Citrix Profile Management 2009

Last Modified: Sep 30, 2020 @ 6:21 am

Navigation

This article applies to all versions of Profile Management: 2009, 1912 LTSR CU1, 1909, 7.15.6000 LTSR , 5.8, 5.7, etc.

💡 = Recently Updated

Change Log

Planning

Profile Management Versions

Profile Management is included with the installation of Virtual Delivery Agent. To upgrade Profile Management, simply upgrade your VDA software. Here are the currently supported versions of VDA:

Or you can download the individual Profile Management component and install/upgrade it separate from the VDA software. You can even install it on non-VDA machines (e.g. PCs accessed by licensed Citrix users).

For LTSR VDAs, for LTSR support compliance, only install the Profile Management version that is included with your VDA installer. Don’t upgrade to a newer Current Release version.

The latest release of Citrix Profile Management is version 2009, which can be downloaded from  Citrix Virtual Apps and Desktops 7 2009. To find it, click Components that are on the product ISO but also packaged separately.

Profile Management Configuration Options

Profile Management consists of a Service (installed on the VDAs), a file share, and configuration settings.

There are four methods of delivering configuration settings to the Citrix Profile Management service:

If a UPM setting is not configured in GPO, Citrix Policy, or WEM, then the default setting in the UPMPolicyDefaults.ini file takes effect. The .ini file is located in C:\Program Files\Citrix\User Profile Manager on every machine that has Profile Management service installed.

Microsoft Group Policy (ADMX file) is probably the most reliable method of delivering configuration settings to the Profile Management services. This method uses the familiar Group Policy registry framework. Just copy the Profile Management ADMX files to PolicyDefinitions and start configuring. The configuration instructions in this article use the GPO ADMX method.

The Citrix Policies configuration method requires Citrix Studio, or Citrix Group Policy Management Plug-in. On the Profile Management service side, only VDAs can read the Citrix Policies settings.

  • Citrix Policies has settings for Folder Redirection. If you use Citrix Policy to configure Folder Redirection, then the Folder Redirection settings only apply to VDAs that can read Citrix Policies. To apply to Folder Redirection to more than just VDAs, configure Folder Redirection using normal Microsoft Group Policy as detailed below.
  • If you’re going to use Microsoft Group Policy to configure Folder Redirection, then you might as well use Microsoft Group Policy to also configure Citrix Profile Management.

Citrix Workspace Environment Management can also deliver configuration settings to the Profile Management services. This option requires the WEM Agent to pull down the settings from the WEM Brokers and apply them to Profile Management. It can sometimes be challenging to troubleshoot why WEM is not applying the settings.

Try not to mix configuration options. If you use both WEM and GPO, which one wins?

Multiple Datacenters

For optimum performance, users connecting to Citrix in a particular datacenter should retrieve their roaming profiles from a file server in the same datacenter. If you have Citrix in multiple datacenters, then you will need file servers in each datacenter.

DFS active/active replication of roaming profiles is not supported. This limitation complicates multi-datacenter designs.

For active/active datacenters, split the users such that different users have different home datacenters. Whenever a particular user connects, that user always connects to the same datacenter, and in that datacenter is a file server containing the user’s roaming profile. StoreFront uses Active Directory group membership to determine a user’s home datacenter.

For users that connect to Citrix in multiple datacenters, there are a couple options:

  • The user’s roaming profile is located in only one datacenter – If the user connects to a remote datacenter, then the roaming profile must be transmitted across the WAN. To optimize performance, disable Active Write Back, and make sure Profile Streaming is enabled.
  • The user has separate profiles for each datacenter – There is no replication of profiles between datacenters. This scenario is best for deployments where different applications are hosted in different datacenters.

Disaster Recovery – For disaster recovery scenarios, the user’s roaming profile data (and home directories) must be recovered in a different datacenter. Here are some considerations:

  • Use DFS One-way replication. After the disaster, edit the DFS Namespace folder target to point to the file server in the DR datacenter. You must avoid multi-master DFS replication/namespace.
  • Use VMware SRM or similar to recover the file server in the DR datacenter.
  • A datacenter failover might result in multiple file servers accessed from a single VDA, especially if you have users split across datacenters. Use DFS Namespaces as detailed below.

DFS Namespace

DFS Namespace for central user store – The Citrix Profile Management user store path is a computer-level setting, meaning there can only be one path for every user that logs into a particular VDA. If you have different users with roaming profiles on different file servers, then you must use Active Directory user attributes and DFS namespaces to locate the user’s file server. Here is an overview of the configuration:

  • Create a domain-based DFS namespace with folder targets on different file servers. See Scenario 1 – Basic setup of geographically adjacent user stores and failover clusters at Citrix Docs for more information.
  • Do not enable two-way DFS Replication for the roaming profile shares. But you can do One-way DFS replication. See Scenario 2 – Multiple folder targets and replication at Citrix Docs for more information.
  • Edit each user in Active Directory with a location (l) attribute that matches the DFS folder name.
  • Set the Profile Management user store path to \\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!. This pulls the user’s l attribute from Active Directory and appends that to the DFS share. The folder that matches the attribute value is linked to a file server. For example, if the user’s l attribute is set to Omaha, then the user’s profile will be located at \\corp.local\CtxProfiles\Omaha\user01\Win2016v6. The Omaha folder is linked to a file server in the Omaha datacenter.

