Profile Management

Profile Management policy descriptions and defaults

This topic describes the policies in the Profile Management .adm and .admx files.

For more information about the policies, see Profile Management policies.

Sections in the .adm and .admx files

Profile Management policies reside in the following sections:

Profile Management

Profile Management\Folder Redirection (User Configuration)

Profile Management\Profile handling

Profile Management\Advanced settings

Profile Management\Log settings

Profile Management\Registry

Profile Management\File system

Profile Management\File system\Synchronization

Profile Management\File deduplication

Profile Management\Streamed user profiles

Profile Management\Cross-platform settings

In the Group Policy Object Editor, most of the policies appear under Computer Configuration > Administrative Templates > Classic Administrative Templates > Citrix. Redirected folder policies appear under User Configuration > Administrative Templates > Classic Administrative Templates > Citrix.

In the Group Policy Editor, the policies appear under Computer Configuration unless the policies are under the section labeled User Configuration.

Profile Management

Enable Profile Management

Lets you enable Profile Management. By default, to ease deployment, Profile Management does not process logons or logoffs. Enable Profile Management only after you do all other setup tasks and test how Citrix user profiles behave in your environment.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.

  2. If this policy is not configured either here or in the .ini file, Profile Management does not process Windows user profiles in any way.

Processed groups

Lets you specify users whose profiles are processed. Specify users using the following user groups:

  • Domain groups (local, global, and universal) in the format of <DOMAIN NAME>\<GROUP NAME>
  • Local groups in the format of GROUP NAME

Configuration precedence:

  1. If this policy is configured here, Profile Management processes only members of these user groups. If this policy is disabled, Profile Management processes all users.
  2. If this policy isn’t configured here, the value from the .ini file is used.
  3. If this policy is not configured either here or in the .ini file, members of all user groups are processed.

Excluded groups

Lets you specify users whose profiles aren’t processed. You can specify users by using the following user groups:

  • Domain groups (local, global, and universal) in the format of <DOMAIN NAME>\<GROUP NAME>
  • Local groups in the format of GROUP NAME

Configuration precedence:

  1. If this setting is configured here, Profile Management excludes members of those user groups.
  2. If this setting is disabled, Profile Management does not exclude any users.
  3. If this setting isn’t configured here, the value from the .ini file is used.
  4. If this setting is not configured either here or in the .ini file, no members of any groups are excluded.

Process logons of local administrators

Lets you specify whether Profile Management processes logons of members of the BUILTIN\Administrators group. Enabling this policy is recommended for Citrix virtual desktops deployments, in which most users are local administrators.

Citrix virtual apps environments are the typical use cases of multi-session operating systems. If this policy is disabled or not configured on multi-session operating systems, Profile Management processes logons of domain users but not of local administrators. Citrix virtual desktops environments are the typical use cases of single-session operating systems. On single-session operating systems, Profile Management processes local administrator logons.

Domain users with local administrator permissions are typically Citrix virtual desktops users with assigned virtual desktops. When a desktop experiences problems with Profile Management, this policy allows the user to log on by bypassing any logon processing and to troubleshoot the problems.

Note:

Domain users’ logons might be subject to restrictions imposed by group membership, typically to ensure compliance with product licensing.

Configuration precedence:

  1. If this policy is disabled, Profile Management does not process logons by local administrators.
  2. If this policy isn’t configured here, the value from the .ini file is used.
  3. If this policy is not configured either here or in the .ini file, administrators aren’t processed.

Path to user store

Lets you specify the storage path of the user store. The user store is the central network location where user profiles (registry changes and synchronized files) are stored.

The path can be:

  • A path relative to the home directory. The home directory is typically configured as the #homeDirectory# attribute for a user in the Active Directory.
  • A UNC path. It typically specifies a server share or a DFS namespace.
  • Disabled or unconfigured. In this case, the path is #homeDirectory#\Windows.

The following types of variables can be used in the path setting:

  • System environment variables enclosed in percent signs (for example, %ProfVer%). System environment variables generally require extra setup.
  • Attributes of the Active Directory user object enclosed in hashes (for example, #sAMAccountName#).
  • Profile Management variables. For more information, see the Profile Management variables product document.

User environment variables cannot be used, except for %username% and %userdomain%. You can also create custom attributes to define organizational variables such as location or users fully. Attributes are case-sensitive.

Examples:

  • \\server\share\#sAMAccountName# stores the user settings to the UNC path \\server\share\JohnSmith (if #sAMAccountName# resolves to JohnSmith for the current user)
  • \\server\profiles$\%USERNAME%.%USERDOMAIN%\!CTX_OSNAME!!CTX_OSBITNESS! might expand to \\server\profiles$\JohnSmith.DOMAINCONTROLLER1\Win8x64

Important: Whichever attributes or variables you use, check that this policy expands to the folder one level higher than the folder containing NTUSER.DAT. For example, if this file exists in \server\profiles$\JohnSmith.Finance\Win8x64\UPM_Profile, set the path to the user store as \server\profiles$\JohnSmith.Finance\Win8x64 (not the \UPM_Profile subfolder).

For more information on using variables when specifying the path to the user store, see the following topics:

  • Share Citrix user profiles on several file servers
  • Administer profiles within and across OUs
  • High availability and disaster recovery with Profile Management

Configuration precedence:

  1. If Path to user store is disabled, the user settings are saved in the Windows subdirectory of the home directory. If this policy is disabled, the user settings are saved in the Windows subdirectory of the home directory.
  2. If this policy isn’t configured here, the value from the .ini file is used.
  3. If this policy is not configured either here or in the .ini file, the Windows directory on the home drive is used.

Migrate user store

Lets you specify the storage path of the user store that Profile Management previously used (the path to user store setting that you previously specified).

If this setting is configured, the user settings stored in the previous user store are migrated to the current user store.

The path can be an absolute UNC path or a path relative to the home directory.

