Citrix Profile Management 1912

Last Modified: Dec 21, 2019 @ 3:13 pm

This article applies to all versions of Profile Management: 1912 LTSR, 1909, 7.15.5000 LTSR, 5.8, 5.7, etc.

💡 = Recently Updated

Planning

Profile Management Versions

Profile Management is included with the installation of Virtual Delivery Agent. For VDAs, to upgrade Profile Management, simply upgrade your VDA software. Here are the currently supported versions of VDA:

Or you can download the individual Profile Management component and install/upgrade it separately from the VDA. You can even install it on non-VDA machines (e.g. PCs accessed by licensed Citrix users).

For LTSR VDAs, for LTSR support compliance, only install the Profile Management version that is included with your VDA installer. Don’t upgrade to a newer Current Release version.

The latest release of Citrix Profile Management is version 1912 LTSR, which can be downloaded from Citrix Virtual Apps and Desktops 7 1912 LTSR. To find it, click Components that are on the product ISO but also packaged separately.

Profile Management Configuration Options

Profile Management consists of a Service (installed on the VDAs), a file share, and configuration settings.

There are four methods of delivering configuration settings to the Citrix Profile Management service:

If a UPM setting is not configured in GPO, Citrix Policy, or WEM, then the default setting in the UPMPolicyDefaults.ini file takes effect. The .ini file is located in C:\Program Files\Citrix\User Profile Manager on every machine that has Profile Management service installed.

Microsoft Group Policy (ADMX file) is probably the most reliable method of delivering configuration settings to the Profile Management services. This method uses the familiar Group Policy registry framework. Just copy the Profile Management ADMX files to PolicyDefinitions and start configuring. The configuration instructions in this article use the GPO ADMX method.

The Citrix Policies configuration method requires Citrix Studio, or Citrix Group Policy Management Plug-in. On the Profile Management service side, only VDAs can read the Citrix Policies settings.

  • Citrix Policies has settings for Folder Redirection. If you use Citrix Policy to configure Folder Redirection, then the Folder Redirection settings only apply to VDAs that can read Citrix Policies. To apply Folder Redirection to more than just VDAs, configure Folder Redirection using normal Microsoft Group Policy as detailed below.
  • If you’re going to use Microsoft Group Policy to configure Folder Redirection, then you might as well use Microsoft Group Policy to also configure Citrix Profile Management.

Citrix Workspace Environment Management can also deliver configuration settings to the Profile Management services. This option requires the WEM Agent to pull down the settings from the WEM Brokers and apply them to Profile Management. It can sometimes be challenging to troubleshoot why WEM is not applying the settings.

Try not to mix configuration options. If you use both WEM and GPO, which one wins?

Multiple Datacenters

For optimum performance, users connecting to Citrix in a particular datacenter should retrieve their roaming profiles from a file server in the same datacenter. If you have Citrix in multiple datacenters, then you will need file servers in each datacenter.

DFS active/active replication of roaming profiles is not supported. This limitation complicates multi-datacenter designs.

For active/active datacenters, split the users such that different users have different home datacenters. Whenever a particular user connects, that user always connects to the same datacenter, and in that datacenter is a file server containing the user’s roaming profile. StoreFront uses Active Directory group membership to determine a user’s home datacenter.

For users that connect to Citrix in multiple datacenters, there are a couple options:

  • The user’s roaming profile is located in only one datacenter – If the user connects to a remote datacenter, then the roaming profile must be transmitted across the WAN. To optimize performance, disable Active Write Back, and make sure Profile Streaming is enabled.
  • The user has separate profiles for each datacenter – There is no replication of profiles between datacenters. This scenario is best for deployments where different applications are hosted in different datacenters.

Disaster Recovery – For disaster recovery scenarios, the user’s roaming profile data (and home directories) must be recovered in a different datacenter. Here are some considerations:

  • Use DFS One-way replication. After the disaster, edit the DFS Namespace folder target to point to the file server in the DR datacenter. You must avoid multi-master DFS replication/namespace.
  • Use VMware SRM or similar to recover the file server in the DR datacenter.
  • A datacenter failover might result in multiple file servers accessed from a single VDA, especially if you have users split across datacenters. Use DFS Namespaces as detailed below.

DFS Namespace

DFS Namespace for central user store – The Citrix Profile Management user store path is a computer-level setting, meaning there can only be one path for every user that logs into a particular VDA. If you have different users with roaming profiles on different file servers, then you must use Active Directory user attributes and DFS namespaces to locate the user’s file server. Here is an overview of the configuration:

  • Create a domain-based DFS namespace with folder targets on different file servers. See Scenario 1 – Basic setup of geographically adjacent user stores and failover clusters at Citrix Docs for more information.
  • Do not enable two-way DFS Replication for the roaming profile shares. But you can do One-way DFS replication. See Scenario 2 – Multiple folder targets and replication at Citrix Docs for more information.
  • Edit each user in Active Directory with a location (l) attribute that matches the DFS folder name.
  • Set the Profile Management user store path to \\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!. This pulls the user’s l attribute from Active Directory and appends that to the DFS share. The folder that matches the attribute value is linked to a file server. For example, if the user’s l attribute is set to Omaha, then the user’s profile will be located at \\corp.local\CtxProfiles\Omaha\user01\Win2016v6. The Omaha folder is linked to a file server in the Omaha datacenter.
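
The path resolution described above can be checked before rollout. The following PowerShell is an added example, not part of the original article or of Citrix's tooling: the function names Resolve-UpmStorePath and Test-UpmStorePath, the sample users and the DFS folder list are constructed for illustration, and the expansion only mimics the substitution the article describes.

```powershell
# Added example (not from the original article): expand a user store path
# template per user and flag users whose attributes would not resolve to one
# of the DFS folders. Function names and all sample data are constructed.

function Resolve-UpmStorePath {
    param(
        [Parameter(Mandatory)] [string]    $Template,
        [Parameter(Mandatory)] [hashtable] $AdAttributes,   # AD attributes, e.g. l, SAMAccountName
        [Parameter(Mandatory)] [hashtable] $CtxVariables,   # e.g. CTX_OSNAME, CTX_PROFILEVER
        [hashtable] $Environment = @{}                      # e.g. username, userdomain
    )
    # Each token style used in the article maps to its own source of values.
    $tokenKinds = @(
        @{ Pattern = '#([^#\\]+)#'; Source = $AdAttributes },
        @{ Pattern = '%([^%\\]+)%'; Source = $Environment  },
        @{ Pattern = '!(CTX_\w+)!'; Source = $CtxVariables }
    )
    $path       = $Template
    $unresolved = @()
    foreach ($kind in $tokenKinds) {
        foreach ($m in [regex]::Matches($Template, $kind.Pattern, 'IgnoreCase')) {
            $value = $kind.Source[$m.Groups[1].Value]
            if ([string]::IsNullOrWhiteSpace($value)) {
                $unresolved += $m.Value      # leave the token in place and report it
            } else {
                $path = $path.Replace($m.Value, [string]$value)
            }
        }
    }
    [pscustomobject]@{ Path = $path; Unresolved = $unresolved }
}

function Test-UpmStorePath {
    param(
        [string]      $Template,
        [hashtable[]] $Users,
        [string[]]    $DfsFolders,
        [hashtable]   $CtxVariables
    )
    foreach ($user in $Users) {
        $result   = Resolve-UpmStorePath -Template $Template -AdAttributes $user -CtxVariables $CtxVariables
        $problems = @()
        if ($result.Unresolved.Count -gt 0) {
            $problems += "empty or missing: $($result.Unresolved -join ', ')"
        }
        # The l attribute has to match a DFS folder name exactly.
        if ($user['l'] -and ($DfsFolders -notcontains $user['l'])) {
            $problems += "no DFS folder named '$($user['l'])'"
        }
        [pscustomobject]@{
            User    = $user['SAMAccountName']
            Path    = $result.Path
            Problem = $problems -join '; '
        }
    }
}

# Template and the Omaha folder are from the article; everything else is constructed.
$template   = '\\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!'
$dfsFolders = 'Omaha', 'Denver'
$ctx        = @{ CTX_OSNAME = 'Win2016'; CTX_PROFILEVER = 'v6' }   # chosen to reproduce Win2016v6
$users = @(
    @{ SAMAccountName = 'user01'; l = 'Omaha'  },   # resolves as in the article
    @{ SAMAccountName = 'user02'; l = ''       },   # attribute never populated
    @{ SAMAccountName = 'user03'; l = 'Omahha' }    # typo, no matching DFS folder
)
# Live data instead of the sample (requires the ActiveDirectory module):
#   $users = Get-ADUser -Filter * -Properties l |
#       ForEach-Object { @{ SAMAccountName = $_.SamAccountName; l = $_.l } }

Test-UpmStorePath -Template $template -Users $users -DfsFolders $dfsFolders -CtxVariables $ctx |
    Format-Table -AutoSize -Wrap
```

Users reported with a non-empty Problem column should be corrected in Active Directory before the GPO is linked.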

Create User Store

This procedure could also be used to create a file share for redirected profile folders.

If you intend to place Citrix Profile Management roaming profiles in the user’s home directory, then there is no need to follow the procedure in this section. Only use this section if you are creating a new file share for storage of the Citrix roaming profiles.

Create and Share the Folder

  1. Make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it CtxProfiles or similar.

  3. Share the folder.
  4. Give Everyone (or some other group that contains all Citrix Users) Full Control (Read/Write). Click Share, and then click Done.
  5. Go to the Properties of the folder.
  6. On the Sharing tab, click Advanced Sharing.
  7. Click Caching.
  8. Select No files or programs. Click OK, and then click Close.

Folder (NTFS) Permissions

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry, and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

Access Based Enumeration

With this setting enabled, users can only see folders to which they have access:

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it. Or perform a refresh.
  3. Right-click the new share and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration.
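
The share, NTFS and access-based enumeration steps above can also be scripted and then verified. This PowerShell is an added example, not part of the original article; the local path D:\CtxProfiles is an assumption, and the script must run elevated on the file server.

```powershell
# Added example (not from the original article): the share, NTFS and
# access-based enumeration steps above as one script, followed by a check.
# $Path and $ShareName are assumed values; adjust them to your file server.
$Path         = 'D:\CtxProfiles'
$ShareName    = 'CtxProfiles'
$UsersGroup   = 'Everyone'     # or a group that contains all Citrix users
$CreatorOwner = '*S-1-3-0'     # well-known SID for CREATOR OWNER

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Share permissions: Full Control for the group, offline caching disabled
# ("No files or programs"), access-based enumeration enabled.
New-SmbShare -Name $ShareName -Path $Path -FullAccess $UsersGroup `
    -CachingMode None -FolderEnumerationMode AccessBased | Out-Null

# NTFS: the group gets Read & execute plus Write on this folder only (no
# inheritance flags), so users can create their own profile folder but the
# entry does not flow down into the profile folders themselves.
icacls $Path /remove:g $UsersGroup | Out-Null
icacls $Path /grant "${UsersGroup}:(RX,W)" | Out-Null

# CREATOR OWNER: Full Control on subfolders and files only, so each user
# ends up with Full Control of the folder they create.
icacls $Path /grant "${CreatorOwner}:(OI)(CI)(IO)(F)" | Out-Null

# --- Verification ---------------------------------------------------------
Get-SmbShare -Name $ShareName |
    Format-List Name, Path, CachingMode, FolderEnumerationMode
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# Entries with IsInherited = True come from the parent folder or volume root.
# The steps above do not change them, so review them in this output.
$acl = Get-Acl -Path $Path
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize

# Flag any explicit entry for the group that would still flow down to
# newly created profile folders.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$groupSid = ([System.Security.Principal.NTAccount]$UsersGroup).Translate($sidType).Value
$flowsDown = $acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.InheritanceFlags -ne 'None' -and
    $_.IdentityReference.Translate($sidType).Value -eq $groupSid
}
if ($flowsDown) {
    Write-Warning "$UsersGroup has an inheritable entry on $Path; set it to 'This folder only'."
}
```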

GPO ADMX Policy Template

  1. You can find the GPO ADMX templates on the main Citrix Virtual Apps and Desktops 1912 ISO in the \x64\ProfileManagement\ADM_Templates\en folder.
    • Or, they are included in the separate Profile Management download in the \Group Policy Templates\en folder.
  2. Copy the file ctxprofile.admx (or ctxprofile7.15.5000.admx) to the clipboard.

  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. If you have an older version of the ctxprofile.admx file in either location, delete it. Note: replacing the .admx file does not affect your existing Profile Management configuration. The template only defines the available settings, not the actual settings.
  5. Go back to the Citrix Profile Management Group Policy Template files.
  6. Copy ctxprofile.adml (or ctxprofile7.15.5000.adml) to the clipboard.

  7. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.
  8. If you have an older version of the ctxprofile.adml file in the en-US folder in either location, delete it.

CitrixBase:

  1. Go up a folder and then open the CitrixBase folder.
  2. In the CitrixBase folder, copy the file CitrixBase.admx to the clipboard.
  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. Go back to the Citrix Profile Management Group Policy Templates and copy CitrixBase.adml to the clipboard.
  5. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.

Group Policy Settings

  1. Edit a GPO that applies to all machines (VDAs) that have the Profile Management service installed.
  2. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management.
    • Note: if you did not install the CitrixBase.admx file, then you can find Profile Management directly under the Administrative Templates node instead of under Citrix Components.
  3. Enable the setting Enable Profile management. Profile Management will not function until this setting is enabled.
  4. If desired, enable the setting Process logons of local administrators.
  5. Enable Path to user store.
  6. Specify the UNC path to the folder share. An example path = \\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!

    1. Profile Versions– Different OS versions have different profile versions. Each profile version only works on specific OS versions. For example, you cannot use a Windows 7 profile (v2) on Windows 10 1607 (v6). The variables in the path above ensure that every unique profile version is stored in a unique folder. If users connect to multiple operating system versions, then users will have multiple profiles.
      1. Windows 10 Profile Versions – Windows 10 has two different profile versions. Windows 10 build 1511 and older use v5 profiles. Windows 10 build 1607 and newer use v6 profiles. v5 and v6 profile versions are incompatible so they should be separated.
      2. Resolved variables – With the example user store path shown above, if the user logs into Windows 2012 R2 RDSH, the profile folder will be \\server\share\user01\Win2012R2v4. If the user logs into 64-bit Windows 10 build 1607, the profile folder will be \\server\share\user01\Win10RS1v6.
      3. Windows 10 v6 vs Windows 2016 v6 – Both Windows 10 (1607 and newer) and Windows Server 2016 use v6 profiles. Do you want to use the same profile for both platforms? If so, remove !CTX_OSNAME! from the Path. Note: Windows 10 supports Store apps while Windows 2016 does not. If you’re allowing Store apps, then it’s probably best to use different profiles for both OS platforms.
      4. Windows 2012 R2 warning: in older versions of Citrix Profile Management, !CTX_PROFILEVER! recognizes Windows 2012 R2 as v2, which isn’t correct. v2 is Windows Server 2008 R2, while Windows Server 2012 R2 is v4. The profile version bug was fixed in Profile Management 5.4 and newer. If you have existing Windows 2012 R2 profiles based on the !CTX_PROFILEVER! variable set to v2, after upgrading to 5.4 or newer, then your profiles might stop working. See http://discussions.citrix.com/topic/374111-psa-upm-54-ctx-osname-server-2012-value-change/ for more details.
    2. Windows 10 and !CTX_OSNAME!: Profile Management sets !CTX_OSNAME! to different strings for different Windows operating system versions, especially different versions of Windows 10 (RS = Redstone, which is a Microsoft code name):
      • Windows Server 2019 sets !CTX_OSNAME! to Win2019v6.
      • Windows Server 2016 sets !CTX_OSNAME! to Win2016v6.
      • Windows 10 version 1903 and 1909 set !CTX_OSNAME! to Win10RS6.
      • Windows 10 version 1809 sets !CTX_OSNAME! to Win10RS5.
      • Windows 10 version 1803 sets !CTX_OSNAME! to Win10RS4.
      • Windows 10 version 1709 sets !CTX_OSNAME! to Win10RS3.
      • Windows 10 version 1703 sets !CTX_OSNAME! to Win10RS2.
      • Windows 10 version 1607 sets !CTX_OSNAME! to Win10RS1.
    3. If you use !CTX_OSNAME! in your profile store path, then different CTX_OSNAMEs will have different profiles, which means users will lose their profile settings whenever you upgrade Windows 10.
      • Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can alleviate this problem.
    4. Multiple Domains – If you have multiple domains, in the user profile store path, change #SAMAccountName# to %username%.%userdomain% (e.g. \\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!). That way you can have the same account name in multiple domains and each account will have a different profile.
    5. Hard Code Store Path – Instead of using variables, you can specify a hard coded path. However, the profile incompatibility restrictions listed above still apply. To avoid applying a single profile across multiple operating system versions, place VDAs with different OS versions in different OUs, and then use different Profile Management GPOs on those OUs to specify different Profile Management user store paths.
    6. Migrate User Store – Profile Management 1909 and newer can move profiles from an old profile path to a new profile path.

  7. Disable Active write back. This feature places additional load on the file server and is only needed if users log in to multiple machines concurrently and need mid-session changes to be saved, or if users never log off from their sessions. Note: if you don’t disable this, then it is enabled by default.
  8. On the left, go to the Advanced settings node.
  9. Enable the setting Process Internet cookie files on logoff.
  10. In 5.6 and newer, Customer Experience Improvement Program (CEIP) is enabled by default. It can be disabled here.
  11. See https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#ceip for additional places where CEIP is enabled.
  12. Profile Management 7.18 adds Enable search index roaming for Outlook.

Notes on Outlook OST and Search roaming:

  1. Microsoft FSLogix is a superior product that is now free. For details, see the FSLogix section in the VDA articles.
  2. Citrix’s feature is only supported with Office 2016 on Windows 10 1709 and later, and Windows Server 2016 and later. Office 2019 is not supported as of Profile Management 1912.
  3. Profile Management 1906 and newer support 64-bit Outlook 2016.
  4. VDA 1906 or newer are recommended for the bug fixes for this feature. You can upgrade the VDA without upgrading your Delivery Controllers.
  5. Concurrent sessions on multiple machines are not supported.
  6. After the first user logon, Profile Management 1811 and newer creates a template VHDX file in a folder named UpmVhd at the root of the user store. The template file is copied to new users, thus speeding up VHDX creation.

  7. In the user’s profile location, a new folder called VHD is created.
  8. Inside the \VHD\Win2016 folder are two new thin provisioned .vhdx files – one for OST, one for Search. The per-user .vhdx files are copied from the parent template.
  9. UPM grants Domain Computers Full Control of the VHDX files. Users must have Full Control to the Profile Share, and UPM Folder to be able to grant this permission. Modify permissions are not sufficient. (Source = Robert Steeghs The Citrix Profile management could not mount virtual disk)
  10. When the user logs into a Citrix session, the two VHDXs are mounted to %localappdata%\Microsoft\Outlook and %appdata%\Citrix\Search. This means that OST files and Search Indexes are stored in the VHDX instead of in the user’s profile.


  11. eastwood357 at Outlook OST and Search vhdx not unmounting after log off at Citrix Discussions says that the Profile Management Path to User Store must be all lower case or else the VHDX files will not unmount at logoff.
  12. Only enable this feature for users with new Outlook profiles. If the user already has an .ost file, then you’ll see an error about missing .ost when Outlook is launched.
  13. The Search roaming feature is only supported with specific versions of Windows Search service. Event Log will tell you if your Windows patches are too new.
  14. VHDX files can only be mounted on one machine at a time. If you log in to two VDAs, and if both try to mount the same VHDX files, then you’ll see errors in Event Viewer.
  15. Search Index Backup – Profile Management 1909 and newer have a GPO setting named Outlook search index database – backup and restore that can provide automatic recovery of the search index if it becomes corrupted. The backup consumes more of the available storage space of the VHDX files.
  16. For a detailed explanation of how the per-user Search Index works, see CTX235347 Citrix Profile Management: VHDX-based Outlook cache and Outlook search index on a user basis.

Exclusions, Synchronization, and Mirroring – 5.5 and newer

The Exclusions process in 5.5 and newer is dramatically simplified. If you haven’t yet deployed 5.5 or newer, and its corresponding ADMX file, then skip to the older Exclusions process.

  1. Under the File system node in the Group Policy Editor, enable the setting Enable Default Exclusion List – directories.
  2. You can use checkboxes to not exclude some folders.
  3. Then edit Exclusion list – directories.
  4. Enable the setting, and click Show.

  5. Add the following to the list.
    AppData\Local\Microsoft\Windows\INetCache
    AppData\local\Microsoft\Windows\IEDownloadHistory
    AppData\Local\Microsoft\Internet Explorer\DOMStore
    AppData\Local\Google\Software Reporter Tool
    AppData\Local\Google\Chrome\User Data\Default\Media Cache
  6. Newer versions of Office Click-to-run let you roam the shared computer activation licensing token. See Overview of shared computer activation for Office 365 ProPlus and search for “roam”. The licensing tokens also last 30 days instead of 2-3 days. Source = Rick Smith in the comments. Ideally you should have ADFS integration so users can seamlessly re-activate Office.
  7. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  8. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of exclusions for IE in Enterprise Mode.
    appdata\local\microsoft\internet explorer\emieuserlist
    appdata\local\microsoft\internet explorer\emiesitelist
    appdata\local\microsoft\internet explorer\emiebrowsermodelist
  9. Then click OK twice to return to the Group Policy Editor.
  10. usrclass.dat*.
    1. Profile Management 1909 and newer automatically include usrclass.dat* in the Files to Synchronize. If added to the exclusion list, then Profile Management 1909 and newer removes it from the list.
    2. usrclass.dat* contains file type associations. For roaming file type associations, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
  11. Clean up excluded folders – If you add to the exclusions list after profiles have already been created, Profile Management 5.8 has a feature that can delete the excluded folders at next logon. See To enable logon exclusion check at Citrix Docs. In Profile Management 7.15 and newer, Logon Exclusion Check is configurable in group policy under the File System node.

    1. In Profile Management 5.8, Logon Exclusion Check is only configurable in the .ini file.
    2. Also see Muralidhar Maram’s post at Citrix Discussions for a tool that will clean up the existing profiles.
    3. Also see Jeremy Sprite Clean Citrix UPM Profiles.

Directories to Synchronize

  1. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  2. Edit the setting Directories to synchronize.
  3. Enable the setting, and click Show.
  4. Profile Management 7.16 Fixed Issues says that AppData\Local\Microsoft\Windows\Caches should be synchronized. Also see CTX234144 Start Menu Shows Blank Icons on VDA 7.15 LTSR CU1/7.16/7.17 with UPM Enabled.
  5. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
    AppData\Local\Microsoft\Windows\Caches
    AppData\Local\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Crypto
    Appdata\Roaming\Microsoft\Protect
    Appdata\Roaming\Microsoft\SystemCertificates

  6. Start Menu and File Type Associations:
    1. If Windows 10 1703 or newer, see James Rankin Roaming profiles and Start Tiles (TileDataLayer) in the Windows 10 1703 Creators Update for information on the new location for Tile data. Citrix Profile Management 5.8 and newer should handle this automatically.
    2. See David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
    3. To roam Start Menu and/or File Type Associations in Windows 10 or Windows Server 2016, see CTX214754 Error “An app default was reset” after signout and Logon in Citrix UPM for info on why this is difficult.
    4. Instead of roaming usrclass.dat, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
    5. Daniel Feller at Sync the Windows 10 Start Menu in VDI says that configuring SettlementPeriodBeforeAutoShutdown might improve reliability of Start Menu roaming, assuming users log out of the virtual desktop instead of rebooting the virtual desktop. On a Delivery Controller, open PowerShell, and run the following:
      asnp citrix.*
      Set-BrokerDesktopGroup -Name "NAME_OF_DESKTOP_GROUP" -SettlementPeriodBeforeAutoShutdown 00:00:15
    6. With VDA 7.15 Update 1, the icons on the Start Menu of Windows 2012 R2 and Windows 2016 are sometimes blank.

  7. Click OK twice.

Files to Synchronize

  1. Edit Files to synchronize.
  2. Enable the setting, and click Show.

  3. Add the following three entries so Java settings are saved to the roaming profile:
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
    
  4. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  5. Citrix’s Start Menu Roaming documentation says that Appdata\Local\Microsoft\Windows\UsrClass.dat* should be added to the list. Profile Management 1909 and newer automatically add Appdata\Local\Microsoft\Windows\UsrClass.dat* to the Files to Synchronize list.

    • You can disable the automatic inclusion of these folders by enabling the setting Disable automatic configuration located under Advanced Settings. 💡
  6. Then click OK twice to return to the Group Policy Editor.

Folders to mirror

  1. In the Synchronization node, enable the setting Folders to mirror.
  2. Enable the setting, and click Show.

  3. Add the following:
    AppData\Roaming\Microsoft\Windows\Cookies
    AppData\Local\Microsoft\Windows\INetCookies
    AppData\Local\Microsoft\Windows\WebCache
    AppData\Local\TileDataLayer
    AppData\Local\Microsoft\Vault
    AppData\Local\Microsoft\Windows\Caches
    AppData\Local\Packages
    AppData\Local\Google\Chrome\User Data\Default
  4. For Windows 10 1709 and newer, you might have to add Outlook Signatures and Chrome to the Folders to Mirror setting. Leave these folders in Folders to Synchronize, but also add them to Folders to Mirror. (source = Citrix Discussions)
    AppData\Roaming\Microsoft\Signatures
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  5. Click OK.
  6. According to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Configuration > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.

Profile Container

  1. Profile Management 1903 and newer have a Profile container setting:
  2. Click the Show button to specify profile paths that should be placed in the mounted file share profile disk (VHDX file) instead of copied back and forth at logon and logoff. This setting is for large cache files (e.g. Citrix Files cache), and is not intended for the entire profile. See Profile container at Citrix Docs.
  3. See CTX247569 Citrix Profile Management: Troubleshooting Profile Containers.

Registry Exclusions

  1. On the left, under Profile Management, click Registry.
  2. On the right, open Enable Default Exclusion List.
  3. Enable the setting. You can use the checkboxes to control which registry keys you don’t want to exclude.
  4. According to Citrix CTX221380 Occasionally, File Type Association (FTA) Fails to Roam with Profile Management 5.7 on Windows 10 and Windows Server 2016, Software\Microsoft\Speech_OneCore should be unchecked. Click OK.
  5. The setting Exclusion List under Registry lets you exclude registry keys from the roaming profile.
  6. Nick Panaccio in the comments says that if Office with ADFS constantly prompts for login, then you should exclude the following:
    Software\Microsoft\Office\16.0\Common\Identity
  7. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of registry exclusions for IE in Enterprise Mode.
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieUserList
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieSiteList
  8. Click OK when done.
  9. In 5.5 and newer is the NTUSER.DAT backup setting, which is disabled by default. You can enable it to provide some resiliency against profile corruption.
  10. Skip to the Log Settings section.

Exclusions – 5.4.1 and older

This section is for UPM 5.4.1 and older. For 5.5 and newer, scroll up to Exclusions – 5.5 and newer. Or if you’ve already configured the exclusions, then skip to the Log Settings section.

The UPMPolicyDefaults.ini file includes a default list of exclusions. If you intend to add to the default list, you must first copy the exclusions from the .ini file to the GPO. Then you can add exclusions to your GPO.

Note: this file was updated for Profile Management 5.4 and Windows 10 so if you are upgrading make sure you copy the new exclusions to the GPO. For example, !ctx_localappdata!\TileDataLayer seems to have been added in 5.4.

  1. Browse to a VDA, go to C:\Program Files\Citrix\User Profile Manager and open the file UPMPolicyDefaults_all.ini using Notepad.
  2. Under the File system node in the Group Policy Editor you can configure which profile folders should be excluded from synchronization. Edit Exclusion list – directories.
  3. Enable the setting and click Show.

  4. In the .ini file, scroll down to the SyncExclusionListDir section. Copy each of these lines to the GPO. Do not include the equals sign on the end.
  5. Add the following to the list. This is the new path for Temporary Internet Files in Windows 8 and later.
    AppData\Local\Microsoft\Windows\INetCache
  6. If running Office 365 with Shared Computer Activation, then you might need to exclude !ctx_localappdata!\Microsoft\Office\15.0\Licensing and/or !ctx_localappdata!\Microsoft\Office\16.0\Licensing. Ideally you should have ADFS integration so users can seamlessly re-activate Office at every launch.
  7. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  8. Then click OK twice to return to the Group Policy Editor.
  9. To roam Start Menu and/or File Type Associations in Windows 10/2016, see CTX214754 Error “An app default was reset” after signout and Logon in Citrix UPM for details on the difficulty of roaming FTAs. Instead of roaming usrclass.dat, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
  10. You might need to exclude usrclass.dat*.
    1. Edit the setting Exclusion list – files.
    2. Enable the setting and click Show.
    3. Add the following. Then click OK twice. This is detailed as a Known Issue for Profile Management 5.4.
      !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*
      

  11. Note: If you add to the exclusions list after profiles have already been created, then see Muralidhar Maram’s post at discussions.citrix.com for a tool that will clean up the existing profiles. Also see Jeremy Sprite Clean Citrix UPM Profiles.
  12. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  13. Edit the setting Directories to synchronize.
  14. Enable the setting and click Show.
  15. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
    AppData\Local\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Credentials
    Appdata\Roaming\Microsoft\Crypto
    Appdata\Roaming\Microsoft\Protect
    Appdata\Roaming\Microsoft\SystemCertificates

  16. Also see David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
  17. Click OK twice.
  18. Edit the setting Files to synchronize.

  19. Enable the setting and click Show.

  20. Add the following three entries so Java settings are saved to the roaming profile:
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
    
  21. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  22. Then click OK twice to return to the Group Policy Editor.
  23. To enable handling of Cookies, in the Synchronization node, enable the setting Folders to mirror.
  24. Enable the setting and click Show.
  25. Add the following and click OK.

    AppData\Roaming\Microsoft\Windows\Cookies
    AppData\Local\Microsoft\Windows\INetCookies
    AppData\Local\Microsoft\Windows\WebCache
    AppData\Local\Microsoft\Vault

  26. Note: according to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Config > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.
  27. On the left, under Profile Management, click Registry.
  28. On the right, open Exclusion List.
  29. Enable the setting and then click Show.
  30. Back in the UPMPolicyDefaults.ini file, look for the ExclusionListRegistry section. Copy the two items from there without the equals sign to the GPO setting.
  31. Click OK twice.
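
The copy step for the SyncExclusionListDir and ExclusionListRegistry sections (dropping the trailing equals sign) and the Credentials Roaming caveat from step 15 can be checked together before the lists go into the GPO. This is an added example, not code from this article or from Citrix; the sample .ini excerpt, the registry entry in it, and all function names are constructed for illustration.

```python
import re

# Constructed sample, laid out the way the steps describe the file: a section
# whose entries each end with "=". Not the contents of the shipped .ini.
SAMPLE_INI = r"""
[SyncExclusionListDir]
; constructed entries
AppData\Local\Temp=
AppData\LocalLow=
!ctx_localappdata!\Microsoft\Office\16.0\Licensing=

[ExclusionListRegistry]
Software\Example\VolatileKey=
"""

# Directories to synchronize exactly as listed in step 15 (mixed case included).
STEP15_SYNC = [
    r"AppData\Local\Microsoft\Credentials",
    r"Appdata\Roaming\Microsoft\Credentials",
    r"Appdata\Roaming\Microsoft\Crypto",
    r"Appdata\Roaming\Microsoft\Protect",
    r"Appdata\Roaming\Microsoft\SystemCertificates",
]


def parse_ini_section(text, section):
    """Return one section's entries with the trailing '=' removed."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            in_section = header.group(1).strip().lower() == section.lower()
        elif in_section:
            entries.append(line.rstrip("=").rstrip())
    return entries


def normalize(path):
    """Comparison key: Windows paths are case-insensitive."""
    key = path.strip().strip("\\").lower()
    # The comment thread on this page states that !ctx_localappdata!
    # points to AppData\Local, so both spellings name the same folder.
    return key.replace("!ctx_localappdata!", r"appdata\local")


def is_under(child, parent):
    """True when child equals parent or lies below it (normalized keys)."""
    return child == parent or child.startswith(parent + "\\")


CREDENTIAL_KEYS = [normalize(p) for p in STEP15_SYNC]


def lint(exclude, sync, credentials_roaming=False):
    """Return (kind, path, reason) findings for the two GPO directory lists."""
    excluded = {normalize(p) for p in exclude}
    findings = []
    for entry in sync:
        key = normalize(entry)
        if key in excluded:
            findings.append(("overlap", entry, "also in the exclusion list"))
        if any(is_under(key, c) for c in CREDENTIAL_KEYS):
            if credentials_roaming:
                findings.append(("conflict", entry,
                                 "synchronized while Credentials Roaming is in use"))
            else:
                findings.append(("sensitive", entry,
                                 "credential material is copied to the user store"))
    if credentials_roaming:
        # Step 15: with Credentials Roaming these folders belong in the exclusions.
        for path, key in zip(STEP15_SYNC, CREDENTIAL_KEYS):
            if not any(is_under(key, e) for e in excluded):
                findings.append(("missing", path,
                                 "not excluded while Credentials Roaming is in use"))
    return findings


if __name__ == "__main__":
    exclusions = parse_ini_section(SAMPLE_INI, "SyncExclusionListDir")
    exclusions.append(r"AppData\Local\Microsoft\Windows\INetCache")  # step 5
    for finding in lint(exclusions, STEP15_SYNC, credentials_roaming=True):
        print(*finding, sep=" | ")
```

A "sensitive" finding is not an error: it marks folders whose credential material ends up in the user store, which is a reason to review the permissions on that share.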

Log Settings

  1. In the Log Settings node, enable the Enable logging setting. This will make it easy to troubleshoot problems with Profile Management. The logfile is located in C:\Windows\System32\LogFiles\UserProfileManager.
  2. Edit the Log settings setting.
  3. Enable the setting and check the boxes next to Logon and Logoff. Click OK.
  4. If your VDA is a Provisioning Services Target Device and/or non-persistent, consider moving the log file to the local persistent disk (e.g. D:\Logs), or to a central share. If a central share, the VDA computer accounts (e.g. Domain Computers) will need Modify permission to the log file path. To change the log file path, edit the Path to log file setting.


  5. CTX123005 Citrix UPM Log Parser
  6. CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

Profile Streaming

  1. For shared persistent VDAs (e.g. RDSH), go to the Profile handling node under Profile Management.
  2. Enable the setting Delete locally cached profiles at logoff. Note: this might cause problems in Windows 10.

    Helge Klein has a tool to delete locally cached profiles on a session host. http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/. This tool should only be needed if profiles are not deleting properly.
  3. For Windows 10/2016 machines, CTX216097 Unable to Delete NTUSER.DAT* Files When a User Logs off recommends setting Delay before deleting cached profiles to 40 seconds.

  4. Enable the setting Migration of existing profiles, and set it to Local and Roaming. See Citrix CTX221564 UPM doesn’t migrate local user profile since version 5.4.1.

  5. Enable the setting Local profile conflict handling, and set it to Delete local profile. Note: this might cause problems on Windows 10.

  6. Under Profile Management > Streamed user profiles is Profile streaming. Enable this setting to speed up logons.
  7. Profile Management 7.16 introduces the XenApp Optimization (aka Citrix Virtual Apps Optimization) feature, which uses Microsoft UE-V templates to define specific settings that should be saved and restored at logoff and logon. See George Spiers XenApp Optimization (new in CPM 7.16+) for details.

  8. After modifying the GPO, use Group Policy Management Console to update the VDAs.
  9. Or run gpupdate /force on the VDAs, or wait 90 minutes.

Mandatory Profile – Citrix Method

Profile Management 5.0 and newer has a mandatory profile feature. Alternatively, use the Microsoft method. Also see James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703).

  1. Create a file share (e.g. \\fs01\profile). Give Read permission to Users and Full Control to Administrators.
  2. Log in to the VDA machine as a template account. Do any desired customizations. Log off.
  3. Make sure you are viewing hidden files and system files.
  4. Copy C:\Users\%username% to your fileshare. Name the folder Mandatory or something like that. Citrix Profile Management does not need .v2 or .v4 or .v6 on the end.

    1. You can copy C:\Users\Default instead of copying a template user. If so, remove the Hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  5. Open the AppData folder and delete the Local and LocalLow folders.
  6. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file, and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  7. Open regedit.exe.
  8. Click HKEY_LOCAL_MACHINE to highlight it.
  9. Open the File menu and click Load Hive.
  10. Browse to the mandatory profile and open NTUSER.DAT. Note: Citrix Profile Management does not use NTUSER.MAN and instead the file must be NTUSER.DAT.
  11. Name it a or similar.
  12. Go to HKLM\a, right-click it, and click Permissions.
  13. Add Authenticated Users and give it Full Control. Click OK.
  14. With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ and http://appsensebigot.blogspot.ru/2014/10/create-windows-mandatory-profiles-in.html?m=1 for some suggestions.
  15. Citrix CTX212784 Slow User Logon When Using Mandatory Profiles – set HKCU\a\Software\Citrix\WFSHELL\SpecialFoldersIntialized (DWORD) = 1
  16. Highlight HKLM\a.
  17. Open the File menu, and click Unload Hive.
  18. Go back to the file share and delete the NTUSER.DAT log files.
  19. Create/Edit a GPO that applies to the VDAs. Make sure the Citrix Profile Management policy template is loaded.
  20. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Profile Management > Profile handling. Edit the setting Template profile.
  21. Enable the setting and enter the path to the Mandatory profile.
  22. Check all three boxes. Then click OK.

Redirected Profile Folders

  1. Make sure loopback processing is enabled on your VDAs.
  2. Edit a GPO that applies to all VDA users, including Administrators.
  3. Go to User Configuration\Policies\Windows Settings\Folder Redirection. Right-click Documents, and click Properties.
  4. In the Setting drop down, select Basic.
  5. In the Target folder location drop down, select Redirect to the user’s home directory.
  6. Switch to the Settings tab.
  7. On the Settings tab, uncheck the box next to Grant the user exclusive rights. Click OK. Note: Move the contents to the new location might cause issues in some deployments.
  8. Click Yes to acknowledge this message.
  9. Right-click Desktop and click Properties.
  10. Change the Setting drop-down to Basic.
  11. Change the Target folder location to Redirect to the following location.
  12. In the Root Path box, enter %HOMESHARE%%HOMEPATH%\Desktop. It is critical that this is a UNC path and not a mapped drive. Also, since we’re using home directory variables, all users must have home directories defined in Active Directory.
  13. Switch to the Settings tab.
  14. Uncheck the box next to Grant the user exclusive rights to Desktop and click OK.
  15. Click Yes when prompted that the target is not a UNC path. You get this error because of the variable. It doesn’t affect operations.
  16. Repeat for the following folders:
    • Documents = Redirect to the User’s Home Directory
    • Desktop = %HOMESHARE%%HOMEPATH%\Desktop
    • Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites
    • Downloads = %HOMESHARE%%HOMEPATH%\Downloads
  17. Redirect the following folders but set them to Follow the Documents folder.
    • Pictures
    • Music
    • Videos

Folders not redirected will be synchronized by Citrix Profile Management.

Verify Profile Management

  1. Once Profile Management is configured, log in to a Virtual Delivery Agent and run gpupdate /force.
  2. Log off and log back in.
  3. Go to C:\Windows\System32\LogFiles\UserProfileManager and open the pm.log file. Look in the log for logon and logoff events.

Profile Management Troubleshooting

UPM Troubleshooter

Citrix Blog Post – UPM Troubleshooter: UPM Troubleshooter is a Windows-based standalone application that examines a live User Profile Management-enabled system in a single click. It shows the Profile Management configuration and information on the Citrix products installed, and it can collect and send the logs. It also includes a system utilities dashboard for analyzing issues. See the blog post for more details.

Profile Management Configuration Check Tool

UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines whether it is optimally configured. UPMConfigCheck is designed to verify that Profile management has been configured optimally for the environment in which it is being run, taking into account:

  • Hypervisor Detection – The presence or absence of supported hypervisors (for example, Citrix XenServer, VMware vSphere, or Microsoft Hyper-V)
  • Provisioning Detection – The presence or absence of a supported machine-provisioning solution (for example, Machine Creation Services or Provisioning Services)
  • XenApp or XenDesktop – Whether it is running in a XenApp or a XenDesktop environment
  • User Store – Determines that the expanded Path to User Store exists.
  • WinLogon Hooking Test – Verifies that Profile management is correctly hooked into WinLogon processing. This test is for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and requires the user running the Configuration Check Tool to have permission to access the relevant registry keys, or an error may be returned.
  • Verify Personal vDisk enabled / disabled – Whether the Personal vDisk feature of XenDesktop is enabled
  • Miscellaneous – Other factors that it is able to determine through registry or WMI queries, such as whether the computer running Profile management is a laptop

Profile Size

Sacha Thomet at Monitor you Profile directories has a script that displays the size of profiles in a profile share.

Log Parser

CTX123005 Citrix UPM Log Parser

View Log Files using Excel

CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

879 thoughts on “Citrix Profile Management 1912”

  1. Wasn’t there some sort of Director issue with UPM 5.4.1? I believe that’s the latest version.
    I recall reading it on your site I think?

  2. Hey Carl,

    I noticed in the UPMPolicyDefaults.
    Citrix uses a !CTX_localappdata!

    In mine I used just the normal AppData\Location.

    Is there any difference?

    I also see that when you use the UPMChecker it detects that the INI file and the GPO file is together. It recommends using one or the other but not both. I didn’t realize the INI file was being applied with the GPO in place.

    Ever seen this?

    1. It’s just a variable that points to AppData\Local.

      The GPO overrides the .ini file. I think the checker wants you to realize that the .ini settings are not copied to the GPO automatically. However, this is fixed in the next release.

  3. Great information on UPM.

    I am curious what folks think about the following feature request for UPM.

    I have 3 XA sites (2 US, 1 Singapore). We use the home directory for UPM. Most apps are available in each user’s local data center. We have some apps that are only hosted in the US. This causes slow logons for Singapore users loading their UPM profile across the WAN. The profile is NOT required for these apps.

    I have asked some Citrix folks if it is possible to create an option in a published app that would turn UPM on/off. In other words, if I don’t need to load a user’s profile for an app, it would be nice to have an option at the application level to disable it. So any app where UPM is not required would bypass the UPM portion of the logon and speed up logon times.

    I can think of a number of other ways to achieve this, but it would complicate the overall setup (extra servers, additional GPOs, extra UPM stores, etc.)

    1. With session sharing, how would you handle running both UPM and non-UPM apps on the same server? This is probably more appropriate as a Delivery Group setting, but you can easily handle that through Group Policy.

  4. Hi Carl,

    We have our favorites redirected in our profile path for each site, ctxprofile1\~userdata\favorites and it replicates to ctxprofile2\~userdata\favorites for DR

    this approach has been done for appdata, desktop etc….

    When I log into Site 1, I have my favorites – while I’m logged in there and I tested logging into Site 2, I keep everything but my Favorites always get deleted and then it’s got DFS replication, it deletes on the other side. It doesn’t happen for the other folders but only for this folder? What could be causing it?

        1. Thanks

          I have copied exactly how you have done it for Windows Folder Redirection, only thing not done is redirect it to Home Drive, just the same path as the other folders.

          Under settings – I have Leave the folder in the new location when the policy is removed

          1. There’s a checkbox for “Move the contents” “to the new location”. I would uncheck that.

            Note: DFS multi-master replication is not supported for any UEM folder: profiles, folder redirection, home directories. You must make sure only one folder is updated no matter where the user is connecting from.

          2. Thanks Carl, your guide had it to move content only ticked.

            I have kept only exclusive rights ticked from both profile server for favourites which seems to have done the trick. Should I do it for the rest of the redirected folders?

          3. When deploying to a new environment, I leave “move contents” checked. But your design needs it unchecked. There is no one configuration that satisfies all requirements.

  5. Hi Carl.

    Great blog and content. I’ve implemented the above Profile Management with Folder Redirection and have issues when my users try to save a file from the Internet into their redirected folders. It is saying that they don’t have permission to modify and after confirming and refreshing the file is showing up. Any ideas why that is?

  6. Carl,

    We are using UPM and have the printer preferences saving to the users profile. For some reason the auto-created printers preferences are not being saved. Any idea what would cause this?

      1. We have UPD only being used if requested driver is not available. I have found an issue using Citrix UPD causing printed files to be 5-100X larger when spooling. I was seeing a 5MB file spool up as a 100MB file. As far as making the changes I have made changes to both local to the PC as well as in citrix. The local settings stay but the citrix preferences do not. If I remove the printer from the local PC and add it to citrix then go back and add it locally the settings stay just fine.

        Thank you in advance.

  7. Thanks for another great article. You may be in the running to replace Brian M. You need to let your hair grow out and put on an AC/DC shirt. Anyways, do you have any articles on how to make the windows 2012 R2 user experience more familiar for the users? It doesn’t feel like a desktop at all when configuring published desktops with Citrix. I know about the desktop experience, which allows them to personalize. I’m mainly looking for tweaks that will make it feel more like a desktop or any recommendations that will benefit the end users.

    Thanks
    sunshine

  8. Thanks Again Carl for a wonderful guide,
    All steps followed correctly but when users logon to applications on a Server VDA a profile gets created in the store but when they logon to a desktop VDA another version gets created called v2.

    1. The easiest solution is to redirect Documents to a sub-folder instead of redirecting to the root of the home directory. However, this might cause user confusion. Otherwise, you’d need some way of changing permissions on desktop.ini.

  9. Hello Carl, First thing to start with as everyone says “I love ur blogs” and implemented most of the solutions by following your articles.

    Here comes my question. We have configured UPM on our XenApp 6.5 Farm which is working perfectly. User profiles are getting created on a file share over the network. Last week we faced an issue where our file server was down and users were not able to launch any of the apps and were receiving a profile related error. It seems like the user session is not able to find a place where it can store/use profiles.

    Is there any way users can still launch the apps without Profile Management (file server) by loading the profiles maybe at any temporary location on the servers locally, and once the file server is online, again user profiles will get redirected to the UPM store?

    Our point is to avoid a single point of failure over the file server which stops our farm users from accessing the apps.

    Thanks in advance,
    Kranthi

  10. We’ve had enough problems with UPM here, if we are to go back to using MS roaming profiles what can we do to block the UPM portion of the VDA (agent) from using UPM policies?
    We have applied a roaming profile GPO but roaming profiles are not creating.

    1. You can set the UPM GPO setting for “Enable Profile Management” to disabled. Or you can stop the Citrix Profile Management service.

  11. Hi Carl

    Do you have experience what’s the best when using OneNote on XenApp. Now it syncs the notebook every time it starts up. Should I mirror the folders in UPM? As OneNote relies on OneDrive(4B) and this is not recommended on Multi-user-systems I don’t know if there is a solution at all.

    Thanks and regards
    Udo

  12. Hi Carl

    We have a XenApp 7.8 Deployment using UPM 5.4, we recently had some issues with local duplicate profiles being created and apps not launching for users so upgraded a server to UPM 5.4.1 as it includes the Citrix Fix (11 July) for this issue. At the same time we’ve also implemented Classic Shell on this test server (whilst we had locked down the desktop and customization already) since the above two changes have been implemented the Line of Business Apps crash on occasion for some users (they store Config Files in \APPData\Local) and also an Office Template Add-In occasionally also crashes for some users (not all). So I wondered if you had seen anything similar.

    We did think it might have been the File Server’s AV (On Access Scan) where the UPM Profiles Resides locking some of these files and causing them to be corrupted (so had temporarily excluded this location from the AC On Access Scanning) but are still seeing some issues.

    If I delete the App Files from AppData\Local\APP NAME (in the UPM Profile) the Applications generally run when the user first logs on but once the users log off (and the Profile is Sync’d) and they log on again (the App issues can return) so the issue I believe is definitely related to Profile Management but I’m not sure where.

    Plan is

    1) Test on Another Server without Quick Shell and the UPM Update (so if problems still occur)
    2) Test with QuickShell (and its GPO) disabled and re-test to rule it out from the cause (it has Apps Hidden from Menus not sure if this is an issue but if you hidden printers No Citrix Printer Re-direct to Local Client Occurs)
    3) Test with Older Version of UPM (Don’t think going back to an older version is an option) but keen to know
    4) Speak to Vendors about issues with Excluding their APPDATA\Local Folders from Sync.

    Any suggestions welcome.

    Thanks

    Gary

  13. I am not sure I’ve got AppData/AppData(Roaming) redirected properly. I have AppData Roaming going to a name space share (\\DomainName\NS-1\Share\#SAMAccount#\). It creates a folder there with the username and in that is another folder with the username and finally a folder called Application Data in there.. Also, the profile on the server when I login is over 25 MB.

    Note: I’m doing everything with UPM within Policies within Studio.

    Any insight on what I am doing wrong or need to do differently would be appreciated.

  14. Hey Carl, love the site. Have built our entire new infrastructure following your guidance. I have a problem though. How do you want me to set up my folder redirection, it seems to rely on some information you’ve left out or i’ve missed.

    I have E:\Shares\CITRIXPROFILES and E:\Shares\RedirectedFolders

    the first, is where my profiles where going based on your 7.8 guide.
    the latter is where my “desktop users” (our whole office) has their stuff going.

    the desktop users aren’t using roaming profiles (at this time)

    when they login to citrix, their profiles go to the first place and then they’re able to access their other folders as i have the folder redirection policy applied to their desktops & the servers. do i need to setup home directories? is that required for profile management? if i did set their desktop to point to a home folder, would that then point them to an empty location and remove their access to their redirected files from their desktop environment?

    1. Home Directories are just a convenience. Documents is almost always redirected to home directory. Desktop and Downloads are usually redirected to Home directory because that’s where users want their downloaded files to be placed. But if you don’t have home directories, you can redirect to any share that is not your profile share.

  15. Hi Carl

    Can these user redirection policies be applied to normal Windows environment

    I’m testing redirection of only desktop and documents to homedrive

    Keeping favourites and rest in profile server and excluding video downloads and pictures and keep them local userprofile workstation.

    Would this be okay?

    Also we have a normal.dotm issue before if Microsoft loses its desktop then it gives you normal.dotm etc, I assume redirecting to home drive should be fine for Citrix users and non Citrix users as we have some internal/external and majority external remote access Citrix users, so when they log in they get a Citrix profile but they get a normal.dotm error so we have to temporarily move them to a Citrix users OU to get the policy but the policy is specific to only a Citrix profile path so I hope %homeshare%%homedrive% helps.

    Secondly, I also noticed that the desktop is shown in the home drive and it can be deleted by a user, is there a way to permission it so they can’t? I found a GPO that can only hide it..

    1. You don’t have to redirect to the user’s home directory. You’re welcome to create a new share and redirect to that.

      1. Thanks for replying as always

        We are now deciding to Hide Documents, force our users to always save in their Home Drive.

        We have added Documents to Exclusions in UPM and also in Roaming profile

        Is this good practice? As we want users to just always save their documents to their network homeshare. Would it affect other programs? Or should we take it out of exclusions at least and not configure it for folder redirection?

        1. I always redirect Documents. But I never add it to exclusions since UPM should be smart enough to realize it is redirected and automatically exclude the folder.

          1. Ok any specific reason why you always redirect my documents – sorry my question is it bad practice if we don’t redirect it and make users just save to their home drive manually? Will this have any effect on Citrix using non-persistent desktop where all local c:\users gets deleted off every time.

          2. Profiles should be disposable so I don’t want any permanent data in the profile. Redirecting Documents is easier for the user.

  16. Hi Carl,
    I’m working in an environment with XenDesktop 7.8 and Windows 10 with UPM and redirection folders. I am having problems with the application association. On the one hand continuously I get a message that has reset the association of some extensions and the other does not save changes once I close my session.
    Where is the problem?
    Thanks

  17. Carl,

    I am having an issue. I have a user lockdown policy in place. This is hiding control panel items, start menu items, and windows explore items. I have loop back processing on. All of the items defined under User Config\Policies\ are not applying. The policies I have under User Config\Preferences are working. Any assistance would be amazing.

    Thanks
    Rick

          1. Nothing in Event Viewer about the Group Policy extensions?

            What does Group Policy Results show? Any errors? Does it show that the settings should have applied?

            What version of Citrix VDA? Does it work without the VDA installed? If not, then it’s a Windows issue.

          2. I am thinking it is because the policy does not apply to an OU with users in it. Although not sure why our old Citrix environment works with these same settings with no users in the OU the policy is applied to.

          3. The whole point of loopback is that you don’t need users in the OU.

            If you think VDA is the issue, if you upgrade VDA to 7.9, does the problem still occur? I seem to recall a group policy issue in 7.6.300, which is the same as 7.7.

          4. Thank you very much. I have a version 7.6.0.5026 I am running for an older application and it has no issues with the GPO. v 7.7.0.6111 is the version that I am having issues with.

          5. An interesting workaround. If a user launches an app from the 7.6 environment, then goes into the 7.7 environment, the GPO stays and works just fine.

            Any thoughts why?

            Thanks in advance.

          6. I have Citrix User Profile Management installed and running. I have found that in the v7.7 in the UPM folder there is no “ntuser.pol” file being created which seems to hold the user policies. This file does get created when logging into the older v7.6.

          7. If you enable all logging, what does the UPM log file show for that file?

            Same problem in UPM 5.4.1?

  18. I have an issue with O365 where it asks for activation every time a user logs on, it creates 2 txt files in the user profile (AppData\Local\Microsoft\Office\16.0\Licensing) and when logging off copies those back to the profile share, when the user logs in again it copies the files to the Citrix server but asks for activation and creates another 2 txt files?

    I have excluded the folder: !ctx_localappdata!\Microsoft\Office\16.0\Licensing

    We do not use ADFS.

    Any thoughts?

    1. I believe that’s how Shared Computer Activation works. ADFS makes the activation process more seamless.

  19. Hello Carl !!

    Love your blog. I was wondering if you can help me as I’m at an impasse. I use UPM 5.4 and use the ADMX templates. I am confused about behavior. When a new profile loads it has the UPM settings that were specified. Any changes I make to policies however are rarely synced up to the VDAs. Obviously, most of the commonly used UPM settings are machine-related, so in a non-persistent, random PVS deployment, does the base image need to be versioned to see the changes to UPM policies or should the VDA clients immediately get changes during the next login? Thank you very much.

    1. I find it more reliable to update the master image with the GPO changes. Otherwise, you can do a Computer Startup script to run gpupdate. However, I’ve seen running “gpupdate /force” cause problems.

  20. Any way to process Admin accounts but to allow them to have full desktop use? I have the setting to process admin accounts but my admins don’t have all the icons they need if they RDP to a Citrix server. If I set to not process admin accounts all my admins have to keep resetting their Outlook and lose their signatures and settings in Outlook. No profiles are kept on local servers.

      1. It was not loading all the icons for my Admins. We had no administrative tools, run, command prompt, etc. icons. Not even an icon to get to file explorer. Now after a few reboots it’s working. Go figure.

  21. Hi Carl

    I have an existing 7.1 environment running on 2012. I created a new 7.9 on 2012 R2. I created a new GPO for UPM and set the security filter for the two XA-worker and the user group. But when I login, the Director shows me that Microsoft Roaming Profile is used, not Citrix UPM.
    Isn’t it working to use the existing home folders for both environments and “just” via security filtering using the new policy on the 7.9 environment and with the old policy on the 7.1

    Thanks
    Udo

    1. UPM GPO is Computer Settings only. Do you see the registry keys applied to HKLM\Software\Policies\Citrix\UserProfileManager?

        1. So first the user had admin rights… didn’t know that.

          One question: UPM on user settings can also be configured to redirect appdata etc. Isn’t it a good idea to go for that instead under the usual setting? I tried with the !OSbitness! etc. variable but they aren’t working in the user context. By design?

          Thx.

          1. I don’t think the CTX variables work with folder redirection.

            I personally always do Microsoft redirection because I can’t think of any reason why Citrix’s is better. CITRIX says they added it to Studio for environments where group policies are not allowed.

  22. what’s the advantage of using the mandatory profile with citrix profile management? i always thought citrix profile management was a alternative to roaming and mandatory. is that not correct?

    1. There are some scenarios where mandatory is useful. There isn’t much difference between Citrix and Microsoft methods.

      1. can you give me some examples? just trying to learn more. why wouldn’t you just use local and then citrix profile management and redirection to redirect desktop, my documents, etc? Would you just use mandatory when using PVD? thanks for your input..i am kind new at this..

        1. For RDSH servers, I usually want profiles to be deleted when the user logs off. Mandatory can do that. For MCS, Local profiles aren’t deleted until the machine reboots. Or if persistent, then the profiles are never deleted until I do it manually.

          PvD can store the full profile so there’s no need for mandatory on those machines.

  23. Hi Carl,

    great article.

    We switched from Microsoft Profile Management to UPM.
    UPM is configured for a published desktop with XA76 on W2K8R2. Unfortunately desktop icon position is not saved and restored for all users.
    Do you have any idea?

    Thanks,

    Timo

    1. That is a common problem with all profile solutions, because it’s stored in the ShellNoRoam registry key. If you Google, you’ll find various scripting attempts, including 3rd party UEM products (e.g. AppSense).

    2. Hi Carl,

      Me too, great article.
      I have the same problem as Timo C. XA 78 on W2k8R2. Desktop and Quick Launch shortcuts are lost at next logon after 20 seconds waiting. Folder Redirection of Desktop and AppData did not solve that problem. I’m working very hard to fix that problem, but unfortunately not successfully. Do you have any idea about other solutions?

      Thank you very much and greetings.

  24. Hi Carl, first of all great post.
    Secondly, we have a weird issue: randomly the NTUSER.DAT is not copied
    the INI file is deleted from base and we use GPO. Until now no one has been able to solve this

  25. Hi Carl, 2 questions.
    1° Sometimes, when logging on, we still have a black screen. Even the registry setting “Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Logon” is set.
    2° Sometimes the “pending folder” is not empty after a user is logged off. When the user logs on again, there is a problem loading his ntuser.dat file. We have to delete all files under the pending folder and his 2 other default subfolders. Any idea?

    regards
    F.

    1. Then it won’t work. Those variables assume each user is configured with a home directory. If not, then you’ll need some other means of specifying the share and path.

  26. Hi Carl.

    The %HOMESHARE%%HOMEPATH% is not working for me. In the event log I’m getting the error invalid path. %Homepath% is opening correctly, but %homeshare% always says not found.

    What is wrong here?

    Regards
    Udo

      1. Hi Carl,
        I have the same issue. Can you please add a screenshot from Active Directory with these variables defined.

        1. Are you asking where to configure a home directory? Open Active Directory Users & Computers. Double-click a user. On the Profile tab, there’s a home folder section. This should be configured with a drive letter and a UNC path. If not, then %homeshare% won’t work.

          1. So each user will have two or more folders inside the root share: one for folder redirection and one or more (if there are different OS versions) for the profiles, right?

  27. Thanks Carl for such a great post. I wanted to implement UPM in my environment but we are only using local profiles as we have deployed random machines using MCS, Xenapp7.5 and windows server 2008r2. So could you please clarify whether UPM is applied only for roaming profiles or for local profiles as well? If so, is the process the same as you have stated in this post or any different to this?

      1. Thanks for the prompt reply Carl. My question is, as I have only local profiles in our environment, can UPM be implemented for local profiles as well? Or is it only for roaming/mandatory profiles?

        1. The whole point of UPM is roaming profiles. What benefit would that provide for local profiles?

          User logs in and a local profile is created. At logoff, user’s profile is saved to file share. UPM can either delete the local profile, or leave it. Next time user logs in, if the local profile (locally cached profile) is still there, that’s the one that’s used. If the locally cached profile is missing, then UPM downloads the profile from the file share and copies it to C:\Users.

          In all cases, Windows only uses the profiles in C:\Users. UPM is nothing more than a backup and restore tool.

  28. Hey Carl

    Quick Query, I presume if you setup Profile Management via XD Studio (it then generates the AD GPO and you have visibility within a single management console) but if you setup in AD GPOM you don’t see the values in Studio.

    Thanks

    Gary

    1. Studio does not create AD GPOs. Instead, Studio puts the settings in the Site database.

      Do Studio or GPO, but not both.

      1. Ah I see, I think I’ll stick with AD GPOs for the UPM Elements as it’s related to Roaming Profiles and just use Studio for Citrix Stuff like ICA Changes and Load Management then

        Thanks for clearing up my misunderstanding

    1. I usually do Merge so I capture folder redirection and drive mapping settings defined elsewhere. But if Merge causes me problems then I change it to Replace and define all of the settings the users need.

  29. Good morning Carl,

    What do you recommend for provisioned desktops with Citrix UPM as far as printing? Do you recommend Group policy preference printers policy or using Citrix Studio policy? Our users/tellers log into different stations (thin clients) throughout the day so we want our printers to be mapped based on the endpoint they log into. Any suggestion or info is appreciated. Thank you!

    1. Group Policy Preferences Printers will delay the login until printer mappings are complete. Users don’t like this.

      Citrix Policy printers are mapped in the background. It’s a better user experience.

  30. Thanks, I should have mentioned that we are deploying Xen App 7.8 Servers using a Golden Image and MCS (Random Assignment). As these are classed as “Both Persistent and Shared”, Active Write Back was going to be enabled to save changes in profiles for the users as they will be roaming between servers as outlined in the Citrix Profile Management Doc.

    1. Changes are saved when the user logs off. If the user connects to a second server before the logging off of the first server then maybe Active Write Back is useful. But if the user always logs off between sessions then you don’t need Active Write Back. Besides, it does generate some load on the file server so you have to weigh the pros and cons.

  31. Hi Carl

    Read the article, very useful. I had a couple of queries relating to Profile Manager, although I realise these are more Roaming profile than PM specific. We are implementing a Dual Datacentre Environment with 1 Production and 1 DR DC (these will switch during the course of the year or if an outage occurs) and as such will use SRM to manage bringing the DFS Environment for User and Profile Stores online.

    My questions;

    1) Are there any baseline figures for number of users to associate with a single DFS Share? (I know there is the “it depends”, size of profile etc., but on the basis all folder redirection will be outside of the profile it should be fairly minimal. We have approx 400 Profiles we will be looking to store, together with the user home drive and folder redirection, so I want to check if there were any specific considerations.) The DFS Target will be on a single server in a 2 Node Hyper Visor Cluster with Dual NICs configured in each Hyper-visor Server (just wondered about Network and Disk I/O; I don’t see it being an issue but thought I’d ask).

    2) Profile Manager will be used to manage User Profiles on the Citrix Xen App Servers, but to keep a consistent look and feel across all end-point devices we’ll be implementing the !CTX_Variables to allow separate profiles per OS, so that it can also be used for the Desktop machines. Any issues with this approach?

  32. Hello Carl, Great site!

    Have a question about your comment of excluding !ctx_localappdata!\Microsoft\Office\15.0\Licensing and/or !ctx_localappdata!\Microsoft\Office\16.0\Licensing.

    We have ADFS running and office does list my account on startup. However, I get message about the license couldn’t be validated (0x8004005). You click OK and everything is fine. Other office apps don’t get this message. I don’t that 16.0 patch excluded.

    What does excluding the path accomplish?

  33. Hi Carl, thanks for helping us all by sharing your precious knowledge. You’re a star.

    I want to define a default profile for my XA 7.6 users with UPM 5.4.
    I created a NetworkDefault profile where I made my customization and most of the cleaning described for the mandatory ones.
    When I define ‘Path to template profile’, the profile loads ok but doesn’t get copied to the UPM store. It stays as local on the server and can’t be reused.

    Is it meant to work the way I want or are the settings to be lost like in the mandatory profile you described?

    Thanks

    1. Mandatory means it’s deleted at logoff. If you configure a template profile without enabling mandatory then it should stick.

        1. Problem solved. UPM logs were showing access denied on the HKCU\Software\Microsoft\SystemCertificates\Root\ProtectedRoots.
          This happened because I was copying a pre-configured user profile.
          I had to sysprep my profile to make it default, in order to get rid of this error and resolve the UPM problem.

  34. Great Post! Thanks for sharing.
    I recently implemented XenApp 7.6 and I am now trying to add Profile Management.

    This may sound a stupid question. Where do we install the UPM? On the delivery controller, or the machine catalogs/ applications hosts?

    Thanks

    1. It’s included with the VDA. If you install VDA 7.6.1000 (or 7.9) then you already have the latest release. Otherwise you can download 5.4 and install it on your VDAs.

      The group policy templates are on the 7.6.1000 ISO (or 7.9) or in the CPM 5.4 download.

  35. Hi Carl!…
    I follow your steps to improve UPM and folder redirection, UPM works fine but folder redirection doesn’t work, I’m trying to redirect My Documents and some other folders, we are using Windows Server 2012 and XenApp 7.9, please Carl I need some help!!

  36. Hi Carl,

    I am new to the Citrix world and I found your site very useful in helping me set up our XenDesktop environment 7.8. I was able to move some of our users from Roaming profile to UPM using your step by step instructions. My problem is that we are redirecting the AppData folder as well as Microsoft Outlook .OST file to our file server and this is causing Outlook to error out when users open Outlook “Outlook is using an old copy of your Outlook data file (.ost). Exit Outlook, delete the file, and restart Outlook. A new file will be automatically created the next time you initiate a send/receive.” We have over 500 users so trying to walk everyone through deleting their Outlook profile is not an option. We can delete the user’s current user profile ahead of time and get Outlook to prompt the user to recreate their Outlook profile, but this causes users to lose their signatures. Any advice is appreciated.

    Thanks,
    Bruce Vang

      1. No. I’m wondering if there’s a way we can set up UPM to move the OST file to the new location. Current OST file is stored on c:\users\AppData\Local\Microsoft\Outlook. The new location is \\servername\OST$

        We’re trying to set it up this way because we don’t want the .OST file (most are 1 to 2 GBs) to roam with the profiles. But since we’re already redirecting the AppData folder anyway we shouldn’t have to redirect the .OST file to a different location, correct? I’m assuming once FR is applied, the APPDATA folder on the local machine gets copied/moved over to the network drive?

          1. Thanks Carl! One more question for the day. For provisioned desktops do you recommend changing the OST default file location to a file/network share as mentioned in the article above to improve logons or performance? Some of our users have static VMs while some (tellers) get provisioned desktops and we use Exchange cache mode in our environment so OST files do get pretty big.

          2. I only do OST files if Exchange is hosted by Office365. If Exchange is on-premises then I always do online mode.

            There are also layering products that can store the OST files.

          3. Hey Carl,

            Came across this MS Article https://support.microsoft.com/en-gb/kb/2752583 which states you cannot modify existing mail profiles with the new OST path (Outlook 2013), only newly created mail profiles will see the revised version.

            Only found this out when I made changes in GPO and nothing happened unless it was a new mail profile.

            Have I read this right?

          4. Seems right.

            One option is to give users new roaming profiles. Otherwise you’d have to clean up the old Outlook profile and recreate it. There are sites on the Internet that explain how to automate this.

  37. Hi Carl, Great post.

    Have you heard of any issues with UPM, IE 11 and ‘Proxy Is Not Responding’ errors? We use a web proxy server, which we force through Group Policy user preferences. With UPM enabled, a logged in user cannot get to external sites. I get the proxy not responding message. Chrome, which abides by the proxy setting, works fine.

    As soon as I disable UPM through group policy, IE can get to external webpages just fine. Here’s the real kicker… if UPM is enabled, I get the same proxy errors even when logged onto the VDA’s console as a local admin (the account isn’t being handled by UPM at all).

    Kinda stumped. Any help would be much appreciated! Oh… maybe helpful to mention that our proxy is reached via port 3128. Any chance there’s a port conflict?

  38. Hi Carl,

    I need some advice. One of my customers is currently experiencing slow logon times since I disabled profile streaming. I had to disable profile streaming as the streaming driver doesn’t play nicely with McAfee, which causes a kernel mode hang of the userprofilemanager.exe process (despite having userprofilemanager.exe as an excluded file), meaning the only way to restart the Citrix profile manager service is to restart the server.
    After disabling profile streaming I haven’t had to restart a single server in 4 weeks, which is vastly better than the 2-3 servers per day. However some user accounts are taking anywhere between 10-20 minutes to log on since making this change. What is even more confusing is my profile loads within 2 minutes every single time and my profile is substantially larger than that of the users seeing slow logon times. When checking the UPM logs to see where these logons are stalling it appears to hang while restoring directories and files. Any recommendations for ways to improve this or what might be causing it?

    1. Cookies? Thousands of small files will slow down the copy process.

      Try manually copying the profile from one machine to another and see how long that takes.

  39. Hi Carl, this worked just fine following your guide.
    Enabling Profile streaming helps speed up logons, but is it at all possible to avoid copying any part of the profile and just stream the lot to speed up logons and sessions even more?
    Users are still experiencing above average logon times with “interactive session” taking the most time and we are wondering if any other UPM settings allow us additional logon speeds.
    Thanks

    1. Interactive Session usually means logon scripts, printer mappings, etc.

      You can use procmon during a logon to determine what exactly is consuming the time.

      1. Thanks for your prompt response Carl, checking with procmon now

        My colleague had “Always cache” enabled and this may be causing some issues. I noticed you have it set to “not configured”

        We will turn it off and see if that makes a difference.

        Regards
        Jim

  40. Hi Carl,

    Do you have some best practice for 2 delivery groups, one with Internet Explorer 11 and one with Internet Explorer 8? I mean, can they have the same UPM store location?

    Regards
    Andrea

    1. Yes. IE usually uses the same settings for all versions. If user is logged into both machines concurrently, UPM will merge the profile changes at logoff.

  41. Hi Carl,

    When redirecting folders such as Desktops, Documents etc should they also be added to the Exclusion List – directories part?

    cheers
    steve

    1. Profile Management should realize that they are redirected and not need to exclude them. This was fixed in an older version of Profile Management.

      1. The reason I ask is that I have sometimes noticed the desktop, documents etc. appearing in the user’s profile directory and not in the redirected folder. It has been a rare occurrence but it is something I never want to happen for the sake of users’ data. This is with using Citrix UPM to redirect the folders. I will switch to just using Windows redirection instead; I’m assuming doing this has less of a burden on the Citrix UPM.

        1. I personally always do Microsoft redirection. I can’t think of any reason to do it using UPM.

  42. Hi Carl – was just curious your approach for applications that seem to be hardcoded to use a local AppData path. We redirect AppData but there is one application that will not function correctly with this redirection in place. I confirmed that removing AppData redirection allows the app to launch without issue. I have tried including it as a directory to be synchronized and have also tried specifying file types within the directory to be synchronized as well. I can get AppData\Local\AppDir to sync with the profile but the AppData\Roaming\AppDir continues to be redirected. Is there anything I am overlooking here? Anything else I can try except disabling Appdata redirection?

    1. I personally never redirect AppData.

      Can you create a script that creates the local AppData folder? Then use additional scripts to backup the folder at logoff and restore it at logon? I believe if AppData is redirected then Profile Management will not sync it.

  43. Hi Carl,

    We have enabled the mirroring of the AppData\Local\Microsoft\Windows\INetCookies folder.

    Since then that folder is building up and slowing down the logon & logoff. Example: User A took 1217 sec. to logon. After cleaning the folder it took 60 sec.

    The only solution I see is a script that cleans out those folders on a regular basis.

    Your thoughts?

    cheers,
    Jan
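
Added example, not part of the original comments and not Citrix's or the author's code: a read-only PowerShell report that shows which folders in each user's profile store hold the most files, the condition comments 38 and 43 describe (thousands of small cookie files slowing the profile copy). The share path, the function name `Get-ProfileFileHotspots`, and the grouping depth are assumptions; adjust them to your store layout.

```powershell
# Added example: find the folders with the most files in each user's profile store.
# Read-only: it lists and counts files, it never deletes anything.
param(
    [string]$StorePath = '\\fileserver\profiles$',  # hypothetical share, one folder per user
    [int]$Depth = 6,   # assumption: path segments below the user folder to group by
    [int]$Top   = 5    # rows to keep per user
)

function Get-ProfileFileHotspots {
    param([string]$UserRoot, [int]$Depth, [int]$Top)

    # Normalise the root so relative paths can be cut from each file's directory.
    $root    = (Get-Item -LiteralPath $UserRoot).FullName.TrimEnd('\')
    $rootLen = $root.Length + 1

    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Group-Object {
            # Relative directory, truncated to $Depth segments, is the bucket name.
            $dir = $_.DirectoryName
            $rel = $dir.Substring([Math]::Min($rootLen, $dir.Length))
            ($rel -split '\\' | Select-Object -First $Depth) -join '\'
        } |
        ForEach-Object {
            [pscustomobject]@{
                User   = Split-Path $root -Leaf
                Folder = if ($_.Name) { $_.Name } else { '(profile root)' }
                Files  = $_.Count
                SizeMB = [math]::Round((($_.Group |
                            Measure-Object -Property Length -Sum).Sum) / 1MB, 1)
            }
        } |
        Sort-Object Files -Descending |
        Select-Object -First $Top
}

# Walk every user folder in the store and show the worst offenders first.
Get-ChildItem -LiteralPath $StorePath -Directory |
    ForEach-Object { Get-ProfileFileHotspots -UserRoot $_.FullName -Depth $Depth -Top $Top } |
    Sort-Object Files -Descending |
    Format-Table -AutoSize
```

A folder with tens of thousands of files and only a few MB in total is the pattern that makes logon and logoff copies slow, so it is the first candidate for exclusion or scheduled cleanup.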
