Citrix Profile Management 2203

Last Modified: Mar 27, 2022 @ 11:29 am


This article applies to all versions of Profile Management: 2203, 1912 LTSR CU5, 1909, 7.15.8000 LTSR, 5.8, 5.7, etc.


Change Log


Profile Management Versions

Profile Management is included with the installation of Virtual Delivery Agent. To upgrade Profile Management, simply upgrade your VDA software. Here are the currently supported versions of VDA:

Or you can download the individual Profile Management component and install/upgrade it separately from the VDA software. You can even install it on non-VDA machines (e.g., PCs accessed by licensed Citrix users).

For LTSR VDAs, for LTSR support compliance, only install the Profile Management version that is included with your VDA installer. Don’t upgrade to a newer Current Release version.

The latest release of Citrix Profile Management is version 2203, which can be downloaded from Citrix Virtual Apps and Desktops 7 2203. To find it, click Components that are on the product ISO but also packaged separately.

Profile Management Configuration Options

Profile Management consists of a Service (installed on the VDAs), a file share, and configuration settings.

There are four methods of delivering configuration settings to the Citrix Profile Management service:

If a UPM setting is not configured in GPO, Citrix Policy, or WEM, then the default setting in the UPMPolicyDefaults.ini file takes effect. The .ini file is located in C:\Program Files\Citrix\User Profile Manager on every machine that has Profile Management service installed.

Microsoft Group Policy (ADMX file) is probably the most reliable method of delivering configuration settings to the Profile Management services. This method uses the familiar Group Policy registry framework. Just copy the Profile Management ADMX files to PolicyDefinitions and start configuring. The configuration instructions in this article use the GPO ADMX method.

The Citrix Policies configuration method requires Citrix Studio, or Citrix Group Policy Management Plug-in. On the Profile Management service side, only VDAs can read the Citrix Policies settings.

  • Citrix Policies has settings for Folder Redirection. If you use Citrix Policy to configure Folder Redirection, then the Folder Redirection settings only apply to VDAs that can read Citrix Policies. To apply Folder Redirection to more than just VDAs, configure Folder Redirection using normal Microsoft Group Policy as detailed below.
  • If you’re going to use Microsoft Group Policy to configure Folder Redirection, then you might as well use Microsoft Group Policy to also configure Citrix Profile Management.

Citrix Workspace Environment Management can also deliver configuration settings to the Profile Management services. This option requires the WEM Agent to pull down the settings from the WEM Brokers and apply them to Profile Management. It can sometimes be challenging to troubleshoot why WEM is not applying the settings.

Try not to mix configuration options. If you use both WEM and GPO, which one wins?

Multiple Datacenters

For optimum performance, users connecting to Citrix in a particular datacenter should retrieve their roaming profiles from a file server in the same datacenter. If you have Citrix in multiple datacenters, then you will need file servers in each datacenter.

DFS active/active replication of roaming profiles is not supported. This limitation complicates multi-datacenter designs.

For active/active datacenters, split the users such that different users have different home datacenters. Whenever a particular user connects, that user always connects to the same datacenter, and in that datacenter is a file server containing the user’s roaming profile. StoreFront uses Active Directory group membership to determine a user’s home datacenter.

For users that connect to Citrix in multiple datacenters, there are a couple options:

  • The user’s roaming profile is located in only one datacenter – If the user connects to a remote datacenter, then the roaming profile must be transmitted across the WAN. To optimize performance, disable Active Write Back, and make sure Profile Streaming is enabled.
  • The user has separate profiles for each datacenter – There is no replication of profiles between datacenters. This scenario is best for deployments where different applications are hosted in different datacenters.

Disaster Recovery – For disaster recovery scenarios, the user’s roaming profile data (and home directories) must be recovered in a different datacenter. Here are some considerations:

  • Use DFS One-way replication. After the disaster, edit the DFS Namespace folder target to point to the file server in the DR datacenter. You must avoid multi-master DFS replication/namespace.
  • Use VMware SRM or similar to recover the entire file server in the DR datacenter.
  • A datacenter failover might result in multiple file servers accessed from a single VDA, especially if you have users split across datacenters. Use DFS Namespaces as detailed below.

DFS Namespace

DFS Namespace for central user store – The Citrix Profile Management user store path is a computer-level setting, meaning there can only be one path for every user that logs into a particular VDA. If you have different users with roaming profiles on different file servers, then you must use Active Directory user attributes and DFS namespaces to locate the user’s file server. Here is an overview of the configuration:

  • Create a domain-based DFS namespace with folder targets on different file servers. See Scenario 1 – Basic setup of geographically adjacent user stores and failover clusters at Citrix Docs for more information.
  • Do not enable two-way DFS Replication for the roaming profile shares. But you can do One-way DFS replication. See Scenario 2 – Multiple folder targets and replication at Citrix Docs for more information.
  • Edit each user in Active Directory with a location (l) attribute that matches the DFS folder name.
  • Set the Profile Management user store path to \\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!. This pulls the user’s l attribute from Active Directory and appends that to the DFS share. The folder that matches the attribute value is linked to a file server. For example, if the user’s l attribute is set to Omaha, then the user’s profile will be located at \\corp.local\CtxProfiles\Omaha\user01\Win2016v6. The Omaha folder is linked to a file server in the Omaha datacenter.

Create User Store

This procedure could also be used to create a file share for redirected profile folders.

Create and Share the Folder

  1. Make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it CtxProfiles or similar.

  3. Right-click the folder, expand Give Access to (Windows Server 2019) or expand Share with (Windows Server 2016) and select Specific people.

  4. Give Everyone (or some other group that contains all Citrix Users) Full Control (Read/Write). Click Share, and then click Done.
  5. Go to the Properties of the folder.
  6. On the Sharing tab, click Advanced Sharing.
  7. Click Caching.
  8. Select No files or programs. Click OK, and then click Close.

Folder NTFS Permissions

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry, and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

Access Based Enumeration

With this setting enabled, users can only see folders to which they have access:

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it. Or perform a refresh.
  3. Right-click the new share and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration.
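
The three procedures above (share, NTFS permissions, access-based enumeration) combined into one PowerShell script, followed by a check that reports broad-group permissions reaching the per-user profile folders. This is an added example, not part of the original article; the folder D:\CtxProfiles, the share name, and the function names New-UserStoreShare and Test-UserStoreAcl are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Assumed values: folder path, share name,
# and Everyone as the group that contains all Citrix users.
$Path      = 'D:\CtxProfiles'
$ShareName = 'CtxProfiles'

# Well-known SIDs are used instead of names so the script also works on localized servers.
$everyone     = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$creatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'

function New-UserStoreShare {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ShareName)

    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    # Share level: Full Control for Everyone, offline caching off, access-based enumeration on.
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        $everyoneName = $everyone.Translate([System.Security.Principal.NTAccount]).Value
        New-SmbShare -Name $ShareName -Path $Path -FullAccess $everyoneName `
            -CachingMode None -FolderEnumerationMode AccessBased | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path

    # Everyone: Read & execute + Write (no Modify, no Full Control), this folder only,
    # so users can create their profile folder but the entry does not flow down.
    $everyoneRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write',
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # CREATOR OWNER: Full Control on subfolders and files, so each user owns what they create.
    $ownerRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $creatorOwner,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # SetAccessRule replaces any existing Allow entries for the same identity.
    $acl.SetAccessRule($everyoneRule)
    $acl.SetAccessRule($ownerRule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-UserStoreAcl {
    param([Parameter(Mandatory)][string]$Path)

    # Everyone, Authenticated Users, BUILTIN\Users, and any domain's Domain Users (RID 513).
    $broad   = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-[\d-]+-513)$'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $root    = Get-Item -LiteralPath $Path
    $targets = @($root) + @(Get-ChildItem -LiteralPath $Path -Directory -Force)

    foreach ($dir in $targets) {
        $isRoot = ($dir.FullName -eq $root.FullName)
        try {
            $aces = (Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop).GetAccessRules(
                $true, $true, $sidType)
        } catch {
            # A folder whose ACL cannot be read is reported rather than silently skipped.
            [pscustomobject]@{ Folder = $dir.FullName; Identity = '(ACL unreadable)'
                               Rights = $null; Inherited = $null }
            continue
        }
        foreach ($ace in $aces) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notmatch $broad) { continue }
            # On the root only entries that propagate to children matter;
            # on a profile folder any broad-group entry is a finding.
            if ($isRoot -and $ace.InheritanceFlags -eq 'None') { continue }
            [pscustomobject]@{
                Folder    = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

New-UserStoreShare -Path $Path -ShareName $ShareName
Test-UserStoreAcl -Path $Path | Format-Table -AutoSize
```

An empty result means no Everyone, Authenticated Users, Users, or Domain Users entry reaches the per-user folders. Entries inherited from the volume root appear with Inherited set to True.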

GPO ADMX Policy Template

  1. You can find the GPO ADMX templates on the main Citrix Virtual Apps and Desktops 2203 ISO in the \x64\ProfileManagement\ADM_Templates\en folder.

    • Or, they are included in the separate Profile Management download in the \Group Policy Templates\en folder.
  2. Copy the file ctxprofile.admx (or ctxprofile7.15.8000.admx) to the clipboard.

  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. If you have an older version of the ctxprofile.admx file in either location, delete it. Note: replacing the .admx file does not affect your existing Profile Management configuration. The template only defines the available settings, not the actual settings.
  5. Go back to the Citrix Profile Management Group Policy Template files.
  6. Copy ctxprofile.adml (or ctxprofile7.15.8000.adml) to the clipboard.

  7. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.
  8. If you have an older version of the ctxprofile.adml file in the en-US folder in either location, delete it.


  1. Go up a folder and then open the CitrixBase folder.
  2. In the CitrixBase folder, copy the file CitrixBase.admx to the clipboard.
  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. Go back to the Citrix Profile Management Group Policy Templates and copy CitrixBase.adml to the clipboard.
  5. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.

Group Policy Settings

  1. Edit a GPO that applies to all machines (VDAs) that have the Profile Management service installed.
  2. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management.
    • Note: if you did not install the CitrixBase.admx file, then you can find Profile Management directly under the Administrative Templates node instead of under Citrix Components.
  3. Enable the setting Enable Profile management. Profile Management will not function until this setting is enabled.
  4. If desired, enable the setting Process logons of local administrators.
  5. Enable Path to user store.
  6. Specify the UNC path to the folder share. An example path = \\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!

    1. Profile Versions– Different OS versions have different profile versions. Each profile version only works on specific OS versions. For example, you cannot use a Windows 7 profile (v2) on Windows 10 1607 (v6). The variables in the path above ensure that every unique profile version is stored in a unique folder. If users connect to multiple operating system versions, then users will have multiple profiles.
      1. Windows 10 Profile Versions – Windows 10 has two different profile versions. Windows 10 build 1511 and older use v5 profiles. Windows 10 build 1607 and newer use v6 profiles. v5 and v6 profile versions are incompatible so they should be separated.
      2. Resolved variables – With the example user store path shown above, if the user logs into Windows 2012 R2 RDSH, the profile folder will be \\server\share\user01\Win2012R2v4. If the user logs into 64-bit Windows 10 build 1607, the profile folder will be \\server\share\user01\Win10RS1v6.
      3. Windows 10 v6 vs Windows 2016 v6 – Both Windows 10 (1607 and newer) and Windows Server 2016 use v6 profiles. Do you want to use the same profile for both platforms? If so, remove !CTX_OSNAME! from the Path. Note: Windows 10 supports Store apps while Windows 2016 does not. If you’re allowing Store apps, then it’s probably best to use different profiles for both OS platforms.
      4. Windows 2012 R2 warning: in older versions of Citrix Profile Management, !CTX_PROFILEVER! recognizes Windows 2012 R2 as v2, which isn’t correct. v2 is Windows Server 2008 R2, while Windows Server 2012 R2 is v4. The profile version bug was fixed in Profile Management 5.4 and newer. If you have existing Windows 2012 R2 profiles based on the !CTX_PROFILEVER! variable set to v2, after upgrading to 5.4 or newer, then your profiles might stop working. See for more details.
    2. Windows 10 and !CTX_OSNAME!: Profile Management sets !CTX_OSNAME! to different strings for different Windows operating system versions, especially different versions of Windows 10: (RS = Redstone, which is a Microsoft codeword)
      • Windows Server 2019 sets !CTX_OSNAME! to Win2019v6.
      • Windows Server 2016 sets !CTX_OSNAME! to Win2016v6.
      • Windows 10 version 1903 and 1909 set !CTX_OSNAME! to Win10RS6.
      • Windows 10 version 1809 sets !CTX_OSNAME! to Win10RS5.
      • Windows 10 version 1803 sets !CTX_OSNAME! to Win10RS4.
      • Windows 10 version 1709 sets !CTX_OSNAME! to Win10RS3.
      • Windows 10 version 1703 sets !CTX_OSNAME! to Win10RS2.
      • Windows 10 version 1607 sets !CTX_OSNAME! to Win10RS1.
    3. If you use !CTX_OSNAME! in your profile store path, then different CTX_OSNAMEs will have different profiles, which means users will lose their profile settings whenever you upgrade Windows 10.
      • Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can alleviate this problem.
    4. Multiple Domains – If you have multiple domains, in the user profile store path, change #SAMAccountName# to %username%.%userdomain% (e.g. \\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!). That way you can have the same account name in multiple domains and each account will have a different profile.
    5. Hard Code Store Path – Instead of using variables, you can specify a hard coded path. However, the profile incompatibility restrictions listed above still apply. To avoid applying a single profile across multiple operating system versions, place VDAs with different OS versions in different OUs, and then use different Profile Management GPOs on those OUs to specify different Profile Management user store paths.
    6. Migrate User Store – Profile Management 1909 and newer can move profiles from an old profile path to a new profile path.

  7. Disable Active write back. This feature places additional load on the file server and is only needed if users log in to multiple machines concurrently and need mid-session changes to be saved, or if users never log off from their sessions. Note: if you don’t disable this, then it is enabled by default.
  8. On the left, go to the Advanced settings node.
  9. Enable the setting Process Internet cookie files on logoff.
  10. In 5.6 and newer, Customer Experience Improvement Program (CEIP) is enabled by default. It can be disabled here.
  11. See for additional places where CEIP is enabled.
  12. Profile Management 7.18 and newer have Enable search index roaming for Outlook.

Notes on Outlook OST and Search roaming:

  1. Microsoft FSLogix is a superior product that is now free. For details, see the FSLogix section in the VDA articles.
  2. Profile Management 1906 and newer support 64-bit Outlook 2016 and Office 2019.
  3. VDA 1906 or newer is recommended for the bug fixes for this feature. You can upgrade the VDA without upgrading your Delivery Controllers.
  4. Concurrent sessions on multiple machines are not supported.
  5. After the first user logon, Profile Management 1811 and newer creates a template VHDX file in a folder named UpmVhd at the root of the user store. The template file is copied to new users, thus speeding up VHDX creation.

  6. In the user’s profile location, a new folder called VHD is created.
  7. Inside the \VHD\Win2016 folder are two new thin provisioned .vhdx files – one for OST, one for Search. The per-user .vhdx files are copied from the parent template.
  8. UPM grants Domain Computers Full Control of the VHDX files. Users must have Full Control to the Profile Share, and UPM Folder to be able to grant this permission. Modify permissions are not sufficient. (Source = Robert Steeghs The Citrix Profile management could not mount virtual disk)
  9. When the user logs into a Citrix session, the two VHDXs are mounted to %localappdata%\Microsoft\Outlook and %appdata%\Citrix\Search. This means that OST files and Search Indexes are stored in the VHDX instead of in the user’s profile.

  10. eastwood357 at Outlook OST and Search vhdx not unmounting after log off at Citrix Discussions says that the Profile Management Path to User Store must be all lower case or else the VHDX files will not unmount at logoff.
  11. Only enable this feature for users with new Outlook profiles. If the user already has an .ost file, then you’ll see an error about missing .ost when Outlook is launched.
  12. The Search roaming feature is only supported with specific versions of Windows Search service. Event Log will tell you if your Windows patches are too new.
  13. VHDX files can only be mounted on one machine at a time. If you log in to two VDAs, and if both try to mount the same VHDX files, then you’ll see errors in Event Viewer.
  14. Search Index Backup – Profile Management 1909 and newer have a GPO setting named Outlook search index database – backup and restore that can provide automatic recovery of the search index if it becomes corrupted. The backup consumes more of the available storage space of the VHDX files.
  15. For a detailed explanation of how the per-user Search Index works, see CTX235347 Citrix Profile Management: VHDX-based Outlook cache and Outlook search index on a user basis.
  16. Profile Management 2109 and newer can Automatically reattach detached VHDX disks. In Profile Management 2203 and newer, it’s available as a group policy setting under the Profile Management | Advanced Settings node.

Exclusions, Synchronization, and Mirroring

  1. Under the File system node in the Group Policy Editor, enable the setting Enable Default Exclusion List – directories.
  2. You can use checkboxes to not exclude some folders.
  3. Then edit Exclusion list – directories.
  4. Enable the setting, and click Show.

  5. For Edge Chromium, see Avanite Roaming Edge Chromium.
  6. For Chrome, use the same list as Edge but change \Microsoft\Edge to \Google\Chrome.
  7. Add the following to the list.
    AppData\Local\Microsoft\Internet Explorer\DOMStore
    AppData\Local\Google\Software Reporter Tool
    AppData\Roaming\Microsoft\Teams\Service Worker\CacheStorage
    AppData\Roaming\Microsoft\Teams\Application Cache
  8. Newer versions of Office Click-to-run let you roam the shared computer activation licensing token. See Overview of shared computer activation for Office 365 ProPlus and search for “roam”. The licensing tokens also last 30 days instead of 2-3 days. Source = Rick Smith in the comments. Ideally you should have ADFS integration so users can seamlessly re-activate Office.
  9. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  10. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of exclusions for IE in Enterprise Mode.
    appdata\local\microsoft\internet explorer\emieuserlist
    appdata\local\microsoft\internet explorer\emiesitelist
    appdata\local\microsoft\internet explorer\emiebrowsermodelist
  11. Then click OK twice to return to the Group Policy Editor.
  12. usrclass.dat*.
    1. Profile Management 1909 and newer automatically include usrclass.dat* in the Files to Synchronize. UPM 2103 and newer add it for Windows 10 but not for RDSH. If added to the exclusion list, then Profile Management 1909 and newer automatically removes it from the exclusion list. See Start menu roaming at Citrix Docs.
    2. usrclass.dat* contains file type associations. For roaming file type associations, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
  13. Clean up excluded folders – If you add to the exclusions list after profiles have already been created, Profile Management 5.8 has a feature that can delete the excluded folders at next logon. See To enable logon exclusion check at Citrix Docs. In Profile Management 7.15 and newer, Logon Exclusion Check is configurable in group policy under the File System node.

    1. Also see Muralidhar Maram’s post at Citrix Discussions for a tool that will clean up the existing profiles.
    2. Also see Jeremy Sprite Clean Citrix UPM Profiles.

Directories to Synchronize

  1. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  2. Edit the setting Directories to synchronize.
  3. Enable the setting, and click Show.
  4. Profile Management 7.16 Fixed Issues says that AppData\Local\Microsoft\Windows\Caches should be synchronized. Also see CTX234144 Start Menu Shows Blank Icons on VDA 7.15 LTSR CU1/7.16/7.17 with UPM Enabled.
  5. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.

  6. Start Menu and File Type Associations:
    1. If Windows 10 1703 or newer, see James Rankin Roaming profiles and Start Tiles (TileDataLayer) in the Windows 10 1703 Creators Update for information on the new location for Tile data. Citrix Profile Management 5.8 and newer should handle this automatically.
    2. See David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
    3. To roam Start Menu and/or File Type Associations in Windows 10 or Windows Server 2016, see CTX214754 Error “An app default was reset” after signout and Logon in Citrix UPM for info on why this is difficult.
    4. Instead of roaming usrclass.dat, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
    5. Daniel Feller at Sync the Windows 10 Start Menu in VDI says that configuring SettlementPeriodBeforeAutoShutdown might improve reliability of Start Menu roaming, assuming users log out of the virtual desktop instead of rebooting the virtual desktop. On a Delivery Controller, open PowerShell, and run the following:
      asnp citrix.*
      Set-BrokerDesktopGroup -Name "NAME_OF_DESKTOP_GROUP" -SettlementPeriodBeforeAutoShutdown 00:00:15
    6. With VDA 7.15 Update 1, the icons on the Start Menu of Windows 2012 R2 and Windows 2016 are sometimes blank.

  7. Click OK twice.

Files to Synchronize

  1. Edit Files to synchronize.
  2. Enable the setting, and click Show.

  3. Add the following three entries so Java settings are saved to the roaming profile:
  4. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  5. Citrix’s Start Menu Roaming documentation says that Appdata\Local\Microsoft\Windows\UsrClass.dat* should be added to the list. Profile Management 1909 and newer automatically add Appdata\Local\Microsoft\Windows\UsrClass.dat* to the Files to Synchronize list.

    • You can disable the automatic inclusion of these folders by enabling the setting Disable automatic configuration located under Advanced Settings.
  6. Then click OK twice to return to the Group Policy Editor.

Folders to mirror

  1. Under File System, in the Synchronization node, enable the setting Folders to mirror.
  2. Enable the setting, and click Show.

  3. Add the following:
    AppData\Local\Google\Chrome\User Data\Default
  4. Click OK.
  5. Profile Management 2106 and newer have a setting called Accelerate folder mirroring that stores the mirrored folders in a VHDX file instead of copying back and forth at login and logoff.

    • UPM creates a folder named MirrorFolders in the user’s UPM path and creates a couple thin-provisioned VHDX files in that path.
    • Disk Management shows that the mounted Diff disk has a 50 GB capacity limit.
    • Logging into multiple sessions concurrently results in multiple Diff disks.
    • If the file server is unavailable then unpredictable behavior occurs. After the file server is back up, the session continues to misbehave and won’t recover until users log off and log back on. Plan for file server high availability that can handle always-open VHDX files. DFS won’t help you.
    • Profile Management 2109 and newer can Automatically reattach detached VHDX disks.
  6. According to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Configuration > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.

Profile Container

  1. Profile Management 1903 and newer have a Profile container setting.
    • In Profile Management 2009 and newer, the Profile container setting moved to its own node.
    • In older versions of Profile Management, Profile Container is located under File System | Synchronization.
  2. Click the Show button to specify profile paths that should be placed in the mounted file share profile disk (VHDX file) instead of copied back and forth at logon and logoff.
    • In Profile Management 2009 and newer, you can specify * to put the entire profile in the Container. Then use the other two settings to exclude folders from the Container. See Profile Container at Citrix Docs.

    • In Profile Management older than version 2009, this setting is for large cache files (e.g. Citrix Files cache), and is not intended for the entire profile.
  3. Profile Management 2103 and newer have a setting to Enable local caching for profile containers. Combine this with Profile Streaming for faster logons. The entire profile should be stored in the profile container.
  4. On the left, under Advanced Settings, Profile Management 2103 and newer have a setting to Enable multi-session write-back for profile containers. This setting applies to both UPM Profile Container and Microsoft FSLogix Profile Container. If the same user launches multiple sessions on different machines, changes made in each session are synchronized and saved to the user’s profile container disk.
  5. Profile Management 2109 and newer can Automatically reattach detached VHDX disks.
  6. Citrix recommends using Profile Container for Microsoft Teams.
  7. See CTX247569 Citrix Profile Management: Troubleshooting Profile Containers.

Registry Exclusions

  1. On the left, under Profile Management, click Registry.
  2. On the right, open Enable Default Exclusion List.
  3. Enable the setting. You can use the checkboxes to control which registry keys you don’t want to exclude.
  4. According to Citrix CTX221380 Occasionally, File Type Association (FTA) Fails to Roam with Profile Management 5.7 on Windows 10 and Windows Server 2016, Software\Microsoft\Speech_OneCore should be unchecked. Click OK.
  5. The setting Exclusion List under Registry lets you exclude registry keys from the roaming profile.
  6. Nick Panaccio in the comments says that if Office with ADFS constantly prompts for login, then you should exclude the following:
  7. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of registry exclusions for IE in Enterprise Mode.
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieUserList
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieSiteList
  8. Click OK when done.
  9. For the NTUSER.DAT backup setting, which is disabled by default, you can enable it to provide some resiliency against profile corruption.

Log Settings

  1. In the Log Settings node, enable the Enable logging setting. This will make it easy to troubleshoot problems with Profile Management. The logfile is located in C:\Windows\System32\LogFiles\UserProfileManager.
  2. Edit the Log settings setting.
  3. Enable the setting and check the boxes next to Logon and Logoff. Click OK.
  4. If your VDA is a Provisioning Services Target Device and/or non-persistent, consider moving the log file to the local persistent disk (e.g. D:\Logs), or to a central share. If a central share, the VDA computer accounts (e.g. Domain Computers) will need Modify permission to the log file path. To change the log file path, edit the Path to log file setting.

  5. CTX123005 Citrix UPM Log Parser
  6. CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

Profile Streaming

  1. Go to the Profile handling node under Profile Management.
  2. Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can migrate existing profiles when you upgrade the version of Windows 10. This setting requires the !CTX_OSNAME! variable in your profile store path.
  3. Enable the setting Delete locally cached profiles at logoff. Note: this might cause problems in Windows 10.

    Helge Klein has a tool to delete locally cached profiles on a session host. This tool should only be needed if profiles are not deleting properly.
  4. For Windows 10/2016 machines, CTX216097 Unable to Delete NTUSER.DAT* Files When a User Logs off recommends setting Delay before deleting cached profiles to 40 seconds.

  5. Enable the setting Migration of existing profiles, and set it to Local and Roaming. See Citrix CTX221564 UPM doesn’t migrate local user profile since version 5.4.1.

  6. Enable the setting Local profile conflict handling, and set it to Delete local profile. Note: this might cause problems on Windows 10.

  7. Under Profile Management > Streamed user profiles is Profile streaming. Enable this setting to speed up logons.
  8. Profile Management 2103 and newer have a setting to Enable profile streaming for folders, which should speed up logons.
  9. Profile Management 7.16 and newer have XenApp Optimization (aka Citrix Virtual Apps Optimization) feature, which uses Microsoft UE-V templates to define specific settings that should be saved and restored at logoff and logon. See George Spiers XenApp Optimization (new in CPM 7.16+) for details.

  10. After modifying the GPO, use Group Policy Management Console to update the VDAs.
  11. Or run gpupdate /force on the VDAs, or wait 90 minutes.

Mandatory Profile – Citrix Method

Profile Management 5.0 and newer have a mandatory profile feature. Alternatively, use the Microsoft method. Also see James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703).

  1. Create a file share (e.g. \\fs01\profile). Give Read permission to Users and Full Control to Administrators.
  2. Log in to the VDA machine as a template account. Do any desired customizations. Log off.
  3. Make sure you are viewing hidden files and system files.
  4. Copy C:\Users\%username% to your fileshare. Name the folder Mandatory or something like that. Citrix Profile Management does not need .v2 or .v4 or .v6 on the end.

    1. You can copy C:\Users\Default instead of copying a template user. If so, remove the Hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  5. Open the AppData folder and delete the Local and LocalLow folders.
  6. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the file, the exception.sites file, and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  7. Open regedit.exe.
  8. Click HKEY_LOCAL_MACHINE to highlight it.
  9. Open the File menu and click Load Hive.
  10. Browse to the mandatory profile and open NTUSER.DAT. Note: Citrix Profile Management does not use NTUSER.MAN and instead the file must be NTUSER.DAT.
  11. Name it a or similar.
  12. Go to HKLM\a, right-click it, and click Permissions.
  13. Add Authenticated Users and give it Full Control. Click OK.
  14. With the hive still loaded, you can do some cleanup in the registry keys. See and for some suggestions.
  15. Citrix CTX212784 Slow User Logon When Using Mandatory Profiles – set HKCU\a\Software\Citrix\WFSHELL\SpecialFoldersIntialized (DWORD) = 1
  16. Highlight HKLM\a.
  17. Open the File menu, and click Unload Hive.
  18. Go back to the file share and delete the NTUSER.DAT log files.
  19. Create/Edit a GPO that applies to the VDAs. Make sure the Citrix Profile Management policy template is loaded.
  20. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Profile Management > Profile handling. Edit the setting Template profile.
  21. Enable the setting and enter the path to the Mandatory profile.
  22. Check all three boxes. Then click OK.
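
Steps 7 through 18 above (load the hive, grant Authenticated Users Full Control, set the CTX212784 value, unload the hive, delete the log files) can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes an elevated session, the example share \\fs01\profile with the copy named Mandatory, and that the WFSHELL value from step 15 belongs inside the loaded hive.

```powershell
#Requires -RunAsAdministrator
# Added example: scripts the regedit steps for a Citrix mandatory (template) profile.
# Assumed values: the share and folder name below, taken from the article's examples.
$ProfilePath = '\\fs01\profile\Mandatory'
$HiveFile    = Join-Path -Path $ProfilePath -ChildPath 'NTUSER.DAT'
$Mount       = 'a'    # the hive is loaded as HKLM\a, as in the manual steps

if (-not (Test-Path -LiteralPath $HiveFile)) {
    throw "NTUSER.DAT not found in $ProfilePath (Citrix does not use NTUSER.MAN)."
}

# Steps 8-11: File > Load Hive
& reg.exe load "HKLM\$Mount" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)." }

$root     = $null
$wfshell  = $null
$unloaded = $false
try {
    # Steps 12-13: add Authenticated Users (S-1-5-11) with Full Control on the
    # hive root, inherited by every subkey.
    $sid  = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $sid,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # Open the root with exactly the rights needed to read and rewrite its DACL.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $Mount,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadKey, ChangePermissions')
    $acl = $root.GetAccessControl()
    $acl.AddAccessRule($rule)
    $root.SetAccessControl($acl)

    # Step 15 (CTX212784): DWORD inside the loaded hive. The value name is
    # spelled "Intialized" in the article and is kept as written.
    $wfshell = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        "$Mount\Software\Citrix\WFSHELL")
    $wfshell.SetValue('SpecialFoldersIntialized', 1,
        [Microsoft.Win32.RegistryValueKind]::DWord)
}
finally {
    # Steps 16-17: release every handle first, otherwise the unload is refused.
    if ($null -ne $wfshell) { $wfshell.Close() }
    if ($null -ne $root)    { $root.Close() }
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()

    & reg.exe unload "HKLM\$Mount" | Out-Null
    $unloaded = ($LASTEXITCODE -eq 0)
}

if (-not $unloaded) {
    throw "reg unload failed; HKLM\$Mount is still loaded and the log files are locked."
}

# Step 18: delete the hive log files left next to NTUSER.DAT (hidden, so -Force).
Get-ChildItem -LiteralPath $ProfilePath -Filter 'NTUSER.DAT.LOG*' -File -Force |
    Remove-Item -Force
```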

Redirected Profile Folders

  1. Make sure loopback processing is enabled on your VDAs.
  2. Edit a GPO that applies to all VDA users, including Administrators.
  3. Go to User Configuration\Policies\Windows Settings\Folder Redirection. Right-click Documents, and click Properties.
  4. In the Setting drop down, select Basic.
  5. In the Target folder location drop down, select Redirect to the user’s home directory.
  6. Switch to the Settings tab.
  7. On the Settings tab, uncheck the box next to Grant the user exclusive rights. Click OK. Note: Move the contents to the new location might cause issues in some deployments.
  8. Click Yes to acknowledge this message.
  9. Right-click Desktop and click Properties.
  10. Change the Setting drop-down to Basic.
  11. Change the Target folder location to Redirect to the following location.
  12. In the Root Path box, enter %HOMESHARE%%HOMEPATH%\Desktop. It is critical that this is a UNC path and not a mapped drive. Also, since we’re using home directory variables, all users must have home directories defined in Active Directory.
  13. Switch to the Settings tab.
  14. Uncheck the box next to Grant the user exclusive rights to Desktop and click OK.
  15. Click Yes when prompted that the target is not a UNC path. You get this error because of the variable. It doesn’t affect operations.
  16. Repeat for the following folders:
    • Documents = Redirect to the User’s Home Directory
    • Desktop = %HOMESHARE%%HOMEPATH%\Desktop
    • Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites
    • Downloads = %HOMESHARE%%HOMEPATH%\Downloads
  17. Redirect the following folders but set them to Follow the Documents folder.
    • Pictures
    • Music
    • Videos

Folders not redirected will be synchronized by Citrix Profile Management.

Verify Profile Management

  1. Once Profile Management is configured, log in to a Virtual Delivery Agent and run gpupdate /force.
  2. Log off and log back in.
  3. Go to C:\Windows\System32\LogFiles\UserProfileManager and open the pm.log file. Look in the log for logon and logoff events.
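
To go beyond reading the log by eye, the following PowerShell measures how long each logoff spends writing the pending area back to the user store and which folder accounts for most of the files touched. It is an added example, not part of the original article; the line layout and message texts are assumed from the pm.log excerpts quoted in the comments on this page (the per-file lines appeared there after all logging options were enabled), and the sample lines are constructed.

```powershell
# Added example: summarise logoff write-back from a Profile Management log.
# Assumed line layout: date;time;level;user;session;thread;message
$Path = 'C:\Windows\System32\LogFiles\UserProfileManager\pm.log'

# Constructed sample lines, used only when $Path does not exist on this machine.
$Sample = @(
    '2015-11-10;16:39:36.331;INFORMATION;user1;22;12932;ProcessLogoff: Starting migrate of pending area to user store.'
    '2015-11-10;16:39:40.100;INFORMATION;user1;22;12932;SetFileTimeAPIWrapper: File \\servername\profiles$\user1\Pending\UPM_Profile\appdata\local\microsoft\windows\inetcookies\Low\A1.txt Time is set.'
    '2015-11-10;16:39:40.115;INFORMATION;user1;22;12932;SetFileTimeAPIWrapper: File \\servername\profiles$\user1\Pending\UPM_Profile\appdata\local\microsoft\windows\inetcookies\Low\A2.txt Time is set.'
    '2015-11-10;16:39:41.002;INFORMATION;user1;22;12932;SetFileTimeAPIWrapper: File \\servername\profiles$\user1\Pending\UPM_Profile\appdata\roaming\app\settings.ini Time is set.'
    '2015-11-10;16:40:43.512;INFORMATION;user1;22;12932;ProcessLogoff: Migrate of pending area to user store complete.'
    'this line is malformed and is skipped'
)

function Get-UpmLogoffSummary {
    param([string[]]$Line)

    # Anything between the level and the two numeric ids is treated as the user field.
    $linePattern = '^(\d{4}-\d\d-\d\d);(\d\d:\d\d:\d\d\.\d{3});(\w+);(.*?);(\d+);(\d+);(.*)$'
    $open = @{}    # "user|session" -> state of a logoff that has started

    foreach ($entry in $Line) {
        if ($entry -notmatch $linePattern) { continue }    # wrapped or malformed line
        $user, $session, $msg = $Matches[4], $Matches[5], $Matches[7]
        $stamp = [datetime]::ParseExact("$($Matches[1]) $($Matches[2])",
            'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        $key = "$user|$session"

        if ($msg -like 'ProcessLogoff: Starting migrate of pending area*') {
            $open[$key] = @{ Start = $stamp; Files = 0; Folders = @{} }
        }
        elseif (-not $open.ContainsKey($key)) {
            continue    # not inside a logoff write-back window
        }
        elseif ($msg -match '^SetFileTimeAPIWrapper: File (.+) Time is set\.$') {
            # Count the file against its parent folder.
            $file   = $Matches[1]
            $cut    = $file.LastIndexOf('\')
            $folder = if ($cut -gt 0) { $file.Substring(0, $cut) } else { $file }
            $state  = $open[$key]
            $state.Files++
            $state.Folders[$folder] = 1 + [int]$state.Folders[$folder]
        }
        elseif ($msg -like 'ProcessLogoff: Migrate of pending area to user store complete*') {
            $state   = $open[$key]
            $busiest = $state.Folders.GetEnumerator() |
                Sort-Object -Property Value -Descending | Select-Object -First 1
            [pscustomobject]@{
                User          = $user
                Session       = $session
                Started       = $state.Start
                Seconds       = [math]::Round(($stamp - $state.Start).TotalSeconds, 3)
                FilesTouched  = $state.Files
                BusiestFolder = if ($busiest) { $busiest.Key } else { '' }
            }
            $open.Remove($key)
        }
    }

    # A start entry with no matching completion usually means the log was cut off
    # or the session ended before the write-back finished.
    foreach ($pending in $open.Keys) {
        Write-Warning "No completion entry found for logoff of $pending"
    }
}

$lines = if (Test-Path -LiteralPath $Path) { Get-Content -LiteralPath $Path } else { $Sample }
Get-UpmLogoffSummary -Line $lines |
    Sort-Object -Property Seconds -Descending |
    Format-Table -AutoSize
```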

Profile Management Troubleshooting

UPM Troubleshooter

Citrix Blog Post – UPM Troubleshooter: UPM Troubleshooter is a standalone Windows application that examines a live Profile Management-enabled system in a single click. It shows the Profile Management configuration and the Citrix products installed, can collect and send the logs, and includes a system utilities dashboard for analyzing the issue. See the blog post for more details.

Profile Management Configuration Check Tool

UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines whether it is optimally configured. UPMConfigCheck is designed to verify that Profile management has been configured optimally for the environment in which it is being run, taking into account:

  • Hypervisor Detection – The presence or absence of supported hypervisors (for example, Citrix XenServer, VMware vSphere, or Microsoft Hyper-V)
  • Provisioning Detection – The presence or absence of a supported machine-provisioning solution (for example, Machine Creation Services or Provisioning Services)
  • XenApp or XenDesktop – Whether it is running in a XenApp or a XenDesktop environment
  • User Store – Determines that the expanded Path to User Store exists.
  • WinLogon Hooking Test – Verifies that Profile management is correctly hooked into WinLogon processing. This test is for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and requires the user running the Configuration Check Tool to have permission to access the relevant registry keys, or an error may be returned.
  • Verify Personal vDisk enabled / disabled – Whether the Personal vDisk feature of XenDesktop is enabled
  • Miscellaneous – Other factors that it is able to determine through registry or WMI queries, such as whether the computer running Profile management is a laptop

Profile Size

Sacha Thomet at Monitor you Profile directories has a script that displays the size of profiles in a profile share.

Log Parser

CTX123005 Citrix UPM Log Parser

View Log Files using Excel

CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

1,048 thoughts on “Citrix Profile Management 2203”

  1. We run IE heavily as published app. We’re running into the webcache / cookie issues. Can’t pin down issue entirely but long story short many times there are files under the Cookies and WebCache folders that are locked by UPM and cannot be deleted. The handle count for userprofilemanager was also going through the roof. We are currently running a private hotfix from Citrix that is supposed to fix the handle issue but still have random locking issues. This seemed to start w/ IE11. My question is that can having both AppData\Roaming\Microsoft\Windows\Cookies [mirrored] and AppData\Roaming\Microsoft folder synced cause issues?

    Mirrored folders:

    Synced folder

    1. Don’t know. You’re welcome to revert the config to the defaults and see if that improves anything.

      The recent locking issues only seem to happen after Windows Updates in February.

      1. Hi Carl! Please, I need your help. I’m not sure if you have seen this before. I have Office365 and we use Outlook OWA. For a few days now the send button will not work and sometimes you can’t attach. Everything else works. So I have been doing some troubleshooting and I was able to isolate it to just 2012 servers with Profile Management. On 2008 R2 servers everything seems to work fine, even though I have the same VDA version and UPM installed. (I run UPM 5.6.) So I was able to narrow this down to the 2012 servers. When I disable the Profile Management service on the 2012 server the send button works; when I enable it, no-go. It was working up till last week, no change, nothing. The workaround I have for now is to enable InPrivate browsing for that.

    2. Hi George, I am having the exact same issue on a heavy IE app. Recently updated IE11 and patches. I updated to UPM 5.4, still the same issue. Looking at the UPM log I am seeing tons of lock file errors AppData\Roaming\Microsoft\Protect… This issue is killing me

    1. Of course. I personally prefer Microsoft’s implementation but you’re welcome to use Citrix’s instead.

  2. Impressive blog, Carl, thanks for sharing all your deep knowledge to us!

    We have been implementing the latest version of UPM 5.4 in our Windows 10 (1511) environment, including all inclusions & exclusions you listed here.
    What happens on every logoff is that the file type associations for the browser are being reset, which makes it impossible for a user to install a new browser and make it the default one. Anyone any idea what is wrong?

    OS: Windows 10 (1511) – All latest patches
    UPM: 5.4
    Policy Template: 5.4
    Exclusion & Inclusion list: as described in this blog

      1. If I set the GPO & the user changes the default browser within the running session, wouldn’t it reset the settings during the next login and set the browser you defined in the .txt or .xml?

        1. Yes. Maybe you can figure out where the settings are stored in the registry/profile, on logoff export the settings, on logon import the settings.

          1. Brilliant, thanks!
            Will definitely give it a try and let you know if I can find anything in the registry.

  3. Anyone have thoughts on this situation?

    I want to have 4 different user profile stores. I want to divide the Citrix users between these 4 different stores. I thought I could create 4 different AD groups, put 250 users per group. Then create 4 different GPOs, each pointing to a different user store and using the Security Filtering of the GPO, assign each AD group. I just cannot seem to get this off the ground.
    I created 1 AD group, put my 1 test account in it, linked at both the Users and the Servers OU (where my test account, test AD group and test Citrix server reside).
    It has to do with the Security Filtering. For whatever reason if I put Authenticated Users in the Security Filter it will create a profile folder out in UserStore1. But if I assign one of the AD groups, it only creates a local profile on one of the Citrix servers.

    Thanks in advance

    1. Or maybe the better way to ask this is….
      If I have 1,000 users all using the same Citrix servers but I want to send users 1-250 to UserProfileStore1 and 251-500 to UserProfileStore2 and 501-750 to UserProfileStore3 and 751-1000 to UserProfileStore4….what is the best way to do that with GPO?

        1. Thank you very much Carl, a lot of good information in those links I am sifting through. I am testing today.

    2. UPM Profile Store is a Computer Setting, not a User Setting. You’ll need DFS and AD attributes.

  4. Hi Carl;
    In a UPM path like the one below, is there a language variable it will accept? \\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_OSBITNESS!
    Thanks in advance…

    1. I don’t think there’s a Citrix variable for language. But you can use any environment variable or AD attribute.

  5. Very detailed thanks
    But Appdata\Local is still synchronized despite being excluded and redirected.

    Any ideas?

    1. You can’t redirect AppData\Local.

      The default exclusions don’t exclude AppData\Local. You might have configured it yourself. If you did that after the profiles are created, then you’ll have to manually remove the content from the existing roaming profiles.

  6. Great article Carl

    Just to clarify and clear up my confusion. Can you confirm if Citrix Profile Manager 5.4 does support Windows 10 without issue?

    It seems that XenDesktop 7.7 and XenDesktop 7.8 releases do not include a newer version. So is it the case that XenDesktop 7.7 enabled CPM 5.4 to work with Windows 10? Therefore if running 7.7 or 7.8 then Windows 10 profile management is fine but if running 7.6 then no Windows 10 Support?

    Sorry if this has already been confirmed


    1. Yes, 5.4 is a release specifically for Windows 10.

      7.8 VDA does include 5.4. 7.7 does not.

      7.6.300 does support Windows 10 with UPM 5.4. However, Windows 10 support is not included in the LTSR support statement. This is more of a long term support statement than whether it works or not. Citrix had to release some hotfixes for VDA 7.6.300 to get it to work on newer releases of Windows 10. These hotfixes are included in VDA 7.8.

        1. Oops. 🙂 Thanks for noticing. When 7.6.300 was released Windows 10 was not supported with UPM. Then they later released 5.4, which added support for Windows 10.

  7. Hi Carl, I have a Citrix Xenapp 6 farm with around 150 physical servers. I want to know if we can upgrade UPM to 5.4 from current 5.1.

    1. Yes. It should upgrade without issue. Just install the newer service. If you look in the UPMPolicyDefaults.ini file the default exclusions have changed so you might need to copy them to your GPO.

  8. Carl, in Windows 10 VDI I cannot seem to get rid of the sync icon in the systray. I have disabled sync in the GPO, Computer Configuration/ Administrative Templates/Windows Components/Sync your settings, do not sync ENABLED. Is there another place to kill the icon from the systray?

      1. Folder redirection is enabled for Documents, Desktop and Favorites, UPM 5.4. Computer Config > Policies > Admin Templates > Network > Offline Files > Allow or disallow use of the Offline Files feature, DISABLED, strangely enough after a couple of reboots of the vdi, it seems to be gone now.

  9. Hi Carl,

    We have updated the Exclusions of Directories as suggested here. Users are looking for their Personalization to be retained in Outlook, such as Font settings view settings, Dictionary additions etc. Since we are excluding Outlook folder, I hope they are not getting retained in Profile.

    Is it worth removing the Outlook folder from the exclusion directories list? Or are we able to include only the Outlook personalization?

    Thanks in advance !

    1. I think the default exclusion is AppData\Local. The settings you describe should be in AppData\Roaming or in the user’s registry. If you find one that’s actually in AppData\Local, let me know.

      1. I just searched and got to know that the Custom Dictionary settings are saved in Roaming\Microsoft\Uproof. Is this excluded by default? I don’t see it in our exclusion list. Anyway, I can add this to the inclusion list to fix the issue.

        Now I am looking for the folder or file which holds the user’s customized View/Font settings. Please let me know if you this detail

  10. Carl,

    Thanks for this great article. One question: why do you use an ADMX if all settings can be done in the Citrix portion of a GPO? Is that not working in a GPO? I never tried it this way. And having trouble getting it working, I’m (trying) setting up UPM at the moment in the Unfiltered policy in a GPO attached to the OU with my Pooled Desktops. I used the ADM in previous versions and that worked OK, but thought to use the Citrix part in GPO now.


    1. If you use Studio to create the policy then it’s difficult to move the settings to a different farm later.

      Configuring Profile Management using Citrix Policies in a GPO introduces additional complexity (more potential failure points) for no benefit.

      1. thanks for the quick reply

        I was (trying) using the Citrix settings as we can’t manage GPOs ourselves (add, delete etc. incl. adding ADMX) because of the delegation of control. So I thought I’d use the Citrix settings but in a GPO. So a bit of bad of both worlds 😉
        I will try the ADMX file and will persuade the AD managers to add it to the central store.


  11. Hi,

    I have some users with roaming profiles on server A: \\serverA\ctxuserprof\username\

    I also have parallel UPM users with different folder path on Server B: \\serverB\userprofil\username\UPM\

    How do I migrate existing roaming profiles from ServerA to ServerB and convert to profile structure in use on Server B?


    1. Are ServerA profiles Microsoft profiles? If so, make sure the users are configured with the Microsoft path. Then have the users log into a UPM machine and the profile will be converted automatically.

        1. Works great Carl, after enabling “migrate roaming” profiles in group policy.
          Any idea if same is possible for “AppData” profiles?

  12. Hi Carl,

    Thank you very much for updating your articles with 7.7 release! It is very useful. My question: does CPM 5.4 officially support Windows 10 or not? Which version shall I use for implementing W10? I was not able to find this information.

    Thank you for the answer!

  13. Dear Carl,

    the Citrix Virtual Desktop Handbook mentions a profile called “Hybrid profile”. Citrix states “Hybrid profiles combine a robust profile core (a mandatory profile or a local default profile) with user specific registry keys or files that are merged during logon.”. I think I know what Citrix wants to achieve with hybrid profiles, but I’m unsure how to configure this.
    Did you ever have to deal with this type of profile? Do you know how this is implemented?


    1. This is the basis for various 3rd party UEM products like AppSense, ProfileUnity, Microsoft UE-V, etc. The disadvantage of this approach is the additional management effort to define the rules that dictate what is saved or not saved. In larger environments you practically have to dedicate a FTE to manage it. Citrix Consulting used to have a hybrid profile offering but then they bought UPM and now there’s less need for it.

      1. Citrix states that UPM itself is also a “Hybrid Profile solution” and is even often recommended (in their virtual desktop handbook).
        So I was wondering how to manage this Hybrid Profile within UPM.

  14. Followed this and it worked perfectly without issues for about 2 weeks. Now for some reason the user’s session printers either do not map or drop their mapping after connection. The spooler on the server is fine and others on the same server don’t have issues, it only affects certain people (but not all the time).

    I currently have the Citrix Policy for Printers set to “Held in profile only if not saved on client”. Do I need to sync or exclude any folders/files?

    I have logging enabled (as your article states) on the UPM, What can I be looking for to help resolve the issue.

  15. Hi Carl, many thanks for a great article.

    One thing that is slightly confusing, in the NTFS permissions section you say to give CREATOR OWNER Full Control permissions but in the graphic showing the Advanced Security Settings for ctxprofiles it shows CREATOR OWNER as having Modify permissions not Full Control. Which one is correct? Also, it would be great if the Advanced Security Settings graphic showed the Applies to column on the right hand side for easier reference.

    1. Thanks for catching that. I can see how that would be confusing. Not sure what I was thinking. Hopefully it’s better now.

  16. Hi Carl

    Great article. We are building a 7.6 environment parallel to our production version 5 Farm on Windows 2003.

    If we go ahead and do this before we move users to 7.6, do we need to be cautious of affecting our old production Farm?

    Thank You


    1. If you don’t install the service on the old farm then nothing will happen on the old farm. Also, profile migration does not affect the old profile. Not that it matters since they are different operating system versions which means the profiles are different.

  17. Hey Carl, I’ve got a quick question for you. I’ve got a UPM 5.4 setup that was upgraded from 5.2. Both with 5.2 and 5.4, I’ve got logon and logoff times of >45 seconds, when I know all of the VM’s are capable of MUCH better times. Without UPM enabled, logon times are <10 seconds. The back end ESX hosts and storage are very capable.

    I have folder redirection enabled via standard Windows / AD group policy for Desktop/Documents/Downloads. Everything else is in UPM. This behavior exists with or without streaming and active writeback enabled…

    Any ideas?

  18. Hi Carl,

    I wonder if there is a best practice for excluding the license folder of Office in Office 365 (2016) deployments. “%localappdata%\Microsoft\Office\16.0\Licensing”.
    If we don’t exclude this folder we sometimes get the error “Sorry, we cannot verify the license currently installed for this product…” when opening Office 2016

    Kind Regards

      1. Hi Carl,

        Thanks for the link.
        On that page I find the following text:
        “And important to remember that the Shared Computer support token is bound to the machine, so we cannot roam that token around computers or using any profile management tool.”

        So I conclude it’s best to exclude the Licensing folder from Roaming:
        for Office 2013: %localappdata%\Microsoft\Office\15.0\Licensing
        for Office 2016: %localappdata%\Microsoft\Office\16.0\Licensing

        Kind Regards

  19. Hi Carl, I have a strange problem regarding roaming profiles in a provisioned XD 7.7 Windows 10 environment. I’ve implemented roaming profiles and folder redirection. Somehow on the second login the Start menu does not work any more. I have excluded usrclass.dat* but if you do a left click on Start nothing happens. It just does not open. Do you have any ideas? Any help would be highly appreciated. Thanks! m.

  20. I am amazed at the amount of Citrix information you put together. Excellent job and I follow all your recommendations.

    My question is regarding permissions on the Log file location. I have the logs (via GPO) being redirected to \\Server\CTX\Profiles\Logs. Everything else is set up as in your document above. I can’t get the logs to show up in that location and was wondering if it’s a permissions issue on the Share/NTFS. What account is used to create the logs and access the share? Since it’s going to the same path as \\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_OSBITNESS! could that be causing any issues?

  21. Awesome article Carl!

    I was wondering if you know if Citrix has a list of predefined variables like !CTX_OSBITNESS!? I have long been looking for such a list.
    One variable that we would benefit from is to get the name or id of a delivery group, to only use one Citrix Policy to separate the profiles from different delivery groups.

    1. I’m not sure. Another option is to add an environment variable to your master image and use that variable in your profile path: %MyVar%

  22. Hey Carl… Love your website…!!! 🙂
    We have an issue wrt to UPM. Outlook signatures are not retained in central store. On investigation, we found that local profiles are not unloading, NTuser.dat seem to be locked. We are also unable to clear local profiles using delprof2 or manually deleting, file is in use… I think ‘cos of this, the changes are not writing back to central store.
    There are some folders writing back to the central store. Also, checked AppData\Microsoft\Signatures are not in the Exclusion List – Directories. Even tried to add this path in Folders to Synchronise, no go.
    Environment: W2K12, XA 7.6, UPM 5.2, PVS 7.6.
    Any guidance would be much appreciated. thanks!

    1. You might be able to use Process Explorer (procexp.exe) to determine what process is keeping the profile open. Typically security software (antivirus).

      As a workaround, you could enable Active Write Back. That should write partial updates to the central store.

      1. Thanks for quick reply. Tried to enable Active Write Back, no go. Have Trend Micro AV. Will try Process Explorer… Anything else you feel could be missing from UPM GPO perspective?

        1. The default exclusions will save the signature.

          You’ll need to troubleshoot why the profile hive won’t unload.

  23. Thanks a lot Carl for your fantastic post. Please, I just have one issue we are facing: we have XenApp 7.6 on top of VMware vSphere 6.0 infrastructure, and we are facing a problem where users end up with multiple profiles created locally on the XenApp servers. Profile 1 for example is the username, profile 2 is the username.domainname or username.domainname.000, … We are using Server 2012 R2 for the XenApp 7.6, which is using latest VDA 7.6.3 agents. Please can you help us? Thanks in advance.

    1. What is left over in the profiles that aren’t getting deleted?

      When you installed VMware Tools, did you choose “Typical” instead of “Complete”? The Shared Folders feature will prevent roaming profiles from deleting.

  24. Thanks a lot Carl. This article is too good and very well documented. I actually followed step by step and have it successfully implemented in my environment.

  25. We are using Xenapp 7.6.
    Logoff time for several users takes very long.

    I saw this time gap in the log >
    2015-11-10;16:39:36.331;INFORMATION;username 22;12932;ProcessLogoff: Starting migrate of pending area to user store.
    2015-11-10;16:40:43.512;INFORMATION;usernname;22;12932;ProcessLogoff: Migrate of pending area to user store complete.

    any ideas?

      1. Or is it actually writing tons of data to the file share? You can enable more logging to see what files are actually being copied.

        Also verify the performance of the file server. Sometimes you can copy folders to/from the server and see if fast or slow.

        1. Hi Carl,
          Active Write Back was already disabled. I enabled all the logging options this morning, I hope to see more now. Already thx for this tip. Regards.

          1. Hi Carl,

            I saw this too much I think… those lines were coming 50 seconds…

            2015-11-20;13:34:21.630;INFORMATION;username;6;31392;SetFileTimeAPIWrapper: File \\servername\profiles$\username\Pending\UPM_Profile\appdata\local\microsoft\windows\inetcookies\Low\1CZ7E7JY.txt Time is set.
            2015-11-20;13:34:21.630;INFORMATION;username;6;31392;SetFileTimeAPIWrapper: File \\servername\profiles$\username\Pending\UPM_Profile\appdata\local\microsoft\windows\inetcookies\Low\1D0BOXCQ.txt Time is set.
            2015-11-20;13:34:21.645;INFORMATION;username;6;31392;SetFileTimeAPIWrapper: File \\servername\profiles$\username\Pending\UPM_Profile\appdata\local\microsoft\windows\inetcookies\Low\1D123ZU8.txt Time is set.

            I need to exclude them?

          2. Are you sure Active Write Back is disabled? It’s on by default.

            Once the user logs off, is the Pending area empty? If not, try deleting the files from Pending and see if there’s any improvement?

          3. Hello Frederik/Carl

            I see the same gap in my logging. it takes about 38 sec between starting and complete the migration of the user store. Active Write Back is disabled, nothing in the pending folder. The file server is not the problem.
            If there is no way to speed it up, the users could live with the fact that the logoff is running in the background. Now they see the logoff screen for more than 1 minute. If I could hide that screen, that would be a workaround.

  26. Hi Carl, I have a strange problem: I get the log from the Citrix Profile Management for the golden image, but it doesn’t get generated from the XenApp servers 7.6. The UNC path has everyone with full control, and the golden image and the XenApp servers are on the same OU.

    1. Domain Computers needs write permission to the share and folder.

      Did you check HKLM\Software\Policies\Citrix\UserProfileManager to ensure the policies applied?

      1. Path to the logs is in the registries, still no log is generated. On the share everyone has full control; now I’ve put everyone also on the NTFS permissions with read, write and execute.

  27. One more thing, it’s best to use built-in CPM variables to get compatibility across different OS.


    Exclusion list – directories:

    !ctx_localsettings!\Chromium\User Data\Default\Cache
    !ctx_localsettings!\Chromium\User Data\Default\Cached Theme Images
    !ctx_localsettings!\Chromium\User Data\Default\JumpListIcons
    !ctx_localsettings!\Chromium\User Data\Default\JumpListIconsOld
    !ctx_localsettings!\Google\Chrome\User Data\Default\Cache
    !ctx_localsettings!\Google\Chrome\User Data\Default\Cached Theme Images
    !ctx_localsettings!\Google\Chrome\User Data\Default\JumpListIcons
    !ctx_localsettings!\Google\Chrome\User Data\Default\JumpListIconsOld
    !ctx_localsettings!\Microsoft\Device Metadata
    !ctx_localsettings!\Microsoft\Internet Explorer\DOMStore
    !ctx_localsettings!\Microsoft\Internet Explorer\Recovery
    !ctx_localsettings!\Microsoft\Media Player
    !ctx_localsettings!\Microsoft\Terminal Server Client
    !ctx_localsettings!\Microsoft\Windows Live
    !ctx_localsettings!\Microsoft\Windows Live Contacts
    !ctx_localsettings!\Microsoft\Windows Mail
    !ctx_localsettings!\Microsoft\Windows Media
    !ctx_localsettings!\Microsoft\Windows Side Bar
    !ctx_localsettings!\Microsoft\Windows\Application Shortcuts
    !ctx_localsettings!\Microsoft\Windows\CD Burning
    !ctx_localsettings!\Mozilla Firefox
    !ctx_localsettings!\Windows Live
    !ctx_roamingappdata!\Adobe\Acrobat\Distiller 10
    !ctx_roamingappdata!\Adobe\Flash Player\AssetCache
    !ctx_roamingappdata!\Advent Software, Inc
    !ctx_roamingappdata!\Macromedia\Flash Player\#SharedObjects
    !ctx_roamingappdata!\Macromedia\Flash Player\\support\flashplayer\sys
    !ctx_roamingappdata!\Microsoft Office\Live Meeting 8
    !ctx_roamingappdata!\Microsoft Shared\LiveMeeting Shared
    !ctx_roamingappdata!\Microsoft\Internet Explorer\UserData

    Directories to synchronize:
    !ctx_localsettings!\Microsoft\Feeds Cache

    Folder to Mirror:

    Files to synchronize:
    !ctx_localsettings!Low\Apple Computer\QuickTime\QuickTime.qtp

    1. True. But this should only be an issue for XP/2003, which I’m hoping nobody is deploying anymore. I’ve not seen any changes coming in future versions of Windows.

  28. Carl, your blog is fantastic and has provided me with invaluable information as I deploy a 7.6 environment for the first time. There’s still one area that I’m having some difficulty with involving profiles that I’m having trouble with, however.

    I want to have roaming profiles also utilizing folder redirections and lock down the Win 2012 R2 environment and so far, so good. But then I want to customize the Start Tiles and apps that can be seen by end users based on what they should have access to – in other words, end users don’t need to see Administrative Tools, so I want that hidden from them. Only a subset of users need to see an app like Adobe Captivate or maybe even Publisher, so for those who have access I’d like them to see it, perhaps even have a tile already on the start menu for them, but for those who shouldn’t have access, they shouldn’t be aware that it exists on the server.

    And finally, I’d like to still have the end users have the ability to add or remove or customize their own tiles/desktop after they’ve seen my default set up if they choose to do so – just so long as it doesn’t involve the stuff I’ve decided they shouldn’t have access to in the first place.

    I’ve managed to come up with scenarios to do pieces of this, but never ALL of this, and in some cases it seems like it is one or the other. If I enable the GPO setting, “Remove Common Program Groups from Start Menu” then I lose what I actually want them to have access to. If I enable Citrix Profile Management while utilizing roaming profiles, I lose the ability for them to be able to right-click and add tiles to their start screen.

    I know I’m probably not trying to invent the wheel here, but I can’t seem to find any good guidance on how to effectively manage end user profiles and default settings in the way that I’m attempting to do.

    Any advice? (Please and thanks in advance!)

        1. AppSense certainly has many more knobs than Citrix Profile Management. James Rankin tries to provide procedures independent of the particular UEM technology.

    1. Depends on what you’ve built. Backup the databases. Backup the profiles. If using MCS or PvS, backup the master images. If using full persistent machines, then backup each persistent machine. Backup the NetScaler configs, certs, and customizations. Document the entire configuration (see Carl Webster’s scripts). Everything else can be rebuilt.

  29. Great article, Carl!
    I’m just trying to find the reason why I should use CPM with Mandatory Template over Microsoft Mandatory Profiles. Could you please explain some benefits?

    1. No need to worry about .v2 (or .v3/.v4/.v5) so it might work on multiple OS. Haven’t tried it yet. Otherwise there’s probably not much difference.

      1. Thanks, Carl.
        Currently using XenApp 7.6 on Windows Server 2012 R2. Mandatory profiles is the best option for our environment. Unfortunately it’s very unclear how to make the right choice. If multiple OS support is the only benefit I’d better stick to the Microsoft way.

        1. Can’t create Mandatory profile from template domain user. Getting access denied error on login with temp profile. Checked everything: share, file system, registry rights are OK.

      2. Hi Carl

        There is a problem with Microsoft Mandatory Profile (local profile and roaming profile works fine). On Windows Server 2012 R2 Remote Assistance fails with misleading error: There was a problem starting Remote Assistance – Remote Assistance is unavailable for the current user account. If you are using a Windows Guest account, try logging in with another account. If you are not using a Guest account, try restarting your machine. For Windows Server 2008 R2 I found (had no time to test it yet). Googling found some regedit workaround to change profile state and it works: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\\State (REG_DWORD) = 0.
        Citrix Profile Management is the way to go because Template Profile type is local.

        1. UEM tools like VMware User Environment Management and AppSense have a user certificates option that changes this key automatically.

  30. Hi Carl, I recommend enabling a delay before deleting the locally cached profiles. This ensures there is no timing issue with that process. Citrix recommends a 60 second delay.

    1. The default used to be 5 minutes. However, it’s quite annoying when you’re logging in and out and testing profile restore or need to delete a user’s profile because you have to wait for the delay to expire before deleting the user’s central profile or logging back in.

  31. Dear Carl,

    You’re doing a great job! Thank you for all this detailed information. Keep going!

    Do you have any suggestions on the handling of unauthenticated users and their “profiles”? Have you been in this situation? Any tips or hints?

      1. Yes, I mean anonymous users. Thanks, I already read this article and it helped me a lot.
        But when I do an anonymous logon it seems like the profile is newly created every time (the typical “first time logon behaviour”).
        Should I edit the default profile? Or is it possible to create a mandatory profile for the anonymous users?

        1. I think anonymous users are essentially Guest accounts, which means their profile is deleted at logoff. I wonder if you can point their Profile Path to a “Template Profile” of some sort. The local accounts have a Profile tab so I assume you can point them to a local template profile folder (or remote if permissions allow it).

  32. Hi Carl,

    When using Folder Redirection, I have noticed at the root of my Home Directory share (\\server\HomeShareRoot) I see not only the correct subdirectory (based on the login username) but a row of folders all called Documents as well.

    Are these folders supposed to be there? Each one represents what looks like a symbolic link to the actual folder itself (\\Server\HomeShareRoot\Username).

    If I examine the security permissions, each Documents folder is exclusive to the user.

    I am not sure if I am doubling up the consumption of disk space as well.

    From an end user’s point of view, everything is being presented correctly. When you check the path to Documents from the user’s Desktop (Server 2012 R2), the path is correct.

      1. Carl,

        You have just saved my bacon again!

        I ended up using the File Screen option, targeting the actual share itself.

        The only drawback I could find is that I cannot delete the folder (rename, content delete at a level below the root works though).

        I guess it is due to the hidden Desktop.ini file. Changing the view setting to see Hidden files does not allow me to see the file.

  33. Carl,

    Are there any other exclusions you can recommend? I built an environment per your whole website and it’s running terrific. However I’m just worried about profile bloat. I logged a user in and out quite a few times. Each time launching all their usual programs and surfing around the web. Here is where I’m at on profile size.

    (53.5MB and 362 files)

    Here are some exclusions I added.

    AppData\Local\Microsoft\Windows Mail
    AppData\Local\Microsoft\Windows Media
    AppData\Local\Microsoft\Media Player
    AppData\Local\Microsoft\Feeds Cache

    1. CPM is a set-it-and-forget-it product and thus has minimal exclusions so you don’t have to spend much time tweaking it. If Profile Streaming is enabled then it should only download actively accessed content.

      If profiles are too large, you are welcome to add exclusions to the CPM GPO. Note that adding exclusions will not delete existing content in the profile share. Also, exclusions tend to be app dependent.

      If you have time to exert more control over profile size, look to one of the UEM products like AppSense.

  34. Carl, I’m curious why you’re opting for GP over Studio settings. Specifically, have you found a reason to use folder redirection rather than having profile management handle that? Have heard of many successes not using folder redirection extension.

    1. I can’t think of any reason why I should be using Citrix’s instead of Microsoft’s. And I’ve seen some issues reported at

      1. According to escalation engineer, while GPO is supported, Citrix “Fully tests” policies within Studio…(awkward silence implying they don’t fully test the same in GPO)

    2. As for GP over Studio, I typically need to build multiple sites/farms and Studio policies are separately managed in every farm. It’s much easier to create a GPO that applies to multiple sites/farms.

  35. Hi Carl,

    I have implemented Folder Redirection via MS GPO as per your documentation.

    Do I need to exclude these same Redirected Folders in UPM as well?

    If so, do I do this under:-

    Computer Configuration>Policies>Administrative Templates>Citrix>Profile Management>File System>Exclusion list – directories

    Can you provide a guide to any special syntax requirements at the same time?


  36. Hi Carl,

    Would you recommend folder redirecting Appdata or keeping CPM handle it with recommended exclusions? In case Outlook was default installed without customization to automatically add the user account settings, the user by CPM defaults would always be asked for that information after logoff/logon. Would including Appdata Office in directory inclusions in CPM solve the issue? If not, would redirecting Appdata by default do the trick?

    Thanks.

    1. I usually don’t redirect AppData and instead let CPM handle it. I’ve seen too many performance problems when redirecting AppData.

      Do you have a .prf Outlook script configured somewhere? I’ve seen older versions of Outlook store the install time in the registry and if the user roams to a machine with a different install time then Outlook resets itself.

    2. Outlook profile is stored in the registry under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles. CPM should be saving HKCU by default.

  37. Thanks Carl. Quick question; I have users with roaming profiles set at the user account attribute level in AD. I know UPM can migrate roaming profiles, but I don’t understand if it then somehow clears the AD attribute or overrides it?

    Also, I don’t want users yet to come off the roaming profiles, so ideally would like UPM to work in Citrix and Roaming, when they are on their desktops. Is this possible?

    1. If CPM is enabled on the device and if CPM detects that the user already has a CPM profile then it will use that profile and ignore whatever’s configured in AD. It only converts the AD profile if a CPM profile doesn’t exist.

  38. Awesome articles Carl!

    I came to this section of your website looking for recommended “Registry” exclusions for CPM.

    I’ve come across an issue where some user GPO settings are being saved in the ntuser.dat file, which are not desired on some endpoints that use the profile management – eg. hiding volume letters on VDAs, but would prefer to see drive letters on physical machines.

    In this instance, does it make sense that I exclude some registry paths from being saved in the profile? In this example I would exclude HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer from being saved to prevent this setting from roaming.

    Any advice would be appreciated!

    1. Do you have Loopback Processing enabled in the GPOs? You can configure the GPO for Citrix to hide the drives and configure the GPO for PCs to unhide the drives. There is also a setting at Computer Config > Policies > Admin Templates > System > Group Policy > Registry Policy Processing that you can configure to force GPOs to reapply at every logon.

  39. Just discovered your website!

    Fantastic information here Carl. This is making my life just that little bit easier now.

  40. Excellent article Carl – thanks! Have you ever seen an issue where IE 11 on Citrix starts changing the . in extensions to an underscore? (test.pdf becomes test_pdf and thus won’t open) It’s an intermittent problem I’m having and I’m wondering if I have something configured wrong in Profile Management.

    1. Does the problem happen realtime? Or only after the user logs off? Is Active Write Back disabled?

      IE Protected Mode disabled? Save encrypted pages to disk enabled? Try running procmon.

      1. Yes it happens realtime. Active Write back is disabled, Do not save encrypted pages to disk is not checked so I guess it’s enabled.

        IE Enhanced Protected Mode is not enabled. Protected Mode is enabled but the website is a Trusted Site in IE so that Zone in IE doesn’t have Protected Mode. Should I disable Protected Mode globally (and disable the annoying banner)?

        I’ll try procmon. So if I have a user that it already happened to click on a PDF link in IE and see what procmon tells me?

  41. Hi Carl, previously we had to exclude the redirected folders from UPM; now UPM documentation says do not exclude. Is this only when configuring redirection through Citrix Policy rather than using GP, or is this a rule of thumb now NOT to exclude redirected folders when configuring UPM?


    1. Older versions of CPM would create local empty versions of redirected folders. The problem has been fixed since one of the 3.x versions. CPM now notices that a folder has been redirected and won’t create an empty version of it in the local profile.

      1. Hi Carl,

        As per Dan on Doing it Right Series, in his latest answers he is saying that Citrix Edocs are not accurate on this point and that redirected folders still need to be added to the exclusion list to avoid orphaned folders that keep bouncing around. Based on my recent implementations I have found that if the redirection is in the same UPM GPO with loopback there is no need for excluding redirected folders; nevertheless, if they are in separate GPOs then they have to be added to exclusions.


  42. Thanks Carl a well written guide for different setup with UPM. What I think is confusing is not the setup of UPM but the licensing of UPM.
    In Citrix Matrix for Citrix XenApp/XenDesktop 7.6: Requirements for UPM – “Integrated Profile management” Advanced, Enterprise Platinum Licensing” The only UPM license FAQ – CTX119747 I can find. Citrix XenApp/XenDesktop is not mentioned in applicable products descriptions. Citrix could have made licensing of UPM easier to understand.

    1. I just assume it’s available for all editions of XenApp/XenDesktop. However, I thought it wasn’t available for XenApp Advanced but the feature matrix seems to indicate that it is.

      1. Thanks for this great article and guide!
        Just one question. Has anyone Outlook Search Index roaming working stable?

        In my case, sometimes it’s working, but most of the time it’s not. I am using Profile Management 1811 on Server 2016 with Office/Outlook 2016. The VHDX-files are getting mounted properly, the OST-cache is created properly. The search index is nearly never created on the first login.
        When the search index is created it will stop later..and is not available for Outlook any more. I can see the eventlog-messages from the source “Outlook” (event id 34 and 35)

        Event ID: 35 – Failed to determine if the store is in the crawl scope (error=0x80004002).
        Event ID: 34 – Failed to get the Crawl Scope Manager with error=0x80004002.

        Citrix Profile management tells me: “The user-based Outlook search roaming feature is enabled.”

        I tried to figure out the issue with the profile checker ( but everything seems to be ok and normal.

        Is there any advice/idea?

        BR, Christian

        1. I have issues with Citrix outlook vhd mount. Had a case opened up for 8 weeks. Then made the decision to switch to fslogix. When I tell you it’s night and day. It’s crazy how fast the logins are and it just works. Switch man. Don’t stay with upm. It’s being phased out soon anyways. With the new release with Citrix profile containers, it will only be a matter of time.
