Citrix Profile Management 5.

8
Navigation

This article applies to all versions of Profile Management: 5.8, 5.7, 5.6, 5.5, 5.4, etc.

Profile Management Configuration Options

Planning Multi-datacenter
Create User Store (File Share)
GPO ADMX Policy Template
Group Policy Settings
o Basic Settings
o Exclusions
o Log Settings
o Profile Streaming
Mandatory Profile Citrix Method
Redirected Profile Folders (Folder Redirection)
Verify Profile Management
Troubleshooting

= Recently Updated

Profile Management Configuration Options

Version 5.8 of Citrix Profile Management can be downloaded from XenApp/XenDesktop 7.14. To find it,
click Components that are on the product ISO but also packaged separately.

There are three methods of configuring Citrix Profile Management:

Citrix Studio in the Policies node

Microsoft group policy using an ADMX file
.ini file this is the default

This page will detail the GPO ADMX method of configuring Citrix Profile Management. The Studio method
is similar.

Citrix Studio Policies and Microsoft GPOs override the .ini file. When configuring Studio Policies or GPOs,
copy the default settings from the .ini file as detailed below.

Planning Multi-Datacenter
For optimum performance, users connecting to Citrix in a particular datacenter should find their roaming
profiles on a file server in the same datacenter. If you have Citrix in multiple datacenters, then you will
need file servers in each datacenter.

DFS active/active replication of roaming profiles is not supported. This limitation complicates multi-
datacenter designs.

For active/active datacenters, split the users such that different users have different home datacenters.
Whenever a particular user connects, that user always connects to the same datacenter and in that
datacenter is a file server containing the users roaming profile. StoreFront uses Active Directory group
membership to determine a users home datacenter.

For users that connect to Citrix in multiple datacenters, there are a couple options:

The users roaming profile is located in only one datacenter If the user connects to a remote
datacenter, then the roaming profile must be transmitted across the WAN. To optimize
performance, disable Active Write Back, and make sure Profile Streaming is enabled.
The user has separate profiles for each datacenter There is no replication of profiles between
datacenters. This scenario is best for deployments where different applications are hosted in
different datacenters.

Disaster Recovery For disaster recovery scenarios, the users roaming profile data (and home directories)
must be recovered in a different datacenter. Here are some considerations:

Use DFS One-way replication. After the disaster, edit the DFS Namespace folder target to point to
the file server in the DR datacenter. You must avoid multi-master DFS replication/namespace.
Use VMware SRM or Zerto to recover the file server in the DR datacenter.
A datacenter failover might result in multiple file servers accessed from a single VDA, especially if
you have users split across datacenters. Use DFS Namespaces as detailed below.

DFS Namespace for central user store The Citrix Profile Management user store path is a computer-level
setting, meaning there can only be one path for every user that logs into a particular VDA. If you have
different users with roaming profiles on different file servers, you must use Active Directory user attributes
and DFS namespaces to locate the users file server. Here is an overview of the configuration:

Create a domain-based DFS namespace with folder targets on different file servers. See Scenario 1
Basic setup of geographically adjacent user stores and failover clusters at Citrix Docs for more
information.
Do not enable two-way DFS Replication for the roaming profile shares. But you can do One-way DFS
replication. See Scenario 2 Multiple folder targets and replication at Citrix Docs for more
information.
Edit each user in Active Directory with a location (l) attribute that matches the DFS folder name.
Set the Profile Management user store path to
\\corp.local\CtxProfiles\#l#\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!. This pulls the users l
attribute from Active Directory and appends that to the DFS share. The folder that matches the
attribute value is linked to a file server. For example, if the users l attribute is set to Omaha, then
the users profile will be located at \\corp.local\CtxProfiles\Omaha\user01\Win2016v6. The Omaha
folder is linked to a file server in the Omaha datacenter.

Create User Store

This procedure could also be used to create a file share for redirected profile folders.
If you intend to place Citrix Profile Management roaming profiles in the users home directory, then there
is no need to follow the procedure in this section. Only use this section if you are creating a new file share
for storage of the Citrix roaming profiles.

