Citrix Profile Management 5.8

Last Modified: May 27, 2017 @ 3:50 pm

Navigation

This article applies to all versions of Profile Management: 5.8, 5.7, 5.6, 5.5, 5.4, etc.

💡 = Recently Updated

Profile Management Configuration Options

Version 5.8 of Citrix Profile Management can be downloaded from XenApp/XenDesktop 7.14. To find it, click Components that are on the product ISO but also packaged separately.

There are three methods of configuring Citrix Profile Management:

  • Citrix Studio – in the Policies node
  • Microsoft group policy – using an ADMX file
  • .ini file – this is the default

This page will detail the GPO ADMX method of configuring Citrix Profile Management. The Studio method is similar.

Citrix Studio Policies and Microsoft GPOs override the .ini file. When configuring Studio Policies or GPOs, copy the default settings from the .ini file as detailed below.

Planning – Multi-Datacenter

For optimum performance, users connecting to Citrix in a particular datacenter should find their roaming profiles on a file server in the same datacenter. If you have Citrix in multiple datacenters, then you will need file servers in each datacenter.

DFS active/active replication of roaming profiles is not supported. This limitation complicates multi-datacenter designs.

For active/active datacenters, split the users such that different users have different home datacenters. Whenever a particular user connects, that user always connects to the same datacenter and in that datacenter is a file server containing the user’s roaming profile. StoreFront uses Active Directory group membership to determine a user’s home datacenter.

For users that connect to Citrix in multiple datacenters, there are a couple options:

  • The user’s roaming profile is located in only one datacenter – If the user connects to a remote datacenter, then the roaming profile must be transmitted across the WAN. To optimize performance, disable Active Write Back, and make sure Profile Streaming is enabled.
  • The user has separate profiles for each datacenter – There is no replication of profiles between datacenters. This scenario is best for deployments where different applications are hosted in different datacenters.

Disaster Recovery – For disaster recovery scenarios, the user’s roaming profile data (and home directories) must be recovered in a different datacenter. Here are some considerations:

  • Use DFS One-way replication. After the disaster, edit the DFS Namespace folder target to point to the file server in the DR datacenter. You must avoid multi-master DFS replication/namespace.
  • Use VMware SRM or Zerto to recover the file server in the DR datacenter.
  • A datacenter failover might result in multiple file servers accessed from a single VDA, especially if you have users split across datacenters. Use DFS Namespaces as detailed below.

DFS Namespace for central user store – The Citrix Profile Management user store path is a computer-level setting, meaning there can only be one path for every user that logs into a particular VDA. If you have different users with roaming profiles on different file servers, you must use Active Directory user attributes and DFS namespaces to locate the user’s file server. Here is an overview of the configuration:

  • Create a domain-based DFS namespace with folder targets on different file servers. See Scenario 1 – Basic setup of geographically adjacent user stores and failover clusters at Citrix Docs for more information.
  • Do not enable two-way DFS Replication for the roaming profile shares. But you can do One-way DFS replication. See Scenario 2 – Multiple folder targets and replication at Citrix Docs for more information.
  • Edit each user in Active Directory with a location (l) attribute that matches the DFS folder name.
  • Set the Profile Management user store path to \\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!. This pulls the user’s l attribute from Active Directory and appends that to the DFS share. The folder that matches the attribute value is linked to a file server. For example, if the user’s l attribute is set to Omaha, then the user’s profile will be located at \\corp.local\CtxProfiles\Omaha\user01\Win2016v6. The Omaha folder is linked to a file server in the Omaha datacenter.

Create User Store

This procedure could also be used to create a file share for redirected profile folders.

If you intend to place Citrix Profile Management roaming profiles in the user’s home directory, then there is no need to follow the procedure in this section. Only use this section if you are creating a new file share for storage of the Citrix roaming profiles.

Create and Share the Folder

  1. Make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it CtxProfiles or similar.

  3. Share the folder.
  4. Give Everyone (or some other group that contains all Citrix Users) Full Control (Read/Write). Click Share, and then click Done.
  5. Go to the Properties of the folder.
  6. On the Sharing tab, click Advanced Sharing.
  7. Click Caching.
  8. Select No files or programs. Click OK, and then click Close.

Folder (NTFS) Permissions

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry, and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

Access Based Enumeration

With this setting enabled, users can only see folders to which they have access:

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it. Or perform a refresh.
  3. Right-click the new share and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration.