Create User Store

This procedure could also be used to create a file share for redirected profile folders.

If you intend to place Citrix Profile Management roaming profiles in the user’s home directory, then there is no need to follow the procedure in this section. Only use this section if you are creating a new file share for storage of the Citrix roaming profiles.

Create and Share the Folder

  1. Make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it CtxProfiles or similar.

  3. Share the folder.
  4. Give Everyone (or some other group that contains all Citrix Users) Full Control (Read/Write). Click Share, and then click Done.
  5. Go to the Properties of the folder.
  6. On the Sharing tab, click Advanced Sharing.
  7. Click Caching.
  8. Select No files or programs. Click OK, and then click Close.

Folder (NTFS) Permissions

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry, and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

Access Based Enumeration

With this setting enabled, users can only see folders to which they have access:

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it. Or perform a refresh.
  3. Right-click the new share and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration.

GPO ADMX Policy Template

  1. You can find the GPO ADMX templates on the main Citrix Virtual Apps and Desktops 2009 ISO in the \x64\ProfileManagement\ADM_Templates\en folder.

    • Or, they are included in the separate Profile Management download in the \Group Policy Templates\en folder.
  2. Copy the file ctxprofile.admx (or ctxprofile7.15.6000.admx) to the clipboard.

  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. If you have an older version of the ctxprofile.admx file in either location, delete it. Note: replacing the .admx file does not affect your existing Profile Management configuration. The template only defines the available settings, not the actual settings.
  5. Go back to the Citrix Profile Management Group Policy Template files.
  6. Copy ctxprofile.adml (or ctxprofile7.15.6000.adml) to the clipboard.

  7. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions,, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.
  8. If you have an older version of the ctxprofile.adml file in the en-US folder in either location, delete it.

CitrixBase:

  1. Go up a folder and then open the CitrixBase folder.
  2. In the CitrixBase folder, copy the file CitrixBase.admx to the clipboard.
  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. Go back to the Citrix Profile Management Group Policy Templates and copy CitrixBase.adml to the clipboard.
  5. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions,, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.

Group Policy Settings

  1. Edit a GPO that applies to all machines (VDAs) that have the Profile Management service installed.
  2. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management.
    • Note: if you did not install the CitrixBase.admx file, then you can find Profile Management directly under the Administrative Templates node instead of under Citrix Components.
  3. Enable the setting Enable Profile management. Profile Management will not function until this setting is enabled.
  4. If desired, enable the setting Process logons of local administrators.
  5. Enable Path to user store.
  6. Specify the UNC path to the folder share. An example path = \\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!

    1. Profile Versions– Different OS versions have different profile versions. Each profile version only works on specific OS versions. For example, you cannot use a Windows 7 profile (v2) on Windows 10 1607 (v6). The variables in the path above ensure that every unique profile version is stored in a unique folder. If users connect to multiple operating system versions, then users will have multiple profiles.
      1. Windows 10 Profile Versions – Windows 10 has two different profile versions. Windows 10 build 1511 and older use v5 profiles. Windows 10 build 1607 and newer use v6 profiles. v5 and v6 profile versions are incompatible so they should be separated.
      2. Resolved variables – With the example user store path shown above, if the user logs into Windows 2012 R2 RDSH, the profile folder will be \\server\share\user01\Win2012R2v4. If the user logs into 64-bit Windows 10 build 1607, the profile folder will be \\server\share\user01\Win10RS1v6.
      3. Windows 10 v6 vs Windows 2016 v6 – Both Windows 10 (1607 and newer) and Windows Server 2016 use v6 profiles. Do you want to use the same profile for both platforms? If so, remove !CTX_OSNAME! from the Path. Note: Windows 10 supports Store apps while Windows 2016 does not. If you’re allowing Store apps, then it’s probably best to use different profiles for both OS platforms.
      4. Windows 2012 R2 warning: in older versions of Citrix Profile Management, !CTX_PROFILEVER! recognizes Windows 2012 R2 as v2, which isn’t correct. v2 is Windows Server 2008 R2, while Windows Server 2012 R2 is v4. The profile version bug was fixed in Profile Management 5.4 and newer. If you have existing Windows 2012 R2 profiles based on the !CTX_PROFILEVER! variable set to v2, after upgrading to 5.4 or newer, then your profiles might stop working . See http://discussions.citrix.com/topic/374111-psa-upm-54-ctx-osname-server-2012-value-change/ for more details.
    2. Windows 10 and !CTX_OSNAME!: Profile Management sets !CTX_OSNAME1! to different strings for different Windows operating system versions, especially different versions of Windows 10: (RS = Redstone, which is a Microsoft codeword)
      • Windows Server 2019 sets !CTX_OSNAME! to Win2019v6.
      • Windows Server 2016 sets !CTX_OSNAME! to Win2016v6.
      • Windows 10 version 1903 and 1909 set !CTX_OSNAME! to Win10RS6.
      • Windows 10 version 1809 sets !CTX_OSNAME! to Win10RS5.
      • Windows 10 version 1803 sets !CTX_OSNAME! to Win10RS4.
      • Windows 10 version 1709 sets !CTX_OSNAME! to Win10RS3.
      • Windows 10 version 1703 sets !CTX_OSNAME! to Win10RS2.
      • Windows 10 version 1607 sets !CTX_OSNAME! to Win10RS1.
    3. If you use !CTX_OSNAME! in your profile store path, then different CTX_OSNAMEs will have different profiles, which means users will lose their profile settings whenever you upgrade Windows 10.
      • Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can alleviate this problem.
    4. Multiple Domains – If you have multiple domains, in the user profile store path, change #SAMAccountName# to %username%.%userdomain% (e.g. \\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!). That way you can have the same account name in multiple domains and each account will have a different profile.
    5. Hard Code Store Path – Instead of using variables, you can specify a hard coded path. However, the profile incompatibility restrictions listed above still apply. To avoid applying a single profile across multiple operating system versions, place VDAs with different OS versions in different OUs, and then use different Profile Management GPOs on those OUs to specify different Profile Management user store paths.
    6. Migrate User Store – Profile Management 1909 and newer can move profiles from an old profile path to a new profile path.