In both cases, you can use the following types of variables:

  • System environment variables enclosed in percent signs
  • Attributes of the Active Directory user object enclosed in hash signs

Examples:

  • If %ProfileVer% is a system environment variable that resolves to W2K3, the folder Windows\%ProfileVer% stores the user settings in a subfolder called Windows\W2K3 of the user store.
  • If #SAMAccountName# resolves to JohnSmith for the current user, \\server\share\#SAMAccountName# stores the user settings to the UNC path \\server\share\<JohnSmith>.

Configuration precedence:

  1. In the path, you can use user environment variables except %username% and %userdomain%. If this setting is disabled, the user settings are saved in the current user store.

  2. If this setting isn’t configured here, the corresponding setting from the .ini file is used.

  3. If this setting is not configured either here or in the .ini file, the user settings are saved in the current user store.

Active write back

Lets you enable the active write-back feature. With this feature enabled, Profile Management synchronizes files and folders that are modified on the local computer to the user store during a session.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, it is disabled.

Active write back registry

Lets you enable Profile Management to synchronize registry entries that are modified on the local computer to the user store during a session. Use this policy with the Active write back policy.

Configuration precedence:

  1. If you do not configure this setting here, the value from the .ini file is used.
  2. If you configure this setting neither here nor in the .ini file, the active write-back registry is disabled.

Active write back on session lock and disconnection

With both this policy and the Active write back policy enabled, profile files and folders are written back only when a session is locked or disconnected.

With this policy and both the Active write back and Active write back registry policies enabled, registry entries are written back only when a session is locked or disconnected.

Configuration precedence:

  • If this setting isn’t configured here, the value from the .ini file is used.
  • If this setting is not configured either here or in the .ini file, this policy is disabled.

Offline profile support

Lets you enable the offline profile feature. This feature allows profiles to synchronize with the user store at the earliest opportunity.

This feature aims at laptop or mobile device users who often roam. When a network disconnection occurs, profiles remain intact on the laptop or device even after restart or hibernation. When mobile users start sessions, their profiles are updated locally. Profile Management synchronizes their profiles with the user store only after the network connection restores.

Configuration precedence:

  • If this policy isn’t configured here, the value from the .ini file is used.
  • If this policy is not configured either here or in the .ini file, offline profiles are disabled.

Profile Management\Advanced settings

Number of retries when accessing locked files

Lets you specify the number of retries when accessing locked files.

It is most unlikely that you need to enable this policy.

During logoff, if there are any locked files, Profile Management tries the specified number of times to access the files and copy them back to the user store. But typically Profile Management only reads (not writes to) the files for the copy operation to succeed. If any locked files exist, Profile Management doesn’t delete the local profile and instead leaves it “stale” (as long as the appropriate policy was enabled).

We recommend that you do not enable this policy.

Configuration precedence:

  1. If this policy is disabled, the default value of five retries is used.
  2. If this policy isn’t configured here, the value from the .ini file is used.
  3. If this policy is not configured either here or in the .ini file, the default value is used.

Some deployments leave extra Internet cookies that Index.dat does not reference. The extra cookies left in the file system after sustained browsing can lead to profile bloat. This policy lets you enable Profile Management to force processing of Index.dat and remove the extra cookies. The policy increases logoff times, so enable it only after you experience this issue.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, no processing of Index.dat takes place.

Disable automatic configuration

Profile Management examines any Citrix virtual desktops environment, for example for the presence of personal vDisks, and configures Group Policy accordingly. Only Profile Management policies in the Not Configured state are adjusted, so any customizations you have made are preserved.

This policy lets you speed up deployment and simplifies optimization. You do not need to configure this policy. However, you can disable automatic configuration when doing one of the following:

  • Upgrading to retain settings from earlier versions
  • Troubleshooting

You can regard automatic configuration as a dynamic configuration checker that automatically configures the default policy settings according to environments at runtime. It eliminates the need to configure the settings manually. Runtime environments include:

  • Windows OS
  • Windows OS versions
  • Presence of Citrix virtual desktops
  • Presence of personal vDisks

Automatic configuration might change the following policies if the environment changes:

  • Active write back
  • Always cache
  • Delete locally cached profiles on logoff
  • Delay before deleting cached profiles
  • Profile streaming

See the following table for the default status of the preceding policies on different OSs:

  Multi-session OS Single-session OS
Active write back Enabled Enabled
Always cache Disabled Enabled
Delete locally cached profiles on logoff Enabled Disabled if Citrix virtual desktop is assigned or Citrix virtual desktop is not installed. Otherwise, enabled.
Delay before deleting cached profiles 0 seconds 60 seconds if user changes are not persistent; otherwise, 0 seconds.
Profile streaming Enabled Enabled
Profile streaming for folders Enabled Enabled

However, with automatic configuration disabled, all policies above default to Disabled.

To ensure that Start menu roaming works properly on Windows 10, Windows Server 2016, and Windows Server 2019, follow these steps:

  1. Enable automatic configuration or set the Disable automatic configuration policy to Enabled.
  2. Complete the configuration steps, as described in the Profile Management best practices article.

Configuration precedence:

  1. If this setting isn’t configured here, the value from the .ini file is used.

  2. If this setting is neither configured here nor in the .ini file, automatic configuration is turned on. In this case, Profile Management settings might change if the environment changes.

Log off user if a problem is encountered

Lets you specify whether Profile Management logs off users if a problem is encountered.

If this policy is disabled or not configured, Profile Management gives a temporary profile to users if a problem is encountered. For example, the user store is unavailable.

Configuration precedence:

  1. If this setting is enabled, an error message is displayed and users are logged off. This setup can simplify troubleshooting of the problem.

  2. If this setting isn’t configured here, the value from the .ini file is used.

  3. If this setting is neither configured here nor in the .ini file, a temporary profile is provided.

Customer Experience Improvement Program

By default, the Customer Experience Improvement Program is enabled to help improve the quality and performance of Citrix products by sending anonymous statistics and usage data.

If this setting isn’t configured here, the value from the .ini file is used.

Enable search index roaming for Outlook

With this policy enabled, Profile Management provides native Outlook search experience to users by automatically roaming Outlook search data with user profiles. This policy requires extra storage to store the search index for Outlook.

Log off and then log on again for this policy to take effect.