GPO ADMX Policy Template

  1. Go to the downloaded Citrix Profile Management 5.8. In the \Group Policy Templates\en folder, copy the file ctxprofile5.8.0.admx to the clipboard. You can also find the templates on the main XenDesktop 7.14 ISO in the \x64\ProfileManagement\ADM_Templates\en folder.
  2. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.
  3. If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. If you have an older version of the ctxprofile.admx file in either location, delete it. Note: replacing the .admx file does not affect your existing Profile Management configuration. The template only defines the available settings, not the actual settings.
  5. Go back to the Citrix Profile Management 5.8 ADM_Template files and copy ctxprofile5.8.0.adml to the clipboard.
  6. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL.
  7. If you don’t have SysVol PolicyDefinitions,, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.
  8. If you have an older version of the ctxprofile.adml file in either location, delete it.
  9. Citrix Profile Management 5.8 ADM_Template files and in the \Group Policy Templates\CitrixBase folder, copy the file CitrixBase.admx to the clipboard.
  10. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.
  11. If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  12. Go back to the Citrix Profile Management 5.8 ADM_Template files and copy CitrixBase.adml to the clipboard.
  13. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL.
  14. If you don’t have SysVol PolicyDefinitions,, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.

Group Policy Settings

  1. Edit a GPO that applies to all machines (VDAs) that have the Profile Management service installed.
  2. Go to Computer Configuration\Policies\Administrative Templates\Citrix Components\Profile Management. If older than 5.5, the settings are beneath the Citrix folder. Note: if you did not install the CitrixBase.admx file, then you can find Profile Management directly under the Administrative Templates folder.
  3. Enable the setting Enable Profile management. Profile Management will not function until this setting is enabled.
  4. If desired, enable the setting Process logons of local administrators.
  5. Enable Path to user store.
  6. Specify the UNC path to the folder share. An example path = \\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!
  7. Profile Versions– Different OS versions have different profile versions. Each profile version only works on specific OS versions. For example, you cannot use a Windows 7 profile (v2) on Windows 10 1607 (v6). The variables in the path above ensure that every unique profile version is stored in a unique folder. If users connect to multiple operating system versions, then users will have multiple profiles.
    1. Windows 10 Profile Versions – Windows 10 has two different profile versions. Windows 10 build 1511 and older use v5 profiles. Windows 10 build 1607 and newer use v6 profiles. V6 is also the profile version in Windows Server 2016. These different profile versions are probably incompatible so they should be separated.
    2. Windows 10 build 1703 warning: Profile Management 5.8 on Windows 10 1703 sets !CTX_OSNAME! to “Win10RS2”. On Windows 10 1607, !CTX_OSNAME! is set to “Win10RS1”. RS = Redstone. If you use !CTX_OSNAME! in your path, then Windows 10 1703 and Windows 10 1607 will have separate profiles.
    3. With the UNC path shown above, if the user logs into Windows 2012 R2 RDSH, the profile folder will be \\server\share\user01\Win2012R2v4. If the user logs into 64-bit Windows 10 build 1607, the profile folder will be \\server\share\user01\Win10RS1v6.
    4. Windows 2012 R2 warning: If you are upgrading to Profile Management 5.4 or newer, and have existing Windows 2012 R2 profiles based on the !CTX_OSNAME! variable, Citrix fixed the variable, and now your profiles might stop working. See http://discussions.citrix.com/topic/374111-psa-upm-54-ctx-osname-server-2012-value-change/ for more details.
    5. Windows 2012 R2 note: in older versions of Citrix Profile Management, !CTX_PROFILEVER! recognizes Windows 2012 R2 as v2, which isn’t correct. V2 is Windows Server 2008 R2, while Windows Server 2012 R2 is v4. The profile version bug was fixed in recent versions of Profile Management.
  8. Another option is to place VDAs with different OS versions in different OUs, and then use different GPOs on those OUs to specify different Profile Management user store paths.
  9. Multiple Domains – If you have multiple domains, change #SAMAccountName# to %username%.%userdomain% (e.g. \\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!). That way you can have the same account name in multiple domains and each account will have a different profile.
  10. Disable Active write back. This places additional load on the file server and is only needed if users login to multiple machines concurrently and need mid-session changes to be saved. Note: if you don’t configure this, it is enabled by default.
  11. Under the Advanced settings node, enable the setting Process Internet cookie files on logoff.
  12. In 5.6 and newer, Customer Experience Improvement Program (CEIP) is enabled by default. It can be disabled here.
  13. See http://www.carlstalhood.com/delivery-controller-7-13-and-licensing/#ceip for additional places where CEIP is enabled.

