Citrix Profile Management 2411

Last Modified: Dec 7, 2024 @ 3:22 am

Navigation

This article applies to all versions of Profile Management: 2411, 2402 LTSR CU1, 2203 LTSR CU5, 1912 LTSR CU9, etc.

💡 = Recently Updated

Change Log

Planning

Profile Management Versions

Profile Management is included with the installation of Virtual Delivery Agent. To upgrade Profile Management, simply upgrade your VDA software. Here are the currently supported versions of VDA:

Or you can download the individual Profile Management component and install/upgrade it separately from the VDA software. You can even install it on non-VDA machines (e.g., PCs accessed by licensed Citrix users).

For LTSR VDAs, for LTSR support compliance, only install the Profile Management version that is included with your VDA installer. Don’t upgrade to a newer Current Release version.

The latest release of Citrix Profile Management is version 2411, which can be downloaded from Citrix Virtual Apps and Desktops 2411. To find it, click Components that are on the product ISO but also packaged separately.

Profile Management Configuration Options

Profile Management consists of a Service (installed on the VDAs), a file share, and configuration settings.

There are four methods of delivering configuration settings to the Citrix Profile Management service:

If a UPM setting is not configured in GPO, Citrix Policy, or WEM, then the default setting in the UPMPolicyDefaults.ini file takes effect. The .ini file is located in C:\Program Files\Citrix\User Profile Manager on every machine that has Profile Management service installed.

Microsoft Group Policy (ADMX file) is probably the most reliable method of delivering configuration settings to the Profile Management services. This method uses the familiar Group Policy registry framework. Just copy the Profile Management ADMX files to PolicyDefinitions and start configuring. The configuration instructions in this article use the GPO ADMX method.

The Citrix Policies configuration method requires Citrix Studio, or Citrix Group Policy Management Plug-in. On the Profile Management service side, only VDAs can read the Citrix Policies settings.

  • Citrix Policies has settings for Folder Redirection. If you use Citrix Policy to configure Folder Redirection, then the Folder Redirection settings only apply to VDAs that can read Citrix Policies. To apply to Folder Redirection to more than just VDAs, configure Folder Redirection using normal Microsoft Group Policy as detailed below.
  • If you’re going to use Microsoft Group Policy to configure Folder Redirection, then you might as well use Microsoft Group Policy to also configure Citrix Profile Management.

Citrix Workspace Environment Management can also deliver configuration settings to the Profile Management services. This option requires the WEM Agent to pull down the settings from the WEM Brokers and apply them to Profile Management. It can sometimes be challenging to troubleshoot why WEM is not applying the settings.

Try not to mix configuration options. If you use both WEM and GPO, which one wins?

Multiple Datacenters

For optimum performance, users connecting to Citrix in a particular datacenter should retrieve their roaming profiles from a file server in the same datacenter. If you have Citrix in multiple datacenters, then you will need file servers in each datacenter.

DFS active/active replication of roaming profiles is not supported. This limitation complicates multi-datacenter designs.

For active/active datacenters, split the users such that different users have different home datacenters. Whenever a particular user connects, that user always connects to the same datacenter, and in that datacenter is a file server containing the user’s roaming profile. StoreFront uses Active Directory group membership to determine a user’s home datacenter.

For users that connect to Citrix in multiple datacenters, there are a couple options:

  • The user’s roaming profile is located in only one datacenter – If the user connects to a remote datacenter, then the roaming profile must be transmitted across the WAN. To optimize performance, disable Active Write Back, and make sure Profile Streaming is enabled.
  • The user has separate profiles for each datacenter – There is no replication of profiles between datacenters. This scenario is best for deployments where different applications are hosted in different datacenters.

Disaster Recovery – For disaster recovery scenarios, the user’s roaming profile data (and home directories) must be recovered in a different datacenter. Here are some considerations:

  • Use DFS One-way replication. After the disaster, edit the DFS Namespace folder target to point to the file server in the DR datacenter. You must avoid multi-master DFS replication/namespace.
  • Use VMware SRM or similar to recover the entire file server in the DR datacenter.
  • A datacenter failover might result in multiple file servers accessed from a single VDA, especially if you have users split across datacenters. Use DFS Namespaces as detailed below.

DFS Namespace

DFS Namespace for central user store – The Citrix Profile Management user store path is a computer-level setting, meaning there can only be one path for every user that logs into a particular VDA. If you have different users with roaming profiles on different file servers, then you must use Active Directory user attributes and DFS namespaces to locate the user’s file server. Here is an overview of the configuration:

  • Create a domain-based DFS namespace with folder targets on different file servers. See Scenario 1 – Basic setup of geographically adjacent user stores and failover clusters at Citrix Docs for more information.
  • Do not enable two-way DFS Replication for the roaming profile shares. But you can do One-way DFS replication. See Scenario 2 – Multiple folder targets and replication at Citrix Docs for more information.
  • Edit each user in Active Directory with a location (l) attribute that matches the DFS folder name.
  • Set the Profile Management user store path to \\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!. This pulls the user’s l attribute from Active Directory and appends that to the DFS share. The folder that matches the attribute value is linked to a file server. For example, if the user’s l attribute is set to Omaha, then the user’s profile will be located at \\corp.local\CtxProfiles\Omaha\user01\Win2016v6. The Omaha folder is linked to a file server in the Omaha datacenter.

Create User Store

This procedure could also be used to create a file share for redirected profile folders.

Create and Share the Folder

  1. Make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it CtxProfiles or similar.

  3. Right-click the folder, expand Give Access to (Windows Server 2019) or expand Share with (Windows Server 2016) and select Specific people.

  4. Give Everyone (or some other group that contains all Citrix Users) Full Control (Read/Write). Click Share, and then click Done.
  5. Go to the Properties of the folder.
  6. On the Sharing tab, click Advanced Sharing.
  7. Click Caching.
  8. Select No files or programs. Click OK, and then click Close.

Folder NTFS Permissions

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry, and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

Access Based Enumeration

With this setting enabled, users can only see folders to which they have access:

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it. Or perform a refresh.
  3. Right-click the new share and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration.

GPO ADMX Policy Template

  1. You can find the GPO ADMX templates on the main Citrix Virtual Apps and Desktops 2411 ISO in the \x64\ProfileManagement\ADM_Templates\en folder.

    • Or they are included in the standalone Profile Management download in the \Group Policy Templates\en folder.
  2. Copy the file ctxprofile.admx to the clipboard.
  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. If you have an older version of the ctxprofile.admx file in either location, delete it. Note: replacing the .admx file does not affect your existing Profile Management configuration. The template only defines the available settings, not the configured settings.
  5. Go back to the Citrix Profile Management Group Policy Template files.
  6. Copy ctxprofile.adml to the clipboard.
  7. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions,, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.
  8. If you have an older version of the ctxprofile.adml file in the en-US folder in either location, delete it.

CitrixBase:

  1. Go up a folder and then open the CitrixBase folder.
  2. In the CitrixBase folder, copy the file CitrixBase.admx to the clipboard.
  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. Go back to the Citrix Profile Management Group Policy Templates and copy CitrixBase.adml to the clipboard.
  5. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions,, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.

Group Policy Settings

  1. Edit a GPO that applies to all machines (VDAs) that have the Profile Management service installed.
  2. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management.
    • Note: if you did not install the CitrixBase.admx file, then you can find Profile Management directly under the Administrative Templates node instead of under Citrix Components.
  3. Enable the setting Enable Profile management. Profile Management will not function until this setting is enabled.
  4. If desired, enable the setting Process logons of local administrators.
  5. Enable Path to user store.
  6. Specify the UNC path to the folder share. An example path = \\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!

    1. Profile Versions– Different OS versions have different profile versions. Each profile version only works on specific OS versions. For example, you cannot use a Windows 7 profile (v2) on Windows 10 1607 (v6). The variables in the path above ensure that every unique profile version is stored in a unique folder. If users connect to multiple operating system versions, then users will have multiple profiles.
      1. Windows 10 Profile Versions – Windows 10 has two different profile versions. Windows 10 build 1511 and older use v5 profiles. Windows 10 build 1607 and newer use v6 profiles. v5 and v6 profile versions are incompatible so they should be separated.
      2. Resolved variables – With the example user store path shown above, if the user logs into Windows 2012 R2 RDSH, the profile folder will be \\server\share\user01\Win2012R2v4. If the user logs into 64-bit Windows 10 build 1607, the profile folder will be \\server\share\user01\Win10RS1v6.
      3. Windows 10 v6 vs Windows 2016 v6 – Both Windows 10 (1607 and newer) and Windows Server 2016 use v6 profiles. Do you want to use the same profile for both platforms? If so, remove !CTX_OSNAME! from the Path. Note: Windows 10 supports Store apps while Windows 2016 does not. If you’re allowing Store apps, then it’s probably best to use different profiles for both OS platforms.
      4. Windows 2012 R2 warning: in older versions of Citrix Profile Management, !CTX_PROFILEVER! recognizes Windows 2012 R2 as v2, which isn’t correct. v2 is Windows Server 2008 R2, while Windows Server 2012 R2 is v4. The profile version bug was fixed in Profile Management 5.4 and newer. If you have existing Windows 2012 R2 profiles based on the !CTX_PROFILEVER! variable set to v2, after upgrading to 5.4 or newer, then your profiles might stop working . See http://discussions.citrix.com/topic/374111-psa-upm-54-ctx-osname-server-2012-value-change/ for more details.
    2. Windows 10 and !CTX_OSNAME!: Profile Management sets !CTX_OSNAME! to different strings for different Windows operating system versions, especially different versions of Windows 10: (RS = Redstone, which is a Microsoft codeword)
      • Windows Server 2019 sets !CTX_OSNAME! to Win2019v6.
      • Windows Server 2016 sets !CTX_OSNAME! to Win2016v6.
      • Windows 10 version 1903 and 1909 set !CTX_OSNAME! to Win10RS6.
      • Windows 10 version 1809 sets !CTX_OSNAME! to Win10RS5.
      • Windows 10 version 1803 sets !CTX_OSNAME! to Win10RS4.
      • Windows 10 version 1709 sets !CTX_OSNAME! to Win10RS3.
      • Windows 10 version 1703 sets !CTX_OSNAME! to Win10RS2.
      • Windows 10 version 1607 sets !CTX_OSNAME! to Win10RS1.
    3. If you use !CTX_OSNAME! in your profile store path, then different CTX_OSNAMEs will have different profiles, which means users will lose their profile settings whenever you upgrade Windows 10.
      • Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can alleviate this problem.
    4. Multiple Domains – If you have multiple domains, in the user profile store path, change #SAMAccountName# to %username%.%userdomain% (e.g. \\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!). That way you can have the same account name in multiple domains and each account will have a different profile.
    5. Hard Code Store Path – Instead of using variables, you can specify a hard coded path. However, the profile incompatibility restrictions listed above still apply. To avoid applying a single profile across multiple operating system versions, place VDAs with different OS versions in different OUs, and then use different Profile Management GPOs on those OUs to specify different Profile Management user store paths.
    6. Migrate User Store – Profile Management 1909 and newer can move profiles from an old profile path to a new profile path.