Outlook search index database – backup and restore

Lets you specify what Profile Management does during logon when the Enable search index roaming for Outlook policy is enabled.

If this policy is enabled, Profile Management backs up the search index database each time the database is mounted successfully on logon. Profile Management treats the backup as the good copy of the search index database. When an attempt to mount the search index database fails due to database corruption, Profile Management reverts the search index database to the last-known good copy.

Note:

Profile Management deletes the previously saved backup after a new backup is saved successfully. The backup consumes the available VHDX storage.

Enable concurrent session support for Outlook search data roaming

Lets Profile Management provide native Outlook search experience in concurrent sessions of the same user. Use this policy with the Search index roaming for Outlook policy.

With this policy enabled, each concurrent session uses a separate Outlook OST file.

By default, only two VHDX disks can be used to store Outlook OST files (one file per disk). If the user starts more sessions, their Outlook OST files are stored in the local user profile. You can specify the maximum number of VHDX disks for storing Outlook OST files.

Enable multi-session write-back for profile containers

Lets you enable write-back for profile containers in multi-session scenarios.

Note:

Citrix Profile Management profile container is available starting with Citrix Profile Management 2103. The FSLogix Profile Container is available starting with Citrix Profile Management 2003.

If the policy is enabled, changes in all sessions are written back to profile containers. Otherwise, only changes in the first session are saved because only the first session is in read/write mode in profile containers.

To use this policy for the FSLogix Profile Container, ensure that the following prerequisites are met:

  • The FSLogix Profile Container feature is installed and enabled.
  • The profile type is set to Try for read-write profile and fallback to read-only in FSLogix.

Replicate user stores

Lets you replicate the remote user profile store to multiple paths on each logon and logoff. Doing so lets Profile Management provide profile redundancy for user logons.

Enabling the policy increases system I/O and might prolong logoffs.

Note:

This feature is available for both the file-based and container-based profile solutions.

Enable credential-based access to user stores

Lets you enable credential-based access to user stores.

By default, Citrix Profile Management impersonates the current user to access user stores. Therefore, it requires the current user to have permission to access the user store. In some situations, you want to put user stores in a storage repository (for example, Azure Files) that the current user has no permission to access. In those cases, enable this policy to let Profile Management access the user stores by using the credentials of the storage repository.

To ensure that Profile Management can access user stores using credentials, save the credentials in Workspace Environment Management (WEM) or Windows Credential Manager. We recommend you use Workspace Environment Management to eliminate the need of configuring the same credentials for each machine running Profile Management. If you use the Windows Credential Manager, use the Local System account to securely save the credentials.

Note:

This policy is available both for file-based and VHDX-based user stores. For Profile Management versions earlier than 2212, this policy is available only for VHDX-based user stores.

Configuration precedence:

  1. If this setting isn’t configured here, the value from the .ini file is used.
  2. If this setting is not configured either here or in the .ini file, it is disabled by default.

Specify the storage path for VHDX files

Lets you specify a storage path to store VHDX files used in Profile Management.

Citrix Profile Management provides the following VHDX-based policies: Enable native Outlook search experience, Citrix Profile Management profile container, and Accelerate folder mirroring. By default, VHDX files are stored in the user store.

Configuration precedence:

  1. If this setting isn’t configured here, the value from the .ini file is used.
  2. If this setting is not configured either here or in the .ini file, it is disabled by default.

Default capacity of VHD containers

Lets you specify the default storage capacity (in GB) of VHD containers.

Configuration precedence:

  1. If this policy is not configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, the default is 50 (GB).

Automatically reattach VHDX disks in sessions

With this policy enabled, Profile Management ensures a high level of stability of VHDX-based policies. By default, this policy is enabled.

When this policy is enabled, Profile Management monitors VHDX disks that are in use by VHDX-based policies. If any of the disks is detached, Profile Management reattaches the disk automatically.

Enable asynchronous processing for user Group Policy on logon

Windows provides two processing modes for user Group Policy: synchronous and asynchronous. Windows uses a registry value to determine the processing mode for the next user logon. If the registry value doesn’t exist, synchronous mode is applied. The registry value is a machine-level setting and doesn’t roam with users. Thus, asynchronous mode will not be applied as expected if users:

  • Log on to different machines.
  • Log on to the same machine where the Delete locally cached profiles on logoff policy is enabled.

With this policy enabled, the registry value roams with users. As a result, processing mode is applied each time users log on.

Free space ratio to trigger VHD disk compaction

Applicable when Enable VHD disk compaction is enabled. Lets you specify the freeable space ratio to trigger VHD disk compaction. When the freeable space ratio exceeds the specified value on user logoff, disk compaction is triggered.

Freeable space ratio = (current VHD file size – required minimum VHD file size*) ÷ current VHD file size

* Obtained using the GetSupportedSize method of the MSFT_Partition class from the Microsoft Windows operating system.

Configuration precedence:

  1. If this setting isn’t configured here, the value from the .ini file is used.
  2. If this setting is not configured either here or in the .ini file, the default value 20 (%) is used.

Number of logoffs to trigger VHD disk compaction

Applicable when Enable VHD disk compaction is enabled. Lets you specify the number of user logoffs to trigger VHD disk compaction.

When the number of logoffs since the last compaction reaches the specified value, disk compaction is triggered again.

Configuration precedence:

  1. If this setting isn’t configured here, the value from the .ini file is used.
  2. If this setting is not configured either here or in the .ini file, the default value 5 is used.

Disable defragmentation for VHD disk compaction

Applicable when Enable VHD disk compaction is enabled. Lets you specify whether to disable file defragmentation for VHD disk compaction.

When VHD disk compaction is enabled, the VHD disk file is first automatically defragmented using the Windows built-in defrag tool, and then compacted. VHD disk defragmentation produces better compaction results while disabling it can save system resources.

Configuration precedence:

  1. If this setting isn’t configured here, the value from the .ini file is used.
  2. If this setting is not configured either here or in the .ini file, defragmentation is enabled by default.

Profile container auto-expansion threshold

Lets you specify the utilization percentage of storage capacity at which profile containers trigger auto-expansion.