  7. Disable Active write back. This feature places additional load on the file server and is only needed if users login to multiple machines concurrently and need mid-session changes to be saved, or if users never log off from their sessions. Note: if you don’t disable this, then it is enabled by default.
  8. On the left, go to the Advanced settings node.
  9. Enable the setting Process Internet cookie files on logoff.
  10. In 5.6 and newer, Customer Experience Improvement Program (CEIP) is enabled by default. It can be disabled here.
  11. See https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#ceip for additional places where CEIP is enabled.
  12. Profile Management 7.18 adds Enable search index roaming for Outlook.

Notes on Outlook OST and Search roaming:

  1. Microsoft FSLogix is a superior product that is now free. For details, see the FSLogix section in the VDA articles.
  2. Citrix’s feature is only supported with Office 2016 on Windows 10 1709 and later, and Windows Server 2016 and later. Office 2019 is not supported as of Profile Management 2009.
  3. Profile Management 1906 and newer support 64-bit Outlook 2016.
  4. VDA 1906 or newer are recommended for the bug fixes for this feature. You can upgrade the VDA without upgrading your Delivery Controllers.
  5. Concurrent sessions on multiple machines are not supported.
  6. After the first user logon, Profile Management 1811 and newer creates a template VHDX file in a folder named UpmVhd at the root of the user store. The template file is copied to new users, thus speeding up VHDX creation.

  7. In the user’s profile location, a new folder called VHD is created.
  8. Inside the \VHD\Win2016 folder are two new thin provisioned .vhdx files – one for OST, one for Search. The per-user .vhdx files are copied from the parent template.
  9. UPM grants Domain Computers Full Control of the VHDX files. Users must have Full Control to the Profile Share, and UPM Folder to be able to grant this permission. Modify permissions are not sufficient. (Source = Robert Steeghs The Citrix Profile management could not mount virtual disk)
  10. When the user logs into a Citrix session, the two VHDXs are mounted to %localappdata%\Microsoft\Outlook and %appdata%\Citrix\Search. This means that OST files and Search Indexes are stored in the VHDX instead of in the user’s profile.


  11. eastwood357 at Outlook OST and Search vhdx not unmounting after log off at Citrix Discussions says that the Profile Management Path to User Store must be all lower case or else the VHDX files will not unmount at logoff.
  12. Only enable this feature for users with new Outlook profiles. If the user already has an .ost file, then you’ll see an error about missing .ost when Outlook is launched.
  13. The Search roaming feature is only supported with specific versions of Windows Search service. Event Log will tell you if your Windows patches are too new.
  14. VHDX files can only be mounted on one machine at a time. If you login to two VDAs, and if both try to mount the same VHDX files, then you’ll see errors in Event Viewer.
  15. Search Index Backup – Profile Management 1909 and newer have a GPO setting named Outlook search index database – backup and restore that can provide automatic recovery of the search index if it becomes corrupted. The backup consumes more of the available storage space of the VHDX files.
  16. For a detailed explanation of how the per-user Search Index works, see CTX235347 Citrix Profile Management: VHDX-based Outlook cache and Outlook search index on a user basis.

Exclusions, Synchronization, and Mirroring

  1. Under the File system node in the Group Policy Editor, enable the setting Enable Default Exclusion List – directories.
  2. You can use checkboxes to not exclude some folders.
  3. Then edit Exclusion list – directories.
  4. Enable the setting, and click Show.

