Citrix Study Guide

Citrix CCA-V: Certified Associate - Virtualization Study Guide

The Citrix CCA-V (Certified Associate - Virtualization) exam validates the ability to install, configure, and manage a Citrix Virtual Apps and Desktops (CVAD) or Citrix DaaS environment, covering FMA architecture, site setup, machine catalogs and delivery groups, image provisioning with MCS and PVS, HDX policies, profile management, StoreFront and Citrix Gateway, and monitoring with Director. It is aimed at administrators and engineers responsible for deploying and operating Citrix virtualization environments. The exam is 90 minutes long with a passing score of 620 on a scaled scale.

Domain 1 Domain 2 Domain 3 Domain 4 Domain 5 Domain 6 Domain 7 Domain 8

Practice Citrix CCA-V questions free Create free account

Domain 1: CVAD Architecture and Components

Key concepts you must know · 103 practice questions

The FMA (FlexCast Management Architecture) launch path is Citrix Workspace app -> StoreFront -> Delivery Controller -> VDA, with the HDX session ultimately established directly to the VDA.
StoreFront authenticates users, queries the Delivery Controller's XML/Broker service for entitlements (enumeration), aggregates resources into a store, and delivers the ICA file at launch - but it does not itself broker sessions.
The Broker Service on the Delivery Controller makes the brokering decision: it selects an appropriate registered VDA based on Delivery Group entitlement, load, and session-sharing rules, and returns its address.
Only VDAs that are currently registered with a Delivery Controller can be assigned sessions; powered-on but unregistered VDAs are treated as unavailable, so launches fail even when enumeration succeeds.
VDA registration requires correct Controller discovery (typically Active Directory-based auto-update or a registry/policy list), accurate time sync, and the registration port (TCP 80/443 to the Controller) being open.
Enumeration is the listing of apps and desktops a user is entitled to; launch is the act of establishing the HDX session to a brokered VDA.
The ICA file StoreFront delivers contains connection parameters (server address, launch ticket/STA ticket, protocol settings); the launch ticket securely authorizes the client to connect to that specific brokered VDA.
A CVAD site uses three SQL Server databases: the Site (Configuration) database, the Configuration Logging database, and the Monitoring database.
Creating the site database requires sysadmin (or the combination of dbcreator and securityadmin) server-role permissions on the SQL Server instance.
Citrix Director queries the Monitoring database for session and machine data, and administrative changes are recorded in the Configuration Logging database (viewed via the Logging report).
For high availability, deploy at least two Delivery Controllers per site so brokering continues if one Controller fails.
In Citrix DaaS the Delivery Controllers are Citrix-managed in the cloud control plane; Cloud Connectors deployed in the resource location act as the proxy, establishing outbound-only TLS connections for brokering, AD, and machine management.
The VDA's role is to register with a Controller and host the user's session, delivering the desktop or published app over the HDX protocol.
Citrix Gateway (running on Citrix ADC/NetScaler) provides secure remote access, and the Workspace Experience service / Citrix Workspace provides the unified access plane.

