Citrix CCE-V: Certified Expert - Virtualization Practice Exam

What the Citrix CCE-V exam covers

• Methodology and Assessment106 questions
• User Layer: Endpoints, Workspace App, and Authentication106 questions
• Access Layer: StoreFront and Citrix Gateway Design106 questions
• Resource Layer: Images and Provisioning105 questions
• Resource Layer: Applications, Profiles, and Printing105 questions
• Control Layer: Controllers, Database, Licensing, and Zones105 questions
• Hardware/Compute, Security, and Operations105 questions

Free Citrix CCE-V sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 738.

1. Question 1Methodology and Assessment

   During a CVAD design engagement, an architect documents that the finance department requires single sign-on from unmanaged BYOD endpoints over the internet using multifactor authentication. In the Citrix design methodology, which layer should capture this requirement?

   • AUser layer
   • BAccess layerCorrect
   • CResource layer
   • DControl layer
   ✓ Correct answer: B

   The Access layer defines how users authenticate to and connect with their resources, including authentication mechanisms, remote-access technology, and single sign-on behavior. A requirement combining unmanaged BYOD endpoints, internet-based connectivity, MFA, and SSO is fundamentally about the path and security of the connection, which the Access layer owns. Decisions such as Citrix Gateway placement, authentication policies, and StoreFront configuration all live here.

   Why the other options are wrong

   • AUser layer documents user groups, work habits, locations, and business-level requirements that drive segmentation, not the mechanics of authentication and remote connectivity.
   • CResource layer covers the applications, desktops, images, personalization, and profiles delivered to users, not how those users connect to them.
   • DControl layer covers the brokering infrastructure - Delivery Controllers, StoreFront servers, SQL databases, and licensing - that manages sessions, not the endpoint-to-Gateway connection security.
2. Question 2Methodology and Assessment

   A customer wants to deliver a modern line-of-business application to non-persistent VDI desktops provisioned with Citrix Provisioning. The packaging team prefers a Microsoft-supported, modern container format that mounts the application as a virtual disk attached at logon, keeping the base image lean. Which delivery method best matches these requirements on a Windows 10/11 platform?

   • AApp-V sequenced package with the App-V client
   • BMSIX app attachCorrect
   • CInstalled into the Citrix Provisioning vDisk base image
   • DUser-installed via per-user MSI
   ✓ Correct answer: B

   MSIX app attach is Microsoft's modern application-delivery technology that stores an application as an MSIX package inside a VHD or CIM disk image and dynamically attaches it to the session at logon, presenting the application without installing it into the base image. This keeps the Citrix Provisioning vDisk lean and allows the packaging team to manage applications independently of image updates, which is ideal for non-persistent VDI. Because MSIX is the strategic successor to App-V and is actively supported by Microsoft on Windows 10 and Windows 11, it meets the requirement for a current Microsoft-supported container format.

   Why the other options are wrong

   • AAn App-V sequenced package with the App-V client works functionally but App-V is a legacy technology that Microsoft has placed on a deprecation path, so it does not satisfy the requirement for a modern, strategically supported Microsoft format.
   • CInstalling into the Citrix Provisioning vDisk base image makes the image larger and couples every application update to a full image maintenance cycle, the opposite of the lean, independently managed delivery the team requires.
   • DA per-user MSI install does not produce a container that mounts at logon, would not persist cleanly on non-persistent desktops provisioned from a streaming vDisk, and defeats the lean-image goal.
3. Question 3User Layer: Endpoints, Workspace App, and Authentication

   An enterprise wants the Citrix Workspace app on iOS and Android tablets to present the same favorites/subscribed apps a user pinned on their Windows desktop client. Which design element delivers this cross-device consistency?