  5. Add the following to the list.
    AppData\Local\Microsoft\Windows\INetCache
    AppData\local\Microsoft\Windows\IEDownloadHistory
    AppData\Local\Microsoft\Internet Explorer\DOMStore
    AppData\Local\Google\Software Reporter Tool
    AppData\Local\Google\Chrome\User Data\Default\Application Cache
    AppData\Local\Google\Chrome\User Data\Default\Code Cache
    AppData\Local\Google\Chrome\User Data\Default\Crashpad
    AppData\Local\Google\Chrome\User Data\Default\GPU Cache
    AppData\Local\Google\Chrome\User Data\Default\Media Cache
    AppData\Local\Google\Chrome\User Data\Default\Sync Data
    AppData\Local\Google\Chrome\User Data\Default\Sync Data Backup
    AppData\Roaming\Microsoft\Teams\media-stack
    AppData\Roaming\Microsoft\Teams\Logs
    AppData\Roaming\Microsoft\Teams\Service Worker\CacheStorage
    AppData\Roaming\Microsoft\Teams\Application Cache
    AppData\Roaming\Microsoft\Teams\Cache
    AppData\Roaming\Microsoft\Teams\GPUCache
    AppData\Roaming\Microsoft\Teams\meeting-addin\Cache
  6. For Edge Chromium, see Avanite Roaming Edge Chromium. These are essentially the same as Chrome except they are Edge paths instead of Chrome paths.
  7. Newer versions of Office Click-to-run let you roam the shared computer activation licensing token. See Overview of shared computer activation for Office 365 ProPlus and search for “roam”. The licensing tokens also last 30 days instead of 2-3 days. Source = Rick Smith in the comments. Ideally you should have ADFS integration so users can seamlessly re-activate Office.
  8. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  9. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of exclusions for IE in Enterprise Mode.
    appdata\local\microsoft\internet explorer\emieuserlist
    appdata\local\microsoft\internet explorer\emiesitelist
    appdata\local\microsoft\internet explorer\emiebrowsermodelist
  10. For Teams, Microsoft recommends excluding the Media-Stack folder from roaming. Add the exclusion for AppData\Roaming\Microsoft\Teams\media-stack\ to Citrix Profile Management’s Exclusion List – Directories setting.
  11. Then click OK twice to return to the Group Policy Editor.
  12. usrclass.dat*.
    1. Profile Management 1909 and newer automatically include usrclass.dat* in the Files to Synchronize. If added to the exclusion list, then Profile Management 1909 and newer removes it from the list.
    2. usrclass.dat* contains file type associations. For roaming file type associations, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
  13. Clean up excluded folders –  If you add to the exclusions list after profiles have already been created, Profile Management 5.8 has a feature that can delete the excluded folders at next logon. See To enable logon exclusion check at Citrix Docs. In Profile Management 7.15 and newer, Logon Exclusion Check is configurable in group policy under the File System node.

    1. Also see Muralidhar Maram’s post at Citrix Discussions for a tool that will clean up the existing profiles.
    2. Also see Jeremy Sprite Clean Citrix UPM Profiles.

Directories to Synchronize

  1. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  2. Edit the setting Directories to synchronize.
  3. Enable the setting, and click Show.
  4. Profile Management 7.16 Fixed Issues says that AppData\Local\Microsoft\Windows\Caches should be synchronized. Also see CTX234144 Start Menu Shows Blank Icons on VDA 7.15 LTSR CU1/7.16/7.17 with UPM Enabled.
  5. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
    AppData\Local\Microsoft\Windows\Caches
    AppData\Local\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Crypto
    Appdata\Roaming\Microsoft\Protect
    Appdata\Roaming\Microsoft\SystemCertificates

  6. Start Menu and File Type Associations:
    1. If Windows 10 1703 or newer, see James Rankin Roaming profiles and Start Tiles (TileDataLayer) in the Windows 10 1703 Creators Update for information on the new location for Tile data. Citrix Profile Management 5.8 and newer should handle this automatically.
    2. See David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
    3. To roam Start Menu and/or File Type Associations in Windows 10 or Windows Server 2016, see CTX214754 Error “An app default was reset” after signout and Logon in Citrix UPM for info on why this is difficult.
    4. Instead of roaming usrclass.dat, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
    5. Daniel Feller at Sync the Windows 10 Start Menu in VDI says that configuring SettlementPeriodBeforeAutoShutdown might improve reliability of Start Menu roaming, assuming users log out of the virtual desktop instead of rebooting the virtual desktop. On a Delivery Controller, open PowerShell, and run the following:
      asnp citrix.*
      Set-BrokerDesktopGroup -Name "NAME_OF_DESKTOP_GROUP" -SettlementPeriodBeforeAutoShutdown 00:00:15
    6. With VDA 7.15 Update 1, the icons on the Start Menu of Windows 2012 R2 and Windows 2016 are sometimes blank.

  7. Click OK twice.

Files to Synchronize

  1. Edit Files to synchronize.
  2. Enable the setting, and click Show

  3. Add the following three entries so Java settings are saved to the roaming profile:
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
    
  4. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  5. Citrix’s Start Menu Roaming documentation says that Appdata\Local\Microsoft\Windows\UsrClass.dat* should be added to the list. Profile Management 1909 and newer automatically add Appdata\Local\Microsoft\Windows\UsrClass.dat* to the Files to Synchronize list.

    • You can disable the automatic inclusion of these folders by enable the setting Disable automatic configuration located under Advanced Settings.
  6. Then click OK twice to return to the Group Policy Editor.

Folders to mirror

  1. In the Synchronization node, enable the setting Folders to mirror.
  2. Enable the setting, and click Show.

  3. Add the following:
    AppData\Roaming\Microsoft\Windows\Cookies
    AppData\Local\Microsoft\Windows\INetCookies
    AppData\Local\Microsoft\Windows\WebCache
    AppData\Local\TileDataLayer
    AppData\Local\Microsoft\Vault
    AppData\Local\Microsoft\Windows\Caches
    AppData\Local\Packages
    AppData\Local\Google\Chrome\User Data\Default
  4. For Windows 10 1709 and newer, you might have to add Outlook Signatures and Chrome to the Folders to Mirror setting. Leave these folders in Folders to Synchronize, but also add them to Folders to Mirror. (source = Citrix Discussions)
    AppData\Roaming\Microsoft\Signatures
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  5. Click OK.
  6. According to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Configuration > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.