Configuration precedence:

  1. If this policy is not configured here, the value from the .ini file is used.
  2. If this policy is not configured here or in the .ini file, the default is 90 (%) of storage capacity.

Profile container auto-expansion increment

Lets you specify the amount of storage capacity (in GB) by which profile containers automatically expand when auto-expansion is triggered.

Configuration precedence:

  1. If this policy is not configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, the default is 10 (GB).

Profile container auto-expansion limit

Lets you specify the maximum storage capacity (in GB) to which profile containers can automatically expand when auto-expansion is triggered.

Configuration precedence:

  • If this policy is not configured here, the value from the .ini file is used.
  • If this policy is not configured either here or in the .ini file, the default is 80 (GB).

Enable OneDrive container

Lets OneDrive folders roam with users.

The OneDrive container is a VHDX-based folder roaming solution. Profile Management creates a VHDX file per user on a file share and stores the users’ OneDrive folders into the VHDX files. The VHDX files are attached when users log on and detached when users log off.

UWP app roaming

Lets you enable UWP (Universal Windows Platform) apps to roam with users. As a result, users can access the same UWP apps from different devices.

With this policy enabled, Profile Management lets UWP apps roam with users by storing the apps on separate VHDX disks. Those disks are attached during user logons and detached during user logoffs.

Configuration precedence:

  1. If this setting is not configured here, the value from the .ini file is used.
  2. If this setting is configured neither here nor in the .ini file, this feature is disabled.

Enable AppX package load acceleration

Lets you accelerate the loading of UWP apps and improve their consistency in non-persistent environments. By default, Windows stores UWP App registration information locally on each machine, which can be lost upon restart in non-persistent environments. With this policy enabled, Profile Management creates a VHDX container for each machine to store the UWP app registration data, speeding up user logon and preventing data loss on restarts.

Configuration precedence:

  1. If this setting isn’t configured using a GPO, Studio, or Workspace Experience Management (WEM), the value from the .ini file is used.
  2. If this setting isn’t configured anywhere, this feature is disabled.

Enable user-level policy settings

With this policy enabled, machine-level policy settings can work at the user level, and user-level settings override machine-level settings.

Configuration precedence:

  1. If this policy is not configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, it is disabled.

Set priority order for user groups

Specify the priority order for user groups. The order determines which group takes precedence when a user belongs to multiple groups with different policy settings.

When a user belongs to multiple groups with conflicting policy settings, consider the following:

  • If the user belongs to one or more groups defined in this policy, the group with the highest priority takes precedence.

  • If the user doesn’t belong to any of the groups defined in this policy, the group with the SID listed earliest in alphabetical order takes precedence.

Configuration precedence:

  1. If this setting is not configured here, the value from the .ini file is used.
  2. If this setting is not configured either here or in the .ini file, no priority order is specified.

User store selection method

Lets you specify the user store selection method when multiple user stores are available. Options include:

  • Configuration order. Profile Management selects the earliest configured store.
  • Access performance. Profile Management selects the store with the best access performance.

Configuration precedence:

  1. If this setting isn’t configured here, the value from the .ini file is used.
  2. If this setting isn’t configured here or in the .ini file, Configuration order is used.

Enable in-session profile container failover among user stores

By default, when multiple user stores are deployed, profile container failover occurs only at user logon. As a result, profile redundancy is available only at user logon. This policy lets you expand the failover scope to the entire session, ensuring profile redundancy throughout the session. With the policy enabled, if Profile Management loses connection to the active profile container during a session, it automatically switches to another available one.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy isn’t configured either here or in the .ini file, the setting is disabled.

Notify user when profile size exceeds quota

Lets you set a quota for the user profile and notify users when their profile size exceeds it.

Notification message when profile size exceeds quota

Applicable when the Notify user when profile size exceeds quota policy is enabled. Lets you set the notification message users receive.

Profile Management\Citrix Virtual Apps Optimization settings

Enable Citrix Virtual Apps Optimization

When you enable this feature, only the settings specific to the published applications a user launches or exits are synchronized.

Configuration precedence:

  1. If this setting isn’t configured here, the value from the .ini file is used.

  2. If this setting is not configured either here or in the .ini file, no optimization settings for Citrix virtual apps are applied.

Path to Citrix Virtual Apps optimization definitions

Lets you specify a folder to store definition files of the Citrix virtual apps optimization.

Configuration precedence:

  1. If this setting isn’t configured here, the value from the .ini file is used.

  2. If this setting is not configured either here or in the .ini file, no Citrix virtual apps optimization settings are applied.

Note:

The folder can reside in the local storage or on an SMB file share.

Profile Management\Cross-platform settings

Enable cross-platform settings

Lets you enable the cross-platform settings. The cross-platform settings feature is primarily used for migration from Windows 7 and Windows Server 2008 to Windows 8 and Windows Server 2012. This migration might also move from Microsoft Office 2003 or Office 2007 to Office 2010.

By default, to ease deployment, cross-platform settings are disabled. Enable this policy only after thorough planning and testing of this feature.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, no cross-platform settings are applied.

Cross-platform settings user groups

Lets you specify Windows user groups to which the cross-platform settings feature applies. For example, you can use this policy to process only the profiles from a test user group.

Configuration precedence:

  1. If this policy is configured, the cross-platform settings feature of Profile Management processes only members of these user groups. If this policy is disabled, the feature processes all users specified by the Processed groups policy.

  2. If this policy isn’t configured here, the value from the .ini file is used.

  3. If this policy is not configured either here or in the .ini file, all user groups are processed.

Path to cross-platform definitions

Lets you specify the network location where the definition files reside.

This path must be a UNC path. Users must have read access to this location, and administrators must have write access to it. The location must be a Server Message Block (SMB) or Common Internet File System (CIFS) file share.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, no cross-platform settings are applied.

Path to cross-platform settings store

Lets you specify the path to the cross-platform settings store. The store refers to the folder in which users’ cross-platform settings are saved.

This store resides in the user store where profile data shared by multiple platforms is located. Users must have write access to the store. The path can be an absolute UNC path or a path relative to the home directory. You can use the variables used in Path to user store.