Exclusions – 5.5 and newer

The Exclusions process in 5.5 and newer is dramatically simplified. If you haven’t yet deployed 5.5 or newer, and it’s corresponding ADMX file, then skip to the older Exclusions process.

  1. Under the File system node in the Group Policy Editor, enable the setting Enable Default Exclusion List – directories.
  2. You can use checkboxes to not exclude some folders.
  3. Then edit Exclusion list – directories.
  4. Enable the setting, and click Show.

  5. Add the following to the list. This is the new path for Temporary Internet Files in Windows 8 and later.
    AppData\Local\Microsoft\Windows\INetCache
  6. If running Office 365 with Shared Computer Activation, then you might need to exclude !ctx_localappdata!\Microsoft\Office\15.0\Licensing and/or !ctx_localappdata!\Microsoft\Office\16.0\Licensing. Ideally you should have ADFS integration so users can seamlessly re-activate Office at every launch.
  7. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  8. Then click OK twice to return to the Group Policy Editor.
  9. You might need to exclude usrclass.dat*. Some articles say exclude it, others say include it (for file type association). The UPMPolicyDefaults_all.ini file has it listed as an exclusion.
    1. Edit the setting Exclusion list – files.
    2. Enable the setting, and click Show.
    3. Add the following. Then click OK twice.
      !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*
      

  10. Clean up excluded folders –  If you add to the exclusions list after profiles have already been created, Profile Management 5.8 has a feature that can delete the excluded folders at next logon. See To enable logon exclusion check at Citrix Docs. Unfortunately, this feature is only configurable in the .ini file.  💡

    1. Also see Muralidhar Maram’s post at Citrix Discussions for a tool that will clean up the existing profiles.
    2. Also see Jeremy Sprite Clean Citrix UPM Profiles.
  11. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  12. Edit the setting Directories to synchronize.
  13. Enable the setting and click Show.
  14. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
    AppData\Local\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Crypto
    Appdata\Roaming\Microsoft\Protect
    Appdata\Roaming\Microsoft\SystemCertificates

  15. Also see David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
  16. To roam Start Menu and/or File Type Associations in Windows 10/2016, see CTX214754 Error “An app default was reset” after signout and Logon in Citrix UPM for details on the folders that must be included/excluded from the roaming profile. These should be added to the inclusion (Directories to Synchronize) list. UsrClass.dat* are files, not directories. For Option 2, compare to Option 1 and add the missing items to the Exclusion list. Full support for roaming Start Menu and/or File Type Associations requires UPM 5.7 or newer, and VDA 7.13 and newer.
  17. Click OK twice.
  18. Edit Files to synchronize

  19. Enable the setting, and click Show

  20. Add the following three entries so Java settings are saved to the roaming profile:
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
    
  21. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  22. Then click OK twice to return to the Group Policy Editor.
  23. To enable handling of Cookies, in the Synchronization node, enable the setting Folders to mirror.
  24. Enable the setting, and click Show.
  25. Add the following and click OK.
  26. The Known Issues for UPM 5.7 indicate that the first three folders shown below must be mirrored in order for the Windows 10 Start Menu to function correctly.
  27. CTX222433 Start Menu Layout Roaming on Windows 10 indicates that TileDataLayer should be mirrored.
    AppData\Roaming\Microsoft\Windows\Cookies
    AppData\Local\Microsoft\Windows\INetCookies
    AppData\Local\Microsoft\Windows\WebCache
    AppData\Local\TileDataLayer
    AppData\Local\Microsoft\Vault
    

  28. Note: according to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Config > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.
  29. On the left, under Profile Management, click Registry.
  30. On the right, open Enable Default Exclusion List.
  31. Enable the setting. You can use the checkboxes to control which registry keys you don’t want to exclude.
  32. According to Citrix CTX221380 Occasionally, File Type Association (FTA) Fails to Roam with Profile Management 5.7 on Windows 10 and Windows Server 2016, Software\Microsoft\Speech_OneCore should be unchecked. Click OK.
  33. New in 5.5 is the NTUSER.DAT backup setting, which is disabled by default. You can enable it to provide some resiliency against profile corruption.
  34. Skip to the Log Settings section.

Exclusions – 5.4.1 and older

This section is for UPM 5.4.1 and older. For 5.5 scroll up to Exclusions – 5.5 and newer.

The UPMPolicyDefaults.ini file includes a default list of exclusions. If you intend to add to the default list, you must first copy the exclusions from the .ini file to the GPO. Then you can add exclusions to your GPO.