    7. User-level overrides – Profile Management 2305 and newer support user-level overrides. First, configure Enable user-level policy settings under Advanced Settings. Then add registry keys for user group SIDs with override settings. See Enable and configure user-level policy settings at Citrix Docs.

  7. Disable Active write back. This feature places additional load on the file server and is only needed if users login to multiple machines concurrently and need mid-session changes to be saved, or if users never log off from their sessions. Note: if you don’t disable this, then it is enabled by default.

    1. Profile Management 2303 and newer have an option to only perform Active write back on session lock and disconnection.
  8. On the left, go to the Advanced settings node.
  9. If Microsoft Teams 2.1 or newer, and if Teams is installed per machine, then simply make sure Profile Management is version 2402 or newer. See Enable roaming for the new Microsoft Teams at Citrix Docs.
    • If Teams 2.1 is installed per-user, then enable UWP app roaming, which requires Profile Management 2308 or newer. See CTX585013 Microsoft Teams 2.1 supported for VDI/DaaS.
    • Profile Management 2411 and newer have the setting named Enable AppX package load acceleration. It requires a file share to store the VHDX files.

  10. Enable the setting Process Internet cookie files on logoff. This is probably only for Internet Explorer.
  11. The Replicate user stores setting replicates to multiple file shares. Note: this slows down logoffs. Profile Management 2209 and newer supports replicating profile containers, which seems to use robocopy.exe.

    • In Profile Management 2407 and newer, for the container-based profile solution, the Enable in-session policy container failover among user stores policy is automatically enabled to ensure profile redundancy for the entire session.
  12. Customer Experience Improvement Program (CEIP) is enabled by default. It can be disabled here.
  13. See https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#ceip for additional places where CEIP is enabled.
  14. Profile Management 2206 adds Enable asynchronous processing for user Group Policy on logon. This might speed up logons. This feature requires you to disable Always wait for the network at computer startup and logon and enable Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services. More details at Citrix Docs.
  15. Profile Management 2311 and newer support Enable OneDrive container. It works the same way as search index roaming as detailed next. See Citrix Tech Zone Deployment Guide: Citrix Profile Management – OneDrive Container.
  16. Profile Management 7.18 and newer have Enable search index roaming for Outlook.

Notes on Outlook OST and Search roaming:

  1. Microsoft FSLogix is another Outlook search index roaming product that is now free. For details, see the FSLogix section in the computer group policy article.
  2. Profile Management 1906 and newer support 64-bit Outlook 2016 and Office 2019.
  3. VDA 1906 or newer are recommended for the bug fixes for this feature. You can upgrade the VDA without upgrading your Delivery Controllers.
  4. After the first user logon, Profile Management 1811 and newer creates a template VHDX file in a folder named UpmVhd at the root of the user store. The template file is copied to new users, thus speeding up VHDX creation.

  5. In the user’s profile location, a new folder called VHD is created.

    • You can override the VHDX path by configuring Customize storage path for VHDX files as detailed at Citrix Docs.
  6. Inside the \VHD\Win2016 folder are two new thin provisioned .vhdx files – one for OST, one for Search. The per-user .vhdx files are copied from the parent template.
  7. UPM grants Domain Computers Full Control of the VHDX files. Users must have Full Control to the Profile Share, and UPM Folder to be able to grant this permission. Modify permissions are not sufficient. (Source = Robert Steeghs The Citrix Profile management could not mount virtual disk)
  8. When the user logs into a Citrix session, the two VHDXs are mounted to %localappdata%\Microsoft\Outlook and %appdata%\Citrix\Search. This means that OST files and Search Indexes are stored in the VHDX instead of in the user’s profile.


  9. eastwood357 at Outlook OST and Search vhdx not unmounting after log off at Citrix Discussions says that the Profile Management Path to User Store must be all lower case or else the VHDX files will not unmount at logoff.
  10. Only enable this feature for users with new Outlook profiles. If the user already has an .ost file, then you’ll see an error about missing .ost when Outlook is launched.
  11. The Search roaming feature is only supported with specific versions of Windows Search service. Event Log will tell you if your Windows patches are too new.
  12. Profile Management 2206 and newer have an option for Enable concurrent session support for Outlook search data roaming.

    • In older Profile Management, VHDX files can only be mounted on one machine at a time. If you login to two VDAs, and if both try to mount the same VHDX files, then you’ll see errors in Event Viewer.
  13. Search Index Backup – Profile Management 1909 and newer have a GPO setting named Outlook search index database – backup and restore that can provide automatic recovery of the search index if it becomes corrupted. The backup consumes more of the available storage space of the VHDX files.
  14. For a detailed explanation of how the per-user Search Index works, see CTX235347 Citrix Profile Management: VHDX-based Outlook cache and Outlook search index on a user basis.
  15. Profile Management 2109 and newer can Automatically reattach detached VHDX disks. In Profile Management 2203 and newer, it’s available as a group policy setting under the Profile Management | Advanced Settings node.
  16. Profile Management 2303 and newer have a Profile Container GPO setting to Enable VHD disk compaction on user logoff. See Citrix Docs.

    • Additional disk compaction settings can be found under Advanced Settings.

Exclusions, Synchronization, and Mirroring

  1. Profile Management 2209 and newer have File Deduplication > Files to include in the shared store for deduplication. You must specify which files to delete from each user’s profile and instead store in a shared location. See Citrix Docs. Profile Management 2311 support Files deduplication of profile containers.
  2. Under the File system node in the Group Policy Editor, enable the setting Enable Default Exclusion List – directories.
  3. You can use checkboxes to not exclude some folders.
  4. Then edit Exclusion list – directories.
  5. Enable the setting, and click Show.

  6. For Edge Chromium, see Avanite Roaming Edge Chromium.
  7. For Chrome, use the same list as Edge but change \Microsoft\Edge to \Google\Chrome.
  8. Add the following to the list.
    AppData\Local\Microsoft\Windows\INetCache
    AppData\local\Microsoft\Windows\IEDownloadHistory
    AppData\Local\Microsoft\Internet Explorer\DOMStore
    AppData\Local\Google\Software Reporter Tool
    AppData\Roaming\Microsoft\Teams\media-stack
    AppData\Roaming\Microsoft\Teams\Logs
    AppData\Roaming\Microsoft\Teams\Service Worker\CacheStorage
    AppData\Roaming\Microsoft\Teams\Application Cache
    AppData\Roaming\Microsoft\Teams\Cache
    AppData\Roaming\Microsoft\Teams\GPUCache
    AppData\Roaming\Microsoft\Teams\meeting-addin\Cache
  9. Newer versions of Office Click-to-run let you roam the shared computer activation licensing token. See Overview of shared computer activation for Office 365 ProPlus and search for “roam”. The licensing tokens also last 30 days instead of 2-3 days. Source = Rick Smith in the comments. Ideally you should have ADFS integration so users can seamlessly re-activate Office.
  10. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  11. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of exclusions for IE in Enterprise Mode.
    appdata\local\microsoft\internet explorer\emieuserlist
    appdata\local\microsoft\internet explorer\emiesitelist
    appdata\local\microsoft\internet explorer\emiebrowsermodelist
  12. Then click OK twice to return to the Group Policy Editor.
  13. usrclass.dat*.
    1. Profile Management 1909 and newer automatically include usrclass.dat* in the Files to Synchronize. UPM 2103 and newer add it for Windows 10 but not for RDSH. If added to the exclusion list, then Profile Management 1909 and newer automatically removes it from the exclusion list. See Start menu roaming at Citrix Docs.
    2. usrclass.dat* contains file type associations. For roaming file type associations, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
  14. Clean up excluded folders –  If you add to the exclusions list after profiles have already been created, Profile Management 5.8 has a feature that can delete the excluded folders at next logon. See To enable logon exclusion check at Citrix Docs. In Profile Management 7.15 and newer, Logon Exclusion Check is configurable in group policy under the File System node.

    1. Also see Muralidhar Maram’s post at Citrix Discussions for a tool that will clean up the existing profiles.
    2. Also see Jeremy Sprite Clean Citrix UPM Profiles.