Configuration precedence:

  1. If this policy is disabled, the Windows\PM_CP path is used.

  2. If this policy isn’t configured here, the value from the .ini file is used.

  3. If this policy is not configured either here or in the .ini file, the default value is used.

Source for creating cross-platform settings

Lets you specify a platform as the base platform if this policy is enabled in that platform’s OU. This policy migrates data from the base platform’s profiles to the cross-platform settings store. By default, this policy is disabled.

Each platform’s own set of profiles are stored in a separate OU. Decide which platform’s profile data that you want to use as the base platform to seed the cross-platform settings store.

With this policy enabled, when one of the following situations occurs, Profile Management migrates the data from the single-platform profile to the store.

  • The cross-platform settings store contains a definition file with no data.
  • The cached data in a single-platform profile is newer than the definition’s data in the store.

Important:

If this policy is enabled in multiple OUs, user objects, or machine objects, the platform that the first user logs on to become the base profile.

Profile Management\File system

Exclusion list - files

Lets you specify the files that Profile Management ignores during synchronization. File names must be paths relative to the user profile (%USERPROFILE%). Wildcards are allowed and are applied recursively.

Examples:

  • Desktop\Desktop.ini ignores the Desktop.ini file in the Desktop folder.
  • %USERPROFILE%\*.tmp ignores all files with the .tmp extension in the entire profile.
  • AppData\Roaming\MyApp\*.tmp ignores all files with the .tmp extension in one part of the profile.

Configuration precedence:

  1. If this policy is disabled, no files are excluded.
  2. If this policy isn’t configured here, the value from the .ini file is used.
  3. If this policy is not configured either here or in the .ini file, no files are excluded.

Enable Default Exclusion List - directories

Lets you specify the default list of directories that Profile Management ignores during synchronization. Use this policy to specify GPO exclusion directories without having to fill them in manually.

Configuration precedent:

  1. If you disable this policy, Profile Management does not exclude any directories by default.
  2. If you do not configure this policy here, Profile Management uses the value from the .ini file.
  3. If you do not configure this policy here or in the .ini file, Profile Management does not exclude any directories by default.

Exclusion list - directories

Lets you specify the folders that Profile Management ignores during synchronization. Folder names must be specified as paths relative to the user profile (%USERPROFILE%).

Example:

  • Desktop ignores the Desktop folder in the user profile

Configuration precedence:

  1. If this policy is disabled, no folders are excluded.
  2. If this policy isn’t configured here, the value from the .ini file is used.
  3. If this policy is not configured either here or in the .ini file, no folders are excluded.

Logon Exclusion Check

Lets you specify what Profile Management does if a profile in the user store contains excluded files or folders.

Configuration precedence:

  1. If this setting is disabled or set to the default value of Synchronize excluded files or folders, Profile Management synchronizes those excluded files or folders from the user store to the local profile when a user logs on.

  2. If this setting is set to Ignore excluded files or folders, Profile Management ignores the excluded files or folders in the user store on user logon. If this setting is set to Delete excluded files or folders, Profile Management deletes the excluded files or folders in the user store on user logon.

  3. If this setting isn’t configured here, the value from the .ini file is used.

  4. If this setting is neither configured here nor in the .ini file, Profile Management synchronizes excluded files or folders from the user store to the local profile.

Lets you specify the files that are created as symbolic links. This setting is used to improve logon performance and to process large-size files.

You can use wildcards in policies that refer to files. Example, !ctx_localappdata!\Microsoft\Outlook*.OST.

To process the Offline Outlook Data File (*.ost), make sure that the Outlook folder is not excluded for Profile Management.

Those files cannot be accessed in multiple sessions simultaneously.

Profile Management\File system\Synchronization

Directories to synchronize

Lets you specify folders that you want Profile Management to synchronize when their parent folders are excluded.

Paths on this list must be relative to the user profile.

Profile Management synchronizes each user’s entire profile between the system where it is installed and the user store. It is not necessary to include subfolders of the user profile by adding them to this list.

Disabling this policy has the same effect as enabling it and configuring an empty list.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.

  2. If this policy is not configured either here or in the .ini file, only non-excluded folders in the user profile are synchronized.

Files to synchronize

Lets you specify files that you want Profile Management to synchronize when their parent folders are excluded.

Paths on this list must be relative to the user profile. Wildcards can be used in file names and folder names. But wildcards are applied recursively only in file names.

Examples:

  • AppData\Local\Microsoft\Office\Access.qat specifies a file in a folder that is excluded in the default configuration
  • AppData\Local\MyApp*.cfg specifies all files with the extension .cfg in the profile folder AppData\Local\MyApp and its subfolders

Profile Management synchronizes each user’s entire profile between the system where it is installed and the user store. It is not necessary to include files in the user profile by adding them to this list.

Disabling this policy has the same effect as enabling it and configuring an empty list.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.

  2. If this policy is not configured either here or in the .ini file, only non-excluded files in the user profile are synchronized.

Folders to mirror

This policy can help solve issues involving any transactional folder (also known as a referential folder). That type of folder contains interdependent files, where one file references other files.

With the policy, Profile Management processes a transactional folder and its contents as a single entity when synchronizing user profiles.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, no folders are mirrored.

Accelerate folder mirroring

With both this policy and the Folders to mirror policy enabled, Profile Management stores mirrored folders on a VHDX-based virtual disk. It attaches the virtual disk during logons and detaches it during logoffs. Enabling this policy eliminates the need to copy the folders between the user store and local profiles and accelerates folder mirroring.

Profile Management\File deduplication

Identical files can exist among various user profiles in the user store. Having duplicate instances of files stored in the user store increases your storage cost.

File deduplication policies let Profile Management remove duplicate files from the user store and store one instance of them in a central location (called shared store). Doing so avoids file duplications in the user store, thus saving your storage cost.

Files to include in the shared store for deduplication

Lets you enable file deduplication and specify files to include in the shared store for deduplication.

Files to exclude from the shared store

Lets you specify files to exclue from the shared store. Use this policy along with the Files to include in the shared store for deduplication policy.

Minimum size of files to deduplicate from profile containers

Lets you specify the minimum size of files to deduplicate from profile containers. This size must be 256 MB or greater.

