User’s profile contains user’s personal settings and application settings which are loaded / applied every time the user logs on to Citrix. Therefore, we want to make sure that the profile is loaded correctly, maintained and optimized for best logon and logoff experience and users personalized settings saved in the profile irrespective of the server where user’s sessions will be established. Profile Management is needed when we want to provide this experience. There are two main profile management solutions which can be used when it comes to Citrix. First is Citrix Profile Management and Second one is Microsoft FSlogix. As we all know Microsoft acquired FSLogix, is a profile management solution works best when you are dealing with non-persistent windows environments. Its a Profile Container where profile data is stored in a file with extension vhd or vhdx. Citrix Profile Management also have Profile Container option but FSLogix seems to work better. This post is not about review or comparison between FSLogix and Citrix profile management but to show you how to set it up from scratch. However, I prefer to use FSLogix and deployed it few times which worked fine so far.
When I am setting up either Citrix Profile management or FSLogix Profile Containers I will be Re-directing few profile folders like downloads, desktop, documents to a file share to reduce the data stored in the profile. If the users are on office365 then you can use One drive for re-directing Documents, Desktop and Pictures.
Post Contents
Steps
- Setup Folder Redirection
- Setup Citrix User Profile Management or Microsoft’s FSLogix (out of the two choose one Profile Management Solution and configure it as per the steps provided in this post)
Infrastructure
I am using a single domain controller which is also a file server and 2 X Citrix VDA Servers for my demo / Implementation.
Folder Redirection Setup
A Network Folder Share and access to the Group Policies console will be require to set up the folder redirection. First create Network Share folder, then configure share permissions and NTFS Permissions on this folder.
Folder Redirection is two step process >>
- Create Network Share and configure share permissions and NTFS Permissions.
- Configure Group Policy and apply it to the users.
Create Network Share and configure Share and NTFS Permissions
- Create a New Folder in Data Drive
- Name the Folder for example: ctx_redirectedfolders (or any folder name suitable)
- Right Click the Folder and click Properties
- Go to Sharing Tab -> Advanced Sharing
- Share the Folder and then click on Permissions button
- Provide Everyone Full Control Share Permissions. Click OK to Save.
- Click on Caching button.
- Select the option to disable shared Folder availability Offline. Click on OK to save.
- Once the permissions are assigned and Caching option is configured. You can see that the Folder is shared and it will now show the UNC Path of the Shared Folder.
- Next We need to configure the NTFS Permissions of Shared Folder. Click on Security Tab and then Click on Advanced Button.
- Disable Folder Inheritance and Select the option highlighted to convert Inherited permissions to explicit permissions.
- Now Click on Add button to add the permissions.
- Click Select a principal and Select Everyone and Click OK. I have used Everyone group in my demo but you can also use yourdomainname\users (e.g. corp.techpress.net\users)
- Make Sure Applies to is “This Folder Only” so that Users are not getting permission on Other users redirected folders.
- Configure the NTFS permissions as shown in the screenshot
- Make Sure you are able to access the folder using UNC Path
| Re-direct Desktop, Documents and Downloads to the network share using Folder Redirection Policy. If you want to re-direct Appdata folder as well, then test all the applications once its setup as appdata re-direction tend to cause issues with Applications like slowness or other errors. I have not included appdata folder re-direction in my setup and kept this folder in the user profile. |
Configure Group Policy for Folder Redirection
- Open Group Policy management console on the domain Controller
- Right Click on Group Policy Objects and Click New to Create a New Group Policy Object
- Name the GPO e.g. Citrix – Folder Redirection and click OK to Create.
- Right Click on Citrix – Folder Redirection GPO and Click on Edit to configure the Group Policy Settings
- Once you are in the Group Policy Editor, Expand the User Configuration section -> Policies -> Windows Settings ->Folder Redirection. We will Configure Folder Redirection for Desktop,Documents, Downloads, Start menu, Music, Videos, Pictures Folder. Do not re-direct the AppData folder as it may cause application slowness or issues with applications.