Domain 2: Site Setup and Administration

Key concepts you must know · 103 practice questions

A hosting connection stores the management address and credentials of the hypervisor or cloud; the associated resources (resource pool) object maps the cluster, storage repositories, and guest networks used for provisioning.
Supported hosting platforms include VMware vSphere (vCenter), Microsoft Hyper-V via System Center Virtual Machine Manager (SCVMM), Nutanix AHV, Microsoft Azure, Amazon AWS (EC2), and Google Cloud.
A VMware vSphere hosting connection uses the vCenter Server SDK endpoint as its address, in the form https://<vcenter-fqdn>/sdk, with a vCenter service account.
You must install or trust the vCenter Server certificate on the Delivery Controllers (or Cloud Connectors) managing a vSphere connection, or the connection will fail.
An Azure hosting connection authenticates with a Microsoft Entra ID app registration (service principal) using its application ID and client secret, assigned a role such as Contributor scoped to the subscription or resource group.
An AWS hosting connection uses an IAM access key ID and secret access key with the required EC2 permissions; a Google Cloud connection uses a service account key (JSON) with the required IAM roles.
Connecting to platforms with no power management (physical machines or third-party provisioning) uses a connection type with no hosting resources, so Citrix does not power-manage the machines.
Each hosting connection exposes advanced throttling settings (absolute and percentage simultaneous actions, and maximum new actions per minute) to prevent overloading the hypervisor or cloud API.
Storage selections on an existing resource cannot be changed in place; you must add a new resource (or recreate it) with the correct storage.
To add a Cloud Connector or a Controller to an existing site, you point the installer at the address of an existing Delivery Controller (or the Site database server) already in the site.
For DaaS high availability, deploy at least two Cloud Connectors per resource location and ensure they can reach Active Directory and the cloud management endpoints.
Before deleting, editing, or maintaining a hosting connection's resources, place the connection into maintenance mode; verify a connection's health by confirming it can enumerate clusters, networks, and storage and shows as reachable.
Non-persistent write-back cache data can be placed on the machine's local temporary disk (for example, an Azure ephemeral OS disk or temporary disk) to reduce cost and IOPS on shared storage.

Domain 3: Delivering Resources: Catalogs, Delivery Groups, and Applications

Key concepts you must know · 103 practice questions

A Single-session OS catalog uses a desktop OS (Windows 10/11), serves one user per machine at a time, and supports either random (pooled) or static (dedicated) assignment - this is the model for full VDI desktops.
A Multi-session OS catalog uses a server OS (e.g., Windows Server 2022 with the RDS role) and hosts many concurrent sessions per machine - the model for shared hosted apps and shared hosted desktops.
A Remote PC Access catalog installs the VDA on existing physical office PCs and brokers users back to the same workstation they use on-site, often via automatic assignment on first connection.
Random (pooled) assignment hands out any available machine at logon and resets non-persistent machines to the master image at logoff - the most storage-efficient, stateless model.
Static (dedicated) assignment permanently binds each user to one VM where all changes (apps, files, settings) persist across reboots - the model for developers and power users.
MCS with dedicated static machines saves persistent user changes to a separate identity disk and differencing disk so each dedicated machine retains its state.
Machine Creation Services (MCS) is built into the Delivery Controller, uses the hypervisor/cloud snapshot and cloning APIs, and requires no separate streaming infrastructure (no PVS servers, vDisk store, or PXE/TFTP).
The Delivery Type setting on the wizard determines whether a Delivery Group delivers desktops, applications, or both; a single-session group can deliver both, with each app session consuming a machine.
A Delivery Group's VDA functional level is determined by the lowest VDA version among its machines and limits which features are available; after upgrading VDAs, use the Upgrade option to raise the functional level.
To entitle a group of users, add the AD group (for example CAD-Engineers) as the assigned users on the Delivery Group; newly added members may need their Kerberos tokens to refresh (re-logon) before access works.
Machines that are not power-managed (physical PCs or those provisioned by other tools) are placed in catalogs configured for no power management.
User-to-machine allocation for static desktops is set on the Desktop Assignment / Machine Allocation step, or left to assign on first use.
A PVS-provisioned image used by a single dedicated target is delivered by a vDisk in Private (read/write) image mode; shared targets use Standard image mode.
MCS catalogs are sourced from a snapshot (or a template) taken from a prepared master/golden image VM in the hosting resource.