Directories to Synchronize

  1. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  2. Edit the setting Directories to synchronize.
  3. Enable the setting, and click Show.
  4. Profile Management 7.16 Fixed Issues says that AppData\Local\Microsoft\Windows\Caches should be synchronized. Also see CTX234144 Start Menu Shows Blank Icons on VDA 7.15 LTSR CU1/7.16/7.17 with UPM Enabled.
  5. CTX489573Office 365 – Account Error: Sorry, we can’t get to your account right now says that Appdata\local\microsoft\identitycache should be synchronized.
  6. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
    AppData\Local\Microsoft\Windows\Caches
    AppData\Local\Microsoft\Credentials
    Appdata\local\Microsoft\identitycache
    Appdata\Roaming\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Crypto
    Appdata\Roaming\Microsoft\Protect
    Appdata\Roaming\Microsoft\SystemCertificates

  7. Start Menu and File Type Associations:
    1. If Windows 10 1703 or newer, see James Rankin Roaming profiles and Start Tiles (TileDataLayer) in the Windows 10 1703 Creators Update for information on the new location for Tile data. Citrix Profile Management 5.8 and newer should handle this automatically.
    2. See David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
    3. To roam Start Menu and/or File Type Associations in Windows 10 or Windows Server 2016, see CTX214754 Error “An app default was reset” after signout and Logon in Citrix UPM for info on why this is difficult.
    4. Instead of roaming usrclass.dat, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
    5. Daniel Feller at Sync the Windows 10 Start Menu in VDI says that configuring SettlementPeriodBeforeAutoShutdown might improve reliability of Start Menu roaming, assuming users log out of the virtual desktop instead of rebooting the virtual desktop. On a Delivery Controller, open PowerShell, and run the following:
      asnp citrix.*
      Set-BrokerDesktopGroup -Name "NAME_OF_DESKTOP_GROUP" -SettlementPeriodBeforeAutoShutdown 00:00:15
    6. With VDA 7.15 Update 1, the icons on the Start Menu of Windows 2012 R2 and Windows 2016 are sometimes blank.

  8. Click OK twice.

Files to Synchronize

  1. Edit Files to synchronize.
  2. Enable the setting, and click Show

  3. Add the following three entries so Java settings are saved to the roaming profile:
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
    
  4. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  5. Citrix’s Start Menu Roaming documentation says that Appdata\Local\Microsoft\Windows\UsrClass.dat* should be added to the list. Profile Management 1909 and newer automatically add Appdata\Local\Microsoft\Windows\UsrClass.dat* to the Files to Synchronize list.

    • You can disable the automatic inclusion of these folders by enable the setting Disable automatic configuration located under Advanced Settings.
  6. Then click OK twice to return to the Group Policy Editor.

Folders to mirror

  1. Under File System, in the Synchronization node, enable the setting Folders to mirror.
  2. Enable the setting, and click Show.

  3. Add the following:
    AppData\Roaming\Microsoft\Windows\Cookies
    AppData\Local\Microsoft\Windows\INetCookies
    AppData\Local\Microsoft\Windows\WebCache
    AppData\Local\TileDataLayer
    AppData\Local\Microsoft\Vault
    AppData\Local\Microsoft\Windows\Caches
    AppData\Local\Packages
    AppData\Local\Google\Chrome\User Data\Default
  4. Click OK.
  5. Profile Management 2106 and newer have a setting called Accelerate folder mirroring that stores the mirrored folders in a VHDX file instead of copying back and forth at login and logoff.

    • UPM creates a folder named MirrorFolders in the user’s UPM path and creates a couple thin-provisioned VHDX files in that path.
    • Disk Management shows that the mounted Diff disk has a 50 GB capacity limit.
    • Logging into multiple sessions concurrently results in multiple Diff disks.
    • If the file server is unavailable then unpredictable behavior occurs. After the file server is back up, the session continues to misbehave and won’t recover until users log off and log back on. Plan for file server high availability that can handle always-open VHDX files. DFS won’t help you.
    • Profile Management 2109 and newer can Automatically reattach detached VHDX disks.
  6. According to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Configuration > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.

Profile Container

Profile Management 2407 and newer have new Container features, including:

  • In-session profile container failover among multiple user stores – Citrix Docs
  • Registry exclusion and inclusion support extended to container-based profile solution – Citrix Docs
  • Reset container-based profiles without the risk of losing user data – Citrix Docs
  • Collects statistical data on VHD compaction actions and provides it to Workspace Environment Management (WEM) for reporting

To configure profile container:

  1. Profile Management 1903 and newer have a Profile container setting.
    • In Profile Management 2009 and newer, the Profile container setting moved to its own node.
    • In older versions of Profile Management, Profile Container is located under File System | Synchronization.
  2. Click the Show button to specify profile paths that should be placed in the mounted file share profile disk (VHDX file) instead of copied back and forth at logon and logoff.
    • In Profile Management 2009 and newer, you can specify * to put the entire profile in the Container. Then use the other two settings to exclude folders from the Container. See Profile Container at Citrix Docs.

    • In Profile Management older than version 2009, this setting is for large cache files (e.g. Citrix Files cache) and is not intended for the entire profile.
  3. Profile Management 2103 and newer have a setting to Enable local caching for profile containers. Combine this with Profile Streaming for faster logons. The entire profile should be stored in the profile container.
  4. Profile Management 2311 and newer can Log off users when profile container is not available during logon.
  5. On the left, under Advanced Settings, Profile Management 2103 and newer have a setting to Enable multi-session write-back for profile containers. This setting applies to both UPM Profile Container and Microsoft FSLogix Profile Container. If the same user launches multiple sessions on different machines, changes made in each session are synchronized and saved to the user’s profile container disk.
  6. Profile Management 2109 and newer can Automatically reattach detached VHDX disks.
  7. Citrix recommends using Profile Container for Microsoft Teams.
  8. See CTX247569 Citrix Profile Management: Troubleshooting Profile Containers.
  9. Profile Management 2209 and newer can replicate the profile container to multiple shares. 

    • In Profile Management 2407 and newer, for the container-based profile solution, the Enable in-session policy container failover among user stores policy is automatically enabled to ensure profile redundancy for the entire session.
  10. Profile Management 2308 and newer can auto-expansion the container.

    • Advanced settings node has additional auto-expansion settings.
  11. On the CVAD 2311 and newer ISO, at \x64\ProfileManagement\Tools is a script that can migrate profiles from FSLogix to Citrix Profile Container. Prior to CVAD 2311 the Tools folder is not on the CVAD ISO but is instead included with the separately downloaded Profile Management. See Migrate user profiles at Citrix Docs.

Registry Exclusions

  1. On the left, under Profile Management, click Registry.
  2. On the right, open Enable Default Exclusion List.
  3. Enable the setting. You can use the checkboxes to control which registry keys you don’t want to exclude.
  4. According to Citrix CTX221380 Occasionally, File Type Association (FTA) Fails to Roam with Profile Management 5.7 on Windows 10 and Windows Server 2016, Software\Microsoft\Speech_OneCore should be unchecked. Click OK.
  5. The setting Exclusion List under Registry lets you exclude registry keys from the roaming profile.
  6. Nick Panaccio in the comments says that if Office with ADFS constantly prompts for login, then you should exclude the following:
    Software\Microsoft\Office\16.0\Common\Identity
  7. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of registry exclusions for IE in Enterprise Mode.
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieUserList
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieSiteList
  8. Click OK when done.
  9. For the NTUSER.DAT backup setting, which is disabled by default, you can enable it to provide some resiliency against profile corruption.

Log Settings

  1. In the Log Settings node, enable the Enable logging setting. This will make it easy to troubleshoot problems with Profile Management. The logfile is located in C:\Windows\System32\LogFiles\UserProfileManager.
  2. Edit the Log settings setting.
  3. Enable the setting and check the boxes next to Logon and Logoff. Click OK.
  4. If your VDA is a Provisioning Services Target Device and/or non-persistent, consider moving the log file to the local persistent disk (e.g. D:\Logs), or to a central share. If a central share, the VDA computer accounts (e.g. Domain Computers) will need Modify permission to the log file path. To change the log file path, edit the Path to log file setting.


  5. CTX123005 Citrix UPM Log Parser
  6. CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

Profile Streaming

  1. Go to the Profile handling node under Profile Management.
  2. Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can migrate existing profiles when you upgrade the version of Windows 10. This setting requires the !CTX_OSNAME! variable in your profile store path.
  3. Enable the setting Delete locally cached profiles at logoff. Note: this might cause problems in Windows 10.

    Helge Klein has a tool to delete locally cached profiles on a session host. http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/. This tool should only be needed if profiles are not deleting properly.
  4. For Windows 10/2016 machines, CTX216097 Unable to Delete NTUSER.DAT* Files When a User Logs off recommends setting Delay before deleting cached profiles to 40 seconds.

  5. Enable the setting Migration of existing profiles and set it to Local and Roaming.  Citrix CTX221564 UPM doesn’t migrate local user profile since version 5.4.1.

  6. Enable the setting Local profile conflict handling, and set it to Delete local profile. Note: this might cause problems on Windows 10.

  7. For fastest logons, Citrix recommends Profile streaming + Enable profile streaming for folders + Accelerate folder mirroring all enabled, or only enable Profile Container for the entire user profile. More details at CTX463658 Reduce logon time with Profile Management.
    1. Under Profile Management > Streamed user profiles is Profile streaming. Enable this setting to speed up logons.
    2. Profile Management 2103 and newer have a setting to Enable profile streaming for folders, which should speed up logons. In Profile Management 2402 and newer, profile streaming for folders is enabled by default.
    3. Profile Management 2106 and newer have a setting under File System > Synchronization called Accelerate folder mirroring that stores the mirrored folders in a VHDX file instead of copying back and forth at login and logoff.
    4. Profile Management 2206 adds Enable profile streaming for pending area. Enable this setting if users run multiple Citrix sessions concurrently and you have Active Write Back enabled.
  8. Profile Management 7.16 and newer have XenApp Optimization (aka Citrix Virtual Apps Optimization) feature, which uses Microsoft UE-V templates to define specific settings that should be saved and restored at logoff and logon. See George Spiers XenApp Optimization (new in CPM 7.16+) for details.

  9. After modifying the GPO, use Group Policy Management Console to update the VDAs.
  10. Or run gpupdate /force on the VDAs, or wait 90 minutes.

