Citrix Profile Management settings
Note:
Some options work only with specific versions of Profile Management. Consult the Profile Management documentation for details.
Workspace Environment Management (WEM) supports all versions of Citrix Profile Management through the current version.
In the console (Configuration Set > Profiles > Profile Management Settings), you can configure all settings for the current version of Citrix Profile Management.
In addition to using WEM to configure Citrix Profile Management features, you can use Active Directory GPOs, Citrix Studio policies, or .ini files on the VDA. We recommend that you use the same method consistently.
Profile Management settings
When enabled, you can configure and apply your settings. Enabling this option creates Profile Management related registries in the user environment. The option controls whether WEM deploys the Profile Management settings you configure in the console to the agent. If disabled, none of the Profile Management settings are deployed to the agent.
By default, most Profile Management settings work only at the machine level. You can enable certain Profile Management settings to work at the user level, so that you can tailor the profile experience for specific users. See User-level Profile Management settings.
You can select tags to filter the profile management settings as needed. Settings associated with the selected tags get displayed and the rest are hidden.
- File-based. Settings that support file-based solution.
- Container-based. Settings that support container-based solution.
- App access control. Settings related to app access control.
When you switch between views, the selected set of tags is saved as part of the administrator preferences for later use.
Quick setup
To quickly set up Profile Management, you can restore your settings from a backup or start with a template.
Restore from backup
Backups containing Profile Management settings are shown. To upload backups containing Profile Management settings, see Back up Profile Management settings.
Select one backup from the list. Click Preview to see the settings and make adjustments as needed. Other types of settings (if any) in the backup are ignored.
Note:
- To restore Profile Management settings, you can also use the back up and restore feature.
- When restoring Profile Management settings from a backup, the SMB shares selected for relevant services to use are also restored.
Start with template
Important:
If you already have Profile Management configured, keep in mind that using a template overwrites all existing settings.
There are two types of user stores based on how profiles are handled:
- File-based. User profiles are fetched from the remote user store to the local computer on logon and written back on logoff.
- Container-based. User profiles are stored in profile containers. Those containers are attached on logon and detached on logoff.
To set up Profile Management quickly for your use case, choose a template.
User-level settings
This feature lets you configure certain Profile Management settings at the user level for customization and precise control. Use this feature to apply specific Profile Management settings to individual users or user groups, tailoring the profile experience as needed.
There are two ways to configure Profile Management settings at the user level:
- Use the Workspace Environment Management web console
- Use the user-level policy setting available with Profile Management
The web console offers a user-friendly, UI-based interface for configuring Profile Management user-level settings.
To configure user-level settings using the web console, complete the following steps.
- On the Profile Management Settings page, click the user-level settings link.
- On the user-level settings page, you can do the following:
- Add configuration.
- Set priority order for groups.
- Toggle between the two views: View by configuration and View by user/group.
Add configuration
To add a configuration, complete the following steps.
- Name your configuration.
- Add individual users or user groups to which you want to apply this configuration.
Note:
Active Directory (AD) and Azure Active Directory (AAD) are supported.
- Add settings that you want to apply to those users.
Note:
- Only settings available to users are shown in the UI.
- You can edit or delete settings as needed.
Each time you add a configuration, it appears in Actions > Group Policy settings > Others. For your user-level settings to take effect, you must enable GPO processing (enable the Process GPOs option in Group Policy Settings).
Set priority order for groups
When a session starts, Profile Management determines which policy settings to apply, by prioritizing user settings over user group settings, and user group settings over machine settings.
You can set the priority order for groups to handle the situation (where a user belongs to multiple groups with conflicting settings) by completing the following steps.
- Select the Enable priority order for groups option.
- Click Add to add groups.
- Arrange the groups in descending order of priority.
Note:
When a user belongs to multiple groups with conflicting settings, the group that appears higher in the list takes precedence.
- On completion, click Save to exit.
View by configuration or user/group
You can toggle between the two views to view the user-level settings categorized by user/group, or by configuration.
Folder redirection
This feature lets you configure rule sets to redirect the paths of local folders to new locations. Each rule set specifies where you want to redirect the folders based on the users accessing them. A rule set mainly includes:
- Redirection rules. Specify which local folders you want to redirect and where to redirect them (such as a network location).
- Assignments. Specify the users to whom you assign the redirection rules.
To add a rule set for a configuration set, follow these steps:
- Go to the Profile Management Settings page of the target configuration set.
- Click the Folder redirection link above the search box.
- On the Folder redirection page that appears, click Add rule set.
- On the Add rule set page that appears, follow these steps to complete the settings:
- On the Redirection rules page, select the folders to redirect, specify the redirection destinations, and then click Next.
- You can redirect a folder to a network location, the user’s home directory (only for certain folders), or the local user profile location.
- By default, the Move contents to new location option is selected, identifying that after you set or modify a redirection target path, contents from the previous path are automatically moved to the new one. To prevent this behavior, clear the option.
- On the Assignments page, select users, groups, or OUs to which you want to assign the redirection rules, and then click Next. Default groups include Everyone and Administrators. To add a group, click Add new target.
- On the Additional settings page, specify the following settings for the rule set, and then click Next:
- Grant access to administrators: Whether to grant the local Administrators group access to the redirection target paths. By default, those paths are accessible exclusively to the profile owner.
- Grant access to specific users and groups: Whether to grant specific users and groups access to the redirection target paths. After selecting this option, click Add user/group to specify the users and groups as needed.
- Include domain name: Whether to include the %userdomain% environment variable as part of the UNC path.
- Set a priority for this rule set by entering a numeric value. Greater numbers indicate higher priority. When multiple rule sets apply to the same target, the one with the higher priority wins.
- Enter a descriptive name for this rule set and review settings. To adjust, click the corresponding step in the left pane.
- Click Done.
Note:
Currently, end users must log on twice for newly deployed rule sets to take effect.
Basic settings
Get started with Profile Management by applying basic settings. Basic settings include processed groups, excluded groups, user store, and more.
Enable Profile Management. Controls whether to enable the Profile Management service on the agent machine. If disabled, the Profile Management service does not work.
You might want to disable Profile Management completely so that settings already deployed to the agent will no longer be processed. To achieve the goal, do the following:
- Clear the Enable Profile Management checkbox and wait for the change to apply automatically or apply the change manually for immediate effect.
Note:
The change takes some time to take effect, depending on the value you specified for SQL Settings Refresh Delay in Advanced Settings. For the change to take effect immediately, refresh agent host settings and then reset Profile Management settings for all related agents. See Administration.
- After the change takes effect, disable Profile Management Settings.
Set processed groups. Lets you specify which groups are processed by Profile Management. Only the specified groups have their Profile Management settings processed. If left empty, all groups are processed.
Set excluded groups. Lets you specify which groups are excluded from Profile Management.
Process logons of local administrators. If enabled, local administrator logons are treated the same as non-administrator logons for Profile Management.
Set path to user store. Lets you specify the path to the user store — the central location for Citrix user profiles. Enter an absolute UNC path or a path relative to the home directory. Example path:
\\<IP address or FQDN>\<user store directory>\%USERNAME%.%USERDOMAIN%\!CTX_OSNAME!!CTX_OSBITNESS!
Migrate user store. Lets you specify the path to the folder where the user settings (registry changes and synchronized files) were saved. Enter the user store path that you previously used. Use this option along with the Set path to user store option.
Enable active write back. If enabled, profiles are written back to the user store during the user session, preventing data loss.
- Enable active write back registry. If enabled, registry entries are written back to the user store during the user session, preventing data loss.
- Enable active write back on session lock and disconnection. If enabled, profile files and folders are written back only when a session is locked or disconnected. With both this option and the Enable active write back registry option enabled, registry entries are written back only when a session is locked or disconnected.
Enable offline profile support. If enabled, profiles are cached locally for use while not connected.
Profile container
Configure profile container settings. Profile containers are VHDX disks stored on the network and attached during logon and detached during logoff.
Enable Profile Container. Lets you add the folders you want to include in the profile container. To put an entire user profile in its profile container, add an asterisk (*) instead. If enabled, Profile Management maps the listed folders to the profile disk stored on the network, thus eliminating the need to save a copy of the folders to the local profile. Specify at least one folder to include in the profile container.
- Enable local caching for profile container. If enabled, each local profile serves as a local cache of its profile container. This option requires you to put an entire user profile in its profile container.
- Log off users when profile container is not available during logon. Lets you specify whether to force users to log off when the profile container is unavailable during user logon. Enabling this option displays a notification message to users and logs them off after they click OK.
Enable folder exclusions. If enabled, Profile Management excludes the listed folders from the profile container. Specify at least one folder to exclude from the profile container.
Enable file exclusions. If enabled, Profile Management excludes the listed files from the profile container. Specify at least one file to exclude from the profile container.
Enable folder inclusions. If enabled, Profile Management keeps the listed folders in the profile container when their parent folders are excluded. Folders on this list must be subfolders of the excluded folders. This means that you must use this option with the Enable folder exclusions option. Specify at least one folder to include in the profile container.
Enable file inclusions. If enabled, Profile Management keeps the listed files in the profile container when their parent folders are excluded. Files on this list must be contained in the excluded folders. This means that you must use this option with the Enable folder exclusions option. Specify at least one file to include in the profile container.
TIP:
When adding files or folders, you can use wildcards. For more information, see Wildcard support.
When adding profile container content, exclusions, and inclusions, you can add them individually and in bulk. When adding them in bulk, enter paths separated by line breaks. After that, click Run validation to validate items you are about to add. Only valid items can be added. Invalid items are skipped.
Also, you can have a hierarchical view of the profile container content, exclusions, and inclusions. To do that, click View hierarchy.
Enable VHD auto-expansion for profile container. If enabled, when the profile container reaches 90% utilization, it automatically expands by 10 GB, with a maximum capacity of 80 GB. Depending on your needs, you can adjust the default auto-expansion settings using the following options:
- Auto-expansion trigger threshold (%). Lets you specify the utilization percentage of storage capacity at which the profile container triggers auto-expansion.
- Auto-expansion increment (GB). Lets you specify the amount of storage capacity (in GB) by which the profile container automatically expands when auto-expansion is triggered.
- Auto-expansion limit (GB). Lets you specify the maximum storage capacity (in GB) to which the profile container can automatically expand when auto-expansion is triggered.
Set users and groups to access profile container. Lets you specify which AD domain users and groups have Read & Execute permission on profile containers. By default, a profile container is accessible only to its owner.
Profile handling
Specify how Profile Management handles user profiles.
Delete locally cached profiles on logoff. If enabled, locally cached profiles are deleted when the user logs off.
- Set delay before deleting cached profiles. Lets you specify a delay (in seconds) before cached profiles are deleted on logoff. Supported values: 0–600.
Enable migration of existing profiles. If enabled, existing Windows profiles are migrated to Profile Management on logon. Specify the type of user profiles to migrate if the user store is empty. Types include:
- Local and roaming
- Local
- Roaming
Automatic migration of existing application profiles. If enabled, existing application profiles are migrated automatically. Profile Management performs the migration when a user logs on and when there are no user profiles in the user store.
Enable local profile conflict handling. Configures how WEM handles cases where Profile Management and Windows profiles conflict. Specify what to do if both a local Windows user profile and a Citrix user profile exist in the user store:
- Use local profile
- Delete local profile
- Rename local profile
Enable template profile. Lets you enter a template profile path. If enabled, Profile Management uses the specified template profile. You can configure additional settings as follows:
- Template profile overrides local profile. If enabled, the template profile overrides local profiles.
- Template profile overrides roaming profile. If enabled, the template profile overrides roaming profiles.
- Use template profile as Citrix mandatory profile for all logons. If enabled, the template profile overrides all other profiles.
Advanced settings
Control the advanced configuration of Profile Management.
Applications
Enable search index roaming for Microsoft Outlook users. If enabled, the user-specific Microsoft Outlook offline folder file (*.ost) and Microsoft search database are roamed along with the user profile. This feature improves the user experience when searching mail in Microsoft Outlook.
- Outlook search index database – backup and restore. If enabled, Profile Management automatically saves a backup of the last known good copy of the search index database. When there is a corruption, Profile Management reverts to that copy. As a result, you no longer must manually reindex the database when the search index database becomes corrupted.
- Enable concurrent session support. Provides native Outlook search experience in concurrent sessions. If enabled, each concurrent session uses a separate Outlook OST file.
- Maximum number of VHDX disks for storing Outlook OST files. Lets you specify the maximum number of VHDX disks for storing Outlook OST files. If unspecified, only two VHDX disks can be used to store Outlook OST files (one file per disk). If more sessions start, their Outlook OST files are stored in the local user profile. Supported values: 1–10.
Enable OneDrive container. If enabled, Profile Management roams OneDrive folders with users by storing the folders on a VHDX disk. The disk is attached during logons and detached during logoffs.
Enable UWP app roaming. If enabled, UWP (Universal Windows Platform) apps roam with users. As a result, users can access the same UWP apps from different devices.
Enable UWP app load acceleration. Lets you accelerate the loading of UWP apps and improve their consistency in non-persistent environments. By default, Windows stores UWP App registration information locally on each machine, which can be lost upon restart in non-persistent environments. With this policy enabled, Profile Management creates a VHDX container for each machine to store the UWP app registration data, speeding up user logon and preventing data loss on restarts.
Enable use of application definition files. Lets you enter the path to the definition files. If enabled, only the settings included in the definition file are synchronized. Specify a folder where the Citrix virtual apps optimization definition files are located. For more information about creating definition files, see Create a definition file.
VHD settings
Default capacity of VHD containers (GB). Lets you specify the default storage capacity (in GB) of each VHD container.
Customize storage path for VHDX files. Lets you specify a separate path to store VHDX files. By default, VHDX files are stored in the user store. Policies that use VHDX files include the following: Profile container, Search index roaming for Outlook, and Accelerate folder mirroring. If enabled, VHDX files of different policies are stored in different folders under the storage path.
Enable VHD disk compaction. If enabled, VHD disks are automatically compacted on user logoff when certain conditions are met. This policy enables you to save the storage space consumed by the profile container, OneDrive container, and mirror folder container. Depending on your needs and the resources available, you can adjust the default VHD compaction settings and behavior using the Disable defragmentation for VHD disk compaction, Set free space ratio to trigger VHD disk compaction, and Set number of logoffs to trigger VHD disk compaction options in Advanced settings.
- Set freeable space ratio to trigger VHD disk compaction. Applicable when Enable VHD disk compaction is enabled. Lets you specify the freeable space ratio to trigger VHD disk compaction. When the freeable space ratio exceeds the specified value on user logoff, disk compaction is triggered.
Freeable space ratio = (current VHD file size – required minimum VHD file size*) ÷ current VHD file size
* Obtained using the GetSupportedSize method of the MSFT_Partition class from the Microsoft Windows operating system.
- Disable defragmentation for VHD disk compaction. Applicable when Enable VHD disk compaction is enabled. Lets you specify whether to disable file defragmentation for VHD disk compaction.
- Set number of logoffs to trigger VHD disk compaction. Applicable when Enable VHD disk compaction is enabled. Lets you specify the number of user logoffs to trigger VHD disk compaction. When the number of logoffs since the last compaction reaches the specified value, the disk compaction is triggered again.
Enable exclusive access to profile container. If enabled, the profile container allows one access at a time.
Enable exclusive access to OneDrive container. If enabled, the OneDrive container allows one access at a time.
User store
Set number of retries when accessing locked files. Configures the number of times the WEM agent retries accessing locked files. Supported values: 0–100.
Replicate user stores. If enabled, Profile Management replicates a user store to multiple paths on each logoff, in addition to the path that the Set path to user store option specifies. To synchronize files and folders modified during a session to the user stores, enable active write-back. Enabling the option can increase system I/O and might prolong logoffs.
By default, when multiple user stores are available, Profile Management selects the store with the latest profile data. If more than one store has the latest profile, Profile Management selects the one configured earliest. With the User store selection method option, you can now enable Profile Management to select the store with the best access performance.
When you enable the Replicate user store policy for the container-based profile solution, the Enable in-session profile container failover among user stores policy is automatically enabled to ensure profile redundancy for the entire session. With this policy enabled, if Profile Management loses connection to the active profile container during a session, it automatically switches to another available one. If you disable this policy, profile container failover occurs only at user logon.
Note:
Enabling this policy requires that only the profile container is enabled in your deployment. If any other container, such as OneDrive, UWP, Outlook, folder mirroring, or Profile streaming for pending area, is enabled, this policy doesn’t take effect.
Enable credential-based access to user store. If disabled, Profile Management impersonates the current user to access user stores. Thus, make sure that the current user can directly access the user stores. If enabled, Profile Management accesses the user stores on behalf of the user through the connections configured for relevant services in Advanced Settings > File Shares > SMB shares. (When needed, Profile Management accesses the selected SMB shares that host the user stores.) Enabling this setting lets you put user stores in file shares (for example, Azure Files) that the current user has no permission to access. When using this option, consider the following:
- To add SMB shares hosting your user stores, go to Advanced Settings > File Shares > SMB shares.
- SMB shares you select in File Shares for relevant services appear here. Profile Management accesses the selected SMB shares as needed.
IMPORTANT:
Disabling this setting deletes all user store connections that the WEM agent previously established.
- When adding or editing credentials, complete the following fields:
- Server share. Enter a UNC path that specifies a server share.
- User name. Enter the name in the form domain\username.
- Password. Enter the password to be used to access the server share.
- Show password. Control whether to show or hide the password.
Other options
Disable automatic configuration. If enabled, dynamic configuration is disabled.
Enable asynchronous processing for user Group Policy on logon. If enabled, Profile Management roams with users a registry value that Windows uses to determine the processing mode for the next user logon — synchronous or asynchronous processing mode. If the registry value does not exist, synchronous mode is applied. Enabling the option ensures that the actual processing mode is applied each time users log on. If disabled, asynchronous mode can’t be applied as expected if users:
- Log on to different machines.
- Log on to the same machine where the Delete locally cached profiles on logoff option is enabled.
Process Internet cookie files on logoff. If enabled, stale cookies are deleted on logoff.
Alert user when profile size exceeds quota. If enabled, users receive a notification message when their profile size exceeds a quota. With this feature, you can customize the quota limit and the notification content based on the default settings. The supported quota range is 0–100,000 MB.
Log off user if problems occur. If enabled, users are logged off rather than switched to a temporary profile if a problem occurs.
Join the Citrix Customer Experience Improvement Program. If enabled, Profile Management uses the Customer Experience Improvement Program (CEIP) to help improve the quality and performance of Citrix products by collecting anonymous statistics and usage information. For more information on the CEIP, see About the Citrix Customer Experience Improvement Program (CEIP).
File deduplication
Specify files that you want to include in the shared store for deduplication.
Identical files can exist among various user profiles. Separating those files from the user store and storing them in a central location saves storage space by avoiding duplicates.
You can specify files that you want to include in the shared store on the server hosting the user store. Specify the file names with paths relative to the user profile.
Enable file deduplication. If enabled, Profile Management generates the shared store automatically. It then centrally stores the specified files in the shared store rather than in each user profile in the user store. Doing so reduces the load on the user store by avoiding file duplication, thus reducing your storage cost.
Tip:
When adding files or folders, you can use wildcards. For more information, see Wildcard support.
When adding inclusions and exclusions, you can add them individually and in bulk. When adding them in bulk, enter paths separated by commas or line breaks. After that, click Run validation to validate items you are about to add. Only valid items can be added. Invalid items are skipped.
By default, Profile Management deduplicates files from profile containers only when those files are larger than 256 MB. If necessary, you can increase this threshold size by providing a larger value for Deduplicate files this size or larger (MB).
Enable file exclusions. If enabled, Profile Management excludes the specified files from the shared store. This option is available only after you enable the Enable file deduplication option. Specify at least one file to exclude from the shared store.
Streamed user profiles
Specify how Profile Management processes streamed user profiles.
Enable profile streaming. If disabled, none of the settings in this section are processed.
- Enable profile streaming for folders. If enabled, folders are fetched only when they are being accessed, thus eliminating the need to traverse all folders during logon. This saves bandwidth and reduces the time to synchronize files.
Always cache. If enabled, files of the specified size (in MB) or larger are always cached. Supported values: 0–20,000.
Set timeout for files in pending area when user store remains locked. Lets you specify the number of days after which user’s files are written back to the user store from the pending area when the user store remains locked. Supported values: 1–30.
Set streamed user profile groups. Lets you add user groups for which streamed profiles are used.
Set excluded folders. If enabled, Profile Management does not stream folders in this list, and all the folders are fetched immediately from the user store to the local machine when users log on.
Enable profile streaming for pending area. If enabled, files in the pending area are fetched to the local profile only when they are requested. This ensures optimum logon experience in concurrent session scenarios. The pending area is used to ensure profile consistency while profile streaming is enabled. It temporarily stores profile files and folders changed in concurrent sessions. By default, this option is disabled. All files and folders in the pending area are fetched to the local profile during logon.
Log settings
Configure Profile Management logging.
Enable logging. Enables or disables logging of Profile Management operations.
Include more information in the logs. Lets you specify more information (or types of events) in the logs, including:
- Common warnings
- Common information
- File system notifications
- File system actions
- Registry actions
- Registry differences on logoff
- Active Directory actions
- Policy values on logon and logoff
- Logon
- Logoff
- Personalized user information
Set maximum size of the log file. Lets you specify a maximum allowed size for the Profile Management log file. If the log file grows beyond the maximum size, its backup (.bak) is deleted, the log file is renamed to .bak, and a new log file is created. Supported values: 1–100.
Set path to log file. Lets you specify the location where the log file is created.
Registry
Specify which registry keys are included or excluded from Profile Management processing.
NTUSER.DAT backup. If enabled, Profile Management maintains a last known good backup of the NTUSER.DAT file. If Profile Management detects corruption, it uses the last known good backup copy to recover the profile.
Enable default registry exclusions. Provides a default list of registry keys in the HKCU hive that are not synchronized to the user profile. If enabled, registry settings that are selected in this list are forcibly excluded from Profile Management profiles.
Enable registry exclusions. If enabled, registry settings you add are forcibly excluded from Profile Management profiles.
Enable registry inclusions. If enabled, registry settings you add are forcibly included in Profile Management profiles.
App access control
Add rules to control end user access to applications or to enforce redirections for files, folders, registry values, and keys:
- Select the App access control category next to the Search box.
- Select Enable app access control.
- Click Add rules to add rules.
- When adding rules, you can browse to a .rule file generated using WEM Tool Hub > Rule Generator for App Access Control or paste data from the clipboard. After adding rules, click Manage to view, edit, or update the rules. When viewing rules, you can switch between category view and raw data view.
There are two ways you can create rules:
- GUI-based tool - WEM Tool Hub > Rule Generator for App Access Control
- PowerShell tool – available with the Profile Management installation package
Example: Suppose you need to provide applications (App1, App2, App3, and App4) in desktops assigned to users from three departments: HR, Sales, and R&D.
- Only users from the HR department can access App1.
- Only users from the Sales department can access App2.
- Only users from the R&D department can access App3.
- All users can access App4.
To achieve the goal, you can deploy rules using just one image. The image contains applications App1, App2, App3, and App4. You then set up application rules as follows:
- Create a rule for App1. Add objects associated with App1 and users from the Sales and R&D departments.
- Create a rule for App2. Add objects associated with App2 and users from the HR and R&D departments.
- Create a rule for App3. Add objects associated with App3 and users from the HR and Sales departments.
Wildcard support
When adding files or folders, you can use wildcards. Wildcards in file names are applied recursively while wildcards in folder names are not. You can use the vertical bar (|) to restrict the policy only to the current folder so that the policy does not apply to its subfolders.
Examples:
- AppData\*.tmp excludes all files with the extension .tmp in the folder AppData and its subfolders.
- AppData\*.tmp| excludes all files with the extension .tmp in the folder AppData.
- Downloads\*\a.txt excludes a.txt in any immediate subfolder of the Downloads folder. Remember: wildcards in folder names are not applied recursively.
- Downloads\* excludes all immediate subfolders of the Downloads folder.
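The wildcard rules above, modelled as a small matcher for previewing which profile-relative file paths an exclusion or inclusion entry would cover before you deploy it. This is an added example, not Citrix code: the function names and sample paths are constructed, only the asterisk is treated as a wildcard, and it handles file entries only (a folder entry such as Downloads\* is out of scope).

```python
import re

# Constructed profile-relative paths used to preview the entries below.
SAMPLE_PATHS = [
    r"AppData\cache.tmp",
    r"AppData\Local\Temp\x.tmp",
    r"AppData\Roaming\app\settings.json",
    r"Downloads\a.txt",
    r"Downloads\invoices\a.txt",
    r"Downloads\invoices\2024\a.txt",
]


def _split(path):
    """Split a profile-relative Windows path into lower-cased components."""
    return [part.lower() for part in path.replace("/", "\\").split("\\") if part]


def _component_matches(pattern, component):
    """Match one path component; only '*' is treated as a wildcard here."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, component) is not None


def file_entry_matches(entry, rel_path):
    """Return True if a file entry covers rel_path.

    Models the rules stated on this page:
      * a wildcard in the file name is applied recursively (subfolders too);
      * a wildcard in a folder name matches exactly one folder level;
      * a trailing '|' restricts the entry to the named folder only.
    """
    current_folder_only = entry.endswith("|")
    parts = _split(entry.rstrip("|"))
    target = _split(rel_path)
    if not parts or not target:
        return False

    folder_patterns, name_pattern = parts[:-1], parts[-1]
    folders, name = target[:-1], target[-1]

    # Folder components are compared one level at a time, never recursively.
    if len(folders) < len(folder_patterns):
        return False
    for pattern, folder in zip(folder_patterns, folders):
        if not _component_matches(pattern, folder):
            return False

    # Deeper files are covered only by a wildcard file name without '|'.
    extra_depth = len(folders) - len(folder_patterns)
    recursive = "*" in name_pattern and not current_folder_only
    if extra_depth and not recursive:
        return False
    return _component_matches(name_pattern, name)


def preview(entries, paths):
    """Map each entry to the paths it would cover."""
    return {e: [p for p in paths if file_entry_matches(e, p)] for e in entries}


if __name__ == "__main__":
    entries = [r"AppData\*.tmp", r"AppData\*.tmp|", r"Downloads\*\a.txt"]
    for entry, covered in preview(entries, SAMPLE_PATHS).items():
        print(f"{entry:22} -> {covered}")
```

Running it against a listing of a real profile shows at a glance whether an entry reaches further into subfolders than intended, or misses files one level deeper.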