   • APer-device local profiles on each tablet
   • BStoreFront subscription (favorites) synchronization, replicated across the StoreFront server group and surfaced to all of the user's Workspace app clientsCorrect
   • CFSLogix profile containers stored on the tablet
   • DApp Layering elastic layers assigned to mobile sessions
   ✓ Correct answer: B

   StoreFront stores each user's subscribed (favorited) resources in the subscription store, and that data is replicated across the server group and returned to whichever Citrix Workspace app the user signs in from, including iOS and Android. As a result, apps pinned on Windows appear automatically on the tablets, giving the cross-device consistency the enterprise wants. This roaming of favorites is a core StoreFront and Workspace experience feature designed for multi-device users.

   Why the other options are wrong

   • APer-device local profiles keep favorites isolated to each device and cannot roam pinned apps between platforms.
   • CFSLogix profile containers manage the Windows user profile inside the VDA session; they do not synchronize Workspace app favorites to mobile clients.
   • DApp Layering delivers applications into VDA images at image-composition time and has nothing to do with synchronizing a user's subscribed-app list across endpoints.
4. Question 4Access Layer: StoreFront and Citrix Gateway Design

   A multi-datacenter design uses GSLB to direct users to the geographically nearest Citrix Gateway and StoreFront pair. The architect needs users authenticating through the Datacenter A Gateway to launch sessions that proxy through the SAME Gateway they authenticated to, rather than a remote one, to avoid trombone routing. Which StoreFront configuration achieves this?

   • ASet optimal Gateway routing to always use the Datacenter A Gateway for all resources
   • BMap each zone/deployment to its co-located Gateway in optimal Gateway routingCorrect
   • CDisable optimal Gateway routing so the authentication Gateway is reused by default
   • DConfigure subscription synchronization between the two StoreFront groups
   ✓ Correct answer: B

   Optimal Gateway routing in StoreFront lets you associate a specific Gateway with a delivery controller zone or deployment so that, at launch, HDX traffic is proxied through the Gateway nearest the back-end resource. By mapping the Datacenter A zone to the Datacenter A Gateway and the Datacenter B zone to its co-located Gateway, sessions are kept local to their datacenter and avoid hairpinning across the WAN. This is the design intent of optimal routing in a GSLB topology: align the proxy path with the resource location regardless of where the user first authenticated, since the mapping is evaluated at session launch independently of the authentication Gateway.

   Why the other options are wrong

   • AForcing all resources to always use the Datacenter A Gateway would send Datacenter B sessions back across the WAN, reintroducing the trombone routing the design is specifically trying to eliminate.
   • CDisabling optimal Gateway routing causes StoreFront to default to the Gateway used for authentication, which under GSLB can still mismatch the resource location after failover or proximity changes.
   • DSubscription synchronization replicates favorites between StoreFront groups and has no influence on which Gateway proxies the HDX session at launch.
5. Question 5Access Layer: StoreFront and Citrix Gateway Design

   A design must ensure that if a user's endpoint fails the post-authentication EPA scan (for example, antivirus not running), the user is still allowed to connect but in a restricted mode with no client drive mapping. Which Citrix Gateway feature delivers this graceful, posture-based degradation rather than outright denial?

   • AQuarantine group with a bound restrictive session policy combined with SmartAccess filtersCorrect
   • BAuthentication denial at the LDAP factor
   • CStoreFront resource subscription limits
   • DA global ICA policy that blocks all access
   ✓ Correct answer: A

   Citrix Gateway can place endpoints that fail a post-authentication EPA scan into a quarantine group, and a session policy bound specifically to that group can enforce restrictions such as disabling client drive mapping while still permitting a limited connection. SmartAccess filters then expose only the appropriate reduced set of resources to those quarantined sessions. This mechanism delivers graceful, posture-based degradation - allowing a restricted connection - rather than blocking the non-compliant user entirely.

   Why the other options are wrong

   • BDenying authentication at the LDAP factor blocks the user outright at the credential stage, which is the opposite of the graceful restricted access that the design requires.
   • CStoreFront resource subscription limits control which resources appear in a user's favorites list and are not a posture-based security control tied to EPA results or drive mapping.
   • DA global ICA policy that blocks all access denies every user universally and cannot selectively restrict only the quarantined, non-compliant endpoints while permitting compliant ones.
6. Question 6Resource Layer: Images and Provisioning

   During an assessment the architect must explain to the storage team how MCS consumes capacity for a pooled-random catalog so they can size a datastore correctly. Which description of the MCS per-catalog disk footprint is accurate?

