Citrix Profile Management 2411

Last Modified: Dec 7, 2024 @ 3:22 am

This article applies to all versions of Profile Management: 2411, 2402 LTSR CU1, 2203 LTSR CU5, 1912 LTSR CU9, etc.

Planning

Profile Management Versions

Profile Management is included with the installation of Virtual Delivery Agent. To upgrade Profile Management, simply upgrade your VDA software. Here are the currently supported versions of VDA:

Or you can download the individual Profile Management component and install/upgrade it separately from the VDA software. You can even install it on non-VDA machines (e.g., PCs accessed by licensed Citrix users).

For LTSR VDAs, for LTSR support compliance, only install the Profile Management version that is included with your VDA installer. Don’t upgrade to a newer Current Release version.

The latest release of Citrix Profile Management is version 2411, which can be downloaded from Citrix Virtual Apps and Desktops 2411. To find it, click Components that are on the product ISO but also packaged separately.

Profile Management Configuration Options

Profile Management consists of a Service (installed on the VDAs), a file share, and configuration settings.

There are four methods of delivering configuration settings to the Citrix Profile Management service:

If a UPM setting is not configured in GPO, Citrix Policy, or WEM, then the default setting in the UPMPolicyDefaults.ini file takes effect. The .ini file is located in C:\Program Files\Citrix\User Profile Manager on every machine that has Profile Management service installed.

Microsoft Group Policy (ADMX file) is probably the most reliable method of delivering configuration settings to the Profile Management services. This method uses the familiar Group Policy registry framework. Just copy the Profile Management ADMX files to PolicyDefinitions and start configuring. The configuration instructions in this article use the GPO ADMX method.

The Citrix Policies configuration method requires Citrix Studio, or Citrix Group Policy Management Plug-in. On the Profile Management service side, only VDAs can read the Citrix Policies settings.

  • Citrix Policies has settings for Folder Redirection. If you use Citrix Policy to configure Folder Redirection, then the Folder Redirection settings only apply to VDAs that can read Citrix Policies. To apply Folder Redirection to more than just VDAs, configure Folder Redirection using normal Microsoft Group Policy as detailed below.
  • If you’re going to use Microsoft Group Policy to configure Folder Redirection, then you might as well use Microsoft Group Policy to also configure Citrix Profile Management.

Citrix Workspace Environment Management can also deliver configuration settings to the Profile Management services. This option requires the WEM Agent to pull down the settings from the WEM Brokers and apply them to Profile Management. It can sometimes be challenging to troubleshoot why WEM is not applying the settings.

Try not to mix configuration options. If you use both WEM and GPO, which one wins?

Multiple Datacenters

For optimum performance, users connecting to Citrix in a particular datacenter should retrieve their roaming profiles from a file server in the same datacenter. If you have Citrix in multiple datacenters, then you will need file servers in each datacenter.

DFS active/active replication of roaming profiles is not supported. This limitation complicates multi-datacenter designs.

For active/active datacenters, split the users such that different users have different home datacenters. Whenever a particular user connects, that user always connects to the same datacenter, and in that datacenter is a file server containing the user’s roaming profile. StoreFront uses Active Directory group membership to determine a user’s home datacenter.

For users that connect to Citrix in multiple datacenters, there are a couple options:

  • The user’s roaming profile is located in only one datacenter – If the user connects to a remote datacenter, then the roaming profile must be transmitted across the WAN. To optimize performance, disable Active Write Back, and make sure Profile Streaming is enabled.
  • The user has separate profiles for each datacenter – There is no replication of profiles between datacenters. This scenario is best for deployments where different applications are hosted in different datacenters.

Disaster Recovery – For disaster recovery scenarios, the user’s roaming profile data (and home directories) must be recovered in a different datacenter. Here are some considerations:

  • Use DFS One-way replication. After the disaster, edit the DFS Namespace folder target to point to the file server in the DR datacenter. You must avoid multi-master DFS replication/namespace.
  • Use VMware SRM or similar to recover the entire file server in the DR datacenter.
  • A datacenter failover might result in multiple file servers accessed from a single VDA, especially if you have users split across datacenters. Use DFS Namespaces as detailed below.

DFS Namespace

DFS Namespace for central user store – The Citrix Profile Management user store path is a computer-level setting, meaning there can only be one path for every user that logs into a particular VDA. If you have different users with roaming profiles on different file servers, then you must use Active Directory user attributes and DFS namespaces to locate the user’s file server. Here is an overview of the configuration:

  • Create a domain-based DFS namespace with folder targets on different file servers. See Scenario 1 – Basic setup of geographically adjacent user stores and failover clusters at Citrix Docs for more information.
  • Do not enable two-way DFS Replication for the roaming profile shares. But you can do One-way DFS replication. See Scenario 2 – Multiple folder targets and replication at Citrix Docs for more information.
  • Edit each user in Active Directory with a location (l) attribute that matches the DFS folder name.
  • Set the Profile Management user store path to \\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!. This pulls the user’s l attribute from Active Directory and appends that to the DFS share. The folder that matches the attribute value is linked to a file server. For example, if the user’s l attribute is set to Omaha, then the user’s profile will be located at \\corp.local\CtxProfiles\Omaha\user01\Win2016v6. The Omaha folder is linked to a file server in the Omaha datacenter.
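A pre-flight check for the #l# lookup described above, added here as an example and not taken from the original article. It assumes the RSAT ActiveDirectory and DFSN modules are installed and uses a hypothetical OU name; the namespace is the one from the article's example path.

```powershell
# Added example: verify that every user's l attribute resolves to a DFS folder
# and that each DFS folder has exactly one online target.
Import-Module ActiveDirectory, DFSN

$Namespace  = '\\corp.local\CtxProfiles'           # namespace from the example path above
$SearchBase = 'OU=Citrix Users,DC=corp,DC=local'   # hypothetical OU holding the Citrix users

# The article says to avoid multi-master DFS, so flag any folder (Omaha, ...)
# that has zero or more than one online folder target.
$folders = foreach ($f in Get-DfsnFolder -Path "$Namespace\*") {
    $online = @(Get-DfsnFolderTarget -Path $f.Path |
        Where-Object { "$($_.State)" -eq 'Online' })
    [pscustomobject]@{
        Name          = Split-Path -Path $f.Path -Leaf
        OnlineTargets = $online.TargetPath -join ', '
        Problem       = if ($online.Count -ne 1) { "$($online.Count) online targets" } else { $null }
    }
}

# A user whose l attribute is empty, or does not match a DFS folder name,
# gets a user store path that does not lead to any file server.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties l
$userProblems = foreach ($u in $users) {
    $reason = if ([string]::IsNullOrWhiteSpace($u.l)) {
        'l attribute is empty'
    } elseif ($u.l -notin $folders.Name) {
        "no DFS folder named '$($u.l)'"
    } else {
        $null
    }
    if ($reason) {
        [pscustomobject]@{ User = $u.SamAccountName; Location = $u.l; Problem = $reason }
    }
}

'--- DFS folders ---'
$folders | Format-Table -AutoSize
'--- Users that will not resolve to a file server ---'
$userProblems | Format-Table -AutoSize
```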

Create User Store

This procedure could also be used to create a file share for redirected profile folders.

Create and Share the Folder

  1. Make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it CtxProfiles or similar.

  3. Right-click the folder, expand Give Access to (Windows Server 2019) or expand Share with (Windows Server 2016) and select Specific people.

  4. Give Everyone (or some other group that contains all Citrix Users) Full Control (Read/Write). Click Share, and then click Done.
  5. Go to the Properties of the folder.
  6. On the Sharing tab, click Advanced Sharing.
  7. Click Caching.
  8. Select No files or programs. Click OK, and then click Close.

Folder NTFS Permissions

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry, and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

Access Based Enumeration

With this setting enabled, users can only see folders to which they have access:

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it. Or perform a refresh.
  3. Right-click the new share and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration.
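The share, NTFS, and access-based enumeration steps above as one PowerShell script, followed by a check of the result. This is an added example, not part of the original article; the local path D:\CtxProfiles is an assumption, and it must run elevated on the file server.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values: adjust for your file server.
$FolderPath = 'D:\CtxProfiles'   # hypothetical local path on the file server
$ShareName  = 'CtxProfiles'      # folder/share name suggested in the article
$UserGroup  = 'Everyone'         # or a group that contains all Citrix users

$sidType      = [System.Security.Principal.SecurityIdentifier]
$groupSid     = (New-Object System.Security.Principal.NTAccount($UserGroup)).Translate($sidType)
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-0')  # CREATOR OWNER

# Create and Share the Folder: Full Control at the share level, offline caching
# set to "No files or programs", access-based enumeration enabled.
New-Item -Path $FolderPath -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $FolderPath -FullAccess $UserGroup `
        -CachingMode None -FolderEnumerationMode AccessBased | Out-Null
}

# Folder NTFS Permissions: the group gets Read & execute + Write on this folder
# only (no Modify, no Full Control); CREATOR OWNER gets Full Control on what it creates.
$acl = Get-Acl -Path $FolderPath
$acl.PurgeAccessRules($groupSid)   # drop existing explicit entries for the group
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $groupSid, 'ReadAndExecute, Write', 'None', 'None', 'Allow'))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $creatorOwner, 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'))
Set-Acl -Path $FolderPath -AclObject $acl

# Verify. Inherited entries are included, so a group ACE flowing down from the
# parent folder shows up as a failed check here.
$share      = Get-SmbShare -Name $ShareName
$rules      = (Get-Acl -Path $FolderPath).GetAccessRules($true, $true, $sidType)
$groupRules = $rules | Where-Object { $_.IdentityReference -eq $groupSid }
$delete     = [System.Security.AccessControl.FileSystemRights]::Delete   # present in Modify and Full Control

[pscustomobject]@{
    OfflineCachingOff    = "$($share.CachingMode)" -eq 'None'
    AccessBasedEnum      = "$($share.FolderEnumerationMode)" -eq 'AccessBased'
    GroupThisFolderOnly  = -not ($groupRules | Where-Object { $_.InheritanceFlags -ne 'None' })
    GroupWithoutModify   = -not ($groupRules | Where-Object { $_.FileSystemRights -band $delete })
    CreatorOwnerFullCtrl = [bool]($rules | Where-Object {
        $_.IdentityReference -eq $creatorOwner -and $_.FileSystemRights -eq 'FullControl' })
} | Format-List
```

Every property in the output should be True; a False on GroupThisFolderOnly means the group's permission still flows down to newly created profile folders.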

GPO ADMX Policy Template

  1. You can find the GPO ADMX templates on the main Citrix Virtual Apps and Desktops 2411 ISO in the \x64\ProfileManagement\ADM_Templates\en folder.

    • Or they are included in the standalone Profile Management download in the \Group Policy Templates\en folder.
  2. Copy the file ctxprofile.admx to the clipboard.
  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. If you have an older version of the ctxprofile.admx file in either location, delete it. Note: replacing the .admx file does not affect your existing Profile Management configuration. The template only defines the available settings, not the configured settings.
  5. Go back to the Citrix Profile Management Group Policy Template files.
  6. Copy ctxprofile.adml to the clipboard.
  7. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.
  8. If you have an older version of the ctxprofile.adml file in the en-US folder in either location, delete it.

CitrixBase:

  1. Go up a folder and then open the CitrixBase folder.
  2. In the CitrixBase folder, copy the file CitrixBase.admx to the clipboard.
  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. Go back to the Citrix Profile Management Group Policy Templates and copy CitrixBase.adml to the clipboard.
  5. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.

Group Policy Settings

  1. Edit a GPO that applies to all machines (VDAs) that have the Profile Management service installed.
  2. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management.
    • Note: if you did not install the CitrixBase.admx file, then you can find Profile Management directly under the Administrative Templates node instead of under Citrix Components.
  3. Enable the setting Enable Profile management. Profile Management will not function until this setting is enabled.
  4. If desired, enable the setting Process logons of local administrators.
  5. Enable Path to user store.
  6. Specify the UNC path to the folder share. An example path = \\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!

    1. Profile Versions – Different OS versions have different profile versions. Each profile version only works on specific OS versions. For example, you cannot use a Windows 7 profile (v2) on Windows 10 1607 (v6). The variables in the path above ensure that every unique profile version is stored in a unique folder. If users connect to multiple operating system versions, then users will have multiple profiles.
      1. Windows 10 Profile Versions – Windows 10 has two different profile versions. Windows 10 build 1511 and older use v5 profiles. Windows 10 build 1607 and newer use v6 profiles. v5 and v6 profile versions are incompatible so they should be separated.
      2. Resolved variables – With the example user store path shown above, if the user logs into Windows 2012 R2 RDSH, the profile folder will be \\server\share\user01\Win2012R2v4. If the user logs into 64-bit Windows 10 build 1607, the profile folder will be \\server\share\user01\Win10RS1v6.
      3. Windows 10 v6 vs Windows 2016 v6 – Both Windows 10 (1607 and newer) and Windows Server 2016 use v6 profiles. Do you want to use the same profile for both platforms? If so, remove !CTX_OSNAME! from the Path. Note: Windows 10 supports Store apps while Windows 2016 does not. If you’re allowing Store apps, then it’s probably best to use different profiles for both OS platforms.
      4. Windows 2012 R2 warning: in older versions of Citrix Profile Management, !CTX_PROFILEVER! recognizes Windows 2012 R2 as v2, which isn’t correct. v2 is Windows Server 2008 R2, while Windows Server 2012 R2 is v4. The profile version bug was fixed in Profile Management 5.4 and newer. If you have existing Windows 2012 R2 profiles based on the !CTX_PROFILEVER! variable set to v2, then after upgrading to 5.4 or newer, your profiles might stop working. See http://discussions.citrix.com/topic/374111-psa-upm-54-ctx-osname-server-2012-value-change/ for more details.
    2. Windows 10 and !CTX_OSNAME!: Profile Management sets !CTX_OSNAME! to different strings for different Windows operating system versions, especially different versions of Windows 10: (RS = Redstone, which is a Microsoft codeword)
      • Windows Server 2019 sets !CTX_OSNAME! to Win2019v6.
      • Windows Server 2016 sets !CTX_OSNAME! to Win2016v6.
      • Windows 10 version 1903 and 1909 set !CTX_OSNAME! to Win10RS6.
      • Windows 10 version 1809 sets !CTX_OSNAME! to Win10RS5.
      • Windows 10 version 1803 sets !CTX_OSNAME! to Win10RS4.
      • Windows 10 version 1709 sets !CTX_OSNAME! to Win10RS3.
      • Windows 10 version 1703 sets !CTX_OSNAME! to Win10RS2.
      • Windows 10 version 1607 sets !CTX_OSNAME! to Win10RS1.
    3. If you use !CTX_OSNAME! in your profile store path, then different CTX_OSNAMEs will have different profiles, which means users will lose their profile settings whenever you upgrade Windows 10.
      • Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can alleviate this problem.
    4. Multiple Domains – If you have multiple domains, in the user profile store path, change #SAMAccountName# to %username%.%userdomain% (e.g. \\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!). That way you can have the same account name in multiple domains and each account will have a different profile.
    5. Hard Code Store Path – Instead of using variables, you can specify a hard coded path. However, the profile incompatibility restrictions listed above still apply. To avoid applying a single profile across multiple operating system versions, place VDAs with different OS versions in different OUs, and then use different Profile Management GPOs on those OUs to specify different Profile Management user store paths.
    6. Migrate User Store – Profile Management 1909 and newer can move profiles from an old profile path to a new profile path.

    7. User-level overrides – Profile Management 2305 and newer support user-level overrides. First, configure Enable user-level policy settings under Advanced Settings. Then add registry keys for user group SIDs with override settings. See Enable and configure user-level policy settings at Citrix Docs.

  7. Disable Active write back. This feature places additional load on the file server and is only needed if users log in to multiple machines concurrently and need mid-session changes to be saved, or if users never log off from their sessions. Note: if you don’t disable this, then it is enabled by default.

    1. Profile Management 2303 and newer have an option to only perform Active write back on session lock and disconnection.
  8. On the left, go to the Advanced settings node.
  9. If you run Microsoft Teams 2.1 or newer, and Teams is installed per machine, then simply make sure Profile Management is version 2402 or newer. See Enable roaming for the new Microsoft Teams at Citrix Docs.
    • If Teams 2.1 is installed per-user, then enable UWP app roaming, which requires Profile Management 2308 or newer. See CTX585013 Microsoft Teams 2.1 supported for VDI/DaaS.
    • Profile Management 2411 and newer have the setting named Enable AppX package load acceleration. It requires a file share to store the VHDX files.

  10. Enable the setting Process Internet cookie files on logoff. This is probably only for Internet Explorer.
  11. The Replicate user stores setting replicates to multiple file shares. Note: this slows down logoffs. Profile Management 2209 and newer support replicating profile containers, which seems to use robocopy.exe.

    • In Profile Management 2407 and newer, for the container-based profile solution, the Enable in-session policy container failover among user stores policy is automatically enabled to ensure profile redundancy for the entire session.
  12. Customer Experience Improvement Program (CEIP) is enabled by default. It can be disabled here.
  13. See https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#ceip for additional places where CEIP is enabled.
  14. Profile Management 2206 adds Enable asynchronous processing for user Group Policy on logon. This might speed up logons. This feature requires you to disable Always wait for the network at computer startup and logon and enable Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services. More details at Citrix Docs.
  15. Profile Management 2311 and newer support Enable OneDrive container. It works the same way as search index roaming as detailed next. See Citrix Tech Zone Deployment Guide: Citrix Profile Management – OneDrive Container.
  16. Profile Management 7.18 and newer have Enable search index roaming for Outlook.

Notes on Outlook OST and Search roaming:

  1. Microsoft FSLogix is another Outlook search index roaming product that is now free. For details, see the FSLogix section in the computer group policy article.
  2. Profile Management 1906 and newer support 64-bit Outlook 2016 and Office 2019.
  3. VDA 1906 or newer are recommended for the bug fixes for this feature. You can upgrade the VDA without upgrading your Delivery Controllers.
  4. After the first user logon, Profile Management 1811 and newer creates a template VHDX file in a folder named UpmVhd at the root of the user store. The template file is copied to new users, thus speeding up VHDX creation.

  5. In the user’s profile location, a new folder called VHD is created.

    • You can override the VHDX path by configuring Customize storage path for VHDX files as detailed at Citrix Docs.
  6. Inside the \VHD\Win2016 folder are two new thin provisioned .vhdx files – one for OST, one for Search. The per-user .vhdx files are copied from the parent template.
  7. UPM grants Domain Computers Full Control of the VHDX files. Users must have Full Control to the Profile Share and the UPM folder to be able to grant this permission. Modify permissions are not sufficient. (Source = Robert Steeghs The Citrix Profile management could not mount virtual disk)
  8. When the user logs into a Citrix session, the two VHDXs are mounted to %localappdata%\Microsoft\Outlook and %appdata%\Citrix\Search. This means that OST files and Search Indexes are stored in the VHDX instead of in the user’s profile.


  9. eastwood357 at Outlook OST and Search vhdx not unmounting after log off at Citrix Discussions says that the Profile Management Path to User Store must be all lower case or else the VHDX files will not unmount at logoff.
  10. Only enable this feature for users with new Outlook profiles. If the user already has an .ost file, then you’ll see an error about missing .ost when Outlook is launched.
  11. The Search roaming feature is only supported with specific versions of Windows Search service. Event Log will tell you if your Windows patches are too new.
  12. Profile Management 2206 and newer have an option for Enable concurrent session support for Outlook search data roaming.

    • In older Profile Management, VHDX files can only be mounted on one machine at a time. If you log in to two VDAs, and if both try to mount the same VHDX files, then you’ll see errors in Event Viewer.
  13. Search Index Backup – Profile Management 1909 and newer have a GPO setting named Outlook search index database – backup and restore that can provide automatic recovery of the search index if it becomes corrupted. The backup consumes more of the available storage space of the VHDX files.
  14. For a detailed explanation of how the per-user Search Index works, see CTX235347 Citrix Profile Management: VHDX-based Outlook cache and Outlook search index on a user basis.
  15. Profile Management 2109 and newer can Automatically reattach detached VHDX disks. In Profile Management 2203 and newer, it’s available as a group policy setting under the Profile Management | Advanced Settings node.
  16. Profile Management 2303 and newer have a Profile Container GPO setting to Enable VHD disk compaction on user logoff. See Citrix Docs.

    • Additional disk compaction settings can be found under Advanced Settings.

Exclusions, Synchronization, and Mirroring

  1. Profile Management 2209 and newer have File Deduplication > Files to include in the shared store for deduplication. You must specify which files to delete from each user’s profile and instead store in a shared location. See Citrix Docs. Profile Management 2311 supports file deduplication of profile containers.
  2. Under the File system node in the Group Policy Editor, enable the setting Enable Default Exclusion List – directories.
  3. You can use checkboxes to not exclude some folders.
  4. Then edit Exclusion list – directories.
  5. Enable the setting, and click Show.

  6. For Edge Chromium, see Avanite Roaming Edge Chromium.
  7. For Chrome, use the same list as Edge but change \Microsoft\Edge to \Google\Chrome.
  8. Add the following to the list.
    AppData\Local\Microsoft\Windows\INetCache
    AppData\local\Microsoft\Windows\IEDownloadHistory
    AppData\Local\Microsoft\Internet Explorer\DOMStore
    AppData\Local\Google\Software Reporter Tool
    AppData\Roaming\Microsoft\Teams\media-stack
    AppData\Roaming\Microsoft\Teams\Logs
    AppData\Roaming\Microsoft\Teams\Service Worker\CacheStorage
    AppData\Roaming\Microsoft\Teams\Application Cache
    AppData\Roaming\Microsoft\Teams\Cache
    AppData\Roaming\Microsoft\Teams\GPUCache
    AppData\Roaming\Microsoft\Teams\meeting-addin\Cache
  9. Newer versions of Office Click-to-run let you roam the shared computer activation licensing token. See Overview of shared computer activation for Office 365 ProPlus and search for “roam”. The licensing tokens also last 30 days instead of 2-3 days. Source = Rick Smith in the comments. Ideally you should have ADFS integration so users can seamlessly re-activate Office.
  10. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  11. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of exclusions for IE in Enterprise Mode.
    appdata\local\microsoft\internet explorer\emieuserlist
    appdata\local\microsoft\internet explorer\emiesitelist
    appdata\local\microsoft\internet explorer\emiebrowsermodelist
  12. Then click OK twice to return to the Group Policy Editor.
  13. usrclass.dat*.
    1. Profile Management 1909 and newer automatically include usrclass.dat* in the Files to Synchronize. UPM 2103 and newer add it for Windows 10 but not for RDSH. If added to the exclusion list, then Profile Management 1909 and newer automatically removes it from the exclusion list. See Start menu roaming at Citrix Docs.
    2. usrclass.dat* contains file type associations. For roaming file type associations, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
  14. Clean up excluded folders – If you add to the exclusions list after profiles have already been created, Profile Management 5.8 has a feature that can delete the excluded folders at next logon. See To enable logon exclusion check at Citrix Docs. In Profile Management 7.15 and newer, Logon Exclusion Check is configurable in group policy under the File System node.

    1. Also see Muralidhar Maram’s post at Citrix Discussions for a tool that will clean up the existing profiles.
    2. Also see Jeremy Sprite Clean Citrix UPM Profiles.

Directories to Synchronize

  1. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  2. Edit the setting Directories to synchronize.
  3. Enable the setting, and click Show.
  4. Profile Management 7.16 Fixed Issues says that AppData\Local\Microsoft\Windows\Caches should be synchronized. Also see CTX234144 Start Menu Shows Blank Icons on VDA 7.15 LTSR CU1/7.16/7.17 with UPM Enabled.
  5. CTX489573 Office 365 – Account Error: Sorry, we can’t get to your account right now says that Appdata\local\microsoft\identitycache should be synchronized.
  6. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
    AppData\Local\Microsoft\Windows\Caches
    AppData\Local\Microsoft\Credentials
    Appdata\local\Microsoft\identitycache
    Appdata\Roaming\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Crypto
    Appdata\Roaming\Microsoft\Protect
    Appdata\Roaming\Microsoft\SystemCertificates

  7. Start Menu and File Type Associations:
    1. If Windows 10 1703 or newer, see James Rankin Roaming profiles and Start Tiles (TileDataLayer) in the Windows 10 1703 Creators Update for information on the new location for Tile data. Citrix Profile Management 5.8 and newer should handle this automatically.
    2. See David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
    3. To roam Start Menu and/or File Type Associations in Windows 10 or Windows Server 2016, see CTX214754 Error “An app default was reset” after signout and Logon in Citrix UPM for info on why this is difficult.
    4. Instead of roaming usrclass.dat, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
    5. Daniel Feller at Sync the Windows 10 Start Menu in VDI says that configuring SettlementPeriodBeforeAutoShutdown might improve reliability of Start Menu roaming, assuming users log out of the virtual desktop instead of rebooting the virtual desktop. On a Delivery Controller, open PowerShell, and run the following:
      asnp citrix.*
      Set-BrokerDesktopGroup -Name "NAME_OF_DESKTOP_GROUP" -SettlementPeriodBeforeAutoShutdown 00:00:15
    6. With VDA 7.15 Update 1, the icons on the Start Menu of Windows 2012 R2 and Windows 2016 are sometimes blank.

  8. Click OK twice.

Files to Synchronize

  1. Edit Files to synchronize.
  2. Enable the setting, and click Show.

  3. Add the following three entries so Java settings are saved to the roaming profile:
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
    
  4. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  5. Citrix’s Start Menu Roaming documentation says that Appdata\Local\Microsoft\Windows\UsrClass.dat* should be added to the list. Profile Management 1909 and newer automatically add Appdata\Local\Microsoft\Windows\UsrClass.dat* to the Files to Synchronize list.

    • You can disable the automatic inclusion of these folders by enabling the setting Disable automatic configuration located under Advanced Settings.
  6. Then click OK twice to return to the Group Policy Editor.

Folders to mirror

  1. Under File System, in the Synchronization node, enable the setting Folders to mirror.
  2. Enable the setting, and click Show.

  3. Add the following:
    AppData\Roaming\Microsoft\Windows\Cookies
    AppData\Local\Microsoft\Windows\INetCookies
    AppData\Local\Microsoft\Windows\WebCache
    AppData\Local\TileDataLayer
    AppData\Local\Microsoft\Vault
    AppData\Local\Microsoft\Windows\Caches
    AppData\Local\Packages
    AppData\Local\Google\Chrome\User Data\Default
  4. Click OK.
  5. Profile Management 2106 and newer have a setting called Accelerate folder mirroring that stores the mirrored folders in a VHDX file instead of copying back and forth at login and logoff.

    • UPM creates a folder named MirrorFolders in the user’s UPM path and creates a couple thin-provisioned VHDX files in that path.
    • Disk Management shows that the mounted Diff disk has a 50 GB capacity limit.
    • Logging into multiple sessions concurrently results in multiple Diff disks.
    • If the file server is unavailable then unpredictable behavior occurs. After the file server is back up, the session continues to misbehave and won’t recover until users log off and log back on. Plan for file server high availability that can handle always-open VHDX files. DFS won’t help you.
    • Profile Management 2109 and newer can Automatically reattach detached VHDX disks.
  6. According to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Configuration > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.

Profile Container

Profile Management 2407 and newer have new Container features, including:

  • In-session profile container failover among multiple user stores – Citrix Docs
  • Registry exclusion and inclusion support extended to container-based profile solution – Citrix Docs
  • Reset container-based profiles without the risk of losing user data – Citrix Docs
  • Collects statistical data on VHD compaction actions and provides it to Workspace Environment Management (WEM) for reporting

To configure profile container:

  1. Profile Management 1903 and newer have a Profile container setting.
    • In Profile Management 2009 and newer, the Profile container setting moved to its own node.
    • In older versions of Profile Management, Profile Container is located under File System | Synchronization.
  2. Click the Show button to specify profile paths that should be placed in the mounted file share profile disk (VHDX file) instead of copied back and forth at logon and logoff.
    • In Profile Management 2009 and newer, you can specify * to put the entire profile in the Container. Then use the other two settings to exclude folders from the Container. See Profile Container at Citrix Docs.

    • In Profile Management older than version 2009, this setting is for large cache files (e.g. Citrix Files cache) and is not intended for the entire profile.
  3. Profile Management 2103 and newer have a setting to Enable local caching for profile containers. Combine this with Profile Streaming for faster logons. The entire profile should be stored in the profile container.
  4. Profile Management 2311 and newer can Log off users when profile container is not available during logon.
  5. On the left, under Advanced Settings, Profile Management 2103 and newer have a setting to Enable multi-session write-back for profile containers. This setting applies to both UPM Profile Container and Microsoft FSLogix Profile Container. If the same user launches multiple sessions on different machines, changes made in each session are synchronized and saved to the user’s profile container disk.
  6. Profile Management 2109 and newer can Automatically reattach detached VHDX disks.
  7. Citrix recommends using Profile Container for Microsoft Teams.
  8. See CTX247569 Citrix Profile Management: Troubleshooting Profile Containers.
  9. Profile Management 2209 and newer can replicate the profile container to multiple shares. 

    • In Profile Management 2407 and newer, for the container-based profile solution, the Enable in-session policy container failover among user stores policy is automatically enabled to ensure profile redundancy for the entire session.
  10. Profile Management 2308 and newer can auto-expand the container.

    • Advanced settings node has additional auto-expansion settings.
  11. On the CVAD 2311 and newer ISO, at \x64\ProfileManagement\Tools is a script that can migrate profiles from FSLogix to Citrix Profile Container. Prior to CVAD 2311 the Tools folder is not on the CVAD ISO but is instead included with the separately downloaded Profile Management. See Migrate user profiles at Citrix Docs.

Registry Exclusions

  1. On the left, under Profile Management, click Registry.
  2. On the right, open Enable Default Exclusion List.
  3. Enable the setting. You can use the checkboxes to control which registry keys you don’t want to exclude.
  4. According to Citrix CTX221380 Occasionally, File Type Association (FTA) Fails to Roam with Profile Management 5.7 on Windows 10 and Windows Server 2016, Software\Microsoft\Speech_OneCore should be unchecked. Click OK.
  5. The setting Exclusion List under Registry lets you exclude registry keys from the roaming profile.
  6. Nick Panaccio in the comments says that if Office with ADFS constantly prompts for login, then you should exclude the following:
    Software\Microsoft\Office\16.0\Common\Identity
  7. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of registry exclusions for IE in Enterprise Mode.
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieUserList
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieSiteList
  8. Click OK when done.
  9. For the NTUSER.DAT backup setting, which is disabled by default, you can enable it to provide some resiliency against profile corruption.

Log Settings

  1. In the Log Settings node, enable the Enable logging setting. This will make it easy to troubleshoot problems with Profile Management. The logfile is located in C:\Windows\System32\LogFiles\UserProfileManager.
  2. Edit the Log settings setting.
  3. Enable the setting and check the boxes next to Logon and Logoff. Click OK.
  4. If your VDA is a Provisioning Services Target Device and/or non-persistent, consider moving the log file to the local persistent disk (e.g. D:\Logs), or to a central share. If a central share, the VDA computer accounts (e.g. Domain Computers) will need Modify permission to the log file path. To change the log file path, edit the Path to log file setting.


  5. CTX123005 Citrix UPM Log Parser
  6. CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

Profile Streaming

  1. Go to the Profile handling node under Profile Management.
  2. Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can migrate existing profiles when you upgrade the version of Windows 10. This setting requires the !CTX_OSNAME! variable in your profile store path.
  3. Enable the setting Delete locally cached profiles at logoff. Note: this might cause problems in Windows 10.

    Helge Klein has a tool to delete locally cached profiles on a session host. http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/. This tool should only be needed if profiles are not deleting properly.
  4. For Windows 10/2016 machines, CTX216097 Unable to Delete NTUSER.DAT* Files When a User Logs off recommends setting Delay before deleting cached profiles to 40 seconds.

  5. Enable the setting Migration of existing profiles and set it to Local and Roaming. See Citrix CTX221564 UPM doesn’t migrate local user profile since version 5.4.1.

  6. Enable the setting Local profile conflict handling, and set it to Delete local profile. Note: this might cause problems on Windows 10.

  7. For fastest logons, Citrix recommends Profile streaming + Enable profile streaming for folders + Accelerate folder mirroring all enabled, or only enable Profile Container for the entire user profile. More details at CTX463658 Reduce logon time with Profile Management.
    1. Under Profile Management > Streamed user profiles is Profile streaming. Enable this setting to speed up logons.
    2. Profile Management 2103 and newer have a setting to Enable profile streaming for folders, which should speed up logons. In Profile Management 2402 and newer, profile streaming for folders is enabled by default.
    3. Profile Management 2106 and newer have a setting under File System > Synchronization called Accelerate folder mirroring that stores the mirrored folders in a VHDX file instead of copying back and forth at login and logoff.
    4. Profile Management 2206 adds Enable profile streaming for pending area. Enable this setting if users run multiple Citrix sessions concurrently and you have Active Write Back enabled.
  8. Profile Management 7.16 and newer have a XenApp Optimization (aka Citrix Virtual Apps Optimization) feature, which uses Microsoft UE-V templates to define specific settings that should be saved and restored at logoff and logon. See George Spiers XenApp Optimization (new in CPM 7.16+) for details.

  9. After modifying the GPO, use Group Policy Management Console to update the VDAs.
  10. Or run gpupdate /force on the VDAs, or wait 90 minutes.

App Access Control

Profile Management 2303 and newer support app access control. This is similar to FSLogix App Masking.

Citrix WEM Tool Hub has a GUI-based Rule Generator.

  1. In Workspace Environment Management Web Console, various places in the console have a link to download the WEM Tool Hub. For example, in a Configuration Set > Printers, click Add from print server.
  2. Extract the WEM Tool Hub and run Citrix.WEM.AdminToolHub.exe.
  3. Click Rule Generator for App Access Control.
  4. Click Create app rule. WEM 2411 adds Redirect as an option. Otherwise choose Hide.
  5. Redirect lets you redirect Files, Folders, Registry keys or Registry values.
  6. If Hide:
    1. Click Scan to select an app installed on the local machine.
    2. The tool scans the selected app and automatically adds rules for the app. Click Add when done.
    3. Give the app a name and click Next.
    4. Assign the rule to users, computers, or processes. 2411 and newer let you specify Exclusions. Click Done.
  7. Select the app rules and click Generate raw data.
  8. Click Save to file.
  9. Use WEM or Group Policy to push the string to the VDAs. App Access Control is currently a preview feature. Enable it in Citrix Cloud > Workspace Environment Management > Manage > Web Console > Home page > Preview features.

  10. Then edit a Configuration Set. Go to Profiles > Profile Management Settings and find App access control. Browse to the .rule file saved earlier.

If you don’t have access to WEM Cloud, then the PowerShell Rule Generator is on the CVAD 2311 or newer ISO under \x64\ProfileManagement\Tools. Prior to CVAD 2311, the Tools folder is in the downloaded standalone Profile Management.

  1. The CPM_App_Access_Control_Config.ps1 PowerShell script is in the Tools folder.
  2. The Rule Generator script lists all locally installed apps and asks you to choose one.
  3. The tool auto-generates some rules for the app and asks you to edit the rules or go to the next step to manage assignments.
  4. You can assign groups that can view the app. When done, press 4 to generate the rules for deployment.
  5. The script can push the rules to a GPO. Or you can press 3 to generate the string that you then must configure yourself in the GPO.
  6. The GPO setting is at Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management | App Access Control. Enable the setting named App access control and paste the string that the Rule Generator provided. 

Also see CTP James Rankin QuickPost – Citrix UPM App Access Control

Mandatory Profile – Citrix Method

Profile Management 5.0 and newer have a mandatory profile feature. Alternatively, use the Microsoft method. Also see CTP James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703).

  1. Create a file share (e.g. \\fs01\profile). Give Read permission to Users and Full Control to Administrators.
  2. Login to the VDA machine as a template account. Do any desired customizations. Logoff.
  3. Make sure you are viewing hidden files and system files.
  4.  
  5. Copy C:\Users\%username% to your fileshare. Name the folder Mandatory or something like that. Citrix Profile Management does not need .v2 or .v4 or .v6 on the end.

    1. You can copy C:\Users\Default instead of copying a template user. If so, remove the Hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  6. Open the AppData folder and delete the Local and LocalLow folders.
  7. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file, and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  8. Open regedit.exe.
  9. Click HKEY_LOCAL_MACHINE to highlight it.
  10. Open the File menu and click Load Hive.
  11. Browse to the mandatory profile and open NTUSER.DAT. Note: Citrix Profile Management does not use NTUSER.MAN and instead the file must be NTUSER.DAT.
  12. Name it a or similar.
  13. Go to HKLM\a, right-click it, and click Permissions.
  14. Add Authenticated Users and give it Full Control. Click OK.
  15. With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ and http://appsensebigot.blogspot.ru/2014/10/create-windows-mandatory-profiles-in.html?m=1 for some suggestions.
  16. Citrix CTX212784 Slow User Logon When Using Mandatory Profiles – set HKCU\a\Software\Citrix\WFSHELL\SpecialFoldersIntialized (DWORD) = 1
  17. Highlight HKLM\a.
  18. Open the File menu, and click Unload Hive.
  19. Go back to the file share and delete the NTUSER.DAT log files.
  20. Create/Edit a GPO that applies to the VDAs. Make sure the Citrix Profile Management policy template is loaded.
  21. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Profile Management > Profile handling. Edit the setting Template profile.
  22. Enable the setting and enter the path to the Mandatory profile.
  23. Check all three boxes. Then click OK.
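
The registry part of this procedure (steps 8 through 19) can also be scripted. The following PowerShell is an added example, not part of the original article or a Citrix tool. It assumes the share and folder names used in steps 1 and 5 (\\fs01\profile\Mandatory) and the hive name "a" from step 12, and it writes the CTX212784 value under HKLM\a because that is where the hive is loaded.

```powershell
#Requires -RunAsAdministrator
# Added example: load the mandatory profile hive, grant Authenticated Users
# Full Control, set the CTX212784 value, unload, and remove the hive log files.
param(
    # Assumption: share from step 1 and folder name from step 5.
    [string]$ProfilePath = '\\fs01\profile\Mandatory',
    # Temporary name for the loaded hive, as in step 12.
    [string]$HiveName = 'a'
)

$ErrorActionPreference = 'Stop'

$hiveFile = Join-Path $ProfilePath 'NTUSER.DAT'
if (-not (Test-Path -LiteralPath $hiveFile)) {
    throw "NTUSER.DAT not found in $ProfilePath"
}
if (Test-Path -LiteralPath "HKLM:\$HiveName") {
    throw "HKLM\$HiveName already exists; choose another temporary hive name"
}

# Steps 9-12: load the hive under HKLM.
& reg.exe load "HKLM\$HiveName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Steps 13-14: add Authenticated Users (well-known SID S-1-5-11) with
    # Full Control on the hive root, inherited by subkeys.
    $authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $authUsers, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl = Get-Acl -LiteralPath "HKLM:\$HiveName"
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath "HKLM:\$HiveName" -AclObject $acl

    # Step 16: CTX212784 value (the value name is spelled as in the article).
    & reg.exe add "HKLM\$HiveName\Software\Citrix\WFSHELL" `
        /v SpecialFoldersIntialized /t REG_DWORD /d 1 /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg add failed with exit code $LASTEXITCODE" }

    # Show the resulting ACL so the change can be reviewed before unloading.
    (Get-Acl -LiteralPath "HKLM:\$HiveName").Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize | Out-String | Write-Host
}
finally {
    # Steps 17-18: release provider handles, then unload the hive.
    Remove-Variable acl -ErrorAction SilentlyContinue
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$HiveName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; close regedit or other tools holding HKLM\$HiveName and unload it manually"
    }
}

# Step 19: delete the hive log files that sit next to NTUSER.DAT.
Get-ChildItem -LiteralPath $ProfilePath -Force -File -Filter 'NTUSER.DAT.LOG*' |
    Remove-Item -Force
```

Any manual registry cleanup from step 15 still has to be done while the hive is loaded, so run that before the unload or do it interactively in regedit.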

Redirected Profile Folders

  1. Make sure loopback processing is enabled on your VDAs.
  2. Edit a GPO that applies to all VDA users, including Administrators.
  3. Go to User Configuration\Policies\Windows Settings\Folder Redirection. Right-click Documents, and click Properties.
  4. In the Setting drop down, select Basic.
  5. In the Target folder location drop down, select Redirect to the user’s home directory.
  6. Switch to the Settings tab.
  7. On the Settings tab, uncheck the box next to Grant the user exclusive rights. Click OK. Note: Move the contents to the new location might cause issues in some deployments.
  8. Click Yes to acknowledge this message.
  9. Right-click Desktop and click Properties.
  10. Change the Setting drop-down to Basic.
  11. Change the Target folder location to Redirect to the following location.
  12. In the Root Path box, enter %HOMESHARE%%HOMEPATH%\Desktop. It is critical that this is a UNC path and not a mapped drive. Also, since we’re using home directory variables, all users must have home directories defined in Active Directory.
  13. Switch to the Settings tab.
  14. Uncheck the box next to Grant the user exclusive rights to Desktop and click OK.
  15. Click Yes when prompted that the target is not a UNC path. You get this error because of the variable. It doesn’t affect operations.
  16. Repeat for the following folders:
    • Documents = Redirect to the User’s Home Directory
    • Desktop = %HOMESHARE%%HOMEPATH%\Desktop
    • Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites
    • Downloads = %HOMESHARE%%HOMEPATH%\Downloads
  17. Redirect the following folders but set them to Follow the Documents folder.
    • Pictures
    • Music
    • Videos

Folders not redirected will be synchronized by Citrix Profile Management.

Verify Profile Management

  1. Once Profile Management is configured, login to a Virtual Delivery Agent and run gpupdate /force.
  2. Logoff and log back in.
  3. Go to C:\Windows\System32\LogFiles\UserProfileManager and open the pm.log file. Look in the log for logon and logoff events.
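
To pull the logon and logoff entries out of the log without scrolling through it, the following PowerShell (an added example, not a Citrix tool) parses the log lines and summarizes each session. It assumes the semicolon-separated layout Date;Time;Severity;Domain;User;SessionId;ThreadId;Function: description. The sample lines, including the function names and message text, are constructed for illustration.

```powershell
# Added example. Assumed layout of each log line:
# Date;Time;Severity;Domain;User;SessionId;ThreadId;Function: description
function ConvertFrom-UpmLogLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    process {
        # Split into at most 8 fields so semicolons inside the message survive.
        $f = $Line -split ';', 8
        if ($f.Count -lt 8) { return }          # skip blank or non-record lines
        $ts = [datetime]::MinValue
        $parsed = [datetime]::TryParse("$($f[0]) $($f[1])",
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$ts)
        if (-not $parsed) { return }            # skip lines without a timestamp
        $func, $text = $f[7] -split ':\s*', 2   # "Function: description"
        [pscustomobject]@{
            Time      = $ts
            Severity  = $f[2]
            Domain    = $f[3]
            User      = $f[4]
            SessionId = $f[5]
            ThreadId  = $f[6]
            Function  = $func.Trim()
            Message   = $text
        }
    }
}

function Get-UpmSessionSummary {
    param([Parameter(Mandatory)][object[]]$Entry)
    foreach ($g in $Entry | Group-Object Domain, User, SessionId) {
        $rows   = @($g.Group | Sort-Object Time)
        $logon  = $rows | Where-Object { $_.Function -match 'Logon' }  | Select-Object -First 1
        $logoff = $rows | Where-Object { $_.Function -match 'Logoff' } | Select-Object -Last 1
        [pscustomobject]@{
            User       = '{0}\{1}' -f $rows[0].Domain, $rows[0].User
            SessionId  = $rows[0].SessionId
            FirstLogon = if ($logon)  { $logon.Time }  else { $null }
            LastLogoff = if ($logoff) { $logoff.Time } else { $null }
            # Entries that are not plain informational messages.
            Problems   = @($rows | Where-Object { $_.Severity -in 'WARNING', 'ERROR' }).Count
        }
    }
}

# Constructed sample input (not taken from a real system).
$sample = @'
2024-12-07;03:20:01.104;INFORMATION;CORP;alice;2;4312;ProcessLogon: Starting logon processing
2024-12-07;03:20:03.551;WARNING;CORP;alice;2;4312;ProcessLogon: Constructed warning; text may contain semicolons
2024-12-07;03:20:04.220;INFORMATION;CORP;alice;2;4312;ProcessLogon: Logon processing finished
2024-12-07;03:58:40.002;INFORMATION;CORP;alice;2;5120;ProcessLogoff: Starting logoff processing
2024-12-07;03:58:47.913;INFORMATION;CORP;alice;2;5120;ProcessLogoff: Logoff processing finished
this line is not a log record
'@ -split '\r?\n'

$entries = $sample | ConvertFrom-UpmLogLine

# Logon/logoff entries plus anything that is not informational.
$entries |
    Where-Object { $_.Function -match 'Logon|Logoff' -or $_.Severity -ne 'INFORMATION' } |
    Format-Table Time, Severity, User, SessionId, Function, Message -AutoSize

# One row per user session.
Get-UpmSessionSummary -Entry $entries | Format-Table -AutoSize

# On a VDA, read the real log from the folder named in step 3 instead:
# Get-Content 'C:\Windows\System32\LogFiles\UserProfileManager\*pm.log' | ConvertFrom-UpmLogLine
```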

Profile Management Troubleshooting

UPM Troubleshooter

Citrix Blog Post – UPM Troubleshooter: UPM Troubleshooter is a Windows-based standalone application that examines a live Profile Management-enabled system in a single click. It shows the Profile Management configuration and information on the Citrix products installed, can collect and send the logs, and includes a system utilities dashboard to make issue analysis simpler and quicker. See the blog post for more details.

Profile Management Configuration Check Tool

UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines whether it is optimally configured. UPMConfigCheck is designed to verify that Profile management has been configured optimally for the environment in which it is being run, taking into account:

  • Hypervisor Detection – The presence or absence of supported hypervisors (for example, Citrix XenServer, VMware vSphere, or Microsoft Hyper-V)
  • Provisioning Detection – The presence or absence of a supported machine-provisioning solution (for example, Machine Creation Services or Provisioning Services)
  • XenApp or XenDesktop – Whether it is running in a XenApp or a XenDesktop environment
  • User Store – Determines that the expanded Path to User Store exists.
  • WinLogon Hooking Test – Verifies that Profile management is correctly hooked into WinLogon processing. This test is for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and requires the user running the Configuration Check Tool to have permission to access the relevant registry keys, or an error may be returned.
  • Verify Personal vDisk enabled / disabled – Whether the Personal vDisk feature of XenDesktop is enabled
  • Miscellaneous – Other factors that it is able to determine through registry or WMI queries, such as whether the computer running Profile management is a laptop

Profile Size

Sacha Thomet at Monitor you Profile directories has a script that displays the size of profiles in a profile share.

Log Parser

CTX123005 Citrix UPM Log Parser

View Log Files using Excel

CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

1,148 thoughts on “Citrix Profile Management 2411”

  1. Hi Carl,

    We use your tutorial for building our new XenDesktop 7.15 LTS environment with Windows 10 1709 (fully patched).

    We use UPM for Profile Management. Everything works fine except Google Chrome Bookmarks sync.

    We tried different things but had no luck. The User Profiles are synching fine but upm does not sync Bookmarks.

    Folder to mirror, Files to synchronize. Nothing works.

    Do you know if there is a bug or something else within this Citrix version?

      1. Yeah, I know. The Google Chrome profile is syncing fine without a Google account. Only the bookmarks are not syncing.

          1. I had the same problem on Win 10 – 1803 with VDA 7.15 CU2 and UPM 7.15.2001.

            The file AppData\Local\Google\Chrome\User Data\Default\bookmarks is just not roaming. Everything else is working fine.

            After adding AppData\Local\Google\Chrome\User Data\Default to mirror folder list it works.

  2. Hi Carl,
    When using a mandatory profile, the paths of the Shell Folders (HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders) are not updated with the UserName path, which causes errors in some applications.
    To correct this, you need to recreate these keys as type Reg_Expand_SZ with %Username% in the path.
    Here is a script that does the job:
    # Load the hive to modify as "Ipop" before running this script
    $RegKey = "HKU:\Ipop\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"

    # Value name = path to write as REG_EXPAND_SZ
    $KeysToChange = @{
        '{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Libraries'
        '{374DE290-123F-4565-9164-39C4925E467B}'='C:\Users\%UserName%\Downloads'
        '{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}'='C:\Users\%UserName%\Saved Games'
        '{56784854-C6CB-462B-8169-88E350ACB882}'='C:\Users\%UserName%\Contacts'
        '{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}'='C:\Users\%UserName%\Searches'
        '{A520A1A4-1780-4FF6-BD18-167343C5AF16}'='C:\Users\%UserName%\AppData\LocalLow'
        '{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}'='C:\Users\%UserName%\Links'
        'Administrative Tools'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools'
        'AppData'='C:\Users\%UserName%\AppData\Roaming'
        'Cache'='C:\Users\%UserName%\AppData\Local\Microsoft\Windows\Temporary Internet Files'
        'CD Burning'='C:\Users\%UserName%\AppData\Local\Microsoft\Windows\Burn\Burn'
        'Cookies'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Cookies'
        'Desktop'='C:\Users\%UserName%\Desktop'
        'Favorites'='C:\Users\%UserName%\Favorites'
        'History'='C:\Users\%UserName%\AppData\Local\Microsoft\Windows\History'
        'Local AppData'='C:\Users\%UserName%\AppData\Local'
        'My Music'='C:\Users\%UserName%\Music'
        'My Pictures'='C:\Users\%UserName%\Pictures'
        'My Video'='C:\Users\%UserName%\Videos'
        'NetHood'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Network Shortcuts'
        'Personal'='C:\Users\%UserName%\Documents'
        'PrintHood'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts'
        'Programs'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs'
        'Recent'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Recent'
        'SendTo'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\SendTo'
        'Start Menu'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu'
        'Startup'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
        'Templates'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Templates'
    }

    # Create the registry provider drive for HKEY_USERS
    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | Out-Null

    # Check that the loaded hive contains the key
    Try
    {
        If (Get-Item -Path $RegKey)
        {
            Write-Host "Debut modification des clés …"

            # Iterate over the values to change
            $KeysToChange.Keys | % {
                # Delete the existing value
                Remove-ItemProperty -Path $RegKey -Name $_

                # Recreate the value as Reg_Expand_SZ
                New-ItemProperty -Path $RegKey -Name $_ -PropertyType "ExpandString" -Value $KeysToChange.$_ | Out-Null
            }
            Write-Host "Recréation de toutes les clés OK !"
        }
        Else {Write-Host "clé $RegKey introuvable"}
    }
    Catch {Write-Host "Erreur : " $_}

    # Disconnect the PSDrive
    Remove-PSDrive -Name HKU -PSProvider registry | Out-Null

    Write-Host "— Fin du script —"

  3. Carl can you suggest definitively what needs to be excluded/included to get outlook to work on server 2016 /7.15 CU2. User profiles are on a server and I have a policy that currently saves to Outlook folder outside the UPM but inside the user profile folder. I followed this: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/deployment-guide-office-365-for-xenapp-and-xendesktop.pdf

    However UPM keeps recreating my OST . When I turn UPM off and just apply the outlook policy that points OST to the network share, ost files are saved and reused.

    Do you have any ideas?

    1. How are you configuring your policies, are they separated? I am running a similar setting to yours with Folder Redirection. Try this GPO setting: Microsoft Outlook 2016/Miscellaneous/PST Settings and specify where you want it to be saved. I’d be using PST instead of OST.

  4. Hi Carl

    I have upgraded to 7.18, which has somehow broken UPM on the server I upgraded. Roll back to 7.17, no issues.

    Any ideas?

  5. Hello, just one question: why Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites and not Favorites = %HOMESHARE%%HOMEPATH%\Favorites? (folder redirection). Thanks for your website, it’s my bible.

  6. suggestion for the file exclusion list:
    use !ctx_localappdata!\Microsoft\Windows\UsrClass.dat{* instead (mind the bracket)

    this way the trashy regtrans-ms files are deleted while the file associations are preserved

  7. Hi Carl, I want to build a new site based on 7.15 LTSR on the same domain as the old 7.6 site. My question is, can I use Citrix Profile Management 7.15 with a 7.6 site (7.6 delivery controllers, 7.6 XenApp servers)? I need to update the XenApp servers with 7.15 Profile Management and also copy the new templates to my policy definitions folder, and redo the exclusions based on your guide for the 5.5 and newer recommendations? Also, I can specify 2 different user paths for each site, like 2 different domain OUs and security groups to which the policies are applied, so they don’t interfere with each other even if they are on the same domain?

      1. Yeah, I understand, but can I upgrade to 7.6.500 from 7.6.300 if I don’t have an LTSR contract? Also, if VMs are in different OUs and I applied a computer policy with UPM 7.15 which is only linked to that OU, and on another OU I do the same but with a different path, will it work? Do I need to use a DFS share? The OUs are on the same domain. Is that UPM 7.15.100 from the 7.6.500 the same as the one found in the 7.15 XenApp LTSR installation?

        1. If you are OK with different paths on different machines, then you can certainly link different GPOs to different machines.

          1. So in the end I could update my old 7.6.300 XenApp VDA with the Profile Management 7.15 template, put the template in the policy definitions folder, rename the win2012x64 folders in user profiles to win2012r2x64, and redo the exclusions according to the 5.5 and above guide, and I should be OK.

          2. Sure. Or you can put the updated machines in a different OU and put a new GPO on that OU. The path in the profile store would need to be different if you want to start over.

  8. Any drawbacks to mirroring ‘AppData\Local\Packages’ for the purpose of roaming UWP app data? That path is excluded by default, and I can’t find a single source online where somebody covers mirroring it to allow UWP shortcuts to roam in Profile Manager. I was considering leaving the default Windows 10 Calculator UWP app installed in App Layering 4.11, since it’s now supported, but the UWP shortcut winds up disappearing after the first logon. You also can’t search for Calculator after that initial logon.

    1. I recently had to stop excluding that folder so Store Apps would roam.

      Another option is to write a login script that reinstalls the store apps on every logon.

  9. Hello,

    To reduce (or hopefully eliminate), we are looking at excluding everything and working with inclusions to ensure only the data we want to persist will enter the roaming profile.

    Reading through comments here and on Reddit, this appears to be something others have done.
    To avoid having to re-invent the wheel with regards to inclusion lists, is anyone aware of any comprehensive inclusion lists that cover the Windows operating system (7x64, 2012R2), MS Office applications?

    Thanks in advance

  10. Hello together,

    I installed a 7.15 LTSR farm and use Citrix Profile Management. When a user has already an old profile no settings (e.g. Favorites, Outlook profile) will be “migrated”. I can see the profiles in the new 7.15 userstore but nothing is migrated. I set “migration of existing profiles”. What can I do next?

    Thanks a lot!

    Norman

  11. Hi Carl, I am having issues with Start Menu tiles not appearing on second login on Windows Server 2016 with 7.16 UPM. Here is the configuration I have set currently on the Citrix UPM GPO.

    Citrix Components/Profile Management/File system
    Policy Setting Comment
    Enable
    Default Exclusion List – directories Enabled
    !ctx_internetcache! Enabled
    !ctx_localappdata!\Google\Chrome\User Data\Default\Cache Enabled
    !ctx_localappdata!\Google\Chrome\User Data\Default\Cached Theme Images Enabled
    !ctx_localappdata!\Google\Chrome\User Data\Default\JumpListIcons Enabled
    !ctx_localappdata!\Google\Chrome\User Data\Default\JumpListIconsOld Enabled
    !ctx_localappdata!\GroupPolicy Enabled
    !ctx_localappdata!\Microsoft\AppV Enabled
    !ctx_localappdata!\Microsoft\Messenger Enabled
    !ctx_localappdata!\Microsoft\Office\15.0\Lync\Tracing Enabled
    !ctx_localappdata!\Microsoft\OneNote Enabled
    !ctx_localappdata!\Microsoft\Outlook Enabled
    !ctx_localappdata!\Microsoft\Terminal Server Client Enabled
    !ctx_localappdata!\Microsoft\UEV Enabled
    !ctx_localappdata!\Microsoft\Windows Live Enabled
    !ctx_localappdata!\Microsoft\Windows Live Contacts Enabled
    !ctx_localappdata!\Microsoft\Windows\Application Shortcuts Enabled
    !ctx_localappdata!\Microsoft\Windows\Burn Enabled
    !ctx_localappdata!\Microsoft\Windows\CD Burning Enabled
    !ctx_localappdata!\Microsoft\Windows\Notifications Enabled
    !ctx_localappdata!\Packages Disabled
    !ctx_localappdata!\Sun Enabled
    !ctx_localappdata!\Windows Live Enabled
    !ctx_localsettings!\Temp Enabled
    !ctx_roamingappdata!\Microsoft\AppV\Client\Catalog Enabled
    !ctx_roamingappdata!\Sun\Java\Deployment\cache Enabled
    !ctx_roamingappdata!\Sun\Java\Deployment\log Enabled
    !ctx_roamingappdata!\Sun\Java\Deployment\tmp Enabled
    $Recycle.Bin Enabled
    AppData\LocalLow Enabled
    Tracing Enabled

    Policy Setting Comment
    Exclusion list – directories Enabled
    List of directories to exclude:
    AppData\Local\Microsoft\Windows\INetCache
    AppData\Local\Microsoft\Internet Explorer\DOMStore
    !ctx_localappdata!\Microsoft\Office\16.0\Licensing
    AppData\Local\Microsoft\Windows\Burn
    AppData\Local\Microsoft\Windows Live
    AppData\Local\Microsoft\Windows Live Contacts
    AppData\Local\Microsoft\Windows\Temporary Internet Files
    AppData\Local\Microsoft\Terminal Server Client
    AppData\Local\Microsoft\Messenger
    AppData\Local\Microsoft\OneNote
    AppData\Local\Microsoft\Outlook
    AppData\Roaming\Microsoft\AppV\Client\Calalog
    AppData\Local\Microsoft\AppV
    AppData\LocalLow
    AppData\Local\Temp
    AppData\Local\Sun
    AppData\Roaming\Sun\Java\Deployment\cache
    AppData\Roaming\Sun\Java\Deployment\log
    AppData\Roaming\Sun\Java\Deployment\tmp
    AppData\Local\Microsoft\Windows\webcache
    AppData\Local\Microsoft\Windows\webcache.old
    AppData\Local\Microsoft\Internet Explorer
    AppData\Local\Microsoft\Windows\PriCache
    AppData\Local\Microsoft\Windows\WER
    AppData\Local\Microsoft\OneDrive
    AppData\Local\Microsoft\PlayReady
    AppData\Local\Microsoft\windows\GameExplorer
    appdata\local\microsoft\internet explorer\emieuserlist
    appdata\local\microsoft\internet explorer\emiesitelist
    appdata\local\microsoft\internet explorer\emiebrowsermodelist
    AppData\Local\Windows Live
    AppData\Local\Google\Chrome\User Data\Default\Cache
    AppData\Local\Microsoft\Internet Explorer\Recovery
    AppData\Local\Microsoft\Windows Mail
    AppData\Local\Downloaded Installations
    AppData\Roaming\Microsoft\Templates\LiveContent
    AppData\Local\Microsoft\Windows\Themes
    AppData\Roaming\Microsoft\Internet Explorer\UserData
    AppData\Local\TileDataLayer\Database
    AppData\Local\Packages
    AppData\Local\Microsoft\Windows\Caches

    Policy Setting Comment
    Exclusion list – files Enabled
    List of files to exclude:
    !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*

    Policy Setting Comment
    Logon Exclusion Check Enabled
    If profile in the user store contains files or folders
    that have been excluded: Delete excluded files or folders

    Citrix Components/Profile Management/Registry
    Policy Setting Comment
    Enable Default Exclusion list Enabled
    Software\Microsoft\AppV\Client\Integration Enabled
    Software\Microsoft\AppV\Client\Publishing Enabled
    Software\Microsoft\Speech_OneCore Enabled

    I had to exclude AppData\Local\TileDataLayer\Database folder otherwise my start menu was not even opening. We do not have startmenu roaming but I have still tried to resetCache registry on logon but still no luck.

    Thanks

    Kind Regards
    Mayur

      1. HI Carl,

        Thanks for your prompt reply as always !!

        I have applied AppData\Local\Microsoft\Windows\Caches in the exclusion list of directories and also included it in directories to sync, but still no luck with the tile issues. I am using Windows Server 2016 1607 build. I currently have the below settings.

        I have also looked at https://4sysops.com/archives/roaming-profiles-and-start-tiles-tiledatalayer-in-the-windows-10-1703-creators-update/ article and applied mentioned folders to Mirror folder list.

        Here is my current GPO

        Citrix Components/Profile Management/File system
        Policy Setting Comment
        Enable Default Exclusion List – directories Enabled

        Policy Setting Comment
        Exclusion list – directories Enabled
        List of directories to exclude:
        AppData\Local\TileDataLayer\Database
        AppData\Local\Packages
        AppData\Roaming\Microsoft\Internet Explorer\UserData
        AppData\Local\Microsoft\Windows\INetCache
        AppData\Local\Microsoft\Internet Explorer\DOMStore
        AppData\Local\Microsoft\Windows\Burn
        AppData\Local\Microsoft\Windows Live
        AppData\Local\Microsoft\Windows Live Contacts
        AppData\Local\Microsoft\Windows\Temporary Internet Files
        AppData\Local\Microsoft\Terminal Server Client
        AppData\Local\Microsoft\Messenger
        AppData\Local\Microsoft\OneNote
        AppData\Local\Microsoft\Outlook
        AppData\Roaming\Microsoft\AppV\Client\Calalog
        AppData\Local\Microsoft\AppV
        AppData\LocalLow
        AppData\Local\Temp
        AppData\Local\Sun
        AppData\Local\Microsoft\Windows\webcache
        AppData\Local\Microsoft\Windows\webcache.old
        AppData\Local\Microsoft\Internet Explorer
        AppData\Local\Microsoft\Windows\PriCache
        AppData\Local\Microsoft\Windows\WER
        AppData\Local\Microsoft\OneDrive
        AppData\Local\Microsoft\PlayReady
        AppData\Local\Microsoft\windows\GameExplorer
        appdata\local\microsoft\internet explorer\emieuserlist
        appdata\local\microsoft\internet explorer\emiesitelist
        appdata\local\microsoft\internet explorer\emiebrowsermodelist
        AppData\Local\Windows Live
        AppData\Local\Google\Chrome\User Data\Default\Cache
        AppData\Local\Microsoft\Internet Explorer\Recovery
        AppData\Local\Microsoft\Windows Mail
        AppData\Local\Downloaded Installations
        AppData\Roaming\Microsoft\Templates\LiveContent
        AppData\Local\Microsoft\Windows\Caches

        Policy Setting Comment
        Exclusion list – files Enabled
        List of files to exclude:
        !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*

        Citrix Components/Profile Management/File system/Synchronization
        Policy Setting Comment
        Directories to synchronize Enabled
        List of directories to synchronize:
        AppData\Local\Microsoft\Windows\Caches

        Folders to mirror Enabled
        List of folders to mirror:
        AppData\Local\Microsoft\Windows\CloudStore
        AppData\Local\Microsoft\Windows\Explorer

        Citrix Components/Profile Management/Registry
        Policy Setting Comment
        Enable Default Exclusion list Enabled
        Software\Microsoft\AppV\Client\Integration Enabled
        Software\Microsoft\AppV\Client\Publishing Enabled
        Software\Microsoft\Speech_OneCore Disabled

        I have tried 4 times after first login and I had only once broken tiles on 3rd attempt showing 3 tiles out of 9 default.

        Thanks

        Kind Regards

        Mayur

  12. I am unable to use “Template profile” and “Path to user store” policy simultaneously. My objective is to create profile for users who are logging in for the 1st time from “template profile” and the same profile with changes should migrate to “Path to user store” when they log off.
    Next time onwards when user logs in, their profile should be used from “path to user store” instead of applying new template profile again.

  13. Hi Carl, thank you very much for your brilliant work! Question regarding a GPO problem…

    We have a provisioned VDI environment using Citrix XenServer 7.4 on several Dell Poweredge R740 systems including Nvidia Tesla P4 cards. That comes in combination with Citrix Profilemanagement 7.15 / WEM 4.06.0000 infrastructure servers with Netscaler load balancing. The version of our provisioning server is 7.15 and so are the Citrix Target Device Driver as well as the Citrix Virtual Desktop Agent.

    That combination works well!

    Unfortunately I had installed the Citrix VDA before I had installed the Nvidia Graphics driver and assigned the GPU resources. Therefore the VDA had been provided without the HDX 3 Pro options which leads to the Nvidia Graphics adapter not being applied in our Windows 10 client virtual machines.

    No problem, I thought. Opened the golden image in private mode, uninstalled and cleaned the VDA, reinstalled it (same version) with the HDX 3 Pro option which had been offered now, rebooted and have the Nvidia Graphics adapter shown when accessing the Windows 10 client via Storefront.

    But… From that point onwards I have an error ( 7320 Computer determined to be not in a site. Error code 0x77F ) loading the user group policies. And that, at the end, causes the Profilemanagement/WEM infrastructure not to provide the profile stores anymore, because the necessary GPO could not be loaded…

    We do not have any network or domain controller trouble.

    Is it so critical to reinstall the VDA to correct a VHD?

    Any ideas?

    Kind regards,
    Bernd

  14. Hello,

    Do you already know something about this ? : When you log on a non persistent VM, some apps like Calculator are not loaded at logon. W10 1703 and 1709

    Cheers

  15. Hello,

    since 7.15 LTSR CU1/CU2 I see the following error in the UPM Logfile.

    “error updating perfmon logon/logoff counters failed”

    what does this error mean? The profile will not be loaded correctly (missing background, settings ..) and also on logoff the profile will not be deleted.

    This issue we don’t have without CU1/CU2. I already contacted Citrix support a few months ago and they said that this issue will be resolved with CU2. Unfortunately this is not the case and I am wondering why no other users have this problem. Maybe there is a special setting in the UPM profile manager that is missing in our configuration?

    Any help would be greatly appreciated,

    best regards,

    1. Hi, Like Bambi used to say : “You are not alone”. With a 300 Win7 pooled machines delivery group provisioned by PVS, I also face the very same issue. VDA and PVS are 7.15 LTSR CU1. I used the UPM Log parser and the only error found is the one you mentioned. The machines are protected by Deep Security 10 (agentless) on an ESXi 6.0 cluster, this only could be the culprit because it gave me already a lot of weird side effects. Do you use such an antimalware solution?

  16. Hi Carl, i have environment which is running xenapp 7.6 sp3, i want to build a new site inside the same domain with 7.15, is it possible to load 2 different admx profile management files and settings into the same AD and use one for the old site and policies attached to that site OU and the new ones only for the new site separate ou i am building? i want to build separate site so i can test it properly before deploying it into production
    Files will be both located under policy definitions folder, can those admx files and settings work separately without interfering with each other?

    1. or i can only import one adm template and that is the 7.15 currently running with 5.2 admx template? and i have to redo all the settings and change the network path of the profile folders and i have no idea how 7.15 will work with 7.6.300 xenapp vms with folder redirection and roaming profiles… would like to be a way to have the old site using 5.2 and its policies with old 5.2 admx template and the new one same domain but with new ou and its own policies if its possible

  17. Hi Carl,

    I am not sure if mandatory profiles would help in that case.
    We have eg. two servers called server07/server08, Citrix installed and Citrix Receiver on some workstations.
    I have defined a so called “IE10 Settings GPO” user and computer based in GPO editor eg. to define some trusted sites in IE10 and to enable Active Scripting and Cookies for these trusted sites. ProfileManagement is enabled but no profile template file is defined
    GPO is applied as usual to authenticated users.

    So far so good… and when I log directly by RDP ( without Citrix in between ) to server07/server08 and use a tool like rsop.msc then I can also see that GPO apply perfectly to all needed users and I can see the browser settings are correct.

    BUT! Now when people access server07/server08 by Citrix Receiver and open their browser none of the trusted sites are visible, it also does not make a difference if I do gpupdate / force , they have none of my GPO settings.

    That tells me that Citrix receiver uses any other profile where my GPO is not applied but I have no idea which profile Citrix is using?

    Strange is some users have then maybe my settings and some not and when I delete the ts profile from a user where it seems to work and he logs in again then again he does not see any of my IE settings.

    I don´t get it. I want to be sure that new users and existing users get my IE-GPO settings no matter what but I do not understand why it currently works for some and for some not and for some it works with 1 or 2 days delay.

    I guess Citrix uses then any kind of local profile but no idea which one it uses.

    Do you have an idea what possibly is wrong. Do I need to define a mandatory profile in order to force these GPO settings no matter what and to be sure that all users have my predefined GPO IE10 settings? Right now I do not understand why some of my GPO settings hit directly the user and some others not and never.

    1. What OS version?

      Is IE ESC enabled? GPO settings apply to ESC or non-ESC. On older OS, I’ve seen users get the IEHarden registry key when they shouldn’t.

      Isn’t there a setting or registry or something that copies per-computer settings to per-user? Why not configure the settings in the user half of the GPO?

      1. Hi Carl, both servers have Windows 2012 OS installed. Citrix is also installed and we access the apps from any workstation by Citrix Receiver 4.11. On both servers Internet Explorer Enhanced Security Configuration (IE ESC) is and was DISABLED in Server manager. I tried to define the IE settings as explained by GPO as pr. computer setting and tried it as pr. user setting. Citrix seems to ignore that and uses any profile where these IE settings do not get applied. Even when it sometimes works for some of my co-workers and just for testing I delete their ts profile and do gpupdate /force again and they logon by Citrix then it seems to have forgotten all IE settings. I thought there was a way for force new and existing users to have some special IE settings but “pr. user” and / or pr. computer GPO seems not to be the solution. It is actually only about to have a couple of trusted pages predefined for IE and to enable Active Scripting and Cookies in Trusted zone but my GPO seems not be the way to do that. I still think ProfilManagement has maybe any wrong setting or uses any default profile which does not know my GPO and some users get then my settings and some not.

  18. If UPM is configured in standalone VDA of win10 and version of win10 is upgraded, will it effect my profiles? How to make profile seamless across all platform?

  19. Hey Carl, again KUDOs for your work
    i have an issue in my folder redirection. i have the Documents GPO set to Redirect everyone’s folder to the same location path: %HOMESHARE%HOMEPATH%
    the share is populating many of the users in a folder named “Documents” instead of a folder with “username” for example
    “Share\user1\documents” would be expected. i am getting “share\documents” over and over and the only way to tell whose folder it is, is to look at the security properties
    my expectation was to see a Documents folder under each username
    Thoughts ?

    1. The issue is desktop.ini and you having administrator permissions. Google this and you’ll find many workarounds.

      1. thanks Carl, yes i have been doing the permission based work around and am a bit nervous to change the document path to redirect everyone’s folder to the same location and use \\servername\%USERNAME%\Documents or would you suggest a different unc ?
        the permission method is a bit tiring

  20. Hi Carl,

    First I want to thank you for all the knowledge you share with us.

    I’m having a problem deploying a profile template. I followed all the steps on your tutorial to create a mandatory profile (except for making it mandatory, I only need it to be the default profile) but I was unable to make it work. Checking the UPM log i see the following:

    2018-04-04;14:31:48.842;INFORMATION;CIXTEC;test3;4;6360;GetUserStorePath: Template Path: Path Out: \\profileserver\xd\perfiles.v4\plantilla.v4

    2018-04-04;14:31:49.623;ERROR;DOMAIN;test3;4;6360;RecurseRegistry: Opening the key failed with: Access denied.
    2018-04-04;14:31:49.623;ERROR;DOMAIN;test3;4;6360;CRegistryHive::ResetSecurity: Failed to reset security on registry hive .
    2018-04-04;14:31:49.623;ERROR;DOMAIN;test3;4;6360;CreateLocalProfileFromTemplate: Could not create a local profile from a template: Access denied.

    I’ve found this Citrix KB article https://support.citrix.com/article/CTX135766 which seems similar to the error I’m getting.

    My problem is that the solution presented in the article (update owner on a reg subkey) fails because I have no permissions to edit that subkey “Can’t establish a new owner on ProtectedRoots. Access Denied”. any idea about why I get that error on first place or in what to do to be able to edit owner of file?

    Thx for your help

  21. Hi Carl,

    Thanks for all the info Carl. Really respect your work here and knowledge sharing.

    Have a quick question though, currently I’ve profile redirection share hosted on a single file-server VM, and published to users via DFS. If this VM is down or rebooted for patches, Citrix clients will lose access to their roaming profiles and folder redirection.

    What do most folks typically do to make the profile shares highly available?

    Is DFS-R an option? Is that the best way to go, or do you know of other methods?

    Please help!

    1. You’re welcome to replicate, but the main requirement is that you must ensure there is no multi-master. The common option is to make sure the Namespace only points to one Target.

      Otherwise, you can backup and recover your file server VM using normal VM backup/recovery methods.

  22. Hello Carl,

    Huge fan of your work…I’m deploying 7.15 LTSR environment and I’ve been asked to deploy persistent desktops. I’ve looked at using App Layering User Layers for persistence but it looks like the feature is still in beta/labs. That really leaves me with one option which is to go with PvD which I know is deprecated on 7.17+. I’m using PVS for provisioning.

    What is the best way to configure UPM with PvD enabled? Do I need to set the regkey EnableUserProfileRedirection to “0” so the profile doesn’t redirect to P:\ and only stores on UPM. I’ve looked at the following articles but it’s a bit confusing.

    https://www.citrix.com/blogs/2012/05/21/beware-the-5050-split-with-pvd/

    https://www.citrix.com/blogs/2012/11/30/to-cache-or-not-to-cache-that-is-the-question/

    Your insights would be greatly appreciated.

    Thanks!

    1. I believe that’s correct. But most people that have tried PvD have given up due to issues. And it won’t even install on Windows 10 1709.

      How do you manage your physical PCs? Can you use the same method to manage persistent virtual desktops?

  23. Hi Guys!
    Have an issue with some User Group Policy Registry settings not applying when user logs in to Citrix server.
    It’s almost like the User Profile ntuser file is overwriting the GPO settings from DC!
    Are using UPM 7.15 on Citrix server, and It works perfect, except for this odd issue.
    Am I missing something here in regards to UPM vs GPO settings.

  24. Carl,

    We recently upgraded from Windows 10 1607 to Windows 10 1703 and for some reason UPM (version 7.15.1) stops retaining Internet Explorer 11 user data and IE Download Manager is also not working. When users download a file they cannot open, save, or save as. Clicking on any of the options does not do anything. Trying to view downloads using CTRL +J does not work as well. Have you seen anything like this or advise? There is nothing in the event or UPM log. I’ve already opened a support ticket with both Microsoft and Citrix with no luck so far..

    Environment:

    Windows 10 1703 created with Citrix App Layering
    Citrix App Layering v4.9
    7.15.1 VDAs
    Citrix PVS 7.15.1

  25. Hi Carl,

    we are running CPM 4.1.1.5 with XenApp 6.5, now we plan to upgrade to 5.8. How can I upgrade as smooth as possible?

    Cheers
    Nico

    1. Just update the service. The old GPO settings should still apply. The one exception is Active Write Back, which is enabled by default in newer versions.

      You can then update the .admx files at your leisure and configure the newer settings.

  26. You can ignore my previous post. We found an issue and we were able to resolve it. Roaming the license token folder per that MS article was simply masking the break because the roamed token didn’t force MS to reauthenticate.

    1. How did you resolve the issue? Roaming ‘AppData\Local\Microsoft\Office\16.0\Licensing’ is the only way that I’ve been able to get O365 to stay activated between non-persistent VDI devices, though all of this testing has been done within the 30 day license window.

  27. Carl. First thanks for all your help.

    We started having an issue in our non-persistent VDI environment with Office 365 that only occurred in updated versions of office. Opening a case with MS didn’t get us very far, and we are using Ivanti’s UEM (formerly AppSense Environment Manager) for user personalization.

    We kept getting activation errors.

    I came across an MS article here stating that they changed some things with Office 365 1704 and forward and they suggest you roam or offload the shared token.

    https://docs.microsoft.com/en-us/deployoffice/overview-of-shared-computer-activation-for-office-365-proplus

    Licensing token roaming Starting with Version 1704 of Office 365 ProPlus, you can configure the licensing token to roam with the user’s profile or be located on a shared folder on the network. Previously, the licensing token was always saved to a specific folder on the local computer and was associated with that specific computer. In those cases, if the user signed in to a different computer, the user would be prompted to activate Office on that computer in order to get a new licensing token. The ability to roam the licensing token is especially helpful for non-persistent VDI scenarios.

    I added this folder to AppSense Personalization as a Windows Settings group to occur at logon\logoff and locked it to our VDI environment. Everything is now working again without issues.

    Hope this helps anyone having a similar issue.

    Rick

    1. This works but will cause issues with Visio / Project Activation if you have those in your environment. Excluding the Office Licensing folder in AppData\Roaming

      We have non-persistent with Visio and Project, only way to get things to work consistently between logins was excluding that folder.

      1. We are running into the same issue (Microsoft 365 2102) even with FsLogix Profile Container and shared computer licensing. Did excluding the %localappdata%\Microsoft\Office\16.0\Licensing directory work for you?

        1. What issue are you seeing with 2102? We are seeing an issue with O365 2102 where it asks users to sign back in and when you try to it shows an error, “Sorry, another account from you organization is already signed in on the computer.” The only way to resolve the issue is to sign out and back into O365 completely. The issue does not occur on version 2008.

          1. We are seeing issues that the token is not automatically being renewed before 30 days is up and the user needs to sign out/in to refresh the token. We currently have a case opened with MS and Citrix. A workaround we are currently testing is to use gpo or a script to delete HKCU:\Software\Microsoft\Office\16.0\Common\Identity and Appdata\Local\Microsoft\Office\16.0\Licensing after x amount of days.

  28. Just after some advice please, also love the guide by the way, it was just what i needed. Would you say redirecting the AppData Roaming folder is a good choice, also does it cause any performance issues if it is redirected. Also any advice on how to manage the Windows Web Cache.

    1. I usually avoid redirecting AppData. I’ve experienced performance problems in the past.

      Where do you see that AppData Roaming is a “good choice”?

      1. I was wondering if it was redirected, would it have an impact on improving login times, one of our issues at the moment is slow login times.

  29. When creating a mandatory profile, newly created profiles will fail to copy to the network drive if AppData\local is not there. Since Office saves the activation token to that directory by default.

  30. Hello ,

    I am hardcore fan of your blogs/Post

    Getting below error in configuring UPM profile in 7:15, can you please share your suggestion.

    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;ImpersonateClientStart: Successfully impersonated a client.
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;CheckUserExistsInGroup: No Entries Found In ExcludedGroups
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;CheckUserExistsInGroup: No Entries Found In ProcessedGroups
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;CheckIfUserNeedsToBeProcessed: Logon/logoff will be processed.
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;GetUserStorePath: User Store: Path In: \\Server1\CtxProfileStr$\%username%
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;CADUser::Init: Determined user and DNS domain name: ,
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;GetUserStorePath: User Store: Path Out: \\Server1\ctxprofilestr$\user1
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;ImpersonateClientStop: Successfully stopped client impersonation.
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;SessionCount::RealTimeCount – User: user1, Domain: Domain, Session Count: 0.
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;ImpersonateClientStart: Successfully impersonated a client.
    2018-02-10;09:01:20.836;INFORMATION;Domain;user1;5;1768;NTUSER.DAT not found in userstore, try to load NTUSER.DAT.LASTGOODLOAD.
    2018-02-10;09:01:20.836;ERROR;Domain;user1;5;1768;UpmUserStore::UpdateNtuserDatWithLastGoodLoad: There is no NTUSER.DAT.LASTGOODLOAD in the path:\\Server1\ctxprofilestr$\user1\UPM_Profile\NTUSER.DAT.LASTGOODLOAD 0x2. The system cannot find the file specified.
    2018-02-10;09:01:20.836;INFORMATION;Domain;user1;5;1768;ImpersonateClientStop: Successfully stopped client impersonation.
    2018-02-10;09:01:20.836;INFORMATION;Domain;user1;5;1768;QueryLocalProfile: Profile directory read from registry: c:\users\user1
    2018-02-10;09:01:20.836;INFORMATION;Domain;user1;5;1768;QueryLocalProfile: Local profile is a UPM profile.
    2018-02-10;09:01:20.836;INFORMATION;Domain;user1;5;1768;User store not found : The system cannot find the path specified.
    2018-02-10;09:01:20.836;ERROR;Domain;user1;5;1768;ProcessLogon: A local UPM profile has been found but the corresponding profile can not be found in the userstore. Switching to a temporary profile.
    2018-02-10;09:01:20.852;INFORMATION;Domain;user1;5;1768;CreateLocalProfile: Profile directory initialized: .
    2018-02-10;09:01:20.852;INFORMATION;Domain;user1;5;1768;ImpersonateClientStart: Successfully impersonated a client.
    2018-02-10;09:01:21.524;INFORMATION;Domain;user1;5;1768;ImpersonateClientStop: Successfully stopped client impersonation.
    2018-02-10;09:01:21.524;INFORMATION;Domain;user1;5;1768;SetFileAttributesAPIWrapper: Set attributes on .
    2018-02-10;09:01:21.524;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.524;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;IsFSPathExcluded: Excluding file/directory because it is excluded by configuration (default/policy settings).
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateDirectoryAPIWrapper: Created the directory:
    2018-02-10;09:01:21.539;ERROR;Domain;user1;5;1768;GetFileAttributesAPIWrapper: GetFileAttributes of failed with: The system cannot find the file specified.
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateDirectoryAPIWrapper: Created the directory:
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.758;ERROR;Domain;user1;5;1768;RecurseRegistry: Opening the key failed with: Access is denied.
    2018-02-10;09:01:21.758;ERROR;Domain;user1;5;1768;CRegistryHive::ResetSecurity: Failed to reset security on registry hive .
    2018-02-10;09:01:21.758;ERROR;Domain;user1;5;1768;CreateLocalProfileFromTemplate: Could not create a local profile from a template: Access is denied.
    2018-02-10;09:01:21.789;INFORMATION;Domain;user1;5;1768;CRegistryHive::Unload: Unloaded registry hive .
    2018-02-10;09:01:21.805;INFORMATION;Domain;user1;5;1768;CRegistryHive::Load: RegLoadKey of to succeeded.
    2018-02-10;09:01:21.883;INFORMATION;Domain;user1;5;1768;CRegistryHive::Unload: Unloaded registry hive .
    2018-02-10;09:01:21.883;INFORMATION;Domain;user1;5;1768;DispatchLogonLogoff: Updated Group Policy Extension history for
    2018-02-10;09:01:21.883;INFORMATION;Domain;user1;5;1768;DispatchLogonLogoff: ———- Finished logon processing successfully in [s]: .
    2018-02-10;09:46:09.167;INFORMATION;;;;2192;ReadINIValue: Read: =.
    2018-02-10;09:46:09.167;INFORMATION;;;;2192;PeriodicCEIPCheck, bSendCeip=0, bNotExceedMaxFailed=1, llLastSentTime=0
    2018-02-10;09:46:09.167;INFORMATION;;;;2192;PeriodicCEIPCheck, llInstallationDateInSes=1517064362, lCurrentTime=1518252369,iRandSeconds=6348
    2018-02-10;10:32:52.044;INFORMATION;;;;2184;RefreshPolicy: Got a Full Armour policy update.
    2018-02-10;10:32:52.044;INFORMATION;;;;2184;UpmEnvironmentDefaults::Refresh: Checking environment to set configuration defaults…
    2018-02-10;10:32:52.075;INFORMATION;;;;2184;UpmEnvironmentDefaults::Refresh: Detected environment: Personal Vdisk: FALSE, Running on XenDesktop: TRUE, Assigned: FALSE, Is VM: TRUE, OS changes persist: TRUE
    2018-02-10;10:32:52.075;INFORMATION;;;;2184;ReadPolicy: Configuration value PathToLogFile set neither in policy nor in INI file. Defaulting to:

    1. Login to the machine as a different user. In Control Panel, find Profiles. Delete your local profile. Then login again.

      1. Sorry to say that, still have the same problem. Any clue of letting me know what is the problem.

          1. In order to have that , What all the stuffs in need to check in my environment or in my UPM configuration

          2. In order to have that ntuser.dat file , what i should need to be aware of the configuration in UPM 7:15
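
Added example, not part of the comments above and not Citrix tooling: a Python triage of Profile Management log lines in the semicolon-delimited format quoted in comments 20 and 30. The sample lines are copied from those two comments (plus one constructed junk line); the field names, finding labels and function names are assumptions of this example.

```python
"""Triage Citrix Profile Management (UPM) log lines: added example."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Field order as it appears in the quoted lines (names are this example's own):
# date;time;severity;domain;user;session id;thread id;message
FIELD_COUNT = 8

# Labels are this example's own; the substrings are copied from the quoted log lines.
SIGNATURES = {
    "temp_profile": "Switching to a temporary profile",
    "template_access_denied": "Could not create a local profile from a template",
    "no_lastgoodload": "There is no NTUSER.DAT.LASTGOODLOAD",
}

# Lines copied from comments 20 and 30; the last line is constructed junk.
SAMPLE_LOG = """\
2018-02-10;09:01:20.836;INFORMATION;Domain;user1;5;1768;NTUSER.DAT not found in userstore, try to load NTUSER.DAT.LASTGOODLOAD.
2018-02-10;09:01:20.836;ERROR;Domain;user1;5;1768;ProcessLogon: A local UPM profile has been found but the corresponding profile can not be found in the userstore. Switching to a temporary profile.
2018-02-10;09:01:21.758;ERROR;Domain;user1;5;1768;RecurseRegistry: Opening the key failed with: Access is denied.
2018-02-10;09:01:21.758;ERROR;Domain;user1;5;1768;CreateLocalProfileFromTemplate: Could not create a local profile from a template: Access is denied.
2018-04-04;14:31:49.623;ERROR;DOMAIN;test3;4;6360;CreateLocalProfileFromTemplate: Could not create a local profile from a template: Access denied.
2018-02-10;09:46:09.167;INFORMATION;;;;2192;ReadINIValue: Read: =.
this line is not a log record
"""


@dataclass
class UpmEvent:
    when: datetime
    severity: str
    domain: str
    user: str
    session: str
    thread: str
    function: str
    text: str


def parse_line(line):
    """Return a UpmEvent, or None when the line is not a UPM log record."""
    # Limit the split so a ';' inside the message stays in the message.
    parts = line.strip().split(";", FIELD_COUNT - 1)
    if len(parts) != FIELD_COUNT:
        return None
    date, time, severity, domain, user, session, thread, message = parts
    try:
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return None
    # Most messages read "Function: description"; some have no function prefix.
    function, sep, text = message.partition(": ")
    if not sep:
        function, text = "", message
    return UpmEvent(when, severity, domain, user, session, thread,
                    function, text.strip())


def triage(lines):
    """Summarise ERROR records and map known failure signatures to users."""
    errors = [e for e in map(parse_line, lines) if e and e.severity == "ERROR"]
    users = {}
    for e in errors:
        hits = {label for label, needle in SIGNATURES.items() if needle in e.text}
        if hits:
            users.setdefault((e.domain, e.user), set()).update(hits)
    return {
        "error_count": len(errors),
        "error_functions": Counter(e.function for e in errors),
        "users": {who: sorted(found) for who, found in users.items()},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print("ERROR records:", report["error_count"])
    for function, count in report["error_functions"].most_common():
        print(f"  {count:>3}  {function}")
    for (domain, user), found in report["users"].items():
        print(f"{domain}\\{user}: {', '.join(found)}")
```
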

  31. Your documentation is incredible as always, Carl. My “N” production farm is XenApp 6.5 on W2K8R2, and I’m currently running RDS profiles with content redirection to RDS home dirs

    I’ve been trying to determine if CPM 7.16 supports XA65, but heretofore have no clear answer. Are you able to provide any insight here?

    Thanks, Carl!

    1. There is no dependency between UPM and XenApp. However, UPM only works on certain operating systems, of which Windows 2008 R2 is one of them. So, as long as UPM supports Windows 2008 R2, it doesn’t matter what XenApp version is running on top of it.

  32. Carl,
    I am having a few issues with desktop items not staying put when users move them around. OS is Windows 10. I have followed your guides on profile exclusions/inclusions. Running 7.15 LTSR. Any ideas?

    1. I’m having users complaining about the same problem. We’re using same version that you are using. It seems like a silly thing to complain about, but I would like to resolve it as well.

      1. Have you found a resolution to this? My users are experiencing the same issues with Server 2016 and XA/XD 7.16.

  33. Hi Carl, in simple terms what are the risks when upgrading 7.7 to 7.16 when it comes to profile management. I had no issues following your awesome instructions for the delivery controllers etc. i just can’t seem to see any information on the internet regarding upgrading the profile management (are there only risks upgrading between different versions aka 2 to 5) or how to upgrade the AD Citrix plugin to enable the check the new policies (on studio machines). Which order should this be done in?

    1. Assuming there are no bugs, then Profile Management should continue functioning normally after the upgrade. Profile Management has a GPO admx template that you can upgrade at your leisure.

      What’s in 7.16 that you find compelling? Most are staying on 7.15 Update 1.

  34. Carl, I wanted to do folder redirection for appdata wherein the target is a user share on a fileserver .(1) How to do that ?
    (2) If I want client connections from the terminal server to share the same TCP/IP connection to the fileserver or multiple TCP/IP connection . How to do that

    1. Are you asking how to redirect AppData? You can do that in Microsoft GPO just like redirecting the other folders. Or is there something special about “user share” that I’m missing?

      Regarding TCP/IP connection, are you trying to configure firewall rules? Various firewall vendors and Microsoft should have documentation on how to allow SMB through firewalls.

  35. Carl, i am a bit confused and need your well trained eye/brain. My folder redirection is set to have “Documents”
    Setting: Basic (Redirect everyone’s folder to the same location)hide
    Path: %HOMESHARE%%HOMEPATH%
    My AD user setting under Remote Desktop Services Profile has the home folder set as “Connect H: to \\sever\xahome\%username%”
    My result is i have directories in my home share that read as \\server\xahome\documents for each users document directory and each user also has a \\server\xahome\username that has their appdata and outlook folders in it
    i am thinking i have a setting somewhere with a path typo or a security setting wrong but am not finding it.
    Possibly you have seen this before and can point me/open my eyes in the right direction
    thanks for what you do

    1. Login to a VDA. In command prompt, type “set h”. What do you see for the HOMESHARE and HOMEPATH variables?

      1. lol, thanks for the quick reply Carl. Apparently I have the C prompt access denied and will check the setting when I figure out where I denied that access.
        In the meantime I also noticed I had “grant user exclusive rights” enabled on the Appdata(roaming) profile which I have directed to the \\server\xahome\%username% folder and am thinking it could be the cause.

  36. Hi Carl. Long time reader, first time poster. Great site!

    Of the profile inclusions\exclusions you have listed “fixes” for, can you advise what setting you have working for roaming appx package settings (sticky notes, edge), start menu and task bar?
    The closest I have gotten is with https://4sysops.com/archives/roaming-profiles-and-start-tiles-tiledatalayer-in-the-windows-10-1703-creators-update/
    adding these folders to mirror:
    AppData\Local\Microsoft\Windows\CloudStore
    AppData\Local\Microsoft\Windows\Caches
    AppData\Local\Microsoft\Windows\Explorer
    AppData\Local\tiledatalayer.

    I also have the exclusion\inclusion list you pointed to from https://www.htguk.com/everything-you-wanted-to-know-about_23/

    XenDesktop 7.14, VDA 7.16, UPM 7.16. Tried 1703 and 1709 Windows fully patched.

    First login start menu is fine, as has been set and now enforced by the layout.xml in group policy.
    Second logon may or may not be fine, retaining the custom layout. But every logon past that point has the start menu reorganising itself and duplicating pinned icons and losing the default groups.

    I added the 15 second delay too from controller but this has not made a difference.
    Removing tiledatalayer from mirror just makes all non provisioned app packages shortcuts disappear from start menu.

    Any ideas?

      1. Thanks Nick
        Trying it out now. Initial result is that it hasn’t broken anything further but doesn’t restore the start to original layout. Will have to test with fresh user profile too.
        I had always brushed this solution aside as it was server 2016 and 1607 related which I thought could never be my issue.

        Will see how I go with it and let you know.
        Any help with my other issues, you roaming edge?

        Thanks again

  37. Hi Carl: I have a 7.13 Catalog of about 600 pooled machines; they boot from a VMware snapshot that contains recent updates. We are getting reports that sometimes Users boot up and they’re getting a Default User Profile instead of their own, while other times they get their personalized, custom Profile. I have found — from having the User share their Desktop via Skype — that in the cases where the Profile is GOOD, the Citrix UPM Service is registered and running; the ones where the Profile is DEFAULT (they don’t get their Printers, they don’t see their Home folder, etc.), the Citrix UPM Service is NOT running and is not even registered. For machines booting from a Pool, how could this happen? It’s mystifying. Any suggestions?

    1. Your VDA is 7.13? The easiest way to upgrade UPM is to upgrade the VDA. I would upgrade the VDA to 7.15 Update 1 and see if that fixes it. You can upgrade the VDA without upgrading the Controllers.

    1. Mirror: This setting specifies which folders relative to a user’s profile root folder to mirror. Configuring this policy setting can help solve issues involving any transactional folder (also known as a referential folder), that is a folder containing interdependent files, where one file references others.

      Synchronization: This setting specifies any files you want Profile management to include in the synchronization process that are located in excluded folders. By default, Profile management synchronizes everything in the user profile. It is not necessary to include files in the user profile by adding them to this list.

      https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-policies-article/xad-policies-settings-wrapper/xad-policies-settings-pm/xad-policies-settings-pm-file-system/xad-policies-settings-pm-file-system-sync.html

      1. @ citrixguyblog or @ Carl

        Just so I can understand the logic.

        If I say Exclude Appdata\local (of course it’s going to exclude all data here)

        But if I say (Sync directories)
        appdata\local\google\Chrome (this will sync Chrome folder and data with all the junk below the chrome folder, correct?)

        or if I say

        Sync a File only example
        appdata\local\google\chrome\user data\Default\bookmarks (it will only sync this bookmark file)

        Mirroring (will grab all data and folders you tell it to).
        Example:
        AppData\Local\Microsoft\Windows\INetCookies

  38. Citrix upm or rds roaming profiles… Which one is better?
    Can’t seem to find a good answer. Anybody have any opinions?

    Carl what is your experience?

    1. The whole point of UPM is to be better than RDS roaming profiles.

      Some UPM highlights: Profile Streaming, can save entire profile (including AppData/Local) with specific exclusions, merge ntuser.dat instead of overwriting, etc.

  39. Hi Carl – I’d like to ask for your opinion on an alternative config for DFS for profiles, if I might?
    I have a live Citrix site, with DR Failover to a second DC, DFS for roaming profiles. I previously had single target DFS which was manually updated when we failed over, as in your article, but I now use multi-master, but with the following option in DFSn enabled:

    Exclude Targets from outside the client’s site

    This blocks DFSn referrals from different AD sites. As my Primary and Fail-over resources are in different AD sites, including my XA/XD hosts and users don’t have access to both at once, this allows for fail-over & data sync without the need for any manual adjustments to DFS. Aside from an AD issue that prevented a server from registering in the correct site, it has worked well.

    1. That’s an interesting approach. Thanks for sharing. But ultimately, it’s up to the vendor to decide what they will support. 🙂

  40. Thanks Carl,

    This is a great article and I used it exactly for my setup but I’m having the same problem as my old setup.

    If I log on to a pc I have 2 desktop folders one is c:\users\username\Desktop and one is \\domain\profile\username\Desktop. (the one I want always)

    It always displays the generic one from c: and I want the other one. If I log into a thin client, I get the right one.

    Also, the documents folder shows \\Client\C$\users\username and is populated with all of the docs from c:

    I want strictly the desktop and documents from the redirected location no matter what I log in with.

    TB

    1. “Also, the documents folder shows \\Client\C$\users\username and is populated with all of the docs from c:”

      There is a known issue: “When you redirect the Documents folder on a Windows Vista-based or Windows 7-based computer to a network share, the folder name unexpectedly changes back to Documents”

      https://support.microsoft.com/en-us/help/947222/when-you-redirect-the-documents-folder-on-a-windows-vista-based-or-win

      I ran into this recently with 2012r2 and had to mitigate it with a GPP, delete .ini

  41. I’m looking to fix the user file associations but cannot find the location in the registry, HKCU\SOFTWARE\Classes\Applications, on the Win2k16 server. Am I missing something?

  42. Hi,

    After a VDA upgrade from 7.15 LTSR, Profile Management doesn’t work. The users do not get their profile from the profile store. After reverting to the snapshot from before the VDA upgrade, everything is fine. Does anyone else have this problem too?

      1. I will check this.

        In my environment I have 3 new additional VDA servers, with fresh installed 7.16 VDA. Everything is fine.

  43. Thanks Carl,
    You always have the best solutions out there. I do have a question regarding server 2012 R2 and the pinned taskbar items not roaming. Do you know where I can have that included in the UPM profile management?

  44. Carl, is the UPM still a separate downloaded component or is it integrated with the VDA?
    …and is the WEM console a good place to manage the UPM configuration versus GPO?

    1. I’m actually adding this content to the UPM article now.

      It’s both in the VDA and separate. Usually you just need to install the VDA.

      I don’t recommend Workspace Environment Management because it adds complexity. GPOs are much simpler.