App Access Control

Profile Management 2303 and newer support app access control. This is similar to FSLogix App Masking.

Citrix WEM Tool Hub has a GUI-based Rule Generator.

  1. In Workspace Environment Management Web Console, various places in the console have a link to download the WEM Tool Hub. For example, in a Configuration Set > Printers, click Add from print server.
  2. Extract the WEM Tool Hub and run Citrix.WEM.AdminToolHub.exe.
  3. Click Rule Generator for App Access Control.
  4. Click Create app rule. WEM 2411 adds Redirect as an option. Otherwise choose Hide.
  5. Redirect lets you redirect Files, Folders, Registry keys or Registry values.
  6. If Hide:
    1. Click Scan to select an app installed on the local machine.
    2. The tool scans the selected app and automatically adds rules for the app. Click Add when done.
    3. Give the app a name and click Next.
    4. Assign the rule to users, computers, or processes. 2411 and newer let you specify Exclusions. Click Done.
  7. Select the app rules and click Generate raw data.
  8. Click Save to file.
  9. Use WEM or Group Policy to push the string to the VDAs. App Access Control is currently a preview feature. Enable it in Citrix Cloud > Workspace Environment Management > Manage > Web Console > Home page > Preview features.

  10. Then edit a Configuration Set. Go to Profiles > Profile Management Settings and find App access control. Browse to the .rule file saved earlier.

If you don’t have access to WEM Cloud, then the PowerShell Rule Generator is on the CVAD 2311 or newer ISO under \x64\ProfileManagement\Tools. Prior to CVAD 2311, the Tools folder is in the downloaded standalone Profile Management.

  1. The CPM_App_Access_Control_Config.ps1 PowerShell script is in the Tools folder.
  2. The Rule Generator script lists all locally installed apps and asks you choose one.
  3. The tool auto-generates some rules for the app and asks you to edit the rules or go to the next step to manage assignments.
  4. You can assign groups that can view the app. When done, press 4 to generate the rules for deployment.
  5. The script can push the rules to a GPO. Or you can press 3 to generate the string that you then must configure yourself in the GPO.
  6. The GPO setting is at Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management | App Access Control. Enable the setting named App access control and paste the string that the Rule Generator provided. 

Also see CTP James Rankin QuickPost – Citrix UPM App Access Control

Mandatory Profile – Citrix Method

Profile Management 5.0 and newer has a mandatory profile feature. Alternatively, use the Microsoft method. Also see CTP James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703).

  1. Create a file share (e.g. \\fs01\profile). Give Read permission to Users and Full Control to Administrators.
  2. Login to the VDA machine as a template account. Do any desired customizations. Logoff.
  3. Make sure you are viewing hidden files and system files.
  4.  
  5. Copy C:\Users\%username% to your fileshare. Name the folder Mandatory or something like that. Citrix Profile Management does not need .v2 or .v4 or .v6 on the end.

    1. You can copy C:\Users\Default instead of copying a template user. If so, remove the Hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  6. Open the AppData folder and delete the Local and LocalLow folders.
  7. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file, and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  8. Open regedit.exe.
  9. Click HKEY_LOCAL_MACHINE to highlight it.
  10. Open the File menu and click Load Hive.
  11. Browse to the mandatory profile and open NTUSER.DAT. Note: Citrix Profile Management does not use NTUSER.MAN and instead the file must be NTUSER.DAT.
  12. Name it a or similar.
  13. Go to HKLM\a, right-click it, and click Permissions.
  14. Add Authenticated Users and give it Full Control. Click OK.
  15. With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ and http://appsensebigot.blogspot.ru/2014/10/create-windows-mandatory-profiles-in.html?m=1 for some suggestions.
  16. Citrix CTX212784 Slow User Logon When Using Mandatory Profiles – set HKCU\a\Software\Citrix\WFSHELL\SpecialFoldersIntialized (DWORD) = 1
  17. Highlight HKLM\a.
  18. Open the File menu, and click Unload Hive.
  19. Go back to the file share and delete the NTUSER.DAT log files.
  20. Create/Edit a GPO that appplies to the VDAs. Make sure the Citrix Profile Management policy template is loaded.
  21. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Profile Management > Profile handling. Edit the setting Template profile.
  22. Enable the setting and enter the path to the Mandatory profile.
  23. Check all three boxes. Then click OK.

Redirected Profile Folders

  1. Make sure loopback processing is enabled on your VDAs.
  2. Edit a GPO that applies to all VDA users, including Administrators.
  3. Go to User Configuration\Policies\Windows Settings\Folder Redirection. Right-click Documents, and click Properties.
  4. In the Setting drop down, select Basic.
  5. In the Target folder location drop down, select Redirect to the user’s home directory.
  6. Switch to the Settings tab.
  7. On the Settings tab, uncheck the box next to Grant the user exclusive rights. Click OK. Note: Move the contents to the new location might cause issues in some deployments.
  8. Click Yes to acknowledge this message.
  9. Right-click Desktop and click Properties.
  10. Change the Setting drop-down to Basic.
  11. Change the Target folder location to Redirect to the following location.
  12. In the Root Path box, enter %HOMESHARE%%HOMEPATH%\Desktop. It is critical that this is a UNC path and not a mapped drive. Also, since we’re using home directory variables, all users must have home directories defined in Active Directory.
  13. Switch to the Settings tab.
  14. Uncheck the box next to Grant the user exclusive rights to Desktop and click OK.
  15. Click Yes when prompted that the target is not a UNC path. You get this error because of the variable. It doesn’t affect operations.
  16. Repeat for the following folders:
    • Documents = Redirect to the User’s Home Directory
    • Desktop = %HOMESHARE%%HOMEPATH%\Desktop
    • Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites
    • Downloads = %HOMESHARE%%HOMEPATH%\Downloads
  17. Redirect the following folders but set them to Follow the Documents folder.
    • Pictures
    • Music
    • Videos

Folders not redirected will be synchronized by Citrix Profile Management.

Verify Profile Management

  1. Once Profile Management is configured, login to a Virtual Delivery Agent and run gpupdate /force.
  2. Logoff and log back in.
  3. Go to C:\Windows\System32\LogFiles\UserProfileManager and open the pm.log file. Look in the log for logon and logoff events.

Profile Management Troubleshooting

UPM Troubleshooter

Citrix Blog Post – UPM Troubleshooter: UPM Troubleshooter is a Windows-based standalone application that examines the live User Profile Management-enabled system in a single click, gives Profile Management Configurations, information on the Citrix products installed, facility to collect and send the logs along with system utilities dashboard to analyze the issue in an effective, simplified, quick and easier manner. See the blog post for more details.

Profile Management Configuration Check Tool

UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines whether it is optimally configured. UPMConfigCheck is designed to verify that Profile management has been configured optimally for the environment in which it is being run, taking into account:

  • Hypervisor Detection– The presence or absence of supported hypervisors (for example, Citrix XenServer, VMware vSphere, or Microsoft Hyper-V)
  • Provisioning Detection– The presence or absence of a supported machine-provisioning solution (for example, Machine Creation Services or Provisioning Services)
  • XenApp or XenDesktop– Whether it is running in a XenApp or a XenDesktop environment
  • User Store – Determines that the expanded Path to User Store exists.
  • WinLogon Hooking Test – Verifies that Profile management is correctly hooked into WinLogon processing. This test is for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and requires the user running the Configuration Check Tool to have permission to access the relevant registry keys, or an error may be returned.
  • Verify Personal vDisk enabled / disabled – Whether the Personal vDisk feature of XenDesktop is enabled
  • Miscellaneous – Other factors that it is able to determine through registry or WMI queries, such as whether the computer running Profile management is a laptop

Profile Size

Sacha Thomet at Monitor you Profile directories has a script that displays the size of profiles in a profile share.

Log Parser

CTX123005 Citrix UPM Log Parser

View Log Files using Excel

CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

1,148 thoughts on “Citrix Profile Management 2411”

  1. Hi Carl, even if I enabled “Process logons of local administrators”, when I connect with administrator account into my random VDI enviroment the profile of it still is local and not in user sotre path. I tried also to delete local profile of administrator and re-login, but the problem persist.
    With user account everythings works fine.
    I checked if there are other GPO or Citrix Policies that maybe going in conflit, and there aren’t.
    Is fresh installation into small windows domain without complex policies.
    Can you help me about this behaviour?
    Thanks in advance

      1. Hi Carl, thanks for your answer.
        In the meantime, I tried to create a new domain admin “citrixadm” and with this user the UPM works fine.
        The problem is only for administrator.
        Have you ever seen this issue?
        Thanks you in advance

        1. Yes, usually there’s a conflict between an existing UPM profile and the local profile. The UPM log will show you the issue.

      2. Hi,Carl
        Why domain users’ logon are not recorded in the UPM log, when they are logging in.

        Is it right as below?
        If user login as local administrator. We can obviously see as local administrator.
        If the user login as domain administrator. Trace will show as local group administrator.

  2. Carl,

    just a quick update I discovered:
    Starting with 7.15 it is no longer required to set the LogonExclusionCheck in the .ini-file as this is now configurable via GPO.

    Cheers

  3. Hi Carl,
    we are facing a strange problem where the Citrix UPM keeps copying some redirected folders when we’ve reset the profile via Director.

    It is creating the backup of the profile folder as expected but it also creates a backup of redirected folders like Downloads, Contacts, Links, etc.

    Redirected folders are located on different shares.

    Documents = %HOME%
    Music = %HOME%\My Music
    Downloads = %HOME%\Downloads

    For example it is creating a backup of the “Downloads” folder but not the “My Music” folder.
    Both are set up exactly the same via GPO folder redirection and both are excluded in UPM.

    The problem exists since last year. Citrix once told us that the bug will be fixed in the future but as far as we know the bug is still there in 7.15.