Domain 4: Image Provisioning with MCS and PVS

Key concepts you must know · 103 practice questions

MCS provisions VMs from a snapshot of the master image; if you select a powered-off VM, MCS automatically takes a snapshot of it before provisioning.
Each MCS VM is attached three disks: the shared read-only base disk, a small identity (ID) disk holding the unique computer name, machine account password, and SID information, and a differencing (delta) disk capturing all writes.
MCS copies a full base disk (consolidated from the snapshot) to each storage location the catalog uses.
For pooled (non-persistent) MCS machines, the differencing disk is reset on restart, returning the VM to the base image and discarding session changes; for dedicated machines the differencing disk persists across reboots.
MCSIO (MCS I/O storage optimization) caches writes in RAM first and overflows to a temporary write-cache disk, reducing IOPS against the shared base image - a common default is 256 MB RAM cache with a 20 GB temporary write-cache disk.
Update Machines (rollout of a new master image snapshot) builds a new base disk and transitions VMs to it; each machine switches individually on its next shutdown or scheduled restart, avoiding a forced mass reboot.
The previous base disk is retained after an update specifically to support rollback; use Rollback Machine Update to return machines to the prior base disk if the new image causes problems.
Best practice for updates is to test the new snapshot on a small test catalog or a few machines, validate, then roll out to production while keeping rollback available.
Always seal and shut down the master image cleanly before snapshotting so the base disk is consistent and does not capture transient running-state data.
When updating MCS catalogs, the machines' AD computer accounts and identity disks are preserved; only the base disk changes.
The Machine Identities / AD computer accounts settings (target OU and naming scheme) are configured when creating the catalog and govern how MCS creates the computer accounts.
The Delivery Controller (relayed by the Cloud Connector in DaaS) drives provisioning by calling the hosting connection's hypervisor or cloud APIs.
If a rolled-out image is faulty, fix and re-seal the master image, take a new snapshot, and run Update Machines again to deploy the corrected image.
Citrix Provisioning (PVS) streams a shared vDisk over the network to target devices and does require streaming servers, a vDisk store, and PXE/TFTP (or BDM) boot infrastructure - the key contrast with MCS.

Domain 5: Citrix Policies and HDX

Key concepts you must know · 103 practice questions

Citrix policies can be authored in two independent places: the Site database (managed in Web Studio's Policies node) or Active Directory GPOs (managed in GPMC with the Citrix Group Policy extension).
Web Studio displays and edits only Site-database policies; settings defined in a GPO are invisible in Web Studio and vice versa.
In policy resolution, Active Directory GPOs carry the highest precedence, so when the same setting conflicts across sources, the AD GPO value wins over the Site (Web Studio) value, with the standard LSDOU order applying within AD.
Among policies of the same scope, the policy with the higher priority (lower priority number, where 1 is highest) wins for any conflicting setting.
A setting left in the Not Configured state is ignored by that policy; its effective value comes from other policies or the system default.
Citrix policy filters include User or Group, Access Control (e.g., connections via Citrix Gateway), Client IP Address, Tag, Client Name, and more; an unfiltered policy applies to all connections in the site.
To target Finance users connecting through the gateway, combine a User or Group filter for Finance with an Access Control filter for Citrix Gateway connections.
Computer (machine) policy settings apply at machine boot and during the machine's Group Policy refresh; user policy settings apply to the user's session.
GPO-based Citrix computer settings refresh on the standard AD Group Policy cycle (by default roughly every 90 minutes) or at reboot.
The Citrix Group Policy Modeling Wizard predicts the resultant set of Citrix policies for a given user/machine combination, useful for troubleshooting conflicts.
If Citrix policy options do not appear in GPMC, the Citrix Group Policy Management plug-in is not installed on the machine running GPMC.
Creating a policy from a built-in template (such as Optimized for WAN, which favors bandwidth conservation) copies the template's settings into a new policy; the original built-in template remains unchanged and reusable.
You can save a configured set of settings as a new custom policy template to reuse as a starting point for future policies.
An unexpected policy result is often caused by a conflicting Citrix policy in an AD GPO overriding the Web Studio Site policy.

