Citrix Profile Management 2402

Last Modified: Apr 30, 2024 @ 11:34 am


This article applies to all versions of Profile Management: 2402, 2203 LTSR CU4, 1912 LTSR CU9, etc.


Profile Management Versions

Profile Management is included with the installation of Virtual Delivery Agent. To upgrade Profile Management, simply upgrade your VDA software. Here are the currently supported versions of VDA:

Or you can download the individual Profile Management component and install/upgrade it separately from the VDA software. You can even install it on non-VDA machines (e.g., PCs accessed by licensed Citrix users).

For LTSR VDAs, to stay compliant with LTSR support, install only the Profile Management version that is included with your VDA installer. Don’t upgrade to a newer Current Release version.

The latest release of Citrix Profile Management is version 2311, which can be downloaded from Citrix Virtual Apps and Desktops 2402. To find it, click Components that are on the product ISO but also packaged separately.

Profile Management Configuration Options

Profile Management consists of a Service (installed on the VDAs), a file share, and configuration settings.

There are four methods of delivering configuration settings to the Citrix Profile Management service:

If a UPM setting is not configured in GPO, Citrix Policy, or WEM, then the default setting in the UPMPolicyDefaults.ini file takes effect. The .ini file is located in C:\Program Files\Citrix\User Profile Manager on every machine that has Profile Management service installed.

Microsoft Group Policy (ADMX file) is probably the most reliable method of delivering configuration settings to the Profile Management services. This method uses the familiar Group Policy registry framework. Just copy the Profile Management ADMX files to PolicyDefinitions and start configuring. The configuration instructions in this article use the GPO ADMX method.

The Citrix Policies configuration method requires Citrix Studio, or Citrix Group Policy Management Plug-in. On the Profile Management service side, only VDAs can read the Citrix Policies settings.

  • Citrix Policies has settings for Folder Redirection. If you use Citrix Policy to configure Folder Redirection, then the Folder Redirection settings only apply to VDAs that can read Citrix Policies. To apply Folder Redirection to more than just VDAs, configure Folder Redirection using normal Microsoft Group Policy as detailed below.
  • If you’re going to use Microsoft Group Policy to configure Folder Redirection, then you might as well use Microsoft Group Policy to also configure Citrix Profile Management.

Citrix Workspace Environment Management can also deliver configuration settings to the Profile Management services. This option requires the WEM Agent to pull down the settings from the WEM Brokers and apply them to Profile Management. It can sometimes be challenging to troubleshoot why WEM is not applying the settings.

Try not to mix configuration options. If you use both WEM and GPO, which one wins?

Multiple Datacenters

For optimum performance, users connecting to Citrix in a particular datacenter should retrieve their roaming profiles from a file server in the same datacenter. If you have Citrix in multiple datacenters, then you will need file servers in each datacenter.

DFS active/active replication of roaming profiles is not supported. This limitation complicates multi-datacenter designs.

For active/active datacenters, split the users such that different users have different home datacenters. Whenever a particular user connects, that user always connects to the same datacenter, and in that datacenter is a file server containing the user’s roaming profile. StoreFront uses Active Directory group membership to determine a user’s home datacenter.

For users that connect to Citrix in multiple datacenters, there are a couple of options:

  • The user’s roaming profile is located in only one datacenter – If the user connects to a remote datacenter, then the roaming profile must be transmitted across the WAN. To optimize performance, disable Active Write Back, and make sure Profile Streaming is enabled.
  • The user has separate profiles for each datacenter – There is no replication of profiles between datacenters. This scenario is best for deployments where different applications are hosted in different datacenters.

Disaster Recovery – For disaster recovery scenarios, the user’s roaming profile data (and home directories) must be recovered in a different datacenter. Here are some considerations:

  • Use DFS One-way replication. After the disaster, edit the DFS Namespace folder target to point to the file server in the DR datacenter. You must avoid multi-master DFS replication/namespace.
  • Use VMware SRM or similar to recover the entire file server in the DR datacenter.
  • A datacenter failover might result in multiple file servers accessed from a single VDA, especially if you have users split across datacenters. Use DFS Namespaces as detailed below.

DFS Namespace

DFS Namespace for central user store – The Citrix Profile Management user store path is a computer-level setting, meaning there can only be one path for every user that logs into a particular VDA. If you have different users with roaming profiles on different file servers, then you must use Active Directory user attributes and DFS namespaces to locate the user’s file server. Here is an overview of the configuration:

  • Create a domain-based DFS namespace with folder targets on different file servers. See Scenario 1 – Basic setup of geographically adjacent user stores and failover clusters at Citrix Docs for more information.
  • Do not enable two-way DFS Replication for the roaming profile shares. But you can do One-way DFS replication. See Scenario 2 – Multiple folder targets and replication at Citrix Docs for more information.
  • Edit each user in Active Directory with a location (l) attribute that matches the DFS folder name.
  • Set the Profile Management user store path to \\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!. This pulls the user’s l attribute from Active Directory and appends that to the DFS share. The folder that matches the attribute value is linked to a file server. For example, if the user’s l attribute is set to Omaha, then the user’s profile will be located at \\corp.local\CtxProfiles\Omaha\user01\Win2016v6. The Omaha folder is linked to a file server in the Omaha datacenter.

Create User Store

This procedure could also be used to create a file share for redirected profile folders.

Create and Share the Folder

  1. Make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it CtxProfiles or similar.

  3. Right-click the folder, expand Give Access to (Windows Server 2019) or expand Share with (Windows Server 2016) and select Specific people.

  4. Give Everyone (or some other group that contains all Citrix Users) Full Control (Read/Write). Click Share, and then click Done.
  5. Go to the Properties of the folder.
  6. On the Sharing tab, click Advanced Sharing.
  7. Click Caching.
  8. Select No files or programs. Click OK, and then click Close.

Folder NTFS Permissions

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry, and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

Access Based Enumeration

With this setting enabled, users can only see folders to which they have access:

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it. Or perform a refresh.
  3. Right-click the new share and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration.
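
The share, NTFS, and access-based enumeration steps above can be scripted and then re-checked later for drift. This PowerShell is an added example, not part of the original article; the folder D:\CtxProfiles and the share name CtxProfiles are placeholders, and the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
# Placeholders (assumptions): folder D:\CtxProfiles, share name CtxProfiles.
$Path      = 'D:\CtxProfiles'
$ShareName = 'CtxProfiles'

# Well-known SIDs, so the script also works on non-English Windows.
$everyone     = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')  # Everyone
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-0')  # CREATOR OWNER
$ruleType     = 'System.Security.AccessControl.FileSystemAccessRule'

function Set-UserStoreShare {
    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    # Share level: Everyone Full Control, offline caching off, access-based enumeration on.
    # An existing share keeps its current share permissions; only the two settings are corrected.
    $everyoneName = $everyone.Translate([System.Security.Principal.NTAccount]).Value
    if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
        Set-SmbShare -Name $ShareName -CachingMode None -FolderEnumerationMode AccessBased -Force
    } else {
        New-SmbShare -Name $ShareName -Path $Path -FullAccess $everyoneName `
            -CachingMode None -FolderEnumerationMode AccessBased | Out-Null
    }

    # NTFS level: replace the explicit Everyone / CREATOR OWNER entries with the two from the steps.
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules($everyone)
    $acl.PurgeAccessRules($creatorOwner)
    # Everyone: read and write on this folder only, so users can create their own profile folder.
    $acl.AddAccessRule((New-Object $ruleType -ArgumentList `
        $everyone, 'ReadAndExecute, Write', 'None', 'None', 'Allow'))
    # CREATOR OWNER: Full Control on whatever the user creates below the root.
    $acl.AddAccessRule((New-Object $ruleType -ArgumentList `
        $creatorOwner, 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'))
    Set-Acl -Path $Path -AclObject $acl
}

function Test-UserStoreShare {
    # Returns one string per deviation from the settings described in the steps.
    $findings = @()
    $share = Get-SmbShare -Name $ShareName
    if ([string]$share.CachingMode -ne 'None') {
        $findings += "Offline caching is $($share.CachingMode), expected None"
    }
    if ([string]$share.FolderEnumerationMode -ne 'AccessBased') {
        $findings += 'Access-based enumeration is not enabled'
    }

    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $full   = [System.Security.AccessControl.FileSystemRights]::FullControl
    # Explicit and inherited entries, with identities returned as SIDs.
    $rules  = (Get-Acl -Path $Path).GetAccessRules($true, $true,
                  [System.Security.Principal.SecurityIdentifier])

    $everyoneRules = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $everyone.Value -and [string]$_.AccessControlType -eq 'Allow' })
    foreach ($r in $everyoneRules) {
        if ([int]$r.InheritanceFlags -ne 0) {
            $findings += 'An Everyone entry flows down to the profile folders (not "This folder only")'
        }
        if (($r.FileSystemRights -band $modify) -eq $modify) {
            $findings += 'An Everyone entry grants Modify or Full Control'
        }
    }
    if ($everyoneRules.Count -eq 0) {
        $findings += 'No Everyone entry: users cannot create their profile folder'
    }

    $ownerOk = $rules | Where-Object {
        $_.IdentityReference.Value -eq $creatorOwner.Value -and
        ($_.FileSystemRights -band $full) -eq $full }
    if (-not $ownerOk) { $findings += 'CREATOR OWNER does not have Full Control' }

    $findings
}

Set-UserStoreShare
Test-UserStoreShare   # no output means the share matches the steps
```

PurgeAccessRules removes only explicit entries, so permissions inherited from the parent folder stay in place, as they do in the GUI steps; the check also reports an inherited Everyone entry if it flows down to the profile folders.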

GPO ADMX Policy Template

  1. You can find the GPO ADMX templates on the main Citrix Virtual Apps and Desktops 2402 ISO in the \x64\ProfileManagement\ADM_Templates\en folder.

    • Or they are included in the standalone Profile Management download in the \Group Policy Templates\en folder.
  2. Copy the file ctxprofile.admx to the clipboard.
  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. If you have an older version of the ctxprofile.admx file in either location, delete it. Note: replacing the .admx file does not affect your existing Profile Management configuration. The template only defines the available settings, not the configured settings.
  5. Go back to the Citrix Profile Management Group Policy Template files.
  6. Copy ctxprofile.adml to the clipboard.
  7. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.
  8. If you have an older version of the ctxprofile.adml file in the en-US folder in either location, delete it.


  1. Go up a folder and then open the CitrixBase folder.
  2. In the CitrixBase folder, copy the file CitrixBase.admx to the clipboard.
  3. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the file.
  4. Go back to the Citrix Profile Management Group Policy Templates and copy CitrixBase.adml to the clipboard.
  5. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL. This is a subfolder of the PolicyDefinitions folder.

    • If you don’t have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions\en-US and paste the file. This is a subfolder of the PolicyDefinitions folder.

Group Policy Settings

  1. Edit a GPO that applies to all machines (VDAs) that have the Profile Management service installed.
  2. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management.
    • Note: if you did not install the CitrixBase.admx file, then you can find Profile Management directly under the Administrative Templates node instead of under Citrix Components.
  3. Enable the setting Enable Profile management. Profile Management will not function until this setting is enabled.
  4. If desired, enable the setting Process logons of local administrators.
  5. Enable Path to user store.
  6. Specify the UNC path to the folder share. An example path = \\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!

    1. Profile Versions– Different OS versions have different profile versions. Each profile version only works on specific OS versions. For example, you cannot use a Windows 7 profile (v2) on Windows 10 1607 (v6). The variables in the path above ensure that every unique profile version is stored in a unique folder. If users connect to multiple operating system versions, then users will have multiple profiles.
      1. Windows 10 Profile Versions – Windows 10 has two different profile versions. Windows 10 build 1511 and older use v5 profiles. Windows 10 build 1607 and newer use v6 profiles. v5 and v6 profile versions are incompatible so they should be separated.
      2. Resolved variables – With the example user store path shown above, if the user logs into Windows 2012 R2 RDSH, the profile folder will be \\server\share\user01\Win2012R2v4. If the user logs into 64-bit Windows 10 build 1607, the profile folder will be \\server\share\user01\Win10RS1v6.
      3. Windows 10 v6 vs Windows 2016 v6 – Both Windows 10 (1607 and newer) and Windows Server 2016 use v6 profiles. Do you want to use the same profile for both platforms? If so, remove !CTX_OSNAME! from the Path. Note: Windows 10 supports Store apps while Windows 2016 does not. If you’re allowing Store apps, then it’s probably best to use different profiles for both OS platforms.
      4. Windows 2012 R2 warning: in older versions of Citrix Profile Management, !CTX_PROFILEVER! recognizes Windows 2012 R2 as v2, which isn’t correct. v2 is Windows Server 2008 R2, while Windows Server 2012 R2 is v4. The profile version bug was fixed in Profile Management 5.4 and newer. If you have existing Windows 2012 R2 profiles based on the !CTX_PROFILEVER! variable set to v2, then your profiles might stop working after you upgrade to 5.4 or newer. See for more details.
    2. Windows 10 and !CTX_OSNAME!: Profile Management sets !CTX_OSNAME! to different strings for different Windows operating system versions, especially different versions of Windows 10: (RS = Redstone, which is a Microsoft codeword)
      • Windows Server 2019 sets !CTX_OSNAME! to Win2019v6.
      • Windows Server 2016 sets !CTX_OSNAME! to Win2016v6.
      • Windows 10 version 1903 and 1909 set !CTX_OSNAME! to Win10RS6.
      • Windows 10 version 1809 sets !CTX_OSNAME! to Win10RS5.
      • Windows 10 version 1803 sets !CTX_OSNAME! to Win10RS4.
      • Windows 10 version 1709 sets !CTX_OSNAME! to Win10RS3.
      • Windows 10 version 1703 sets !CTX_OSNAME! to Win10RS2.
      • Windows 10 version 1607 sets !CTX_OSNAME! to Win10RS1.
    3. If you use !CTX_OSNAME! in your profile store path, then different CTX_OSNAMEs will have different profiles, which means users will lose their profile settings whenever you upgrade Windows 10.
      • Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can alleviate this problem.
    4. Multiple Domains – If you have multiple domains, in the user profile store path, change #SAMAccountName# to %username%.%userdomain% (e.g. \\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!). That way you can have the same account name in multiple domains and each account will have a different profile.
    5. Hard Code Store Path – Instead of using variables, you can specify a hard coded path. However, the profile incompatibility restrictions listed above still apply. To avoid applying a single profile across multiple operating system versions, place VDAs with different OS versions in different OUs, and then use different Profile Management GPOs on those OUs to specify different Profile Management user store paths.
    6. Migrate User Store – Profile Management 1909 and newer can move profiles from an old profile path to a new profile path.

    7. User-level overrides – Profile Management 2305 and newer support user-level overrides. First, configure Enable user-level policy settings under Advanced Settings. Then add registry keys for user group SIDs with override settings. See Enable and configure user-level policy settings at Citrix Docs.

  7. Disable Active write back. This feature places additional load on the file server and is only needed if users login to multiple machines concurrently and need mid-session changes to be saved, or if users never log off from their sessions. Note: if you don’t disable this, then it is enabled by default.

    1. Profile Management 2303 and newer have an option to only perform Active write back on session lock and disconnection.
  8. On the left, go to the Advanced settings node.
  9. If you use Microsoft Teams 2.1 or newer, and Teams is installed per machine, then simply make sure Profile Management is version 2402 or newer. See Enable roaming for the new Microsoft Teams at Citrix Docs.
  10. Enable the setting Process Internet cookie files on logoff. This is probably only for Internet Explorer.
  11. The Replicate user stores setting replicates to multiple file shares. Note: this slows down logoffs. Profile Management 2209 and newer supports replicating profile containers. This feature seems to use robocopy.exe.
  12. Customer Experience Improvement Program (CEIP) is enabled by default. It can be disabled here.
  13. See for additional places where CEIP is enabled.
  14. Profile Management 2206 adds Enable asynchronous processing for user Group Policy on logon. This might speed up logons. This feature requires you to disable Always wait for the network at computer startup and logon and enable Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services. More details at Citrix Docs.
  15. Profile Management 2311 and newer support Enable OneDrive container. It works the same way as search index roaming as detailed next. See Citrix Tech Zone Deployment Guide: Citrix Profile Management – OneDrive Container.
  16. Profile Management 7.18 and newer have Enable search index roaming for Outlook.

Notes on Outlook OST and Search roaming:

  1. Microsoft FSLogix is another Outlook search index roaming product that is now free. For details, see the FSLogix section in the computer group policy article.
  2. Profile Management 1906 and newer support 64-bit Outlook 2016 and Office 2019.
  3. VDA 1906 or newer are recommended for the bug fixes for this feature. You can upgrade the VDA without upgrading your Delivery Controllers.
  4. After the first user logon, Profile Management 1811 and newer creates a template VHDX file in a folder named UpmVhd at the root of the user store. The template file is copied to new users, thus speeding up VHDX creation.

  5. In the user’s profile location, a new folder called VHD is created.

    • You can override the VHDX path by configuring Customize storage path for VHDX files as detailed at Citrix Docs.
  6. Inside the \VHD\Win2016 folder are two new thin provisioned .vhdx files – one for OST, one for Search. The per-user .vhdx files are copied from the parent template.
  7. UPM grants Domain Computers Full Control of the VHDX files. Users must have Full Control to the Profile Share, and UPM Folder to be able to grant this permission. Modify permissions are not sufficient. (Source = Robert Steeghs The Citrix Profile management could not mount virtual disk)
  8. When the user logs into a Citrix session, the two VHDXs are mounted to %localappdata%\Microsoft\Outlook and %appdata%\Citrix\Search. This means that OST files and Search Indexes are stored in the VHDX instead of in the user’s profile.

  9. eastwood357 at Outlook OST and Search vhdx not unmounting after log off at Citrix Discussions says that the Profile Management Path to User Store must be all lower case or else the VHDX files will not unmount at logoff.
  10. Only enable this feature for users with new Outlook profiles. If the user already has an .ost file, then you’ll see an error about missing .ost when Outlook is launched.
  11. The Search roaming feature is only supported with specific versions of Windows Search service. Event Log will tell you if your Windows patches are too new.
  12. Profile Management 2206 and newer have an option for Enable concurrent session support for Outlook search data roaming.

    • In older Profile Management, VHDX files can only be mounted on one machine at a time. If you login to two VDAs, and if both try to mount the same VHDX files, then you’ll see errors in Event Viewer.
  13. Search Index Backup – Profile Management 1909 and newer have a GPO setting named Outlook search index database – backup and restore that can provide automatic recovery of the search index if it becomes corrupted. The backup consumes more of the available storage space of the VHDX files.
  14. For a detailed explanation of how the per-user Search Index works, see CTX235347 Citrix Profile Management: VHDX-based Outlook cache and Outlook search index on a user basis.
  15. Profile Management 2109 and newer can Automatically reattach detached VHDX disks. In Profile Management 2203 and newer, it’s available as a group policy setting under the Profile Management | Advanced Settings node.
  16. Profile Management 2303 and newer have a Profile Container GPO setting to Enable VHD disk compaction on user logoff. See Citrix Docs.

    • Additional disk compaction settings can be found under Advanced Settings.
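
The user store path variables from the DFS Namespace section and from the Path to user store step can be previewed against a list of users before rollout. This PowerShell is an added example, not Citrix code and not from the original article: it only substitutes the #attribute#, %variable% and !CTX_OSNAME!/!CTX_PROFILEVER! tokens from sample data, the function names are hypothetical, and the PARTNER domain, user02, user03 and the Dallas and Denver locations are constructed.

```powershell
# Added example, not Citrix code: substitutes path tokens from sample data only.
# It does not query Active Directory or call Profile Management.
function Resolve-UserStorePath {
    param(
        [string]    $Template,
        [hashtable] $Attributes,   # AD attributes, used for #name#
        [hashtable] $Environment,  # session variables, used for %name%
        [hashtable] $Citrix        # Profile Management variables, used for !name!
    )
    $tables  = @{ '#' = $Attributes; '%' = $Environment; '!' = $Citrix }
    $missing = New-Object 'System.Collections.Generic.List[string]'
    $expand  = [System.Text.RegularExpressions.MatchEvaluator] {
        param($m)
        $value = [string]$tables[$m.Groups['d'].Value][$m.Groups['name'].Value]
        if ([string]::IsNullOrWhiteSpace($value)) {
            $missing.Add($m.Value)   # leave the token visible in the preview
            return $m.Value
        }
        return $value
    }
    $path = [regex]::Replace($Template, '(?<d>[#%!])(?<name>\w+)\k<d>', $expand)
    [pscustomobject]@{ Path = $path; Missing = $missing.ToArray() }
}

function Test-UserStoreLayout {
    param([string]$Template, [object[]]$Users, [string[]]$DfsFolders, [hashtable]$Citrix)
    $rows = foreach ($u in $Users) {
        $r = Resolve-UserStorePath -Template $Template -Attributes $u.Attributes `
                 -Environment $u.Environment -Citrix $Citrix
        [pscustomobject]@{
            Identity = "$($u.Environment.userdomain)\$($u.Environment.username)"
            Location = $u.Attributes.l
            Path     = $r.Path
            Missing  = $r.Missing
        }
    }
    foreach ($row in $rows) {
        if ($row.Missing) {
            # For example a user whose l attribute was never set.
            "UNRESOLVED    $($row.Identity): $($row.Missing -join ', ') in $($row.Path)"
        } elseif ($Template -match '#l#' -and $row.Location -notin $DfsFolders) {
            # The l value must match a DFS folder name, otherwise no file server is linked.
            "NO DFS FOLDER $($row.Identity): '$($row.Location)' in $($row.Path)"
        }
    }
    # Two different accounts that resolve to the same folder would share one profile path.
    $rows | Group-Object Path | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        "COLLISION     $($_.Name) <- $($_.Group.Identity -join ', ')"
    }
}

# Sample data. user01, Omaha, Win2016 and v6 come from the article's resolved example;
# everything else is constructed for this illustration.
$citrix     = @{ CTX_OSNAME = 'Win2016'; CTX_PROFILEVER = 'v6' }
$dfsFolders = @('Omaha', 'Dallas')
$users = @(
    @{ Attributes  = @{ sAMAccountName = 'user01'; l = 'Omaha' }
       Environment = @{ username = 'user01'; userdomain = 'CORP' } }
    @{ Attributes  = @{ sAMAccountName = 'user01'; l = 'Omaha' }      # same name, second domain
       Environment = @{ username = 'user01'; userdomain = 'PARTNER' } }
    @{ Attributes  = @{ sAMAccountName = 'user02'; l = '' }           # l attribute not set
       Environment = @{ username = 'user02'; userdomain = 'CORP' } }
    @{ Attributes  = @{ sAMAccountName = 'user03'; l = 'Denver' }     # no DFS folder with this name
       Environment = @{ username = 'user03'; userdomain = 'CORP' } }
)

$dfsTemplate   = '\\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!'
$multiTemplate = '\\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!'
foreach ($t in $dfsTemplate, $multiTemplate) {
    "Template: $t"
    Test-UserStoreLayout -Template $t -Users $users -DfsFolders $dfsFolders -Citrix $citrix
}
```

With the #SAMAccountName# template, the two user01 accounts from different domains resolve to the same folder; the %username%.%userdomain% template keeps them apart.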

Exclusions, Synchronization, and Mirroring

  1. Profile Management 2209 and newer have File Deduplication > Files to include in the shared store for deduplication. You must specify which files to delete from each user’s profile and instead store in a shared location. See Citrix Docs. Profile Management 2311 supports file deduplication of profile containers.
  2. Under the File system node in the Group Policy Editor, enable the setting Enable Default Exclusion List – directories.
  3. You can use checkboxes to not exclude some folders.
  4. Then edit Exclusion list – directories.
  5. Enable the setting, and click Show.

  6. For Edge Chromium, see Avanite Roaming Edge Chromium.
  7. For Chrome, use the same list as Edge but change \Microsoft\Edge to \Google\Chrome.
  8. Add the following to the list.
    AppData\Local\Microsoft\Internet Explorer\DOMStore
    AppData\Local\Google\Software Reporter Tool
    AppData\Roaming\Microsoft\Teams\Service Worker\CacheStorage
    AppData\Roaming\Microsoft\Teams\Application Cache
  9. Newer versions of Office Click-to-run let you roam the shared computer activation licensing token. See Overview of shared computer activation for Office 365 ProPlus and search for “roam”. The licensing tokens also last 30 days instead of 2-3 days. Source = Rick Smith in the comments. Ideally you should have ADFS integration so users can seamlessly re-activate Office.
  10. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING.
  11. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of exclusions for IE in Enterprise Mode.
    appdata\local\microsoft\internet explorer\emieuserlist
    appdata\local\microsoft\internet explorer\emiesitelist
    appdata\local\microsoft\internet explorer\emiebrowsermodelist
  12. Then click OK twice to return to the Group Policy Editor.
  13. usrclass.dat*.
    1. Profile Management 1909 and newer automatically include usrclass.dat* in the Files to Synchronize. UPM 2103 and newer add it for Windows 10 but not for RDSH. If added to the exclusion list, then Profile Management 1909 and newer automatically removes it from the exclusion list. See Start menu roaming at Citrix Docs.
    2. usrclass.dat* contains file type associations. For roaming file type associations, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
  14. Clean up excluded folders – If you add to the exclusions list after profiles have already been created, Profile Management 5.8 has a feature that can delete the excluded folders at next logon. See To enable logon exclusion check at Citrix Docs. In Profile Management 7.15 and newer, Logon Exclusion Check is configurable in group policy under the File System node.

    1. Also see Muralidhar Maram’s post at Citrix Discussions for a tool that will clean up the existing profiles.
    2. Also see Jeremy Sprite Clean Citrix UPM Profiles.

Directories to Synchronize

  1. Under the File System\Synchronization node in the Group Policy Editor you can configure which profile folders should be synchronized that have otherwise been excluded.
  2. Edit the setting Directories to synchronize.
  3. Enable the setting, and click Show.
  4. Profile Management 7.16 Fixed Issues says that AppData\Local\Microsoft\Windows\Caches should be synchronized. Also see CTX234144 Start Menu Shows Blank Icons on VDA 7.15 LTSR CU1/7.16/7.17 with UPM Enabled.
  5. CTX489573 Office 365 – Account Error: Sorry, we can’t get to your account right now says that Appdata\local\microsoft\identitycache should be synchronized.
  6. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming as detailed at CTX124948 How to Configure Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.

  7. Start Menu and File Type Associations:
    1. If Windows 10 1703 or newer, see James Rankin Roaming profiles and Start Tiles (TileDataLayer) in the Windows 10 1703 Creators Update for information on the new location for Tile data. Citrix Profile Management 5.8 and newer should handle this automatically.
    2. See David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks.
    3. To roam Start Menu and/or File Type Associations in Windows 10 or Windows Server 2016, see CTX214754 Error “An app default was reset” after signout and Logon in Citrix UPM for info on why this is difficult.
    4. Instead of roaming usrclass.dat, you can export/import HKCU\SOFTWARE\Classes\Applications as described by Christoph Kolbicz at User File Type Association Roaming on Server 2016 with Citrix User Profile Manager.
    5. Daniel Feller at Sync the Windows 10 Start Menu in VDI says that configuring SettlementPeriodBeforeAutoShutdown might improve reliability of Start Menu roaming, assuming users log out of the virtual desktop instead of rebooting the virtual desktop. On a Delivery Controller, open PowerShell, and run the following:
      # Load the Citrix snap-ins (asnp is the alias for Add-PSSnapin)
      Add-PSSnapin Citrix.*
      Set-BrokerDesktopGroup -Name "NAME_OF_DESKTOP_GROUP" -SettlementPeriodBeforeAutoShutdown 00:00:15
    6. With VDA 7.15 Update 1, the icons on the Start Menu of Windows 2012 R2 and Windows 2016 are sometimes blank.

  8. Click OK twice.

Files to Synchronize

  1. Edit Files to synchronize.
  2. Enable the setting, and click Show.

  3. Add the following three entries so Java settings are saved to the roaming profile:
  4. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preferences
  5. Citrix’s Start Menu Roaming documentation says that Appdata\Local\Microsoft\Windows\UsrClass.dat* should be added to the list. Profile Management 1909 and newer automatically add Appdata\Local\Microsoft\Windows\UsrClass.dat* to the Files to Synchronize list.

    • You can disable the automatic inclusion of these folders by enabling the setting Disable automatic configuration located under Advanced Settings.
  6. Then click OK twice to return to the Group Policy Editor.

Folders to mirror

  1. Under File System, in the Synchronization node, enable the setting Folders to mirror.
  2. Enable the setting, and click Show.

  3. Add the following:
    AppData\Local\Google\Chrome\User Data\Default
  4. Click OK.
  5. Profile Management 2106 and newer have a setting called Accelerate folder mirroring that stores the mirrored folders in a VHDX file instead of copying back and forth at login and logoff.

    • UPM creates a folder named MirrorFolders in the user’s UPM path and creates a couple thin-provisioned VHDX files in that path.
    • Disk Management shows that the mounted Diff disk has a 50 GB capacity limit.
    • Logging into multiple sessions concurrently results in multiple Diff disks.
    • If the file server is unavailable then unpredictable behavior occurs. After the file server is back up, the session continues to misbehave and won’t recover until users log off and log back on. Plan for file server high availability that can handle always-open VHDX files. DFS won’t help you.
    • Profile Management 2109 and newer can Automatically reattach detached VHDX disks.
  6. According to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Configuration > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder.

Profile Container

  1. Profile Management 1903 and newer have a Profile container setting.
    • In Profile Management 2009 and newer, the Profile container setting moved to its own node.
    • In older versions of Profile Management, Profile Container is located under File System | Synchronization.
  2. Click the Show button to specify profile paths that should be placed in the mounted file share profile disk (VHDX file) instead of copied back and forth at logon and logoff.
    • In Profile Management 2009 and newer, you can specify * to put the entire profile in the Container. Then use the other two settings to exclude folders from the Container. See Profile Container at Citrix Docs.

    • In Profile Management older than version 2009, this setting is for large cache files (e.g. Citrix Files cache) and is not intended for the entire profile.
  3. Profile Management 2103 and newer have a setting to Enable local caching for profile containers. Combine this with Profile Streaming for faster logons. The entire profile should be stored in the profile container.
  4. Profile Management 2311 and newer can Log off users when profile container is not available during logon.
  5. On the left, under Advanced Settings, Profile Management 2103 and newer have a setting to Enable multi-session write-back for profile containers. This setting applies to both UPM Profile Container and Microsoft FSLogix Profile Container. If the same user launches multiple sessions on different machines, changes made in each session are synchronized and saved to the user’s profile container disk.
  6. Profile Management 2109 and newer can Automatically reattach detached VHDX disks.
  7. Citrix recommends using Profile Container for Microsoft Teams.
  8. See CTX247569 Citrix Profile Management: Troubleshooting Profile Containers.
  9. Profile Management 2209 and newer can replicate the profile container to multiple shares. 
  10. Profile Management 2308 and newer can auto-expand the container.

    • Advanced settings node has additional auto-expansion settings.
  11. On the CVAD 2311 and newer ISO, at \x64\ProfileManagement\Tools is a script that can migrate profiles from FSLogix to Citrix Profile Container. Prior to CVAD 2311 the Tools folder is not on the CVAD ISO but is instead included with the separately downloaded Profile Management. See Migrate user profiles at Citrix Docs.

Registry Exclusions

  1. On the left, under Profile Management, click Registry.
  2. On the right, open Enable Default Exclusion List.
  3. Enable the setting. You can use the checkboxes to control which registry keys you don’t want to exclude.
  4. According to Citrix CTX221380 Occasionally, File Type Association (FTA) Fails to Roam with Profile Management 5.7 on Windows 10 and Windows Server 2016, Software\Microsoft\Speech_OneCore should be unchecked. Click OK.
  5. The setting Exclusion List under Registry lets you exclude registry keys from the roaming profile.
  6. Nick Panaccio in the comments says that if Office with ADFS constantly prompts for login, then you should exclude the following:
  7. Nick Panaccio at IE11 Enterprise Mode and UPM at Citrix Discussions has a list of registry exclusions for IE in Enterprise Mode.
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieUserList
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieSiteList
  8. Click OK when done.
  9. For the NTUSER.DAT backup setting, which is disabled by default, you can enable it to provide some resiliency against profile corruption.

Log Settings

  1. In the Log Settings node, enable the Enable logging setting. This will make it easy to troubleshoot problems with Profile Management. The logfile is located in C:\Windows\System32\LogFiles\UserProfileManager.
  2. Edit the Log settings setting.
  3. Enable the setting and check the boxes next to Logon and Logoff. Click OK.
  4. If your VDA is a Provisioning Services Target Device and/or non-persistent, consider moving the log file to the local persistent disk (e.g. D:\Logs), or to a central share. If a central share, the VDA computer accounts (e.g. Domain Computers) will need Modify permission to the log file path. To change the log file path, edit the Path to log file setting.

  5. CTX123005 Citrix UPM Log Parser
  6. CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

Profile Streaming

  1. Go to the Profile handling node under Profile Management.
  2. Profile Management 1909 and newer have a setting called Automatic migration of existing application profiles under Profile Handling that can migrate existing profiles when you upgrade the version of Windows 10. This setting requires the !CTX_OSNAME! variable in your profile store path.
  3. Enable the setting Delete locally cached profiles at logoff. Note: this might cause problems in Windows 10.

    Helge Klein has a tool to delete locally cached profiles on a session host. This tool should only be needed if profiles are not deleting properly.
  4. For Windows 10/2016 machines, CTX216097 Unable to Delete NTUSER.DAT* Files When a User Logs off recommends setting Delay before deleting cached profiles to 40 seconds.

  5. Enable the setting Migration of existing profiles and set it to Local and Roaming. See Citrix CTX221564 UPM doesn’t migrate local user profile since version 5.4.1.

  6. Enable the setting Local profile conflict handling, and set it to Delete local profile. Note: this might cause problems on Windows 10.

  7. For fastest logons, Citrix recommends Profile streaming + Enable profile streaming for folders + Accelerate folder mirroring all enabled, or only enable Profile Container for the entire user profile. More details at CTX463658 Reduce logon time with Profile Management.
    1. Under Profile Management > Streamed user profiles is Profile streaming. Enable this setting to speed up logons.
    2. Profile Management 2103 and newer have a setting to Enable profile streaming for folders, which should speed up logons. In Profile Management 2402 and newer, profile streaming for folders is enabled by default.
    3. Profile Management 2106 and newer have a setting under File System > Synchronization called Accelerate folder mirroring that stores the mirrored folders in a VHDX file instead of copying back and forth at login and logoff.
    4. Profile Management 2206 adds Enable profile streaming for pending area. Enable this setting if users run multiple Citrix sessions concurrently and you have Active Write Back enabled.
  8. Profile Management 7.16 and newer have a XenApp Optimization (aka Citrix Virtual Apps Optimization) feature, which uses Microsoft UE-V templates to define specific settings that should be saved and restored at logoff and logon. See George Spiers XenApp Optimization (new in CPM 7.16+) for details.

  9. After modifying the GPO, use Group Policy Management Console to update the VDAs.
  10. Or run gpupdate /force on the VDAs, or wait 90 minutes.

App Access Control

Profile Management 2303 and newer support app access control. This is similar to FSLogix App Masking.

Citrix WEM Cloud Service has a GUI-based Rule Generator.

  1. In Citrix Cloud, go to Workspace Environment Management. 
  2. Switch to the Utilities tab, find WEM Tool Hub, and click Download.
  3. Extract the WEM Tool Hub and run Citrix.WEM.AdminToolHub.exe.
  4. Click Rule Generator for App Access Control.
  5. Click Create app rule.
  6. Click Scan to select an app installed on the local machine.
  7. The tool scans the selected app and automatically adds rules for the app. Click Add when done.
  8. Give the app a name and click Next.
  9. Assign the rule to users, computers, or processes. Click Done.
  10. Select the app rules and click Generate raw data.
  11. Click Save to file.
  12. Use WEM or Group Policy to push the string to the VDAs. App Access Control is currently a preview feature. Enable it in Citrix Cloud > Workspace Environment Management > Manage > Web Console > Home page > Preview features.

  13. Then edit a Configuration Set. Go to Profiles > Profile Management Settings and find App access control. Browse to the .rule file saved earlier.

If you don’t have access to WEM Cloud, then the PowerShell Rule Generator is on the CVAD 2311 or newer ISO under \x64\ProfileManagement\Tools. Prior to CVAD 2311, the Tools folder is in the downloaded standalone Profile Management.

  1. The CPM_App_Access_Control_Config.ps1 PowerShell script is in the Tools folder.
  2. The Rule Generator script lists all locally installed apps and asks you to choose one.
  3. The tool auto-generates some rules for the app and asks you to edit the rules or go to the next step to manage assignments.
  4. You can assign groups that can view the app. When done, press 4 to generate the rules for deployment.
  5. The script can push the rules to a GPO. Or you can press 3 to generate the string that you then must configure yourself in the GPO.
  6. The GPO setting is at Computer Configuration | Policies | Administrative Templates | Citrix Components | Profile Management | App Access Control. Enable the setting named App access control and paste the string that the Rule Generator provided. 

Also see CTP James Rankin QuickPost – Citrix UPM App Access Control

Mandatory Profile – Citrix Method

Profile Management 5.0 and newer have a mandatory profile feature. Alternatively, use the Microsoft method. Also see CTP James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703).

  1. Create a file share (e.g. \\fs01\profile). Give Read permission to Users and Full Control to Administrators.
  2. Log in to the VDA machine as a template account. Do any desired customizations. Log off.
  3. Make sure you are viewing hidden files and system files.
  5. Copy C:\Users\%username% to your fileshare. Name the folder Mandatory or something like that. Citrix Profile Management does not need .v2 or .v4 or .v6 on the end.

    1. You can copy C:\Users\Default instead of copying a template user. If so, remove the Hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  6. Open the AppData folder and delete the Local and LocalLow folders.
  7. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the file, the exception.sites file, and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  8. Open regedit.exe.
  9. Click HKEY_LOCAL_MACHINE to highlight it.
  10. Open the File menu and click Load Hive.
  11. Browse to the mandatory profile and open NTUSER.DAT. Note: Citrix Profile Management does not use NTUSER.MAN and instead the file must be NTUSER.DAT.
  12. Name it a or similar.
  13. Go to HKLM\a, right-click it, and click Permissions.
  14. Add Authenticated Users and give it Full Control. Click OK.
  15. With the hive still loaded, you can do some cleanup in the registry keys. See and for some suggestions.
  16. Citrix CTX212784 Slow User Logon When Using Mandatory Profiles – set HKCU\a\Software\Citrix\WFSHELL\SpecialFoldersIntialized (DWORD) = 1
  17. Highlight HKLM\a.
  18. Open the File menu, and click Unload Hive.
  19. Go back to the file share and delete the NTUSER.DAT log files.
  20. Create/Edit a GPO that applies to the VDAs. Make sure the Citrix Profile Management policy template is loaded.
  21. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Profile Management > Profile handling. Edit the setting Template profile.
  22. Enable the setting and enter the path to the Mandatory profile.
  23. Check all three boxes. Then click OK.
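
The regedit portion of this procedure (load the hive, grant Authenticated Users Full Control, set the CTX212784 value, unload the hive, delete the hive log files) can also be scripted. The PowerShell below is an added example, not part of the original article or a Citrix tool; the function name is hypothetical, the mount name a and the share path come from the steps above, and it reads step 16 as applying to the loaded hive.

```powershell
#Requires -RunAsAdministrator
# Added example: scripts the regedit steps for a Citrix mandatory (template) profile.
# Assumes the template profile has already been copied to $ProfilePath.
# Set-MandatoryHivePermission is a hypothetical name, not a Citrix cmdlet.

function Set-MandatoryHivePermission {
    param(
        [Parameter(Mandatory)] [string] $ProfilePath,   # e.g. \\fs01\profile\Mandatory
        [string] $MountName = 'a'                       # hive is loaded as HKLM\a
    )

    $hiveFile = Join-Path $ProfilePath 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $hiveFile)) {
        throw "NTUSER.DAT not found in $ProfilePath (Profile Management does not use NTUSER.MAN)."
    }

    # File > Load Hive
    & reg.exe load "HKLM\$MountName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

    try {
        # Open the hive root with just enough rights to read and change its ACL.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
            $MountName,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]'ChangePermissions, ReadKey')
        try {
            # S-1-5-11 is the well-known SID for Authenticated Users.
            $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $sid,
                [System.Security.AccessControl.RegistryRights]::FullControl,
                [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
            $acl = $key.GetAccessControl()
            $acl.AddAccessRule($rule)
            $key.SetAccessControl($acl)

            # Read the ACL back and confirm the grant is present before unloading.
            $granted = $key.GetAccessControl().GetAccessRules(
                    $true, $false, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object {
                    $_.IdentityReference.Value -eq 'S-1-5-11' -and
                    $_.AccessControlType -eq 'Allow' -and
                    $_.RegistryRights -eq 'FullControl'
                }
            if (-not $granted) { throw 'Authenticated Users Full Control was not applied to the hive.' }
        }
        finally { $key.Close() }   # an open handle would block the unload

        # Step 16 (CTX212784), written into the loaded hive.
        & reg.exe add "HKLM\$MountName\Software\Citrix\WFSHELL" `
            /v SpecialFoldersIntialized /t REG_DWORD /d 1 /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg add failed with exit code $LASTEXITCODE" }
    }
    finally {
        # File > Unload Hive. Release any lingering .NET handles first.
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg unload failed; close regedit or other tools holding HKLM\$MountName and retry."
        }
    }

    # Delete the NTUSER.DAT log files left beside the hive.
    Get-ChildItem -LiteralPath $ProfilePath -Force -File |
        Where-Object { $_.Name -like 'NTUSER.DAT.LOG*' } |
        Remove-Item -Force
}

# Usage, with the share from step 1 and the folder name from step 5:
# Set-MandatoryHivePermission -ProfilePath '\\fs01\profile\Mandatory'
```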

Redirected Profile Folders

  1. Make sure loopback processing is enabled on your VDAs.
  2. Edit a GPO that applies to all VDA users, including Administrators.
  3. Go to User Configuration\Policies\Windows Settings\Folder Redirection. Right-click Documents, and click Properties.
  4. In the Setting drop down, select Basic.
  5. In the Target folder location drop down, select Redirect to the user’s home directory.
  6. Switch to the Settings tab.
  7. On the Settings tab, uncheck the box next to Grant the user exclusive rights. Click OK. Note: Move the contents to the new location might cause issues in some deployments.
  8. Click Yes to acknowledge this message.
  9. Right-click Desktop and click Properties.
  10. Change the Setting drop-down to Basic.
  11. Change the Target folder location to Redirect to the following location.
  12. In the Root Path box, enter %HOMESHARE%%HOMEPATH%\Desktop. It is critical that this is a UNC path and not a mapped drive. Also, since we’re using home directory variables, all users must have home directories defined in Active Directory.
  13. Switch to the Settings tab.
  14. Uncheck the box next to Grant the user exclusive rights to Desktop and click OK.
  15. Click Yes when prompted that the target is not a UNC path. You get this error because of the variable. It doesn’t affect operations.
  16. Repeat for the following folders:
    • Documents = Redirect to the User’s Home Directory
    • Desktop = %HOMESHARE%%HOMEPATH%\Desktop
    • Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites
    • Downloads = %HOMESHARE%%HOMEPATH%\Downloads
  17. Redirect the following folders but set them to Follow the Documents folder.
    • Pictures
    • Music
    • Videos

Folders not redirected will be synchronized by Citrix Profile Management.

Verify Profile Management

  1. Once Profile Management is configured, log in to a Virtual Delivery Agent and run gpupdate /force.
  2. Log off and log back in.
  3. Go to C:\Windows\System32\LogFiles\UserProfileManager and open the pm.log file. Look in the log for logon and logoff events.
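
When reading pm.log by hand gets tedious, the same check can be scripted. The PowerShell below is an added example, not from the original article or a Citrix tool: it lists logon/logoff markers, collapses repeated errors, and reports pauses between consecutive entries on the same thread. The field layout is inferred from log lines quoted elsewhere on this page, the sample lines are constructed, and the function names and the logoff marker text are assumptions.

```powershell
# Added example. Field layout inferred from pm.log lines quoted on this page:
#   date;time;severity;domain;user;session;thread;Routine: message
# Sample lines are constructed; the "Starting logoff processing" text is assumed.
$sampleLog = @'
2024-04-30;08:01:12.112;INFORMATION;;;1;648;DispatchLogonLogoff: ---------- Starting logon processing...
2024-04-30;08:01:12.143;INFORMATION;CONTOSO;user1;1;648;DispatchLogonLogoff: UserSID = S-1-5-21-1111111111-2222222222-3333333333-1001
2024-04-30;08:01:19.784;INFORMATION;CONTOSO;user1;1;648;CheckIfUserNeedsToBeProcessed: Logon/logoff will be processed.
2024-04-30;17:30:05.000;INFORMATION;CONTOSO;user1;1;6324;DispatchLogonLogoff: ---------- Starting logoff processing...
2024-04-30;17:30:05.861;ERROR;CONTOSO;user1;1;6324;CJitThreadInfo::SaveChangedFiles: failed to copy 'AppData\Local\Example\cache.bin' to the userstore. Error 0x3: Cannot find the specified path.
2024-04-30;17:30:05.877;ERROR;CONTOSO;user1;1;6324;CJitThreadInfo::SaveChangedFiles: failed to copy 'AppData\Local\Example\cache.bin' to the userstore. Error 0x3: Cannot find the specified path.
this line is truncated and must be skipped
'@ -split "`r?`n"

function ConvertFrom-UpmLogLine {
    param([Parameter(ValueFromPipeline)] [string] $Line)
    process {
        $f = $Line.Split(';', 8)          # the message itself may contain ';'
        if ($f.Count -ne 8) { return }    # skip blank, wrapped or truncated lines
        $ts = [datetime]::MinValue
        $ok = [datetime]::TryParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss.fff',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$ts)
        if (-not $ok) { return }
        # Routine names can contain '::', so split on the first colon followed by a space.
        $sep = $f[7].IndexOf(': ')
        [pscustomobject]@{
            Time     = $ts
            Severity = $f[2]
            Domain   = $f[3]
            User     = $f[4]
            Session  = $f[5]
            Thread   = $f[6]
            Routine  = if ($sep -gt 0) { $f[7].Substring(0, $sep) } else { '' }
            Message  = if ($sep -gt 0) { $f[7].Substring($sep + 2) } else { $f[7] }
        }
    }
}

function Get-UpmLogSummary {
    param(
        [string[]] $Lines,
        [double] $GapSeconds = 5,       # report pauses at least this long
        [double] $MaxGapSeconds = 120   # ignore idle time between separate sessions
    )
    $entries = @($Lines | ConvertFrom-UpmLogLine)

    # 1. Logon and logoff markers.
    $markers = @($entries | Where-Object { $_.Message -match 'Starting (logon|logoff) processing' })

    # 2. Errors and warnings, with identical repeats collapsed into one row.
    $problems = @($entries |
        Where-Object { $_.Severity -in 'ERROR', 'WARNING' } |
        Group-Object User, Routine, Message |
        ForEach-Object {
            [pscustomobject]@{
                Count   = $_.Count
                First   = $_.Group[0].Time
                User    = $_.Group[0].User
                Routine = $_.Group[0].Routine
                Message = $_.Group[0].Message
            }
        })

    # 3. Pauses between consecutive entries written by the same session and thread.
    $gaps = foreach ($t in ($entries | Group-Object Session, Thread)) {
        $prev = $null
        foreach ($e in ($t.Group | Sort-Object Time)) {
            if ($prev) {
                $delta = ($e.Time - $prev.Time).TotalSeconds
                if ($delta -ge $GapSeconds -and $delta -le $MaxGapSeconds) {
                    [pscustomobject]@{
                        At      = $prev.Time
                        Seconds = [math]::Round($delta, 3)
                        After   = $prev.Routine
                        Before  = $e.Routine
                        User    = $e.User
                    }
                }
            }
            $prev = $e
        }
    }

    [pscustomobject]@{ Markers = $markers; Problems = $problems; Gaps = @($gaps) }
}

$summary = Get-UpmLogSummary -Lines $sampleLog
$summary.Markers  | Format-Table Time, Thread, Message -AutoSize
$summary.Problems | Format-Table Count, First, User, Routine, Message -AutoSize -Wrap
$summary.Gaps     | Format-Table -AutoSize

# On a VDA (the wildcard assumes the file name may carry a prefix before pm.log):
# Get-UpmLogSummary -Lines (Get-Content 'C:\Windows\System32\LogFiles\UserProfileManager\*pm.log')
```

The log records user names and SIDs, so treat the parsed output with the same care as the log file itself when copying it off the VDA.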

Profile Management Troubleshooting

UPM Troubleshooter

Citrix Blog Post – UPM Troubleshooter: UPM Troubleshooter is a standalone Windows application that examines a live User Profile Management-enabled system in a single click. It reports the Profile Management configuration and the Citrix products installed, can collect and send logs, and includes a system utilities dashboard to help analyze the issue. See the blog post for more details.

Profile Management Configuration Check Tool

UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines whether it is optimally configured. UPMConfigCheck is designed to verify that Profile management has been configured optimally for the environment in which it is being run, taking into account:

  • Hypervisor Detection – The presence or absence of supported hypervisors (for example, Citrix XenServer, VMware vSphere, or Microsoft Hyper-V)
  • Provisioning Detection – The presence or absence of a supported machine-provisioning solution (for example, Machine Creation Services or Provisioning Services)
  • XenApp or XenDesktop – Whether it is running in a XenApp or a XenDesktop environment
  • User Store – Determines that the expanded Path to User Store exists.
  • WinLogon Hooking Test – Verifies that Profile management is correctly hooked into WinLogon processing. This test is for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and requires the user running the Configuration Check Tool to have permission to access the relevant registry keys, or an error may be returned.
  • Verify Personal vDisk enabled / disabled – Whether the Personal vDisk feature of XenDesktop is enabled
  • Miscellaneous – Other factors that it is able to determine through registry or WMI queries, such as whether the computer running Profile management is a laptop

Profile Size

Sacha Thomet at Monitor you Profile directories has a script that displays the size of profiles in a profile share.

Log Parser

CTX123005 Citrix UPM Log Parser

View Log Files using Excel

CTX200674 How To: Review Profile Management Log Files using Microsoft Excel 

1,120 thoughts on “Citrix Profile Management 2402”

  1. Hi Carl,

    I have this error on Logoff.

    *** UPM Log ***

    2019-05-30;13:15:05.861;ERROR;CONTOSO;simone;1;6324;GetFileAttributesAPIWrapper: GetFileAttributes of failed with: Cannot find the specified path.
    2019-05-30;13:15:05.861;ERROR;CONTOSO;simone;1;6324;CJitThreadInfo::SaveChangedFiles: failed to copy ‘AppData\Local\Microsoft\Windows\UPPS\UPPS.bin’ to the userstore. Error 0x3: Cannot find the specified path.
    2019-05-30;13:15:05.877;ERROR;CONTOSO;simone;1;6324;GetFileAttributesAPIWrapper: GetFileAttributes of failed with: Cannot find the specified path.
    2019-05-30;13:15:05.877;ERROR;CONTOSO;simone;1;6324;CJitThreadInfo::SaveChangedFiles: failed to copy ‘AppData\Local\Microsoft\Windows\UPPS\UPPS.bin’ to the userstore. Error 0x3: Cannot find the specified path.
    2019-05-30;13:15:05.955;ERROR;CONTOSO;simone;1;6324;GetFileAttributesAPIWrapper: GetFileAttributes of failed with: Cannot find the specified path.
    2019-05-30;13:15:05.955;ERROR;CONTOSO;simone;1;6324;CJitThreadInfo::SaveChangedFiles: failed to copy ‘AppData\Local\Microsoft\Windows\UPPS\UPPS.bin’ to the userstore. Error 0x3: Cannot find the specified path.

    My Environment:
    I have Citrix XenDesktop 7.15 CU3 and I use Citrix UPM
    VDA client is Windows 10 LTSC 2019

    Is it correct to exclude the folder AppData\Local\Microsoft\Windows\UPPS from GPO of UPM?

    Best Regards and thanks for your tutorials.

  2. Hi Carl, the Windows welcome screen is showing up every time I launch a VDI, although I implemented the profile management. Would you please advise?

  3. Hi Carl, question in regards to WEM using if and then statements during login similar to the way AppSense does it.

    For example, if a user logs in and AppSense detects their AD home drive, it will then set their store path accordingly, but unfortunately all of our users do not have Home Drives identified in Active Directory, so we created a temp-share to act as their home drive until an AD home drive is created.
    So, in AppSense when the user logs in, AppSense checks user for an AD home drive, if one is not present it puts their store path to a temp-share we created, and every-time that user logs in, AppSense will check for an AD home drive, once one is detected, AppSense will set the new path and then migrate their data from their temp-share to their new home drive.

    Can WEM do this?

  4. FSlogix

    Hi Carl, can you do a write up on how we combine FSLogix with UPM, or do we just stop using UPM if going to FSLogix?

    As you know, FSLogix is now free to users with TS CALs and looks like the way to go.


    1. I do intend to write something on FSLogix but I don’t think it’s officially available from Microsoft yet.

      A common interaction is the Office 365 container from FSLogix and everything else handled by UPM.

      1. Download available at:

        I think 1st June is the official date to be available, but it’s linked to download in the MS doc above. It is the complete FSLogix Suite, so you can use the profile disks as well as the office disks.


  5. Hello

    (Sorry I do not speak English)
    I read your article your blog.

    I have several questions about an upcoming migration.

    Today we are in Xenapp 6.5 / 2008R2 (15 CTX servers) and a profile server (2008r2) for Windows GPO roaming profiles (with folder redirection)

    In the future we will move to Citrix apps / windows 2016 (25 CTX servers), in CPM + WEM (+ folder redirection) on a new server for profiles.

    During the migration phase (in several user batches) how to migrate the user folders (Desktop folder, Document, etc.) and the Roaming folder on the new server at the time of the migration?

    Do you have any advice?

    – Storage of VHD files for Outlook, can it store in a different location than the ctx profiles?

    1. If Folder Redirection is already configured, then simply point the new environment to the same folder redirection paths as the old environment.

      As for other files in the profile, write a logoff script in the old environment that saves files and registry keys to the user’s home directory. In the new environment, write a logon script to restore those files and registry keys. It’s basically the same process you use when you replace somebody’s PC.

      1. Hello Carl,

        Sorry I do not speak English.

        thank you for your answer, but the folder that currently contains the user folder will disappear because it will migrate to the new server (2016) so I do not point to old share.

        Do I have to prepare a script? to copy the files to another server?

  6. Hi Carl, on the point on “if Microsoft Credentials Roaming is enabled, then you should instead exclude these folders from roaming”, the screenshot following this line shows that it is a setting for list of directories to synchronise. May I check whether there is a typo?

    1. Credential Roaming is not normally enabled so UPM has to do it instead. However, if you enable the Microsoft feature named Credential Roaming, then you need to prevent UPM from roaming the credentials.

  7. Hi Carl! All these blogs are such a great read, so thanks for that!

    For the profile migration settings –
    You mentioned in UPM versions > 5.4 that migration is turned off by default. What exactly does this affect?

    I have a cluster of XenApp servers, some on 5.4 and some on 5.8, and a user store on a network drive.

    The 5.4 servers still have MigrateWindowsProfileToUserStore=1, while the 5.8 servers have MigrateWindowsProfileToUserStore=4.

    The configurations are identical outside of that.

    What pieces of the profile are NOT moving for the 5.8 firms that ARE moving for the 5.4 firms?

    Thanks again!

    1. 4 means None, while 1 means All (Local and Roaming). I think the migration is only from local profiles or Microsoft roaming profiles. If the user already has a Citrix profile, then that profile will be used. In your 5.8 configuration, the system no longer looks at the 5.4 profiles and thus they won’t be migrated.

  8. To process local Administrators, we have to deactivate the Setting (German Edition of the adm-template-File)!?. Logfile says with Setting activated “ReadPolicy: Configuration value read from Policy: ProcessAdmins=” and with deactivated “ReadPolicy: Configuration value read from Policy: ProcessAdmins=”. I wondered because it does not work for admin account until I changed the Setting to deactivated.

  9. Hi Carl, can you post the procedure for configuring the folder redirection policy for use with a UPM profile? This section only has the procedure for configuring the Windows roaming profile.


    1. I’ve tried to avoid that method because there’s no benefit over the built-in Microsoft method and I’ve seen problems with it.

  10. I haven’t seen this posted anywhere, but I’ve had a lot of fun troubleshooting roaming [ADFS SSO] Office 365 licensing in our non-persistent XD 7.15 environment. The initial logon is fine, but the next logon is always broken, with the user seeing an error message within an O365 app stating “There are problems with your account, please sign in to fix them”. The “Fix me” button prompts for authentication, but doesn’t solve the issue.

    What did solve the issue for me was making sure that the following CPM settings were in place, particularly the former:

    Exclusion list (registry):

    Exclusion list – directories:

    1. We got the same issues with the error message…

      Excluding both registry and directory didn’t seem to solve the issue.
      We get the error with activation it seems, even when it is a clean profile, because the exclamation mark isn’t shown right away.
      But when we sync the above folder the exclamation mark is there at the start.

      Any other things we can try?

  11. Hi Carl. Thanks for the detailed description.

    We are in process of parallel migration from legacy citrix (6.x and 7.x) to 7.15 LTSR. Can we use same UPM path(\\domain\ctxprofiles$\\%username%) for profiles as we have for legacy citrix or is it mandatory to have OS version (!CTX_OSNAME!) in profile path in mixed version of Windows OS.

    During migration phase, we will have mix OS (Win7 VDIs and XenApp hosts running in Windows 2012 and 2016).

    1. Microsoft (and Citrix) do not support using profiles for one OS Version (Profile version) with a different OS Version. It might work for you, but they won’t support it.

  12. Can’t figure out how to fix this UPM error:


    Mirror Folder

    *** Cookie folder ( AppData\Local\Microsoft\Windows\INetCookies AppData\Local\Microsoft\Windows\WebCache AppData\Roaming\Microsoft\Windows\Cookies ) should be correctly configured. Note that only two folders are currently configured correctly.

    This causes policy “process internet cookie file on logoff” not work.


    I have followed the guidance for the Mirror Folder list but still get this error.
    I can see the Cookies folder are missing “AppData\Roaming\Microsoft\Windows\Cookies”


  13. Any chance you’ve come across any risks of excluding “AppData\Local\Microsoft\Office\16.0\Wef” in CPM? I only ask because for O365 users, some of the files and subfolders in that folder are so long in name length that they can’t be deleted without first renaming them to be shorter.

  14. If we use Appsense, do we need to omit Citrix User Profile Manager from additional components when installing the VDA?

    1. UPM is disabled by default unless you enable it in a GPO. There’s no harm in installing it if you don’t enable it. I think some Director features, like Logon Duration, might need it installed.

  15. Hi Carl,
    I am using WEM 1811 and now Cisco Jabber is not saving user’s login credentials. I didn’t have this problem when I used UPM via GPO. Any idea what settings I need to change?

    1. All WEM does is set the same registry keys as GPO does. Maybe there’s a difference in the two configurations? You can check HKLM\Software\Policies\Citrix for the registry keys.

  16. What’s the recommendation for HA for the user profile store with Windows Server 2016 or Windows 2012 R2?

  17. Hi Carl,

    is it possible to understand why 7 seconds pass between the “DispatchLogonLogoff: UserSID” and the “DispatchLogonLogoff: Triggered policy”?

    *** UPM Log ***

    2019-04-05;10:45:57.112;INFORMATION;;;1;648;DispatchLogonLogoff: ———- Starting logon processing…
    2019-04-05;10:45:57.112;INFORMATION;;;1;648;IsRunningInTerminalServerSession: Workstation found. Console session.
    2019-04-05;10:45:57.143;INFORMATION;DOMAIN;simone;1;648;DispatchLogonLogoff: UserSID = S-1-5-21-3743287879-2542679456-3018104647-2250
    2019-04-05;10:46:04.784;INFORMATION;DOMAIN;simone;1;648;DispatchLogonLogoff: Triggered policy evaluation for
    2019-04-05;10:46:04.784;INFORMATION;DOMAIN;simone;1;648;DispatchLogonLogoff: Updated Group Policy Extension history for
    2019-04-05;10:46:04.784;INFORMATION;DOMAIN;simone;1;648;CheckUserExistsInGroup: No Entries Found In ExcludedGroups
    2019-04-05;10:46:04.784;INFORMATION;DOMAIN;simone;1;648;CheckUserExistsInGroup: No Entries Found In ProcessedGroups
    2019-04-05;10:46:04.784;INFORMATION;DOMAIN;simone;1;648;CheckIfUserNeedsToBeProcessed: Logon/logoff will be processed.
    2019-04-05;10:46:04.784;INFORMATION;DOMAIN;simone;1;648;GetUserStorePath: User Store: Path In: \\DOMAIN.local\public\Profile\%username%\!ctx_osname!.!ctx_profilever!

    *** Event Viewer ***

    INFORMATION,05/04/2019 10:46:16,Microsoft-Windows-GroupPolicy,1503,Nessuna,Elaborazione delle impostazioni Criteri di gruppo per l’utente completata. Sono state rilevate e applicate nuove impostazioni da 6 oggetti Criteri di gruppo.
    Warning,05/04/2019 10:46:09,Microsoft-Windows-GroupPolicy,1109,Nessuna,L’account utente è in una foresta diversa da quella dell’account computer. L’elaborazione dei Criteri di gruppo di un’altra foresta non è consentita. L’elaborazione dei Criteri di gruppo verrà eseguita in modalità Loopback Replace. L’ambito delle impostazioni dei criteri utente verrà determinato dalla posizione dell’oggetto computer in Active Directory. Le impostazioni verranno acquisite dalla configurazione utente di tali criteri.
    INFORMATION,05/04/2019 10:45:57,Microsoft-Windows-Winlogon,7001,(1101),Notifica di accesso utente per Analisi utilizzo software
    INFORMATION,05/04/2019 10:45:49,TdIca,1004,Nessuna,The Citrix ICA Transport Driver has received a connect request from
    INFORMATION,05/04/2019 10:45:47,TdIca,1002,Nessuna,The Citrix ICA Transport Driver is waiting for connections on port 2598.
    INFORMATION,05/04/2019 10:45:47,TdIca,1002,Nessuna,The Citrix ICA Transport Driver is waiting for connections on port 1494.
    INFORMATION,05/04/2019 10:45:47,TdIca,1000,Nessuna,The Citrix ICA Transport Driver has started.

    My Environment:
    I have Citrix XenDesktop 7.15 CU3 and I use Citrix UPM
    VDA client is Windows 10 LTSC 2019
    Computer Account (VDA Client) are joined Domain A
    User Account are joined Domain B

    Between Domain A and Domain B there is an External Two-Way trust

    Best Regards and thanks for your tutorials.

  18. Hi Carl
    I need to synchronize folder on C drive (permission to everybody) within non-persistent VDI W10 design. I tried profile container etc but looks like I can only synchronize folders inside my profile, any idea?

    1. One option is to create Logoff script to copy the files to home directory, and then a Logon script to restore the files.

      1. The folder can grow quite a lot, so it’s not a great solution. I’m just trying to avoid persistency atm.
        Do you have any script like this that you could share?

        1. I would try SymLinks (symbolic links).
          There’s a command-line tool called mklink.exe included in Windows, which allows you to do that. Normally, only local symbolic links are allowed. You would have to configure the GPO “Selectively allow the evaluation of a symbolic link” in HKLM\Computer Configuration\Administrative Templates\System\Filesystem\NTFS

          This would mean, that no file is getting copied, but instead, the user would directly work on the fileshare, which looks to be locally.

          I did not test it, but I think it’s worth a try 😉

          BR, Christian

  19. I think for our new environment we are building specific to XenApp and not XenDesktop, Profile Management may be a little easier(?). Deciding to store the profile on each users Home directory set in their account in Active Directory. If we have a single farm that contains a production instance of an Application and a test instance of the same application but on a different set of servers, how will UPM break that out if it is saving AppData and HKU registry settings in home folder? Would there be a risk of profile settings from those servers merging into a single profile on the users home folder causing application errors? Is there a way to break out UPM to save a production file in one folder for the Production Application and in another folder for the Test application?

    1. You can configure GPO to specify a different path for each Delivery Group. If you don’t prefix the path with \\, then UPM assumes it is a path relative to the user’s home directory.

  20. Hi Carl,
    I’m testing Chrome on Windows 2016 + XD 7.15 + UPM + WEM. I installed Chrome Enterprise and am managing the settings through GPO. Have you checked managing Chrome-related roaming data in this way? I guess after this, mirroring from appdata\local won’t be required. Would love to hear your side of testing.

    Deepak Kumar

  21. Hi Carl,

    for folder redirection you advise to change group policies in

    User Configuration\Policies\Windows Settings\Folder Redirection

    In Citrix Docs I read that I should do this in

    User Configuration > Policies > Administrative Templates > Citrix > Profile Management > Folder Redirection

    We are setting up an environment with XenDesktop 7.15.2000 LTSR on Windows Server 2016 with VDAs running Windows 10.

    We tried to activate folder redirection in Citrix > Profile Management. That didn’t work at all.

    Now we will give Windows Settings\Folder Redirection a chance.

    But what’s the difference? Is there a best practice?

    Regards, Roland

    1. Windows GPOs apply to all Windows machines, not just Citrix. I would only consider the UPM settings for Folder Redirection if they did something that the native Windows policy settings do not. That’s not the case here.

  22. Hi Carl, firstly thanks for all the information. It’s very helpful. Secondly I have a question about the User profile store. Currently we are looking to use Citrix Cloud + AWS for workload. Currently we have On-prem Windows server with DFSR enabled for roaming profiles. Is there any recommendation that I can look into for Roaming profile and profile store on AWS?

    1. should I just migrate current on-prem 2 Windows File server to AWS and have one each in Availability Zones and with DFSR enabled?
    2. Or can use other products and features that can be quick where users can store their files (can allocate some sizing to each user) without compromising much download time.

    Currently on On-Prem we are using Hosted Shared Desktop/Published Apps and non-persistence win T desktops.

    Any advice would be really helpful.


    1. The primary requirement is a SMB share with NTFS support. Windows file servers can certainly do this. I think NetApp has an offering in AWS that can also probably do this.

  23. Carl this might be helpful for users
    We need to put following in Registry Inclusion List:




    Directories to Synchronize:

    Appdata\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned

  24. We configured the folder mirror settings as described above for cookie persistence.
    But we had the strange behavior that the webcache database/inetcookies content were somehow inconsistent after the second login of every user.
    The consequence of this inconsistency was that already on every Internet Explorer close/start all cookies were lost, same on logoff/logon.

    The solution was to disable Profile Streaming for those two folders:

    Win10 1703/VDA 7.17/MCS random, userdata: discard

    1. I’m having a similar issue where user loads virtual desktop the first time, all websites load correctly, user exits and profile syncs…. when they load the vm the second time the website will not allow them to login… I tried your setting above but still no joy.

  25. Hi Carl,
    I would like to share information because I have not seen the description of these changes in the release notice of 7.15 CU3.
    In mid-December last year I performed upgrade of infrastructure servers from the release of 7.15 CU2 to 7.15 CU3.
    And now, after resetting one of the existing user UPM profiles, I noticed that my current HDX Policy “Redirection settings for AppData” stopped working. In Modeling I see that the policy was applied, but the result is displayed as “Disabled”.
    I opened the case and got a private fix.
    Fix helped, but in addition, the policy changed the path for FR. AppData redirection dir changed from ‘ Application Data ‘ to ‘AppData\Roaming’ and this is by design in CU3.

  26. Hi Carl,

    I have Citrix 7.15 LTSR using Citrix Profile Management. I have packaged SAP GUI via App Layering. I require the following path to be saved with a config file: C:\Users\username\AppData\Roaming\SAP\Common. Is this possible, and with which setting can I do this?

    1. Anything under AppData\Roaming should be backed up automatically unless you modified your UPM configuration to exclude it.

  27. Carl, have you ever had to add “AppData\Roaming\Microsoft\Templates” to “Folders to mirror” in order to get Normal.dotm templates to sync properly multiple times? That’s what I had to do in our Win10 VDA (7.15 LTSR CU2) in order to get additional changes to the template to sync. In other words, I login to the desktop and change the font, logoff and that template is stored. I login again and attempt to change the font again, and I see the file change locally on the VDA, but when I logoff, the file is not sync’d. However, if I right-click on the file in the VDA and do something dumb like remove one of the properties or personal information, that will somehow force CPM to sync the file.

    This behavior doesn’t occur in W7/7.6FP3/CPM 5.8 (ancient, I know).

  28. Hi,
    We are using Citrix UPM through Active Directory policy. I see that the profile share (D drive) increases every day. Then I realized the users are downloading stuff and the Downloads folder is getting big, and that causes the user profile size to increase. What can we do with the Downloads folder so that it will not increase the user’s profile size? Is there any way we can delete the content of only the Downloads folder when the user logs off?

    1. You can certainly add it to folder exclusions. I normally configure Profile Folder Redirection and put the Downloads folder in the user’s home directory.

  29. Hi Carl,

    I’m storing user license for Office 365 ProPlus in user profiles that has Folder Redirection enabled ( Roaming ) through GPO, is it possible to exclude this directory per your recommendation in Profile Management? See example below:


      1. You can specify roaming licence tokens for O365 now. In addition, Microsoft suggest including this folder, esp. if you don’t use SSO for O365:

        “If you don’t use single sign-on, you should consider using roaming profiles and include the %localappdata%\Microsoft\Office\16.0\Licensing folder as part of the roaming profile.”

  30. Carl, I have CU3 in my XD setup for W7 VDIs and am piloting W10 VDIs; however, I get an error in GPMC when ctxprofile.admx is copied from the 1811 UPM and ctxprofile7.15.3000.admx exists in the central store. How can I get these two to co-exist while I work on a transition plan and test the W10 image out?

    1. Delete the 7.15.3000 version and only use the new version. If you configure any of the new features released after 7.15, the 7.15 UPM will ignore those settings.

  31. Hi carl,

    Recently we built a new environment of 7.15 CU2 on VMware 6.5, on which we are using an MCS hosting connection. We have created a master image with the OS 2012 R2 and created non-persistent VMs. My problem is that when users use MS Office, they experience slowness while working in it. I googled and found that the following settings need to be disabled:
    • No add-ons are enabled
    • Track changes is off
    • Animations are disabled
    • Office internet live update needs to be disabled
    I have enabled the above settings by using the ADMX files for versions 2013 and 2016, but no luck.

    Please guide me: apart from the above, what else do I need to do to optimize MS Office on Citrix? I also want to know whether any exclusions need to be made for MS Office files in Profile Management.

      1. Thanks for the reply, Carl… facing the issue on all Office programs except Outlook. Not using layering, and there must be some security agent installed on the server VDA.

  33. Hi Carl,

    shouldn’t the article CTX235347 “Citrix Profile Management: VHDX-based Outlook cache and Outlook search index on a user basis” be visible for anyone who is allowed to use UPM?

    We own Citrix virtual Apps Advanced licenses but the article is restricted for us.
    Or is the premium license tier required for this feature?

  34. Hey Carl, I am looking at the Microsoft Storage Replica solution as a replacement for DFS-R for storing Citrix user profiles. Any thoughts you can share on its suitability and or because it is not on Citrix supported list (as yet) and should be avoided?


    1. Hello Mayur,

      For information I worked on a Citrix Cloud project in Azure for which we have deployed Storage Spaces Direct with Storage Replica between Azure region.
      As far as I know, it’s supported by Citrix.
      Feel free to PM me if you want more information.


  35. Hi Carl, the problem I have encountered is that UPM does not create a new roaming profile when logging on to Server 2016. However, it works well and creates the profile when logging on to 2008 R2 and 2012 R2. It even creates the corresponding versions v2x64 and v4x64. This is how the path is set: \\beaulieu.local\dfs$\DHX-CTXProfiles-PRD\%username%.%userdomain%\!CTX_PROFILEVER!!CTX_OSBITNESS! . Could the reason be that I have installed UPM 7.15.300 but haven’t updated the ADMX templates yet? The current templates are ctxprofile5.1.0.
    Thanks in advance!

    1. What do you see in the UPM Logs? It should show you the full path that it constructed and the reason it can’t create the path.

  36. We have a lovely issue. On a Server 2016 VDA, Applying a Windows Theme by GPO. Each time a user logs on, a deleted theme file is added to their recycle bin. At every login after that, another theme file is deleted and added to the recycle bin, so they end up with lots of deleted theme files in there. The theme file is the same as the one applying in Group Policy. Anyone seen this?

    I can only find one other instance on the whole of the internet, with no answer…

  37. Hi Carl,

    I have a question. We are facing a black screen issue with Server 2016 published desktops. We have 7.15 CU2 with the UPM hotfix applied. When we delete ntuser.dat from the user profile, logon time drops to 27 sec., but with the second logon it jumps again to 90 sec. and keeps increasing with multiple logons for the user. We are not facing any issues with published apps on Server 2016 VDAs, only published desktops. We tried different VDA versions but are getting the same performance. I was wondering if you have any recommendations on what to check.

  38. Hello,

    We are experiencing an issue while migrating from W10 1703 to W10 1709. Some modern apps like Calculator are not loaded when we come from a 1703 profile.
    With Microsoft Roaming Profile they recommended applying this reg key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SpecialRoamingOverrideAllowed dword 1

    Do you have any idea how to configure UPM to allow the apps to be registered again at first logon to a new W10 version?


    1. UPM has a default exclusion for AppData\Local\Packages – I wonder if removing that exclusion will allow them to roam.

      Another option is to create a login script to run Add-AppxPackage.

      1. Hello,

        Thank you but not solved with this option : Roam AppData\Local\Packages
        Do you think there is an issue with the roaming method of UPM? Because it works with Windows Roaming Profile.

          1. Hello! Yes, we have it. We also configured the SpecialRoamingOverrideAllowed dword to 1. Do you think it can be an issue because the profile path is the same? At the end, profile.v6 between 1703 and 1709?


  39. Carl CTX232587 says if you are using WEM then “Add the following Google Chrome files to be mirrored for the user profile”

    Note: If Citrix UPM is being managed through XenDesktop or domain GPO, the policy that should be enabled is “Files to Synchronize”. Then add to the list the same files mentioned above.

    You have them mirrored in the GPO of UPM in the screenshot?

    1. That article is confusing and I left them comments, which you can also do. The files are already added to Sync. Mirroring is like a super sync that can be used if regular sync is not working.

      1. Ok understood. I will send them a message on the CTX article as well.
        Thanks for your reply and all your well-documented SOPs

  40. Hi Carl, a quick question: I have upgraded the VDA, and so UPM, from VDA 7.15 LTSR CU2 to the latest CR 7.1808. Now my Windows 10 (1803) profile is Win10RS4v6; before, it was Win10RS2v6. It seems weird, as every user has a new profile created after the VDA update. Do you know if this is expected or a bug?


    1. I’ve reported it a couple times but I guess Citrix has not changed the behavior. I’m becoming more reluctant to use the variables in the User Store path and instead hard code it for each OS/profile version.

      1. Thanks for your prompt reply. Another quick question: do you know if there is another way than GPO to enable Outlook cache and search (using WEM)? I mean, I have configured UPM using WEM but I am not seeing the setting, and I don’t want to use the UPM GPO just for this one (however, maybe I will need to do it).


        1. You can probably look in the GPO ADMX template to see the registry setting and then use WEM to push the setting.

  41. Item above
    “5. According to CTX213190 Configure UPM to save password in Internet Explorer, you’ll also need a User Configuration > Preferences > Windows Settings > Folders item to create the %localappdata%\Microsoft\Vault folder”
    won’t apply in “computer settings GPO” should put it in “VDA All users including admins.”

  42. Hello Carl Stalhood

    I am having a user profile issue for single user, Citrix – ES 2013 Outlook – “preparing for first use” on each Citrix Restart

    Kindly suggest me

      1. I have the same/similar issue. We have active write back enabled. In the pending folder the ntuser.dat file is recent, but in the UPM folder it’s from back in 2018. The user has multiple desktops using that profile, but we have logged them off of all sessions and it still does not seem to work properly.

  43. Here’s an oddball question for you. If you set a custom, hard-coded user path in Studio, is the folder name that is created all lowercase? For instance, if I use “\\\Citrix\Profiles\#SAMAccountName#\Windows10”, the folder created is “windows10” instead of “Windows10”. I don’t know why, but this really annoys me.

      1. I do see the correct path in the registry, capital letter and all. I thought maybe it was something with how the NetApp was configured, so I tested it on a Windows file share, but saw the same results. Setting the path via AD GPO also produces the same thing. It’s not a huge deal, it just visually looks sloppy to me.

  44. Hi Carl,

    Do you know what could be causing the UPM error below? This issue is random and happening to multiple users every week and I’m not sure if it’s an UPM or App Layering issue but it’s been happening since we upgraded from App Layering 4.11 to 4.12 and still happening in 4.13. We did have some security issue with the Citrix Desktop Service failing when adding a new version to the PL in v4.12 but I already created a new Platform layer and setting the VMware connector cache to 0.

    2018-09-05;10:45:29.425;ERROR;DOMAIN;user;1;3156;ProcessLogon: Copying the user’s registry hive failed with: The volume is too fragmented to complete this operation.
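
For an error that is "random and happening to multiple users", a quick way to see its spread is to group ERROR entries by message across the collected UPM logs. The script below is an added example, not part of the original comment or of Citrix tooling; it assumes the semicolon-separated layout visible in the quoted line (date; time; severity; domain; user; session ID; thread ID; message), and every sample line in it is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Field order is an assumption read off the single log line quoted in the comment above.
FIELDS = ("date", "time", "severity", "domain", "user",
          "session_id", "thread_id", "message")

# Constructed sample input, modelled on the quoted line (not real log data).
SAMPLE_LOG = """\
2018-09-05;10:45:29.425;ERROR;DOMAIN;user;1;3156;ProcessLogon: Copying the user's registry hive failed with: The volume is too fragmented to complete this operation.
2018-09-05;10:45:30.010;INFORMATION;DOMAIN;user;1;3156;ProcessLogon: constructed sample; message; with extra semicolons
2018-09-06;08:01:12.300;ERROR;DOMAIN;user2;2;4120;ProcessLogon: Copying the user's registry hive failed with: The volume is too fragmented to complete this operation.
this line is truncated;and malformed
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the layout."""
    # Split at most 7 times so semicolons inside the message are preserved.
    parts = line.rstrip("\r\n").split(";", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return None
    return rec

def summarize_errors(text):
    """Group ERROR entries by message: affected users, count, first/last seen."""
    users, seen, skipped = defaultdict(set), defaultdict(list), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        if rec["severity"].upper() == "ERROR":
            users[rec["message"]].add(rec["domain"] + "\\" + rec["user"])
            seen[rec["message"]].append(rec["timestamp"])
    summary = {msg: {"users": sorted(users[msg]), "count": len(ts),
                     "first": min(ts), "last": max(ts)}
               for msg, ts in seen.items()}
    return summary, skipped

if __name__ == "__main__":
    result, bad = summarize_errors(SAMPLE_LOG)
    for msg, info in result.items():
        print(info["count"], info["users"], info["first"], info["last"], msg)
    print("unparseable lines:", bad)
```
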

  45. Hi Carl, I am using 7.15 XenApp published desktop, 2016 VDA, UPM enabled. I am having a lot of issues with the Start menu not showing at user login; however, it shows when logging in as admin. Search doesn’t work at all, not responding to clicks at all. I have checked all the KBs you mentioned above and modified the exclusion list and mirror list. Still no luck. Also, with the Start menu, there are only a few icons showing in Programs. I have CU2 applied. Thanks

  46. Hi Carl,

    Thanks for the information.

    I have a question: is it better to manage the profile using Citrix Policy or by using GPO? We already have a high logon duration, which is close to 190 sec., of which the main contributors are GPO: 70 sec, HDX: 50 sec, Interactive Login: 50.
    Please help me understand whether changing the profile management from Citrix Policy to GPO will affect the logon duration.