Note: this file was updated for Profile Management 5.4 and Windows 10 so if you are upgrading make sure you copy the new exclusions to the GPO. For example, !ctx_localappdata!\TileDataLayer seems to have been added in 5.4.

  1. Browse to a VDA, go to C:\Program Files\Citrix\User Profile Manager and open the file UPMPolicyDefaults_all.ini using Notepad.
  2. Under the File system node in the Group Policy Editor you can configure which profile folders should be excluded from synchronization. Edit Exclusion list – directories.
  3. Enable the setting and click Show

  4. In the .ini file, scroll down to the SyncExclusionListDir section.  Copy each of these lines to the GPO. Do not include the equals sign on the end.
  5. Add the following to the list. This is the new path for Temporary Internet Files in Windows 8 and later.
    AppData\Local\Microsoft\Windows\INetCache
  6. If running Office 365 with Shared Computer Activation, then you might need to exclude !ctx_localappdata!\Microsoft\Office\15.0\Licensing and/or !ctx_localappdata!\Microsoft\Office\16.0\Licensing. Ideally you should have ADFS integration so users can seamlessly re-activate Office at every launch.
  7. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  8. Then click OK twice to return to the Group Policy Editor.
  9. To roam Start Menu and/or File Type Associations in Windows 10/2016, see CTX214754 Error “An app default was reset” after signout and Logon in Citrix UPM for details on the folders that must be included/excluded from the roaming profile. The list below are “inclusions”.
  10. You might need to exclude usrclass.dat* as detailed at Known Issue for Profile Management 5.4.
    1. Edit the setting Exclusion list – files.
    2. Enable the setting and click Show.
    3. Add the following. Then click OK twice. This is detailed as a Known Issue for Profile Management 5.4.
      !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*
      

  11. Note: If you add to the exclusions list after profiles have already been created, then see Muralidhar Maram’s post at discussions.citrix.com for a tool that will clean up the existing profiles. Also see Jeremy Sprite Clean Citrix UPM Profiles.
  12. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  13. Edit the setting Directories to synchronize.
  14. Enable the setting and click Show.
  15. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
    AppData\Local\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Crypto
    Appdata\Roaming\Microsoft\Protect
    Appdata\Roaming\Microsoft\SystemCertificates

  16. Also see David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
  17. Click OK twice.
  18. Edit Files to synchronize

  19. Enable the setting and click Show

  20. Add the following three entries so Java settings are saved to the roaming profile:
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
    
  21. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  22. Then click OK twice to return to the Group Policy Editor.
  23. To enable handling of Cookies, in the Synchronization node, enable the setting Folders to mirror.
  24. Enable the setting and click Show.
  25. Add the following and click OK

    AppData\Roaming\Microsoft\Windows\Cookies
    AppData\Local\Microsoft\Windows\INetCookies
    AppData\Local\Microsoft\Windows\WebCache
    AppData\Local\Microsoft\Vault

  26. Note: according to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Config > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.
  27. On the left, under Profile Management, click Registry.
  28. On the right, open Exclusion List.
  29. Enable the setting and then click Show.
  30. Back in the UPMPolicyDefaults.ini file, look for the ExclusionListRegistry section. Copy the two items from there without the equals sign to the GPO setting.
  31. Click OK twice.

Log Settings

  1. In the Log Settings node, enable the Enable logging setting. This will make it easy to troubleshoot problems with Profile Management. The logfile is located in C:\Windows\System32\LogFiles\UserProfileManager.
  2. Edit the Log settings setting.
  3. Enable the setting and check the boxes next to Logon and Logoff. Click OK.
  4. If your VDA is a Provisioning Services Target Device and/or non-persistent, consider moving the log file to the local persistent disk (e.g. D:\Logs), or to a central share. If a central share, the VDA computer accounts (e.g. Domain Computers) will need Modify permission to the log file path. To change the log file path, edit the Path to log file setting.


  5. CTX123005 Citrix UPM Log Parser
  6. CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

Profile Streaming

  1. For shared persistent VDAs (e.g. RDSH), go to the Profile handling node under Profile Management. Enable the setting Delete locally cached profiles at logoff. Note: this might cause problems in Windows 10.

    Helge Klein has a tool to delete locally cached profiles on a session host. http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/. This tool should only be needed if profiles are not deleting properly.
  2. For Windows 10/2016 machines, CTX216097 Unable to Delete NTUSER.DAT* Files When a User Logs off recommends setting Delay before deleting cached profiles to 40 seconds.

  3. Enable the setting Migration of existing profiles, and set it to Local and Roaming.  Citrix CTX221564 UPM doesn’t migrate local user profile since version 5.4.1.

