Configuring Splunk Forwarder on Non-Persistent Citrix Desktops (MCS & PVS): Fixing Duplicate GUID Issues


Written by: Apoorva Shukla (March 4, 2026)

Many Citrix customers running non-persistent desktops via Machine Creation Services (MCS) or Provisioning Services (PVS) face the same frustrating problem:
After provisioning, every virtual desktop sends logs to Splunk using the exact same GUID from the master image. Result? Splunk sees hundreds of machines as one single forwarder → duplicate events, lost per-machine visibility, broken dashboards, and painful troubleshooting.
With MCS and PVS, the machine GUID for the operating system is generated individually during provisioning. However, the Splunk Universal Forwarder GUID is not regenerated automatically per clone.
This solution ensures that each VM generates and maintains a unique, persistent Splunk GUID at startup, addressing an issue that is often overlooked and not widely implemented in standard deployments.

Quick 4-Step Solution


Install Splunk forwarder
On the gold/master image, install Splunk Universal Forwarder and configure outputs.conf, inputs.conf, etc.
Stop the Splunk Forwarder service.
Run the following command in an elevated command prompt (from the bin folder inside the installation directory) to wipe clone-specific data:
splunk clone-prep-clear-config

Add a startup script

Create a scheduled task (run at startup, highest privileges) that executes this short PowerShell script before Splunk starts:

# Path to the forwarder's instance.cfg
$CfgPath = "C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg"

# Use hostname as deterministic identity
$hostname = $env:COMPUTERNAME.ToUpper()

# Generate SHA-256 hash of the hostname
$bytes = [System.Text.Encoding]::UTF8.GetBytes($hostname)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$hash = $sha256.ComputeHash($bytes)

# Take the first 16 bytes of the hash (a GUID is 16 bytes). The explicit
# [byte[]] cast keeps the array strongly typed so that it is passed to the
# constructor as a single argument instead of being expanded
[byte[]]$guidBytes = $hash[0..15]

# Build the GUID from the 16 bytes
$guid = [System.Guid]::new($guidBytes)

# Ensure directory exists
$folder = Split-Path $CfgPath
if (!(Test-Path $folder)) {
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
}

# Write instance.cfg
$content = "[general]`nguid = $guid"
Set-Content -Path $CfgPath -Value $content -Force

# Configure the service startup type for Splunk Forwarder service as Automatic and start it
Set-Service -Name "SplunkForwarder" -StartupType Automatic
Start-Service -Name "SplunkForwarder"

NOTE: Ensure the PowerShell execution policy allows the script to run.

Seal the image

Shut down the master image cleanly, then take a snapshot and use it for the MCS catalog / PVS vDisk. Do not reboot the master image after this point; another reboot will require repeating the clone-prep-clear-config command.

Provision & verify

New desktops boot → script runs → unique GUID written → Splunk sees distinct forwarders → clean, per-machine logging. This small change delivers accurate monitoring, better security visibility, and far less noise in Splunk, all while keeping the speed and scalability of non-persistent Citrix desktops.
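
To check the result after provisioning, the following recomputes the hostname-derived GUID the same way the startup script does and compares it with the contents of instance.cfg. It is an added example, not part of the original post; the function names, the VDI-POOL-00x hostnames and the 11111111-... GUID are constructed for illustration.

```powershell
# Added example; function names and sample data are hypothetical/constructed.
function Get-ExpectedSplunkGuid {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Same derivation as the startup script: first 16 bytes of SHA-256(upper-cased name)
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($ComputerName.ToUpper())
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha256.ComputeHash($bytes) } finally { $sha256.Dispose() }
    [byte[]]$guidBytes = $hash[0..15]
    [System.Guid]::new($guidBytes)
}

function Get-SplunkGuidFromConfig {
    param([string[]]$Lines)
    # Return the guid from the [general] stanza, or $null if absent or malformed
    $inGeneral = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inGeneral = ($Matches[1] -eq 'general'); continue }
        if ($inGeneral -and $t -match '^guid\s*=\s*(\S+)$') { return ($Matches[1] -as [guid]) }
    }
    return $null
}

function Test-SplunkForwarderGuid {
    param([string]$ComputerName = $env:COMPUTERNAME, [string[]]$ConfigLines)
    $expected = Get-ExpectedSplunkGuid -ComputerName $ComputerName
    $actual   = Get-SplunkGuidFromConfig -Lines $ConfigLines
    [pscustomobject]@{
        ComputerName = $ComputerName
        Expected     = $expected
        Actual       = $actual
        Match        = ($null -ne $actual -and $actual -eq $expected)
    }
}

# Constructed fleet: two desktops ran the startup script, two still carry the master image GUID
$masterGuid = '11111111-2222-3333-4444-555555555555'   # constructed placeholder
$fleet = [ordered]@{
    'VDI-POOL-001' = "[general]`nguid = $(Get-ExpectedSplunkGuid 'VDI-POOL-001')"
    'VDI-POOL-002' = "[general]`nguid = $(Get-ExpectedSplunkGuid 'VDI-POOL-002')"
    'VDI-POOL-003' = "[general]`nguid = $masterGuid"
    'VDI-POOL-004' = "[general]`nguid = $masterGuid"
}
$report = foreach ($name in $fleet.Keys) {
    Test-SplunkForwarderGuid -ComputerName $name -ConfigLines ($fleet[$name] -split "`r?`n")
}
$report | Format-Table -AutoSize
# A GUID shared by more than one desktop is the duplicate-forwarder condition
$report | Group-Object Actual | Where-Object Count -gt 1 | Select-Object Count, Name
```

On a provisioned desktop, pass the real file instead of the sample data, for example `Test-SplunkForwarderGuid -ConfigLines (Get-Content "C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg")`.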
For any consulting requirement around a one-stop EUC solution, i.e. Citrix, feel free to reach out.
#Citrix #MCS #PVS #Splunk #SplunkForwarder #VDI #NonPersistentDesktops #ASEAN