Configuration precedence:

  1. If this setting is not configured here, the value from the .ini file is used.
  2. If this setting is not configured either here or in the .ini file, the value is 256.

Profile Management\Log settings

Enable logging

Lets you specify whether to enable logging for Profile Management. Enable this policy only when you are troubleshooting Profile Management.

Configuration precedence:

  1. If this policy is disabled, only errors are logged. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, only errors are logged.

Log settings

Lets you select which events or actions Profile Management logs. Select them all only if you are requested to do so by Citrix personnel.

Configuration precedence:

  1. If the policy isn’t configured here, Profile Management uses the values from the .ini file.

  2. If this policy is not configured either here or in the .ini file, errors and general information are logged.

The checkboxes for this policy correspond to the following settings in the .ini file: LogLevelWarnings, LogLevelInformation, LogLevelFileSystemNotification, LogLevelFileSystemActions, LogLevelRegistryActions, LogLevelRegistryDifference, LogLevelActiveDirectoryActions, LogLevelPolicyUserLogon, LogLevelLogon, LogLevelLogoff, and LogLevelUserName.

Maximum size of the log file

Lets you specify the maximum size of the Profile Management log file in bytes.

The default value for the maximum size of the Profile Management log file is 10 MB. If you have sufficient disk space, increase the value. If the log file grows beyond the maximum size, the following happens:

  1. An existing backup of the file (.bak) is deleted.
  2. The log file is renamed to .bak.
  3. A new log file is created.

The log file is created in %SystemRoot%\System32\Logfiles\UserProfileManager or in the location that the Path to log file policy specifies.

Configuration precedence:

  1. If this policy is disabled, the default value of 10 MB is used.
  2. If this policy isn’t configured here, the value from the .ini file is used.
  3. If this policy isn’t configured either here or in the .ini file, the default value is used.

Path to log file

Lets you configure an alternative path to store the log files.

The path can point to a local drive or a network-based one (a UNC path):

  • Remote drives are recommended in large, distributed environments. However, they can create significant network traffic, which might not be appropriate for log files.
  • Local drives are often used in provisioned virtual machines with a persistent hard drive.

This setting ensures that log files are preserved when the machine restarts. For virtual machines without a persistent hard drive, setting a UNC path allows you to retain the log files. But the system account for the machines must have write access to the UNC share. Use a local path for any laptops managed by the offline profiles feature.

If a UNC path is used for log files, Citrix recommends that you apply an appropriate access control list to the log file folder. Access control ensures that only authorized user or computer accounts can access the stored files.

Examples:

  • D:\LogFiles\ProfileManagement.
  • \server\LogFiles\ProfileManagement

If this policy isn’t configured here, the value from the .ini file is used. If this policy is not configured either here or in the .ini file, the default location %SystemRoot%\System32\Logfiles\UserProfileManager is used.

Profile Management\Profile container settings

Profile container

Lets you use a VHDX-based network disk (profile container) to store user profiles. You can use it to store a user profile in whole or in part. On user logon, the profile container is mounted to the user environment and the profile folders are available immediately.

Enable local caching for profile containers

Lets you enable local caching for Citrix Profile Management profile containers. This policy takes effect only when the profile container is enabled for the entire user profile.

With the policy set to Enabled, each local profile serves as a local cache of its Citrix Profile Management profile container. If profile streaming is in use, locally cached files are created on demand. Otherwise, they are created during user logons.

Folders to exclude from profile container

Lets you specify folders to exclude from the Citrix Profile Management profile container.

Folders to include in profile container

Lets you specify folders to keep in the Citrix Profile Management profile container when their parent folders are excluded.

Folders on this list must be subfolders of the excluded folders. Otherwise, this setting does not work.

Disabling this setting has the same effect as enabling it and configuring an empty list.

Files to include in profile container

Lets you specify files to include in the Citrix Profile Management profile container when their parent folders are excluded.

Files on this list must be inside the excluded folders. Otherwise, this setting does not work.

Files to exclude from profile container

Lets you specify files to exclude from the Citrix Profile Management profile container.

Enable VHD disk compaction

Lets you enable VHD disk compaction for Profile Management. If enabled, VHD disks are automatically compacted on user logoff when certain conditions are met. This policy enables you to save the storage space consumed by profile container, OneDrive container, and mirror folder container.

Depending on your needs and the resources available, you can adjust the default VHD compaction settings and behavior using the Free space ratio to trigger VHD disk compaction, Number of logoffs to trigger VHD disk compaction, and Disable defragmentation for VHD disk compaction policies in Advanced settings.

Configuration precedence:

  1. If this setting isn’t configured here, the value from the .ini file is used.
  2. If this setting is not configured either here or in the .ini file, the feature is disabled.

Enable VHD auto-expansion for profile container

Lets you specify whether to enable VHD auto-expansion for the profile container. When enabled, all VHD auto-expansion settings apply to the profile container.

Configuration precedence:

  • If this policy is not configured here, the value from the .ini file is used.
  • If this policy is not configured either here or in the .ini file, it is disabled.

Enable exclusive access to VHD containers

By default, VHD containers allow concurrent access. With this setting enabled, they allow only one access at a time. This feature applies to profile containers and OneDrive containers.

Note:

In the container-based profile solution, enabling this setting for profile containers automatically disables the Enable multi-session write-back for profile containers setting.

Configuration precedence:

  1. If this policy is not configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, the setting is disabled.

Log off users when profile container is not available during logon

Lets you specify whether to force log-off users when the profile container is unavailable during user logon and customize the error message users see.

Configuration precedence:

  1. If this policy is not configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, the setting is disabled.

Users and groups to access profile container

Lets you specify which AD domain users and groups have Read & Execute permission on profile containers. By default, a profile container is accessible only to its owner.

Configuration precedence:

  1. If this policy is not configured here, the setting from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, the profile container is accessible only to its owner.

Profile Management\Profile handling

Delete locally cached profiles on logoff

Lets you specify whether locally cached profiles are deleted after logoff.