Create and Share the Folder

1. Make sure file and printer sharing is enabled.

2. On the file server that will host the file share, create a new folder and name it CtxProfiles or similar.
3. Share the folder.

4. Give Everyone (or some other group that contains all Citrix Users) Full Control (Read/Write). Click
Share, and then click Done.
5. Go to the Properties of the folder.

6. On the Sharing tab, click Advanced Sharing.

 7. Click Caching.

8. Select No files or programs. Click OK, and then click Close.

Folder (NTFS) Permissions

1. Open the properties of the new shared folder.

2. On the Security tab, click Edit.
3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can
create new folders.

4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they
create. Click OK.
5. Now click Advanced.

6. Highlight the Everyone permission entry, and click Edit.

7. Change the Applies to selection to This folder only. Click OK three times. This prevents the
Everyone permission from flowing down to newly created profile folders.
Access Based Enumeration

With this setting enabled, users can only see folders to which they have access:

1. In Server Manager, on the left, click File and Storage Services.

 2. If you dont see Shares then you probably need to close Server Manager and reopen it. Or perform
a refresh.
3. Right-click the new share and click Properties.

4. On the Settings page, check the box next to Enable access-based enumeration.

GPO ADMX Policy Template

1. Go to the downloaded Citrix Profile Management 5.8. In the \Group Policy Templates\en folder,
copy the file ctxprofile5.8.0.admx to the clipboard. You can also find the templates on the main
 XenDesktop 7.14 ISO in the \x64\ProfileManagement\ADM_Templates\en folder.

2. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.
3. If you dont have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the
file.

4. If you have an older version of the ctxprofile.admx file in either location, delete it. Note: replacing
the .admx file does not affect your existing Profile Management configuration. The template only
defines the available settings, not the actual settings.
5. Go back to the Citrix Profile Management 5.8 ADM_Template files and copy ctxprofile5.8.0.adml to
the clipboard.

6. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL.
7. If you dont have SysVol PolicyDefinitions,, then go to C:\Windows\PolicyDefinitions\en-US and
paste the file. This is a subfolder of the PolicyDefinitions folder.

8. If you have an older version of the ctxprofile.adml file in either location, delete it.
9. Citrix Profile Management 5.8 ADM_Template files and in the \Group Policy
Templates\CitrixBase folder, copy the file CitrixBase.admx to the clipboard.

10. If your domain has PolicyDefinitions copied to SYSVOL, paste the file there.
11. If you dont have SysVol PolicyDefinitions, then go to C:\Windows\PolicyDefinitions and paste the
file.

12. Go back to the Citrix Profile Management 5.8 ADM_Template files and copy CitrixBase.adml to the
clipboard.
 13. If your domain has a PolicyDefinitions central store in SYSVOL, copy it to the en-us folder in SYSVOL.

14. If you dont have SysVol PolicyDefinitions,, then go to C:\Windows\PolicyDefinitions\en-US and

paste the file. This is a subfolder of the PolicyDefinitions folder.

Group Policy Settings

1. Edit a GPO that applies to all machines (VDAs) that have the Profile Management service installed.

2. Go to Computer Configuration\Policies\Administrative Templates\Citrix Components\Profile

Management. If older than 5.5, the settings are beneath the Citrix folder. Note: if you did not install
the CitrixBase.admx file, then you can find Profile Management directly under the Administrative
Templates folder.
3. Enable the setting Enable Profile management. Profile Management will not function until this
setting is enabled.
4. If desired, enable the setting Process logons of local administrators.

5. Enable Path to user store.

6. Specify the UNC path to the folder share. An example path =
\\server\share\#SAMAccountName#\!CTX_OSNAME!!CTX_PROFILEVER!