Profile Container

  1. Profile Management 1903 and newer have a Profile container setting.
    • In Profile Management 2009 and newer, the Profile container setting moved to its own node. 💡
    • In older versions of Profile Management, Profile Container is located under File System | Synchronization.
  2. Click the Show button to specify profile paths that should be placed in the mounted file share profile disk (VHDX file) instead of copied back and forth at logon and logoff.
    • In Profile Management 2009 and newer, you can specify * to put the entire profile in the Container. Then use the other two settings to exclude folders from the Container. See Profile Container at Citrix Docs. 💡

    • In Profile Management older than version 2009, this setting is for large cache files (e.g. Citrix Files cache), and is not intended for the entire profile.
  3. Citrix recommends using Profile Container for Microsoft Teams.
  4. See CTX247569 Citrix Profile Management: Troubleshooting Profile Containers.

Registry Exclusions

  1. On the left, under Profile Management, click Registry.
  2. On the right, open Enable Default Exclusion List.
  3. Enable the setting. You can use the checkboxes to control which registry keys you don’t want to exclude.
  4. According to Citrix CTX221380 Occasionally, File Type Association (FTA) Fails to Roam with Profile Management 5.7 on Windows 10 and Windows Server 2016, Software\Microsoft\Speech_OneCore should be unchecked. Click OK.
  5. The setting Exclusion List under Registry lets you exclude registry keys from the roaming profile.
  6. Nick Panaccio in the comments says that if Office with ADFS constantly prompts for login, then you should exclude the following:
    Software\Microsoft\Office\16.0\Common\Identity
  7. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of registry exclusions for IE in Enterprise Mode.
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieUserList
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieSiteList
  8. Click OK when done.
  9. For the NTUSER.DAT backup setting, which is disabled by default, you can enable it to provide some resiliency against profile corruption.

Log Settings

  1. In the Log Settings node, enable the Enable logging setting. This will make it easy to troubleshoot problems with Profile Management. The logfile is located in C:\Windows\System32\LogFiles\UserProfileManager.
  2. Edit the Log settings setting.
  3. Enable the setting and check the boxes next to Logon and Logoff. Click OK.
  4. If your VDA is a Provisioning Services Target Device and/or non-persistent, consider moving the log file to the local persistent disk (e.g. D:\Logs), or to a central share. If a central share, the VDA computer accounts (e.g. Domain Computers) will need Modify permission to the log file path. To change the log file path, edit the Path to log file setting.


  5. CTX123005 Citrix UPM Log Parser
  6. CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

Profile Streaming

  1. For shared persistent VDAs (e.g. RDSH), go to the Profile handling node under Profile Management.
  2. Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can migrate existing profiles when you upgrade the version of Windows 10. This setting requires the !CTX_OSNAME! variable in your profile store path.
  3. Enable the setting Delete locally cached profiles at logoff. Note: this might cause problems in Windows 10.

    Helge Klein has a tool to delete locally cached profiles on a session host. http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/. This tool should only be needed if profiles are not deleting properly.
  4. For Windows 10/2016 machines, CTX216097 Unable to Delete NTUSER.DAT* Files When a User Logs off recommends setting Delay before deleting cached profiles to 40 seconds.

  5. Enable the setting Migration of existing profiles, and set it to Local and Roaming.  Citrix CTX221564 UPM doesn’t migrate local user profile since version 5.4.1.

  6. Enable the setting Local profile conflict handling, and set it to Delete local profile. Note: this might cause problems on Windows 10.

  7. Under Profile Management > Streamed user profiles is Profile streaming. Enable this setting to speed up logons.
  8. Profile Management 7.16 and newer have XenApp Optimization (aka Citrix Virtual Apps Optimization) feature, which uses Microsoft UE-V templates to define specific settings that should be saved and restored at logoff and logon. See George Spiers XenApp Optimization (new in CPM 7.16+) for details.

  9. After modifying the GPO, use Group Policy Management Console to update the VDAs.
  10. Or run gpupdate /force on the VDAs, or wait 90 minutes.

Mandatory Profile – Citrix Method

Profile Management 5.0 and newer has a mandatory profile feature. Alternatively, use the Microsoft method. Also see James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703).

  1. Create a file share (e.g. \\fs01\profile). Give Read permission to Users and Full Control to Administrators.
  2. Login to the VDA machine as a template account. Do any desired customizations. Logoff.
  3. Make sure you are viewing hidden files and system files.
  4. Copy C:\Users\%username% to your fileshare. Name the folder Mandatory or something like that. Citrix Profile Management does not need .v2 or .v4 or .v6 on the end.

