (VDI) and multimedia at Microsoft) wrote a detailed community article about this on December 13, 2024:

“New Teams Optimization for VDI Now Generally Available in Citrix Environment” | Microsoft Community Hub

This eliminates the need to enroll users in the beta channel in the Teams admin center, and Slimcore gets activated if all prerequisites are met. For those of us in the EUC field who have been smashing our heads against the wall with the new Teams, this finally brings good news — and it’s a welcome relief.

Slimcore still has a few limitations; for example, since it is an MSIX Package, it is currently limited to Windows only. macOS and Linux are on the roadmap.

Table of Contents

Benefits

SlimCore means better performance and updates are now handled exclusively by Microsoft. The Workspace app is fully decoupled, allowing faster feature rollouts and seamless updates.

Features only available with Slimcore on Citrix
1080p
Hardware acceleration on endpoint
Gallery View 3x3 and 7x7
Quality of Service
Noise suppression
Voice isolation
HID
Presenter mode
Teams Premium (Pending: Watermark, Townhalls, Decorate my Background)
Organizational custom backgrounds (Teams Premium license required)
Zoom +/-
Media bypass, Location-based routing, Operator connect
Call quality dashboard and Teams admin center

General Requirements

CategoryRequirement
Teams Version24295.605.3225.8804 (verify in Teams under Settings -> About Teams).
VDA Version2203 LTSR CU3 or later, 2305 CR or later.
Citrix Workspace App2203 LTSR (any CU), 2402 LTSR (any CU), or 2302 CR or later.
MsTeamsPluginCitrixVersion 2024.41.1.1.
Endpoint OSWindows 10 version 1809 or later (SlimCore minimum requirement).
GPO ConfigurationGPOs must not block MSIX installations for SlimCore.
Hardware RequirementsMinimum CPU: Intel Celeron (or equivalent) @ 1.10 GHz, 4 cores.
Minimum RAM: 4 GB.
Supported EndpointsSlimCore Optimization is currently available only for Windows endpoints. macOS and Linux support is planned.
Published ApplicationsSlimCore Optimization is not yet supported for published (seamless) Teams applications. Use Citrix HDX Optimization for published apps.
Virtual Channel Allow List MSTEAMS,C:\Program Files\WindowsApps\MSTeams*8wekyb3d8bbwe\ms-teams.exe
MSTEAM1,C:\Program Files\WindowsApps\MSTeams*8wekyb3d8bbwe\ms-teams.exe
MSTEAM2,C:\Program Files\WindowsApps\MSTeams*8wekyb3d8bbwe\ms-teams.exe

Note for the VDA

VDA Version must be at least 2203 LTSR CU3, 2402 LTSR (any CU) or 2305 CR. However, these versions are now outdated and no longer supported (except 2402 LSTR, as the newest CU is CU1). It is strongly recommended to upgrade to the latest version to ensure security and compatibility.

LSTR 2203 CU3 and CR 2305 are affected by a critical vulnerability (CVE-2024-6151) that allows local privilege escalation. For more details, refer to the Citrix security bulletin: CTX678035.

OS for the General Usage of Teams 2.0 on your Worker/VDI

Please do not use Server 2019 anymore; it will save you a lot of headaches when using Teams or OneDrive. We are talking about an LTSC OS with a feature level of 1809. This version was developed in September 2018, which speaks for itself.

Version of Teams 2.0 on your Worker/VDI

Teams 2.0 must be version 24295.605.3225.8804 on Citrix. This version was released on November 18, 2024.
Teams 2.0 on the Worker/VDI should not update itself automatically, so keep this in mind and ensure you manage updates manually to maintain compatibility and avoid unexpected issues.

See: Version update history for Teams app deployments – Office release notes | Microsoft Learn

Updating and deploying Teams 2.0 on VDI can be challenging, but there are effective solutions available.

Any supported OS: Deyda/NeverRed: NeverRed’s focus is to provide a simple solution to keep standard software up to date without having to package it or search and compare versions on vendor sites. https://www.deyda.net/index.php/en/neverred/

Server 2019: Powershell-Scripts/install-new-teams-srv2019.ps1 at main · Koetzing/Powershell-Scripts
Server 2022, Windows 10 and Windows 11 Multi-User: https://github.com/Koetzing/Powershell-Scripts/blob/main/install-new-teams.ps1

Note for the Virtual Channel Allow List

Virtual Channel Allow List must be configured as follows:

a) Enabled:
Include the following exclusions:

MSTEAMS,C:\Program Files\WindowsApps\MSTeams*8wekyb3d8bbwe\ms-teams.exe

MSTEAM1,C:\Program Files\WindowsApps\MSTeams*8wekyb3d8bbwe\ms-teams.exe

MSTEAM2,C:\Program Files\WindowsApps\MSTeams*8wekyb3d8bbwe\ms-teams.exe

If you’re also using other Virtual Channels, such as ControlUp, Webex, or Zoom, make sure to include those exclusions in your allow list.

b) Disabled:
This configuration is not recommended as it poses a significant security risk.