   • AEach VM holds a full-size independent copy of the master image plus a personal vDisk
   • BA single read-only base disk is shared, and each VM has a thin differencing (delta) disk that grows with writes plus a tiny identity diskCorrect
   • CEach VM streams the OS over the network so no per-VM disk is created
   • DAll VMs write directly into the shared base disk, which grows with aggregate writes
   ✓ Correct answer: B

   MCS copies the master snapshot into a read-only base disk on each chosen storage repository, then derives every VM from that base by attaching a thin differencing disk that records writes and grows as the OS and applications write data, and a small identity disk that carries the machine-account name, machine SID, and domain-join details. For pooled-random machines the differencing disk resets at reboot, so capacity planning centers on peak intra-session delta growth multiplied by the number of concurrent VMs rather than permanent accumulation. Communicating this base-plus-delta-plus-identity model lets the storage team provision capacity accurately.

   Why the other options are wrong

   • AEach VM holding a full-size independent copy of the master image is wrong because MCS uses thin differencing disks derived from a shared base, not full clones; Personal vDisk was a removed legacy feature.
   • CEach VM streaming the OS over the network so no per-VM disk is created describes the Citrix Provisioning (PVS) model, not MCS, which always creates per-VM disks on the storage repository.
   • DAll VMs writing directly into the shared base disk is wrong because the base disk is read-only; each VM's writes are isolated in its own differencing disk, which is what prevents sessions from corrupting each other.
7. Question 7Resource Layer: Applications, Profiles, and Printing

   An architect is deciding how to associate applications and Delivery Groups for a new tenant. Best practice in CVAD generally favors creating Delivery Groups of a single delivery type and then using Application Groups for entitlement. Which Delivery Group configuration aligns with this guidance when an organization needs both a published desktop and a curated set of published apps from the same machines?

   • ACreate a Delivery Group whose delivery type is set appropriately and use Application Groups to publish and entitle the curated apps from itCorrect
   • BCreate dozens of Delivery Groups, one per application, each with one machine
   • CDisable the site database and publish apps directly to endpoints
   • DPublish every application as a separate machine catalog
   ✓ Correct answer: A

   The recommended CVAD pattern is to configure a Delivery Group with the correct delivery type and then layer Application Groups on top to publish and entitle the curated application set. This cleanly separates machine capacity assignment in the Delivery Group from application entitlement and properties in the Application Group, allows the same machines to serve both a published desktop and tailored apps, and scales far better than encoding entitlement in many narrow Delivery Groups.

   Why the other options are wrong

   • BCreating dozens of Delivery Groups, one per application, each with one machine fragments capacity and management overhead and directly contradicts the recommended separation of machine pools from application entitlement.
   • CDisabling the site database is impossible in a functioning CVAD site because the database stores all site configuration, brokering state, and session information.
   • DPublishing every application as a separate machine catalog confuses catalogs, which define machine sets, with application entitlement and is not a valid or supported delivery model.
8. Question 8Resource Layer: Applications, Profiles, and Printing

   A profile-store HA design must survive the loss of the active file server without a logon outage for 6,000 roaming users, while keeping the SMB namespace constant for FSLogix. The team rejects asynchronous-only replication because the recovery point after a failure must be near-zero for profile data. Which back-end profile-store HA design BEST meets a near-zero RPO with transparent failover for FSLogix containers?

   • AHost the containers on a Windows Server Failover Cluster file server (Scale-Out File Server / SOFS on clustered shared storage) presenting a continuously available SMB share, so failover is transparent and there is no replication lag for the dataCorrect
   • BUse a standalone file server with a nightly backup of the VHDX files as the only resiliency
   • CUse DFS-R between two standalone file servers and point FSLogix at the DFS namespace
   • DStore containers on each VDA's local disk and copy them to a central share once per day
   ✓ Correct answer: A

   A Windows Server Failover Cluster running a Scale-Out File Server (SOFS) or clustered file server role keeps a single authoritative copy of all container data on shared storage and fails the SMB share over between cluster nodes transparently using SMB Continuous Availability. Because both nodes access the same underlying storage volume there is no asynchronous replication lag, so the recovery point objective is effectively zero - no profile writes are lost during a node failure. The cluster namespace stays constant, meaning FSLogix configuration does not change, and VDA sessions can reattach seamlessly. This is the correct on-premises pattern for near-zero RPO with transparent failover for container stores.