7. Profile Versions Different OS versions have different profile versions. Each profile version only
works on specific OS versions. For example, you cannot use a Windows 7 profile (v2) on Windows
10 1607 (v6). The variables in the path above ensure that every unique profile version is stored in a
unique folder. If users connect to multiple operating system versions, then users will have multiple
profiles.
1. Windows 10 Profile Versions Windows 10 has two different profile versions. Windows 10
build 1511 and older use v5 profiles. Windows 10 build 1607 and newer use v6 profiles. V6
is also the profile version in Windows Server 2016. These different profile versions are
probably incompatible so they should be separated.
2. Windows 10 build 1703 warning: Profile Management 5.8 on Windows 10 1703 sets
!CTX_OSNAME! to Win10RS2. On Windows 10 1607, !CTX_OSNAME! is set to
Win10RS1. RS = Redstone. If you use !CTX_OSNAME! in your path, then Windows 10 1703
and Windows 10 1607 will have separate profiles.
3. With the UNC path shown above, if the user logs into Windows 2012 R2 RDSH, the profile
folder will be \\server\share\user01\Win2012R2v4. If the user logs into 64-bit Windows 10
build 1607, the profile folder will be \\server\share\user01\Win10RS1v6.
4. Windows 2012 R2 warning: If you are upgrading to Profile Management 5.4 or newer, and
have existing Windows 2012 R2 profiles based on the !CTX_OSNAME! variable, Citrix fixed
the variable, and now your profiles might stop working.
See http://discussions.citrix.com/topic/374111-psa-upm-54-ctx-osname-server-2012-value-
change/ for more details.
5. Windows 2012 R2 note: in older versions of Citrix Profile
Management, !CTX_PROFILEVER! recognizes Windows 2012 R2 as v2, which isnt correct.
V2 is Windows Server 2008 R2, while Windows Server 2012 R2 is v4. The profile version bug
was fixed in recent versions of Profile Management.
8. Another option is to place VDAs with different OS versions in different OUs, and then use different
GPOs on those OUs to specify different Profile Management user store paths.
9. Multiple Domains If you have multiple domains, change #SAMAccountName# to
%username%.%userdomain% (e.g.
\\server\share\%username%.%userdomain%\!CTX_OSNAME!!CTX_PROFILEVER!). That way you can have the
same account name in multiple domains and each account will have a different profile.
10. Disable Active write back. This places additional load on the file server and is only needed if users
login to multiple machines concurrently and need mid-session changes to be saved. Note: if you
dont configure this, it is enabled by default.

11. Under the Advanced settings node, enable the setting Process Internet cookie files on logoff.

12. In 5.6 and newer, Customer Experience Improvement Program (CEIP) is enabled by default. It can
be disabled here.
13. See http://www.carlstalhood.com/delivery-controller-7-13-and-licensing/#ceip for additional
places where CEIP is enabled.
Exclusions 5.5 and newer

The Exclusions process in 5.5 and newer is dramatically simplified. If you havent yet deployed 5.5 or
newer, and its corresponding ADMX file, then skip to the older Exclusions process.

1. Under the File system node in the Group Policy Editor, enable the setting Enable Default Exclusion
List directories.
2. You can use checkboxes to not exclude some folders.

3. Then edit Exclusion list directories.

4. Enable the setting, and click Show.

5. Add the following to the list. This is the new path for Temporary Internet Files in Windows 8 and
later.

AppData\Local\Microsoft\Windows\INetCache

6. If running Office 365 with Shared Computer Activation, then you might need to exclude
!ctx_localappdata!\Microsoft\Office\15.0\Licensing and/or !ctx_localappdata!\Microsoft\Office\16.0\Licensing.
Ideally you should have ADFS integration so users can seamlessly re-activate Office at every launch.
7. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to
know about virtualizing, optimizing and managing Windows 10but were afraid to ask part #6:
ROAMING.
8. Then click OK twice to return to the Group Policy Editor.

9. You might need to exclude usrclass.dat*. Some articles say exclude it, others say include it (for file
type association). The UPMPolicyDefaults_all.ini file has it listed as an exclusion.
1. Edit the setting Exclusion list files.

2. Enable the setting, and click Show.

3. Add the following. Then click OK twice.

4. !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*
10. Clean up excluded folders If you add to the exclusions list after profiles have already been
created, Profile Management 5.8 has a feature that can delete the excluded folders at next logon.
See To enable logon exclusion check at Citrix Docs. Unfortunately, this feature is only configurable

in the .ini file.