    Any thoughts?

    Thansk for your help

    Regards

    Marlene

  4. Hi Carl,

    currently running VDA 7.9 with UPM 5.4, with 5.4 GPO templates in production .

    Working on new windows 10 image and want to use UPM 7.15, VDA is still 7.9 .

    Can i upgrade the UPM GPO templates to 7.15 or will that effect my current production 5.4 installation and current UPM GPO settings ?

    Thanks;
    RP

    1. The newer templates do not change any of the values so go for it. The templates merely provide possible settings; upgrading them does not change any actual settings.

  5. Hi Carl,

    we are using Xenapp 6.5 and Profile Manager 5.4.
    We have to move our profile share to another file Server. I would like Change this Setting per user (Group), not for all users for the same time. I tried 2 GPOs at the same OU and played with the “excluded Group Setting”, but no luck.
    Is it possible to change the share for a group of users ?
    Regards,
    Michael

    1. Path to User Store is a computer setting. To approximate a per-user path, you would need to insert a per-user variable, which is usually retrieved from AD User Attributes. See the multi-datacenter UPM instructions for an example of an AD Attribute in the path.

  6. IE11 Download Manager Not Working with Citrix Profile Management

    My scenario:

    Citrix XenDesktop 7.15
    Citrix Profile management (ultimate version)
    Windows 10
    Internet Explorer 11

    When I try save some file, the download boxis with the buttons without actions. “CRTL + J” does not open the box.

    Edge and others browsers no problem.

  7. Hi Carl.
    What is the best way to migrate UPM data ( citrix 6.5) to 7.15?
    Should i setup proper policies,gpo etc as you described and then use robocopy to copy data over to new location?

    1. Same OS version? Or different OS version?

      If same, point UPM to the existing share. If different OS, then you’ll need scripts to backup the data you want to save and restore to the new profiles.

      1. 6.5 is running on 2008 R2. New 71.5 is running on 2012R2.
        file server where profiles are stored stays the same – 2008R2

      2. Hi Carl, as always a great article on configuring mandatory user profile.

        I have a question for you on whether it would be prudent to not use any profile management for a non-persistent Call centre VDI use case where users have a standard set of application and they log in using generic user id’s based on desk id’s and furthermore user do not needs to save any personal files or even IE favourites. In this secnario if one was to simply let WIndows create the local profiles which get flushed at log off. Or should one employ a mandatory profile as a minimum. I was thinking of using Citrix App layering for building the MCS images for the about use case. Your thoughts on this please.

        Thanks!

        1. Since VDI refreshes after logoff, no need for any profile configuration. If RDSH, then Mandatory deletes the profile at logoff.

  8. Hi carl!
    I have a little problem with a 7.15 infrastructure and UPM profiles management. The enviroment i’ve configured worked correctly since 2 days ago. Then I’ve installed the WEM module on DDC and the WEM agent on my VDAs only to manage CPU spikes settings. I continue to manage the rest of other setting (folder redirection, profiles management ecc) by Windows GPO. Now my issue is that:
    – roaming profiles doesn’t work! When I logon with a user on a VDA (Windows server Shared Desktop) the folder of user profile is not create on the profiles filesrv but only locally on the VDA. The folder redirection instead still works correctly. If I uninstall WEM agent on VDA the UPM profile begin to work correctly. If I reinstalla the WM agent the UPM profile still not work!! How can I resolve this?
    thanks

  9. Great Article, again. Thanks. But after updating, there is one problem for us. Our users often switch between Thinclients. In the past, they just lgged into another one and the open session moved there. Thats what should be. But now, the system begins to log them in and then hangs in the windows login screen.

    Anyone experienced something like that`?

    Kind regards, Christian

          1. Ok. Ill try and report back. This has been activated ever since. Did something change there?

  10. Hi Carl, Once again i have turned yto your site for guidance when setting up UPM on our new XenApp 7.15 LTSR deployment…. I have come across an issue with profile conflict handling which i am hoping you might have some insight on…. I configured the setting “4.Enable the setting Local profile conflict handling and set it to Delete local profile. ” as per your document. But what i find is, if for some reason a local tmppoarray profile exists for the user, they just cant launch an application, It runs throguh the launch process and then just fails to open the app.. 🙁 As soon as I manually delete the local temporary profile on the server it all works again….

    1. If you’re getting temporary profiles, then you need to troubleshoot that. Event Viewer > Application log usually has events from User Profile service indicating a Temporary Profile being created. The UPM logs will indicate what failed, thus forcing a temporary profile to be created.

      1. Yup, i found that particular issue causing the creation of temp profiles (incorrect permissions) however I was a little concerned that if in the fufutre a user had an issue at logon and a temporary profile was created – they would then be unable to use anything until the profile was manually deleted by an admin. 🙁 I thought the point of this policy setting was exactly that?

        1. Temporary profiles should be deleted automatically at logoff. If not, then some process is keeping the files open. Temp profiles are a Windows thing, and are not managed by UPM.

  11. Great Article Carl, I have a question when I try to assign Creator OWNER Full Control, all ticks reset when I hit apply but it works when I assign EVERYONE Full Control. Am I doing something wrong?

  12. Hi, maybe anyone can help here. Using the recommended settings I do get a very strange error. my users do not have a store app neither they have the photo app which is used by many of my users. Os is 1703
    disabling upm does make the apps available again. any recommendations or maybe do I have a folder / file setting in my upm config causing this issue?
    I can not see any erros in upm log file.
    Thx Chris

  13. Hi guys! Anybody knows where to find detailed info about UPM, and what is the difference between “Folders to exclude”, “Folders to mirror” and “Folders to syncronize”. I’m implementing UPM for a customer, where the majority af users have large user profiles (locally on Citrix server), and need to understand exactly how to configure UPM, in order to minimize profile size, and to insure no vital data is lost.

  14. Hi Carl,

    Is UPM v5.8 compatible with XenApp 6.5?

    If not, which newest version for XenApp 6.5?

    Regards,

    Elaine

    1. I can’t think of any reason why it wouldn’t work since it’s compatible with Windows 2008 R2. There’s no real connection between UPM and XenApp.

  15. Is it redundant to have the UPM Settings in a GPO and in WEM? Meaning should I remove them from the GPO since I set them also set in the Policies & Profiles section of WEM.

  16. Hi Carl,

    Hoping you can help me here, I have a few windows 10 64bit (1607) Unidesk v4.3 created machines deployed through PVS that are not loading UPM correctly (see below). As a test I created a static Windows 10 and move that machine to the same OU with the same UPM policies and it seems to be working correctly. I have a case open with Citrix and they’re saying Unidesk might be causing the issue? any suggestions? Thanks in advance!

    -Start Menu and Search box not working.
    -New profiles are created every time users login.

  17. Carl, Do you have any recommendations for OneDrive for Business and Xenapp? Any GPOs that should be placed related to OneDrive and Office Document Upload Center? I am having a few users that consistently have cache issues and need the repair option appears.

      1. Is there anything new regarding using OneDrive with CVAD (apps / XenApp)? Or is Citrix still only recommending ShareFile?

  18. Hey Carl,
    Your site is amazing. The amount of info and detail you go into has been incredibly helpful.

    That being said, Microsoft seems to have changed how the start menu on Server 2016 is handled yet again so your instructions are out of date. No long is it just TileDataLayer that needs to by synced with UPM. The symptom is the start menu not opening and tons of errors in the event logs related to shellexperiencehost, cortana, and searchui appearing when the start menu is clicked on.

    I found the following blog post that identifies additional appdata\local folders to sync for Windows 10 1703 but that does not seem to resolve the issue for Server 2016.
    https://4sysops.com/archives/roaming-profiles-and-start-tiles-tiledatalayer-in-the-windows-10-1703-creators-update/

    I have narrowed the issue down to the non-default file and directory exclusions from your article above. I haven’t been able to isolate exactly what exclusion/s are causing the problem but if a strip out the exclusions down to the default exclusions, I can successfully roam the start menu on Server 2016.

    I thought you’d like to know so you can investigate as well.
    Cheers,
    Matt

      1. That had crossed my mind as well so I have that added to files to synchronize using the string “!ctx_localappdata!\Microsoft\Windows\UsrClass.dat*” but the problem persisted until I removed the non-default exclusions.

        I should mention, I’m running 7.14.1 so profile management is at 5.8. I suspect that’s the only reason I can roam the start menu with only the default exclusions.

        1. I have very few exclusions in my article. Actually, most of them are additions/inclusions.

          Inetcache is an added exclusion.

    1. Matt – I noticed this in Windows 10 1809. If you have appsense installed, add shellexperienchost.exe in the exclusions

      HKEY_LOCAL_MACHINE\SOFTWARE\AppSense\Environment Manager\AsModLdr\Exceptions

      Append the REG_MULTI_SZ and add ShellExperienceHost.exe

  19. Hi Carl,

    i have an issue during implement citrix xenapp on my customer, i already following your article but user profile can’t be create at file sharing (path to user store). user profile still in xenapp server. any suggestion for this issue?

    thanks a lot,
    Hendra

    1. What are you seeing in the UPM log file? By default, it’s at C:\Windows\System32\Log Files\User Profile Manager. Look for a Logon event.

      1. Hey Carl! I am trying to figure out how to enable adding folder short cuts into the “Windows Explorer” Favorites (not IE) . I have got Citrix UPM configured with a Published Desktop XenApp 7.6LTSR CU1 (WS2012R2) and users are not able to add any favorites. Am I right to think users do not have permissions in the redirected UPM Profile\Links path. At one time I could add the shortcuts by logging of the user and copying the shortcuts into the UPM Profile\Links folder but it was very painful and for some reason this has stopped working.

        1. Can Links be redirected to a network share?

          When you log into Windows the first time, it creates a folder under C:\Users\%username%. When you log out, UPM backs up the local folder to a file share. When you log in again, UPM restores the folder to C:\Users.

