App Layering

Exclude files from layers (Advanced feature)

You can exclude specific files and folders from a composited layer to prevent files from persisting on a user’s desktop. For example, you can exclude antivirus software files and folders that must not persist for a desktop from one login to the next.

The exclusions you define are applied to a composited layer, once that is part of a published image. This feature isn’t enforced on a packaging machine, only on a published image where the layers have been composited. That means that you define the exclusions while creating the layer, include the layer in the image template, and then publish the image.

Default exclusions

The Gold Image tool updates maintain a folder of .txt files to introduce and accumulate default exclusions for the App Layer file system. OS layers must be updated with the latest tool versions to ensure the correct and full set of exclusions are in place.

The location for these default exclusions is C:\Windows\Setup\Scripts\CitrixDefaultExclusions\. Customers don’t need to do anything with this folder or its contents. Any new exclusions can be removed through an OS layer revision if they cause problems for a customer.


Future Gold Image tool installations will overwrite local changes made by customers, so reporting issues with any default exclusions is recommended.

This feature complements the user exclusions delivery method and follows the same format, restrictions, and usage as c:\Program Files\Unidesk\Uniservice\UserExclusions\ files would.

The two new default exclusions files are FsLogixExclusions.txt and GroupPolicyHistoryExclusions.txt.


Excluded files and folders on elastic layers aren’t processed. Exclusions can only be processed when present in the image.

Specify files and folders to exclude

In the C:\Program Files\Unidesk\Uniservice\UserExclusions\ folder, create one or more .txt files that specify paths to be excluded.

All valid paths to files and directories are excluded and then read from the image. All changes to those files and directories on the writable layer no longer persist.

If one of the files you create contains an invalid path, processing of that file stops and moves to the next .txt file within the \UserExclusions folder.

You can also use a * character to wildcard one directory for exclusion. For example, C:\Users\*\AppData\Local\Temp\, where * indicates any user name. In this case, any user name that matches the rest of the path fits the exclusion rule, allowing the administrator to skip the user’s \Temp directory for all users who use that image.

For each exclusion rule, you can only wildcard one directory (use one *) in a single path. You can’t exclude multiple directories with one *. For example, using the rule C:\Top\*\Bottom\ excludes the files in directories C:\Top\First\Bottom\, C:\Top\Second\Bottom\, and so on. But files in the directory C:\Top\First\Second\Bottom\ aren’t excluded, because there are two directories between \Top\ and \Bottom\ rather than one.

There’s no limit to the number of exclusion rules that you can set containing a wildcard (*).


Exclude a file:


Exclude a directory:



The following restrictions apply to exclusions.

Directory name

  • Begin the path with C:\
  • End with a Backslash (\)


These top-level directories can’t be excluded:

  • C:\
  • C:\Program Files\
  • C:\Program Files (x86)\
  • C:\ProgramData\
  • C:\Windows\
  • C:\Users\

The following characters and expressions aren’t allowed in exclusions:

  • No question marks (?)
  • No regular expressions (no %x%)
  • No forward slash (/)
  • No network (\\)
  • No path to a different directory (\..\)
  • No quotation marks (“)
  • No colon (:) after C:\


Log messages are available in:

C:\Program Files\Unidesk\Uniservice\Log\Log0.txt

Messages written to the log:

  • User exclusion added: Includes the details about the file or directory.

  • Failed to add user exclusion: Includes details about the unsupported exclusions.

Exclude files from layers (Advanced feature)