This article applies to all versions of Profile Management: 2407, 2402 LTSR CU1, 2203 LTSR CU5, 1912 LTSR CU9, etc.
Change Log
- 2024 Aug 20 – Updated Versions section for version 2402 LTSR CU1
- 2024 Aug 4 – New features listed in Profile Container section
- 2024 July 31 – Updated Versions section for version 2407
- 2024 April 18 – added link to Citrix Tech Zone Deployment Guide: Citrix Profile Management – OneDrive Container
- 2024 April 17 – Updated Versions section for version 2402 LTSR
- Added link to Enable roaming for the new Microsoft Teams at Citrix Docs
- 2023 Dec 23 – Profile Container – updated screenshots for 2311
- 2023 Dec 18 – added info from CTX585013 Microsoft Teams 2.1 supported for VDI/DaaS.
- 2023 Sept 14 – Profile Container auto-expansion
- 2024 April 30 – Updated Versions section for version 1912 LTSR CU9
- 2023 June 2 – added Enable and configure user-level policy settings at Citrix Docs
- 2023 Apr 4 – App Access Control – added GUI Rule Generate from WEM Cloud
- 2023 Apr 1 – App Access Control
- 2023 Mar 21 – added info from CTX489573 Office 365 – Account Error: Sorry, we can’t get to your account right now
- 2022 Sep 30 – Updated Versions section for version 2209. See New Features.
- 2022 Aug 17 – added info from CTX463658 Reduce logon time with Profile Management.
- 2022 June 30 – Updated Versions section for version 2206
- For new features, search this article for 2206.
- Profile Management 2109 and newer can Automatically reattach detached VHDX disks.
- 2021 Mar 19 – Profile Streaming – Enable profile streaming for folders
- Profile Container – Enable local caching for profile containers and Enable multi-session write-back for profile containers.
Planning
Profile Management Versions
Profile Management is included with the installation of Virtual Delivery Agent. To upgrade Profile Management, simply upgrade your VDA software. Here are the currently supported versions of VDA:
- VDA Current Release 2407
- VDA Long Term Service Release (LTSR) 2402 CU1
- VDA Long Term Service Release (LTSR) 2203 Cumulative Update 5 (CU5)
- VDA Long Term Service Release (LTSR) 1912 Cumulative Update 9 (CU9)
Or you can download the individual Profile Management component and install/upgrade it separately from the VDA software. You can even install it on non-VDA machines (e.g., PCs accessed by licensed Citrix users).
For LTSR VDAs, for LTSR support compliance, only install the Profile Management version that is included with your VDA installer. Don’t upgrade to a newer Current Release version.
The latest release of Citrix Profile Management is version 2407, which can be downloaded from Citrix Virtual Apps and Desktops 2407. To find it, click Components that are on the product ISO but also packaged separately.
Profile Management Configuration Options
Profile Management consists of a Service (installed on the VDAs), a file share, and configuration settings.
There are four methods of delivering configuration settings to the Citrix Profile Management service:
- Microsoft group policy
- Profile Management GPO settings are provided by an ADMX file
- Citrix Policies
- Either in Citrix Studio > Policies node
- Or in a Group Policy Object Editor > Citrix Policy (assuming Citrix Group Policy Management Plug-in is installed)
- Citrix Workspace Environment Management (WEM)
- UPMPolicyDefaults.ini file
If a UPM setting is not configured in GPO, Citrix Policy, or WEM, then the default setting in the UPMPolicyDefaults.ini file takes effect. The .ini file is located in C:\Program Files\Citrix\User Profile Manager on every machine that has Profile Management service installed.
Microsoft Group Policy (ADMX file) is probably the most reliable method of delivering configuration settings to the Profile Management services. This method uses the familiar Group Policy registry framework. Just copy the Profile Management ADMX files to PolicyDefinitions and start configuring. The configuration instructions in this article use the GPO ADMX method.
The Citrix Policies configuration method requires Citrix Studio, or Citrix Group Policy Management Plug-in. On the Profile Management service side, only VDAs can read the Citrix Policies settings.
- Citrix Policies has settings for Folder Redirection. If you use Citrix Policy to configure Folder Redirection, then the Folder Redirection settings only apply to VDAs that can read Citrix Policies. To apply Folder Redirection to more than just VDAs, configure Folder Redirection using normal Microsoft Group Policy as detailed below.
- If you’re going to use Microsoft Group Policy to configure Folder Redirection, then you might as well use Microsoft Group Policy to also configure Citrix Profile Management.
Citrix Workspace Environment Management can also deliver configuration settings to the Profile Management services. This option requires the WEM Agent to pull down the settings from the WEM Brokers and apply them to Profile Management. It can sometimes be challenging to troubleshoot why WEM is not applying the settings.
Try not to mix configuration options. If you use both WEM and GPO, which one wins?
Multiple Datacenters
For optimum performance, users connecting to Citrix in a particular datacenter should retrieve their roaming profiles from a file server in the same datacenter. If you have Citrix in multiple datacenters, then you will need file servers in each datacenter.
DFS active/active replication of roaming profiles is not supported. This limitation complicates multi-datacenter designs.
For active/active datacenters, split the users such that different users have different home datacenters. Whenever a particular user connects, that user always connects to the same datacenter, and in that datacenter is a file server containing the user’s roaming profile. StoreFront uses Active Directory group membership to determine a user’s home datacenter.
For users that connect to Citrix in multiple datacenters, there are a couple options:
- The user’s roaming profile is located in only one datacenter – If the user connects to a remote datacenter, then the roaming profile must be transmitted across the WAN. To optimize performance, disable Active Write Back, and make sure Profile Streaming is enabled.
- The user has separate profiles for each datacenter – There is no replication of profiles between datacenters. This scenario is best for deployments where different applications are hosted in different datacenters.
Disaster Recovery – For disaster recovery scenarios, the user’s roaming profile data (and home directories) must be recovered in a different datacenter. Here are some considerations:
- Use DFS One-way replication. After the disaster, edit the DFS Namespace folder target to point to the file server in the DR datacenter. You must avoid multi-master DFS replication/namespace.
- Use VMware SRM or similar to recover the entire file server in the DR datacenter.
- A datacenter failover might result in multiple file servers accessed from a single VDA, especially if you have users split across datacenters. Use DFS Namespaces as detailed below.
DFS Namespace
DFS Namespace for central user store – The Citrix Profile Management user store path is a computer-level setting, meaning there can only be one path for every user that logs into a particular VDA. If you have different users with roaming profiles on different file servers, then you must use Active Directory user attributes and DFS namespaces to locate the user’s file server. Here is an overview of the configuration:
- Create a domain-based DFS namespace with folder targets on different file servers. See Scenario 1 – Basic setup of geographically adjacent user stores and failover clusters at Citrix Docs for more information.
- Do not enable two-way DFS Replication for the roaming profile shares. But you can do One-way DFS replication. See Scenario 2 – Multiple folder targets and replication at Citrix Docs for more information.
- Edit each user in Active Directory with a location (l) attribute that matches the DFS folder name.
- Set the Profile Management user store path to
\\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!
This pulls the user’s l attribute from Active Directory and appends that to the DFS share. The folder that matches the attribute value is linked to a file server. For example, if the user’s l attribute is set to Omaha, then the user’s profile will be located at \\corp.local\CtxProfiles\Omaha\user01\Win2016v6. The Omaha folder is linked to a file server in the Omaha datacenter.
Create User Store
This procedure could also be used to create a file share for redirected profile folders.
Create and Share the Folder
- Make sure file and printer sharing is enabled.
- On the file server that will host the file share, create a new folder and name it CtxProfiles or similar.
- Right-click the folder, expand Give Access to (Windows Server 2019) or expand Share with (Windows Server 2016) and select Specific people.
- Give Everyone (or some other group that contains all Citrix Users) Full Control (Read/Write). Click Share, and then click Done.
- Go to the Properties of the folder.
- On the Sharing tab, click Advanced Sharing.
- Click Caching.
- Select No files or programs. Click OK, and then click Close.
Folder NTFS Permissions
- Open the properties of the new shared folder.
- On the Security tab, click Edit.
- For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
- Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
- Now click Advanced.
- Highlight the Everyone permission entry, and click Edit.
- Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.
Access Based Enumeration
With this setting enabled, users can only see folders to which they have access:
- In Server Manager, on the left, click File and Storage Services.
- If you don’t see Shares then you probably need to close Server Manager and reopen it. Or perform a refresh.
- Right-click the new share and click Properties.
- On the Settings page, check the box next to Enable access-based enumeration.
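The share, NTFS and access-based enumeration steps above, scripted in PowerShell as an added example that is not part of the original article. The folder path, the share name and the function names New-UserStoreShare and Test-UserStoreShare are assumptions; the second function reports any drift from the settings the procedure describes, so it can also be run against an existing user store.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Path, share name and
# function names are assumptions; adjust them for your file server.
$Path      = 'D:\CtxProfiles'   # assumed folder on the file server
$ShareName = 'CtxProfiles'      # assumed share name
$Principal = 'Everyone'         # or a group that contains all Citrix users

function New-UserStoreShare {
    param([string]$Path, [string]$ShareName, [string]$Principal)

    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    # Share level: Full Control, offline caching off, access-based enumeration on.
    if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
        Set-SmbShare -Name $ShareName -CachingMode None `
            -FolderEnumerationMode AccessBased -Force
    } else {
        New-SmbShare -Name $ShareName -Path $Path -FullAccess $Principal `
            -CachingMode None -FolderEnumerationMode AccessBased | Out-Null
    }

    $acl = Get-Acl -Path $Path
    $id  = New-Object System.Security.Principal.NTAccount($Principal)

    # Drop explicit entries for the principal (for example Full Control or
    # Modify left by the sharing wizard), then re-add read and write only.
    $acl.PurgeAccessRules($id)
    $rights  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
    $noFlow  = [System.Security.AccessControl.InheritanceFlags]::None   # "This folder only"
    $flowAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl

    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, $rights, $noFlow, $noProp, $allow))
    # CREATOR OWNER gets Full Control on the subfolders and files a user creates.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'CREATOR OWNER', $full, $flowAll, $inhOnly, $allow))
    Set-Acl -Path $Path -AclObject $acl
}

function Test-UserStoreShare {
    param([string]$Path, [string]$ShareName, [string]$Principal)

    $findings = @()
    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
    if ($share.CachingMode -ne 'None') {
        $findings += "Offline caching is '$($share.CachingMode)', expected None."
    }
    if ($share.FolderEnumerationMode -ne 'AccessBased') {
        $findings += 'Access-based enumeration is not enabled.'
    }

    $rules  = (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }
    $delete = [System.Security.AccessControl.FileSystemRights]::Delete

    foreach ($r in $rules | Where-Object { $_.IdentityReference.Value -eq $Principal }) {
        # Anything other than "This folder only" flows down to new profile folders.
        if ($r.InheritanceFlags -ne 'None') {
            $findings += "$Principal entry flows down to profile folders ($($r.InheritanceFlags))."
        }
        # Modify and Full Control both include the Delete right.
        if ($r.FileSystemRights -band $delete) {
            $findings += "$Principal entry still has Modify or Full Control ($($r.FileSystemRights))."
        }
    }
    if (-not ($rules | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' })) {
        $findings += 'No CREATOR OWNER entry; users will not own the folders they create.'
    }
    $findings
}

New-UserStoreShare -Path $Path -ShareName $ShareName -Principal $Principal
$drift = Test-UserStoreShare -Path $Path -ShareName $ShareName -Principal $Principal
if ($drift) { $drift | ForEach-Object { Write-Warning $_ } }
else        { 'User store share matches the procedure.' }
```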
GPO ADMX Policy Template
- You can find the GPO ADMX templates on the main Citrix Virtual Apps and Desktops 2407 ISO in the \x64\ProfileManagement\ADM_Templates\en folder.
- Or they are included in the standalone Profile Management download in the \Group Policy Templates\en folder.
- Copy the file ctxprofile.admx to the clipboard.
- If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.
- If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
- If you have an older version of the ctxprofile.admx file in either location, delete it. Note: replacing the .admx file does not affect your existing Profile Management configuration. The template only defines the available settings, not the configured settings.
- Go back to the Citrix Profile Management Group Policy Template files.
- Copy ctxprofile.adml to the clipboard.
- If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.
- If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.
- If you have an older version of the ctxprofile.adml file in the en-US folder in either location, delete it.
CitrixBase:
- Go up a folder and then open the CitrixBase folder.
- In the CitrixBase folder, copy the file CitrixBase.admx to the clipboard.
- If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.
- If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
- Go back to the Citrix Profile Management Group Policy Templates and copy CitrixBase.adml to the clipboard.
- If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.
- If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.
Group Policy Settings
- Edit a GPO that applies to all machines (VDAs) that have the Profile Management service installed.
- Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management.
- Note: if you did not install the CitrixBase.admx file, then you can find Profile Management directly under the Administrative Templates node instead of under Citrix Components.
- Enable the setting Enable Profile management. Profile Management will not function until this setting is enabled.
- If desired, enable the setting Process logons of local administrators.
- Enable Path to user store.
- Specify the UNC path to the folder share. An example path =
\\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!
- Profile Versions – Different OS versions have different profile versions. Each profile version only works on specific OS versions. For example, you cannot use a Windows 7 profile (v2) on Windows 10 1607 (v6). The variables in the path above ensure that every unique profile version is stored in a unique folder. If users connect to multiple operating system versions, then users will have multiple profiles.
- Windows 10 Profile Versions – Windows 10 has two different profile versions. Windows 10 build 1511 and older use v5 profiles. Windows 10 build 1607 and newer use v6 profiles. v5 and v6 profile versions are incompatible so they should be separated.
- Resolved variables – With the example user store path shown above, if the user logs into Windows 2012 R2 RDSH, the profile folder will be \\server\share\user01\Win2012R2v4. If the user logs into 64-bit Windows 10 build 1607, the profile folder will be \\server\share\user01\Win10RS1v6.
- Windows 10 v6 vs Windows 2016 v6 – Both Windows 10 (1607 and newer) and Windows Server 2016 use v6 profiles. Do you want to use the same profile for both platforms? If so, remove !CTX_OSNAME! from the Path. Note: Windows 10 supports Store apps while Windows 2016 does not. If you’re allowing Store apps, then it’s probably best to use different profiles for both OS platforms.
- Windows 2012 R2 warning: in older versions of Citrix Profile Management, !CTX_PROFILEVER! recognizes Windows 2012 R2 as v2, which isn’t correct. v2 is Windows Server 2008 R2, while Windows Server 2012 R2 is v4. The profile version bug was fixed in Profile Management 5.4 and newer. If you have existing Windows 2012 R2 profiles based on the !CTX_PROFILEVER! variable set to v2, then your profiles might stop working after upgrading to 5.4 or newer. See http://discussions.citrix.com/topic/374111-psa-upm-54-ctx-osname-server-2012-value-change/ for more details.
- Windows 10 and !CTX_OSNAME!: Profile Management sets !CTX_OSNAME! to different strings for different Windows operating system versions, especially different versions of Windows 10: (RS = Redstone, which is a Microsoft codeword)
- Windows Server 2019 sets !CTX_OSNAME! to Win2019v6.
- Windows Server 2016 sets !CTX_OSNAME! to Win2016v6.
- Windows 10 version 1903 and 1909 set !CTX_OSNAME! to Win10RS6.
- Windows 10 version 1809 sets !CTX_OSNAME! to Win10RS5.
- Windows 10 version 1803 sets !CTX_OSNAME! to Win10RS4.
- Windows 10 version 1709 sets !CTX_OSNAME! to Win10RS3.
- Windows 10 version 1703 sets !CTX_OSNAME! to Win10RS2.
- Windows 10 version 1607 sets !CTX_OSNAME! to Win10RS1.
- If you use !CTX_OSNAME! in your profile store path, then different CTX_OSNAMEs will have different profiles, which means users will lose their profile settings whenever you upgrade Windows 10.
- Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can alleviate this problem.
- Multiple Domains – If you have multiple domains, in the user profile store path, change #SAMAccountName# to %username%.%userdomain% (e.g. \\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!). That way you can have the same account name in multiple domains and each account will have a different profile.
- Hard Code Store Path – Instead of using variables, you can specify a hard coded path. However, the profile incompatibility restrictions listed above still apply. To avoid applying a single profile across multiple operating system versions, place VDAs with different OS versions in different OUs, and then use different Profile Management GPOs on those OUs to specify different Profile Management user store paths.
- Migrate User Store – Profile Management 1909 and newer can move profiles from an old profile path to a new profile path.
- User-level overrides – Profile Management 2305 and newer support user-level overrides. First, configure Enable user-level policy settings under Advanced Settings. Then add registry keys for user group SIDs with override settings. See Enable and configure user-level policy settings at Citrix Docs.
- Disable Active write back. This feature places additional load on the file server and is only needed if users login to multiple machines concurrently and need mid-session changes to be saved, or if users never log off from their sessions. Note: if you don’t disable this, then it is enabled by default.
- Profile Management 2303 and newer have an option to only perform Active write back on session lock and disconnection.
- On the left, go to the Advanced settings node.
- If you use Microsoft Teams 2.1 or newer, and Teams is installed per machine, then simply make sure Profile Management is version 2402 or newer. See Enable roaming for the new Microsoft Teams at Citrix Docs.
- If Teams 2.1 is installed per-user, then enable UWP app roaming, which requires Profile Management 2308 or newer. See CTX585013 Microsoft Teams 2.1 supported for VDI/DaaS.
- Enable the setting Process Internet cookie files on logoff. This is probably only for Internet Explorer.
- The Replicate user stores setting replicates to multiple file shares. Note: this slows down logoffs. Profile Management 2209 and newer supports replicating profile containers, which seems to use robocopy.exe.
- In Profile Management 2407 and newer, for the container-based profile solution, the Enable in-session policy container failover among user stores policy is automatically enabled to ensure profile redundancy for the entire session.
- Customer Experience Improvement Program (CEIP) is enabled by default. It can be disabled here.
- See https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#ceip for additional places where CEIP is enabled.
- Profile Management 2206 adds Enable asynchronous processing for user Group Policy on logon. This might speed up logons. This feature requires you to disable Always wait for the network at computer startup and logon and enable Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services. More details at Citrix Docs.
- Profile Management 2311 and newer support Enable OneDrive container. It works the same way as search index roaming as detailed next. See Citrix Tech Zone Deployment Guide: Citrix Profile Management – OneDrive Container.
- Profile Management 7.18 and newer have Enable search index roaming for Outlook.
Notes on Outlook OST and Search roaming:
- Microsoft FSLogix is another Outlook search index roaming product that is now free. For details, see the FSLogix section in the computer group policy article.
- Profile Management 1906 and newer support 64-bit Outlook 2016 and Office 2019.
- VDA 1906 or newer are recommended for the bug fixes for this feature. You can upgrade the VDA without upgrading your Delivery Controllers.
- After the first user logon, Profile Management 1811 and newer creates a template VHDX file in a folder named UpmVhd at the root of the user store. The template file is copied to new users, thus speeding up VHDX creation.
- In the user’s profile location, a new folder called VHD is created.
- You can override the VHDX path by configuring Customize storage path for VHDX files as detailed at Citrix Docs.
- Inside the \VHD\Win2016 folder are two new thin provisioned .vhdx files – one for OST, one for Search. The per-user .vhdx files are copied from the parent template.
- UPM grants Domain Computers Full Control of the VHDX files. Users must have Full Control to the Profile Share, and UPM Folder to be able to grant this permission. Modify permissions are not sufficient. (Source = Robert Steeghs The Citrix Profile management could not mount virtual disk)
- When the user logs into a Citrix session, the two VHDXs are mounted to %localappdata%\Microsoft\Outlook and %appdata%\Citrix\Search. This means that OST files and Search Indexes are stored in the VHDX instead of in the user’s profile.
- eastwood357 at Outlook OST and Search vhdx not unmounting after log off at Citrix Discussions says that the Profile Management Path to User Store must be all lower case or else the VHDX files will not unmount at logoff.
- Only enable this feature for users with new Outlook profiles. If the user already has an .ost file, then you’ll see an error about missing .ost when Outlook is launched.
- The Search roaming feature is only supported with specific versions of Windows Search service. Event Log will tell you if your Windows patches are too new.
- Profile Management 2206 and newer have an option for Enable concurrent session support for Outlook search data roaming.
- In older Profile Management, VHDX files can only be mounted on one machine at a time. If you login to two VDAs, and if both try to mount the same VHDX files, then you’ll see errors in Event Viewer.
- Search Index Backup – Profile Management 1909 and newer have a GPO setting named Outlook search index database – backup and restore that can provide automatic recovery of the search index if it becomes corrupted. The backup consumes more of the available storage space of the VHDX files.
- For a detailed explanation of how the per-user Search Index works, see CTX235347 Citrix Profile Management: VHDX-based Outlook cache and Outlook search index on a user basis.
- Profile Management 2109 and newer can Automatically reattach detached VHDX disks. In Profile Management 2203 and newer, it’s available as a group policy setting under the Profile Management | Advanced Settings node.
- Profile Management 2303 and newer have a Profile Container GPO setting to Enable VHD disk compaction on user logoff. See Citrix Docs.
- Additional disk compaction settings can be found under Advanced Settings.
Exclusions, Synchronization, and Mirroring
- Profile Management 2209 and newer have File Deduplication > Files to include in the shared store for deduplication. You must specify which files to delete from each user’s profile and instead store in a shared location. See Citrix Docs. Profile Management 2311 supports file deduplication of profile containers.
- Under the File system node in the Group Policy Editor, enable the setting Enable Default Exclusion List – directories.
- You can use checkboxes to not exclude some folders.
- Then edit Exclusion list – directories.
- Enable the setting, and click Show.
- For Edge Chromium, see Avanite Roaming Edge Chromium.
- For Chrome, use the same list as Edge but change \Microsoft\Edge to \Google\Chrome.
- Add the following to the list.
AppData\Local\Microsoft\Windows\INetCache
AppData\local\Microsoft\Windows\IEDownloadHistory
AppData\Local\Microsoft\Internet Explorer\DOMStore
AppData\Local\Google\Software Reporter Tool
AppData\Roaming\Microsoft\Teams\media-stack
AppData\Roaming\Microsoft\Teams\Logs
AppData\Roaming\Microsoft\Teams\Service Worker\CacheStorage
AppData\Roaming\Microsoft\Teams\Application Cache
AppData\Roaming\Microsoft\Teams\Cache
AppData\Roaming\Microsoft\Teams\GPUCache
AppData\Roaming\Microsoft\Teams\meeting-addin\Cache
- Note: if you see errors in Office programs (e.g. “Word could not create the work file”), then you might have to use Group Policy Preferences to recreate %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache at logon. Source = Olav Lillebo Errors when starting published Microsoft Office applications.
- Also see CTP Matthias Schlimm Google Chrome – Citrix UPM Configuration with Mirroring
- Newer versions of Office Click-to-run let you roam the shared computer activation licensing token. See Overview of shared computer activation for Office 365 ProPlus and search for “roam”. The licensing tokens also last 30 days instead of 2-3 days. Source = Rick Smith in the comments. Ideally you should have ADFS integration so users can seamlessly re-activate Office.
- James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
- Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of exclusions for IE in Enterprise Mode.
appdata\local\microsoft\internet explorer\emieuserlist
appdata\local\microsoft\internet explorer\emiesitelist
appdata\local\microsoft\internet explorer\emiebrowsermodelist
- Then click OK twice to return to the Group Policy Editor.
- usrclass.dat*.
- Profile Management 1909 and newer automatically include usrclass.dat* in the Files to Synchronize. UPM 2103 and newer add it for Windows 10 but not for RDSH. If added to the exclusion list, then Profile Management 1909 and newer automatically removes it from the exclusion list. See Start menu roaming at Citrix Docs.
- usrclass.dat* contains file type associations. For roaming file type associations, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
- Clean up excluded folders – If you add to the exclusions list after profiles have already been created, Profile Management 5.8 has a feature that can delete the excluded folders at next logon. See To enable logon exclusion check at Citrix Docs. In Profile Management 7.15 and newer, Logon Exclusion Check is configurable in group policy under the File System node.
- Also see Muralidhar Maram’s post at Citrix Discussions for a tool that will clean up the existing profiles.
- Also see Jeremy Sprite Clean Citrix UPM Profiles.
Directories to Synchronize
- Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
- Edit the setting Directories to synchronize.
- Enable the setting, and click Show.
- Profile Management 7.16 Fixed Issues says that AppData\Local\Microsoft\Windows\Caches should be synchronized. Also see CTX234144 Start Menu Shows Blank Icons on VDA 7.15 LTSR CU1/7.16/7.17 with UPM Enabled.
- CTX489573 Office 365 – Account Error: Sorry, we can’t get to your account right now says that Appdata\local\microsoft\identitycache should be synchronized.
- To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
AppData\Local\Microsoft\Windows\Caches
AppData\Local\Microsoft\Credentials
Appdata\local\Microsoft\identitycache
Appdata\Roaming\Microsoft\Credentials
Appdata\Roaming\Microsoft\Crypto
Appdata\Roaming\Microsoft\Protect
Appdata\Roaming\Microsoft\SystemCertificates
- Click OK twice.
Files to Synchronize
- Edit Files to synchronize.
- Enable the setting, and click Show.
- Add the following three entries so Java settings are saved to the roaming profile:
AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
AppData\LocalLow\Sun\Java\Deployment\deployment.properties
- Bob Bair at Citrix Discussions recommends these additional files for Chrome:
AppData\Local\Google\Chrome\User Data\First Run
AppData\Local\Google\Chrome\User Data\Local State
AppData\Local\Google\Chrome\User Data\Default\Bookmarks
AppData\Local\Google\Chrome\User Data\Default\Favicons
AppData\Local\Google\Chrome\User Data\Default\History
AppData\Local\Google\Chrome\User Data\Default\Preferences
- Citrix’s Start Menu Roaming documentation says that Appdata\Local\Microsoft\Windows\UsrClass.dat* should be added to the list. Profile Management 1909 and newer automatically add Appdata\Local\Microsoft\Windows\UsrClass.dat* to the Files to Synchronize list.
- You can disable the automatic inclusion of these folders by enabling the setting Disable automatic configuration located under Advanced Settings.
- Then click OK twice to return to the Group Policy Editor.
Folders to mirror
- Under File System, in the Synchronization node, enable the setting Folders to mirror.
- Enable the setting, and click Show.
- Settings required for Internet Explorer 10 and later versions for browser compatibility at Citrix Docs indicate that the first three folders shown below must be mirrored in order for the Windows 10 Start Menu to function correctly.
- CTX222433 Start Menu Layout Roaming on Windows 10 indicates that TileDataLayer should be mirrored.
- CTX238419 UPM 7.15.2000: With Profile Management Enabled, Blank Icons Might Appear In The Start Menu In The Published Desktops says that AppData\Local\Microsoft\Windows\Caches should be mirrored.
- Citrix’s Start Menu Roaming documentation says that Appdata\Local\Packages should be added to the mirror list but only for Windows 10. In UPM 2103 and newer, RDSH does not need this folder mirrored. If you leave automatic configuration enabled then UPM should automatically decide if it should be mirrored or not.
- Profile Management 1909 and newer automatically add AppData\Local\Packages and AppData\Local\Microsoft\Windows\Caches to the Folders to Mirror list. In UPM 2103 and newer, Packages is added for Windows 10 but not for RDSH.
- You can disable the automatic inclusion of these folders by enabling the setting Disable automatic configuration located under Advanced Settings.
- To prevent Chrome Extension corruption, add AppData\Local\Google\Chrome\User Data\Default\Extensions to Folders to Mirror (source = CTX238525 Google Chrome extensions are getting corrupted when using using UPM)
- For Chrome login data, add AppData\Local\Google\Chrome\User Data\Default\Login Data and AppData\Local\Google\Chrome\User Data\Default\Last Session to Folders to Mirror (source = CTX232587 Citrix UPM + WEM – Google Chrome does not remember user login data)
- For Chrome Bookmarks, add AppData\Local\Google\Chrome\User Data\Default to Folders to Mirror (source = CTX235698 Issues to synchronize bookmarks of Google Chrome using Citrix UPM on latest LTSR version (7.15 CU2))
- Add the following:
AppData\Roaming\Microsoft\Windows\Cookies
AppData\Local\Microsoft\Windows\INetCookies
AppData\Local\Microsoft\Windows\WebCache
AppData\Local\TileDataLayer
AppData\Local\Microsoft\Vault
AppData\Local\Microsoft\Windows\Caches
AppData\Local\Packages
AppData\Local\Google\Chrome\User Data\Default
- These three are only needed if you didn’t include the entire Chrome User Data Default folder.
AppData\Local\Google\Chrome\User Data\Default\Extensions
AppData\Local\Google\Chrome\User Data\Default\Login Data
AppData\Local\Google\Chrome\User Data\Default\Last Session
- Click OK.
- Profile Management 2106 and newer have a setting called Accelerate folder mirroring that stores the mirrored folders in a VHDX file instead of copying back and forth at login and logoff.
- UPM creates a folder named MirrorFolders in the user’s UPM path and creates a couple thin-provisioned VHDX files in that path.
- Disk Management shows that the mounted Diff disk has a 50 GB capacity limit.
- Logging into multiple sessions concurrently results in multiple Diff disks.
- If the file server is unavailable then unpredictable behavior occurs. After the file server is back up, the session continues to misbehave and won’t recover until users log off and log back on. Plan for file server high availability that can handle always-open VHDX files. DFS won’t help you.
- Profile Management 2109 and newer can Automatically reattach detached VHDX disks.
- According to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Configuration > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.
Profile Container
Profile Management 2407 and newer have new Container features, including:
- In-session profile container failover among multiple user stores – Citrix Docs
- Registry exclusion and inclusion support extended to container-based profile solution – Citrix Docs
- Reset container-based profiles without the risk of losing user data – Citrix Docs
- Collects statistical data on VHD compaction actions and provides it to Workspace Environment Management (WEM) for reporting
To configure profile container:
- Profile Management 1903 and newer have a Profile container setting.
- In Profile Management 2009 and newer, the Profile container setting moved to its own node.
- In older versions of Profile Management, Profile Container is located under File System | Synchronization.
- Click the Show button to specify profile paths that should be placed in the mounted file share profile disk (VHDX file) instead of copied back and forth at logon and logoff.
- In Profile Management 2009 and newer, you can specify * to put the entire profile in the Container. Then use the other two settings to exclude folders from the Container. See Profile Container at Citrix Docs.
- In Profile Management older than version 2009, this setting is for large cache files (e.g. Citrix Files cache) and is not intended for the entire profile.
- Profile Management 2103 and newer have a setting to Enable local caching for profile containers. Combine this with Profile Streaming for faster logons. The entire profile should be stored in the profile container.
- Profile Management 2311 and newer can Log off users when profile container is not available during logon.
- On the left, under Advanced Settings, Profile Management 2103 and newer have a setting to Enable multi-session write-back for profile containers. This setting applies to both UPM Profile Container and Microsoft FSLogix Profile Container. If the same user launches multiple sessions on different machines, changes made in each session are synchronized and saved to the user’s profile container disk.
- Profile Management 2109 and newer can Automatically reattach detached VHDX disks.
- Citrix recommends using Profile Container for Microsoft Teams.
- See CTX247569 Citrix Profile Management: Troubleshooting Profile Containers.
- Profile Management 2209 and newer can replicate the profile container to multiple shares.
- In Profile Management 2407 and newer, for the container-based profile solution, the Enable in-session policy container failover among user stores policy is automatically enabled to ensure profile redundancy for the entire session.
- Profile Management 2308 and newer can auto-expand the container.
- Advanced settings node has additional auto-expansion settings.
- On the CVAD 2311 and newer ISO, at \x64\ProfileManagement\Tools is a script that can migrate profiles from FSLogix to Citrix Profile Container. Prior to CVAD 2311 the Tools folder is not on the CVAD ISO but is instead included with the separately downloaded Profile Management. See Migrate user profiles at Citrix Docs.
Registry Exclusions
- On the left, under Profile Management, click Registry.
- On the right, open Enable Default Exclusion List.
- Enable the setting. You can use the checkboxes to control which registry keys you don’t want to exclude.
- According to Citrix CTX221380 Occasionally, File Type Association (FTA) Fails to Roam with Profile Management 5.7 on Windows 10 and Windows Server 2016, Software\Microsoft\Speech_OneCore should be unchecked. Click OK.
- The setting Exclusion List under Registry lets you exclude registry keys from the roaming profile.
- Nick Panaccio in the comments says that if Office with ADFS constantly prompts for login, then you should exclude the following:
Software\Microsoft\Office\16.0\Common\Identity
- Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of registry exclusions for IE in Enterprise Mode.
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieUserList
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieSiteList
- Click OK when done.
- For the NTUSER.DAT backup setting, which is disabled by default, you can enable it to provide some resiliency against profile corruption.
Log Settings
- In the Log Settings node, enable the Enable logging setting. This will make it easy to troubleshoot problems with Profile Management. The logfile is located in C:\Windows\System32\LogFiles\UserProfileManager.
- Edit the Log settings setting.
- Enable the setting and check the boxes next to Logon and Logoff. Click OK.
- If your VDA is a Provisioning Services Target Device and/or non-persistent, consider moving the log file to the local persistent disk (e.g. D:\Logs), or to a central share. If a central share, the VDA computer accounts (e.g. Domain Computers) will need Modify permission to the log file path. To change the log file path, edit the Path to log file setting.
- CTX123005 Citrix UPM Log Parser
- CTX200674 How To: Review Profile Management Log Files using Microsoft Excel
Profile Streaming
- Go to the Profile handling node under Profile Management.
- Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can migrate existing profiles when you upgrade the version of Windows 10. This setting requires the !CTX_OSNAME! variable in your profile store path.
- Enable the setting Delete locally cached profiles at logoff. Note: this might cause problems in Windows 10.
- Helge Klein has a tool to delete locally cached profiles on a session host: http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/. This tool should only be needed if profiles are not deleting properly.
- For Windows 10/2016 machines, CTX216097 Unable to Delete NTUSER.DAT* Files When a User Logs off recommends setting Delay before deleting cached profiles to 40 seconds.
- Enable the setting Migration of existing profiles and set it to Local and Roaming. Citrix CTX221564 UPM doesn’t migrate local user profile since version 5.4.1.
- Enable the setting Local profile conflict handling, and set it to Delete local profile. Note: this might cause problems on Windows 10.
- For fastest logons, Citrix recommends Profile streaming + Enable profile streaming for folders + Accelerate folder mirroring all enabled, or only enable Profile Container for the entire user profile. More details at CTX463658 Reduce logon time with Profile Management.
- Under Profile Management > Streamed user profiles is Profile streaming. Enable this setting to speed up logons.
- Profile Management 2103 and newer have a setting to Enable profile streaming for folders, which should speed up logons. In Profile Management 2402 and newer, profile streaming for folders is enabled by default.
- Profile Management 2106 and newer have a setting under File System > Synchronization called Accelerate folder mirroring that stores the mirrored folders in a VHDX file instead of copying back and forth at login and logoff.
- Profile Management 2206 adds Enable profile streaming for pending area. Enable this setting if users run multiple Citrix sessions concurrently and you have Active Write Back enabled.
- Profile Management 7.16 and newer have XenApp Optimization (aka Citrix Virtual Apps Optimization) feature, which uses Microsoft UE-V templates to define specific settings that should be saved and restored at logoff and logon. See George Spiers XenApp Optimization (new in CPM 7.16+) for details.
- After modifying the GPO, use Group Policy Management Console to update the VDAs.
- Or run gpupdate /force on the VDAs, or wait 90 minutes.
App Access Control
Profile Management 2303 and newer support app access control. This is similar to FSLogix App Masking.
Citrix WEM Cloud Service has a GUI-based Rule Generator.
- In Citrix Cloud, go to Workspace Environment Management.
- Switch to the Utilities tab, find WEM Tool Hub, and click Download.
- Extract the WEM Tool Hub and run Citrix.WEM.AdminToolHub.exe.
- Click Rule Generator for App Access Control.
- Click Create app rule.
- Click Scan to select an app installed on the local machine.
- The tool scans the selected app and automatically adds rules for the app. Click Add when done.
- Give the app a name and click Next.
- Assign the rule to users, computers, or processes. Click Done.
- Select the app rules and click Generate raw data.
- Click Save to file.
- Use WEM or Group Policy to push the string to the VDAs. App Access Control is currently a preview feature. Enable it in Citrix Cloud > Workspace Environment Management > Manage > Web Console > Home page > Preview features.
- Then edit a Configuration Set. Go to Profiles > Profile Management Settings and find App access control. Browse to the .rule file saved earlier.
If you don’t have access to WEM Cloud, then the PowerShell Rule Generator is on the CVAD 2311 or newer ISO under \x64\ProfileManagement\Tools. Prior to CVAD 2311, the Tools folder is in the downloaded standalone Profile Management.
- The CPM_App_Access_Control_Config.ps1 PowerShell script is in the Tools folder.
- The Rule Generator script lists all locally installed apps and asks you to choose one.
- The tool auto-generates some rules for the app and asks you to edit the rules or go to the next step to manage assignments.
- You can assign groups that can view the app. When done, press 4 to generate the rules for deployment.
- The script can push the rules to a GPO. Or you can press 3 to generate the string that you then must configure yourself in the GPO.
- The GPO setting is at Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management | App Access Control. Enable the setting named App access control and paste the string that the Rule Generator provided.
Also see CTP James Rankin QuickPost – Citrix UPM App Access Control
Mandatory Profile – Citrix Method
Profile Management 5.0 and newer have a mandatory profile feature. Alternatively, use the Microsoft method. Also see CTP James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703).
- Create a file share (e.g. \\fs01\profile). Give Read permission to Users and Full Control to Administrators.
- Log in to the VDA machine as a template account. Do any desired customizations. Log off.
- Make sure you are viewing hidden files and system files.
- Copy C:\Users\%username% to your fileshare. Name the folder Mandatory or something like that. Citrix Profile Management does not need .v2 or .v4 or .v6 on the end.
- You can copy C:\Users\Default instead of copying a template user. If so, remove the Hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
- Open the AppData folder and delete the Local and LocalLow folders.
- Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file, and the security/trusted.certs file. Delete the Java cache, tmp and logs.
- Open regedit.exe.
- Click HKEY_LOCAL_MACHINE to highlight it.
- Open the File menu and click Load Hive.
- Browse to the mandatory profile and open NTUSER.DAT. Note: Citrix Profile Management does not use NTUSER.MAN and instead the file must be NTUSER.DAT.
- Name it a or similar.
- Go to HKLM\a, right-click it, and click Permissions.
- Add Authenticated Users and give it Full Control. Click OK.
- With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ and http://appsensebigot.blogspot.ru/2014/10/create-windows-mandatory-profiles-in.html?m=1 for some suggestions.
- Citrix CTX212784 Slow User Logon When Using Mandatory Profiles – set HKCU\a\Software\Citrix\WFSHELL\SpecialFoldersIntialized (DWORD) = 1
- Highlight HKLM\a.
- Open the File menu, and click Unload Hive.
- Go back to the file share and delete the NTUSER.DAT log files.
- Create/Edit a GPO that applies to the VDAs. Make sure the Citrix Profile Management policy template is loaded.
- Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Profile Management > Profile handling. Edit the setting Template profile.
- Enable the setting and enter the path to the Mandatory profile.
- Check all three boxes. Then click OK.
Redirected Profile Folders
- Make sure loopback processing is enabled on your VDAs.
- Edit a GPO that applies to all VDA users, including Administrators.
- Go to User Configuration\Policies\Windows Settings\Folder Redirection. Right-click Documents, and click Properties.
- In the Setting drop down, select Basic.
- In the Target folder location drop down, select Redirect to the user’s home directory.
- Switch to the Settings tab.
- On the Settings tab, uncheck the box next to Grant the user exclusive rights. Click OK. Note: Move the contents to the new location might cause issues in some deployments.
- Click Yes to acknowledge this message.
- Right-click Desktop and click Properties.
- Change the Setting drop-down to Basic.
- Change the Target folder location to Redirect to the following location.
- In the Root Path box, enter %HOMESHARE%%HOMEPATH%\Desktop. It is critical that this is a UNC path and not a mapped drive. Also, since we’re using home directory variables, all users must have home directories defined in Active Directory.
- Switch to the Settings tab.
- Uncheck the box next to Grant the user exclusive rights to Desktop and click OK.
- Click Yes when prompted that the target is not a UNC path. You get this error because of the variable. It doesn’t affect operations.
- Repeat for the following folders:
- Documents = Redirect to the User’s Home Directory
- Desktop = %HOMESHARE%%HOMEPATH%\Desktop
- Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites
- Downloads = %HOMESHARE%%HOMEPATH%\Downloads
- Redirect the following folders but set them to Follow the Documents folder.
- Pictures
- Music
- Videos
Folders not redirected will be synchronized by Citrix Profile Management.
Verify Profile Management
- Once Profile Management is configured, log in to a Virtual Delivery Agent and run gpupdate /force.
- Log off and log back in.
- Go to C:\Windows\System32\LogFiles\UserProfileManager and open the pm.log file. Look in the log for logon and logoff events.
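The log review in the last step can be scripted. The following is an added example, not part of the original article and not a Citrix tool: it groups pm.log records into logon/logoff passes and flags any pass that fell back to a temporary profile. The field names, the `Run` class and the sample lines are assumptions constructed from the log line layout quoted in the comments further down this page.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Field order as seen in the pm.log lines quoted in this page's comments:
# date;time;severity;domain;user;session;thread;message
# ("session" and "thread" are this example's names for the 6th and 7th fields.)
FIELD_COUNT = 8
START = re.compile(r"Starting (logon|logoff) processing")
FINISH = re.compile(r"Finished (logon|logoff) processing")
TEMP_PROFILE = "Switching to a temporary profile"

# Constructed sample lines (not from a real system): two interleaved logons,
# one stray error with no user, and a final line that is not a log record.
SAMPLE_LOG = r"""
2024-05-02;08:00:01.100;INFORMATION;;;3;11720;DispatchLogonLogoff: ---------- Starting logon processing...
2024-05-02;08:00:01.150;INFORMATION;EXAMPLE;alice;3;11720;GetUserStorePath: User Store: Path Out: \\fs01\upm$\alice
2024-05-02;08:00:01.200;INFORMATION;;;5;4412;DispatchLogonLogoff: ---------- Starting logon processing...
2024-05-02;08:00:01.300;ERROR;EXAMPLE;bob;5;4412;ProcessLogon: A local UPM profile has been found but the corresponding profile can not be found in the userstore. Switching to a temporary profile.
2024-05-02;08:00:03.600;INFORMATION;EXAMPLE;alice;3;11720;DispatchLogonLogoff: ---------- Finished logon processing successfully in [s]: 2.5
2024-05-02;08:00:04.200;INFORMATION;EXAMPLE;bob;5;4412;DispatchLogonLogoff: ---------- Finished logon processing successfully in [s]: 3.0
2024-05-02;17:30:00.000;ERROR;;;;7968;DeleteDirectory: Deleting the directory failed; path not found
this line is not a pm.log record
"""


@dataclass
class Run:
    """One logon or logoff pass, bracketed by its Starting/Finished lines."""
    kind: str
    session: str
    thread: str
    started: datetime
    finished: Optional[datetime] = None
    domain: str = ""
    user: str = ""
    temp_profile: bool = False
    errors: List[str] = field(default_factory=list)

    @property
    def duration(self) -> Optional[float]:
        if self.finished is None:
            return None
        return (self.finished - self.started).total_seconds()


def parse_line(line):
    """Split one record; return None for anything that is not a log line."""
    parts = line.rstrip("\r\n").split(";", FIELD_COUNT - 1)  # message may contain ';'
    if len(parts) != FIELD_COUNT:
        return None
    date, time, severity, domain, user, session, thread, message = parts
    try:
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return None
    return stamp, severity.upper(), domain, user, session, thread, message


def summarize(lines):
    """Return (runs, stray_errors); stray errors are ERROR lines outside any pass."""
    open_runs, runs, stray = {}, [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stamp, severity, domain, user, session, thread, message = rec
        key = (session, thread)
        started = START.search(message)
        if started:
            if key in open_runs:  # earlier pass never logged its Finished line
                runs.append(open_runs.pop(key))
            open_runs[key] = Run(started.group(1), session, thread, stamp)
        run = open_runs.get(key)
        if run is None:
            if severity == "ERROR":
                stray.append((stamp, message))
            continue
        if user and not run.user:  # the Starting line has empty domain/user fields
            run.domain, run.user = domain, user
        if severity == "ERROR":
            run.errors.append(message)
        if TEMP_PROFILE in message:
            run.temp_profile = True
        if FINISH.search(message):
            run.finished = stamp
            runs.append(open_runs.pop(key))
    runs.extend(open_runs.values())  # passes still open at end of file
    return runs, stray


def temp_profile_users(runs):
    """Accounts that were handed a temporary profile."""
    return sorted({f"{r.domain}\\{r.user}" for r in runs if r.temp_profile})


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG.splitlines())[0]:
        print(r.kind, r.user, r.duration, "TEMP" if r.temp_profile else "ok", r.errors)
```

In the sample, the second logon ends with a "Finished logon processing successfully" line even though it fell back to a temporary profile, so filter on the fallback message rather than on the finish line.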
Profile Management Troubleshooting
UPM Troubleshooter
Citrix Blog Post – UPM Troubleshooter: UPM Troubleshooter is a Windows-based standalone application that examines a live User Profile Management-enabled system in a single click. It reports the Profile Management configuration and the installed Citrix products, can collect and send logs, and provides a system utilities dashboard for analyzing issues. See the blog post for more details.
Profile Management Configuration Check Tool
UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines whether it is optimally configured. UPMConfigCheck is designed to verify that Profile management has been configured optimally for the environment in which it is being run, taking into account:
- Hypervisor Detection – The presence or absence of supported hypervisors (for example, Citrix XenServer, VMware vSphere, or Microsoft Hyper-V)
- Provisioning Detection – The presence or absence of a supported machine-provisioning solution (for example, Machine Creation Services or Provisioning Services)
- XenApp or XenDesktop – Whether it is running in a XenApp or a XenDesktop environment
- User Store – Determines that the expanded Path to User Store exists.
- WinLogon Hooking Test – Verifies that Profile management is correctly hooked into WinLogon processing. This test is for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and requires the user running the Configuration Check Tool to have permission to access the relevant registry keys, or an error may be returned.
- Verify Personal vDisk enabled / disabled – Whether the Personal vDisk feature of XenDesktop is enabled
- Miscellaneous – Other factors that it is able to determine through registry or WMI queries, such as whether the computer running Profile management is a laptop
Profile Size
Sacha Thomet at Monitor you Profile directories has a script that displays the size of profiles in a profile share.
Log Parser
CTX123005 Citrix UPM Log Parser
View Log Files using Excel
CTX200674 How To: Review Profile Management Log Files using Microsoft Excel
I ran into a strange problem with different apps not working on a new farm. We use the German version of Server 2022 and 2212 (German). We use Profile Containers with different other settings deployed via GPO…
Now, we noticed that the apps (not working) seem to work when we set TMP and TEMP to something like C:\TEMPTEST…
When we dug deeper we found out that when you use dir /x in c:\users you get a list with all “Folders” there. All with 8.3 naming – for example:
25.01.2023 19:20 User~1 Username1
25.01.2023 19:20 User~2 Username2
When I then execute dir User~2 and compare with dir Username2, the content differs:
C:\Users>dir User~2
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 6233-3781
Verzeichnis von C:\Users\User~2
21.03.2023 16:52 .
21.03.2023 17:20 ..
21.03.2023 16:52 AppData
0 Datei(en), 0 Bytes
3 Verzeichnis(se), 88.070.516.736 Bytes frei
C:\Users>dir Username2
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 6233-3781
Verzeichnis von C:\Users\Username2
21.03.2023 16:47 .
21.03.2023 08:08 .ms-ad
20.03.2023 16:08 3D Objects
20.03.2023 16:08 Contacts
20.03.2023 16:44 Desktop
20.03.2023 16:44 Downloads
20.03.2023 16:08 Links
20.03.2023 16:08 Saved Games
20.03.2023 16:08 Searches
21.03.2023 14:46 WINDOWS
0 Datei(en), 0 Bytes
10 Verzeichnis(se), 53.078.626.304 Bytes frei
I wonder if this is normal or if this is the source of our different problems here…
I created a ticket at Citrix with no solution until now…
regards
Hi Carl,
I seem to have an issue with two users: apps are either slow to launch or don’t launch at all.
The only difference between those users and others is the amount of files in their profiles. Their profiles are not large compared to other users but they have 10,000+ more files in their profiles. The files in question are very small DAT files in a cache folder.
Many thanks
Is Profile Streaming enabled?
Thanks for your reply.
Profile Streaming is not enabled.
Try enabling it.
Hi Carl,
Thank you for your help putting on this information together. Just to clarify, Microsoft Edge only needs folders excluded?
I see Chrome has files/folders to sync, mirror and exclude. I was expecting Edge to have similar configurations. Is this not the case?
Cheers,
Steve
I usually just follow https://www.avanite.com/blog/roaming-edge-chromium
Hello,
We just upgraded the VDA version of our XenApp servers to 2203 LTSR CU1 (from 1912) and afterwards all Outlook cache VHDXs failed to mount with this error..
2022-10-17;14:19:56.443;ERROR;DOMAIN;USERABC;3;2992;ProcessOutlookSearchRoamingOnLogon: Mount VHDX \\domain.com\dfs\ctxupmprofiles\USERABC.DOMAIN\Win2016x64\VHD\Win2016\OutlookSearchIndex.vhdx to C:\Users\USERABC\Appdata\Roaming\Citrix\Search\ failed. Error code:59
If we wiped the VHD folder UPM would successfully create a new directory, BUT this time it doesn’t create it in the context of the XA server (and add Domain Computers to the ACL), it actually looks like every other file in the UPM store and is created in the context of the user.
Did they change the behavior? I can’t find anything about this in the documentation. It is a fairly easy fix to reset the owner/perms on the VHD sub-directories to match the rest of the profile, but it is just concerning that I don’t see this change documented.
Hello,
I use CPM for user profile and FSLogix for Office Container including OneDrive.
At logoff, CPM wants to delete the local user profile but fails for long minutes on OneDrive folders mapped from the FSLogix VHDX.
Folders are still there but empty.
2022-08-26;09:36:42.774;ERROR;;;;7968;DeleteDirectory: Deleting the directory failed with: Élément introuvable.
I have the same error when as admin I want to delete manually.
How to protect file share from deletion as Everyone will have full permission
Hi Carl,
I am planning to configure the user profile redirection through Citrix policies only. For this, do you have any separate link to understand it better?
Citrix Policies have Profile Management settings that are identical to group policy settings. Is that what you’re asking?
I am using the Citrix policies to set the Profile Management.
But I am getting an error like this in the user profile manager log file, and it is not creating the profile inside the file share I mentioned.
2022-08-12;19:42:48.675;INFORMATION;;;3;11720;DispatchLogonLogoff: ———- Starting logon processing…
2022-08-12;19:42:48.675;INFORMATION;;;3;11720;IsRunningInTerminalServerSession: Terminal services installed.
2022-08-12;19:42:48.675;INFORMATION;;;3;11720;IsRunningInTerminalServerSession: ICA session.
2022-08-12;19:42:48.675;INFORMATION;Contoso;c4td;3;11720;DispatchLogonLogoff: UserSID = S-1-5-21-1690560143-3050255188-1512472656-748420
2022-08-12;19:42:48.909;INFORMATION;Contoso;c4td;3;11720;DispatchLogonLogoff: Triggered policy evaluation for
2022-08-12;19:42:48.909;INFORMATION;Contoso;c4td;3;11720;DispatchLogonLogoff: Updated Group Policy Extension history for
2022-08-12;19:42:48.956;INFORMATION;Contoso;c4td;3;11720;CheckUserExistsInGroup: No Entries Found In ExcludedGroups
2022-08-12;19:42:48.956;INFORMATION;Contoso;c4td;3;11720;CheckUserExistsInGroup: No Entries Found In ProcessedGroups
2022-08-12;19:42:48.956;INFORMATION;Contoso;c4td;3;11720;CheckIfUserNeedsToBeProcessed: Logon/logoff will be processed.
2022-08-12;19:42:48.956;INFORMATION;Contoso;c4td;3;11720;GetUserStorePath: User Store: Path In: \\Testserver\ctxfiles$\%username%
2022-08-12;19:42:48.956;INFORMATION;Contoso;c4td;3;11720;CADUser::Init: Determined user and DNS domain name: ,
2022-08-12;19:42:48.956;INFORMATION;Contoso;c4td;3;11720;CADUser::Init: Determined the ADsPath of user: :
2022-08-12;19:42:48.956;INFORMATION;Contoso;c4td;3;11720;GetUserStorePath: User Store: Path Out: \\Testserver\ctxfiles$\c4td
2022-08-12;19:42:48.956;INFORMATION;Contoso;c4td;3;11720;XenApp Optimization, enabled: 0, definition path:
2022-08-12;19:42:48.956;INFORMATION;Contoso;c4td;3;11720;SessionCount::RealTimeCount – User: c4td, Domain: Contoso, Session Count: 0.
2022-08-12;19:42:48.972;INFORMATION;Contoso;c4td;3;11720;NTUSER.DAT not found in userstore, try to load NTUSER.DAT.LASTGOODLOAD.
2022-08-12;19:42:48.972;ERROR;Contoso;c4td;3;11720;UpmUserStore::UpdateNtuserDatWithLastGoodLoad: There is no NTUSER.DAT.LASTGOODLOAD in the path:\\Testserver\ctxfiles$\c4td\UPM_Profile\NTUSER.DAT.LASTGOODLOAD 0x2. 指定されたファイルが見つかりません。
2022-08-12;19:42:48.972;INFORMATION;Contoso;c4td;3;11720;QueryLocalProfile: Profile directory read from registry: c:\users\c4td
2022-08-12;19:42:48.972;INFORMATION;Contoso;c4td;3;11720;QueryLocalProfile: Local profile is a UPM profile.
2022-08-12;19:42:48.972;INFORMATION;Contoso;c4td;3;11720;User store not found : 指定されたプログラムは、新しいバージョンの Windows を必要とします。
2022-08-12;19:42:48.972;ERROR;Contoso;c4td;3;11720;ProcessLogon: A local UPM profile has been found but the corresponding profile can not be found in the userstore. Switching to a temporary profile.
2022-08-12;19:42:49.081;INFORMATION;Contoso;c4td;3;11720;CreateLocalProfile: Profile directory initialized: .
2022-08-12;19:42:51.644;INFORMATION;Contoso;c4td;3;11720;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
2022-08-12;19:42:51.925;INFORMATION;Contoso;c4td;3;11720;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
2022-08-12;19:42:51.925;INFORMATION;Contoso;c4td;3;11720;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
2022-08-12;19:42:51.925;INFORMATION;Contoso;c4td;3;11720;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
2022-08-12;19:42:51.925;INFORMATION;Contoso;c4td;3;11720;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
2022-08-12;19:42:51.925;INFORMATION;Contoso;c4td;3;11720;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
2022-08-12;19:42:52.034;INFORMATION;Contoso;c4td;3;11720;CRegistryHive::Load: RegLoadKey of to succeeded.
2022-08-12;19:42:52.050;INFORMATION;Contoso;c4td;3;11720;CRegistryHive::Unload: Unloaded registry hive .
2022-08-12;19:42:52.050;INFORMATION;Contoso;c4td;3;11720;DispatchLogonLogoff: Updated Group Policy Extension history for
2022-08-12;19:42:52.050;INFORMATION;Contoso;c4td;3;11720;DispatchLogonLogoff: ———- Finished logon processing successfully in [s]: .
“A local UPM profile has been found but the corresponding profile can not be found in the userstore. Switching to a temporary profile.”
Go to sysdm.cpl > Advanced > Profiles > Settings and delete the local profile. Then try again.
Thanks for the reply and support.
After deleting the local profile, it created the profile in the file store.
I also want to know whether there is any link we can refer to for the user profile processing, step by step.
I usually learn it by looking at log files. Or learning every GPO setting will give you a sense of how it works.
I had a quick question regarding ctxprofile7.15.admx files. We are upgrading our 7.15 XenDesktop to 7.22. Instead of deleting ctxprofile7.15.admx, can I keep both ctxprofile7.15 and ctxprofile7.22.admx files on the same SysVol PolicyDefinitions directory?
There’s no harm in trying it.
Hi Matt,
Could you please let us know the complete procedure of upgrading Citrix 7.15 environment to Citrix 7.2203? or if you have any screenshots when you are doing please share. because we are planning to do but want to be very sure before starting the procedure.
Our Infrastructure is as follows
License: We have one license server 11.14.1.1 build 21103
Storefront: We have two storefront servers on 3.12.0.17 in group (Server Group)
Director: We have one Director 7.15.0 build 82
Delivery controllers: We have two delivery controllers 7.15.0.93
Database: We are using sql server microsoft separate servers.
VDA: 7.15
As per best practices I understand that we need to follow this order for upgrading:
1. License, 2. Storefront, 3. Director, 4. Delivery Controllers
Before the upgrade we need to take a snapshot of the VMs and a database backup.
While upgrading StoreFront, I understand that we need to remove it from the server group, upgrade it separately, and join it later.
If you can share the full document, so that the upgradation process is done smoothly.
Thanks in Advance.
See https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/upgrade-migrate/upgrade.html
And https://www.carlstalhood.com/delivery-controller-2203-ltsr-and-licensing/#upgrade
UPM intermittently unable to unload ntuser.dat during logIN… I have an issue where UPM is configured to use a template/mandatory profile. It works fine over 90% of the time. Occasionally, after copying the template to c:\users\username, it loads the ntuser.dat HKCU\usersid_tmp. It then receives an access denied trying to unload. AV has been disabled, no effect. It is not user or machine specific (servers are PVS provisioned). Any ideas? It appears to be some type of timing issue. I have an incident open with Citrix (going nowhere).
After a month of pushing the elephant that is Citrix technical support, I finally got this case to escalation. Here’s what is happening in case anyone else is dealing with the same…
When using Citrix UPM, under high logon situations:
- Citrix UPM is unable to unload the c:\username\ntuser.dat during LOGON
- User then receives a temporary profile
- C:\username\ntuser.dat remains mounted under hku\usersid_temp and cannot be unloaded even under system context
- If the user attempts another logon to the same server before the server is rebooted, they receive an access denied error from the user profile service.
The issue is related to security processing of the ntuser.dat. When this can be disabled (via a private test exe) the issue does not occur. I’ll post again if I get a fix.
Hey Brian,
Also having a similar issue to yours but I am using profile containers. The VHDX container gets created on the file share and mounts to the VDA, but for some reason doesn’t always create the junction points required for the user profile, therefore resulting in a temp profile. Logs suggest it is related to the NTUSER.dat file not being found. It’s so odd and has only started happening recently, on a new build too.
I’m yet to find a solution.
Hello – We are doing a domain migration. We have UPM configured, the Share with the user store is staying on existing domain for now. For a brief time, users will be authenticating to published Desktops in both domains, using the same roaming profile. Same username, both domains. During testing, the only issue I saw might be the rights on the profile, depending which domain they used first. Should we use ADMT to migrate these profiles? Not sure if we will face any other unexpected issues. TIA.
As long as SID History is configured then it should work. There’s also a GPO setting to enable cross-forest profiles.
Great, thanks for your reply. I will checkout that GPO.
Hi Carl,
According to Citrix eDocs you have to install the Windows Feature “Windows Search”. You have not mentioned this. Have you forgotten this or is this maybe not necessary? On my Windows Server 2016 VDA I can start the Windows Search service without having the feature installed.
Regards,
Hong
I don’t recall needing to install the service but there’s probably no harm in doing so. In newer OSs, I don’t bother enabling search index roaming since newer OS have per-user indexes instead of machine-wide indexes.
Are you referring to the GPO setting ‘Computer Config | Policies | Administrative Templates | Windows Components | Search | Prevent indexing Microsoft Office Outlook’?
Should I enable this when enabling Search Index Roaming via Citrix UPM?
No, definitely prevent indexing.
In 2016, the search index is machine-wide and UPM (or FSLogix) has to redirect the per-user portion to a different file. In 2019 and newer Windows does that automatically and there’s no need for special search index handling. Once the index is created, UPM (or FSLogix) will roam it.
Now I am a little confused…
So from Windows Server 2019 on there is also no need to enable the GPO setting ‘Enable search index roaming for Outlook’ in Profile Management?
Can you please summarize which GPO settings do I need to configure for Windows Server 2019 for indexing the Outlook search?
Thanks…!
2019 should just work since it natively supports per-user indexes. The latest FSLogix release says that it won’t do the special search index roaming any more since the indexes are already stored in per-user locations that roaming profile tools can roam.
Hi Carl,
According to Citrix Docs (https://docs.citrix.com/en-us/profile-management/current-release/configure/enable-native-outlook-search-experience.html) you have to set the registry entry “EnablePerUserCatalog = 0”. Is this correct?
After some tests I found out that with this value the search index DB is not created per user. After I changed it to “1” the search index is created under C:\Users\%Username%\AppData\Roaming\Microsoft\Search.
Can you please clarify…?
In Windows 2019+ or in Windows 10, the search index is per-user by default. No need for a registry value. Setting that registry value to 0 turns off the per-user index.
Hi Carl,
In 2019 search is per user but it is not roaming to the AppData folder redirect when using UPM. Is there an option to exclude the search folder from UPM? (not working for us)
Hi Carl,
In my Citrix environment, we want C:\users\username deleted automatically once the user logs off.
For this we enabled the policy to delete locally cached profiles on logoff, but that is still not happening.
It’s resulting in a C drive full issue.
Please help me here.
Hi Everyone,
Not sure who else has run into this but I wanted to share. It looks like Chrome has changed the default location of the Cookies file, so you may want to review your settings for Profile Management. It used to be under:
AppData\Local\Google\Chrome\User Data\Default
Now it’s buried one folder deeper:
AppData\Local\Google\Chrome\User Data\Default\Network
So if you’re like me and you’re specifically synching the Cookie file…You may have noticed that websites that normally give you the prompt “keep my computer signed in”, “Don’t ask me for a code for [x] amount of days”, are asking for OTP every day. Not a game breaker but definitely annoying to the user base. Anyhow, I’ve just made this change and will reply in case this doesn’t work, but I’ve got a feeling in my gut that this is it. I’d spent way too much time trying to find this Cookie. 😀
Hi Carl,
We have CVAD 7 1912 LTSR and UPM. With CU3 I configured a folder exclusion for the Downloads folder (no folder redirection). And it worked: users could download but needed to store the files elsewhere. The next day the local Downloads folder is empty again.
After the update to CU4 this behavior changed so that the local Downloads folder will not be created. C:\Users\Default\Downloads exists, and when I create a dummy Downloads folder in the user store, the user has Downloads after the next logon. But that cannot be the solution, because new users will not have a user store.
Can someone confirm this behavior?
Hi Carl,
I am using Active / Passive DR for Citrix CVAD using ADC GSLB. I have two independent CVAD Sites in HQ and DR. The VDA workload is running on both sites. In HQ all user profiles are stored on a central profile server using Citrix UPM.
Can I use DFS replication to replicate the HQ profiles to the DR file server and create a profile policy on the DR OU to get user profiles from the DR server?
My requirement is that when anything goes down in HQ, users should be able to get their profile from the DR profile server.
Neither Microsoft nor Citrix support multi-master merge replication of user profiles. You can set the DFS Namespace so only one Target is accessed. Then you can manually change the DFS Namespace after the disaster occurs to point to the DR file server.
My preference is to use hypervisor-based replication to replicate the entire VM and restore it after disaster.
Hi! Can you tell me why some people redirect AppData Roaming path outside user profile?
Our partner setup user profile in UNC path “\\server\profile$\#SAMAccountName#\” but the AppData (Roaming) is on \\server\profile$
Thanks in advance.
All users have the same AppData folder? Or is it creating a sub-folder per user? In Microsoft GPO, it should show you the full example path.
I usually never redirect AppData.
Can you explain why you don’t redirect AppData? Typically AppData can become very large so I would think loading it in the UPM profile at logon would impact logon performance? What size UPM profile do you typically see? When I redirect AppData the UPM profile on average from what I’ve seen is under 30mb and logons averaging around 40 seconds. Thanks
It depends on the latency and performance between the VDA and the file server. Apps assume that AppData is local and thus they do not optimize their I/O to AppData. When I tried in the past the performance was not good.
Hi Carl,
We have applications that depend upon Microsoft Word to view the reports. We currently run office 2013 on our master and we have to run scripts for Microsoft Office Activations each time we update our catalog. We want to get away from this and utilize O365.
O365 is now set up in our test environment successfully following the best practices according to Microsoft for multi-user OS. Now, the problem we have is that when users try to run the report from their published application, they get stuck on the screen because Office is trying to open Explorer to activate and is also requesting MFA, which never shows up on the screen because the report covers the whole screen. We use MFA, so if users are running Office on a new machine they get prompted to verify their identity with MFA.
Long story short, we don’t want this kind of experience and we don’t want to remove the MFA security layer. My question is: if we use Citrix UPM or Microsoft FSLogix, would either of these allow users to pass through and bypass the O365 license check on their profiles on the new machine?
Please advise on what we need to do to resolve this problem. I appreciate your swift response at all times.
Hello Carl, very interesting article as always. You did help us in so many ways indirectly.
I would like to have your opinion on using the same share to store the UPM folder (to store the user profile) used by two Windows catalogs with multiple MCS VDI (WIN10) where each catalog has its own configuration set (with different settings for UPM). The same user can log into each catalog at the same time.
I think it’s quite a bad practice so I would like to have your opinion :p
Regards,
Does each Catalog point to a different folder inside the share?
UPM is able to merge changes from multiple sessions, assuming no more than one of them have .vhdx (Profile Container) files.
Hello Carl, thank you for your answer.
No, every catalog points to a share with the following structure “\\filer\QCTXUserProfiles\UPM\#sAMAccountName#\!CTX_OSNAME!”
So it seems that the same registry hive and user store are used when the user logs in to each catalog.
We aren’t using profile container; we have UPM (with active write back) and folder redirection controlled by WEM.
Regards,
CPM or FSLogix? What are your thoughts of when to use what?
FSLogix consumes lots of disk space. CPM doesn’t need as much disk space. I frequently do both: FSLogix for Office and CPM for everything else.
https://jkindon.wordpress.com/2021/09/16/citrix-upm-and-fslogix-containers/
Hi Carl,
Thanks for your guide.
We seem to be having a profile issue where the roaming profile is written back to the profile store in an incomplete state, i.e. various directories missing. We’ve tried tweaking some GPOs but the issue persists. When a user then launches apps they start throwing errors.
Profile Management has logs. Default location is C:\Windows\System32\Logfiles\User Profile Manager\pm.log.
Are you excluding too much?
Is the VDA virtual machine rebooting before the user has finished logging off?
Hi Carl,
We have all the Exclusions for Teams in place, however, this directory is bloating the Profile – appdata\roaming\Microsoft\Teams\IndexedDB
Can this be excluded? Or is there a way to manage this?
Thanks,
Raj
Google says that some people are excluding it or simply deleting it so I assume it’s safe to exclude. That’s what testing is for. 🙂
Were you able to exclude this folder? Did it impact ms teams web?
We’re having the problem that the UserChoice FTA is not saved into the profile. As soon as I log off, the UserChoice is deleted. When I load the users registry hive from ntuser.dat the UserChoice is also missing.
The “Software\Microsoft\Speech_OneCore=” is unchecked in the exclusion list. We use Windows Server 2016 with VDA Version 1912 CU2.
Do you have any further ideas?
Since upgrading to 2109, there are newly created empty folders in C:\Users like USERNAME_UPM_LOCAL. What is it for and how can we disable it?
Is UPM renaming an existing local profile so it can restore a roaming profile? Make sure the profile doesn’t already exist locally on your master image.
@Carl – no local profiles existing on the golden master image.
GPO settings are:
Delete locally cached profiles on logoff = 1
Migration of existing profiles = NONE
Local profile conflict handling = Delete local profile
These Local-Folders appeared since upgrading from UPM 12.12 LTSR CU3 to 2109
Are you doing any of the profile container features that create VHDXs for each user?
@Carl, yes we are using ProfileContainer for redirecting MS Teams to vhdx.
Hi, I just removed Internet Explorer with “Disable-WindowsOptionalFeature -FeatureName Internet-Explorer-Optional-amd64 -Online -norestart” from the provisioned master image.
We now have huge problems with “UserProfileManager.exe” (CtxProfile Service) using 5 GB RAM and 50% CPU on all servers 🙁 .
Does this service require Internet Explorer? Does anyone have experience with removing Internet Explorer from the provisioning master image?
We have the VDI 1912 LTSR CU3 Version.
Hi, same problem for a few days (but crucial since yesterday) with UserProfileManager.exe suddenly using 60% CPU on my Citrix. I don’t know why. I’ve not removed IE and have installed no particular software in the last few days.
I just found out this morning that the CPU rises when I (or other users) start and use Chrome. I am now investigating whether a UPM policy tries to synchronise a file that no longer exists. I have to say that I also updated Chrome when I removed Internet Explorer. I’ll write again when I know what is going on.
Other admins are having the same issue with Chrome 93 and RDS:
https://www.reddit.com/r/chrome/comments/ph3vfu/chrome_93_huge_disk_writes_killing_rds/
I reverted to the old master image and made a new image:
– only uninstalled Internet Explorer
– did not update Chrome 92 to Chrome 93.
UPM is now working stably again. 🙂
I will try to update Chrome when a new version of it comes out.
Good job, thank you very much for your post. Chrome 93 was indeed the killer of my Citrix servers. Reverting to Chrome 92 and disabling the Chrome update returned to normal operation.
Hi Carl, do you know why, when I have enabled AD GPO Folder Redirection to work together with Citrix policies, Citrix UPM without any configuration has caused my setup to create duplicate Downloads and Desktop folders inside C:\users\USERNAME within the Citrix session? I’m running LTSR 1912 CU3 with a Windows Server 2019 OS VDA. Tested moving out of the OU where Citrix UPM is not applied, and the Desktop and Downloads folders are not created within the C:\users\USERNAME\ folder. And I have verified that these folders are created (found in UPM logging).
Other than the extra folders, does it cause users any problems?
It may cause confusion for some users who love to enter the location through their “full display name” folder, which may show duplicate Desktop and Downloads folders, and result in possible data loss if they were to save in the duplicated folder. Not sure why UPM is checking it for “SpecialFolders” in the logs.
Carl,
We have been using FSLogix profile container for handling user profiles over the past 10 months and have not run into any real major issues but we have been seeing some really large user profiles. We are thinking about separating the profile and Office container or using Citrix UPM with FSLogix office container only. What are your thoughts and what do you recommend? Thanks!
Either option is fine. Since you already have functional FSLogix, it’s easier to keep your existing FSLogix configs but add Office Profile Container. Note that adding a new container does not move data from the old container.
UPM with FSLogix is also fine but you’d have to develop the config and test it.
Hello Carl,
I have done about 50 deployments using the methods you describe here as well as using Helge Klein’s method. They have been tried and true. The only change I make is to use authenticated users instead of everyone in my deployments. That said, we are having a challenge trying to migrate user data from an old location to a new user data location via script to save time as we migrate about 1500 users. We have the user log in to dynamically create the user profile and user data folders (two different shares) and that sets the permissions on the user’s root share. The problem we are running into is that since the system uses creator owner to create files and folders and the user has “this folder only” rights, when we robocopy the files over and maintain the permissions of the target folder, the inherited permissions for the user will not push down – because it is set to “this folder only” at the root folder. The data is not copied over under the user context, so the user doesn’t have rights to the files or folders after the copy is complete. We have tried various other methods to push down the permissions after the fact, but are running into the same limitation since the user has “this folder only” rights and the user is not actually copying the data and creating the folders in this case.
I’m wondering if you have run into this situation before and what you did to solve it. We are looking for a potential solution or options. I would prefer not to pre-stage the folders and break the inheritance and the model we set up. We may have another challenge there as we used “My Documents” in the UNC path for folder redirection. Windows creates a system alias called “Documents” in the target folder (special icon). If we pre-stage a folder called “Documents” via script, folder redirection will create a second documents folder and we have the same challenge. Having to re-think that practice since Windows creates the alias in this way. We have not found a way to assume the user’s context during the copy, that would solve it. I know the system can impersonate the user at times (I have seen it in the UPM logs when updating the NTUSER.dat file), but we are having trouble finding a method via script. Thanks in advance for any help or ideas.
Steve
The problem is further complicated by the fact that the old user data was under a different domain user and the target user account is under a new domain (part of a domain migration). The old user data needs to be migrated for the new account.
I wonder if you can use SetACL to configure inherited permissions. https://helgeklein.com/setacl/
Don’t forget inside ntuser.dat are additional permissions. If you do SIDHistory during your migration then I assume it won’t be an issue.
Hi Carl, thanks for your message. Yes we are looking at that as well. We are only migrating user data, so no profile files, I was just using NTUSER.dat as an example of the system impersonating the user. That makes sense about the extra permissions. I suppose we could apply explicit permissions to each file and folder that is copied over for the user. Or push down the permissions using the SetACL tool after the files are copied. That breaks the inheritance, but may be our only way to solve it. The other option could be to run the copy script in the background to copy the data under the user’s context from inside the VDI session. Open to other ideas.
Hello Carl, I was wondering if when creating the root folder for the user data if you might recommend using the permission “This folder, subfolders and files” instead for “Creator Owner” to prevent the challenge listed above when migrating data from an old user data location? The setting of Creator/Owner: full control, subfolders and files only ends up with the user having permissions of “This Folder Only” rights at the user’s root and root folders. This is fine if the files are migrated under the user’s context (i.e. copy from UNC path), but the user won’t have permissions to the subfolders and files under the root upon migrating the data using robocopy or other script. We ended up pre-staging the folders and Windows did update them with the system alias icons after the user logged in (it didn’t create two folders, which was lucky). Inheritance is broken for the user permissions at the user root, but the rest of the permissions are inherited down through the structure properly. I don’t believe this will be a problem going forward since if the permissions change at the user data root they will be pushed down through the file structure. The user’s permissions themselves would need to be updated manually, but that would probably not need to happen.
https://helgeklein.com/blog/how-to-configure-a-file-server-for-hosting-user-profiles/
Hi Carl (and everybody else here),
is there a way to define different exclusion lists for different user groups?
We’d like to test some new directory exclusions with a test user group before we configure it for all users.
The gpo settings “Processed groups” and “Excluded groups” just control if UPM is executed at all, but it doesn’t prevent the rest of the GPO to be applied.
Security filtering of the GPO doesn’t work as well because it’s applied to the computers and not to the users.
Or am I missing something?
Thanks in advance,
Stefan
You’d probably need different Delivery Groups in different OUs and then apply different UPM GPOs to each OU.
Yes, ok, we already have a separate delivery group with some test servers where we applied the new UPM GPO.
But we wanted a bunch of users to test the new settings in real life before rolling the settings out for all users.
Would have been good if it was possible to define these settings on user group level.
Anyway, thanks for your quick reply and have a nice weekend 🙂
Yes, you can only have one configuration set per set of machines or OU.
Hello Carl, I am struggling with user profiles and a huge amount of files in them. Mostly IE Cookies and Chrome. Although I actually set the mentioned recommended settings. So for example the AppData\Local\Microsoft\Windows\INetCookies folder has ~1700 files. Maybe any hints where I could optimize? Process Cookies at logoff is enabled.
Well, Chrome is another headache for me. We use the profile.pb file in the roaming path. And as far as I know we excluded the complete AppData\Local\Google\Chrome folder, but as suddenly the Google EULA repeatedly came up we changed it, and since then the horror started. We are coping with very slow logoff times, and the scheduled reboots configured in the delivery group do not work reliably as the server then stays in the off state.
AppData\Local\Google\Chrome\User Data\Default\JumpListIcons
AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld
Appdata\Local\Google\Chrome\User Data\Default\JumpListIconsMostVisited
Appdata\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed
AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images
AppData\Local\Google\Chrome\User Data\Default\Cache
AppData\Local\Google\Chrome\User Data\Default\Media Cache
AppData\Local\Google\Chrome\User Data\Default\Application Cache
AppData\Local\Google\Chrome\User Data\Default\Code Cache
AppData\Local\Google\Chrome\User Data\Default\Crashpad
AppData\Local\Google\Chrome\User Data\Default\GPU Cache
AppData\Local\Google\Chrome\User Data\Default\Media Cache
AppData\Local\Google\Chrome\User Data\Default\Sync Data
AppData\Local\Google\Chrome\User Data\Default\Sync Data Backup
AppData\Local\Google\Chrome\User Data\Default\Service Worker
AppData\Local\Google\Software Reporter Tool
AppData\Local\Google\Chrome\User Data\PepperFlash
Hope you have some ideas for me how to optimize.
Regards
Edge exclusions in case you need to copy-paste:
AppData\Local\Microsoft\Edge\User Data\Ad Blocking
AppData\Local\Microsoft\Edge\User Data\BrowserMetrics
AppData\Local\Microsoft\Edge\User Data\Crashpad
AppData\Local\Microsoft\Edge\User Data\PepperFlash
AppData\Local\Microsoft\Edge\User Data\Safe Browsing
AppData\Local\Microsoft\Edge\User Data\ShaderCache
AppData\Local\Microsoft\Edge\User Data\SmartScreen
AppData\Local\Microsoft\Edge\User Data\Subresource Filter
AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists
AppData\Local\Microsoft\Edge\User Data\WidevineCdm
AppData\Local\Microsoft\Edge\User Data\Default\blob_storage
AppData\Local\Microsoft\Edge\User Data\Default\BudgetDatabase
AppData\Local\Microsoft\Edge\User Data\Default\Cache
AppData\Local\Microsoft\Edge\User Data\Default\Code Cache
AppData\Local\Microsoft\Edge\User Data\Default\File System
AppData\Local\Microsoft\Edge\User Data\Default\GPUCache
AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB
AppData\Local\Microsoft\Edge\User Data\Default\JumpListIconsRecentClosed
AppData\Local\Microsoft\Edge\User Data\Default\JumpListIconsTopSites
AppData\Local\Microsoft\Edge\User Data\Default\Local Storage
AppData\Local\Microsoft\Edge\User Data\Default\Storage
AppData\Local\Microsoft\Edge\User Data\Default\Service Worker
AppData\Local\Microsoft\Edge\User Data\Default\Web Applications
Great! Thanks, Sergio! So simple yet so helpful.
I was looking for this in Carl’s post. @Carl…? 😉
Hello Carl, I’m having the same problem stated above, just started a few weeks ago after working for months. Our profiles appear to be frozen in time. No new changes are saved between sessions, but existing changes before the issue occurred are persistent. New users that just came on the platform are having no changes being saved. We are using WEM and UPM with VDA 7.15 LTSR CU6 on Win10 VDI via MCS. The logs below show that it finds the profile in the user store and loads it up. However upon logoff, it appears to then not be able to locate the user’s NTUSER.DAT file and the settings are not saved back. It is quite bizarre. I’ll post the log snippets below (usernames and domain names removed – placeholders). One article I read said that perhaps the machines are rebooting (refresh on logoff) before the profile can save back, but that has not been changed and it clearly tries to read the NTUSER.DAT file and can’t for some reason. Perhaps some sort of file locking issue. Just strange that it worked for months and then all of a sudden stopped working with no changes to UPM or WEM. Windows updates to the image and standard stuff during that time.
Logon:
2021-03-31;07:03:34.367;INFORMATION;;;1;8828;DispatchLogonLogoff: ———- Starting logon processing…
2021-03-31;07:03:34.367;INFORMATION;;;1;8828;IsRunningInTerminalServerSession: Workstation found. Console session.
2021-03-31;07:03:34.367;INFORMATION;;;1;8828;DispatchLogonLogoff: UserSID = S-1-5-21-1177238915-1767777339-725345543-22930673
2021-03-31;07:03:35.195;INFORMATION;;;1;8828;DispatchLogonLogoff: Triggered policy evaluation for
2021-03-31;07:03:35.195;INFORMATION;;;1;8828;DispatchLogonLogoff: Updated Group Policy Extension history for
2021-03-31;07:03:35.195;INFORMATION;;;1;8828;CheckUserExistsInGroup: No Entries Found In ExcludedGroups
2021-03-31;07:03:35.195;INFORMATION;;;1;8828;CheckUserExistsInGroup: Checking if user is a member of one of the ProcessedGroups
2021-03-31;07:03:35.195;INFORMATION;;;1;8828;UserIsMemberOfGroup: User is a member of group .
2021-03-31;07:03:35.195;INFORMATION;;;1;8828;CheckUserExistsInGroup: User is member of a ProcessedGroups
2021-03-31;07:03:35.195;INFORMATION;;;1;8828;CheckIfUserNeedsToBeProcessed: Logon/logoff will be processed.
2021-03-31;07:03:35.195;INFORMATION;;;1;8828;GetUserStorePath: User Store: Path In: \\share.domain.com\CTXPROFILES\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!
2021-03-31;07:03:35.195;INFORMATION;;;1;8828;CADUser::Init: Determined user and DNS domain name:
2021-03-31;07:03:37.179;INFORMATION;;;1;8828;CADUser::Init: Determined the ADsPath of user:
2021-03-31;07:03:37.179;INFORMATION;;;1;8828;GetUserStorePath: User Store: Path Out: \\share.domain.com\ctxprofiles\username\Win10RS5v6
2021-03-31;07:03:37.179;INFORMATION;;;1;8828;SessionCount:RealTimeCount – Detected a Client OS, not using WTS calls
2021-03-31;07:03:37.538;INFORMATION;;;1;8828;ProcessLogon: Found a profile in the user store:
2021-03-31;07:03:37.538;INFORMATION;;;1;8828;QueryLocalProfile: No profile directory found.
2021-03-31;07:03:37.538;INFORMATION;;;1;8828;QueryLocalProfile: Determined the name of a new profile directory: .
2021-03-31;07:03:37.538;INFORMATION;;;1;8828;CreateLocalProfile: Profile directory initialized:
2021-03-31;07:03:37.601;INFORMATION;;;1;8828;ProcessLogon: Starting to restore directories and files.
2021-03-31;07:03:50.835;INFORMATION;;;1;8828;StartJitSupport: Starting streamed profile support thread.
2021-03-31;07:03:50.835;INFORMATION;;;1;8828;ProcessLogon: User logging on with Streamed Profile support enabled.
2021-03-31;07:03:50.835;INFORMATION;;;1;8828;ProcessLogon: Restore finished.
2021-03-31;07:03:51.085;INFORMATION;;;1;8828;CreateV2ProfileJunctions: Starting to create NTFS junctions…
2021-03-31;07:03:51.085;INFORMATION;;;1;8828;ReadFolderRedirectionSettings: S-1-5-21-1177238915-1767777339-725345543-22930673\Software\Citrix\UserProfileManager\FolderRedirection\Settings
2021-03-31;07:03:51.117;INFORMATION;;;1;8828;CreateV2ProfileJunctions: Finished creating NTFS junctions.
2021-03-31;07:03:51.132;INFORMATION;;;1;8828;ProcessLogon: Performing Cross Platform logon processing
2021-03-31;07:03:51.132;INFORMATION;;;1;8828;CpsUserData::Init: Cross Platform is not enabled
2021-03-31;07:03:51.335;INFORMATION;;;1;8828;CRegistryHive::Unload: Unloaded registry hive .
2021-03-31;07:03:51.335;INFORMATION;;;1;8828;DispatchLogonLogoff: Updated Group Policy Extension history for
2021-03-31;07:03:51.335;INFORMATION;;;1;8828;DispatchLogonLogoff: ———- Finished logon processing successfully in [s]: .
Logoff:
2021-03-31;06:59:38.106;INFORMATION;;;1;17048;DispatchLogonLogoff: ———- Starting logoff processing…
2021-03-31;06:59:38.106;INFORMATION;;;1;17048;DispatchLogonLogoff: Session is a console session.
2021-03-31;06:59:38.106;INFORMATION;;;1;17048;DispatchLogonLogoff: UserSID = S-1-5-21-1177238915-1767777339-725345543-22899194
2021-03-31;06:59:38.106;INFORMATION;;;1;17048;SessionCount:RealTimeCount – Detected a Client OS, not using WTS calls
2021-03-31;06:59:38.106;INFORMATION;;;1;17048;ProcessLogoff: Profile directory read from registry: C:\Users\e671950
2021-03-31;06:59:38.137;INFORMATION;;;1;17048;CRegistryHive::Load: RegLoadKey of succeeded.
2021-03-31;06:59:38.137;INFORMATION;;;1;17048;ProcessLogoff: Successfully open registry file NTUSER.DAT for cross-platform processing during logoff.
2021-03-31;06:59:38.137;INFORMATION;;;1;17048;ProcessLogoff: Performing Cross Platform logoff processing
2021-03-31;06:59:38.137;INFORMATION;;;1;17048;CpsUserData::ProcessChangedFiles: Cross Platform processing will not be performed for user
2021-03-31;06:59:42.387;INFORMATION;;;1;17048;ProcessLogoff: Found registry hive file in: .
2021-03-31;06:59:42.481;INFORMATION;;;1;17048;CRegistryHive::Unload: Unloaded registry hive .
2021-03-31;06:59:42.481;INFORMATION;;;1;17048;RegistryWriteBack: Copying user registry file.
2021-03-31;06:59:42.528;INFORMATION;;;1;17048;RegistryWriteBack: Copying user registry file succeeded.
2021-03-31;06:59:42.528;INFORMATION;;;1;17048;RegistryWriteBack: Locking user registry file.
2021-03-31;06:59:43.356;INFORMATION;;;1;17048;CRegistryHive::Unload: Unloaded registry hive .
2021-03-31;06:59:43.356;INFORMATION;;;1;17048;ApplyRegChanges: Finished applying registry changes.
2021-03-31;06:59:43.356;INFORMATION;;;1;17048;CRegistryHive::Unload: Unloaded registry hive .
2021-03-31;06:59:43.356;INFORMATION;;;1;17048;Saving Registry changes back to user store…
…..
2021-03-31;10:08:43.494;INFORMATION;;;1;17788;RegistryWriteBack: Copying user registry file.
2021-03-31;10:08:43.496;INFORMATION;;;1;17788;NTUSER.DAT not found in userstore, try to load NTUSER.DAT.LASTGOODLOAD.
2021-03-31;10:08:43.496;ERROR;;;1;17788;UpmUserStore::UpdateNtuserDatWithLastGoodLoad: There is no NTUSER.DAT.LASTGOODLOAD in the path:\\share.domain.com\ctxprofiles\username\Win10RS5v6\Pending\UPM_Profile\NTUSER.DAT.LASTGOODLOAD 0x2. The system cannot find the file specified.
2021-03-31;10:08:43.590;INFORMATION;;;1;17788;RegistryWriteBack: Copying user registry file succeeded.
2021-03-31;10:08:43.590;INFORMATION;;;1;17788;RegistryWriteBack: Locking user registry file.
2021-03-31;10:08:43.784;INFORMATION;;;1;17788;CRegistryHive::Unload: Unloaded registry hive .
2021-03-31;10:08:43.784;INFORMATION;;;1;17788;ApplyRegChanges: Finished applying registry changes.
2021-03-31;10:08:43.785;INFORMATION;;;1;17788;Saving Registry changes back to user store…
It looks like the error message was coming from Active Write Back. I disabled the setting and the errors have gone away in the logs, but the new profile settings are still not saving back to the user store. I am now looking at AV to see if it might be a culprit.
Hello Carl and All, I believe I have found the problem using the UPM Parsing tool. The NTUSER.DAT file appears to be locked by another process at logoff. There is one CTX article that addresses this, but we are already on VDA 7.15 LTSR CU6. I have opened a case with Citrix and will send an update when we find a solution:
CRegistryHive::Load: RegLoadKey of to failed with: The process cannot access the file because it is being used by another process.
https://support.citrix.com/article/CTX226731
Hello Carl and all,
It turns out that the problem was caused by enabling the “Enable Registry Inclusions” check box in WEM under the Registry tab. We had a setting that was reported not being saved back by development, so we added the key there. This apparently disables all the default inclusions for the HKCU hive that is set by default (you would have to add them all back in which is not feasible). There is no information or description in the WEM console to know this, but if you go to the Citrix Policies and read the description on the setting it tells you there. That said, there is no explanation why the problem caused the NTUSER.DAT file to lock and generate access denied and other errors in the logs/traces because a single setting was set, so this seems like a bug in the Citrix code to me. Citrix was completely lost on this case (including escalation – they thought it was a permissions issue) and I had to figure this out myself through process of elimination. It was a literal needle in a haystack. The problem presented itself as something very different than a setting that would just exclude the HKCU hive preventing most settings from being written back to the user store. I wanted to provide an update and hope this saves someone else the pain it caused us.
Steve
Hi Carl,
There is a mistake in your post. In the section “Folder to mirror” you list the following paths/folders:
AppData\Local\Google\Chrome\User Data\First Run
AppData\Local\Google\Chrome\User Data\Local State
AppData\Local\Google\Chrome\User Data\Default\Bookmarks
AppData\Local\Google\Chrome\User Data\Default\Favicons
AppData\Local\Google\Chrome\User Data\Default\History
AppData\Local\Google\Chrome\User Data\Default\Preferences
But these are actually FILES which you mention earlier correctly in your post.
Just a hint 😉
Hong
Thanks for pointing that out. It should be fixed now. 🙂
Hi Carl
In the GPO we have linked to our W2016 Citrix session servers, we have the following setting enabled to migrate users’ old profiles to Citrix Profile Management:
Computer Configuration > Administrative Templates > Citrix Components > Profile Management > Profile handling > Migration of existing profiles
I know this is working as we can see the users’ old files showing up when logging into the new Citrix session servers.
I can’t see how it knows where the source location is for existing user profiles, as the following policy setting does not appear in the GPO, where you mention this can be specified in version 1909 onwards:
Computer Configuration > Administrative Templates > Citrix Components > Profile Management > Migrate user store
Wondering if you might know how it knows the source location to pull old user profile from in the absence of this setting?
Also, what policy setting can I use please to omit dragging over Start Menu data from user’s old profiles (I believe this is separate to the file syncing exclusions you can specify as I’m purely referring to items to exclude in the migration of old user profile data but please correct me if I’m wrong)?
Thank you
“Migration of existing profiles” migrates profiles under C:\Users to an empty UPM profile share. Roaming vs Local is based on what you see in sysdm.cpl > Advanced > User Profiles > Settings. All roaming profiles are copied to C:\Users during logon.
I don’t think I’ve tried “Migrate user store” before. That would point to a UPM user store.
You could have a script that saves the settings you want at logoff to the user’s home directory. Then create new profiles for each user and during logon restore the settings from the user’s home directory.
Hi Carl, Thanks for putting this all together in one place.
Below are the Edge exclusions for your screencap, copy paste easy 🙂
AppData\Local\Microsoft\Edge\User Data\Ad Blocking
AppData\Local\Microsoft\Edge\User Data\BrowserMetrics
AppData\Local\Microsoft\Edge\User Data\Crashpad
AppData\Local\Microsoft\Edge\User Data\Safe Browsing
AppData\Local\Microsoft\Edge\User Data\ShaderCache
AppData\Local\Microsoft\Edge\User Data\SmartScreen
AppData\Local\Microsoft\Edge\User Data\Subresource Filter
AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists
AppData\Local\Microsoft\Edge\User Data\WidevineCdm
AppData\Local\Microsoft\Edge\User Data\Default\Cache
AppData\Local\Microsoft\Edge\User Data\Default\Code Cache
AppData\Local\Microsoft\Edge\User Data\Default\File System
AppData\Local\Microsoft\Edge\User Data\Default\GPUCache
AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB
AppData\Local\Microsoft\Edge\User Data\Default\JumpListIconsRecentClosed
AppData\Local\Microsoft\Edge\User Data\Default\JumpListIconsTopSites
AppData\Local\Microsoft\Edge\User Data\Default\Local Storage
AppData\Local\Microsoft\Edge\User Data\Default\Storage
AppData\Local\Microsoft\Edge\User Data\Default\Service Worker
AppData\Local\Microsoft\Edge\User Data\Default\Web Applications
Hi Carl,
I have the following problem: when I open Edge and select “pin icon to taskbar”, the next time I log into Citrix the icon appears blank. We use UPM and have configured what is indicated in this Citrix article: https://support.citrix.com/article/CTX220821
But it still doesn’t work. Could you help us? Thanks in advance
Hello Carl, Good Evening! How are you doing?
Big fan here.
I am running XenDesktop 7.15 LTSR CU2 over XenServer 7.1 CU1 LTSR with PVS Accelerator enabled. On my vDisk image (Win10), I have Microsoft Teams installed, and this is my big challenge here, because the PVS Write Cache is filling up very quickly.
So I am testing my VDI (XenDesktop + Win10, version 2004) with Citrix UPM for Roaming profile plus Folder Redirection, and to cache all files from Microsoft Teams and OneDrive I used FSLogix with the Office365 Container option.
My doubt: can both Citrix UPM and FSLogix Office365 Container work together?
If yes, is there any chance to decrease the VHDX Office365 container size? Because, on my first logon, the VHDX file already has 1,5GB.
Thanks a lot
Best Regards.
Is Teams installed using the machine-wide installer?
Yes, FSLogix Office Container and UPM work together. Just make sure you add exclusions to UPM for whatever you are capturing in FSLogix.
Yes, the machine-wide installer was configured.
But I realized that when I’m using FSLogix Office365 Container, it captures everything; I don’t have an option to exclude some directories like in UPM. And my UPM GPO already has all the exclusion lists suggested by the Citrix articles.
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html
Hi Carl,
we are experiencing a strange behaviour which I can’t identify. We are using Windows GPOs for homefolder redirection (profiles are handled by FSLogix). (loopback/replace is configured)
Now our VDAs sometimes, after daily reboot, are not able to apply the folder redirection policy (it pauses at the “applying folder redirection” during logon, this can take up to several minutes), then starts the user session. But homefolder data has been copied into the profile. (This is configured in the policy in case of the GPO being removed).
Strangely this only happens to some VDAs and with the next reboot and can be fine again on these and happen on others. Once a user logged in on VDA where the policy has been applied correctly, Data is moved out of the profile again.
But even on the VDAs where the policy does not work correctly, you can see that documents and the other folders are actually redirected to the correct DFS location…
I’m stuck and can’t find the problem.
Maybe you’ve got an idea?
Thank you!
Regards,
Florian
I would turn off both of the file copy checkboxes since it seems to be working anyways.
Thanks for fast reply.
Sorry, my fault. I was investigating a bit further and it is actually not working…
What I see is that for a server where the FDR is not applied, no User GPOs are actually applied. So it seems we have reboots where it works fine and then we have reboots where it does not apply User GPOs at all… Computer GPOs are getting applied though.
Does Profile Container in the 2009 version have any new features? Or was it just moved to a new node?
Hello Carl,
I am not using the Citrix profile manager for my user profiles so it has not been installed on my VDAs. On the other hand, even if I don’t use it, is it the one that feeds the information back to Director for Citrix user logon times?
Yes. Just install it. To ensure it is disabled, configure a group policy to disable it.
Hello Carl,
To install it, can I go from the DVD 1912 LTSR CU1?
D:\x64\ProfileManagement\profilemgtx64.msi – is that the one? Are there other elements to install?
Hi Carl,
We’ve been trying to troubleshoot some file server issues lately, and I currently feel like Citrix is not the root cause but we are exploring all options. We run a term server farm of roughly 70 term servers (Server 2016) (non-persistent) housing ~1500 users spread out fairly evenly. Towards the end of the day it seems like things start to really slow down and we will find dozens if not hundreds of folks stuck logging off. But it’s not just Citrix affected, basically anything talking to the file server cluster where the profiles (and many other things are stored), it just drags. So, a few things to point out I guess:
– We are looking at migrating the Profiles volume/share to its own file server, try and isolate the issue at least
-We are in the process of upgrading our environment from 7.15LTSR CU3
-Storefronts are 3.2 CU6
-PVS is 1912 LTSR CU1
-Director is 1912 LTSR CU1
-Lic server is 1912.
Really the only thing left to upgrade is the delivery controllers and VDA (currently testing VDA 1912 LTSR on a few servers)
Anyhow, I guess my question is, what could I look at to possibly improve our situation and prevent the profile hangups from snowballing to whatever else is going on with the file server?
We are using WEM to configure UPM and one thing I noticed is we have Profile streaming enabled, active write back for registry enabled, but not active write back. I keep reading conflicting stories about whether I should or should not enable write back. Also, I don’t know why we have registry write back if file write back is not enabled, I thought that was bad?
Anyways, not sure if this makes a whole lot of sense, it’s late, I’m tired, the last few nights we’ve been working late, rebooting term servers once we see all the sessions on it “idle” (really they’re just stuck logging off), in order to let other file server tasks finish, like backup jobs and stuff.
I think separating the Citrix Profiles volume will at least help isolate things, I just don’t know what has happened within the last couple of weeks that has aggravated the situation.
Thanks, and good night.
Just an update on this, we did migrate the profiles volume to its own file server. While this has alleviated the latency on the rest of the shares, the slow logoffs still persist, so we only succeeded in isolating the problem a bit. Our environment is now on 1912 CU1, and we have once again reached out to Citrix. They are again suggesting that we try AWB. I know your blog says to turn it off due to impact on file server, which I brought up with Citrix, but they say that we should still try it though. I guess really I would like to hear if someone else has had positive results with AWB, I still tend to find mixed responses on other sites, but I think maybe the majority I’ve come across say it did not help, or had a negative impact. Some sources say the biggest potential impact would be in the mornings, when everyone is logging on. An example they gave is that if they all open up Internet Explorer soon after they log in, then it could potentially mean a burst of write back activity once they close it out, with the webcachev01.dat file and some other things.
I think Active Write Back writes all changes to the file share as the changes occur throughout the day even if the same file changes multiple times throughout a day. AWB might pre-upload the changes to the file share so the logoff doesn’t have to do as much.
Yes, that is one understanding that I had of it as well. It almost feels like they’re trying to mimic a profile container in a way. So in a profile container, you have a .vhd file, which is mounted to the VDA, then from there, the only “write” activity that’s happening is to the files that are actually being modified. Then at the end of the day there’s just the dismount process when they log off, not sure how much “writing” that actually produces on a file server. At least that’s how I understand it.
Side note: We have recently started implementing FSLogix for a small group of single-session (Win10) users. While the experience has been fairly good, we are still fine tuning some things (One FSLogix profile could be anywhere from 6-10GB whereas I’ve managed to cut down UPM profiles to under 100mb for the most part). FSLogix is something I am interested in applying to all of our user base, but we have much more testing and fine tuning before we can really push for that change.
Hi, Carl,
I hope you and your family are in good health.
I am confused about the cross-platform policy and Citrix support couldn’t help too much.
Can you please advise me on how to configure the policy in the below context?
– currently, we have XA 6.5 farm (Windows server 2018 R2 VMs) and we want to migrate to XD 7.1912 (new Windows Servers 2016 VMs)
– I already created a profile management policy for XD 7 (including folder redirection), where I published the new 2016 servers
– the current profiles corresponding to W 2008 servers are saved in the user’s store
– the new profiles corresponding to W 2016 (XD 7) are saved in a different user’s store location
– our goal is to migrate Office 2016 settings from W 2008 to W 2016, so the users would not have to enter the Outlook credentials again when they connect to the published desktops for the first time
Thank you
Carl
I am reviewing VDA logs trying to learn what makes a successful logon and why some are not so successful.
My success = 30 second or less logon time. I have some logons taking up to 50 seconds
I am using UPM and FSlogix.
Log results
Starting logon processing…
2020-10-08;08:42:11.330;INFORMATION;;;78;15356;IsRunningInTerminalServerSession: Terminal services installed.
2020-10-08;08:42:11.330;INFORMATION;;;78;15356;IsRunningInTerminalServerSession: ICA session.
2020-10-08;08:42:11.334;INFORMATION;Domain;user.name;78;15356;DispatchLogonLogoff: UserSID = S-1-5-21-2053067395-2001430784-1236798564-31243
Right off the bat it shows a fail
2020-10-08;08:42:11.339;ERROR;Domain;user.name;78;15356;DispatchLogonLogoff: Triggering policy evaluation for failed: 0x106
it continues and looks normal gathering info
Logon/logoff will be processed.
GetUserStorePath: User Store: Path In: \\svr\xaprofiles\#samaccountname#\!ctx_osname!!ctx_profilever!
User Store: Path Out: \\svr\xaprofiles\user.name\Win2016v6
ProcessLogon: Found a profile in the user store: .
2020-10-08;08:42:11.413;INFORMATION; Domain;user.name;78;15356;QueryLocalProfile: Profile directory read from registry: c:\users\user.name
2020-10-08;08:42:11.413;INFORMATION; Domain;user.name;78;15356;Mark as UPM profile by force to support FSLogix
2020-10-08;08:42:11.417;INFORMATION;Domain;user.name;78;15356;GetUserStorePath: ParentVhdFolder: Path In: \\svr\xaprofiles\
INFORMATION;Domain;user.name;78;15356;GetUserStorePath: ParentVhdFolder: Path Out: \\svr\xaprofiles
2020-10-08;08:42:14.843;;Domain;user.name;78;15356;Copied NTUSER.DAT from \\svr\xaprofiles\user.name\Win2016v6\UPM_Profile\NTUSER.DAT to c:\users\user.name\NTUSER.DAT The operation completed successfully.
Not sure why it copies from svr to local vda
INFORMATION;Domain;user.name;78;15356;ProcessLogon: Starting to restore directories and files.
2020-10-08;08:42:14.843;INFORMATION;Domain;user.name;78;15356;Now start to copy from\\svr\xaprofiles\user.name\Win2016v6\UPM_ProfileTo c:\users\user.name
2020-10-08;08:42:27.372;INFORMATION;Domain;user.name;78;15356;Finished copying from\\svr\xaprofiles\user.name\Win2016v6\UPM_ProfileTo c:\users\user.name
Then there is about 100 pages of errors, this is just a sampling
2020-10-08;08:42:27.505;ERROR;Domain;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the file specified.
2020-10-08;08:42:27.506;ERROR;Domain;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the file specified.
2020-10-08;08:42:27.506;ERROR;Domain;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the path specified.
2020-10-08;08:42:27.506;ERROR;Domain;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the path specified.
2020-10-08;08:42:27.507;ERROR;Domain;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the file specified.
Is Profile Streaming enabled? Even if it’s enabled, ntuser.dat must be copied down.
What version of VDA?
No
Policy: Profile streaming. Setting: Disabled. Comment: Set profile streaming to disabled when FSLogixSupport is enabled as there is a conflict and will cause reparse point corruption
VDA 2006
Are you doing multi-session write-back for FSLogix Profile Container? Or are you just doing FSLogix Office Container?
Carl
Ohh
I have Computer\Policies\Admin Templates\Profile mgmt\Advanced settings\Enable multi-session “ENABLED”
My intent is to manage office Profiles with FSLogix and all others with Citrix Profile management
I think that setting is only for full Profile Container, not Office Container.
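An added example, not part of the comments above and not Citrix code: a small parser for pm.log lines in the semicolon-delimited layout of the excerpts in this thread, which groups entries by session and thread, counts errors per function, and reports the largest time gap between consecutive entries so you can see where a slow logon spends its time. The field order (date, time, severity, domain, user, session ID, thread ID, message) is read off the excerpts; the function names, the `EXAMPLE` domain and the sample lines are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the layout of the pm.log excerpts above:
# date;time;severity;domain;user;session ID;thread ID;message
SAMPLE_LOG = r"""Starting logon processing...
2020-10-08;08:42:11.330;INFORMATION;;;78;15356;IsRunningInTerminalServerSession: ICA session.
2020-10-08;08:42:11.334;INFORMATION;EXAMPLE;user.name;78;15356;DispatchLogonLogoff: UserSID = S-1-5-21-0-0-0-1001
2020-10-08;08:42:14.843;INFORMATION;EXAMPLE;user.name;78;15356;Now start to copy from \\svr\share\user.name\UPM_Profile to c:\users\user.name
2020-10-08;08:42:27.372;INFORMATION;EXAMPLE;user.name;78;15356;Finished copying from \\svr\share\user.name\UPM_Profile to c:\users\user.name
2020-10-08;08:42:27.505;ERROR;EXAMPLE;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the file specified.
2020-10-08;08:42:27.506;ERROR;EXAMPLE;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the path specified.
INFORMATION;EXAMPLE;user.name;78;15356;ProcessLogon: line pasted without its timestamp
2020-10-08;08:43:00.000;INFORMATION;EXAMPLE;other.user;79;200;ProcessLogoff: step one; step two
"""


def parse_line(line):
    """Parse one pm.log entry; return None for headers or lines missing fields."""
    # Split on the first seven separators only: the message itself may contain ';'.
    parts = line.rstrip("\r\n").split(";", 7)
    if len(parts) != 8:
        return None
    date, clock, severity, domain, user, session, thread, message = parts
    try:
        stamp = datetime.strptime(date.strip() + " " + clock.strip(),
                                  "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return None  # first two fields are not a date and time
    return {
        "time": stamp,
        "severity": severity.strip(),
        "domain": domain.strip(),
        "user": user.strip(),
        "session": session.strip(),
        "thread": thread.strip(),
        "message": message.strip(),
    }


def summarize(text):
    """Group entries by (session ID, thread ID) and summarise each group.

    Returns (report, skipped) where skipped counts non-empty lines that
    could not be parsed.
    """
    groups = defaultdict(list)
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        groups[(entry["session"], entry["thread"])].append(entry)

    report = {}
    for key, entries in groups.items():
        entries.sort(key=lambda e: e["time"])  # stable: ties keep file order
        slowest_gap, slowest_after = 0.0, None
        for prev, cur in zip(entries, entries[1:]):
            gap = (cur["time"] - prev["time"]).total_seconds()
            if gap > slowest_gap:
                slowest_gap, slowest_after = gap, prev["message"]
        # Errors are counted by the function name in front of the first ':'.
        errors = Counter(e["message"].split(":", 1)[0]
                         for e in entries if e["severity"] == "ERROR")
        report[key] = {
            "users": sorted({e["user"] for e in entries if e["user"]}),
            "entries": len(entries),
            "duration": (entries[-1]["time"] - entries[0]["time"]).total_seconds(),
            "slowest_gap": slowest_gap,
            "slowest_after": slowest_after,
            "errors": errors,
        }
    return report, skipped


if __name__ == "__main__":
    result, bad = summarize(SAMPLE_LOG)
    for (session, thread), info in sorted(result.items()):
        print(session, thread, info["users"], f"{info['duration']:.3f}s",
              f"largest gap {info['slowest_gap']:.3f}s after: {info['slowest_after']}",
              dict(info["errors"]))
    print("unparsed lines:", bad)
```

On the constructed sample the largest gap falls between the "Now start to copy" and "Finished copying" entries, which is the kind of step to look at first when a logon exceeds its time budget.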
Hi Carl,
For a new deployment with CVAD 2009, would you recommend using UPM with FSLogix or skip FSLogix and put the entire profile in a profile container? What are the benefits in using FSLogix, when you can put the entire profile in a Profile Container?
If you have disk space, I recommend FSLogix Profiles since it can do everything. Citrix Profile Container has limitations. https://james-rankin.com/articles/quickpost-citrix-upm-profile-containers-feature/
Hello Carl
In a test deployment I did following:
-Enable profile management -> Enable
-Path to user store -> store’s path
-no extra configurations
But after logging in virtual desktop, user profiles are created in the VDA, not in the user store.
What is the problem?
Are there any other things to check?
Thanks
Check the log file (default location = C:\Windows\System32\LogFiles\User Profile Manager\pm.log). You might have to do some policy settings to enable the log.
Hey Carl very nice guide! Followed it “mostly” on Version 1912. Yesterday upgraded the whole infrastructure to “2006” now UPM isn’t working well. I’ve created a UPM Policy in Citrix Policies but this Policy won’t apply on every user (sometimes yes / sometimes no – same user). I’ve tried to determine the problem with UPM Config checker etc. The logfile says that no UPM policy is configured .ini is not set … so the defaults will be applied. This causes our users to not load the UPM settings. Followed your guides to check if policy files appear in C:\ProgramData\CitrixCseCache – yes it is.
Environment is MCS with non-persistent machines on Windows Server 2019 Datacenter on VMware ESXi with updated Controllers, StoreFront, WSA etc. Any suggestions? 🙂
I generally recommend using the .admx with group policies instead of Citrix Policies.
Okay thanks for your reply, I´ll try it with .admx group policies.
Greetings
Hey Carl, thanks a lot this did the trick… sometimes it’s easier than expected. have a great day
Best wishes
Dominik
Hi Carl,
Can I upgrade my UPM to 5.8 from 5.3 on a 7.6 FP3 non LTSR environment?
Secondly, for template profiles and its registry for user shell folders I realised that the %USERNAME% variable is not supported and resolved when the user grabs the template profile, but I don’t see any issues so far. E.g. a user’s shell folders cache still remains as C:\Users\%USERNAME%\AppData\…INetCache. Would it pose any problem, or how do I resolve it?
Is 5.8 the newest you’re entitled to? If you upgrade VDA, then you also get upgraded UPM.
I think the registry has to be REG_EXPAND_SZ for it to expand the variable.
Hi Carl, But does it have any dependency on the infra of Citrix if I upgrade the UPM? i.e. 5.8 not supported on 7.6 VDA, only on 7.14.
As for the template profile, I configured the template path in the Citrix policy instead of the user inheriting the default profile on the VDA. But I have amended the profile to C:\Users\%USERNAME%\ on User Shell Folders in registry.
But when I checked my own NTUSER.DAT registry hives, other than folder redirection entries is replaced things like Cache – C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\INetCache
AppData – C:\Users\%USERNAME%\AppData\Roaming
Question: would it cause any issues? If it doesn’t grab a template profile and based on default profile from VDA server the User Shell Folders would be like C:\users\\… etc
Hello Carl,
Great guide, wondering if you have ever seen on VDI Windows 2016, the Recycle Bin where the settings of all Recycle Bin Locations are set to “Don’t move files to the Recycle Bin. Remove files immediately when deleted”, I want to change this behavior for a certain Recycle Bin location – Desktop for all users and enable “Custom Size: 500 MB”, is there a policy that will do this for just the specified location ?
Did you get any solution for this Darren?
Hey Carl,
Followed your guide (thank you!) but wondering if you’ve seen this issue before. VDA 2006, Server 2019, MCS non-persistent desktops, folder redirection enabled. Users can sign into Chrome and while in the session, it stays connected fine, but when signing out and signing back in, the Chrome login is lost and it starts on the Welcome to Chrome tab. Oddly, if a user opens a new tab, their bookmarks bar shows up populated, but still not signed into Chrome/no logins remembered. Everything has been configured as discussed above regarding Chrome.
Any thoughts?
Sorry, forgot to add that we had this set of users on 2016 prior and it was working flawlessly, no GPO changes between the two. Also noticed that the First Run and Local State files never make it to the UPM_Profile folder on the 2019 version.
Hi Joshua,
Did you find a solution for this issue? I have the same and can’t find a solution.
Have the same problem here in lab environment 🙁 Fresh install and tried a lot of exclusion/sync variations but still the same f*cking problem. Gets really annoying. Hoping Carl knows a solution. Also trying mirroring the whole Default folder doesn’t fix it.
Did anyone ever get a solution to this? I am trying to suppress the Welcome to Chrome page. Thought it would have been an easy GPO, but I don’t see it.
From the application side of this, no desktop just virtualized apps, have you seen any workarounds or solutions on how to open the MS-Settings/Immersive Control Panel/PC Settings app? We have an issue where program defaults are not sticking or cannot be set and we cannot open the settings page. If we do the desktop side we can open it but the problem still exists with default programs not sticking.
Example: Open a link in Outlook, are asked “Stick with IE, Use Edge, Use other”, select Chrome to be the default. For that session Chrome stays. Log off, wait a few minutes, log back on (only one test server at this time so it is the same machine), open the same link as before and it has reverted back to IE. Looked at the registry values and the hash seems to be the key in breaking this.
Any advice is greatly appreciated.
SetUserFTA.exe has a get parameter that you can run at logoff to save FTAs to a file and then run SetUserFTA.exe at logon to restore it. https://kolbi.cz/blog/2017/10/25/setuserfta-userchoice-hash-defeated-set-file-type-associations-per-user/
Thank you for this information. I have tried to follow the steps provided but it does not seem to work. IE still sits as the default program for opening web browsers
I usually use https://kolbi.cz/blog/2017/11/10/setdefaultbrowser-set-the-default-browser-per-user-on-windows-10-and-server-2016-build-1607/ to force a particular default browser.
That worked perfectly!!! I saw that but wasn’t sure since the updated version of SetUserFTA, I thought, was supportive of the default browser. Thank you very much for your time and advice on this.
Hello Carl,
we have changed our Chrome Exclusion to the following and all files are deleted because of Logon Exclusion check “Delete files or folders” but all the folders in the AppData\Local\Google\Chrome folder are still there – shouldn’t they be deleted?
Directory exclusion
AppData\Local\Google
Folder mirror
AppData\Local\Google\Chrome\User Data\Default\Extensions
AppData\Local\Google\Chrome\User Data\Default\Login Data
AppData\Local\Google\Chrome\User Data\Default\Last Session
File synchronisation
AppData\Local\Google\Chrome\User Data\First Run
AppData\Local\Google\Chrome\User Data\Local State
AppData\Local\Google\Chrome\User Data\Default\Bookmarks
AppData\Local\Google\Chrome\User Data\Default\Favicons
AppData\Local\Google\Chrome\User Data\Default\History
AppData\Local\Google\Chrome\User Data\Default\Preferences
Do the newer Profile Management versions support creating the Desktop folder in the user profile on the server when opening a published application? We’re running 7.15 LTSR and with no folder redirection the Desktop folder is not created until the user does something in the app that then creates the Desktop folder. Published Desktops (server-based) work fine and turning off Profile Management allows the Desktop folder to be created regardless of whether a published application or desktop is opened.
I haven’t tested this. Maybe you can configure Group Policy Preferences > Folders to create the Desktop folder? I assume this only applies to new users.
It’s supposed to create a desktop folder. Along with the whole user directory shell. Unless you excluded it. Just make sure you’re not excluding it in the UPM policy.