1. Also see Muralidhar Marams post at Citrix Discussions for a tool that will clean up the
existing profiles.
2. Also see Jeremy Sprite Clean Citrix UPM Profiles.
11. Under the File System\Synchronization node in the Group Policy Editor you can configure which
profile folders should be synchronized that have otherwise been excluded.
12. Edit the setting Directories to synchronize.
13. Enable the setting and click Show.

14. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following
directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between
Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you
should instead exclude these folders from roaming as detailed at CTX124948 How to Configure
Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
15. AppData\Local\Microsoft\Credentials
16. Appdata\Roaming\Microsoft\Credentials
17. Appdata\Roaming\Microsoft\Crypto
18. Appdata\Roaming\Microsoft\Protect
Appdata\Roaming\Microsoft\SystemCertificates

19. Also see David Otts list of UPM exclusions for Windows 10. This blog post also details how to roam
the Windows 10 Start Menu and prevent file share locks.
20. To roam Start Menu and/or File Type Associations in Windows 10/2016, see CTX214754 Error An
app default was reset after signout and Logon in Citrix UPM for details on the folders that must be
included/excluded from the roaming profile. These should be added to the inclusion (Directories to
Synchronize) list. UsrClass.dat* are files, not directories. For Option 2, compare to Option 1 and add
the missing items to the Exclusion list. Full support for roaming Start Menu and/or File Type
 Associations requires UPM 5.7 or newer, and VDA 7.13 and newer.

21. Click OK twice.

22. Edit Files to synchronize

23. Enable the setting, and click Show

24. Add the following three entries so Java settings are saved to the roaming profile:
25. AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
26. AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
27. AppData\LocalLow\Sun\Java\Deployment\deployment.properties
28. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
29. AppData\Local\Google\Chrome\User Data\First Run
30. AppData\Local\Google\Chrome\User Data\Local State
31. AppData\Local\Google\Chrome\User Data\Default\Bookmarks
32. AppData\Local\Google\Chrome\User Data\Default\Favicons
33. AppData\Local\Google\Chrome\User Data\Default\History
AppData\Local\Google\Chrome\User Data\Default\Preferences

34. Then click OK twice to return to the Group Policy Editor.

35. To enable handling of Cookies, in the Synchronization node, enable the setting Folders to mirror.
36. Enable the setting, and click Show.

37. Add the following and click OK.

38. The Known Issues for UPM 5.7 indicate that the first three folders shown below must be mirrored
in order for the Windows 10 Start Menu to function correctly.
39. CTX222433 Start Menu Layout Roaming on Windows 10 indicates that TileDataLayer should be
mirrored.
40. AppData\Roaming\Microsoft\Windows\Cookies
41. AppData\Local\Microsoft\Windows\INetCookies
42. AppData\Local\Microsoft\Windows\WebCache
43. AppData\Local\TileDataLayer
44. AppData\Local\Microsoft\Vault

45. Note: according to CTX213190 Configure UPM to save password in Internet Explorer, youll also
need a User Config > Preferences > Windows Settings > Folders item to create the
 %localappdata%\Microsoft\Vault folder.

46. On the left, under Profile Management, click Registry.

47. On the right, open Enable Default Exclusion List.

48. Enable the setting. You can use the checkboxes to control which registry keys you dont want to
exclude.
49. According to Citrix CTX221380 Occasionally, File Type Association (FTA) Fails to Roam with Profile
Management 5.7 on Windows 10 and Windows Server 2016,
 Software\Microsoft\Speech_OneCore should be unchecked. Click OK.

50. New in 5.5 is the NTUSER.DAT backup setting, which is disabled by default. You can enable it to
provide some resiliency against profile corruption.

51. Skip to the Log Settings section.

Exclusions 5.4.1 and older

This section is for UPM 5.4.1 and older. For 5.5 scroll up to Exclusions 5.5 and newer.

The UPMPolicyDefaults.ini file includes a default list of exclusions. If you intend to add to the default list,
you must first copy the exclusions from the .ini file to the GPO. Then you can add exclusions to your GPO.

Note: this file was updated for Profile Management 5.4 and Windows 10 so if you are upgrading make sure
you copy the new exclusions to the GPO. For example, !ctx_localappdata!\TileDataLayer seems to have
been added in 5.4.
1. Browse to a VDA, go to C:\Program Files\Citrix\User Profile Manager and open the file
UPMPolicyDefaults_all.ini using Notepad.