  4. Enable the setting Local profile conflict handling and set it to Delete local profile. Note: this might cause problems on Windows 10.

  5. Under Profile Management > Streamed user profiles is Profile streaming. Enable this setting to speed up logons.
  6. After modifying the GPO, use Group Policy Management Console to update the VDAs.
  7. Or run gpupdate /force on the VDAs, or wait 90 minutes.

Mandatory Profile – Citrix Method

Profile Management 5.0 and newer has a mandatory profile feature. Alternatively, use the Microsoft method.

  1. Create a file share (e.g. \\fs01\profile). Give Read permission to Users and Full Control to Administrators.
  2. Login to the VDA machine as a template account. Do any desired customizations. Logoff.
  3. Make sure you are viewing hidden files and system files.
  4. Copy C:\Users\%username% to your fileshare. Name the folder Mandatory or something like that. Citrix Profile Management does not need .v2 or .v4 or .v6 on the end.

    1. You can copy C:\Users\Default instead of copying a template user. If so, remove the Hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  5. Open the AppData folder and delete the Local and LocalLow folders.
  6. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file, and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  7. Open regedit.exe.
  8. Click HKEY_LOCAL_MACHINE to highlight it.
  9. Open the File menu and click Load Hive.
  10. Browse to the mandatory profile and open NTUSER.DAT. Note: Citrix Profile Management does not use NTUSER.MAN and instead the file must be NTUSER.DAT.
  11. Name it a or similar.
  12. Go to HKLM\a, right-click it, and click Permissions.
  13. Add Authenticated Users and give it Full Control. Click OK.
  14. With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ and http://appsensebigot.blogspot.ru/2014/10/create-windows-mandatory-profiles-in.html?m=1 for some suggestions.
  15. Citrix CTX212784 Slow User Logon When Using Mandatory Profiles – set HKCU\a\Software\Citrix\WFSHELL\SpecialFoldersIntialized (DWORD) = 1
  16. Highlight HKLM\a.
  17. Open the File menu, and click Unload Hive.
  18. Go back to the file share and delete the NTUSER.DAT log files.
  19. Create/Edit a GPO that appplies to the VDAs. Make sure the Citrix Profile Management policy template is loaded.
  20. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Profile Management > Profile handling. Edit the setting Template profile.
  21. Enable the setting and enter the path to the Mandatory profile.
  22. Check all three boxes. Then click OK.

Redirected Profile Folders

  1. Make sure loopback processing is enabled on your VDAs.
  2. Edit a GPO that applies to all VDA users, including Administrators.
  3. Go to User Configuration\Policies\Windows Settings\Folder Redirection. Right-click Documents, and click Properties.
  4. In the Setting drop down, select Basic.
  5. In the Target folder location drop down, select Redirect to the user’s home directory.
  6. Switch to the Settings tab.
  7. On the Settings tab, uncheck the box next to Grant the user exclusive rights. Click OK. Note: Move the contents to the new location might cause issues in some deployments.
  8. Click Yes to acknowledge this message.
  9. Right-click Desktop and click Properties.
  10. Change the Setting drop-down to Basic.
  11. Change the Target folder location to Redirect to the following location.
  12. In the Root Path box, enter %HOMESHARE%%HOMEPATH%\Desktop. It is critical that this is a UNC path and not a mapped drive. Also, since we’re using home directory variables, all users must have home directories defined in Active Directory.
  13. Switch to the Settings tab.
  14. Uncheck the box next to Grant the user exclusive rights to Desktop and click OK.
  15. Click Yes when prompted that the target is not a UNC path. You get this error because of the variable. It doesn’t affect operations.
  16. Repeat for the following folders:
    • Documents = Redirect to the User’s Home Directory
    • Desktop = %HOMESHARE%%HOMEPATH%\Desktop
    • Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites
    • Downloads = %HOMESHARE%%HOMEPATH%\Downloads
  17. Redirect the following folders but set them to Follow the Documents folder.
    • Pictures
    • Music
    • Videos

Folders not redirected will be synchronized by Citrix Profile Management.

Verify Profile Management

  1. Once Profile Management is configured, login to a Virtual Delivery Agent and run gpupdate /force.
  2. Logoff and log back in.
  3. Go to C:\Windows\System32\LogFiles\UserProfileManager and open the pm.log file. Look in the log for logon and logoff events.