Domain 6: Profile Management and Workspace Environment Management

Key concepts you must know · 103 practice questions

The user store is the central network location (SMB file share or Azure Files) where Profile Management keeps the master copy of each user's profile, loaded at logon and merged back at logoff.
Citrix Profile Management requires at minimum that you Enable Profile management and configure the Path to user store before it takes effect.
Profile streaming fetches files and registry entries from the user store only on first access, leaving a local placeholder with metadata - this significantly reduces logon time.
Active write-back synchronizes modified files and folders to the user store during the session (not just at logoff), protecting against data loss if a session ends abnormally.
With concurrent sessions sharing one standard profile, last write wins: the session that logs off and writes a given file back to the store last overwrites the other session's version.
Use variables such as !CTX_OSNAME! and !CTX_OSBITNESS! in the user store path to separate profiles by OS version and architecture so incompatible profiles are not mixed.
The Profile streaming exclusion list - directories names folders that should NOT be streamed; instead they are fetched in full when the profile loads (useful when an app needs the whole folder present immediately).
The Exclusion list - directories tells Profile Management to ignore folders entirely - they are neither fetched at logon nor written back at logoff (used for caches and machine-specific transient data).
Common folders to exclude or redirect include the Outlook OST, AppData\Local\Microsoft\Windows\INetCache, and AppData\Local\Temp.
For large files, enable Always cache with a size threshold so files above that size are pre-fetched in the background rather than fetched on demand.
To keep cached profiles between sessions on a dedicated VDA, disable 'Delete locally cached profiles on logoff'.
The default exclusions / Citrix-recommended exclusions option removes a set of Citrix-recommended directories from profile processing without manual entry.
The Profile Management log file pm.log on the VDA is the primary source for troubleshooting profile load, streaming, and write-back issues.
Profile container / VHDX-based profiles mount the profile as a virtual disk so large folders (such as the Outlook cache) are available immediately, rather than being copied file-by-file.

Domain 7: StoreFront, Workspace App, and Citrix Gateway

Key concepts you must know · 102 practice questions

When adding a Delivery Controller to a StoreFront store you supply the Controller's FQDN or IP address, the transport type (HTTP, HTTPS, or SSL Relay), and the matching port; StoreFront uses the XML Service to enumerate resources and request launches.
List multiple servers within a single Delivery Controller entry (treated as one Site) so StoreFront can fail over to the next listed server if the first is unavailable.
For multiple separate Sites/farms, create a separate Delivery Controller entry per Site, each listing that Site's controllers; the entry's friendly name should match the farm name where aggregation requires it.
Configuring HTTPS to the Controllers requires a valid server certificate bound on each Controller and the Citrix XML Service configured to listen on the HTTPS port.
A Workspace for Web (Receiver for Web) site is the browser-accessible front end tied to a store; without one, users cannot reach the store from a web browser.
You can create two Workspace for Web sites pointing to the same store and customize each independently (for example, different branding for different user groups).
Beacons let Citrix Workspace app determine network location: if the internal beacon (by default the StoreFront base URL, resolvable only internally) is reachable, the client connects directly to StoreFront.
If the internal beacon is unreachable but an external beacon is reachable, Workspace app concludes it is outside the network and connects through Citrix Gateway.
Configure at least two external beacons (highly available public URLs reachable from the internet) so Workspace app can still confirm an external location if one beacon goes offline.
Enable Remote Access on the store and select the Citrix Gateway appliance to allow external users to reach published resources through the gateway.
StoreFront maintains the store's subscription (Favorites) data, the user's set of favorited apps and desktops.
Use the Test Configuration / connectivity test in the Manage Delivery Controllers dialog to validate StoreFront-to-Controller communication.
In Citrix DaaS, StoreFront (or Workspace) communicates with the Citrix Cloud Connectors in the resource location rather than with on-premises Controllers.
Users add an account in Workspace app via the store URL or email-based account discovery, which resolves using a DNS service (SRV) record or the global App Configuration Service.