2. Under the File system node in the Group Policy Editor you can configure which profile folders
should be excluded from synchronization. Edit Exclusion list directories.
3. Enable the setting and click Show
4. In the .ini file, scroll down to the SyncExclusionListDir section. Copy each of these lines to the GPO.
Do not include the equals sign on the end.

5. Add the following to the list. This is the new path for Temporary Internet Files in Windows 8 and
later.

AppData\Local\Microsoft\Windows\INetCache

6. If running Office 365 with Shared Computer Activation, then you might need to exclude
!ctx_localappdata!\Microsoft\Office\15.0\Licensing and/or !ctx_localappdata!\Microsoft\Office\16.0\Licensing.
Ideally you should have ADFS integration so users can seamlessly re-activate Office at every launch.
7. James Rankin has a much longer list of exclusions and synchronizations at Everything you wanted to
know about virtualizing, optimizing and managing Windows 10but were afraid to ask part #6:
 ROAMING.

8. Then click OK twice to return to the Group Policy Editor.

9. To roam Start Menu and/or File Type Associations in Windows 10/2016, see CTX214754 Error An
app default was reset after signout and Logon in Citrix UPM for details on the folders that must be
included/excluded from the roaming profile. The list below are inclusions.

10. You might need to exclude usrclass.dat* as detailed at Known Issue for Profile Management 5.4.
1. Edit the setting Exclusion list files.

2. Enable the setting and click Show.

3. Add the following. Then click OK twice. This is detailed as a Known Issue for Profile
Management 5.4.
4. !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*
11. Note: If you add to the exclusions list after profiles have already been created, then see Muralidhar
Marams post at discussions.citrix.com for a tool that will clean up the existing profiles. Also see
Jeremy Sprite Clean Citrix UPM Profiles.
12. Under the File System\Synchronization node in the Group Policy Editor you can configure which
profile folders should be synchronized that have otherwise been excluded.
13. Edit the setting Directories to synchronize.

14. Enable the setting and click Show.

15. To configure Profile Management to sync Saved Passwords in Internet Explorer, add the following
directories as detailed by gtess80 at Internet Explorer 11 Saved Passwords Not Retaining Between
Sessions at Citrix Discussions. However, if Microsoft Credentials Roaming is enabled, then you
 should instead exclude these folders from roaming as detailed at CTX124948 How to Configure
Citrix Profile Manager when Microsoft Credentials Roaming is Used in the Environment.
16. AppData\Local\Microsoft\Credentials
17. Appdata\Roaming\Microsoft\Credentials
18. Appdata\Roaming\Microsoft\Crypto
19. Appdata\Roaming\Microsoft\Protect
Appdata\Roaming\Microsoft\SystemCertificates

20. Also see David Otts list of UPM exclusions for Windows 10. This blog post also details how to roam
the Windows 10 Start Menu and prevent file share locks.
21. Click OK twice.
22. Edit Files to synchronize
23. Enable the setting and click Show

24. Add the following three entries so Java settings are saved to the roaming profile:
25. AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
26. AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
27. AppData\LocalLow\Sun\Java\Deployment\deployment.properties
28. Bob Bair at Citrix Discussions recommends these additional files for Chrome:
29. AppData\Local\Google\Chrome\User Data\First Run
30. AppData\Local\Google\Chrome\User Data\Local State
31. AppData\Local\Google\Chrome\User Data\Default\Bookmarks
32. AppData\Local\Google\Chrome\User Data\Default\Favicons
33. AppData\Local\Google\Chrome\User Data\Default\History
AppData\Local\Google\Chrome\User Data\Default\Preferences

34. Then click OK twice to return to the Group Policy Editor.

35. To enable handling of Cookies, in the Synchronization node, enable the setting Folders to mirror.

36. Enable the setting and click Show.

37. Add the following and click OK

38. AppData\Roaming\Microsoft\Windows\Cookies
39. AppData\Local\Microsoft\Windows\INetCookies
40. AppData\Local\Microsoft\Windows\WebCache
AppData\Local\Microsoft\Vault
41. Note: according to CTX213190 Configure UPM to save password in Internet Explorer, youll also
need a User Config > Preferences > Windows Settings > Folders item to create the
%localappdata%\Microsoft\Vault folder.

