Citrix Profile Management 7.18

Last Modified: Aug 9, 2018 @ 9:36 am

This article applies to all versions of Profile Management: 7.18, 7.15 LTSR, 5.8, 5.7, etc.

💡 = Recently Updated

Planning

Profile Management Versions

Profile Management is included with the installation of Virtual Delivery Agent. For VDAs, to upgrade Profile Management, simply upgrade your VDA software. Here are the currently supported versions of VDA:

Or you can download the individual Profile Management component and install/upgrade it separate from the VDA. You can even install it on non-VDA machines (e.g. PCs accessed by licensed Citrix users).

The latest Current Release of Citrix Profile Management is version 7.18, which can be downloaded from XenApp/XenDesktop 7.18. To find it, click Components that are on the product ISO but also packaged separately.

The latest Long Term Service Release (LTSR) of Citrix Profile Management is Version 7.15.2000, which can be downloaded from XenApp/XenDesktop 7.15.2000. To find it, click Components that are on the product ISO but also packaged separately. Note: the versioning jumped from 5.8 to 7.15.

Profile Management Configuration Options

Profile Management consists of a Service (installed on the VDA), a file share, and configuration settings.

There are four methods of delivering configuration settings to the Citrix Profile Management service:

If a UPM setting is not configured in GPO, Citrix Policy, or WEM, then the default setting in the UPMPolicyDefaults.ini file takes effect. The .ini file is located in C:\Program Files\Citrix\User Profile Manager on every machine that has Profile Management service installed.

Microsoft Group Policy (ADMX file) is probably the most reliable method of delivering configuration settings to the Profile Management services. This method uses the familiar Group Policy registry framework. Just copy the Profile Management ADMX files to PolicyDefinitions and start configuring. The configuration instructions in this article use the GPO ADMX method.

The Citrix Policies configuration method requires Citrix Studio, or Citrix Group Policy Management Plug-in. On the Profile Management service side, only VDAs can read the Citrix Policies settings.

  • Citrix Policies has settings for Folder Redirection. If you use Citrix Policy to configure Folder Redirection, then the Folder Redirection settings only apply to VDAs that can read Citrix Policies. To apply Folder Redirection to more than just VDAs, configure Folder Redirection using normal Microsoft Group Policy as detailed below.
  • If you’re going to use Microsoft Group Policy to configure Folder Redirection, then you might as well use Microsoft Group Policy to also configure Citrix Profile Management.

Citrix Workspace Environment Management can also deliver configuration settings to the Profile Management services. This option requires the WEM Agent to pull down the settings from the WEM Brokers and apply them to Profile Management. It can sometimes be challenging to troubleshoot why WEM is not applying the settings.

Try not to mix configuration options. If you use both WEM and GPO, which one wins?

Multiple Datacenters

For optimum performance, users connecting to Citrix in a particular datacenter should retrieve their roaming profiles from a file server in the same datacenter. If you have Citrix in multiple datacenters, then you will need file servers in each datacenter.

DFS active/active replication of roaming profiles is not supported. This limitation complicates multi-datacenter designs.

For active/active datacenters, split the users such that different users have different home datacenters. Whenever a particular user connects, that user always connects to the same datacenter, and in that datacenter is a file server containing the user’s roaming profile. StoreFront uses Active Directory group membership to determine a user’s home datacenter.

For users that connect to Citrix in multiple datacenters, there are a couple options:

  • The user’s roaming profile is located in only one datacenter – If the user connects to a remote datacenter, then the roaming profile must be transmitted across the WAN. To optimize performance, disable Active Write Back, and make sure Profile Streaming is enabled.
  • The user has separate profiles for each datacenter – There is no replication of profiles between datacenters. This scenario is best for deployments where different applications are hosted in different datacenters.

Disaster Recovery – For disaster recovery scenarios, the user’s roaming profile data (and home directories) must be recovered in a different datacenter. Here are some considerations:

  • Use DFS One-way replication. After the disaster, edit the DFS Namespace folder target to point to the file server in the DR datacenter. You must avoid multi-master DFS replication/namespace.
  • Use VMware SRM or similar to recover the file server in the DR datacenter.
  • A datacenter failover might result in multiple file servers accessed from a single VDA, especially if you have users split across datacenters. Use DFS Namespaces as detailed below.

DFS Namespace

DFS Namespace for central user store – The Citrix Profile Management user store path is a computer-level setting, meaning there can only be one path for every user that logs into a particular VDA. If you have different users with roaming profiles on different file servers, then you must use Active Directory user attributes and DFS namespaces to locate the user’s file server. Here is an overview of the configuration:

  • Create a domain-based DFS namespace with folder targets on different file servers. See Scenario 1 – Basic setup of geographically adjacent user stores and failover clusters at Citrix Docs for more information.
  • Do not enable two-way DFS Replication for the roaming profile shares. But you can do One-way DFS replication. See Scenario 2 – Multiple folder targets and replication at Citrix Docs for more information.
  • Edit each user in Active Directory with a location (l) attribute that matches the DFS folder name.
  • Set the Profile Management user store path to \\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!. This pulls the user’s l attribute from Active Directory and appends that to the DFS share. The folder that matches the attribute value is linked to a file server. For example, if the user’s l attribute is set to Omaha, then the user’s profile will be located at \\corp.local\CtxProfiles\Omaha\user01\Win2016v6. The Omaha folder is linked to a file server in the Omaha datacenter.

Create User Store

This procedure could also be used to create a file share for redirected profile folders.

If you intend to place Citrix Profile Management roaming profiles in the user’s home directory, then there is no need to follow the procedure in this section. Only use this section if you are creating a new file share for storage of the Citrix roaming profiles.

Create and Share the Folder

  1. Make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it CtxProfiles or similar.

  3. Share the folder.
  4. Give Everyone (or some other group that contains all Citrix Users) Full Control (Read/Write). Click Share, and then click Done.
  5. Go to the Properties of the folder.
  6. On the Sharing tab, click Advanced Sharing.
  7. Click Caching.
  8. Select No files or programs. Click OK, and then click Close.

Folder (NTFS) Permissions

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry, and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

Access Based Enumeration

With this setting enabled, users can only see folders to which they have access:

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it. Or perform a refresh.
  3. Right-click the new share and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration.
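
The share, NTFS, and access-based enumeration steps above can also be scripted. The following is an added example, not part of the original article; the folder path `D:\CtxProfiles` and the share name `CtxProfiles` are assumptions. `Test-UserStoreShare` returns one line for every deviation from the steps above, plus any inherited permissions that need review.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Run on the file server.
# Assumptions: the folder path and share name below.
$Path      = 'D:\CtxProfiles'
$ShareName = 'CtxProfiles'

# Well-known SIDs, so nothing depends on localized account names.
$Everyone     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$CreatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$RuleType     = 'System.Security.AccessControl.FileSystemAccessRule'

function New-UserStoreShare {
    param([string]$Path, [string]$ShareName)

    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    # Share permission: Everyone Full Control. Caching: "No files or programs".
    # Access-based enumeration: users only see folders they can access.
    $everyoneName = $Everyone.Translate([System.Security.Principal.NTAccount]).Value
    New-SmbShare -Name $ShareName -Path $Path -FullAccess $everyoneName `
        -CachingMode None -FolderEnumerationMode AccessBased | Out-Null

    $acl = Get-Acl -Path $Path
    # Drop explicit Everyone entries, then re-add Everyone without Full Control
    # or Modify, applied to "This folder only" (no inheritance flags).
    $acl.PurgeAccessRules($Everyone)
    $acl.AddAccessRule((New-Object $RuleType -ArgumentList `
        $Everyone, 'ReadAndExecute, Write', 'None', 'None', 'Allow'))
    # CREATOR OWNER: Full Control of the subfolders and files a user creates.
    $acl.AddAccessRule((New-Object $RuleType -ArgumentList `
        $CreatorOwner, 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'))
    Set-Acl -Path $Path -AclObject $acl
}

function Test-UserStoreShare {
    param([string]$Path, [string]$ShareName)
    $findings = @()

    $share = Get-SmbShare -Name $ShareName
    if ("$($share.CachingMode)" -ne 'None') {
        $findings += "Share caching is '$($share.CachingMode)', expected None"
    }
    if ("$($share.FolderEnumerationMode)" -ne 'AccessBased') {
        $findings += 'Access-based enumeration is not enabled on the share'
    }

    # Read the ACL with identities returned as SIDs.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = @((Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType))
    $deleteBit = [System.Security.AccessControl.FileSystemRights]::Delete

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($sid -eq $Everyone.Value) {
            if ("$($ace.InheritanceFlags)" -ne 'None') {
                $findings += 'Everyone entry flows down to newly created profile folders'
            }
            # Modify and Full Control both include the Delete right.
            if ($ace.FileSystemRights -band $deleteBit) {
                $findings += 'Everyone still has Modify or Full Control'
            }
        }
        elseif ($ace.IsInherited -and "$($ace.InheritanceFlags)" -ne 'None' -and
                $sid -ne $CreatorOwner.Value) {
            # Not covered by the steps above: entries inherited from the parent
            # folder also reach the profile folders. Listed for review only.
            $findings += "Review inherited entry for $sid ($($ace.FileSystemRights))"
        }
    }

    $owner = $rules | Where-Object {
        $_.IdentityReference.Value -eq $CreatorOwner.Value -and
        "$($_.FileSystemRights)" -eq 'FullControl'
    }
    if (-not $owner) { $findings += 'CREATOR OWNER Full Control entry is missing' }

    $findings
}

New-UserStoreShare  -Path $Path -ShareName $ShareName
Test-UserStoreShare -Path $Path -ShareName $ShareName
```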

GPO ADMX Policy Template

  1. You can find the GPO ADMX templates on the main XenDesktop ISO in the \x64\ProfileManagement\ADM_Templates\en folder.
    • Or, they are included in the separate Profile Management download in the \Group Policy Templates\en folder.
  2. If Profile Management 7.16:
    1. Edit the ctxprofile7.16.0.admx file.
    2. Near line 648, find the text string.XenAppOptimizationEnable_Help and change it to string.XenAppOptimizationEnabled_Help. It’s missing a d.
  3. Copy the file ctxprofile7.18.0.admx (or ctxprofile7.15.2000.admx) to the clipboard.
  4. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  5. If you have an older version of the ctxprofile.admx file in either location, delete it. Note: replacing the .admx file does not affect your existing Profile Management configuration. The template only defines the available settings, not the actual settings.
  6. Go back to the Citrix Profile Management Group Policy Template files.
  7. Copy ctxprofile7.18.0.adml (or ctxprofile7.15.2000.adml) to the clipboard.

  8. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.
  9. If you have an older version of the ctxprofile.adml file in either location, delete it.
  10. Go up a folder, and then open the CitrixBase folder.
  11. In the CitrixBase folder, copy the file CitrixBase.admx to the clipboard.
  12. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  13. Go back to the Citrix Profile Management Group Policy Templates, and copy CitrixBase.adml to the clipboard.
  14. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.

Group Policy Settings

  1. Edit a GPO that applies to all machines (VDAs) that have the Profile Management service installed.
  2. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management.
    • Note: if you did not install the CitrixBase.admx file, then you can find Profile Management directly under the Administrative Templates node instead of under Citrix Components.
  3. In Profile Management 7.16, if you see an error about XenAppOptimizationEnable_Help, then you’ll need to edit the ctxprofile7.16.0.admx file.

    1. Go to your PolicyDefinitions folder and edit the ctxprofile7.16.0.admx file.
    2. Near line 648, find the text string.XenAppOptimizationEnable_Help, and change it to string.XenAppOptimizationEnabled_Help. It’s missing a d.
  4. Enable the setting Enable Profile management. Profile Management will not function until this setting is enabled.
  5. If desired, enable the setting Process logons of local administrators.
  6. Enable Path to user store.
  7. Specify the UNC path to the folder share. An example path = \\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!

    1. Profile Versions– Different OS versions have different profile versions. Each profile version only works on specific OS versions. For example, you cannot use a Windows 7 profile (v2) on Windows 10 1607 (v6). The variables in the path above ensure that every unique profile version is stored in a unique folder. If users connect to multiple operating system versions, then users will have multiple profiles.
      1. Windows 10 Profile Versions – Windows 10 has two different profile versions. Windows 10 build 1511 and older use v5 profiles. Windows 10 build 1607 and newer use v6 profiles. v5 and v6 profile versions are incompatible so they should be separated.
      2. Resolved variables – With the example user store path shown above, if the user logs into Windows 2012 R2 RDSH, the profile folder will be \\server\share\user01\Win2012R2v4. If the user logs into 64-bit Windows 10 build 1607, the profile folder will be \\server\share\user01\Win10RS1v6.
      3. Windows 10 v6 vs Windows 2016 v6 – Both Windows 10 (1607 and newer) and Windows Server 2016 use v6 profiles. Do you want to use the same profile for both platforms? If so, remove !CTX_OSNAME! from the Path. Note: Windows 10 supports Store apps while Windows 2016 does not. If you’re allowing Store apps, then it’s probably best to use different profiles for both OS platforms.
      4. Windows 2012 R2 warning: in older versions of Citrix Profile Management, !CTX_PROFILEVER! recognizes Windows 2012 R2 as v2, which isn’t correct. v2 is Windows Server 2008 R2, while Windows Server 2012 R2 is v4. The profile version bug was fixed in Profile Management 5.4 and newer. If you have existing Windows 2012 R2 profiles based on the !CTX_PROFILEVER! variable set to v2, then your profiles might stop working after upgrading to 5.4 or newer. See http://discussions.citrix.com/topic/374111-psa-upm-54-ctx-osname-server-2012-value-change/ for more details.
    2. Windows 10 and !CTX_OSNAME!: Profile Management on Windows 10 1607 sets !CTX_OSNAME! to Win10RS1. On Windows 10 1703, !CTX_OSNAME! is set to Win10RS2. On Windows 10 1709, !CTX_OSNAME! is set to Win10RS2 (a bug?). RS = Redstone (Microsoft codeword). If you use !CTX_OSNAME! in your profile store path, then Windows 10 1709, Windows 10 1703, and Windows 10 1607 will have separate profiles. The profiles from these OS versions are probably compatible so it might be OK to use the same profile across all three Windows 10 versions. Otherwise, with !CTX_OSNAME! in the path, whenever you upgrade the Windows 10 version (feature upgrade), users will lose their profile settings.
    3. Multiple Domains – If you have multiple domains, in the user profile store path, change #SAMAccountName# to %username%.%userdomain% (e.g. \\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!). That way you can have the same account name in multiple domains and each account will have a different profile.
    4. Hard Code Store Path – Instead of using variables, you can specify a hard coded path. However, the profile incompatibility restrictions listed above still apply. To avoid applying a single profile across multiple operating system versions, place VDAs with different OS versions in different OUs, and then use different Profile Management GPOs on those OUs to specify different Profile Management user store paths.
  8. Disable Active write back. This feature places additional load on the file server and is only needed if users log in to multiple machines concurrently and need mid-session changes to be saved. Note: if you don’t disable this, then it is enabled by default.
  9. On the left, go to the Advanced settings node.
  10. Enable the setting Process Internet cookie files on logoff.
  11. In 5.6 and newer, Customer Experience Improvement Program (CEIP) is enabled by default. It can be disabled here.
  12. See http://www.carlstalhood.com/delivery-controller-7-18-and-licensing/#ceip for additional places where CEIP is enabled.
  13. Profile Management 7.18 adds Enable search index roaming for Outlook.  💡
  14. Notes on Outlook OST and Search roaming:
    1. This feature is only supported on Windows 10 1709 and Windows Server 2016.
    2. Concurrent sessions on multiple machines are not supported.
    3. In the user’s profile location, a new folder called VHD is created.
    4. Inside the \VHD\Win2016 folder are two new thin provisioned .vhdx files – one for OST, one for Search.
    5. UPM grants Domain Computers Full Control of the VHDX files. Users must have Full Control to the Profile Share, and UPM Folder to be able to grant this permission. Modify permissions are not sufficient. (Source = Robert Steeghs The Citrix Profile management could not mount virtual disk)
    6. When the user logs into a Citrix session, the two VHDXs are mounted to %localappdata%\Microsoft\Outlook and %appdata%\Citrix\Search. This means that OST files and Search Indexes are stored in the VHDX instead of in the user’s profile.


    7. Only enable this feature for users with new Outlook profiles. If the user already has an .ost file, then you’ll see an error about missing .ost when Outlook is launched.
    8. The Search roaming feature is only supported with specific versions of Windows Search service. Event Log will tell you if your Windows patches are too new.
    9. VHDX files can only be mounted on one machine at a time. If you log in to two VDAs, and if both try to mount the same VHDX files, then you’ll see errors in Event Viewer.
    10. For a detailed explanation of how the per-user Search Index works, see CTX235347 Citrix Profile Management: VHDX-based Outlook cache and Outlook search index on a user basis.  💡
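
The Path to user store variables from step 7 above, and the #l# variant from the DFS Namespace section, can be checked before the GPO is rolled out. The following is an added example, not part of the original article: it expands each path template for a set of constructed sample logons and reports every folder that two different accounts, or two different profile versions, would end up sharing. The domain names CORP and LAB and the logon records are constructed; the variable names and resolved values are the ones shown in this article.

```powershell
# Added example (not from the original article). Logon records are constructed.
function Resolve-UserStorePath {
    param([string]$Template, [psobject]$Logon)

    # Tokens are matched exactly as they are written in this article.
    $values = @{
        '#SAMAccountName#' = $Logon.User
        '%username%'       = $Logon.User
        '%userdomain%'     = $Logon.Domain
        '#l#'              = $Logon.Location      # AD location (l) attribute
        '!CTX_OSNAME!'     = $Logon.OSName
        '!CTX_PROFILEVER!' = $Logon.ProfileVer
    }
    $path = $Template
    foreach ($token in $values.Keys) {
        $path = $path.Replace($token, [string]$values[$token])
    }
    # Anything still wrapped in # ! or % is a variable this example has no value for.
    if ($path -match '#[^#\\]+#|![^!\\]+!|%[^%\\]+%') {
        throw "Unresolved variable $($Matches[0]) in '$Template'"
    }
    $path
}

function Find-SharedProfileFolder {
    param([string]$Template, [psobject[]]$Logons)

    $Logons |
        Group-Object -Property { Resolve-UserStorePath -Template $Template -Logon $_ } |
        ForEach-Object {
            $group    = $_
            $accounts = @($group.Group | ForEach-Object { "$($_.Domain)\$($_.User)" } | Sort-Object -Unique)
            $versions = @($group.Group | ForEach-Object { $_.ProfileVer } | Sort-Object -Unique)
            # Same account with the same profile version on two OS names is an
            # intended share (Windows 10 v6 with Windows 2016 v6), so not reported.
            if ($accounts.Count -gt 1 -or $versions.Count -gt 1) {
                [pscustomobject]@{
                    Folder   = $group.Name
                    Accounts = $accounts -join ', '
                    Versions = $versions -join ', '
                }
            }
        }
}

# Constructed sample logons: one account name that exists in two domains,
# logging on to three OS platforms.
$logons = @(
    [pscustomobject]@{ User='user01'; Domain='CORP'; Location='Omaha'; OSName='Win2012R2'; ProfileVer='v4' }
    [pscustomobject]@{ User='user01'; Domain='CORP'; Location='Omaha'; OSName='Win10RS1';  ProfileVer='v6' }
    [pscustomobject]@{ User='user01'; Domain='CORP'; Location='Omaha'; OSName='Win2016';   ProfileVer='v6' }
    [pscustomobject]@{ User='user01'; Domain='LAB';  Location='Omaha'; OSName='Win2016';   ProfileVer='v6' }
)

$templates = @(
    '\\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!'
    '\\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!'
    '\\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!'
    '\\server\share\%username%.%userdomain%\!CTX_PROFILEVER!'
    '\\server\share\%username%.%userdomain%'      # hard-coded style, no version variable
)

foreach ($template in $templates) {
    "Template: $template"
    $shared = @(Find-SharedProfileFolder -Template $template -Logons $logons)
    if ($shared.Count -gt 0) {
        $shared | Format-Table -AutoSize | Out-String
    }
    else {
        '  No folder is shared across accounts or profile versions.'
    }
}
```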

Exclusions, Synchronization, and Mirroring – 5.5 and newer

The Exclusions process in 5.5 and newer is dramatically simplified. If you haven’t yet deployed 5.5 or newer, and its corresponding ADMX file, then skip to the older Exclusions process.

  1. Under the File system node in the Group Policy Editor, enable the setting Enable Default Exclusion List – directories.
  2. You can use checkboxes to not exclude some folders.
  3. Then edit Exclusion list – directories.
  4. Enable the setting, and click Show.

  5. Add the following to the list. This is the new path for Temporary Internet Files in Windows 8 and later.
    AppData\Local\Microsoft\Windows\INetCache
    AppData\Local\Microsoft\Internet Explorer\DOMStore
    • Note: if you see errors in Office programs (e.g. “Word could not create the work file”), then you might have to use Group Policy Preferences to recreate %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache at logon. Source = Olav Lillebo Errors when starting published Microsoft Office applications.
  6. If running Office 365 with Shared Computer Activation, then you might need to exclude !ctx_localappdata!\Microsoft\Office\15.0\Licensing and/or !ctx_localappdata!\Microsoft\Office\16.0\Licensing. Ideally you should have ADFS integration so users can seamlessly re-activate Office at every launch.
  7. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  8. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of exclusions for IE in Enterprise Mode.
    appdata\local\microsoft\internet explorer\emieuserlist
    appdata\local\microsoft\internet explorer\emiesitelist
    appdata\local\microsoft\internet explorer\emiebrowsermodelist
  9. Then click OK twice to return to the Group Policy Editor.
  10. You might need to exclude usrclass.dat* from roaming. Some articles say exclude it, others say include it (for file type association). The UPMPolicyDefaults_all.ini file has it listed as an exclusion.
    1. Instead of roaming usrclass.dat, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
    2. Edit the setting Exclusion list – files.
    3. Enable the setting, and click Show.
    4. Add the following. Then click OK twice.
      !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*
      

  11. Clean up excluded folders – If you add to the exclusions list after profiles have already been created, Profile Management 5.8 has a feature that can delete the excluded folders at next logon. See To enable logon exclusion check at Citrix Docs. In Profile Management 7.15 and newer, Logon Exclusion Check is configurable in group policy under the File System node.

    1. In Profile Management 5.8, Logon Exclusion Check is only configurable in the .ini file.
    2. Also see Muralidhar Maram’s post at Citrix Discussions for a tool that will clean up the existing profiles.
    3. Also see Jeremy Sprite Clean Citrix UPM Profiles.

Directories to Synchronize

  1. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  2. Edit the setting Directories to synchronize.
  3. Enable the setting, and click Show.
  4. Profile Management 7.16 Fixed Issues says that AppData\Local\Microsoft\Windows\Caches should be synchronized. Also see CTX234144 Start Menu Shows Blank Icons on VDA 7.15 LTSR CU1/7.16/7.17 with UPM Enabled.
  5. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
    AppData\Local\Microsoft\Windows\Caches
    AppData\Local\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Crypto
    Appdata\Roaming\Microsoft\Protect
    Appdata\Roaming\Microsoft\SystemCertificates

  6. Start Menu and File Type Associations:
    1. If Windows 10 1703 or newer, see James Rankin Roaming profiles and Start Tiles (TileDataLayer) in the Windows 10 1703 Creators Update for information on the new location for Tile data. Citrix Profile Management 5.8 and newer should handle this automatically.
    2. See David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
    3. To roam Start Menu and/or File Type Associations in Windows 10 or Windows Server 2016, see CTX214754 Error “An app default was reset” after signout and Logon in Citrix UPM for info on why this is difficult.
    4. Instead of roaming usrclass.dat, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
    5. Daniel Feller at Sync the Windows 10 Start Menu in VDI says that configuring SettlementPeriodBeforeAutoShutdown might improve reliability of Start Menu roaming, assuming users log out of the virtual desktop instead of rebooting the virtual desktop. On a Delivery Controller, open PowerShell, and run the following:
      asnp citrix.*
      Set-BrokerDesktopGroup -Name "NAME_OF_DESKTOP_GROUP" -SettlementPeriodBeforeAutoShutdown 00:00:15
    6. With VDA 7.15 Update 1, the icons on the Start Menu of Windows 2012 R2 and Windows 2016 are sometimes blank.

  7. Click OK twice.

Files to Synchronize

  1. Edit Files to synchronize

  2. Enable the setting, and click Show

  3. Add the following three entries so Java settings are saved to the roaming profile:
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
    
  4. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  5. Then click OK twice to return to the Group Policy Editor.

Folders to mirror

  1. In the Synchronization node, enable the setting Folders to mirror.
  2. Enable the setting, and click Show.

  3. Add the following, and click OK.
    AppData\Roaming\Microsoft\Windows\Cookies
    AppData\Local\Microsoft\Windows\INetCookies
    AppData\Local\Microsoft\Windows\WebCache
    AppData\Local\TileDataLayer
    AppData\Local\Microsoft\Vault
    

  4. For Windows 10 1709 and newer, you might have to add Outlook Signatures and Chrome to the Folders to Mirror setting. Leave these folders in Folders to Synchronize, but also add them to Folders to Mirror. (source = Citrix Discussions)  💡
    AppData\Roaming\Microsoft\Signatures
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  5. According to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Configuration > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.

Registry Exclusions

  1. On the left, under Profile Management, click Registry.
  2. On the right, open Enable Default Exclusion List.
  3. Enable the setting. You can use the checkboxes to control which registry keys you don’t want to exclude.
  4. According to Citrix CTX221380 Occasionally, File Type Association (FTA) Fails to Roam with Profile Management 5.7 on Windows 10 and Windows Server 2016, Software\Microsoft\Speech_OneCore should be unchecked. Click OK.
  5. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of registry exclusions for IE in Enterprise Mode.
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieUserList
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieSiteList
  6. In 5.5 and newer is the NTUSER.DAT backup setting, which is disabled by default. You can enable it to provide some resiliency against profile corruption.
  7. Skip to the Log Settings section.

Exclusions – 5.4.1 and older

This section is for UPM 5.4.1 and older. For 5.5, scroll up to Exclusions – 5.5 and newer. Or if you’ve already configured the exclusions, then skip to the Log Settings section.

The UPMPolicyDefaults.ini file includes a default list of exclusions. If you intend to add to the default list, you must first copy the exclusions from the .ini file to the GPO. Then you can add exclusions to your GPO.

Note: this file was updated for Profile Management 5.4 and Windows 10 so if you are upgrading make sure you copy the new exclusions to the GPO. For example, !ctx_localappdata!\TileDataLayer seems to have been added in 5.4.

  1. Browse to a VDA, go to C:\Program Files\Citrix\User Profile Manager and open the file UPMPolicyDefaults_all.ini using Notepad.
  2. Under the File system node in the Group Policy Editor you can configure which profile folders should be excluded from synchronization. Edit Exclusion list – directories.
  3. Enable the setting and click Show

  4. In the .ini file, scroll down to the SyncExclusionListDir section. Copy each of these lines to the GPO. Do not include the equals sign on the end.
  5. Add the following to the list. This is the new path for Temporary Internet Files in Windows 8 and later.
    AppData\Local\Microsoft\Windows\INetCache
  6. If running Office 365 with Shared Computer Activation, then you might need to exclude !ctx_localappdata!\Microsoft\Office\15.0\Licensing and/or !ctx_localappdata!\Microsoft\Office\16.0\Licensing. Ideally you should have ADFS integration so users can seamlessly re-activate Office at every launch.
  7. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  8. Then click OK twice to return to the Group Policy Editor.
  9. To roam Start Menu and/or File Type Associations in Windows 10/2016, see CTX214754 Error “An app default was reset” after signout and Logon in Citrix UPM for details on the difficulty of roaming FTAs. Instead of roaming usrclass.dat, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
  10. You might need to exclude usrclass.dat* as detailed at Known Issue for Profile Management 5.4.
    1. Edit the setting Exclusion list – files.
    2. Enable the setting and click Show.
    3. Add the following. Then click OK twice. This is detailed as a Known Issue for Profile Management 5.4.
      !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*
      

  11. Note: If you add to the exclusions list after profiles have already been created, then see Muralidhar Maram’s post at discussions.citrix.com for a tool that will clean up the existing profiles. Also see Jeremy Sprite Clean Citrix UPM Profiles.
  12. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  13. Edit the setting Directories to synchronize.
  14. Enable the setting and click Show.
  15. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
    AppData\Local\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Crypto
    Appdata\Roaming\Microsoft\Protect
    Appdata\Roaming\Microsoft\SystemCertificates

  16. Also see David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
  17. Click OK twice.
  18. Edit Files to synchronize

  19. Enable the setting and click Show

  20. Add the following three entries so Java settings are saved to the roaming profile:
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
    
  21. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  22. Then click OK twice to return to the Group Policy Editor.
  23. To enable handling of Cookies, in the Synchronization node, enable the setting Folders to mirror.
  24. Enable the setting and click Show.
  25. Add the following and click OK

    AppData\Roaming\Microsoft\Windows\Cookies
    AppData\Local\Microsoft\Windows\INetCookies
    AppData\Local\Microsoft\Windows\WebCache
    AppData\Local\Microsoft\Vault

  26. Note: according to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Config > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.
  27. On the left, under Profile Management, click Registry.
  28. On the right, open Exclusion List.
  29. Enable the setting and then click Show.
  30. Back in the UPMPolicyDefaults.ini file, look for the ExclusionListRegistry section. Copy the two items from there without the equals sign to the GPO setting.
  31. Click OK twice.
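
The include and exclude lists built in steps 15 to 30 interact, so it helps to lint them before pasting them into the GPO. The PowerShell below is an added example, not from the original article or from Citrix: it flags an entry that is both excluded and synchronized, notes entries that sit beneath an excluded folder (for example step 20's Java files when AppData\LocalLow is excluded), and applies step 15's rule for the credential folders. The function names and sample lists are constructed, and it assumes !ctx_localappdata! and !ctx_roamingappdata! stand for AppData\Local and AppData\Roaming and that an include beneath an excluded folder is intentional.

```powershell
# Added example: lint Profile Management include/exclude lists (hypothetical helper names).

function ConvertTo-UpmPath {
    param([Parameter(Mandatory)][string]$Path)
    $p = $Path.Trim().TrimEnd('\')
    # Assumption: the two !ctx_...! tokens used on this page map to these
    # profile-relative folders (Windows Vista and later profile layout).
    $p = $p -replace '^!ctx_localappdata!', 'AppData\Local'
    $p = $p -replace '^!ctx_roamingappdata!', 'AppData\Roaming'
    $p.ToLowerInvariant()
}

function New-UpmFinding {
    param([string]$Severity, [string]$Setting, [string]$Entry, [string]$Finding)
    [pscustomobject]@{ Severity = $Severity; Setting = $Setting; Entry = $Entry; Finding = $Finding }
}

function Test-UpmSyncList {
    param(
        [string[]]$ExcludedDirectories = @(),
        [string[]]$DirectoriesToSync   = @(),
        [string[]]$FilesToSync         = @(),
        [string[]]$FoldersToMirror     = @(),
        # Set when Microsoft Credentials Roaming is used (see CTX124948 in step 15).
        [switch]$CredentialRoamingEnabled
    )

    # The five folders listed in step 15.
    $credentialFolders = @(
        'AppData\Local\Microsoft\Credentials'
        'AppData\Roaming\Microsoft\Credentials'
        'AppData\Roaming\Microsoft\Crypto'
        'AppData\Roaming\Microsoft\Protect'
        'AppData\Roaming\Microsoft\SystemCertificates'
    )

    $excluded = @($ExcludedDirectories | ForEach-Object { ConvertTo-UpmPath $_ })
    $synced   = @($DirectoriesToSync   | ForEach-Object { ConvertTo-UpmPath $_ })

    $included = [ordered]@{
        'Directories to synchronize' = $DirectoriesToSync
        'Files to synchronize'       = $FilesToSync
        'Folders to mirror'          = $FoldersToMirror
    }

    foreach ($setting in $included.Keys) {
        foreach ($entry in $included[$setting]) {
            $n = ConvertTo-UpmPath $entry
            # Excluded folders that are a parent of this entry.
            $parents = @($excluded | Where-Object {
                $n.StartsWith("$_\", [System.StringComparison]::Ordinal)
            })
            if ($excluded -contains $n) {
                New-UpmFinding 'Error' $setting $entry 'Also in the exclusion list; one of the two entries is wrong.'
            }
            elseif ($parents.Count -gt 0) {
                New-UpmFinding 'Info' $setting $entry 'Sits beneath an excluded folder; confirm this include is intended.'
            }
        }
    }

    foreach ($folder in $credentialFolders) {
        $n          = ConvertTo-UpmPath $folder
        $isSynced   = $synced -contains $n
        $isExcluded = $excluded -contains $n
        if ($CredentialRoamingEnabled) {
            if ($isSynced) {
                New-UpmFinding 'Error' 'Directories to synchronize' $folder 'Credentials Roaming is enabled; remove this entry (CTX124948).'
            }
            if (-not $isExcluded) {
                New-UpmFinding 'Warning' 'Exclusion list - directories' $folder 'Credentials Roaming is enabled; exclude this folder (CTX124948).'
            }
        }
        elseif (-not $isSynced) {
            New-UpmFinding 'Info' 'Directories to synchronize' $folder 'Not listed; step 15 adds it so IE saved passwords roam.'
        }
    }
}

# Constructed sample input, not taken from a real deployment.
$sample = @{
    ExcludedDirectories      = @('AppData\LocalLow', '!ctx_localappdata!\Microsoft\Windows\Caches')
    DirectoriesToSync        = @('AppData\Local\Microsoft\Windows\Caches', 'AppData\Roaming\Microsoft\Protect')
    FilesToSync              = @('AppData\LocalLow\Sun\Java\Deployment\deployment.properties')
    FoldersToMirror          = @('AppData\Roaming\Microsoft\Windows\Cookies')
    CredentialRoamingEnabled = $true
}
Test-UpmSyncList @sample | Format-Table -AutoSize -Wrap
```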

Log Settings

  1. In the Log Settings node, enable the Enable logging setting. This will make it easy to troubleshoot problems with Profile Management. The logfile is located in C:\Windows\System32\LogFiles\UserProfileManager.
  2. Edit the Log settings setting.
  3. Enable the setting and check the boxes next to Logon and Logoff. Click OK.
  4. If your VDA is a Provisioning Services Target Device and/or non-persistent, consider moving the log file to the local persistent disk (e.g. D:\Logs), or to a central share. If a central share, the VDA computer accounts (e.g. Domain Computers) will need Modify permission to the log file path. To change the log file path, edit the Path to log file setting.


  5. CTX123005 Citrix UPM Log Parser
  6. CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

Profile Streaming

  1. For shared persistent VDAs (e.g. RDSH), go to the Profile handling node under Profile Management.
  2. Enable the setting Delete locally cached profiles at logoff. Note: this might cause problems in Windows 10.

    Helge Klein has a tool to delete locally cached profiles on a session host. http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/. This tool should only be needed if profiles are not deleting properly.
  3. For Windows 10/2016 machines, CTX216097 Unable to Delete NTUSER.DAT* Files When a User Logs off recommends setting Delay before deleting cached profiles to 40 seconds.

  4. Enable the setting Migration of existing profiles, and set it to Local and Roaming. See Citrix CTX221564 UPM doesn’t migrate local user profile since version 5.4.1.

  5. Enable the setting Local profile conflict handling, and set it to Delete local profile. Note: this might cause problems on Windows 10.

  6. Under Profile Management > Streamed user profiles is Profile streaming. Enable this setting to speed up logons.
  7. Profile Management 7.16 introduces the XenApp Optimization feature, which uses Microsoft UE-V templates to define specific settings that should be saved and restored at logoff and logon. See George Spiers XenApp Optimization (new in CPM 7.16+) for details.

  8. After modifying the GPO, use Group Policy Management Console to update the VDAs.
  9. Or run gpupdate /force on the VDAs, or wait 90 minutes.

Mandatory Profile – Citrix Method

Profile Management 5.0 and newer has a mandatory profile feature. Alternatively, use the Microsoft method. Also see James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703).

  1. Create a file share (e.g. \\fs01\profile). Give Read permission to Users and Full Control to Administrators.
  2. Login to the VDA machine as a template account. Do any desired customizations. Logoff.
  3. Make sure you are viewing hidden files and system files.
  4. Copy C:\Users\%username% to your fileshare. Name the folder Mandatory or something like that. Citrix Profile Management does not need .v2 or .v4 or .v6 on the end.

    1. You can copy C:\Users\Default instead of copying a template user. If so, remove the Hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  5. Open the AppData folder and delete the Local and LocalLow folders.
  6. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file, and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  7. Open regedit.exe.
  8. Click HKEY_LOCAL_MACHINE to highlight it.
  9. Open the File menu and click Load Hive.
  10. Browse to the mandatory profile and open NTUSER.DAT. Note: Citrix Profile Management does not use NTUSER.MAN and instead the file must be NTUSER.DAT.
  11. Name it a or similar.
  12. Go to HKLM\a, right-click it, and click Permissions.
  13. Add Authenticated Users and give it Full Control. Click OK.
  14. With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ and http://appsensebigot.blogspot.ru/2014/10/create-windows-mandatory-profiles-in.html?m=1 for some suggestions.
  15. Citrix CTX212784 Slow User Logon When Using Mandatory Profiles – set HKCU\a\Software\Citrix\WFSHELL\SpecialFoldersIntialized (DWORD) = 1
  16. Highlight HKLM\a.
  17. Open the File menu, and click Unload Hive.
  18. Go back to the file share and delete the NTUSER.DAT log files.
  19. Create/Edit a GPO that applies to the VDAs. Make sure the Citrix Profile Management policy template is loaded.
  20. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Profile Management > Profile handling. Edit the setting Template profile.
  21. Enable the setting and enter the path to the Mandatory profile.
  22. Check all three boxes. Then click OK.
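
Steps 7 through 18 can be scripted. The PowerShell below is an added example, not part of the original article or a Citrix tool: it loads the copied NTUSER.DAT under HKLM\a, grants Authenticated Users Full Control, writes the CTX212784 value under the loaded hive, unloads the hive and deletes the NTUSER.DAT log files. The function name Set-MandatoryProfileHive and its parameters are hypothetical, and it assumes an elevated session with write access to the share.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical function name): scripted version of the regedit steps.

function Set-MandatoryProfileHive {
    [CmdletBinding()]
    param(
        # Folder that holds the copied profile, e.g. \\fs01\profile\Mandatory
        [Parameter(Mandatory)][string]$ProfilePath,
        # Temporary key name under HKLM; the steps above use "a"
        [string]$MountName = 'a'
    )
    $ErrorActionPreference = 'Stop'

    # Profile Management needs NTUSER.DAT, not NTUSER.MAN (step 10).
    $hiveFile = Join-Path -Path $ProfilePath -ChildPath 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $hiveFile -PathType Leaf)) {
        throw "NTUSER.DAT not found in '$ProfilePath'."
    }
    if (Test-Path -LiteralPath "Registry::HKEY_LOCAL_MACHINE\$MountName") {
        throw "HKLM\$MountName already exists. Pick another -MountName."
    }

    # Steps 9-11: File > Load Hive.
    & reg.exe load "HKLM\$MountName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)." }

    $root = $null
    $wfshell = $null
    try {
        $hklm = [Microsoft.Win32.Registry]::LocalMachine

        # Steps 12-13: add Authenticated Users with Full Control, inherited by subkeys.
        $root = $hklm.OpenSubKey(
            $MountName,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]'ReadKey, ChangePermissions')
        $acl = $root.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        # Well-known SID instead of the display name, so this also works on localized Windows.
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
            [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $sid,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        $root.SetAccessControl($acl)

        # Step 15 (CTX212784): value name spelled exactly as given in the step.
        $wfshell = $hklm.CreateSubKey("$MountName\Software\Citrix\WFSHELL")
        $wfshell.SetValue('SpecialFoldersIntialized', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    finally {
        # Close every handle first, otherwise the unload is refused.
        if ($wfshell) { $wfshell.Close() }
        if ($root)    { $root.Close() }
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()

        # Steps 16-17: File > Unload Hive.
        & reg.exe unload "HKLM\$MountName" | Out-Null
        $unloaded = ($LASTEXITCODE -eq 0)
        if (-not $unloaded) {
            Write-Warning "reg unload failed (exit code $LASTEXITCODE). Unload HKLM\$MountName manually."
        }
    }

    # Step 18: delete the NTUSER.DAT log files (hidden, so -Force is needed).
    if ($unloaded) {
        Get-ChildItem -LiteralPath $ProfilePath -Filter 'NTUSER.DAT.LOG*' -Force -File |
            Remove-Item -Force
    }
}

# Example call, using the share from step 1 and the folder name suggested in step 4:
# Set-MandatoryProfileHive -ProfilePath '\\fs01\profile\Mandatory'
```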

Redirected Profile Folders

  1. Make sure loopback processing is enabled on your VDAs.
  2. Edit a GPO that applies to all VDA users, including Administrators.
  3. Go to User Configuration\Policies\Windows Settings\Folder Redirection. Right-click Documents, and click Properties.
  4. In the Setting drop down, select Basic.
  5. In the Target folder location drop down, select Redirect to the user’s home directory.
  6. Switch to the Settings tab.
  7. On the Settings tab, uncheck the box next to Grant the user exclusive rights. Click OK. Note: Move the contents to the new location might cause issues in some deployments.
  8. Click Yes to acknowledge this message.
  9. Right-click Desktop and click Properties.
  10. Change the Setting drop-down to Basic.
  11. Change the Target folder location to Redirect to the following location.
  12. In the Root Path box, enter %HOMESHARE%%HOMEPATH%\Desktop. It is critical that this is a UNC path and not a mapped drive. Also, since we’re using home directory variables, all users must have home directories defined in Active Directory.
  13. Switch to the Settings tab.
  14. Uncheck the box next to Grant the user exclusive rights to Desktop and click OK.
  15. Click Yes when prompted that the target is not a UNC path. You get this error because of the variable. It doesn’t affect operations.
  16. Repeat for the following folders:
    • Documents = Redirect to the User’s Home Directory
    • Desktop = %HOMESHARE%%HOMEPATH%\Desktop
    • Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites
    • Downloads = %HOMESHARE%%HOMEPATH%\Downloads
  17. Redirect the following folders but set them to Follow the Documents folder.
    • Pictures
    • Music
    • Videos

Folders not redirected will be synchronized by Citrix Profile Management.

Verify Profile Management

  1. Once Profile Management is configured, login to a Virtual Delivery Agent and run gpupdate /force.
  2. Logoff and log back in.
  3. Go to C:\Windows\System32\LogFiles\UserProfileManager and open the pm.log file. Look in the log for logon and logoff events.

Profile Management Troubleshooting

UPM Troubleshooter

Citrix Blog Post – UPM Troubleshooter: UPM Troubleshooter is a Windows-based standalone application that examines a live Profile Management-enabled system in a single click. It shows the Profile Management configuration and information on the installed Citrix products, can collect and send logs, and includes a system utilities dashboard that makes analyzing an issue simpler and quicker. See the blog post for more details.

Profile Management Configuration Check Tool

UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines whether it is optimally configured. UPMConfigCheck is designed to verify that Profile management has been configured optimally for the environment in which it is being run, taking into account:

  • Hypervisor Detection – The presence or absence of supported hypervisors (for example, Citrix XenServer, VMware vSphere, or Microsoft Hyper-V)
  • Provisioning Detection – The presence or absence of a supported machine-provisioning solution (for example, Machine Creation Services or Provisioning Services)
  • XenApp or XenDesktop – Whether it is running in a XenApp or a XenDesktop environment
  • User Store – Determines that the expanded Path to User Store exists.
  • WinLogon Hooking Test – Verifies that Profile management is correctly hooked into WinLogon processing. This test is for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and requires the user running the Configuration Check Tool to have permission to access the relevant registry keys, or an error may be returned.
  • Verify Personal vDisk enabled / disabled – Whether the Personal vDisk feature of XenDesktop is enabled
  • Miscellaneous – Other factors that it is able to determine through registry or WMI queries, such as whether the computer running Profile management is a laptop

Profile Size

Sacha Thomet at Monitor you Profile directories has a script that displays the size of profiles in a profile share.

Log Parser

CTX123005 Citrix UPM Log Parser

View Log Files using Excel

CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

682 thoughts on “Citrix Profile Management 7.18”

  1. Hi Carl,

    We use your tutorial for building our new XenDesktop 7.15 LTS Environment with Windows 10 1709 (Fully patched).

    We use UPM for Profile Management. Everything works fine except Google Chrome Bookmarks sync.

    We tried different things but had no luck. The User Profiles are synching fine but upm does not sync Bookmarks.

    Folder to mirror, Files to synchronize. Nothing works.

    Do you know if there is a bug or something else within this Citrix Version?

      1. Yeah, I know. The Google Chrome Profile is syncing fine without Google account. Only the bookmarks are not syncing.

          1. I had the same problem on Win 10 – 1803 with VDA 7.15 CU2 and UPM 7.15.2001.

            The file AppData\Local\Google\Chrome\User Data\Default\bookmarks is just not roaming. Everything else is working fine.

            After adding AppData\Local\Google\Chrome\User Data\Default to mirror folder list it works.

  2. Hi Carl,
    When using a mandatory profile, the paths of the Shell Folders (HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders) are not updated with the UserName path, which causes errors in some applications.
    To correct this, you need to recreate these keys as type Reg_Expand_SZ with %Username% in the path.
    Here is a script that does the job:
    # Load the hive to modify as "Ipop"
    $RegKey = "HKU:\Ipop\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"

    $KeysToChange = @{
        '{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Libraries'
        '{374DE290-123F-4565-9164-39C4925E467B}'='C:\Users\%UserName%\Downloads'
        '{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}'='C:\Users\%UserName%\Saved Games'
        '{56784854-C6CB-462B-8169-88E350ACB882}'='C:\Users\%UserName%\Contacts'
        '{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}'='C:\Users\%UserName%\Searches'
        '{A520A1A4-1780-4FF6-BD18-167343C5AF16}'='C:\Users\%UserName%\AppData\LocalLow'
        '{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}'='C:\Users\%UserName%\Links'
        'Administrative Tools'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools'
        'AppData'='C:\Users\%UserName%\AppData\Roaming'
        'Cache'='C:\Users\%UserName%\AppData\Local\Microsoft\Windows\Temporary Internet Files'
        'CD Burning'='C:\Users\%UserName%\AppData\Local\Microsoft\Windows\Burn\Burn'
        'Cookies'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Cookies'
        'Desktop'='C:\Users\%UserName%\Desktop'
        'Favorites'='C:\Users\%UserName%\Favorites'
        'History'='C:\Users\%UserName%\AppData\Local\Microsoft\Windows\History'
        'Local AppData'='C:\Users\%UserName%\AppData\Local'
        'My Music'='C:\Users\%UserName%\Music'
        'My Pictures'='C:\Users\%UserName%\Pictures'
        'My Video'='C:\Users\%UserName%\Videos'
        'NetHood'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Network Shortcuts'
        'Personal'='C:\Users\%UserName%\Documents'
        'PrintHood'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts'
        'Programs'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs'
        'Recent'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Recent'
        'SendTo'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\SendTo'
        'Start Menu'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu'
        'Startup'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
        'Templates'='C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Templates'
    }

    # Create the registry provider drive for HKEY_USERS
    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | Out-Null

    # Open the loaded hive
    Try
    {
        If (Get-Item -Path $RegKey)
        {
            Write-Host "Debut modification des clés …"

            # Iterate over the values to change
            $KeysToChange.Keys | % {
                # Delete the existing value
                Remove-ItemProperty -Path $RegKey -Name $_

                # Recreate the value as REG_EXPAND_SZ
                New-ItemProperty -Path $RegKey -Name $_ -PropertyType "ExpandString" -Value $KeysToChange.$_ | Out-Null
            }
            Write-Host "Recréation de toutes les clés OK !"
        }
        Else {Write-Host "clé $RegKey introuvable"}
    }
    Catch {Write-Host "Erreur : " $_}

    # Remove the PSDrive
    Remove-PSDrive -Name HKU -PSProvider registry | Out-Null

    Write-Host "— Fin du script —"

  3. Carl can you suggest definitively what needs to be excluded/included to get outlook to work on server 2016 /7.15 CU2. User profiles are on a server and I have a policy that currently saves to Outlook folder outside the UPM but inside the user profile folder. I followed this: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/deployment-guide-office-365-for-xenapp-and-xendesktop.pdf

    However UPM keeps recreating my OST . When I turn UPM off and just apply the outlook policy that points OST to the network share, ost files are saved and reused.

    Do you have any ideas?

    1. How are you configuring your policies, are they separated? I am running a similar setting to yours with Folder Redirection. Try this GPO setting: Microsoft Outlook 2016/Miscellaneous/PST Settings and specify where you want it to be saved. I’d be using PST instead of OST.

  4. Hi Carl

    I have upgraded to 7.18 which has somehow broken UPM on the server I upgraded, roll back to 7.17 no issues

    Any ideas

  5. Hello, just one question, why Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites and not Favorites = %HOMESHARE%%HOMEPATH%\Favorites ? (folder redirection). Thanks for your website, it’s my bible.

  6. suggestion for the file exclusion list:
    use !ctx_localappdata!\Microsoft\Windows\UsrClass.dat{* instead (mind the bracket)

    this way the trashy regtrans-ms files are deleted while the file associations are preserved

  7. Hi Carl, I want to build a new site based on 7.15 ltsr on the same domain as the old 7.6 site, my question is can I use citrix profile management 7.15 with a 7.6 site? (7.6 delivery controllers, 7.6 xenapp servers), I need to update the xenapp servers with 7.15 profile management and also copy the new templates to my policy definitions folder, and redo the exclusions based on your guide for the 5.5 and newer recommendations?, also I can specify 2 different user path for each site so like 2 different domain OU and security groups to which the policies are applied to, so they don't interfere with each other even if they are on the same domain?

      1. Yeah I understand but I can upgrade to 7.6.500 from 7.6.300 if I don't have an ltsr contract? Also if vms are on different OU and I applied a computer policy with UPM 7.15 which is only linked to that OU and on another OU I do the same but with a different path it will work? Do I need to use dfs share? The OUs are on the same domain, is that UPM 7.15.100 from the 7.6.500 same as the one found on 7.15 xenapp LTSR installation

        1. If you are OK with different paths on different machines, then you can certainly link different GPOs to different machines.

          1. so in the end i could update my old 7.6.300 xenapp vda with profile management 7.15 template, put the template in the policy definitions folder , rename the win2012x64 folders in user profiles to win2012r2x64 and redo the exclusions according to 5.5 and above guide and i should be ok

          2. Sure. Or you can put the updated machines in a different OU and put a new GPO on that OU. The path in the profile store would need to be different if you want to start over.

  8. Any drawbacks to mirroring ‘AppData\Local\Packages’ for the purpose of roaming UWP app data? That path is excluded by default, and I can’t find a single source online where somebody covers mirroring it to allow UWP shortcuts to roam in Profile Manager. I was considering leaving the default Windows 10 Calculator UWP app installed in App Layering 4.11, since it’s now supported, but the UWP shortcut winds up disappearing after the first logon. You also can’t search for Calculator after that initial logon.

    1. I recently had to stop excluding that folder so Store Apps would roam.

      Another option is to write a login script that reinstalls the store apps on every logon.

  9. Hello,

    To reduce (or hopefully eliminate), we are looking at excluding everything and working with inclusions to ensure only the data we want to persist will enter the roaming profile.

    Reading through comments here and on Reddit, this appears to be something others have done.
    To avoid having to re-invent the wheel with regards to inclusion lists, is anyone aware of any comprehensive inclusion lists that cover the Windows operating system (7×64, 2012R2), MS Office applications?

    Thanks in advance

  10. Hello together,

    I installed a 7.15 LTSR farm and use Citrix Profile Management. When a user has already an old profile no settings (e.g. Favorites, Outlook profile) will be “migrated”. I can see the profiles in the new 7.15 userstore but nothing is migrated. I set “migration of existing profiles”. What can I do next?

    Thanks a lot!

    Norman

  11. Hi Carl, I am having issues with Startmenu Tiles not appearing on second login on windows servers 2016 with 7.16 UPM. here is the configuration I have set currently on Citrix UPM GPO.

    Citrix Components/Profile Management/File system
    Policy Setting Comment
    Enable
    Default Exclusion List – directories Enabled
    !ctx_internetcache! Enabled
    !ctx_localappdata!\Google\Chrome\User Data\Default\Cache Enabled
    !ctx_localappdata!\Google\Chrome\User Data\Default\Cached Theme Images Enabled
    !ctx_localappdata!\Google\Chrome\User Data\Default\JumpListIcons Enabled
    !ctx_localappdata!\Google\Chrome\User Data\Default\JumpListIconsOld Enabled
    !ctx_localappdata!\GroupPolicy Enabled
    !ctx_localappdata!\Microsoft\AppV Enabled
    !ctx_localappdata!\Microsoft\Messenger Enabled
    !ctx_localappdata!\Microsoft\Office\15.0\Lync\Tracing Enabled
    !ctx_localappdata!\Microsoft\OneNote Enabled
    !ctx_localappdata!\Microsoft\Outlook Enabled
    !ctx_localappdata!\Microsoft\Terminal Server Client Enabled
    !ctx_localappdata!\Microsoft\UEV Enabled
    !ctx_localappdata!\Microsoft\Windows Live Enabled
    !ctx_localappdata!\Microsoft\Windows Live Contacts Enabled
    !ctx_localappdata!\Microsoft\Windows\Application Shortcuts Enabled
    !ctx_localappdata!\Microsoft\Windows\Burn Enabled
    !ctx_localappdata!\Microsoft\Windows\CD Burning Enabled
    !ctx_localappdata!\Microsoft\Windows\Notifications Enabled
    !ctx_localappdata!\Packages Disabled
    !ctx_localappdata!\Sun Enabled
    !ctx_localappdata!\Windows Live Enabled
    !ctx_localsettings!\Temp Enabled
    !ctx_roamingappdata!\Microsoft\AppV\Client\Catalog Enabled
    !ctx_roamingappdata!\Sun\Java\Deployment\cache Enabled
    !ctx_roamingappdata!\Sun\Java\Deployment\log Enabled
    !ctx_roamingappdata!\Sun\Java\Deployment\tmp Enabled
    $Recycle.Bin Enabled
    AppData\LocalLow Enabled
    Tracing Enabled

    Policy Setting Comment
    Exclusion list – directories Enabled
    List of directories to exclude:
    AppData\Local\Microsoft\Windows\INetCache
    AppData\Local\Microsoft\Internet Explorer\DOMStore
    !ctx_localappdata!\Microsoft\Office\16.0\Licensing
    AppData\Local\Microsoft\Windows\Burn
    AppData\Local\Microsoft\Windows Live
    AppData\Local\Microsoft\Windows Live Contacts
    AppData\Local\Microsoft\Windows\Temporary Internet Files
    AppData\Local\Microsoft\Terminal Server Client
    AppData\Local\Microsoft\Messenger
    AppData\Local\Microsoft\OneNote
    AppData\Local\Microsoft\Outlook
    AppData\Roaming\Microsoft\AppV\Client\Calalog
    AppData\Local\Microsoft\AppV
    AppData\LocalLow
    AppData\Local\Temp
    AppData\Local\Sun
    AppData\Roaming\Sun\Java\Deployment\cache
    AppData\Roaming\Sun\Java\Deployment\log
    AppData\Roaming\Sun\Java\Deployment\tmp
    AppData\Local\Microsoft\Windows\webcache
    AppData\Local\Microsoft\Windows\webcache.old
    AppData\Local\Microsoft\Internet Explorer
    AppData\Local\Microsoft\Windows\PriCache
    AppData\Local\Microsoft\Windows\WER
    AppData\Local\Microsoft\OneDrive
    AppData\Local\Microsoft\PlayReady
    AppData\Local\Microsoft\windows\GameExplorer
    appdata\local\microsoft\internet explorer\emieuserlist
    appdata\local\microsoft\internet explorer\emiesitelist
    appdata\local\microsoft\internet explorer\emiebrowsermodelist
    AppData\Local\Windows Live
    AppData\Local\Google\Chrome\User Data\Default\Cache
    AppData\Local\Microsoft\Internet Explorer\Recovery
    AppData\Local\Microsoft\Windows Mail
    AppData\Local\Downloaded Installations
    AppData\Roaming\Microsoft\Templates\LiveContent
    AppData\Local\Microsoft\Windows\Themes
    AppData\Roaming\Microsoft\Internet Explorer\UserData
    AppData\Local\TileDataLayer\Database
    AppData\Local\Packages
    AppData\Local\Microsoft\Windows\Caches

    Policy Setting Comment
    Exclusion list – files Enabled
    List of files to exclude:
    !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*

    Policy Setting Comment
    Logon Exclusion Check Enabled
    If profile in the user store contains files or folders
    that have been excluded: Delete excluded files or folders

    Citrix Components/Profile Management/Registry
    Policy Setting Comment
    Enable Default Exclusion list Enabled
    Software\Microsoft\AppV\Client\Integration Enabled
    Software\Microsoft\AppV\Client\Publishing Enabled
    Software\Microsoft\Speech_OneCore Enabled

    I had to exclude AppData\Local\TileDataLayer\Database folder otherwise my start menu was not even opening. We do not have startmenu roaming but I have still tried to resetCache registry on logon but still no luck.

    Thanks

    Kind Regards
    Mayur

      1. HI Carl,

        Thanks for your prompt reply as always !!

        I have applied AppData\Local\Microsoft\Windows\Caches in exclusion list of directories and also Included in directory to sync but still no luck with tile issues. I am using windows servers 2016 1607 build. I have currently below settings

        I have also looked at https://4sysops.com/archives/roaming-profiles-and-start-tiles-tiledatalayer-in-the-windows-10-1703-creators-update/ article and applied mentioned folders to Mirror folder list.

        Here is my current GPO

        Citrix Components/Profile Management/File system
        Policy Setting Comment
        Enable Default Exclusion List – directories Enabled

        Policy Setting Comment
        Exclusion list – directories Enabled
        List of directories to exclude:
        AppData\Local\TileDataLayer\Database
        AppData\Local\Packages
        AppData\Roaming\Microsoft\Internet Explorer\UserData
        AppData\Local\Microsoft\Windows\INetCache
        AppData\Local\Microsoft\Internet Explorer\DOMStore
        AppData\Local\Microsoft\Windows\Burn
        AppData\Local\Microsoft\Windows Live
        AppData\Local\Microsoft\Windows Live Contacts
        AppData\Local\Microsoft\Windows\Temporary Internet Files
        AppData\Local\Microsoft\Terminal Server Client
        AppData\Local\Microsoft\Messenger
        AppData\Local\Microsoft\OneNote
        AppData\Local\Microsoft\Outlook
        AppData\Roaming\Microsoft\AppV\Client\Calalog
        AppData\Local\Microsoft\AppV
        AppData\LocalLow
        AppData\Local\Temp
        AppData\Local\Sun
        AppData\Local\Microsoft\Windows\webcache
        AppData\Local\Microsoft\Windows\webcache.old
        AppData\Local\Microsoft\Internet Explorer
        AppData\Local\Microsoft\Windows\PriCache
        AppData\Local\Microsoft\Windows\WER
        AppData\Local\Microsoft\OneDrive
        AppData\Local\Microsoft\PlayReady
        AppData\Local\Microsoft\windows\GameExplorer
        appdata\local\microsoft\internet explorer\emieuserlist
        appdata\local\microsoft\internet explorer\emiesitelist
        appdata\local\microsoft\internet explorer\emiebrowsermodelist
        AppData\Local\Windows Live
        AppData\Local\Google\Chrome\User Data\Default\Cache
        AppData\Local\Microsoft\Internet Explorer\Recovery
        AppData\Local\Microsoft\Windows Mail
        AppData\Local\Downloaded Installations
        AppData\Roaming\Microsoft\Templates\LiveContent
        AppData\Local\Microsoft\Windows\Caches

        Policy Setting Comment
        Exclusion list – files Enabled
        List of files to exclude:
        !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*

        Citrix Components/Profile Management/File system/Synchronization
        Policy Setting Comment
        Directories to synchronize Enabled
        List of directories to synchronize:
        AppData\Local\Microsoft\Windows\Caches

        Folders to mirror Enabled
        List of folders to mirror:
        AppData\Local\Microsoft\Windows\CloudStore
        AppData\Local\Microsoft\Windows\Explorer

        Citrix Components/Profile Management/Registry
        Policy Setting Comment
        Enable Default Exclusion list Enabled
        Software\Microsoft\AppV\Client\Integration Enabled
        Software\Microsoft\AppV\Client\Publishing Enabled
        Software\Microsoft\Speech_OneCore Disabled

        I have tried 4 times after first login and I had only once broken tiles on 3rd attempt showing 3 tiles out of 9 default.

        Thanks

        Kind Regards

        Mayur

  12. I am unable to use “Template profile” and “Path to user store” policy simultaneously. My objective is to create profile for users who are logging in for the 1st time from “template profile” and the same profile with changes should migrate to “Path to user store” when they log off.
    Next time onwards when user logs in, their profile should be used from “path to user store” instead of applying new template profile again.

  13. Hi Carl, thank you very much for your brilliant work! Question regarding a GPO problem…

    We have a provisioned VDI environment using Citrix XenServer 7.4 on several Dell Poweredge R740 systems including Nvidia Tesla P4 cards. That comes in combination with Citrix Profilemanagement 7.15 / WEM 4.06.0000 infrastructure servers with Netscaler load balancing. The version of our provisioning server is 7.15 and so are the Citrix Target Device Driver as well as the Citrix Virtual Desktop Agent.

    That combination works well!

    Unfortunately I had installed the Citrix VDA before I had installed the Nvidia Graphics driver and assigned the GPU resources. Therefore the VDA had been provided without the HDX 3 Pro options which leads to the Nvidia Graphics adapter not being applied in our Windows 10 client virtual machines.

    No problem, I thought. Opened the golden image in private mode, uninstalled and cleaned the VDA, reinstalled it (same version) with the HDX 3 Pro option which had been offered now, rebooted and have the Nvidia Graphics adapter shown when accessing the Windows 10 client via Storefront.

    But… From that point onwards I have an error ( 7320 Computer determined to be not in a site. Error code 0x77F ) loading the user group policies. And that, at the end, causes the Profilemanagement/WEM infrastructure not to provide the profile stores anymore, because the necessary GPO could not be loaded…

    We do not have any network or domain controller trouble.

    Is it so critical to reinstall the VDA to correct a VHD?

    Any ideas?

    Kind regards,
    Bernd

  14. Hello,

    Do you already know something about this?: When you log on a non persistent VM, some apps like Calculator are not loaded at logon. W10 1703 and 1709

    Cheers

  15. Hello,

    since 7.15 LTSR CU1/CU2 I see the following error in the UPM Logfile.

    “error updating perfmon logon/logoff counters failed”

    what does this error mean? The profile will not be loaded correctly (missing background, settings ..) and also on logoff the profile will not be deleted.

    This issue we don’t have without CU1/CU2. I already contacted Citrix support a few months ago and they said that this issue will be resolved with CU2. Unfortunately this is not the case and I am wondering why no other users have this problem. Maybe there is a special setting in the UPM profile manager that is missing in our configuration?

    Any help would be greatly appreciated,

    best regards,

  16. Hi Carl, I have environment which is running xenapp 7.6 sp3, I want to build a new site inside the same domain with 7.15, is it possible to load 2 different admx profile management files and settings into the same AD and use one for the old site and policies attached to that site OU and the new ones only for the new site separate ou I am building? I want to build separate site so I can test it properly before deploying it into production
    Files will be both located under policy definitions folder, can those admx files and settings work separately without interfering with each other?

    1. or I can only import one adm template and that is the 7.15 currently running with 5.2 admx template? And I have to redo all the settings and change the network path of the profile folders and I have no idea how 7.15 will work with 7.6.300 xenapp vms with folder redirection and roaming profiles… would like there to be a way to have the old site using 5.2 and its policies with old 5.2 admx template and the new one same domain but with new ou and its own policies if it's possible

  17. Hi Carl,

    I am not sure if mandatory profiles would help in that case.
    We have eg. two servers called server07/server08, Citrix installed and Citrix Receiver on some workstations.
    I have defined a so called “IE10 Settings GPO” user and computer based in GPO editor eg. to define some trusted sites in IE10 and to enable Active Scripting and Cookies for these trusted sites. ProfileManagement is enabled but no profile template file is defined
    GPO is applied as usual to authenticated users.

    So far so good… and when I log directly by RDP ( without Citrix in between ) to server07/server08 and use a tool like rsop.msc then I can also see that GPO apply perfectly to all needed users and I can see the browser settings are correct.

    BUT! Now when people access server07/server08 by Citrix Receiver and open their browser, none of the trusted sites are visible. It also does not make a difference if I do gpupdate /force, they have none of my GPO settings.

    That tells me that Citrix receiver uses any other profile where my GPO is not applied but I have no idea which profile Citrix is using?

    Strange is some users have then maybe my settings and some not and when I delete the ts profile from a user where it seems to work and he logs in again then again he does not see any of my IE settings.

    I don't get it. I want to be sure that new users and existing users get my IE-GPO settings no matter what, but I do not understand why it currently works for some and for some not, and for some it works with 1 or 2 days delay.

    I guess Citrix uses then any kind of local profile but no idea which one it uses.

    Do you have an idea what possibly is wrong? Do I need to define a mandatory profile in order to force these GPO settings no matter what and to be sure that all users have my predefined GPO IE10 settings? Right now I do not understand why some of my GPO settings hit the user directly and some others not and never.

    1. What OS version?

      Is IE ESC enabled? GPO settings apply to ESC or non-ESC. On older OS, I’ve seen users get the IEHarden registry key when they shouldn’t.

      Isn’t there a setting or registry or something that copies per-computer settings to per-user? Why not configure the settings in the user half of the GPO?

      1. Hi Carl, both servers have Windows 2012 OS installed. Citrix is also installed and we access the apps from any workstation by Citrix Receiver 4.11. On both servers Internet Explorer Enhanced Security Configuration (IE ESC) is and was DISABLED in Server Manager. I tried to define the IE settings as explained by GPO as a per-computer setting and tried it as a per-user setting. Citrix seems to ignore that and uses any profile where these IE settings do not get applied. Even when it sometimes works for some of my co-workers, and just for testing I delete their TS profile and do gpupdate /force again and they log on by Citrix, then it seems to have forgotten all IE settings. I thought there was a way to force new and existing users to have some special IE settings, but “per user” and/or per-computer GPO seems not to be the solution. It is actually only about having a couple of trusted pages predefined for IE and enabling Active Scripting and Cookies in the Trusted zone, but my GPO seems not to be the way to do that. I still think Profile Management maybe has a wrong setting or uses a default profile which does not know my GPO, and some users then get my settings and some not.

  18. If UPM is configured in a standalone VDA of Win10 and the version of Win10 is upgraded, will it affect my profiles? How to make the profile seamless across all platforms?

  19. Hey Carl, again kudos for your work.
    I have an issue in my folder redirection. I have the Documents GPO set to redirect everyone’s folder to the same location, path: %HOMESHARE%HOMEPATH%
    The share is populating many of the users in a folder named “Documents” instead of a folder with “username”. For example,
    “Share\user1\documents” would be expected. I am getting “share\documents” over and over, and the only way to tell whose folder it is, is to look at the security properties.
    My expectation was to see a Documents folder under each username.
    Thoughts?

    1. The issue is desktop.ini and you having administrator permissions. Google this and you’ll find many workarounds.

      1. Thanks Carl, yes I have been doing the permission-based workaround and am a bit nervous to change the document path to redirect everyone’s folder to the same location and use \\servername\%USERNAME%\Documents. Or would you suggest a different UNC?
        The permission method is a bit tiring.

  20. Hi Carl,

    First I want to thank you for all the knowledge you share with us.

    I’m having a problem deploying a profile template. I followed all the steps in your tutorial to create a mandatory profile (except for making it mandatory, I only need it to be the default profile) but I was unable to make it work. Checking the UPM log I see the following:

    2018-04-04;14:31:48.842;INFORMATION;CIXTEC;test3;4;6360;GetUserStorePath: Template Path: Path Out: \\profileserver\xd\perfiles.v4\plantilla.v4

    2018-04-04;14:31:49.623;ERROR;DOMAIN;test3;4;6360;RecurseRegistry: Opening the key failed with: Access denied.
    2018-04-04;14:31:49.623;ERROR;DOMAIN;test3;4;6360;CRegistryHive::ResetSecurity: Failed to reset security on registry hive .
    2018-04-04;14:31:49.623;ERROR;DOMAIN;test3;4;6360;CreateLocalProfileFromTemplate: Could not create a local profile from a template: Access denied.

    I’ve found this Citrix KB article https://support.citrix.com/article/CTX135766 which seems similar to the error I’m getting.

    My problem is that the solution presented in the article (update owner on a reg subkey) fails because I have no permissions to edit that subkey: “Can’t establish a new owner on ProtectedRoots. Access Denied”. Any idea about why I get that error in the first place, or what to do to be able to edit the owner of the file?

    Thx for your help

  21. Hi Carl,

    Thanks for all the info, Carl. Really respect your work here and knowledge sharing.

    Have a quick question though. Currently I have a profile redirection share hosted on a single file-server VM, and published to users via DFS. If this VM is down or rebooted for patches, Citrix clients will lose access to their roaming profiles and folder redirection.

    What do most folks typically do to make the profile shares highly available?

    Is DFS-R an option? Is that the best way to go, or do you know of other methods?

    Please help!

    1. You’re welcome to replicate, but the main requirement is that you must ensure there is no multi-master. The common option is to make sure the Namespace only points to one Target.

      Otherwise, you can backup and recover your file server VM using normal VM backup/recovery methods.

  22. Hello Carl,

    Huge fan of your work…I’m deploying 7.15 LTSR environment and I’ve been asked to deploy persistent desktops. I’ve looked at using App Layering User Layers for persistence but it looks like the feature is still in beta/labs. That really leaves me with one option which is to go with PvD which I know is deprecated on 7.17+. I’m using PVS for provisioning.

    What is the best way to configure UPM with PvD enabled? Do I need to set the regkey EnableUserProfileRedirection to “0” so the profile doesn’t redirect to P:\ and only stores on UPM? I’ve looked at the following articles but it's a bit confusing.

    https://www.citrix.com/blogs/2012/05/21/beware-the-5050-split-with-pvd/

    https://www.citrix.com/blogs/2012/11/30/to-cache-or-not-to-cache-that-is-the-question/

    Your insights would be greatly appreciated.

    Thanks!

    1. I believe that’s correct. But most people that have tried PvD have given up due to issues. And it won’t even install on Windows 10 1709.

      How do you manage your physical PCs? Can you use the same method to manage persistent virtual desktops?

  23. Hi Guys!
    Have an issue with some User Group Policy Registry settings not applying when a user logs in to the Citrix server.
    It’s almost like the User Profile ntuser file is overwriting the GPO settings from the DC!
    Using UPM 7.15 on the Citrix server, and it works perfectly, except for this odd issue.
    Am I missing something here in regards to UPM vs GPO settings?

  24. Carl,

    We recently upgraded from Windows 10 1607 to Windows 10 1703 and for some reason UPM (version 7.15.1) stops retaining Internet Explorer 11 user data and IE Download Manager is also not working. When users download a file they cannot open, save, or save as. Clicking on any of the options does not do anything. Trying to view downloads using CTRL+J does not work either. Have you seen anything like this, or do you have any advice? There is nothing in the event or UPM log. I’ve already opened a support ticket with both Microsoft and Citrix with no luck so far.

    Environment:

    Windows 10 1703 created with Citrix App Layering
    Citrix App Layering v4.9
    7.15.1 VDAs
    Citrix PVS 7.15.1

  25. Hi Carl,

    We are running CPM 4.1.1.5 with XenApp 6.5, and now we plan to upgrade to 5.8. How can I upgrade as smoothly as possible?

    Cheers
    Nico

    1. Just update the service. The old GPO settings should still apply. The one exception is Active Write Back, which is enabled by default in newer versions.

      You can then update the .admx files at your leisure and configure the newer settings.

  26. You can ignore my previous post. We found an issue and we were able to resolve it. Roaming the license token folder per that MS article was simply masking the break because the roamed token didn't force MS to reauthenticate.

  27. Carl. First thanks for all your help.

    We started having an issue in our non-persistent VDI environment with Office 365 that only occurred in updated versions of Office. Opening a case with MS didn’t get us very far, and we are using Ivanti’s UEM (formerly AppSense Environment Manager) for user personalization.

    We kept getting activation errors.

    I came across an MS article here stating that they changed some things with Office 365 1704 and forward and they suggest you roam or offload the shared token.

    https://docs.microsoft.com/en-us/deployoffice/overview-of-shared-computer-activation-for-office-365-proplus

    Licensing token roaming: Starting with Version 1704 of Office 365 ProPlus, you can configure the licensing token to roam with the user’s profile or be located on a shared folder on the network. Previously, the licensing token was always saved to a specific folder on the local computer and was associated with that specific computer. In those cases, if the user signed in to a different computer, the user would be prompted to activate Office on that computer in order to get a new licensing token. The ability to roam the licensing token is especially helpful for non-persistent VDI scenarios.

    I added this folder to AppSense Personalization as a Windows Settings group to occur at logon\logoff and locked it to our VDI environment. Everything is now working again without issues.

    Hope this helps anyone having a similar issue.

    Rick

  28. Just after some advice please. Also love the guide by the way, it was just what I needed. Would you say redirecting the AppData Roaming folder is a good choice? Also, does it cause any performance issues if it is redirected? Also, any advice on how to manage the Windows Web Cache?

    1. I usually avoid redirecting AppData. I’ve experienced performance problems in the past.

      Where do you see that AppData Roaming is a “good choice”?

      1. I was wondering if it was redirected, would it have an impact on improving login times, one of our issues at the moment is slow login times.

  29. When creating a mandatory profile, newly created profiles will fail to copy to the network drive if AppData\Local is not there, since Office saves the activation token to that directory by default.

  30. Hello,

    I am a hardcore fan of your blogs/posts.

    Getting the below error when configuring a UPM profile in 7:15. Can you please share your suggestion?

    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;ImpersonateClientStart: Successfully impersonated a client.
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;CheckUserExistsInGroup: No Entries Found In ExcludedGroups
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;CheckUserExistsInGroup: No Entries Found In ProcessedGroups
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;CheckIfUserNeedsToBeProcessed: Logon/logoff will be processed.
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;GetUserStorePath: User Store: Path In: \\Server1\CtxProfileStr$\%username%
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;CADUser::Init: Determined user and DNS domain name: ,
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;GetUserStorePath: User Store: Path Out: \\Server1\ctxprofilestr$\user1
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;ImpersonateClientStop: Successfully stopped client impersonation.
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;SessionCount::RealTimeCount – User: user1, Domain: Domain, Session Count: 0.
    2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;ImpersonateClientStart: Successfully impersonated a client.
    2018-02-10;09:01:20.836;INFORMATION;Domain;user1;5;1768;NTUSER.DAT not found in userstore, try to load NTUSER.DAT.LASTGOODLOAD.
    2018-02-10;09:01:20.836;ERROR;Domain;user1;5;1768;UpmUserStore::UpdateNtuserDatWithLastGoodLoad: There is no NTUSER.DAT.LASTGOODLOAD in the path:\\Server1\ctxprofilestr$\user1\UPM_Profile\NTUSER.DAT.LASTGOODLOAD 0x2. The system cannot find the file specified.
    2018-02-10;09:01:20.836;INFORMATION;Domain;user1;5;1768;ImpersonateClientStop: Successfully stopped client impersonation.
    2018-02-10;09:01:20.836;INFORMATION;Domain;user1;5;1768;QueryLocalProfile: Profile directory read from registry: c:\users\user1
    2018-02-10;09:01:20.836;INFORMATION;Domain;user1;5;1768;QueryLocalProfile: Local profile is a UPM profile.
    2018-02-10;09:01:20.836;INFORMATION;Domain;user1;5;1768;User store not found : The system cannot find the path specified.
    2018-02-10;09:01:20.836;ERROR;Domain;user1;5;1768;ProcessLogon: A local UPM profile has been found but the corresponding profile can not be found in the userstore. Switching to a temporary profile.
    2018-02-10;09:01:20.852;INFORMATION;Domain;user1;5;1768;CreateLocalProfile: Profile directory initialized: .
    2018-02-10;09:01:20.852;INFORMATION;Domain;user1;5;1768;ImpersonateClientStart: Successfully impersonated a client.
    2018-02-10;09:01:21.524;INFORMATION;Domain;user1;5;1768;ImpersonateClientStop: Successfully stopped client impersonation.
    2018-02-10;09:01:21.524;INFORMATION;Domain;user1;5;1768;SetFileAttributesAPIWrapper: Set attributes on .
    2018-02-10;09:01:21.524;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.524;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;IsFSPathExcluded: Excluding file/directory because it is excluded by configuration (default/policy settings).
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateDirectoryAPIWrapper: Created the directory:
    2018-02-10;09:01:21.539;ERROR;Domain;user1;5;1768;GetFileAttributesAPIWrapper: GetFileAttributes of failed with: The system cannot find the file specified.
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.539;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateDirectoryAPIWrapper: Created the directory:
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.555;INFORMATION;Domain;user1;5;1768;CreateJunctionPoint: Created a junction from to .
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
    2018-02-10;09:01:21.758;ERROR;Domain;user1;5;1768;RecurseRegistry: Opening the key failed with: Access is denied.
    2018-02-10;09:01:21.758;ERROR;Domain;user1;5;1768;CRegistryHive::ResetSecurity: Failed to reset security on registry hive .
    2018-02-10;09:01:21.758;ERROR;Domain;user1;5;1768;CreateLocalProfileFromTemplate: Could not create a local profile from a template: Access is denied.
    2018-02-10;09:01:21.789;INFORMATION;Domain;user1;5;1768;CRegistryHive::Unload: Unloaded registry hive .
    2018-02-10;09:01:21.805;INFORMATION;Domain;user1;5;1768;CRegistryHive::Load: RegLoadKey of to succeeded.
    2018-02-10;09:01:21.883;INFORMATION;Domain;user1;5;1768;CRegistryHive::Unload: Unloaded registry hive .
    2018-02-10;09:01:21.883;INFORMATION;Domain;user1;5;1768;DispatchLogonLogoff: Updated Group Policy Extension history for
    2018-02-10;09:01:21.883;INFORMATION;Domain;user1;5;1768;DispatchLogonLogoff: ———- Finished logon processing successfully in [s]: .
    2018-02-10;09:46:09.167;INFORMATION;;;;2192;ReadINIValue: Read: =.
    2018-02-10;09:46:09.167;INFORMATION;;;;2192;PeriodicCEIPCheck, bSendCeip=0, bNotExceedMaxFailed=1, llLastSentTime=0
    2018-02-10;09:46:09.167;INFORMATION;;;;2192;PeriodicCEIPCheck, llInstallationDateInSes=1517064362, lCurrentTime=1518252369,iRandSeconds=6348
    2018-02-10;10:32:52.044;INFORMATION;;;;2184;RefreshPolicy: Got a Full Armour policy update.
    2018-02-10;10:32:52.044;INFORMATION;;;;2184;UpmEnvironmentDefaults::Refresh: Checking environment to set configuration defaults…
    2018-02-10;10:32:52.075;INFORMATION;;;;2184;UpmEnvironmentDefaults::Refresh: Detected environment: Personal Vdisk: FALSE, Running on XenDesktop: TRUE, Assigned: FALSE, Is VM: TRUE, OS changes persist: TRUE
    2018-02-10;10:32:52.075;INFORMATION;;;;2184;ReadPolicy: Configuration value PathToLogFile set neither in policy nor in INI file. Defaulting to:

    1. Login to the machine as a different user. In Control Panel, find Profiles. Delete your local profile. Then login again.

          1. In order to have that, what all do I need to check in my environment or in my UPM configuration?

          2. In order to have that ntuser.dat file, what should I be aware of in the UPM 7:15 configuration?
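The log excerpts in comments 20 and 30 use the same semicolon-delimited record layout and show the same error sequence. The triage script below is an added example, not part of any comment and not Citrix code; the field names are inferred from the quoted lines, and the sample log and the finding labels are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: lines shaped like the excerpts quoted in comments 20 and 30.
SAMPLE_LOG = r"""
2018-02-10;09:01:20.821;INFORMATION;Domain;user1;5;1768;GetUserStorePath: User Store: Path Out: \\Server1\ctxprofilestr$\user1
2018-02-10;09:01:20.836;ERROR;Domain;user1;5;1768;ProcessLogon: A local UPM profile has been found but the corresponding profile can not be found in the userstore. Switching to a temporary profile.
2018-02-10;09:01:21.743;INFORMATION;Domain;user1;5;1768;CRegistryHive::SetSecurityInfo failed with ERROR_ACCESS_DENIED ignoring it.
2018-02-10;09:01:21.758;ERROR;Domain;user1;5;1768;RecurseRegistry: Opening the key failed with: Access is denied.
2018-02-10;09:01:21.758;ERROR;Domain;user1;5;1768;CRegistryHive::ResetSecurity: Failed to reset security on registry hive .
2018-02-10;09:01:21.758;ERROR;Domain;user1;5;1768;CreateLocalProfileFromTemplate: Could not create a local profile from a template: Access is denied.
2018-02-10;09:01:21.883;INFORMATION;Domain;user1;5;1768;DispatchLogonLogoff: Finished logon processing successfully in [s]: .
2018-02-10;09:46:09.167;INFORMATION;;;;2192;ReadINIValue: Read: =.
2018-02-10;09:50:00.000;INFORMATION;Domain;user2;7;1900;DispatchLogonLogoff: Finished logon processing successfully in [s]: .
this line is not a UPM record
"""

# Hypothetical finding labels mapped to message patterns seen in those excerpts.
# "Access denied" (comment 20) and "Access is denied" (comment 30) both occur.
FINDINGS = {
    "temporary_profile": re.compile(r"Switching to a temporary profile"),
    "template_copy_denied": re.compile(
        r"^CreateLocalProfileFromTemplate: .*Access (is )?denied"),
    "hive_acl_reset_failed": re.compile(
        r"Failed to reset security on registry hive"),
}


@dataclass
class UpmEvent:
    when: datetime
    level: str
    domain: str
    user: str
    session: str   # inferred: the number that follows the user name
    thread: str    # inferred: the number that precedes the message
    message: str


def parse_line(line):
    """Return a UpmEvent, or None when the line is not a well-formed record."""
    parts = line.strip().split(";", 7)  # the message itself may contain ';'
    if len(parts) != 8:
        return None
    date, time, level, domain, user, session, thread, message = parts
    try:
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return None
    return UpmEvent(when, level, domain, user, session, thread, message.strip())


def triage(log_text):
    """Group records per (domain, user, session) and label the ERROR records.

    Returns (sessions, skipped), where skipped counts unparseable lines.
    """
    sessions = defaultdict(
        lambda: {"errors": [], "findings": set(), "reported_success": False})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1
            continue
        if not event.user:
            continue  # service-level record with no logon attached
        session = sessions[(event.domain, event.user, event.session)]
        if event.level == "ERROR":
            session["errors"].append(event)
            for label, pattern in FINDINGS.items():
                if pattern.search(event.message):
                    session["findings"].add(label)
        if "Finished logon processing successfully" in event.message:
            session["reported_success"] = True
    return dict(sessions), skipped


def contradictory_sessions(sessions):
    """Sessions that log a successful finish although ERROR records exist."""
    return sorted(key for key, s in sessions.items()
                  if s["reported_success"] and s["errors"])


if __name__ == "__main__":
    found, bad_lines = triage(SAMPLE_LOG)
    for key in contradictory_sessions(found):
        print(key, sorted(found[key]["findings"]))
    print("unparseable lines:", bad_lines)
```

As in the excerpt in comment 30, the final "Finished logon processing successfully" record is written even when the logon fell back to a temporary profile, so the ERROR records are what to alert on.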

  31. Your documentation is incredible as always, Carl. My “N” production farm is XenApp 6.5 on W2K8R2, and I’m currently running RDS profiles with content redirection to RDS home dirs.

    I’ve been trying to determine if CPM 7.16 supports XA65, but heretofore have no clear answer. Are you able to provide any insight here?

    Thanks, Carl!

    1. There is no dependency between UPM and XenApp. However, UPM only works on certain operating systems, of which Windows 2008 R2 is one of them. So, as long as UPM supports Windows 2008 R2, it doesn’t matter what XenApp version is running on top of it.

  32. Carl,
    I am having a few issues with desktop items not staying put when users move them around. OS is Windows 10. I have followed your guides on profile exclusions/inclusions. Running 7.15 LTSR. Any ideas?

    1. I’m having users complaining about the same problem. We’re using same version that you are using. It seems like a silly thing to complain about, but I would like to resolve it as well.

      1. Have you found a resolution to this? My users are experiencing the same issues with Server 2016 and XA/XD 7.16.

  33. Hi Carl, in simple terms, what are the risks when upgrading 7.7 to 7.16 when it comes to Profile Management? I had no issues following your awesome instructions for the Delivery Controllers etc. I just can’t seem to see any information on the internet regarding upgrading Profile Management (are there only risks upgrading between different versions, aka 2 to 5) or how to upgrade the AD Citrix plugin to enable the check the new policies (on Studio machines). Which order should this be done in?

    1. Assuming there are no bugs, then Profile Management should continue functioning normally after the upgrade. Profile Management has a GPO admx template that you can upgrade at your leisure.

      What’s in 7.16 that you find compelling? Most are staying on 7.15 Update 1.

  34. Carl, I wanted to do folder redirection for AppData wherein the target is a user share on a file server. (1) How to do that?
    (2) If I want client connections from the terminal server to share the same TCP/IP connection to the file server, or multiple TCP/IP connections, how to do that?

    1. Are you asking how to redirect AppData? You can do that in Microsoft GPO just like redirecting the other folders. Or is there something special about “user share” that I’m missing?

      Regarding TCP/IP connection, are you trying to configure firewall rules? Various firewall vendors and Microsoft should have documentation on how to allow SMB through firewalls.

  35. Carl, I am a bit confused and need your well-trained eye/brain. My folder redirection is set to have “Documents”
    Setting: Basic (Redirect everyone’s folder to the same location)
    Path: %HOMESHARE%%HOMEPATH%
    My AD user setting under Remote Desktop Services Profile has the home folder set as “Connect H: to \\sever\xahome\%username%”
    My result is I have directories in my home share that read as \\server\xahome\documents for each user's document directory, and each user also has a \\server\xahome\username that has their AppData and Outlook folders in it.
    I am thinking I have a setting somewhere with a path typo or a security setting wrong, but am not finding it.
    Possibly you have seen this before and can point me/open my eyes in the right direction.
    Thanks for what you do

      1. Lol, thanks for the quick reply Carl. Apparently I have the C prompt access denied and will check the setting when I figure out where I denied that access.
        In the meantime I also noticed I had “grant user exclusive rights” enabled on the AppData (Roaming) profile, which I have directed to the \\server\xahome\%username% folder, and am thinking it could be the cause.

  36. Hi Carl. Long time reader, first time poster. Great site!

    Of the profile inclusions\exclusions you have listed “fixes” for, can you advise what setting you have working for roaming appx package settings (Sticky Notes, Edge), Start Menu and taskbar?
    the closest i have gotten is with https://4sysops.com/archives/roaming-profiles-and-start-tiles-tiledatalayer-in-the-windows-10-1703-creators-update/
    adding these folders to mirror:
    AppData\Local\Microsoft\Windows\CloudStore
    AppData\Local\Microsoft\Windows\Caches
    AppData\Local\Microsoft\Windows\Explorer
    AppData\Local\tiledatalayer.

    i also have the exclusion\inclusion list you pointed to from https://www.htguk.com/everything-you-wanted-to-know-about_23/

    XenDesktop 7.14, VDA 7.16, UPM 7.16. Tried Windows 1703 and 1709, fully patched.

    On first login the Start Menu is fine, as has been set and now enforced by the layout.xml in group policy.
    The second logon may or may not be fine, retaining the custom layout. But every logon past that point has the Start Menu reorganising itself, duplicating pinned icons and losing the default groups.

    I added the 15 second delay too from the controller but this has not made a difference.
    Removing tiledatalayer from mirror just makes all non-provisioned app package shortcuts disappear from the Start Menu.

    any ideas?

      1. Thanks Nick
        Trying it out now. Initial results are that it hasn’t broken anything further but doesn’t restore the Start Menu to the original layout. Will have to test with a fresh user profile too.
        I had always brushed this solution aside as it was Server 2016 and 1607 related, which I thought could never be my issue.

        Will see how I go with it and let you know.
        Any help with my other issues, you roaming edge?

        Thanks again

  37. Hi Carl: I have a 7.13 Catalog of about 600 pooled machines; they boot from a VMware snapshot that contains recent updates. We are getting reports that sometimes Users boot up and they’re getting a Default User Profile instead of their own, while other times they get their personalized, custom Profile. I have found — from having the User share their Desktop via Skype — that in the cases where the Profile is GOOD, the Citrix UPM Service is registered and running; the ones where the Profile is DEFAULT (they don’t get their Printers, they don’t see their Home folder, etc.), the Citrix UPM Service is NOT running and is not even registered. For machines booting from a Pool, how could this happen? It’s mystifying. Any suggestions?

    1. Your VDA is 7.13? The easiest way to upgrade UPM is to upgrade the VDA. I would upgrade the VDA to 7.15 Update 1 and see if that fixes it. You can upgrade the VDA without upgrading the Controllers.

    1. Mirror: This setting specifies which folders relative to a user’s profile root folder to mirror. Configuring this policy setting can help solve issues involving any transactional folder (also known as a referential folder), that is a folder containing interdependent files, where one file references others.

      Synchronization: This setting specifies any files you want Profile management to include in the synchronization process that are located in excluded folders. By default, Profile management synchronizes everything in the user profile. It is not necessary to include files in the user profile by adding them to this list.

      https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-policies-article/xad-policies-settings-wrapper/xad-policies-settings-pm/xad-policies-settings-pm-file-system/xad-policies-settings-pm-file-system-sync.html

      1. @ citrixguyblog or @ Carl

        Just so I can understand the logic.

        If I say Exclude AppData\Local (of course it's going to exclude all data here)

        But if I say (Sync directories)
        appdata\local\google\Chrome (this will sync the Chrome folder and data with all the junk below the Chrome folder, correct?)

        or if I say

        Sync a file only, example
        appdata\local\google\chrome\user data\Default\bookmarks (it will only sync this bookmark file)

        Mirroring (will grab all data and folders you tell it to).
        Example:
        AppData\Local\Microsoft\Windows\INetCookies

  38. Citrix upm or rds roaming profiles… Which one is better?
    Can’t seem to find a good answer. Anybody have any opinions?

    Carl what is your experience?

    1. The whole point of UPM is to be better than RDS roaming profiles.

      Some UPM highlights: Profile Streaming, can save entire profile (including AppData/Local) with specific exclusions, merge ntuser.dat instead of overwriting, etc.

  39. Hi Carl – I’d like to ask for your opinion on an alternative config for DFS for profiles, if I might?
    I have a live Citrix site, with DR Failover to a second DC, DFS for roaming profiles. I previously had single target DFS which was manually updated when we failed over, as in your article, but I now use multi-master, but with the following option in DFSn enabled:

    Exclude Targets from outside the client’s site

    This blocks DFSn referrals from different AD sites. As my Primary and Fail-over resources are in different AD sites, including my XA/XD hosts and users don’t have access to both at once, this allows for fail-over & data sync without the need for any manual adjustments to DFS. Aside from an AD issue that prevented a server from registering in the correct site, it has worked well.

    1. That’s an interesting approach. Thanks for sharing. But ultimately, it’s up to the vendor to decide what they will support. 🙂

  40. Thanks Carl,

    This is a great article and I used it exactly for my setup but I’m having the same problem as my old setup.

    If I log on to a pc I have 2 desktop folders one is c:\users\username\Desktop and one is \\domain\profile\username\Desktop. (the one I want always)

    It always displays the generic one from c: and I want the other one. If I log into a thin client, I get the right one.

    Also, the documents folder shows \\Client\C$\users\username and is populated with all of the docs from c:

    I want strictly the desktop and documents from the redirected location no matter what I log in with.

    TB

    1. “Also, the documents folder shows \\Client\C$\users\username and is populated with all of the docs from c:”

      There is a known issue: When you redirect the Documents folder on a Windows Vista-based or Windows 7-based computer to a network share, the folder name unexpectedly changes back to Documents.

      https://support.microsoft.com/en-us/help/947222/when-you-redirect-the-documents-folder-on-a-windows-vista-based-or-win

      I ran into this recently with 2012 R2 and had to mitigate it with a GPP, delete .ini

  41. I’m looking to fix the user file associations but cannot find the location in the registry, HKCU\SOFTWARE\Classes\Applications, on the Win2k16 server. Am I missing something?

  42. Hi,

    After a VDA upgrade from 7.15 LTSR, Profile Management doesn't work. The users do not get their profile from the profile store. Replaying the snapshot from before the VDA upgrade, everything is fine. Does anyone have this problem too?

  43. Thanks Carl,
    You always have the best solutions out there. I do have a question regarding server 2012 R2 and the pinned taskbar items not roaming. Do you know where I can have that included in the UPM profile management?

  44. Carl, is the UPM still a separate downloaded component or is it integrated with the VDA?
    …and is the WEM console a good place to manage the UPM configuration versus GPO?

    1. I’m actually adding this content to the UPM article now.

      It’s both in the VDA and separate. Usually you just need to install the VDA.

      I don’t recommend Workspace Environment Management because it adds complexity. GPOs are much simpler.