          Folder Redirection removes folders from C:\Users\%username%. Redirected folders are not restored to the C: drive when the user logs in again. Instead, when a program wants to access a file in a redirected folder, the read request is sent to the network share. All other profile folders are on the C: drive.

          I’m not aware of anything in UPM that would prevent the Links folder from working. While the user is logged in, the Links folder should be on the C: drive and UPM will back it up when the user logs off.

          1. Yes I have tested it with a brand new profile and it is creating the Links folder on C:\users\%username%\Links and when the user logs off the Link folder is created on the network profile share.

            However, this is a published desktop and the C:\ is hidden using GPO therefore under the user context in the Windows Explorer Navigation pane although the Favorites Link is created along with the Desktop and Recent Links it is not possible to add any favorites. I beleive this is because the user has no write/read access to drive C:\ because it is blocked by GPO (hidden drives).

            So what I tried this – logged off the user and wait to unload from C:\Users and than manually create a couple of shortcuts in the Links folder on the network profile share. But when the user logs on for some reason the UPM does not seem to be restoring the contents to C:\Users\%username%\Links folder.

      2. i seeing log after user login access apps ms.word and then save file but i check folder shared (path to user store) still not yet create user profile.

        2017-07-20;10:57:16.109;INFORMATION;;;18;6364;DispatchLogonLogoff: ———- Starting logon processing…
        2017-07-20;10:57:16.110;INFORMATION;;;18;6364;IsRunningInTerminalServerSession: Terminal services installed.
        2017-07-20;10:57:16.110;INFORMATION;;;18;6364;IsRunningInTerminalServerSession: ICA session.
        2017-07-20;10:57:16.110;INFORMATION;SM;s-vdicitrix;18;6364;DispatchLogonLogoff: UserSID = S-1-5-21-571726049-81199670-1474062468-41368
        2017-07-20;10:57:16.183;INFORMATION;SM;s-vdicitrix;18;6364;DispatchLogonLogoff: Triggered policy evaluation for
        2017-07-20;10:57:16.189;INFORMATION;SM;s-vdicitrix;18;6364;DispatchLogonLogoff: Updated Group Policy Extension history for
        2017-07-20;10:57:16.189;INFORMATION;SM;s-vdicitrix;18;6364;CheckUserExistsInGroup: No Entries Found In ExcludedGroups
        2017-07-20;10:57:16.189;INFORMATION;SM;s-vdicitrix;18;6364;CheckIfUserNeedsToBeProcessed: User is member of the local group administrators and per configuration administrators are not to be processed.
        2017-07-20;10:57:16.189;INFORMATION;SM;s-vdicitrix;18;6364;CheckIfUserNeedsToBeProcessed: Logon/logoff will not be processed.
        2017-07-20;10:57:16.189;INFORMATION;SM;s-vdicitrix;18;6364;DispatchLogonLogoff: ———- Finished logon processing successfully in [s]: .
        2017-07-20;10:58:27.191;INFORMATION;;;18;5576;DispatchLogonLogoff: ———- Starting logoff processing…
        2017-07-20;10:58:27.193;INFORMATION;;;18;5576;IsRunningInTerminalServerSession: Terminal services installed.
        2017-07-20;10:58:27.193;INFORMATION;;;18;5576;IsRunningInTerminalServerSession: Console session.
        2017-07-20;10:58:27.193;INFORMATION;SM;s-vdicitrix;18;5576;DispatchLogonLogoff: UserSID = S-1-5-21-571726049-81199670-1474062468-41368
        2017-07-20;10:58:27.193;INFORMATION;SM;s-vdicitrix;18;5576;CheckUserExistsInGroup: No Entries Found In ExcludedGroups
        2017-07-20;10:58:27.193;INFORMATION;SM;s-vdicitrix;18;5576;CheckIfUserNeedsToBeProcessed: User is member of the local group administrators and per configuration administrators are not to be processed.
        2017-07-20;10:58:27.193;INFORMATION;SM;s-vdicitrix;18;5576;CheckIfUserNeedsToBeProcessed: Logon/logoff will not be processed.
        2017-07-20;10:58:27.194;INFORMATION;SM;s-vdicitrix;18;5576;DispatchLogonLogoff: ———- Finished logoff processing successfully in [s]: .

        1. I see this in the log:

          “User is member of the local group administrators and per configuration administrators are not to be processed.”

          1. After I enable “process logon of local administrator” policy, and trying to access xenapp. It is show up “There was a problem setting up your profile. You will be logged off when you click OK. Changes you make during this session will not be saved. Please contact your administrator to resolve the problem”. Im login as user domain not as member of the local group admin. Any suggestion ?

          2. Hi Carl sorry for late reply, it is the log file for next error after I enable “process logon of local administrator” policy.
            Do I need configure UPM policy on file server too ?

            2017-07-24;11:09:14.438;INFORMATION;;;41;3936;DispatchLogonLogoff: ———- Starting logon processing…
            2017-07-24;11:09:14.438;INFORMATION;;;41;3936;IsRunningInTerminalServerSession: Terminal services installed.
            2017-07-24;11:09:14.438;INFORMATION;;;41;3936;IsRunningInTerminalServerSession: ICA session.
            2017-07-24;11:09:14.438;INFORMATION;SM;s-vdicitrix;41;3936;DispatchLogonLogoff: UserSID = S-1-5-21-571726049-81199670-1474062468-41368
            2017-07-24;11:09:14.531;INFORMATION;SM;s-vdicitrix;41;3936;DispatchLogonLogoff: Triggered policy evaluation for
            2017-07-24;11:09:14.547;INFORMATION;SM;s-vdicitrix;41;3936;DispatchLogonLogoff: Updated Group Policy Extension history for
            2017-07-24;11:09:14.547;INFORMATION;SM;s-vdicitrix;41;3936;CheckUserExistsInGroup: No Entries Found In ExcludedGroups
            2017-07-24;11:09:14.547;INFORMATION;SM;s-vdicitrix;41;3936;CheckUserExistsInGroup: No Entries Found In ProcessedGroups
            2017-07-24;11:09:14.547;INFORMATION;SM;s-vdicitrix;41;3936;CheckIfUserNeedsToBeProcessed: Logon/logoff will be processed.
            2017-07-24;11:09:14.547;INFORMATION;SM;s-vdicitrix;41;3936;GetUserStorePath: User Store: Path In: \\SMJKT-PRFS02\CitrixProfile\#SAMAccountName#
            2017-07-24;11:09:14.547;INFORMATION;SM;s-vdicitrix;41;3936;CADUser::Init: Determined user and DNS domain name: ,
            2017-07-24;11:09:14.547;INFORMATION;SM;s-vdicitrix;41;3936;CADUser::Init: Determined the ADsPath of user: :
            2017-07-24;11:09:14.547;INFORMATION;SM;s-vdicitrix;41;3936;GetUserStorePath: User Store: Path Out: \\smjkt-prfs02\citrixprofile\s-vdicitrix
            2017-07-24;11:09:14.547;ERROR;SM;s-vdicitrix;41;3936;CJitSupport::JitAvailable: Unable to start UPM driver. UPM users will be given temporary profiles.
            2017-07-24;11:09:14.562;INFORMATION;SM;s-vdicitrix;41;3936;SessionCount::RealTimeCount – User: s-vdicitrix, Domain: SM, Session Count: 1.
            2017-07-24;11:09:14.562;INFORMATION;SM;s-vdicitrix;41;3936;NTUSER.DAT.LASTGOODLOAD not found in User store
            2017-07-24;11:09:14.562;INFORMATION;SM;s-vdicitrix;41;3936;QueryLocalProfile: Profile directory read from registry: c:\users\s-vdicitrix
            2017-07-24;11:09:14.562;INFORMATION;SM;s-vdicitrix;41;3936;QueryLocalProfile: Local profile is a UPM profile.
            2017-07-24;11:09:14.562;INFORMATION;SM;s-vdicitrix;41;3936;User store not found : The system cannot find the path specified.
            2017-07-24;11:09:14.562;ERROR;SM;s-vdicitrix;41;3936;ProcessLogon: A local UPM profile has been found but the corresponding profile can not be found in the userstore. Switching to a temporary profile.
            2017-07-24;11:09:14.562;INFORMATION;SM;s-vdicitrix;41;3936;DispatchLogonLogoff: Updated Group Policy Extension history for
            2017-07-24;11:09:14.562;INFORMATION;SM;s-vdicitrix;41;3936;DispatchLogonLogoff: ———- Finished logon processing successfully in [s]: .
            2017-07-24;11:09:27.511;INFORMATION;;;41;3936;DispatchLogonLogoff: ———- Starting logoff processing…
            2017-07-24;11:09:27.511;INFORMATION;;;41;3936;IsRunningInTerminalServerSession: Terminal services installed.
            2017-07-24;11:09:27.511;INFORMATION;;;41;3936;IsRunningInTerminalServerSession: Console session.
            2017-07-24;11:09:27.511;INFORMATION;SM;s-vdicitrix;41;3936;DispatchLogonLogoff: UserSID = S-1-5-21-571726049-81199670-1474062468-41368
            2017-07-24;11:09:27.511;INFORMATION;SM;s-vdicitrix;41;3936;CheckUserExistsInGroup: No Entries Found In ExcludedGroups
            2017-07-24;11:09:27.511;INFORMATION;SM;s-vdicitrix;41;3936;CheckUserExistsInGroup: No Entries Found In ProcessedGroups
            2017-07-24;11:09:27.511;INFORMATION;SM;s-vdicitrix;41;3936;CheckIfUserNeedsToBeProcessed: Logon/logoff will be processed.
            2017-07-24;11:09:27.511;INFORMATION;SM;s-vdicitrix;41;3936;SessionCount::RealTimeCount – User: s-vdicitrix, Domain: SM, Session Count: 1.
            2017-07-24;11:09:27.511;INFORMATION;SM;s-vdicitrix;41;3936;DispatchLogonLogoff: ———- Finished logoff processing successfully in [s]: .