If this policy is enabled, a user’s local profile cache is deleted after user logoff. This setting is recommended for terminal servers. If this policy is disabled, cached profiles are not deleted.

Note:

You can control when profile caches are deleted on logoff using the Delay before deleting the cached profiles policy.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, cached profiles are not deleted.

Delay before deleting cached profiles

Lets you specify an optional extension to the delay before locally cached profiles are deleted on logoff. Extending the delay is useful if you know that a process keeps files or the user registry hives open during logoff. With large profiles, this setup can also speed up logoff.

A value of 0 deletes the profiles immediately, at the end of the logoff process.

Profile Management checks for logoffs every minute. A value of 60 ensures that profiles are deleted between one and two minutes after user logoffs depending on when the last check takes place.

Important: This policy works only if Delete locally cached profiles on logoff is enabled.

If this policy isn’t configured here, the value from the .ini file is used. If this policy is not configured either here or in the .ini file, profiles are deleted immediately.

Migration of existing profiles

Lets you specify Profile Management migrate which types of user profiles to the user store if the user store is empty.

Profile Management can migrate existing profiles “on the fly” during logon if the user has no profile in the user store. Select Roaming if you are migrating roaming profiles or Remote Desktop Services profiles.

The following event takes place during logons. If the user has a Windows profile instead of a Citrix user profile in the user store, Profile Management migrates the Windows profile to the user store. After this process, Profile Management uses the user store profile in the current and other sessions that are configured with the path to the same user store.

Configuration precedence:

  1. If this setting is enabled, profile migration can be activated for roaming and local profiles (the default), roaming profiles only, local profiles only. Or profile migration can be disabled.

  2. If this policy is disabled and no Citrix user profile exists in the user store, the existing Windows mechanism for creating profiles is used.

  3. If profile migration is disabled and no Citrix user profile exists in the user store, the existing Windows mechanism for creating profiles is used.

  4. If this policy isn’t configured here, the value from the .ini file is used.

  5. If this policy is not configured either here or in the .ini file, Profile Management migrates existing local and roaming profiles to the user store.

Automatic migration of existing application profiles

This setting enables or disables the automatic migration of existing application profiles across different operating systems. The application profiles include both the application data in the AppData folder and the registry entries under HKEY_CURRENT_USER\SOFTWARE. This setting can be useful in cases where you want to migrate your application profiles across different operating systems.

For example, you need to upgrade your operating system (OS) from Windows 10 version 1803 to Windows 10 version 1809. If this setting is enabled, Profile Management automatically migrates the existing application settings to Windows 10 version 1809 the first time each user logs on. The application data in the AppData folder and the registry entries under HKEY_CURRENT_USER\SOFTWARE are migrated.

If there are several existing application profiles, Profile Management performs the migration in the following order of priority:

  1. Profiles of the same OS type (single-session OS to single-session OS and multi-session OS to multi-session OS).
  2. Profiles of the same Windows OS family; for example, Windows 10 to Windows 10, or Windows Server 2016 to Windows Server 2016).
  3. Profiles of an earlier version of the OS; for example, Windows 7 to Windows 10, or Windows Server 2012 to Windows 2016.
  4. Profiles of the closest OS.

Note:

You must specify the short name of the OS by including the !CTX_OSNAME! variable in the user store path. Doing so lets Profile Management locate the existing application profiles.

If this setting isn’t configured here, the setting from the .ini file is used.

If this setting is neither configured here nor in the .ini file, it is disabled by default.

Local profile conflict handling

Lets you specify how Profile Management behaves if both a profile in the user store and a local Windows user profile (not a Citrix user profile) exist.

Configuration precedence:

  1. If this policy is disabled or set to the default value of Use local profile, Profile Management uses the local profile, but does not change it in any way.

  2. If this policy is set to Delete local profile, Profile Management deletes the local Windows user profile. And then imports the Citrix user profile from the user store. If this policy is set to Rename local profile, Profile Management renames the local Windows user profile (for backup purposes). And then imports the Citrix user profile from the user store.

  3. If this policy isn’t configured here, the value from the .ini file is used. If this policy is not configured either here or in the .ini file, existing local profiles are used.

Template profile

Lets you specify the storage path of the profile you want to use as a template. This path is the full path of the folder containing the NTUSER.DAT registry file and any other folders and files required for the template profile.

Important: Ensure that you do not include NTUSER.DAT in the path setting. For example, with the \\myservername\myprofiles\template\ntuser.dat file, set the location as \\myservername\myprofiles\template. Use absolute paths, which can be UNC ones or paths on the local computer. You can use the latter, for example, to specify a template profile permanently on a Citrix Provisioning Services image. Relative paths are not supported.

This policy does not support expansion of Active Directory attributes, system environment variables, or the %USERNAME% and %USERDOMAIN% variables.

Configuration precedence:

  1. If this policy is disabled, templates aren’t used.

  2. If this policy is enabled, Profile Management uses the template instead of the local default profile when creating user profiles. If a user has no Citrix user profile, but a local or roaming Windows user profile exists, by default the local profile is used. And the local profile is migrated to the user store, if this policy is not disabled. This setup can be changed by enabling the Template profile overrides local profile or Template profile overrides roaming profile check box. Also, identifying the template as a Citrix mandatory profile means that, like Windows mandatory profiles, changes are not saved.

  3. If this policy isn’t configured here, the value from the .ini file is used.

  4. If this policy is not configured either here or in the .ini file, no template is used.

Profile Management\Registry

Exclusion list

Lets you specify the registry keys in the HKCU hive that Profile Management ignores during logoff.

Example: Software\Policies

Configuration precedence:

  • If this policy is disabled, no registry keys are excluded.
  • If this policy isn’t configured here, the value from the .ini file is used.
  • If this policy is not configured either here or in the .ini file, no registry keys are excluded.

Inclusion list

Lets you specify registry keys in the HKCU hive that Profile Management processes during logoff.

Example: Software\Adobe.

Configuration precedence:

  1. If this policy is enabled, only keys on this list are processed. If this policy is disabled, the complete HKCU hive is processed.
  2. If this policy isn’t configured here, the value from the .ini file is used.
  3. If this policy is not configured either here or in the .ini file, all of HKCU is processed.