See: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/virtual-channel-security#adding-virtual-channels-to-the-allow-list


  • The Virtual Channel Allow List is enabled by default with 2203 LTSR (any CU) and above or 2109 CR and above.
  • Wildcards for the Virtual Channel Allow List policy are supported starting with 2203 LTSR CU2 or 2206 CR and later. The use of recent versions is crucial once again.

Now we are getting to the crucial part - the endpoint

There are several options to deploy this to the endpoint. Please do NOT install the plugin manually, as it will not receive automatic updates, leaving you responsible for manually updating the plugin.

You don’t want to do that.

However, if your endpoint really cannot have any connection to Microsoft’s CDN, installing it manually is your only option. In this case, you should ask yourself why you’re even using Teams.

Install the plugin via Citrix Workspace App

  • Installation via Command Line:

    • For managed devices, deploy the Citrix Workspace app with the /installMSTeamsPlugin parameter. This method is compatible with deployment tools such as SCCM, Intune, XenMobile, Baramundi, Workspace ONE, etc.
    • Minimum Versions Required:
      • Citrix Workspace app 2203 LTSR or any cumulative update (CU)
      • Citrix Workspace app 2402 LTSR or any cumulative update (CU)
      • Citrix Workspace app 2302 CR or later
				
					CitrixWorkspaceApp.exe /installMSTeamsPlugin

				
			
  • Installation via Graphical User Interface (GUI):

    • During a fresh installation of the Citrix Workspace app, the installer provides an option to install the Microsoft Teams VDI plugin:
      • On the Add-on(s) page, select the Install Microsoft Teams VDI plug-in checkbox, then click Install.
    • Important Considerations:
      • The GUI option to install the plugin is available during a fresh installation with Citrix Workspace app 2402 LTSR.
      • For in-place upgrades to present this option, Citrix Workspace app 2405 CR or higher is required.

Install the plugin via Global App Configuration Service (GACS)

This is a great use case for BYOD. As mentioned before, the Teams plugin can currently only be installed on Windows. To achieve this, you need an active Citrix Cloud account. GACS allows centralized configuration and deployment for both managed and unmanaged endpoints.

Requirement
Citrix Cloud AccountYou must have a valid Citrix Cloud account. If you don’t have one, refer to the Citrix documentation to create it.
Network AccessThe following addresses must be contactable:
- https://discovery.cem.cloud.us
- https://gacs-discovery.cloud.com
- https://gacs-config.cloud.com
StoreFront URL (On-Premises)For on-premises StoreFront deployments, the StoreFront URL must be claimed before configuration.
Citrix Workspace App VersionThe minimum supported version is Workspace App 2405 CR. GACS does not support older versions.
Auto-UpdateAuto-update must be enabled for the Workspace App.

Step-by-Step Settings for claiming your URL

  • Claim Your Gateway URL in Citrix Cloud

    • Log in to your Citrix Cloud account.
    • Navigate to the Workspace Configuration, App Configuration section.
    • Claim your Gateway URL (e.g., xyz.customer.com).
  • Create a Responder Action

    • On your Netscaler, create a Responder Action.
  • Bind the Responder Action to a Responder Policy

    • Attach the Responder Action to a Responder Policy.
  • Apply the Responder Policy to Your Gateway

    • Assign the Responder Policy to your on-premises Gateway
  • Verify Your Gateway URL

    • Confirm that your Gateway URL has been successfully claimed and is functional within your Citrix Cloud environment.

Configuration settings

Compare your changes (I have enabled the update option for macOS as well)

Virtual Channel plugin manager

With 2407 and later, you can use the Virtual Channel Plugin Manager. This is another great usecase for BYOD.

The plugin manager detects the Teams app running on the VDA and prompts the user with a notification to install the plugin on their endpoint. 

Steps

Check Microsoft Teams redirection policy (enabled by default)

Edit Virtual channel plugin manager policy and add:

  • Microsoft Teams

On VDA 2407, you need to add the following registry key:

				
					$RegPath = "HKLM:\SOFTWARE\Citrix\HDXMediaStream"
$RegName = "EnableAppDetector"
$RegType = "DWORD"
$RegValue = 1
				
			

This can be automated and verified using tools like ControlUp. For further details, see the Troubleshooting section.

With VDA 2411, this registry key is no longer required.

Sources:

Virtual Channel Plugin Manager Overview

Virtual Channel Plugin Manager Configuration

Networking considerations

MsTeamsVdi.exe is the process that makes all the TCP/UDP network connections to the Teams relays/conference servers or other peers.

SlimCore MSIX manifest adds the following rules to the Firewall: <Rule Direction="in" IPProtocol="TCP" Profile="all" /> <Rule Direction="in" IPProtocol="UDP" Profile="all" />

Endpoint connectivity to the following addresses and ports is crucial.