- Configuration of Desktop Folder Redirection
- Start menu redirection. Configure Music, Videos and Pictures Folder same as Start Menu Folder Redirection
- Configuration of Documents Folder Redirection
- Configuration of Downloads folder redirection
- In the Same Group Policy, Configure Loopback Processing Mode to Merge as shown in the screenshot
Folder re-direction is setup now, Next choose one of the below profile management solution which you want to configure. The Instructions for Configuration of both the Profile Management Solutions is given in this post. FSLogix Requires an Agent to be Installed on each VDA Server and Configuration via Registry Editor or by using Group Policies. Citrix UPM is also setup using Group Policies but depends on Citrix Profile Management Service which is installed when we install Citrix Virtual Delivery agent on the Server, it should be running on all Citrix VDA Servers for Citrix Profile Management to work.
Citrix User Profile Configuration using FSLogix
FSLogix Installation and Configuration
Lets setup FSlogix Profile Container where the user profiles will be stored. This will be again a Network Share Folder on a File Server where the profiles will be stored in vhd/vhdx file. You can create the user profile folder and assign share and NTFS Permissions as we did earlier. Refer to the Folder Redirection section for setting up a shared folder. Once the folder is created, note down the shared folder UNC path required for configuration.
I have created a folder name fslogix_ctx_profiles for storing the user profiles and configured the permissions same as ctx_redirectedfolders. Make sure the folder is accessible using the UNC Path (using \\ notation).
Download FSLogix Agent and Install it on each Citrix VDA / Session Host Server
Download the FSLogix Agent: https://aka.ms/fslogix_download and follow below screenshots for installing the agent. This agent needs to be installed on each Citrix VDA server.
Configure FSLogix
We need to create the registry settings on each VDA to setup fslogix profile containers. For full list of registry entries you can visit the link Profile Container Registry Configuration Settings. You can create the registry settings manually or configure these settings via the Group Policy Administrative templates.
I have used only subset of the registry entries for the configuration of FSLogix. Below are the registry entries i created under registry path: HKLM\SOFTWARE\FSLogix\Profiles (create Profiles Key if it does not exist)
VHDLocations and Enabled Registry Entries are the minimum required settings for FSLogix to work.
- Create a MULTI_SZ or REG_SZ name VHDLocations. MULTI_SZ is used if you have more than one path to search for the user profiles. For Simplicity i have created a REG_SZ registry entry VHDLocations set the path \\tp-dc1\fslogix_ctx_profiles. This folder will store user’s profile in VHD/VHDX file.
- Create DWORD Registry Entry Enabled and set its value to 1. This will enable Profile Containers.
Additional registry entries are created for optimizing fslogix e.g. User Profile Container File Extension, Maximum Size of the Profile Container settings along with Dynamic disk as explained below:
- VolumeType registy entry (REG_SZ) and set its value to vhdx. This will make sure that the profile containers are created in vhdx file extension. VHDX disk is more optimized than VHD. For more information on the VHDX Files, you can read the link VHDX Overview
- DeleteLocalProfileWhenVHDShouldApply registry entry is a REG_DWORD type, set its value to 1. This will permanently delete the local profile on the Citrix VDA’s if it exists for the user and use the fslogix profile.
- SizeInMBs registry entry is a REG_DWORD type, set its value to a number which will be accepted as MBs. The Default value is 30000 (30GB), When you set the value here, it will become the size of VHDX File. This is the maximum allowed size of the user profile. Once the limit is crossed, user may experience issues / errors during logon.
- IsDynamic registry entry is a REG_DWORD type, set its value to 1 to make sure that the VHDX file is not allocated with space set in SizeinMBs in one go. If IsDynamic is set to 1 then the FSLogix user profile will use minimum space required on the disk and can grow upto the value set in SizeinMBs.
- FlipFlopProfileDirectoryName registry entry is a REG_DWORD type, set its value to 1. When set to ‘1’ the SID folder is created as “%username%%sid%” instead of the default “%sid%%username%”. This setting has the same effect as setting SIDDirNamePattern = “%username%%sid%” and SIDDirNameMatch = “%username%%sid%”.