Profile Management Troubleshooting

UPM Troubleshooter

Citrix Blog Post – UPM Troubleshooter: UPM Troubleshooter is a Windows-based standalone application that examines the live User Profile Management-enabled system in a single click, gives Profile Management Configurations, information on the Citrix products installed, facility to collect and send the logs along with system utilities dashboard to analyze the issue in an effective, simplified, quick and easier manner. See the blog post for more details.

Profile Management Configuration Check Tool

UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines whether it is optimally configured. UPMConfigCheck is designed to verify that Profile management has been configured optimally for the environment in which it is being run, taking into account:

  • Hypervisor Detection– The presence or absence of supported hypervisors (for example, Citrix XenServer, VMware vSphere, or Microsoft Hyper-V)
  • Provisioning Detection– The presence or absence of a supported machine-provisioning solution (for example, Machine Creation Services or Provisioning Services)
  • XenApp or XenDesktop– Whether it is running in a XenApp or a XenDesktop environment
  • User Store – Determines that the expanded Path to User Store exists.
  • WinLogon Hooking Test – Verifies that Profile management is correctly hooked into WinLogon processing. This test is for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and requires the user running the Configuration Check Tool to have permission to access the relevant registry keys, or an error may be returned.
  • Verify Personal vDisk enabled / disabled – Whether the Personal vDisk feature of XenDesktop is enabled
  • Miscellaneous – Other factors that it is able to determine through registry or WMI queries, such as whether the computer running Profile management is a laptop

Profile Size

Sacha Thomet at Monitor you Profile directories has a script that displays the size of profiles in a profile share.

Log Parser

CTX123005 Citrix UPM Log Parser

View Log Files using Excel

CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

472 thoughts on “Citrix Profile Management 5.8”

  1. Carl you are the best,thanks man,i had a question if i applied local profile in xen application server when i updated the master image and then updated the catalog all the profile in xen applications servers
    were deleted,any ideas ?!

    1. Local profile?

      Did you enable Profile Management? If so, then it should be saving the profiles at logoff to a remote file share. If that’s not working, then we need to look in the log files to troubleshoot it.

      1. Thanks for your answer carl ,I mean Local profile not roaming nor upm ,locally on xen app server ,but when i updated the machine catalog (master image) all the profiles on xen app servers are deleted,so how can local profiles can be useful?!!

        citrix recommended three:
        Local Profiles
        Mandatory Profiles
        Roaming Profiles

        and i think my environment best practice is local profile because we are not very big organization,but this scenario is not good because every time i make change to the master image and update xen application with this changes from the master image all profile are deleted and this normal because the master image doesn’t have the local users profiles ,if u get my point ,is there any police or configuration don’t to delete the profile when i update the xen application machine catalog ?

        1. The whole point of roaming profiles is to back them up at logoff so they can be restored at logon. Enable UPM, and your problem will be solved.

          1. Hi Carl,

            This is regarding page file size on a Citrix VDA template server.
            memory :24 GB
            C drive space : 70 GB
            server os: Windows Server 2012
            What should be the size of Paging file?

            At the moment it is set to “automatically manage paging size”, but I believe thats not the recommeneded way when creating MCS machines from the template.

            Please advise.

            Thanks,
            Arshi

          2. Automatic has a minimum equal to the size of memory. If you don’t fill your memory, then you probably don’t need a large pagefile, and thus can shrink it.

  2. Hey Carl, question about Office 365 shared computer activation and UPM. Under “Exlusions – 5.5 and newer” you recommended excluding the licensing folder. I am wondering why the recommendation? According to the Citrix Office 365 deployment article, “The Shared Computer Activation does not impact the user’s ability to install Office 365 Pro Plus on 5 different machines.” Unfortunately our environment doesn’t have ADFS setup at the moment. We are about to push out O365 pro plus 2016 but want to make sure we do it right. Thank you!

      1. So this would require them to log in to license office daily anyway? Really appreciate the quick answer!

  3. Hi Carl, thanks a lot for writing such a detailed article.

    Please help me with following Question.

    We have XenApp 7.6 with Windows Server 2012 VDAs and Citrix UPM 5.4.1. Policies are configured from Studio.

    Now we need to upgrade UPM from 5.4.1 to 5.7. Is it correct that all I have to do is install UPM 5.7 on all VDAs? There are only 12-15 profile related policies that are similar to policies in UPM 5.7 so I don’t think I have to be worried about the policy changes. I, of course, will take the back up of the profiles on NAS.

  4. I had to add AppData/Local/Packages to the Mirror list to get the Start Menu to work on Windows Server 2016/XA 7.13

    Without it the Start Menu wouldn’t appear.