Enable Default Exclusion List - Profile Management 5.5

Lets you specify registry keys in the HKCU hive that Profile Management does not synchronize to the user profiles. Use this policy to specify GPO exclusion files without having to fill them in manually.

Configuration precedence:

  1. If you disable this policy, Profile Management does not exclude any registry keys by default.
  2. If you do not configure this policy here, Profile Management uses the value from the .ini file.
  3. If you configure this policy neither here nor in the .ini file, Profile Management does not exclude any registry keys by default.

NTUSER.DAT backup

Lets you enable a backup of the last-known good copy of NTUSER.DAT and roll back when any corruption occurs.

If you do not configure this policy here, Profile Management uses the value from the .ini file. If you configure this policy neither here nor in the .ini file, Profile Management does not back up NTUSER.DAT.

Profile Management\App access control

Lets you use rules to control user access to files, folders, registry keys, and values or to implement machine-level redirections for files, folders, registry keys, and values.

Use the following ways to create rules:

  • GUI-based tool – WEM Tool Hub > Rule Generator for App Access Control
  • PowerShell tool – available with the Profile Management installation package

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.

  2. If this policy is not configured either here or in the .ini file, it is disabled.

Profile Management\Streamed user profiles

Profile streaming

Lets you enable the profile streaming feature. With this feature enabled, files in user profiles are fetched from the user store to the local computer only when users access them. The NTUSER.DAT file and any files in the pending area are the exception. They are fetched immediately. NTUSER.DAT stores registry entries.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.

  2. If this policy is not configured either here or in the .ini file, it is disabled.

Enable profile streaming for folders

Lets you enable the profile streaming feature for folders in user profiles.

With both this policy and the Profile streaming policy set to Enabled, folders in a user profile are fetched from the user store to the local computer only when users access them.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, it’s disabled.

Always cache

Lets you specify the lower limit on the size of files that are fetched from the user store to the local computer immediately after logon.

When the profile streaming feature is enabled, files in user profiles are fetched to the local computers when users access them. This on-demand file-fetching mechanism causes slow loading when files that users request are large. With this policy enabled, Profile Management fetches files larger than a specified size to the local computers immediately after logon.

To fetch the entire profile to the local computer immediately after logon, set this limit to zero.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, it’s disabled.

Timeout for pending area lock files

Lets you specify a timeout period (days) after which Profile Management frees up users’ files. When the timeout occurs, users’ files are written to the user store from the pending area if the user store remains locked when its storage server becomes unresponsive. Use this policy to prevent bloat in the pending area and to ensure that the user store always contains the most up-to-date files.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, the default value of one day is used.

Streamed user profile groups

Lets you specify Windows user groups whose user profiles are streamed.

This policy streams the profiles of a subset of Windows user groups in the OU. The profiles of users in all other groups are not streamed.

Configuration precedence:

  1. If this policy is disabled, all user groups are processed.
  2. If this policy isn’t configured here, the value from the .ini file is used. If this policy is not configured either here or in the .ini file, all users are processed.

Profile Streaming Exclusion list - directories

Lets you specify the folders that Profile Streaming ignores. Folder names must be specified as paths relative to the user profile.

Examples: Entering Desktop ignores the Desktop directory in the user profile.

Configuration precedence:

  1. If this setting is disabled, no folders are excluded.

  2. If this setting isn’t configured here, the value from the .ini file is used.

  3. If this setting is not configured either here or in the .ini file, no folders are excluded.

Note:

Profile Streaming exclusions do not indicate that the configured folders are excluded from profile handling. Citrix Profile Management still processes them.

Enable profile streaming for pending area

Lets you enable the profile streaming feature for files and folders in the pending area.

The pending area is used to ensure profile consistency while profile streaming is enabled. It temporarily stores profile files and folders changed in concurrent sessions.

By default, this policy is disabled, and all files and folders in the pending area are fetched to the local profile on logon. With this policy enabled, files in the pending area are fetched to the local profile only when they are requested. Use the policy with the Profile streaming policy to ensure optimal logon experience in concurrent session scenarios.

The policy applies to folders in the pending area when the Enable profile streaming for folders policy is enabled.

Profile Management\Folder Redirection (User Configuration)

Lets you specify whether to redirect folders that commonly appear in profiles and specify the redirection target. Specify targets as UNC paths (for server shares or DFS namespaces) or as paths relative to users’ home directory. The home directory is typically configured with the #homeDirectory# attribute in the Active Directory.

If a policy isn’t configured here, Profile Management does not redirect the specified folder.

Note:

  • When you use UNC paths for folder redirection, the #homedirectory# variable is not supported. After you choose the Redirect to the user’s home directory policy, you do not need to specify the path.
  • We recommend using the Users and groups to access redirection target paths policy instead of the Grant administrator permission policy to grant users access to redirection target folders. The Grant administrator permission policy grants members in the Local Administrators group access to the redirection target folders. However, adding users to the Local Administrators group can pose security concerns due to the broad permissions associated with this role.

The Redirect <folder-name> folder policy lets you specify how to redirect the <folder-name> folder. To do so, select Enabled and then type the redirected path.

Caution:

Potential data loss might occur.

You might want to modify the path after the policy takes effect. However, consider potential data loss before you do so. The data contained in the redirected folder might be deleted if the modified path points to the same location as the previous path.

For example, you specify the Contacts path as path1. Later, you change path1 to path2. If path1 and path2 point to the same location, all data contained in the redirected folder is deleted after the policy takes effect.

To avoid potential data loss, complete the following steps:

  1. Apply Microsoft policy to machines where Profile Management is running through Active Directory Group Policy Objects. Detailed steps are as follows:
    1. Open the Group Policy Management Console.
    2. Navigate to Computer Configuration > Administrative Templates > Windows Components > File Explorer.
    3. Enable Verify old and new Folder Redirection targets point to the same share before redirecting.
  2. If applicable, apply hotfixes to machines where Profile Management is running. For details, see https://support.microsoft.com/en-us/help/977229 and https://support.microsoft.com/en-us/help/2799904.