For making it quicker for you to configure these settings in registry, I have exported the reg file from my demo setup. You can download below registry file content, save it to a text file and change the file extension from txt to reg, copy the file on the Citrix VDA servers and double click on this reg file to import the registry entries. Once the registry entries are imported, you can update the VHDLocations path and Other settings as per the requirement. You can also configure the settings via Group Policy and target it to the Citrix servers (only session hosts / vda servers) so that you do not have to make the changes manually and also to make sure if a new server is added to the Citrix Pool, it will get the registry settings automatically configured when group policy will be applied (don’t forget to install the FSLogix Agent on the new Citrix VDA Server, this step can also be automated using Group Policy)
| FSLogix_Reg_Keys_File.txt |
|---|
| Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\FSLogix\Profiles] “VHDLocations”=”\\\\tp-dc1\\fslogix_ctx_profiles” “VolumeType”=”vhdx” “Enabled”=dword:00000001 “DeleteLocalProfileWhenVHDShouldApply”=dword:00000001 “SizeInMBs”=dword:00030000 “IsDynamic”=dword:00000001 “FlipFlopProfileDirectoryName”=dword:00000001 |
Below screenshot shows the FSLogix Registry Entries
Exclude Users from FSLogix
By default when you install FSLogix Agent on the server, four local groups are automatically created on the server. To locate the groups, Click on Start -> Type Run -> Type compmgmt.msc -> System Tools -> Local Users and Computers -> Groups.
By default Everyone is added to the FSLogix Profile Include List and FSLogix ODFC Include List Group. You can add users / AD Security groups to FSLogix Profile Exclude List and FSLogix ODFC Exclude list to exclude users from fslogix / to not have fslogix settings applied. (If you want to manage the Office container separately, then add the users to FSLogix ODFC exclude group only. Office containers store Microsoft Office specific settings).
Below Screenshot shows the FSLogix Groups Created on Citrix VDA Server.
FSLogix Profile Container
Now after you have setup the Folder Redirection and FSLogix Profile Container, Once the user will login on Citrix, user’s profile folder will be created with file extension vhdx in fslogix_ctx_profiles as shown in below screenshot. As we also applied the Folder Redirection Policy, you can find the Folders Desktop, Documents and Downloads re-directed to the network share ctx_RedirectedFolders as shown in below screenshot.
Citrix User Profile Management (UPM) Configuration
For Setting up citrix user profile management, there are three things required. First make sure Citrix Profile Management Service is running on each VDA, Second is a network share where the users profile will be stored and Third is to Enable Citrix Profile Management via Group Policy or Citrix Policies. (I will be using Group Policy Configuration to enable / configure Citrix UPM). For Configuration of the Profile Management settings, you may have to import the ADMX and ADML (Group Policy Administrative Templates) files for profile Management in Group Policy. You can find administrative template in the Citrix Installation ISO -> \x64\ProfileManagement\ADM_Templates\en.
Copy ctxprofile7.15.4000.admx and ctxprofile7.15.4000.adml (the file name could be different in your case depending upon the version of citrix virtual apps and desktops you are using) and paste it in C:\windows\PolicyDefinitions\ and C:\windows\PolicyDefinitions\en-US path respectively. If you are using a central GPO Store then copy it to Central GPO Store PolicyDefinitions folder
Citrix Profile Management ADMX File Location
Citrix Profile Management Service on VDA
Create Network Share on File Server (User Store)
When We setup Folder Redirection earlier in this post, we created a network share and configured share permissions and NTFS permissions. Please check the section for creating a network share, you can name the folder anything you like e.g. ctx_upm_profiles. Note down the UNC path of the user store for configuring it in GPO.
Configure Citrix UPM using Group Policy
Citrix UPM settings are computer configuration based settings so a restart of VDA servers may be needed to get the policy affected.
- Login to the Domain Controller and open group policy management console (gpmc.msc)
- Create a new Group Policy or use the existing one, I have use the same group policy which i had created earlier for folder redirection called citrix – folderredirection to enable citrix profile management.
- All the settings will be configured under below Group Policy Path Computer Configuration | Policies | Administrative Templates | Profile Management
- There are some settings which are minimum required settings to enable Citrix Profile Management e.g. Enable Profile Management and Path to User Store and other settings which are configured as best practices. Below table shows each setting which i have configured in my setup.