      1. It was my own experimentation,

        I was getting these errors in Application log when I clicked on the start menu or search button;

        Failure to load the application settings for package Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy. Error Code: 5
        Failure to load the application settings for package Microsoft.Windows.Cortana_cw5n1h2txyewy. Error Code: 5

        and in the UPM log there was an error when logging on to the server.

        2017-05-09;14:39:42.523;ERROR;—-;——;19;8792;ResetSecurityForRS1StartMenu: target file C:\Users\———–\Appdata\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\ac does not exist

  5. Should Creator Owner have Full Control on Subfolders and Files? The very last screenshot show Creator Owner with Modify permissions on Subfoldres and Files.

    1. I tried it again and it showed Modify instead of Full Control. To avoid confusion, I forced it to Full Control and updated the screenshot. Thanks for noticing.

    1. Optional. I include it because some home folders are in a subdirectory. There’s no harm in having two backslashes in the path.

  6. Hi Carl,
    i must say that your blog has really been very beneficial to me.
    now i do have a question, please guide me on how to configure a GPO for defining the user home directory in the Active Directory so that i can redirect folders like my documents, desktop etc.

    Thanks in advance

    1. There’s a GPO setting for RDS: Computer Config > Admin Templates > Windows Components > RDS > RDSH > Profiles. But this is only for RDS.

      I’m not aware of a GPO setting for non-RDSH.

      Most companies use scripts to create users and home directories. Or an Identity Management tool to automate user creation with home directory.

      1. HI Carl,

        for citrix Xendesktop MCS, i need to create a startup program or create a shortcut on users desktop using group policy for only users in a certain security group.How should I do this, is it user configuration/or computer config?
        eg; for creating a shortcut, how do I specify the target path? As users will be logging on to any one of the 5 MCS servers, i cant specify any one server in the target path!
        or should I just put C:\xxxxx in the target path and add all the servers in the item level targeting?

        is there any other way?

        1. Group Policy Preferences lets you create Shortcuts with Item Level Targeting. Is that what you’re asking?

  7. Hi Carl,

    in your section “Exclusions – 5.5 and newer”, Point 15 you wrote that the folders start menu and/or FTA have to be included in the “directories to synchronize”. One of these folders is “AppData\Local\TileDataLayer”.
    In Point 26 you state that TileDataLayer should be put into “Folders to Mirror”.
    I’m a little bit confused at the moment – where should I put this folder?
    Maybe you can explain the difference between “directories to synchronize” and “folders to mirror”?

    Thank you,
    Holger

    1. Citrix has several articles on roaming Start Menu and they are not consistent. Since both settings end up synchronizing the folder, I don’t see any harm in specifying both. Mirroring is for specific types of folders containing .dat files.

  8. Hi Carl. First thanks for the guide.

    Im having an issues. I have a program which work with data in appdata/locallow folder. But somehow i can’t get UPM to roam the folder no matter what i do, do you have any solution or quick guide that explains what to do?

    best regard Brian C.

    1. Adding the folder to Folders to Sync should work. There’s a separate policy for Files to Sync. You can also try Folders to Mirror.

        1. Just upgrade the service on each VDA. As for GPO, replace the ADMX templates and configure whatever new settings you want to enable.

  9. Hi Carl,
    I would like to implement the mandatory profile.
    If I understand correctly, the mandatory profile would make sure that any user who logs on to the vm, will always have the same profile (Mandatory) loaded, in my case, locally (it’s possible on local disk ?).

    eg .:
    User01 logged in to VM and its profile is the folder c: \ users \ mandatory;
    User02 logged in to VM and its profile is always the folder c: \ users \ mandatory;

    In this way the login performance improves, because the profile is already created when the user logs on, right?

    Now after doing the steps in the section “Mandatory Profile – Citrix”, I do also those of the redirect etc etc, or not?

    Thanks for all.

      1. Hi Carl , thanks for your reply.
        Another question.
        If I do not create the Folder Redirection, the Mandatory Profile, even redirect the Desktop folder, Documents, etc., in the same Mandatory profile folder for all users ?

        Thanks.

        1. If no folder redirection, when the user logs off, it’s deleted. Each user gets a different copy of the mandatory profile.

  10. Hi Carl

    Though I could configure GPO but I have a limited access to the “Domain Controller to copy the admx templates over”. The other option left would be to use “citrix policy” node with GPO to configure UPM. I understood GPO is preferable to citrix-policies wherever possible.

    However since “adm” template is also available for “ctxprofile”, this could be imported and used for UPM configuration. But is there anywhere I could find “adm template” for “CitrixBase” also. It seems not to be on XendDesktop ISO.