    1. You can copy C:\Users\Default instead of copying a template user. If so, remove the Hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  5. Open the AppData folder and delete the Local and LocalLow folders.
  6. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file, and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  7. Open regedit.exe.
  8. Click HKEY_LOCAL_MACHINE to highlight it.
  9. Open the File menu and click Load Hive.
  10. Browse to the mandatory profile and open NTUSER.DAT. Note: Citrix Profile Management does not use NTUSER.MAN and instead the file must be NTUSER.DAT.
  11. Name it a or similar.
  12. Go to HKLM\a, right-click it, and click Permissions.
  13. Add Authenticated Users and give it Full Control. Click OK.
  14. With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ and http://appsensebigot.blogspot.ru/2014/10/create-windows-mandatory-profiles-in.html?m=1 for some suggestions.
  15. Citrix CTX212784 Slow User Logon When Using Mandatory Profiles – set HKCU\a\Software\Citrix\WFSHELL\SpecialFoldersIntialized (DWORD) = 1
  16. Highlight HKLM\a.
  17. Open the File menu, and click Unload Hive.
  18. Go back to the file share and delete the NTUSER.DAT log files.
  19. Create/Edit a GPO that appplies to the VDAs. Make sure the Citrix Profile Management policy template is loaded.
  20. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Profile Management > Profile handling. Edit the setting Template profile.
  21. Enable the setting and enter the path to the Mandatory profile.
  22. Check all three boxes. Then click OK.

Redirected Profile Folders

  1. Make sure loopback processing is enabled on your VDAs.
  2. Edit a GPO that applies to all VDA users, including Administrators.
  3. Go to User Configuration\Policies\Windows Settings\Folder Redirection. Right-click Documents, and click Properties.
  4. In the Setting drop down, select Basic.
  5. In the Target folder location drop down, select Redirect to the user’s home directory.
  6. Switch to the Settings tab.
  7. On the Settings tab, uncheck the box next to Grant the user exclusive rights. Click OK. Note: Move the contents to the new location might cause issues in some deployments.
  8. Click Yes to acknowledge this message.
  9. Right-click Desktop and click Properties.
  10. Change the Setting drop-down to Basic.
  11. Change the Target folder location to Redirect to the following location.
  12. In the Root Path box, enter %HOMESHARE%%HOMEPATH%\Desktop. It is critical that this is a UNC path and not a mapped drive. Also, since we’re using home directory variables, all users must have home directories defined in Active Directory.
  13. Switch to the Settings tab.
  14. Uncheck the box next to Grant the user exclusive rights to Desktop and click OK.
  15. Click Yes when prompted that the target is not a UNC path. You get this error because of the variable. It doesn’t affect operations.
  16. Repeat for the following folders:
    • Documents = Redirect to the User’s Home Directory
    • Desktop = %HOMESHARE%%HOMEPATH%\Desktop
    • Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites
    • Downloads = %HOMESHARE%%HOMEPATH%\Downloads
  17. Redirect the following folders but set them to Follow the Documents folder.
    • Pictures
    • Music
    • Videos

Folders not redirected will be synchronized by Citrix Profile Management.

Verify Profile Management

  1. Once Profile Management is configured, login to a Virtual Delivery Agent and run gpupdate /force.
  2. Logoff and log back in.
  3. Go to C:\Windows\System32\LogFiles\UserProfileManager and open the pm.log file. Look in the log for logon and logoff events.

Profile Management Troubleshooting

UPM Troubleshooter

Citrix Blog Post – UPM Troubleshooter: UPM Troubleshooter is a Windows-based standalone application that examines the live User Profile Management-enabled system in a single click, gives Profile Management Configurations, information on the Citrix products installed, facility to collect and send the logs along with system utilities dashboard to analyze the issue in an effective, simplified, quick and easier manner. See the blog post for more details.

Profile Management Configuration Check Tool

UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines whether it is optimally configured. UPMConfigCheck is designed to verify that Profile management has been configured optimally for the environment in which it is being run, taking into account:

  • Hypervisor Detection– The presence or absence of supported hypervisors (for example, Citrix XenServer, VMware vSphere, or Microsoft Hyper-V)
  • Provisioning Detection– The presence or absence of a supported machine-provisioning solution (for example, Machine Creation Services or Provisioning Services)
  • XenApp or XenDesktop– Whether it is running in a XenApp or a XenDesktop environment
  • User Store – Determines that the expanded Path to User Store exists.
  • WinLogon Hooking Test – Verifies that Profile management is correctly hooked into WinLogon processing. This test is for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and requires the user running the Configuration Check Tool to have permission to access the relevant registry keys, or an error may be returned.
  • Verify Personal vDisk enabled / disabled – Whether the Personal vDisk feature of XenDesktop is enabled
  • Miscellaneous – Other factors that it is able to determine through registry or WMI queries, such as whether the computer running Profile management is a laptop

Profile Size

Sacha Thomet at Monitor you Profile directories has a script that displays the size of profiles in a profile share.

Log Parser

CTX123005 Citrix UPM Log Parser

View Log Files using Excel

CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

958 thoughts on “Citrix Profile Management 2009”

  1. Hi, Carl,

    I hope you and your family are in good health.

    I am confused about the cross-platform policy and Citrix support couldn’t help too much.

    Can you please advise me on how to configure the policy in the below context?