42. On the left, under Profile Management, click Registry.

43. On the right, open Exclusion List.

44. Enable the setting and then click Show.

45. Back in the UPMPolicyDefaults.ini file, look for the ExclusionListRegistry section. Copy the two
items from there without the equals sign to the GPO setting.
 46. Click OK twice.

Log Settings

1. In the Log Settings node, enable the Enable logging setting. This will make it easy to troubleshoot
problems with Profile Management. The logfile is located in
C:\Windows\System32\LogFiles\UserProfileManager.

2. Edit the Log settings setting.

3. Enable the setting and check the boxes next to Logon and Logoff. Click OK.

4. If your VDA is a Provisioning Services Target Device and/or non-persistent, consider moving the log
file to the local persistent disk (e.g. D:\Logs), or to a central share. If a central share, the VDA
computer accounts (e.g. Domain Computers) will need Modify permission to the log file path. To
change the log file path, edit the Path to log file setting.
 5. CTX123005 Citrix UPM Log Parser

6. CTX200674 How To: Review Profile Management Log Files using Microsoft Excel

Profile Streaming

1. For shared persistent VDAs (e.g. RDSH), go to the Profile handling node under Profile
Management. Enable the setting Delete locally cached profiles at logoff. Note: this might cause
 problems in Windows 10.

Helge Klein has a tool to delete locally cached profiles on a session host.
http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/. This tool should only be
needed if profiles are not deleting properly.

2. For Windows 10/2016 machines, CTX216097 Unable to Delete NTUSER.DAT* Files When a User
Logs off recommends setting Delay before deleting cached profiles to 40 seconds.
3. Enable the setting Migration of existing profiles, and set it to Local and Roaming. Citrix CTX221564
UPM doesnt migrate local user profile since version 5.4.1.
4. Enable the setting Local profile conflict handling and set it to Delete local profile. Note: this might
cause problems on Windows 10.
 5. Under Profile Management > Streamed user profiles is Profile streaming. Enable this setting to
speed up logons.

6. After modifying the GPO, use Group Policy Management Console to update the VDAs.

7. Or run gpupdate /force on the VDAs, or wait 90 minutes.

Mandatory Profile Citrix Method

Profile Management 5.0 and newer has a mandatory profile feature. Alternatively, use the Microsoft
method. Also see James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703).

1. Create a file share (e.g. \\fs01\profile). Give Read permission to Users and Full Control to
Administrators.
2. Login to the VDA machine as a template account. Do any desired customizations. Logoff.
3. Make sure you are viewing hidden files and system files.

4. Copy C:\Users\%username% to your fileshare. Name the folder Mandatory or something like that.
Citrix Profile Management does not need .v2 or .v4 or .v6 on the end.

1. You can copy C:\Users\Default instead of copying a template user. If so, remove the Hidden
attribute. If you use Default as your mandatory, be aware that Active Setup will run every
time a user logs in.
5. Open the AppData folder and delete the Local and LocalLow folders.

6. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The
only Java files you need are the deployment.properties file, the exception.sites file, and the
security/trusted.certs file. Delete the Java cache, tmp and logs.

7. Open regedit.exe.
8. Click HKEY_LOCAL_MACHINE to highlight it.

9. Open the File menu and click Load Hive.

10. Browse to the mandatory profile and open NTUSER.DAT. Note: Citrix Profile Management does not
use NTUSER.MAN and instead the file must be NTUSER.DAT.

11. Name it a or similar.

12. Go to HKLM\a, right-click it, and click Permissions.

13. Add Authenticated Users and give it Full Control. Click OK.

14. With the hive still loaded, you can do some cleanup in the registry keys. See
http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ and
http://appsensebigot.blogspot.ru/2014/10/create-windows-mandatory-profiles-in.html?m=1 for
some suggestions.
15. Citrix CTX212784 Slow User Logon When Using Mandatory Profiles
set HKCU\a\Software\Citrix\WFSHELL\SpecialFoldersIntialized (DWORD) = 1
16. Highlight HKLM\a.
17. Open the File menu, and click Unload Hive.