  11. Carl,

    Do you have a recommendation for creating default user profiles in windows 10? We are a government agency that is required to use applications provided by the state. Quite a few of those applications require the use of Internet Explorer and have OCX and controls that need to be installed as the user. We would like to go through the process of installing all of these once and keep them in a default profile so future users get access without getting prompted to install controls they do not have access rights to install.

    Thanks!

    John

  12. Hi Carl,

    I noticed that, in the Citrix Policies node in an Active Directory policy, settings for Profile Management also exist. Can they be used to configure the Profile Management environment? I am trying but having some problems. If they cannot be used, why is it there?

    1. I can’t think of any advantage of using Citrix Policies to configure UPM instead of regular GPO ADMX template. The only reason they are available in Citrix Policies is for environments that are not allowed to use group policies. You can also use Citrix WEM to configure UPM.

  13. Hi Carl,

    we were running one VDA server with around 80 plus users. Now thinking of moving to a citrix Farm. We created a VDA template and using the provisioning service we create 3 VDAs.
    I added a test user to the new delivery group that points to one of the 3 VDAs, everything except the outlook works. When we open outlook, it gives, outlook cannot be open, system resources are crtically low, etc..
    I tried the user to the old delivery group which pointed to the only one original VDA, still got the same error.
    So , somehow it had currupted the user profile. I re-created the profile, still same error.
    So I had to remove the user from new deliverygroup (pointing to PVS VDAs), re-create the profile,-> so user logge don to the old VDA and it works again fine.

    Why is only outlook affected when moving user to new delivery group? User profiles are stored on only 1 single server.

    Is there any settings need to be done on the profile management setting? Please advise!!

    Thanks,
    Arshi

    1. If you still have the corrupted profile, can you get procmon traces of a good Outlook and bad Outlook and compare them?

      1. Carl, thanks for replying. I figured that if I rdp to one of the VDA and open outlook, i get the same error. So, i think its more windows. Is there any Citrix recommendation on installing outlook on VDA templates?
        Please help

  14. Carl ,UPM 5.7 Is not working with my XA6.5 Environment .You no longer have the post for 5.4 .That has always worked for me .

    1. The instructions are the same for both versions, except for the Default Exclusions in 5.5 and newer. I left the exclusions config for 5.4 and older.

      1. The profile for user ‘NAFT\testuser’ is managed by Citrix Profile management, but the user store ‘\\localfs.org\localfs-ns\ctx-userprofile\testuser’ could not be found. A temporary profile will be created for this user and no changes will be saved to their profile in this user store. Cause: The Citrix Profile Management Service on this computer could not find the profile in the specified user store. This may be because of a network issue or because the server hosting the user store is unavailable, but it may also be because the profile in the user store has been deleted or moved, or the path to the user store has changed and no longer correctly points to an existing profile in the user store. Action: Ensure the server hosting the user store is available, the network between this computer and the server is operational and the path to the user store points to an existing profile. If the profile in the user store has been deleted, delete the profile on the local machine.

        What could be causing this .I am using UPM 5.4 ,Please advise . Folders are redirecting fine .

        1. Login to the machine as a different user. Delete the local profile for testuser. Then login as testuser again.

  15. Hello Carl,

    first thanks for your great tutorials!

    We are using XenDesktop 7.6.300 with Citrix UPM 5.3.0. At the moment we have issues with “WebCacheLocal” errors when users log on.

    Do you have any recommendations to install/upgrade UPM to the latest version und test it parallel with some users?

    best regards,

    1. There shouldn’t be any problem upgrading UPM on a VDA and testing it with your existing profiles. One method of updating is to upgrade your VDA to 7.6.3000, which comes with UPM 5.6.

  16. I installed VDA 7.6 Base then 7.6.300 then CU3, I am getting an issue with “there was a problem setting up your profile” when I log on. Not sure which part caused this?

  17. Sorry….it is win 10. No.v2 or .v6 at the end.
    Ran a Procmon (via psexec) and found out some weird stuff. System is owner and has full control of the follow keys and yet it gets access denied:
    HKLM\System\CurrentCountrolSet\Services\WinSock2\Parameters
    HKU\.Default\SOFTWARE\Microsoft\ADs\Providers\LDAP\CN=Aggregate……

  18. Hi Carl,
    is it possible to configure Profile Management using the Citrix Policy GPO plug-in on a separate machine which contains only the GPMC ?
    Regards,
    Martin

Leave a Reply