    – currently, we have XA 6.5 farm (Windows server 2018 R2 VMs) and we want to migrate to XD 7.1912 (new Windows Servers 2016 VMs)
    – I already created a profile management policy for XD 7 (including folder redirection), where I published the new 2016 servers
    – the current profiles corresponding to W 2008 servers are saved in the user’s store
    – the new profiles corresponding to W 2016 (XD 7) are saved in a different user’s store location
    – our goal is to migrate Office 2016 settings from W 2008 to W 2016, so the users would not have to enter the Outlook credentials again when they connect to the published desktops for the first time

    Thank you

  2. Carl
    I am reviewing VDA logs trying to learn what makes a successful logon and why some are not so successful .
    My success = 30 second or less logon time. i have some logons taking up to 50 seconds
    I am using UPM and FSlogix.

    Log results

    Starting logon processing…
    2020-10-08;08:42:11.330;INFORMATION;;;78;15356;IsRunningInTerminalServerSession: Terminal services installed.
    2020-10-08;08:42:11.330;INFORMATION;;;78;15356;IsRunningInTerminalServerSession: ICA session.
    2020-10-08;08:42:11.334;INFORMATION;Domain;user.name;78;15356;DispatchLogonLogoff: UserSID = S-1-5-21-2053067395-2001430784-1236798564-31243

    Right off the bat it shows a fail

    2020-10-08;08:42:11.339;ERROR;Domain;user.name;78;15356;DispatchLogonLogoff: Triggering policy evaluation for failed: 0x106

    it continues and looks normal gathering info

    Logon/logoff will be processed.
    GetUserStorePath: User Store: Path In: \\svr\xaprofiles\#samaccountname#\!ctx_osname!!ctx_profilever!
    User Store: Path Out: \\svr\xaprofiles\user.name\Win2016v6
    ProcessLogon: Found a profile in the user store: .
    2020-10-08;08:42:11.413;INFORMATION; Domain;user.name;78;15356;QueryLocalProfile: Profile directory read from registry: c:\users\user.name
    2020-10-08;08:42:11.413;INFORMATION; Domain;user.name;78;15356;Mark as UPM profile by force to support FSLogix

    2020-10-08;08:42:11.417;INFORMATION;Domain;user.name;78;15356;GetUserStorePath: ParentVhdFolder: Path In: \\svr\xaprofiles\

    INFORMATION;Domain;user.name;78;15356;GetUserStorePath: ParentVhdFolder: Path Out: \\svr\xaprofiles
    2020-10-08;08:42:14.843;;Domain;user.name;78;15356;Copied NTUSER.DAT from \\svr\xaprofiles\user.name\Win2016v6\UPM_Profile\NTUSER.DAT to c:\users\user.name\NTUSER.DAT The operation completed successfully.

    Not sure why it copies from svr to local vda

    INFORMATION;Domain;user.name;78;15356;ProcessLogon: Starting to restore directories and files.
    2020-10-08;08:42:14.843;INFORMATION;Domain;user.name;78;15356;Now start to copy from\\svr\xaprofiles\user.name\Win2016v6\UPM_ProfileTo c:\users\user.name
    2020-10-08;08:42:27.372;INFORMATION;Domain;user.name;78;15356;Finished copying from\\svr\xaprofiles\user.name\Win2016v6\UPM_ProfileTo c:\users\user.name

    Than there is about 100 pages of errors, this is just a sampling

    2020-10-08;08:42:27.505;ERROR;Domain;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the file specified.
    2020-10-08;08:42:27.506;ERROR;Domain;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the file specified.
    2020-10-08;08:42:27.506;ERROR;Domain;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the path specified.
    2020-10-08;08:42:27.506;ERROR;Domain;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the path specified.
    2020-10-08;08:42:27.507;ERROR;Domain;user.name;78;15356;FindFirstFileAPIWrapper: FindFirstFile for path returned: The system cannot find the file specified.

      1. No
        Policy Setting Comment
        Profile streaming Disabled et profile streaming to disabled when FSLogixSupport is enabled as there is a conflict and will cause reparse point corruption
        Policy Setting Comment

        VDA 2006

        1. Are you doing multi-session write-back for FSLogix Profile Container? Or are you just doing FSLogix Office Container?

          1. Carl
            Ohh
            i have Computer\Policies\Admin Templates\Profile mgmt\Advanced settings\Enable multi-session “ENABLED”
            My intent is to manage office Profiles with FSLogix and all others with Citrix Profile management

    1. Hi Carl,

      For a new deployment with CVAD 2009, would you recommend using UPM with FSLogix or skip FSLogix and put the enitre profile in a profile container? What are the benefits in using FSLogix, when you can put the entire profile in a Profile Container?

  3. Hello Carl
    In a test deployment I did following:
    -Enable profile management -> Enable
    -Path to user store -> store’s path
    -no extra configurations
    But after logging in virtual desktop, user profiles are created in the VDA, not in the user store.
    What is the problem?
    Is there any other things to check?
    Thanks

    1. Check the log file (default location = C:\Windows\System32\LogFiles\User Profile Manager\pm.log). You might have to do some policy settings to enable the log.

  4. Hey Carl very nice guide! Followed it “mostly” on Version 1912. Yesterday upgraded the whole infrastructure to “2006” now UPM isnt working well. I´ve created an UPM Policy in Citrix Policies but this Policy won´t apply on every user (sometimes yes / sometimes no – same user) I´ve tried to determine the problem with UPM Config checker etc. The Logfile says that no upm policy is configured .ini is not set … so the defaults will be applied. This affect on our users to not load the upm settings. Followed yout guides to check if policy files appear in C:\ProgramData\CitrixCseCache – yes it is.