18. Go back to the file share and delete the NTUSER.DAT log files.

19. Create/Edit a GPO that appplies to the VDAs. Make sure the Citrix Profile Management policy
template is loaded.
 20. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components >
Profile Management > Profile handling. Edit the setting Template profile.

21. Enable the setting and enter the path to the Mandatory profile.
22. Check all three boxes. Then click OK.

Redirected Profile Folders

1. Make sure loopback processing is enabled on your VDAs.

2. Edit a GPO that applies to all VDA users, including Administrators.

3. Go to User Configuration\Policies\Windows Settings\Folder Redirection. Right-click Documents,

and click Properties.

4. In the Setting drop down, select Basic.

5. In the Target folder location drop down, select Redirect to the users home directory.
6. Switch to the Settings tab.

7. On the Settings tab, uncheck the box next to Grant the user exclusive rights. Click OK. Note: Move
the contents to the new location might cause issues in some deployments.

8. Click Yes to acknowledge this message.

9. Right-click Desktop and click Properties.

10. Change the Setting drop-down to Basic.

11. Change the Target folder location to Redirect to the following location.
12. In the Root Path box, enter %HOMESHARE%%HOMEPATH%\Desktop. It is critical that this is a UNC
path and not a mapped drive. Also, since were using home directory variables, all users must have
home directories defined in Active Directory.
13. Switch to the Settings tab.
 14. Uncheck the box next to Grant the user exclusive rights to Desktop and click OK.

15. Click Yes when prompted that the target is not a UNC path. You get this error because of the
variable. It doesnt affect operations.

16. Repeat for the following folders:

o Documents = Redirect to the Users Home Directory
o Desktop = %HOMESHARE%%HOMEPATH%\Desktop
o Favorites = %HOMESHARE%%HOMEPATH%\Windows\Favorites
o Downloads = %HOMESHARE%%HOMEPATH%\Downloads
17. Redirect the following folders but set them to Follow the Documents folder.
o Pictures
o Music
o Videos

Folders not redirected will be synchronized by Citrix Profile Management.

Verify Profile Management

 1. Once Profile Management is configured, login to a Virtual Delivery Agent and run gpupdate /force.

2. Logoff and log back in.

3. Go to C:\Windows\System32\LogFiles\UserProfileManager and open the pm.log file. Look in the
log for logon and logoff events.

Profile Management Troubleshooting

UPM Troubleshooter

Citrix Blog Post UPM Troubleshooter: UPM Troubleshooter is a Windows-based standalone application
that examines the live User Profile Management-enabled system in a single click, gives Profile
Management Configurations, information on the Citrix products installed, facility to collect and send the
logs along with system utilities dashboard to analyze the issue in an effective, simplified, quick and easier
manner. See the blog post for more details.

Profile Management Configuration Check Tool

UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines
whether it is optimally configured. UPMConfigCheck is designed to verify that Profile management has
been configured optimally for the environment in which it is being run, taking into account:

Hypervisor Detection The presence or absence of supported hypervisors (for example, Citrix
XenServer, VMware vSphere, or Microsoft Hyper-V)
 Provisioning Detection The presence or absence of a supported machine-provisioning solution
(for example, Machine Creation Services or Provisioning Services)
XenApp or XenDesktop Whether it is running in a XenApp or a XenDesktop environment
User Store Determines that the expanded Path to User Store exists.
WinLogon Hooking Test Verifies that Profile management is correctly hooked into WinLogon
processing. This test is for Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008
R2 and requires the user running the Configuration Check Tool to have permission to access the
relevant registry keys, or an error may be returned.
Verify Personal vDisk enabled / disabled Whether the Personal vDisk feature of XenDesktop is
enabled
Miscellaneous Other factors that it is able to determine through registry or WMI queries, such as
whether the computer running Profile management is a laptop

Profile Size

Sacha Thomet at Monitor you Profile directories has a script that displays the size of profiles in a profile
share.

Log Parser

CTX123005 Citrix UPM Log Parser

View Log Files using Excel

CTX200674 How To: Review Profile Management Log Files using Microsoft Excel