          3. “A local UPM profile has been found but the corresponding profile can not be found in the userstore. Switching to a temporary profile.”

            Login to the machine as a different user and delete the local profile. Then login again as the original user and it should create a new profile and upload it to the file share at logoff.

  20. Can you use variables like !CTX_OSNAME! and !CTX_OSBITNESS! on the Template Profile option? If not, how can you configure it properly the template profile (since profiles versions are different between OS and you cannot interchange)?

    1. I’m not sure about the variables.

      But you could always put different OSs in different OUs and configure a different GPO with different path for each OU.

  21. Hi Carl,
    Many thanks for your article.
    I want to use different paths for profile and user data (folder redirection).
    Is it possible to configure that in the same GPO or 2 GPOs are needed ?
    Thank you

    1. Are you asking about both profile central store and folder redirection? They are separate settings. You can either configure them in the same GPO or separate GPOs. UPM settings are Computer Settings, while Folder Redirection are User Settings.

  22. Carl, i am getting App Crashed for soem users and seeing Error Source “Folder Redirection” “Failed to apply policy and redirect folder”RoamingAppData” to “\\server\xahome\user\appdataa\roaming”
    When i look in the folder for the user who is experiencing crashes the roaming folder is missing. I have compared Security settings to that of a working user who has the roaming folder and they appear to be the same
    Any ideas ?

    1. While logged in as the user, go to that folder and try to create the roaming subfolder. Does it work?

        1. The User has Full Control to the share and folder?

          When you configured Folder Redirection, did you leave the box checked to grant the user exclusive access?

          1. Yes, Full control. I did speak to Microsoft and they are telling me if there is no data directed to this folder it will not be created.
            I did discover this directory had no bearin gon my Citrix environment
            What i am discovering now is I had over committed cores to my VDA’s that caused the unexpected results in my XenApp environment. After bringing that back into spec it seems the users are working fine, no app crash.
            Tomorrow will be the real test under load

  23. Hi Carl,

    are the exclusions you list here also recommended for XenApp? I would personally exclude the whole appdata\local and appdata\locallow folder from the xenapp-profiles. Any reason why I should not do that?

    Also, do you have any recommendations for Firefox exclusions?

  24. hey Carl, I have my Farm setup using Citrix Profile manager and redirecting everything to the users Home Path. I noticed the way i have my shares setup that a user can potentially see each others home directories and all its content if they browse to the home share “\\server\XAHome” . I have GPO set on the redirections for “Grant user exclusive rights” on the appdata share to enable
    Path: \\server\XAHome\%USERNAME%\AppData\Roaming
    Grant user exclusive rights to AppData(Roaming) Enabled
    Move the contents of AppData(Roaming) to the new location Enabled

    But on the Desktop, Documents, downloads and Favorites i have the setting disabled
    Grant user exclusive rights to Documents Disabled
    Move the contents of Documents to the new location Enabled

    any advise as to where i have made a mistake in setting up these shares ?

    thanks in advance

    1. Maybe permissions on the \\server\XAHome have Users (or similar) in the list but propagation is not set to “This Folder Only”.

  25. Hello Carl, do you generally not redirect AppData Roaming? I normally do for better user experience, but I have an application that is trying to access the AppData roaming folder at first start up and doesn’t have permissions to do so – it errors out. Exclusions seem to have no affect as redirecting AppData Roaming is all or nothing. Any ideas on how to get around that. Thanks in advance.

    1. I’ve been burned by AppData redirection in the past so now I avoid it. Apps assume AppData is local so they don’t limit their I/O. With redirected AppData, all of that I/O goes across the network to your file server.

      Exclusions only apply to profile files that are being backed up and restored. Since you’re redirecting, which doesn’t need backup/restore, there’s nothing to exclude.

      1. Thanks Carl, so if you don’t redirect AppData Roaming, have your users complained about some settings not being persistent between servers and reboots?

        1. UPM by default saves almost everything in AppData. If not, you’ll need to locate the application’s data and make sure UPM is configured to back it up.

          1. Ok, thank you Carl, I wasn’t aware of that. I have had to work with applications that stuff things into the wrong locations (bad code) and having to capture settings and registry keys. In case anyone is not familiar, there is a tool called Regshot that is handy for those pesky applications settings that are not persistent. It allows you to take a snapshot of the registry before and after making a change to an application and then running a compare to see what the differences are (changes were made).

          2. Hello Carl, I stopped redirecting AppData Roaming like mentioned above, but I have found several applications so far where I have had to add AppData Roaming exceptions to the Directories to synchronize or Files to synchronize settings in the File System–>Synchronization part of the UPM GPO. This was required in order for some settings to be persistent. I know you said “almost everything”, but I just thought I would follow up in case other folks might be seeing this. It has required more exceptions than I would have liked.

          3. Unless you excluded AppData\Roaming somewhere, by default, it should be roaming everything under AppData\Roaming.

  26. Hi All,

    Just a heads up to say that the Citrix documentation for UPM 5.8 “LogonExclusionCheck” is wrong. To enable LogonExclusionCheck within the UPM 5.8 .INI file – set one of the following values within the [General] section:

    LogonExclusionCheck=0
    LogonExclusionCheck=1
    LogonExclusionCheck=2

    Citrix documentation (https://docs.citrix.com/en-us/profile-management/5/upm-tuning-den/upm-logon-exclusioncheck.html) states to set the values as “EnableLogonExclusionCheck=n”. This does not work.

    Paul

    1. Also, for UPM 5.8, when using the “LogonExclusionCheck” with a value of 1 (do not download ‘Excluded Folders’ from the UPM Store) or 2 (delete ‘Excluded Folders’ from the UPM Store). UPM 5.8 does not seem to honour includes from “Directories to Synchronise” or “Folders to Mirror” if the parent folder is configured within the “Exclusion List – Directories” setting.

      Normally, UPM would exclude any folders/files configured within UPM exclusion settings and then include any files/folders explicitly included via UPM inclusion settings.

      e.g.
      Exclusion List – Directories = AppData\Local & AppData\LocalLow
      Folders to Mirror = AppData\Local\Microsoft\Windows\INetCookies & AppData\Local\Microsoft\Windows\WebCache
      “LogonExclusionCheck”=1

      This does not download the AppData\Local\Microsoft\Windows\INetCookies or AppData\Local\Microsoft\Windows\WebCache folders.

      If the “LogonExclusionCheck” value is set to 0 (disabled) then the Exclusions and Inclusions work as expected.

      Hopefully Citrix can amend the “LogonExclusionCheck” processing to support inclusions in the same way as existing exclusions/inclusions.

      Paul

  27. I would like to upgrade from UPM 4.1.2.2 to 5.8. I am using PVS for my XD image and wanted to know if I can create a new version and upgrade without affecting the rest of the environment. Will the upgrade effect the user store? Anything else to be aware of?

    1. There shouldn’t be any problem upgrading the service. But I would review the exclusions to match them with today’s standards.

      Optionally, you can upgrade the GPO templates and configure the new features.

  28. Carl you are the best,thanks man,i had a question if i applied local profile in xen application server when i updated the master image and then updated the catalog all the profile in xen applications servers
    were deleted,any ideas ?!

    1. Local profile?

      Did you enable Profile Management? If so, then it should be saving the profiles at logoff to a remote file share. If that’s not working, then we need to look in the log files to troubleshoot it.

      1. Thanks for your answer carl ,I mean Local profile not roaming nor upm ,locally on xen app server ,but when i updated the machine catalog (master image) all the profiles on xen app servers are deleted,so how can local profiles can be useful?!!

        citrix recommended three:
        Local Profiles
        Mandatory Profiles
        Roaming Profiles

        and i think my environment best practice is local profile because we are not very big organization,but this scenario is not good because every time i make change to the master image and update xen application with this changes from the master image all profile are deleted and this normal because the master image doesn’t have the local users profiles ,if u get my point ,is there any police or configuration don’t to delete the profile when i update the xen application machine catalog ?

        1. The whole point of roaming profiles is to back them up at logoff so they can be restored at logon. Enable UPM, and your problem will be solved.

          1. Hi Carl,

            This is regarding page file size on a Citrix VDA template server.
            memory :24 GB
            C drive space : 70 GB
            server os: Windows Server 2012
            What should be the size of Paging file?

            At the moment it is set to “automatically manage paging size”, but I believe thats not the recommeneded way when creating MCS machines from the template.

            Please advise.

            Thanks,
            Arshi

          2. Automatic has a minimum equal to the size of memory. If you don’t fill your memory, then you probably don’t need a large pagefile, and thus can shrink it.

  29. Hey Carl, question about Office 365 shared computer activation and UPM. Under “Exlusions – 5.5 and newer” you recommended excluding the licensing folder. I am wondering why the recommendation? According to the Citrix Office 365 deployment article, “The Shared Computer Activation does not impact the user’s ability to install Office 365 Pro Plus on 5 different machines.” Unfortunately our environment doesn’t have ADFS setup at the moment. We are about to push out O365 pro plus 2016 but want to make sure we do it right. Thank you!

    1. I believe the activation tickets expires in a couple days so there’s no point in roaming it.

      1. So this would require them to log in to license office daily anyway? Really appreciate the quick answer!

  30. Hi Carl, thanks a lot for writing such a detailed article.

    Please help me with following Question.

    We have XenApp 7.6 with Windows Server 2012 VDAs and Citrix UPM 5.4.1. Policies are configured from Studio.

    Now we need to upgrade UPM from 5.4.1 to 5.7. Is it correct that all I have to do is install UPM 5.7 on all VDAs? There are only 12-15 profile related policies that are similar to policies in UPM 5.7 so I don’t think I have to be worried about the policy changes. I, of course, will take the back up of the profiles on NAS.