See: New VDI solution for Teams – Microsoft Teams | Microsoft Learn

CategoryRequired for EndpointAddressesPortsNotes
Optimize requiredYes 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38 UDP: 3478, 3479, 3480, 3481 Media Processors and Transport Relay:
3478 (STUN), 3479 (Audio), 3480 (Video), 3481 (Screenshare)
Allow requiredYes *.lync.com, *.teams.microsoft.com, teams.microsoft.com
52.112.0.0/14, 52.122.0.0/15,
52.238.119.141/32, 52.244.160.207/32,
2603:1027::/48, 2603:1037::/48,
2603:1047::/48, 2603:1057::/48,
2603:1063::/38, 2620:1ec:6::/48,
2620:1ec:40::/42
TCP: 443, 80 Required for communication with Teams services
Default requiredNo*.office.netTCP: 443, 80 Used for SlimCore downloads and background effects
Default requiredNo*.skype.comTCP: 443, 80 Used for legacy Skype for Business services

Troubleshooting and deep dive on the whole magic

Please note: If the above steps are not met, Teams will fall back to WebRTC mode (HDX Optimized).

MSTeamsPluginCitrix.dll

The staging and registration relies on the App Readiness Service (ARS) on the endpoint.

By default, even after meeting all the minimum requirements, launching the new Teams for the first time will still start in WebRTC optimized mode.

For the new SlimCore optimization to take effect, two application restarts are required during the initial setup.

The plugin (MsTeamsPluginCitrix.dll) handles downloading the media engine and SlimCore, which is deployed as an MSIX package. This process runs silently without requiring admin privileges or reboots and installs at:

C:\Program Files (x86)\Citrix\ICA Client\MsTeamsPluginCitrix.dll

To verify the installation, execute the following PowerShell code:

				
					Test-Path "C:\Program Files (x86)\Citrix\ICA Client\MsTeamsPluginCitrix.dll"
				
			

If the plugin was manually installed previously, the installation process can sometimes fail. I haven’t been able to reproduce this issue under all circumstances, but if it happens, follow these steps:

  1. Use the Citrix Cleanup Utility to clean up the previous installation.

  2. Reconfigure the Workspace app by running the following command:

				
					CitrixWorkspaceApp.exe /cleaninstall
				
			

Also note:
Citrix does not handle the uninstallation of the plugin, regardless of how the plugin was installed. In case of uninstall scenarios, make sure to remove the plugin separately.

 

 

Verify the Appx Package

Microsoft stores up to 12 versions of SlimCoreVdi on the endpoint. This ensures compatibility, particularly in Citrix environments where users may access:

  • Persistent environments: Where the new Teams can auto-update itself.
  • Non-persistent environments: Where auto-updates for new Teams are disabled.
				
					Get-AppxPackage *slimcore* | ft name, installlocation, version
				
			

As soon as the virtual channel is established, the MSIX installation is triggered. You can verify this in the Event Viewer logs under

  • AppxPackagingOM: Microsoft-Windows-AppXDeploymentServer/Operational
  • AppXDeployment-Server: Microsoft-Windows-AppXDeploymentServer/Operational

Verify your Virtual Channel Allow list

				
					(Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Policies\Citrix\VCPolicies" -Name "VirtualChannelWhiteList" -ErrorAction SilentlyContinue).VirtualChannelWhiteList
				
			

Bridge to the local client

As soon as the connection to the virtual channel is established, the bridge to the local MsTeamsVdi.exe process is created.

If you’re optimized in Citrix, you can see MsTeamsVdi.exe running on your endpoint as a child process of wfica32.exe.

To confirm optimization, use Process Explorer:

  1. Select wfica32.exe in Process Explorer.
  2. Under the View menu, enable Show the lower pane.
  3. Switch to the DLL tab in the bottom pane.

Here, you should see the plugin (MsTeamsPluginCitrix.dll) being loaded.

Logfile creation

If the optimization still does not work, you can generate a log file on the VDA using the following key combination:

				
					Ctrl + Alt + Shift + 1
				
			

Known Issues

  • Screen Capture Protection (SCP) causes the presenter's screen to show as a black screen with only the mouse cursor visible on the receiving side.
  • Calls drop on Teams running on the local machine that has an HID peripheral connected if a user launches a virtual desktop from that same local machine and logs into Teams.
  • Camera self-preview isn't supported at this time (either under Settings > Devices or while on a call when selecting the down arrow on the camera icon).
  • In the Control Panel > Apps > Installed apps on the endpoint, users will see multiple "Microsoft Teams VDI" entries (one for every SlimCore package installed).
  • When doing full monitor screen sharing, the call monitor window is visible for the other participants (without any video content inside).
  • App sharing sessions might freeze for other participants if the presenter is using both VDA version 2402 and CWA for Windows 2309.1 (or higher versions).
    • The issue occurs when a video element is destroyed (e.g., a participant turns off their camera in the middle of the app sharing session).
    • If someone turns their camera on, there's no issue because the video element is created, not destroyed.
    • If the presenter maximizes the call monitor (which destroys the self-preview of what the presenter is sharing), stopping and resharing the window resolves the issue.

Sources and additional links

I hope the individual steps are helpful. As always, feedback is welcome 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Leave a Reply

Your email address will not be published. Required fields are marked *