| Profile Setting | Path of the Setting | Value |
|---|---|---|
| Enable Profile Management | …\Profile Management\ | Enabled |
| Path to User Store | …\Profile Management\ | \\<server>\ctx_upm_profiles\#SAMAccountName# |
| Customer Experience Improvement Program | …\Profile Management\ | Disabled |
| Process logons of local administrators | …\Profile Management\ | Disabled (It helps when troubleshooting because, if Profile Management is misconfigured and prevents user logons, you are still able to log on as an administrator.) |
| Enable Logging | …Profile Management\Log Settings | Enabled |
| Maximum size of Log File | …Profile Management\Log Settings | Enabled Maximum Size in bytes: 10485760 (10 MB) |
| Path to Log File | …Profile Management\Log Settings | C:\ctx_upm_logs |
| Local Profile Conflict Handling | …Profile Management\Profile Handling | Enabled if both a local Windows user profile and a Citrix user profile in the user store both exist: Delete Local Profile or Rename Local profile according to your preference. |
| Migration of Existing Profiles | …Profile Management\Profile Handling | Enabled Types of user profiles to be migrated if the user store is empty: Roaming and Local |
| Delete locally cached profiles on logoff | …Profile Management\Profile Handling | Enabled |
| Profile streaming | …Profile Management\Streamed User Profiles | Enabled |
| Profile Streaming Exclusion list | …Profile Management\Streamed User Profiles | Enabled List of directories to exclude from profile Streaming: List1 |
| Exclusion list- Files | …Profile Management\File system | Enabled List of files to Exclude: !ctx_localappdata!\Microsoft\Windows\UsrClass.dat* |
| Directories to synchronize | …Profile Management\File system\Synchronization | Enabled List of directories to synchronize: AppData\Local\Microsoft\Credentials Appdata\Roaming\Microsoft\Credentials Appdata\Roaming\Microsoft\Crypto Appdata\Roaming\Microsoft\Protect Appdata\Roaming\Microsoft\SystemCertificates |
| Files to Synchronize | …Profile Management\File system\Synchronization | Enabled List 2 (Files to Synchronize) |
| List1 (List of directories to exclude from profile Streaming) |
|---|
| Exclusion list-directories [These are part of Default Exclusions from UPM 5.3 onwards] !ctx_internetcache! AppData\Local\Google\Chrome\User Data\Default\Cache AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images AppData\Local\Google\Chrome\User Data\Default\JumpListIcons AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld AppData\Local\GroupPolicy AppData\Local\Microsoft\AppV AppData\Local\Microsoft\Messenger AppData\Local\Microsoft\Office\15.0\Lync\Tracing AppData\Local\Microsoft\OneNote AppData\Local\Microsoft\Terminal Server Client AppData\Local\Microsoft\UEV AppData\Local\Microsoft\Windows Live AppData\Local\Microsoft\Windows Live Contacts AppData\Local\Microsoft\Windows\Application Shortcuts AppData\Local\Microsoft\Windows\Burn AppData\Local\Microsoft\Windows\CD Burning AppData\Local\Microsoft\Windows\Notifications AppData\Local\Packages AppData\Local\Sun AppData\Local\Windows Live !ctx_localsettings!\Temp AppData\Roaming\Microsoft\AppV\Client\Catalog AppData\Roaming\Sun\Java\Deployment\cache AppData\Roaming\Sun\Java\Deployment\log AppData\Roaming\Sun\Java\Deployment\tmp $Recycle.Bin AppData\LocalLow Tracing new path for Temporary Internet Files in Windows 8 and later AppData\Local\Microsoft\Windows\INetCache If running Office 365 with Shared Computer Activation, then exclude !ctx_localappdata!\Microsoft\Office\15.0\Licensing !ctx_localappdata!\Microsoft\Office\16.0\Licensing |
| List 2 (Files to Synchronize) |
|---|
| AppData\LocalLow\Sun\Java\Deployment\security\exception.sites AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs AppData\LocalLow\Sun\Java\Deployment\deployment.properties AppData\Local\Google\Chrome\User Data\First Run AppData\Local\Google\Chrome\User Data\Local State AppData\Local\Google\Chrome\User Data\Default\Bookmarks AppData\Local\Google\Chrome\User Data\Default\Favicons AppData\Local\Google\Chrome\User Data\Default\History AppData\Local\Google\Chrome\User Data\Default\Preferences |
As the GPO settings are computer based, when applied to Citrix VDA Servers it will created the registry entries in below registry path on each Citrix VDA Server. Make sure you can see the registry entries and values as you have configured in the GPO. If you do not see the registry entries, it could be that the GPO is not getting applied or not configured correctly.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\UserProfileManager\
Citrix Profile Folder
Once the user logs on to Citrix, A Citrix UPM profile folder using user’s samAccountname is created as shown in below screenshot:
External References
User Profile Best Practices for XenApp
https://support.citrix.com/article/CTX120285
Citrix Profile Management Recommended Exclusions and Inclusions
https://support.citrix.com/article/CTX230538
How to Synchronize Profile Efficiently
https://support.citrix.com/article/CTX224498