    Environemt is MCS with non persistand Maschines on Windows Server 2019 Datacenter on VmWare ESXi with updates Controllers Storefront WSA etc.. any suggestions? 🙂

      1. Hey Carl, thanks a lot this did the trick… sometimes it’s easier than expected. have a great day

        Best wishes
        Dominik

  5. Hi Carl,

    Can i upgrade my UPM to 5.8 from 5.3 on a 7.6 FP3 non LTSR environment?

    Secondly, for template profiles and its registry for user shell folders i realised that %USERNAME% variable is not supported and resolved when user grabs the template profile but I don’t see any issues so far. like e.g. a user’s shell folders cache still remains as C:\Users\%USERNAME%\AppData\…INetCache. would it pose of any problem or how do i resolve it?

    1. Is 5.8 the newest you’re entitled to? If you upgrade VDA, then you also get upgraded UPM.

      I think the registry have to be REG_EXPAND_SZ for it to expand the variable.

      1. Hi Carl, But does it have any dependency on the infra of Citrix if i upgrade the UPM? i.e 5.8 not supported on 7.6 vda only on 7.14.

        As for the template profile i configured the template path on Citrix policy instead of user inheriting the default profile on the VDA. But i have amended the profile to C:\Users\%USERNAME%\ on User Shell Folders in registry.

        But when i checked my own NTUSER.DAT registry hives, other than folder redirection entries is replaced things like Cache – C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\INetCache
        AppData – C:\Users\%USERNAME%\AppData\Roaming

        Question: would it cause any issues? If it doesn’t grab a template profile and based on default profile from VDA server the User Shell Folders would be like C:\users\\… etc

  6. Hello Carl,

    Great guide, wondering if you have ever seen on VDI Windows 2016, the Recycle Bin where the settings of all Recycle Bin Locations are set to “Don’t move files to the Recycle Bin. Remove files immediately when deleted”, I want to change this behavior for a certain Recycle Bin location – Desktop for all users and enable “Custom Size: 500 MB”, is there a policy that will do this for just the specified location ?

  7. Hey Carl,

    Followed your guide (thank you!) but wondering if you’ve seen this issue before. VDA 2006, Server 2019, MCS non-persistent desktops, folder redirection enabled. Users can sign into Chrome and while in the session, it stays connected fine, but when signing out and signing back in, the Chrome login is lost and it starts on the Welcome to Chrome tab. Oddly, if a user opens a new tab, their bookmarks bar shows up populated, but still not signed into Chrome/no logins remembered. Everything has been configured as discussed above regarding Chrome.

    Any thoughts?

    1. Sorry, forgot to add that we had this set of users on 2016 prior and it was working flawlessly, no GPO changes between the two. Also noticed that the First Run and Local State files never make it to the UPM_Profile folder on the 2019 version.

    2. Have the same problem here in lab environment 🙁 Fresh install and tried a lot of exclusion/sync variations but still the same f*cking problem. Gets really annoying. Hoping Carl know’s a solution. Also trying mirroring the hole Default folder doesn’t fixes it.

  8. From the application side of this, no desktop just virtualized apps, have you seen any work arounds or solutions on how to open the MS-Settings/Immersive Control Panel/PC Settings app? We have an issue where program defaults are not sticking or cannot be set and we cannot open the settings page. If we do the desktop side we can open it but the problem still exist with default programs not sticking.

    Example: Open a link in Outlook, are asked “Stick with IE, Use Edge, Use other”, select Chrome to be the default. For that session Chrome stays. Log off, wait a few minutes, log back on (only one test server at this time so it is the same machine), open the same link as before and it has reverted back to IE. Looked at the registry values and the hash seems to be the key in breaking this.

    Any advice is greatly appreciated.

      1. Thank you for this information. I have tried to follow the steps provided but it does not seem to work. IE still sits as the default program for opening web browsers

          1. That worked perfectly!!! I saw that but wasn’t sure since the updated version of SetUserFTA, i thought, was supportive of the default browser. Thank you very much for your time and advice on this.

  9. Hello Carl,

    we have changed our Chrome Exclusion to the following and all files are delete because of Logon Exclusion check “Delete files or folders” but all the folders in the AppData\Local\Google\Chrome folder are still there – should’nt they deleted?

    Directory exclusion

    AppData\Local\Google

    Folder mirror

    AppData\Local\Google\Chrome\User Data\Default\Extensions
    AppData\Local\Google\Chrome\User Data\Default\Login Data
    AppData\Local\Google\Chrome\User Data\Default\Last Session

    File synchronisation
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences

  10. Do the newer Profile Management versions support creating the Desktop folder in the user profile on the server when opening a published application? We’re running 7.15 LTSR and with no folder redirection the Desktop folder is not created until the user does something in the app that then creates the Desktop folder. Published Desktops (server-based) work fine and turning off Profile Management allows the Desktop folder to be created regardless of whether a published application or desktop is opened.

    1. I haven’t tested this. Maybe you can configure Group Policy Preferences > Folders to create the Desktop folder? I assume this only applies to new users.

    2. It’s supposed to create a desktop folder. Along with the whole user director shell. Unless you excluded it. Just make sure your not excluding it in the upm policy.

Leave a Reply to Vish Cancel reply