   Why the other options are wrong

   • BA standalone file server with only nightly backups leaves up to 24 hours of profile data at risk and requires a manual, outage-laden restore process after failure, which directly violates the near-zero RPO requirement.
   • CDFS-R is explicitly unsupported for replicating open VHDX container files - it is asynchronous and can corrupt in-use containers, so it cannot deliver near-zero RPO or safe failover.
   • DStoring containers on each VDA's local disk with a daily copy to a central share eliminates roaming, creates a large data-loss window, and provides no transparent SMB failover mechanism.
9. Question 9Control Layer: Controllers, Database, Licensing, and Zones

   In a CVAD 7 LTSR site, an administrator wants new VDAs in a satellite zone to register with the local zone's Controllers instead of the primary zone's Controllers to avoid cross-WAN registration. Which approach correctly achieves this VDA registration locality?

   • AAssign the machine catalog to the satellite zone in Web Studio, so its VDAs register with that zone's Controllers via the auto-update registration listCorrect
   • BManually edit each VDA's hosts file to point only to the local Controllers
   • CMove the site database to the satellite zone
   • DDisable Local Host Cache so VDAs default to the nearest Controller
   ✓ Correct answer: A

   When a machine catalog is associated with a satellite zone in Web Studio, the broker and the VDA auto-update mechanism scope registration so those VDAs register with the Controllers or Connectors in their own zone. This keeps VDA registration traffic local and is the supported, design-correct approach, eliminating the need to manually configure registration lists on individual machines.

   Why the other options are wrong

   • BManually editing each VDA's hosts file to point only to local Controllers is brittle and unsupported as a registration strategy, and it breaks the auto-update list maintenance that the broker performs automatically.
   • CMoving the site database to the satellite zone does not change which Controllers the VDAs register with and would disrupt the rest of the site that depends on the primary zone database.
   • DDisabling Local Host Cache removes outage resiliency for the zone entirely and does not influence which Controllers a VDA registers with - the two features are independent.
10. Question 10Hardware/Compute, Security, and Operations

    A bank requires that user data on persistent (dedicated) MCS desktops survive hypervisor host hardware failure with no data loss and support automatic VM restart on another host. Which storage design satisfies this requirement?

    • ALocal NVMe on each host with nightly file-level backups of user data
    • BShared, redundant storage (SAN/NFS) presented to all hosts in the clusterCorrect
    • CPVS Cache on server persistent on the PVS server's local disk
    • DCache in device RAM with overflow to local hard disk
    ✓ Correct answer: B

    Persistent dedicated desktops contain unique per-user data that must survive a hypervisor host hardware failure, and automatic VM restart on another host (hypervisor HA) requires the VM's disks to be accessible from the surviving hosts. Shared, redundant storage presented to every host in the cluster satisfies both requirements: the disk data persists on resilient storage independent of any single host, and any cluster member can power the VM back on after a failure event. This is the canonical storage placement for persistent MCS catalogs.

    Why the other options are wrong

    • ALocal NVMe with nightly backups loses all data written since the previous backup and cannot satisfy a zero-data-loss requirement, nor does it support automatic cross-host restart because the disks are inaccessible from other hosts.
    • CPVS Cache on server persistent is a streaming provisioning concept used with PVS non-persistent images; it does not provide a protected, per-user persistent storage volume for dedicated desktop data.
    • DCache in device RAM with overflow to local disk is explicitly non-persistent and discarded at reboot; it cannot retain self-installed applications or user data across sessions.

Citrix CCE-V practice exam FAQ