Citrix Profile Management

Last Modified: Dec 11, 2016 @ 3:00 pm


Profile Management Configuration Options

Version 5.6 of Citrix Profile Management can be downloaded from XenApp/XenDesktop 7.12. To find it, click Components that are on the product ISO but also packaged separately.

There are three methods of configuring Citrix Profile Management:

  • Citrix Studio – in the Policies node
  • Microsoft group policy – using an ADMX file
  • .ini file – this is the default

This page will detail the GPO ADMX method of configuring Citrix Profile Management. The Studio method is similar.

Citrix Studio Policies and Microsoft GPOs override the .ini file. When configuring Studio Policies or GPOs, copy the default settings from the .ini file as detailed below.

Planning – Multi-Datacenter

For optimum performance, users connecting to Citrix in a particular datacenter should find their roaming profiles on a file server in the same datacenter. If you have Citrix in multiple datacenters, then you will need file servers in each datacenter.

DFS active/active replication of roaming profiles is not supported. This limitation complicates multi-datacenter designs.

For active/active datacenters, split the users such that different users have different home datacenters. Whenever a particular user connects, that user always connects to the same datacenter and in that datacenter is a file server containing the user’s roaming profile. StoreFront uses Active Directory group membership to determine a user’s home datacenter.

For users that connect to Citrix in multiple datacenters, there are a couple options:

  • The user’s roaming profile is located in only one datacenter – If the user connects to a remote datacenter, then the roaming profile must be transmitted across the WAN. To optimize performance, disable Active Write Back, and make sure Profile Streaming is enabled.
  • The user has separate profiles for each datacenter – There is no replication of profiles between datacenters. This scenario is best for deployments where different applications are hosted in different datacenters.

Disaster Recovery – For disaster recovery scenarios, the user’s roaming profile data (and home directories) must be recovered in a different datacenter. Here are some considerations:

  • Use DFS One-way replication. After the disaster, edit the DFS Namespace folder target to point to the file server in the DR datacenter. You must avoid multi-master DFS replication/namespace.
  • Use VMware SRM or Zerto to recover the file server in the DR datacenter.
  • A datacenter failover might result in multiple file servers accessed from a single VDA, especially if you have users split across datacenters. Use DFS Namespaces as detailed below.

DFS Namespace for central user store – The Citrix Profile Management user store path is a computer-level setting, meaning there can only be one path for every user that logs into a particular VDA. If you have different users with roaming profiles on different file servers, you must use Active Directory user attributes and DFS namespaces to locate the user’s file server. Here is an overview of the configuration:

  • Create a domain-based DFS namespace with folder targets on different file servers. See Scenario 1 – Basic setup of geographically adjacent user stores and failover clusters at Citrix Docs for more information.
  • Do not enable two-way DFS Replication for the roaming profile shares. But you can do One-way DFS replication. See Scenario 2 – Multiple folder targets and replication at Citrix Docs for more information.
  • Edit each user in Active Directory with a location (l) attribute that matches the DFS folder name.
  • Set the Profile Management user store path to \\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!. This pulls the user’s l attribute from Active Directory and appends that to the DFS share. The folder that matches the attribute value is linked to a file server. For example, if the user’s l attribute is set to Omaha, then the user’s profile will be located at \\corp.local\CtxProfiles\Omaha\user01\Win2016v6. The Omaha folder is linked to a file server in the Omaha datacenter.

Create User Store

This procedure could also be used to create a file share for redirected profile folders.

If you intend to place Citrix Profile Management roaming profiles in the user’s home directory, then there is no need to follow the procedure in this section. Only use this section if you are creating a new file share for storage of the Citrix roaming profiles.

Create and Share the Folder

  1. Make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it CtxProfiles or similar.

  3. Share the folder.
  4. Give Everyone (or some other group that contains all Citrix Users) Full Control (Read/Write). Click Share, and then click Done.
  5. Go to the Properties of the folder.
  6. On the Sharing tab, click Advanced Sharing.
  7. Click Caching.
  8. Select No files or programs. Click OK, and then click Close.

Folder (NTFS) Permissions

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

Access Based Enumeration

With this setting enabled, users can only see folders to which they have access:

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it. Or perform a refresh.
  3. Right-click the new share and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration.
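The share, NTFS and access-based enumeration steps above can also be scripted. The following PowerShell is an added example, not part of the original procedure; the folder path `D:\CtxProfiles` and the share name are assumptions. It ends by reading the ACL back and reporting any Everyone entry that would let users reach other users' profile folders.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the GUI steps for the user store share.
param(
    [string]$Path      = 'D:\CtxProfiles',   # assumption: local folder on the file server
    [string]$ShareName = 'CtxProfiles'       # assumption: share name
)

# Well-known SIDs avoid problems with localized account names.
$everyone     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$allow        = [System.Security.AccessControl.AccessControlType]::Allow

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Share level: Everyone Full Control, caching set to "No files or programs",
# access-based enumeration enabled.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    $everyoneName = $everyone.Translate([System.Security.Principal.NTAccount]).Value
    New-SmbShare -Name $ShareName -Path $Path -FullAccess $everyoneName `
        -CachingMode None -FolderEnumerationMode AccessBased | Out-Null
}

# NTFS level: start from a clean slate for the two principals we manage.
$acl = Get-Acl -Path $Path
$acl.PurgeAccessRules($everyone)
$acl.PurgeAccessRules($creatorOwner)

# Everyone: read plus Write (no Modify, no Full Control), "This folder only",
# so users can create their own profile folder but nothing flows down.
$everyoneRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    $allow)

# CREATOR OWNER: Full Control on subfolders and files only, so each user
# controls the folder tree they create.
$ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $creatorOwner,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    $allow)

$acl.AddAccessRule($everyoneRule)
$acl.AddAccessRule($ownerRule)
Set-Acl -Path $Path -AclObject $acl

# Verification: any Everyone ACE that is inheritable, or that carries Delete
# (part of Modify and Full Control), defeats the per-user isolation.
$delete   = [System.Security.AccessControl.FileSystemRights]::Delete
$findings = (Get-Acl -Path $Path).Access | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    $sid.Value -eq $everyone.Value -and (
        $_.InheritanceFlags -ne [System.Security.AccessControl.InheritanceFlags]::None -or
        ($_.FileSystemRights -band $delete)
    )
}

if ($findings) {
    Write-Warning "Everyone has inheritable or Modify-level rights on ${Path}:"
    $findings | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
} else {
    Write-Output "NTFS permissions on $Path match the procedure."
}

# Confirm the share-level settings took effect.
Get-SmbShare -Name $ShareName | Format-List Name, Path, CachingMode, FolderEnumerationMode
```

If the parent folder grants Everyone inheritable rights, the check reports them as well; remove that grant on the parent or disable inheritance on the share folder before putting profiles on it.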

GPO ADMX Policy Template

  1. Go to the downloaded Citrix Profile Management 5.6. In the \GPO_Templates\en folder, copy the file ctxprofile5.6.0.admx to the clipboard. You can also find the templates on the main XenDesktop 7.12 ISO in the \x64\ProfileManagement\ADM_Templates\en folder.
  2. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.
  3. If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. If you have an older version of the ctxprofile.admx file in either location, delete it. Note: replacing the .admx file does not affect your existing Profile Management configuration. The template only defines the available settings, not the actual settings.
  5. Go back to the Citrix Profile Management 5.6 ADM_Template files and copy ctxprofile5.6.0.adml to the clipboard.
  6. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL.
  7. If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.
  8. If you have an older version of the ctxprofile.adml file in either location, delete it.
  9. Go back to the Citrix Profile Management 5.6 ADM_Template files and, in the \GPO_Templates\CitrixBase folder, copy the file CitrixBase.admx to the clipboard.
  10. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.
  11. If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  12. Go back to the Citrix Profile Management 5.5 ADM_Template files and copy CitrixBase.adml to the clipboard.
  13. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL.
  14. If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.

Group Policy Settings

  1. Edit a GPO that applies to all machines (VDAs) that have the Profile Management service installed.
  2. Go to Computer Configuration\Policies\Administrative Templates\Citrix Components\Profile Management. If older than 5.5, the settings are beneath the Citrix folder. Note: if you did not install the CitrixBase.admx file, then you can find Profile Management directly under the Administrative Templates folder.
  3. Enable the setting Enable Profile management. Profile Management will not function until this setting is enabled.
  4. If desired, enable the setting Process logons of local administrators.
  5. Enable Path to user store.

    Specify the UNC path to the folder share. An example path = \\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!

    Different OS versions have different profile versions. You must not use the wrong profile version on the wrong OS version. For example, you cannot use a Windows 7 profile (v2) on Windows 10 1607 (v6). The variables in the path above ensure that every unique profile version is stored in a unique folder. If users connect to multiple operating system versions, then users will have multiple profiles.

    For example, if the user logs into Windows 2012 R2 RDSH, the profile folder will be \\server\share\user01\Win2012R2v4. If the user logs into 64-bit Windows 10, the profile folder will be \\server\share\user01\Win10v6.

    Warning: If you are upgrading to Profile Management 5.4 or newer and have existing Windows 2012 R2 profiles based on the !CTX_OSNAME! variable, Citrix fixed the variable and now your profiles might stop working. See http://discussions.citrix.com/topic/374111-psa-upm-54-ctx-osname-server-2012-value-change/ for more details.

    Note: in older versions of Citrix Profile Management, !CTX_PROFILEVER! recognizes Windows 2012 R2 as v2, which isn’t correct. V2 is Windows Server 2008 R2, while Windows Server 2012 R2 is v4. The profile version bug was fixed in recent versions of Profile Management.

    Note: Windows 10 has two different profile versions: v5, and the build 1607 is v6. V6 is also the profile version in Windows Server 2016. These different profile versions are probably incompatible so they should be separated.

    Another option is to place VDAs with different OSs in different OUs, and then use different GPOs on those OUs to specify different Profile Management user store paths.
    If you have multiple domains, change #SAMAccountName# to %username%.%userdomain% (e.g. \\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!). That way you can have the same account name in multiple domains and each account will have a different profile.
  6. Disable Active write back. This places additional load on the file server and is only needed if users login to multiple machines concurrently and need mid-session changes to be saved. Note: if you don’t configure this, it is enabled by default.
  7. Under the Advanced settings node, enable the setting Process Internet cookie files on logoff.
  8. In 5.6 and newer, Customer Experience Improvement Program is enabled by default. It can be disabled here.
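To see what the Path to user store templates resolve to, both here and in the DFS Namespace section earlier, the following PowerShell models the variable expansion. It is an added example and a simplified model, not Citrix's implementation; the accounts, the PARTNER domain name and the hypothetical `Expand-UserStorePath` helper are constructed for illustration. It flags two things worth catching before rollout: accounts from different domains that resolve to the same profile folder, and accounts whose AD attribute (such as l) is empty so the path cannot be resolved.

```powershell
# Added example: simplified model of user store path expansion (not Citrix code).
function Expand-UserStorePath {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][hashtable]$User,      # constructed AD attributes
        [Parameter(Mandatory)][string]$OsName,       # value of !CTX_OSNAME!
        [Parameter(Mandatory)][string]$ProfileVer    # value of !CTX_PROFILEVER!
    )
    # Profile Management variables and environment-style variables.
    $path = $Template.Replace('!CTX_OSNAME!', $OsName).Replace('!CTX_PROFILEVER!', $ProfileVer)
    $path = $path.Replace('%username%', $User.SAMAccountName).Replace('%userdomain%', $User.Domain)

    # #attribute# tokens are looked up in the user's AD attributes.
    # A token with no value is left in place so it can be reported.
    [regex]::Replace($path, '#([^#\\]+)#', {
        param($m)
        $value = $User[$m.Groups[1].Value]
        if ($value) { $value } else { $m.Value }
    })
}

# Constructed sample accounts: same account name in two domains, and one
# account with no location (l) attribute set.
$users = @(
    @{ SAMAccountName = 'user01'; Domain = 'CORP';    l = 'Omaha' },
    @{ SAMAccountName = 'user01'; Domain = 'PARTNER'; l = 'Omaha' },
    @{ SAMAccountName = 'user02'; Domain = 'CORP';    l = $null }
)

# The three path templates that appear on this page.
$templates = @(
    '\\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!',
    '\\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!',
    '\\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!'
)

$results = foreach ($t in $templates) {
    foreach ($u in $users) {
        [pscustomobject]@{
            Template = $t
            Account  = '{0}\{1}' -f $u.Domain, $u.SAMAccountName
            Path     = Expand-UserStorePath -Template $t -User $u -OsName 'Win2016' -ProfileVer 'v6'
        }
    }
}

$results | Format-Table Account, Path -GroupBy Template -AutoSize

# Different accounts that land on the same folder (Group-Object ignores case,
# as do Windows file shares).
$collisions = $results | Group-Object Path | Where-Object Count -gt 1
foreach ($c in $collisions) {
    Write-Warning ("Shared profile folder {0}: {1}" -f $c.Name, ($c.Group.Account -join ', '))
}

# Paths that still contain an unresolved #attribute# token.
$results | Where-Object { $_.Path -match '#[^#\\]+#' } | ForEach-Object {
    Write-Warning ("Unresolved attribute for {0}: {1}" -f $_.Account, $_.Path)
}
```

With the sample data, the #SAMAccountName# templates report CORP\user01 and PARTNER\user01 on one folder, while the %username%.%userdomain% template keeps them apart.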

Exclusions – 5.5 and newer

The Exclusions process in 5.5 and newer is dramatically simplified. If you haven’t yet deployed 5.5 or newer, and its corresponding ADMX file, then skip to the older Exclusions process.

  1. Under the File system node in the Group Policy Editor, enable the setting Enable Default Exclusion List – directories.
  2. You can use checkboxes to not exclude some folders.
  3. Then edit Exclusion list – directories.
  4. Enable the setting, and click Show.

  5. Add the following to the list. This is the new path for Temporary Internet Files in Windows 8 and later.
    AppData\Local\Microsoft\Windows\INetCache
  6. If running Office 365 with Shared Computer Activation, then you might need to exclude !ctx_localappdata!\Microsoft\Office\15.0\Licensing and/or !ctx_localappdata!\Microsoft\Office\16.0\Licensing. Ideally you should have ADFS integration so users can seamlessly re-activate Office at every launch.
  7. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  8. Then click OK twice to return to the Group Policy Editor.
  9. For Windows 10, exclude usrclass.dat* from the roaming profile. If you don’t do this then the Start Menu won’t work. However, excluding this file also prevents file type associations from roaming. Edit the setting Exclusion list – files.
  10. Enable the setting and click Show.
  11. Add the following. Then click OK twice. This is detailed as a Known Issue for Profile Management 5.4.
    !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*
    

  12. Note: If you add to the exclusions list after profiles have already been created, then see Muralidhar Maram’s post at Citrix Discussions for a tool that will clean up the existing profiles. Also see Jeremy Sprite Clean Citrix UPM Profiles.
  13. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  14. Edit the setting Directories to synchronize.
  15. Enable the setting and click Show.
  16. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
    AppData\Local\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Crypto
    Appdata\Roaming\Microsoft\Protect
    Appdata\Roaming\Microsoft\SystemCertificates

  17. Also see David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
  18. Click OK twice.
  19. Edit Files to synchronize

  20. Enable the setting, and click Show

  21. Add the following three entries so Java settings are saved to the roaming profile:
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
    
  22. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  23. Then click OK twice to return to the Group Policy Editor.
  24. To enable handling of Cookies, in the Synchronization node, enable the setting Folders to mirror.
  25. Enable the setting, and click Show.
  26. Add the following and click OK

    AppData\Roaming\Microsoft\Windows\Cookies
    AppData\Local\Microsoft\Windows\INetCookies
    AppData\Local\Microsoft\Windows\WebCache
    AppData\Local\Microsoft\Vault

  27. Note: according to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Config > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.
  28. On the left, under Profile Management, click Registry.
  29. On the right, open Enable Default Exclusion List.
  30. Enable the setting and click OK. You can use the checkboxes to control which registry keys you don’t want to exclude.
  31. New in 5.5 is the NTUSER.DAT backup setting, which is disabled by default. You can enable it to provide some resiliency against profile corruption.
  32. Skip to the Log Settings section.

Exclusions – 5.4.1 and older

This section is for UPM 5.4.1 and older. For 5.5 scroll up to Exclusions – 5.5 and newer.

The UPMPolicyDefaults.ini file includes a default list of exclusions. If you intend to add to the default list, you must first copy the exclusions from the .ini file to the GPO. Then you can add exclusions to your GPO.

Note: this file was updated for Profile Management 5.4 and Windows 10 so if you are upgrading make sure you copy the new exclusions to the GPO. For example, !ctx_localappdata!\TileDataLayer seems to have been added in 5.4.

  1. Browse to a VDA, go to C:\Program Files\Citrix\User Profile Manager and open the file UPMPolicyDefaults_all.ini using Notepad.
  2. Under the File system node in the Group Policy Editor you can configure which profile folders should be excluded from synchronization. Edit Exclusion list – directories.
  3. Enable the setting and click Show

  4. In the .ini file, scroll down to the SyncExclusionListDir section.  Copy each of these lines to the GPO. Do not include the equals sign on the end.
  5. Add the following to the list. This is the new path for Temporary Internet Files in Windows 8 and later.
    AppData\Local\Microsoft\Windows\INetCache
  6. If running Office 365 with Shared Computer Activation, then you might need to exclude !ctx_localappdata!\Microsoft\Office\15.0\Licensing and/or !ctx_localappdata!\Microsoft\Office\16.0\Licensing. Ideally you should have ADFS integration so users can seamlessly re-activate Office at every launch.
  7. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  8. Then click OK twice to return to the Group Policy Editor.
  9. For Windows 10, exclude usrclass.dat from the roaming profile. If you don’t do this then the Start Menu won’t work. Note: TileDataLayer should already be an excluded folder. Edit the setting Exclusion list – files.
  10. Enable the setting and click Show.
  11. Add the following. Then click OK twice. This is detailed as a Known Issue for Profile Management 5.4.
    !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*
    

  12. Note: If you add to the exclusions list after profiles have already been created, then see Muralidhar Maram’s post at discussions.citrix.com for a tool that will clean up the existing profiles. Also see Jeremy Sprite Clean Citrix UPM Profiles.
  13. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  14. Edit the setting Directories to synchronize.
  15. Enable the setting and click Show.
  16. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
    AppData\Local\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Crypto
    Appdata\Roaming\Microsoft\Protect
    Appdata\Roaming\Microsoft\SystemCertificates

  17. Also see David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
  18. Click OK twice.
  19. Edit Files to synchronize

  20. Enable the setting and click Show

  21. Add the following three entries so Java settings are saved to the roaming profile:
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
    
  22. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  23. Then click OK twice to return to the Group Policy Editor.
  24. To enable handling of Cookies, in the Synchronization node, enable the setting Folders to mirror.
  25. Enable the setting and click Show.
  26. Add the following and click OK

    AppData\Roaming\Microsoft\Windows\Cookies
    AppData\Local\Microsoft\Windows\INetCookies
    AppData\Local\Microsoft\Windows\WebCache
    AppData\Local\Microsoft\Vault

  27. Note: according to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Config > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.
  28. On the left, under Profile Management, click Registry.
  29. On the right, open Exclusion List.
  30. Enable the setting and then click Show.
  31. Back in the UPMPolicyDefaults.ini file, look for the ExclusionListRegistry section. Copy the two items from there without the equals sign to the GPO setting.
  32. Click OK twice.

Log Settings

  1. In the Log Settings node, enable the Enable logging setting. This will make it easy to troubleshoot problems with Profile Management. The logfile is located in C:\Windows\System32\LogFiles\UserProfileManager.
  2. Edit the Log settings setting.
  3. Enable the setting and check the boxes next to Logon and Logoff. Click OK.

    Citrix has a log parser that can be used to view the Profile Management logs. http://support.citrix.com/article/CTX123005.
  4. If your VDA is a Provisioning Services Target Device and/or non-persistent, consider moving the log file to the local persistent disk (e.g. D:\Logs), or to a central share. If a central share, the VDA computer accounts (e.g. Domain Computers) will need Modify permission to the log file path. To change the log file path, edit the Path to log file setting.


Profile Streaming

  1. For shared persistent VDAs (e.g. RDSH), go to the Profile handling node under Profile Management. Enable the setting Delete locally cached profiles at logoff. Note: this might cause problems in Windows 10.

    Helge Klein has a tool to delete locally cached profiles on a session host. http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/. This tool should only be needed if profiles are not deleting properly.
  2. For Windows 10/2016 machines, CTX216097 Unable to Delete NTUSER.DAT* Files When a User Logs off recommends setting Delay before deleting cached profiles to 40 seconds.

  3. Enable the setting Local profile conflict handling and set it to Delete local profile. Note: this might cause problems on Windows 10.

  4. Under Profile Management > Streamed user profiles is Profile streaming. Enable this setting to speed up logons.
  5. After modifying the GPO, use Group Policy Management Console to update the VDAs.
  6. Or run gpupdate /force on the VDAs, or wait 90 minutes.

Mandatory Profile – Citrix Method

Profile Management 5.0 and newer has a mandatory profile feature. Alternatively, use the Microsoft method.

  1. Create a file share (e.g. \\fs01\profile). Give Read permission to Users and Full Control to Administrators.
  2. Login to the VDA machine as a template account. Do any desired customizations. Logoff.
  3. Make sure you are viewing hidden files and system files.
  4. Copy C:\Users\%username% to your fileshare. Name the folder Mandatory or something like that. Citrix Profile Management does not need .v2 or .v4 or .v6 on the end.

    1. You can copy C:\Users\Default instead of copying a template user. If so, remove the Hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  5. Open the AppData folder and delete the Local and LocalLow folders.
  6. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file, and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  7. Open regedit.exe.
  8. Click HKEY_LOCAL_MACHINE to highlight it.
  9. Open the File menu and click Load Hive.
  10. Browse to the mandatory profile and open NTUSER.DAT. Note: Citrix Profile Management does not use NTUSER.MAN and instead the file must be NTUSER.DAT.
  11. Name it a or similar.
  12. Go to HKLM\a, right-click it, and click Permissions.
  13. Add Authenticated Users and give it Full Control. Click OK.
  14. With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ and http://appsensebigot.blogspot.ru/2014/10/create-windows-mandatory-profiles-in.html?m=1 for some suggestions.
  15. Citrix CTX212784 Slow User Logon When Using Mandatory Profiles – set HKCU\a\Software\Citrix\WFSHELL\SpecialFoldersIntialized (DWORD) = 1
  16. Highlight HKLM\a.
  17. Open the File menu, and click Unload Hive.
  18. Go back to the file share and delete the NTUSER.DAT log files.
  19. Create/Edit a GPO that applies to the VDAs. Make sure the Citrix Profile Management policy template is loaded.
  20. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Profile Management > Profile handling. Edit the setting Template profile.
  21. Enable the setting and enter the path to the Mandatory profile.
  22. Check all three boxes. Then click OK.

Redirected Profile Folders

  1. Make sure loopback processing is enabled on your VDAs.
  2. Edit a GPO that applies to all VDA users, including Administrators.
  3. Go to User Configuration\Policies\Windows Settings\Folder Redirection. Right-click Documents, and click Properties.
  4. In the Setting drop down, select Basic.
  5. In the Target folder location drop down, select Redirect to the user’s home directory.
  6. Switch to the Settings tab.
  7. On the Settings tab, uncheck the box next to Grant the user exclusive rights. Click OK. Note: Move the contents to the new location might cause issues in some deployments.
  8. Click Yes to acknowledge this message.
  9. Right-click Desktop and click Properties.
  10. Change the Setting drop-down to Basic.
  11. Change the Target folder location to Redirect to the following location.
  12. In the Root Path box, enter %HOMESHARE%%HOMEPATH%\Desktop. It is critical that this is a UNC path and not a mapped drive. Also, since we’re using home directory variables, all users must have home directories defined in Active Directory.
  13. Switch to the Settings tab.
  14. Uncheck the box next to Grant the user exclusive rights to Desktop and click OK.
  15. Click Yes when prompted that the target is not a UNC path. You get this error because of the variable. It doesn’t affect operations.
  16. Repeat for the following folders:
    • Documents = Redirect to the User’s Home Directory
    • Desktop = %HOMESHARE%%HOMEPATH%\Desktop
    • Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites
    • Downloads = %HOMESHARE%%HOMEPATH%\Downloads
  17. Redirect the following folders but set them to Follow the Documents folder.
    • Pictures
    • Music
    • Videos

Folders not redirected will be synchronized by Citrix Profile Management.

Verify Profile Management

  1. Once Profile Management is configured, login to a Virtual Delivery Agent and run gpupdate /force.
  2. Logoff and log back in.
  3. Go to C:\Windows\System32\LogFiles\UserProfileManager and open the pm.log file. Look in the log for logon and logoff events.

Troubleshooting

UPM Troubleshooter

Citrix Blog Post – UPM Troubleshooter: UPM Troubleshooter is a Windows-based standalone application that examines a live User Profile Management-enabled system in a single click. It reports the Profile Management configuration and the Citrix products installed, can collect and send logs, and includes a system utilities dashboard for analyzing issues. See the blog post for more details.

Profile Management Configuration Check Tool

UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines whether it is optimally configured. UPMConfigCheck is designed to verify that Profile management has been configured optimally for the environment in which it is being run, taking into account:

  • Hypervisor Detection – The presence or absence of supported hypervisors (for example, Citrix XenServer, VMware vSphere, or Microsoft Hyper-V)
  • Provisioning Detection – The presence or absence of a supported machine-provisioning solution (for example, Machine Creation Services or Provisioning Services)
  • XenApp or XenDesktop – Whether it is running in a XenApp or a XenDesktop environment
  • User Store – Determines that the expanded Path to User Store exists.
  • WinLogon Hooking Test – Verifies that Profile management is correctly hooked into WinLogon processing. This test is for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and requires the user running the Configuration Check Tool to have permission to access the relevant registry keys, or an error may be returned.
  • Verify Personal vDisk enabled / disabled – Whether the Personal vDisk feature of XenDesktop is enabled
  • Miscellaneous – Other factors that it is able to determine through registry or WMI queries, such as whether the computer running Profile management is a laptop

Profile Size

Sacha Thomet at Monitor you Profile directories has a script that displays the size of profiles in a profile share.

378 thoughts on “Citrix Profile Management”

  1. Hi Carl, and Happy New Year!!!

    Please tell me to which folder are the user certificates redirected? I mean for example user has a cert in IE. Where is it redirected at logoff? Profile Mgmt is configured with Citrix UPM THX!

      1. Hi Carl, Great post and has greatly helped. I have an issue here; Do you have any idea why when a user launches a Dedicated Virtual Desktop and Apps their Favorites are loaded without issues. But when they launch the pool desktops, their profiles are not recreated when refreshed even though it launches. Doesn’t load the user settings and Favorites. Any help will be greatly appreciated… Thanks

          1. Four (4) Text Files with the names
            Domain#MAchineName_pm
            Domain#MAchineName_pm_config
            Domain#VDAImageMachineName_pm
            Domain#VDAImageMachineName_pm_config

  2. Hi Carl
    can we use profile management 5.6 with xd 7.12 installed on server 2008R2 and vda on windows 7.
    thanks in advance….

  3. Hello,

    I have this message in the action center when UPM is enabled: a default app was reset
    this for .pdf, html, jpeg…
    Default apps are photos and internet explorer.

    Do you have any recommendation on this?

    Thank you in advance.

    1. Are you roaming usrclass.dat files? I think they should be excluded.

      Otherwise, there’s a known issue with roaming user-select file type associations. Call Support and they might have a private fix.

  4. hi Carl,
    I have a problem with the outlook profile.
    Each time a user makes a new login the mailbox will be downloaded as the first time (I use Exchange). Do you know how to set up the policy?
    thanks
    Michele

    1. You mean user has to setup the Outlook profile again? If so, that suggests roaming profiles aren’t working. Check your UPM logs in c:\windows\system32\logfiles\user profile manager.

      Or are you saying that Outlook Cached Mode has to re-download on every login? Are you excluding the .ost from roaming? If on-premises Exchange, you usually disable Outlook Cached Mode. If hosted Exchange, give the user a persistent desktop, or look into FSLogix to manage the .ost file.

  5. Hello Carl,

    Have a question for you.

    I have used TS Profiles on XenApp, and UPM on XenDesktop. I never really compared the two in a load phase.
    Load phase meaning who is better etc.
    I was curious if Citrix offers which one is better over the other for XenApp?

    Have you had any experience with this?

  6. Carl, do you know if you can install the latest version of UPM if we have 7.6.3 vda’s installed on xenapp/xendesktop machines?

    1. UPM is not LTSR compliant but is LTSR compatible. Support might ask you to duplicate an issue on the latest version of UPM.

      1. Hi Carl,

        In upgrading UPM 5.4 to 5.6, is it safe to change the adm template now, then maybe upgrade the msi later, as in a couple weeks or maybe months?

        Citrix says that we have to create a new policy then reapplying the previous setting to new gpo. will it still be working without creating new policy and reapplying means recreate on the new policy?

        Do I have to create a new shared drive for new profile and will the old shared drive and profile work?

        Thanks,

        1. .admx files contain potential settings, not the actual settings. Updating .admx files should not change the actual settings. So it’s not needed to create a new GPO.

          A simple in-place upgrade will work. There’s no need to recreate all profiles.

          1. Do I have to add the template in the GPO immediately or as long as I am not changing anything its ok to not yet add the template and remove the old template in gpo editor?

          2. You only need the template if you want to change settings, or view them. They work without the template.

    1. Hi Carl,

      I upgrade UPM 5.4 to 5.6 after the reboot I got this error. “The Citrix Profile Management driver could not be loaded. Processing can not continue. The user will be given a temporary profile. Cause: The Citrix Profile Management Service on this computer could not connect to the driver while processing a user logon. Action: Restart the machine. If the problem persists, uninstall and reinstall Citrix Profile management.”

      and getting temp profile. what causes this to happen?

  7. Carl,

    Is there a reason why “Favorites” is redirected to “%HOMESHARE%%HOMEPATH%\Windows\Favorites” instead of “%HOMESHARE%%HOMEPATH%\Favorites”?

  8. Carl, thanks for this information, very well written. Just one question. We are implementing XenApp 7.11 with Windows Server 2016. Everything seems to be working ok, except for the default apps. We let our users chose their default browser, but this isn’t remembered. I have tried all sort of inclusions in UPM, but nothing seems to work. Do you know what to enable to remember this?

  9. Hi,

    I have Citrix XenDesktop 7.11, UPM 5.5, Windows 10 LTSB 1607. I Followed your Tips, but profiles are not saved correctly.

    Your settings have been set by the citrix policy.

    I logon on RDP, the profile good work, in my folder profile it creates UPMSettings.ini
    I logon on Citrix Storefront (Netscaler), the profile not work, in my folder profile it not creates UPMSettings.ini

    Can you help me?

    Best Regards

  10. Hi Carl,

    How do you deal with Profile Manager ripping out a lot memory as much as 5GB, also I seem to be getting ESENT errors and I have followed your procedure to create the right permissions on the folder share. Do you also have a procedure to upgrade UPM 5.2.0 to 5.2.1?

  11. Hi Carl,

    Daft question coming up.

    I am upgrading from 7.6 to 7.11 over the weekend.

    As I am preparing for the upgrade for the UPM part I read the notes that say the following:-

    Install the Profile management .msi file on each computer whose user profiles you want to manage.

    Is that right? I just don’t recall ever installing this on my gold XenApp 7.6 server image and it’s been working fine.

    I did note a previous comment which says the 7.11 VDA now automatically bundles UPM 5.5.

    If I upgrade my VDA component, will it still automatically install the UPM 5.5 part or do I need to install this separately.

  12. The UPM Cleanup tool that is posted seems to only work on 2008R2. Is there an updated or alternate version that will work to clean up profiles on 2012R2?

  13. Hi Carl,
    AppData\Local is not in the exclusion list and causing profile bloats, is there a reason it’s not excluded?
    Shouldn’t Local application data (i.e. non-roaming); be excluded by default?

    1. It used to be in older versions, but then it wasn’t capturing useful files. Citrix defaults to “capture everything”, and then you specify what you don’t want. In theory, this is a “set and forget” methodology.

  14. Yes, we already tried this:

    HKEY_LOCAL_MACHINE\Software\Citrix\Logon\DisableStatus=1
    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\Logon\DisableStatus=1
    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=mfaphook64.dll
    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=mfaphook.dll

    ….and in addition opened a ticket with Citrix & Microsoft who both were not able to help us.
    Therefore we want to stick with our 70-80 seconds logon time and bring the first sign-in animation during each logon while using Citrix UPM.

  15. Hi Carl,

    this might sound stupid, but is there a possibility with active Citrix UPM to always show the first sign-in animation?
    We have set the GPO accordingly (Show first sign-in animation to Enabled) but once the user profile has been created this screen does not appear any longer and the black screen comes again.

    This seems to be the only way to hide the black screen completely for all users on Windows 10 (1607) using XenDesktop 7.9 with Provisioning Services 7.9.

    What I have already tried to hide the black screen can be found here :
    https://discussions.citrix.com/topic/342198-xendesktop-7-interactive-session-slows-logon/page-4

    We really would like to use the first sign-in animation as this will show at least some progress to the end user.

    Regards,
    Stefan

      1. Here are the keys in case anyone also always wants to show the animation:

        ‘# HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
        ‘# FirstLogon = 1 (Default = 0)
        ‘# HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
        ‘# UserSignedIn = 0 (Default = 1)

  16. Hi Carl,
    after some research I think it’s not possible to mix the “Enable Default Exclusion List – directories” and “Exclusion list – directories”. When I activate both options only the custom exclusion list for example “AppData\Local\Microsoft\Windows\INetCache” is being excluded.
    Can you verify this? I checked it with the UpmConfigCheck script.

    Cheers
    Mokki

  17. Hi Carl,
    does UPM automatically install together with VDA installation, or do I have to install separately?
    Which UPM version does come with which VDA version?

    BTW: Great website!

    Best regards,
    Volker

        1. I don’t think so.

          You can install an UPM version you want. You can use command line to exclude UPM from the VDA install. Or simply upgrade it after installation.

          If you look in the ISO, x64\ProfileManagement\ADM_Templates\en might show you the included version.

  18. Hello Carl, your website is fantastic!
    I have a question about combine “Citrix UPM 5.5” with “User Roaming Profile” and “Folder Redirection”.
    I am working in a new environment with XenApp solution with W2k12R2 and Citrix 7.9, my client has an older Citrix farm with PS 4.5 and “Microsoft active directory” with “TS Roaming User Profile” and “TS User Home Directory” put in a network share and mapping C: drive letter.
    Can I have the new deployment with “Citrix UPM” and “Microsoft GPOs” but without lose the unit C:, or maybe can I get only with “Citrix UPM” keep C: like my home folder in my roaming user profile?

    Thanks in advance and sorry for my bad English.
    Nacho.

    1. Are you asking how to install Citrix and Windows to a drive other than C: so you can map your home directory to C:?

      UPM stores locally cached profiles on whatever drive Windows is installed. Home directories are completely different. When you logoff, UPM copies the profile to a new share, which is not your home directory.

      Folder Redirection can point to your home directory (UNC path), but not a drive letter. This is a Microsoft restriction.

      1. Ok Thank you Carl, so Can I use “Citrix UPM” to store locally cached profiles on network share? and “GPOs” to put the home directory in other network share?, It’s possible?
        Thanks

  19. Carl,

    Currently we have mixed environment XenApp 6.5 with UPM 4.0 and XenApp 7.8 with UPM 5.4. We will be decommissioning the XenApp 6.5 shortly. We have been facing issues with the users settings not getting saved. I found that we have folder redirection policy for the XenApp 7.8 for the App Data (Roaming) but the path is the XenApp 6.5 profile store and not the new one. Do we need this setting if we have the Profile management configured? Could you please suggest how do we resolve this, do we need to change the path to the new store or remove this policy.

    1. I normally do not redirect AppData. If you need to keep the data, then you might have to write a script to move the files to the new location (e.g. UPM profile) and then reconfigure it after moving the files.

  20. Hi Carl,

    Love the website!

    Just had a quick question, if using the Citrix Studio – Policies node method instead of Microsoft Group Policy (due to access limitations), would you still need to copy the admx files anywhere?

  21. Hi Carl,

    Is there a reason you have not set the AppData folder to redirect under Folder Redirections GPO. I thought you would you use folder directions policy in conjunction with UPM exclusions to speed up logon performance.

    Thanks

  22. Hey Carl, I was looking through your Citrix Profile Management document and on the section about setting up the file share I wanted to comment about your instructions. While for a test lab you can probably get away with Everyone I wouldn’t suggest using that in any environment with PCI data. Audit firms have been hitting on organizations for using the Everyone group and in some cases even domain users group. They prefer a specific group be created just to grant access.

    1. Everyone is the default permission created by Windows. You’re welcome to change it to anything. I usually do Authenticated Users, or a Citrix Users group.
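The audit concern raised in comment 22, as an added example that is not part of the comment thread or the article's own instructions: a PowerShell check, run on the file server, that lists Allow entries for Everyone, Authenticated Users and Domain Users on a profile share and on the root folder behind it. The share name `CtxProfiles` and the function names are placeholder assumptions.

```powershell
# Added example, not from the article: report broad principals on a profile share.
# 'CtxProfiles' is a hypothetical share name; run this on the file server itself.
param([string]$ShareName = 'CtxProfiles')

# Well-known SIDs, so the check does not depend on the OS display language.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

function Resolve-Sid([string]$Account) {
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # orphaned or unresolvable account name
}

function Get-BroadLabel([string]$Sid) {
    if (-not $Sid) { return $null }
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # Domain Users is the domain SID followed by the fixed RID 513.
    if ($Sid -match '^S-1-5-21-.+-513$') { return 'Domain Users' }
    return $null
}

$share    = Get-SmbShare -Name $ShareName -ErrorAction Stop
$findings = @()

# Layer 1: share-level permissions.
foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
    if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
    $label = Get-BroadLabel (Resolve-Sid $ace.AccountName)
    if ($label) {
        $findings += [pscustomobject]@{
            Layer = 'Share'; Principal = $label
            Rights = "$($ace.AccessRight)"; Inherited = $false
        }
    }
}

# Layer 2: NTFS ACL on the folder the share points to.
foreach ($rule in (Get-Acl -Path $share.Path).Access) {
    if ("$($rule.AccessControlType)" -ne 'Allow') { continue }
    $label = Get-BroadLabel (Resolve-Sid $rule.IdentityReference.Value)
    if ($label) {
        $findings += [pscustomobject]@{
            Layer = 'NTFS'; Principal = $label
            Rights = "$($rule.FileSystemRights)"; Inherited = $rule.IsInherited
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No Allow entries for Everyone, Authenticated Users or Domain Users on $ShareName." }
```

Each row is a grant to review against the dedicated access group the auditors ask for; the effective access is the more restrictive of the Share and NTFS layers.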

  23. Hi Carl,

    We have two Profile Servers with DFS-R is re-enabled between them.

    \\ctxprofile01\~userdata\%username%
    \\ctxprofile02\~userdata\%username%

    The UPM is stored in \\ctxprofile01\~profiles\UPM and \\ctxprofile02\~profiles\UPM

    This is how the consultant set it up.

    Originally had exclusive rights and move content ticked then we have followed your folder redirection method to only Move Content but still getting an issue when into the other delivery group for Disaster Recovery using the secondary profile server, everything stays except Favorites which gets deleted from the Primary Site Profile Server which replicates to the other one. I noticed only difference between ours and yours is that we have create a root folder instead of ‘Redirect to the following location’. I keep scratching my head and cannot find a resolution to this. Both Group Policies are set for both Profile Servers using loopback.

    Should we just do a nightly robocopy between \\ctxprofile1\ to \\ctxprofile02\ as you mentioned dfs-r is not supported?

        1. I suspect that “move contents” is wiping the folder. Not sure. Test with it on and off.

          You can configure Folder Redirection so it only applies to Citrix users by using Loopback processing.

      1. Hi Carl, will this need to be done from the primary profile server gpo or the secondary?

        Also we have some windows users who use citrix sometimes so if i untick move contents will that not impact the folder redirection even though we have migrate existing profiles ticked in upm?

  24. Hi Carl,

    Just want to say, YOU ARE THE MAN. You are my go to for anything Citrix.

    Anyway, quick question. Can i run UPM 5.5 with XenApp 7.9? I am doing so, but getting a black screen once logon is processed for around 5 seconds before the desktop is displayed. 2012R2.

    Thanks,

    Mat

    1. UPM 5.5 should work fine.

      5 seconds is not excessive. Did you DisableStatus?

      If you want to troubleshoot, use procmon or similar to see what’s happening during those 5 seconds.

    2. Hi Mathew, I am having the same black window (full screen) for about 5 seconds. This is fine when launching published desktop but annoying when using published apps. It is happening with 2016 only, 2012R2 is fine (all servers are in the same OU, so the same set of GPOs) UPM 5.5, XA 7.11.

      If I add this to the registry:
      https://support.citrix.com/article/CTX135782
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Logon]
      "DisableStatus"=dword:00000001
      This black screen is replaced with windows logon screen (full screen as well), which is not a workaround for me.

      Have you found anything about this?
      Looks like a bug.

  25. Hi Carl, In our environment firefox blocking the outdated Adobe flash player and Java. Each and every time user has to click Allow and remember option to enable it. However it is working just for that session.

    Upon next logon, it does not remember and asking the same options again. Is there anything which I need to specifically include in Profile management policy to retain this settings ?

    please let me know your suggestions

    1. Does it work on a PC? Does it work when you close the browser and reopen it without logging off? I suspect the browser will ask you every time you open it unless there’s an option to remember your answer.

  26. Hi Carl,

    I am having a weird issue I thought I might run by you. I am using Profile Management in XenApp 7.6. I have the GPO set to pull profiles from a network share using the Absolute path or path relative to the home directory: setting.

    What I am seeing for some users, their profile location that is set in Active Directory is being pulled into Citrix. This is causing slow login times and login failures because those profiles are so large. The Citrix GPO is a loopback policy so only the setting in that GPO should be applying to Citrix. I just need help figuring out why this is happening. I do have logging enabled for UPM, just not sure what to look for.

    Any help is appreciated.

    1. Is profile migration enabled? It’s enabled by default.

      Is UPM Service enabled? It’s not enabled by default.

  27. Do you have any recommendations for setting up profiles so that my users have a seamless experience whether they log into a local machine for a virtual desktop? I want the profiles to be the same no matter where they log in. However, with the profile path changing all the time with new version of OS and UPM this seems unmanageable. Thoughts?

    1. Try a UEM product that has profile capabilities. Microsoft UE-V. AppSense. RES. Etc. Each of them save settings on a per-app basis and work across OS versions.

  28. Hi Carl

    I’ve just spent quite a long time trying to work out why I couldn’t see the 5.5.0 ADMX settings under Citrix Components only to finally realise that I don’t have a Citrix Components subheading in my GPOs it is straight off the root i.e. Computer Configuration\Policies\Administrative Templates\Profile Management. You show something different in your graphic and your instructions also say:

    Go to Computer Configuration\Policies\Administrative Templates\Citrix Components\Profile Management. If older than 5.5, the settings are beneath the Citrix folder.

    My ADMX/ADML set for ctxprofile5.5.0 are dated 01/08/16 and came from the “Components that are on the product ISO but also packaged separately.” link as you suggested, the .zip file is dated the same as your graphic shows so not sure why there is a discrepancy. Will teach me to look a bit harder next time as I’ve just spent 1.5 hrs troubleshooting AD as I had presumed there was a replication problem or something!

    Thanks for the website though, it is a great resource.

    Ollie

    1. There’s a CitrixBase.admx file that also needs to be copied. Is that in your 5.5 folder? I thought I included that in my instructions.

  29. Carl,

    I have a mixed environment. I have the old Xenapp 6.5 that is Production and Xenapp 7.8 that has been tested and will be turned into Prod. So, I have the old ctxprofile4.1.1..admx file still there in PolicyDefinitions. I am not sure if I can delete that because that is being used by the old environment. What do you suggest we do with mixed environments?

    Regards,
    Satish.

    1. Deleting an .adm doesn’t remove the settings. It only removes your ability to configure the settings. The newer .adm template includes all of the 4.1 settings.

      1. Thanks Carl. That is indeed true. One more question, when we installed 7.8, the version of profile management was 5.4 and so the policies are 5.4. Can I install PM 5.5 even if I keep the Xenapp version at 7.8?