  31. I had to add AppData/Local/Packages to the Mirror list to get the Start Menu to work on Windows Server 2016/XA 7.13

    Without it the Start Menu wouldn’t appear.

      1. It was my own experimentation,

        I was getting these errors in Application log when I clicked on the start menu or search button;

        Failure to load the application settings for package Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy. Error Code: 5
        Failure to load the application settings for package Microsoft.Windows.Cortana_cw5n1h2txyewy. Error Code: 5

        and in the UPM log there was an error when logging on to the server.

        2017-05-09;14:39:42.523;ERROR;—-;——;19;8792;ResetSecurityForRS1StartMenu: target file C:\Users\———–\Appdata\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\ac does not exist

        1. Chris did you ever find a solution for this? I am getting the exact same error in my logs. My start menu will not work at all. Only time it work is when I remove the delivery group from my Citrix Profile Management Policy.

  32. Should Creator Owner have Full Control on Subfolders and Files? The very last screenshot show Creator Owner with Modify permissions on Subfoldres and Files.

    1. I tried it again and it showed Modify instead of Full Control. To avoid confusion, I forced it to Full Control and updated the screenshot. Thanks for noticing.

    1. Optional. I include it because some home folders are in a subdirectory. There’s no harm in having two backslashes in the path.

  33. Hi Carl,
    i must say that your blog has really been very beneficial to me.
    now i do have a question, please guide me on how to configure a GPO for defining the user home directory in the Active Directory so that i can redirect folders like my documents, desktop etc.

    Thanks in advance

    1. There’s a GPO setting for RDS: Computer Config > Admin Templates > Windows Components > RDS > RDSH > Profiles. But this is only for RDS.

      I’m not aware of a GPO setting for non-RDSH.

      Most companies use scripts to create users and home directories. Or an Identity Management tool to automate user creation with home directory.

      1. HI Carl,

        for citrix Xendesktop MCS, i need to create a startup program or create a shortcut on users desktop using group policy for only users in a certain security group.How should I do this, is it user configuration/or computer config?
        eg; for creating a shortcut, how do I specify the target path? As users will be logging on to any one of the 5 MCS servers, i cant specify any one server in the target path!
        or should I just put C:\xxxxx in the target path and add all the servers in the item level targeting?

        is there any other way?

        1. Group Policy Preferences lets you create Shortcuts with Item Level Targeting. Is that what you’re asking?

  34. Hi Carl,

    in your section “Exclusions – 5.5 and newer”, Point 15 you wrote that the folders start menu and/or FTA have to be included in the “directories to synchronize”. One of these folders is “AppData\Local\TileDataLayer”.
    In Point 26 you state that TileDataLayer should be put into “Folders to Mirror”.
    I’m a little bit confused at the moment – where should I put this folder?
    Maybe you can explain the difference between “directories to synchronize” and “folders to mirror”?

    Thank you,
    Holger

    1. Citrix has several articles on roaming Start Menu and they are not consistent. Since both settings end up synchronizing the folder, I don’t see any harm in specifying both. Mirroring is for specific types of folders containing .dat files.

  35. Hi Carl. First thanks for the guide.

    Im having an issues. I have a program which work with data in appdata/locallow folder. But somehow i can’t get UPM to roam the folder no matter what i do, do you have any solution or quick guide that explains what to do?

    best regard Brian C.

    1. Adding the folder to Folders to Sync should work. There’s a separate policy for Files to Sync. You can also try Folders to Mirror.

        1. Just upgrade the service on each VDA. As for GPO, replace the ADMX templates and configure whatever new settings you want to enable.

  36. Hi Carl,
    I would like to implement the mandatory profile.
    If I understand correctly, the mandatory profile would make sure that any user who logs on to the vm, will always have the same profile (Mandatory) loaded, in my case, locally (it’s possible on local disk ?).

    eg .:
    User01 logged in to VM and its profile is the folder c: \ users \ mandatory;
    User02 logged in to VM and its profile is always the folder c: \ users \ mandatory;

    In this way the login performance improves, because the profile is already created when the user logs on, right?

    Now after doing the steps in the section “Mandatory Profile – Citrix”, I do also those of the redirect etc etc, or not?

    Thanks for all.

      1. Hi Carl , thanks for your reply.
        Another question.
        If I do not create the Folder Redirection, the Mandatory Profile, even redirect the Desktop folder, Documents, etc., in the same Mandatory profile folder for all users ?

        Thanks.

        1. If no folder redirection, when the user logs off, it’s deleted. Each user gets a different copy of the mandatory profile.

  37. Hi Carl

    Though I could configure GPO but I have a limited access to the “Domain Controller to copy the admx templates over”. The other option left would be to use “citrix policy” node with GPO to configure UPM. I understood GPO is preferable to citrix-policies wherever possible.

    However since “adm” template is also available for “ctxprofile”, this could be imported and used for UPM configuration. But is there anywhere I could find “adm template” for “CitrixBase” also. It seems not to be on XendDesktop ISO.

  38. Carl,

    Do you have a recommendation for creating default user profiles in windows 10? We are a government agency that is required to use applications provided by the state. Quite a few of those applications require the use of Internet Explorer and have OCX and controls that need to be installed as the user. We would like to go through the process of installing all of these once and keep them in a default profile so future users get access without getting prompted to install controls they do not have access rights to install.

    Thanks!

    John

  39. Hi Carl,

    I noticed that, in the Citrix Policies node in an Active Directory policy, settings for Profile Management also exist. Can they be used to configure the Profile Management environment? I am trying but having some problems. If they cannot be used, why is it there?

    1. I can’t think of any advantage of using Citrix Policies to configure UPM instead of regular GPO ADMX template. The only reason they are available in Citrix Policies is for environments that are not allowed to use group policies. You can also use Citrix WEM to configure UPM.

  40. Hi Carl,

    we were running one VDA server with around 80 plus users. Now thinking of moving to a citrix Farm. We created a VDA template and using the provisioning service we create 3 VDAs.
    I added a test user to the new delivery group that points to one of the 3 VDAs, everything except the outlook works. When we open outlook, it gives, outlook cannot be open, system resources are crtically low, etc..
    I tried the user to the old delivery group which pointed to the only one original VDA, still got the same error.
    So , somehow it had currupted the user profile. I re-created the profile, still same error.
    So I had to remove the user from new deliverygroup (pointing to PVS VDAs), re-create the profile,-> so user logge don to the old VDA and it works again fine.

    Why is only outlook affected when moving user to new delivery group? User profiles are stored on only 1 single server.

    Is there any settings need to be done on the profile management setting? Please advise!!

    Thanks,
    Arshi

    1. If you still have the corrupted profile, can you get procmon traces of a good Outlook and bad Outlook and compare them?

      1. Carl, thanks for replying. I figured that if I rdp to one of the VDA and open outlook, i get the same error. So, i think its more windows. Is there any Citrix recommendation on installing outlook on VDA templates?
        Please help

  41. Carl ,UPM 5.7 Is not working with my XA6.5 Environment .You no longer have the post for 5.4 .That has always worked for me .

    1. The instructions are the same for both versions, except for the Default Exclusions in 5.5 and newer. I left the exclusions config for 5.4 and older.

      1. The profile for user ‘NAFT\testuser’ is managed by Citrix Profile management, but the user store ‘\\localfs.org\localfs-ns\ctx-userprofile\testuser’ could not be found. A temporary profile will be created for this user and no changes will be saved to their profile in this user store. Cause: The Citrix Profile Management Service on this computer could not find the profile in the specified user store. This may be because of a network issue or because the server hosting the user store is unavailable, but it may also be because the profile in the user store has been deleted or moved, or the path to the user store has changed and no longer correctly points to an existing profile in the user store. Action: Ensure the server hosting the user store is available, the network between this computer and the server is operational and the path to the user store points to an existing profile. If the profile in the user store has been deleted, delete the profile on the local machine.

        What could be causing this .I am using UPM 5.4 ,Please advise . Folders are redirecting fine .

        1. Login to the machine as a different user. Delete the local profile for testuser. Then login as testuser again.

  42. Hello Carl,

    first thanks for your great tutorials!

    We are using XenDesktop 7.6.300 with Citrix UPM 5.3.0. At the moment we have issues with “WebCacheLocal” errors when users log on.

    Do you have any recommendations to install/upgrade UPM to the latest version und test it parallel with some users?

    best regards,

    1. There shouldn’t be any problem upgrading UPM on a VDA and testing it with your existing profiles. One method of updating is to upgrade your VDA to 7.6.3000, which comes with UPM 5.6.

  43. I installed VDA 7.6 Base then 7.6.300 then CU3, I am getting an issue with “there was a problem setting up your profile” when I log on. Not sure which part caused this?

  44. Sorry….it is win 10. No.v2 or .v6 at the end.
    Ran a Procmon (via psexec) and found out some weird stuff. System is owner and has full control of the follow keys and yet it gets access denied:
    HKLM\System\CurrentCountrolSet\Services\WinSock2\Parameters
    HKU\.Default\SOFTWARE\Microsoft\ADs\Providers\LDAP\CN=Aggregate……

  45. Hi Carl,
    is it possible to configure Profile Management using the Citrix Policy GPO plug-in on a separate machine which contains only the GPMC ?
    Regards,
    Martin

      1. Hi Carl, Yet another great article. I’m struggling with what I feel like should be a straight forward solution. I have one VDA running Server 2012 R2 which I’m publishing IE11. I’m doing this as a workaround for some Java web apps that require an older version of Java. That part is working well. Now I want to create a short list of Favorites that will be used for everyone who needs this app. I create a GPO that redirects the favorites folder to a local path on the VDA. I also created a filter that will only apply to this computer name and the AD group which these users are members. The GPO is only applied to the OU where the computer is. The user accounts nor the user group are in the same container.

Leave a Reply

Your email address will not be published. Required fields are marked *