Domain 8: Monitoring, Troubleshooting, and Printing

Key concepts you must know · 102 practice questions

Citrix Director (the Monitor tab in DaaS) reads from the Monitoring database via the Monitor Service OData API exposed by the Delivery Controllers; the data is collected from the VDAs.
The Director Dashboard is the real-time landing page showing connected session counts, recent connection failures, machines in failed/unregistered state, and infrastructure alerts.
The Logon Duration drill-down decomposes a session logon into discrete phases - brokering, VM start, HDX connection, authentication, GPO processing, logon scripts, and profile load.
The Trends view presents historical data over selectable time ranges (Sessions tab charts concurrent sessions; Filters/Machines views break down failures by Failure Type or other criteria).
Monitoring data grooming (retention) periods are governed by the license edition: Premium (formerly Platinum) edition unlocks extended detailed retention up to 365 days.
Change Monitor Service data retention with the Set-MonitorConfiguration PowerShell cmdlet, subject to the limits allowed by the license edition.
In Citrix Cloud DaaS, Monitor data retention is fixed by the service; for long-term history, use Monitor data export or Citrix Analytics.
Session Details surfaces ICA RTT / latency, and Machine Details with Machine Utilization (Resource Utilization) shows CPU, memory, and disk usage for a machine.
Director session control actions include End Application/Process (to kill a hung process), Log Off, Disconnect, and Shadow (to observe a user's session, with view-only available).
Connection failures are categorized by reason, including No Capacity Available, which indicates the Capacity Management / Machine Usage view should be checked.
Application Probing (application and desktop probes) proactively launches resources on a schedule to detect failures before users report them.
Configure Alerts and Notifications policies with email notification recipients to be alerted on threshold breaches.
Search by the user's name or account in the Director Search box to jump straight to that user's session and activity.
If expected historical machine metrics are missing, check whether the data collection retention period has elapsed and whether the license edition supports historical machine data.

Citrix CCA-V exam tips

Memorize the FMA launch path cold (Workspace app -> StoreFront -> Controller/Broker -> VDA) and be able to say exactly which component does enumeration, brokering, and HDX session hosting - many questions are scenario-based on which component failed.
Know the three site databases (Site/Configuration, Configuration Logging, Monitoring) and what each stores; also know the SQL permission needed to create them (sysadmin, or dbcreator + securityadmin).
Be precise on the MCS disk model (base + identity + differencing) and on the difference between pooled (reset on reboot) and dedicated (persistent) assignment - and contrast MCS (no streaming infra) against PVS (vDisk streaming, PXE/TFTP).
For policy questions, apply the precedence rules deterministically: AD GPO beats Site, lower priority number wins, and Not Configured defers to other policies/defaults; remember Web Studio cannot see GPO-based policies.
Watch for the on-premises CVAD vs. Citrix DaaS distinction throughout: in DaaS the Controllers are Citrix-managed in the cloud and Cloud Connectors (deploy two per resource location) bridge to local resources.

Study guide FAQ

What is the difference between MCS and PVS, and when would I choose each?

Machine Creation Services (MCS) is built into the Delivery Controller and clones VMs from a hypervisor/cloud snapshot using the platform's own storage and snapshot APIs, so it needs no extra infrastructure - making it the simplest option for most environments. Citrix Provisioning (PVS) streams a shared vDisk over the network to target devices and requires streaming servers, a vDisk store, and PXE/TFTP (or BDM) boot, which scales well for very large, identical fleets where network-streamed images and reduced per-VM storage are advantageous.

When does a VDA fail to host sessions even though it is powered on?

The Broker Service only assigns sessions to VDAs that are currently registered with a Delivery Controller. A powered-on but unregistered VDA is treated as unavailable, so launches fail even if enumeration succeeds. Common causes are incorrect Controller discovery, time skew between the VDA and Controller, or a firewall blocking the registration port. Check the machine's registration state in Web Studio and the machine details in Director.

How do Citrix policies authored in Web Studio interact with policies in Active Directory GPOs?

They are stored in separate places: Web Studio reads and writes only Site-database policies, while GPO-based Citrix policies live in Active Directory and are managed with the Citrix Group Policy extension in GPMC. Each location is invisible to the other tool. When the same setting conflicts, the Active Directory GPO value takes precedence over the Site (Web Studio) value, and within a single scope the policy with the lower priority number wins.

How does Citrix Workspace app decide whether to connect directly or through Citrix Gateway?

It uses beacons - URL probes that detect network location. If Workspace app can reach the internal beacon (by default the StoreFront base URL, which normally resolves only inside the corporate network), it concludes the device is internal and connects directly to StoreFront. If the internal beacon is unreachable but an external beacon is reachable, it concludes the device is external and routes the connection through Citrix Gateway. Configuring at least two external beacons provides resilience if one public URL goes offline.

Test yourself: 822 Citrix CCA-V practice questions