Citrix User Profile Management (UPM) deployment

One of the key features behind a good user experience in application provisioning or VDI environments is profile management. Whenever users log on to their virtual desktops or provisioned applications, they expect to see things as they left them – that starts with desktop personalization, regional settings and wallpaper, and ends with complex application-specific settings such as AutoCAD or Catia preferences, shortcuts or hot-keys. Depending on the type of infrastructure delivered, profile management may be simple, but it may also become complex and challenging for IT.

Unfortunately, some things cannot be achieved with Windows Roaming Profiles. An example from my experience is Microsoft Outlook, which holds user settings (like signature, font styles, views, etc.) in the user’s AppData/Local folder, which is not synchronized by default (and we don’t want all of its content, which can be done in registry). Luckily, Citrix engineers gave us an option to specify folders / files to synchronize across the whole user profile directory. Below you can find a list of Citrix UPM benefits.

Consistent Experience: Increases user satisfaction and improves productivity

  • Reliable roaming experience: Ensures that personal settings, documents, shortcuts, templates, desktop wallpapers, cookies and favorites always follow the user across different Windows environments on any device.
  • Faster logon times: Provides the ability to control and reduce the profile size, which improves the logon times.

Better Management: Reduces administrative burden

  • Inclusion by default: By default all settings are captured, reducing the amount of time and effort spent in identifying what should be captured in a profile.  Administrators only need to focus on the items to be excluded from a profile, such as conflicting settings, files or folders that bloat the profile.
  • Profile size control: Enables administrators to only include specific files and folders or exclude unnecessary ones that account for tens or hundreds of megabytes, minimizing the amount of data being managed and stored in the profile and decreasing network overhead.
  • Robust profiles: Automatically detects and stores all modified profile settings in the registry and file system and can be configured to capture any kind of registry and file system modification within the profile. Prevents the unintentional overwriting of user profiles by using built-in logic to determine which data should be kept.
  • Extended synchronization: Allows administrators to synchronize files and folders for poor-performing applications that do not store user-related content within the user profile but somewhere on the device hard disk.
  • Detailed reports: Logs detailed information on all actions being performed in an easy to read and understandable format, simplifying the troubleshooting and analysis process.
  • Easy to implement and simple to maintain: Enables administrators to automatically migrate existing user settings and choose at a granular level which profile information to keep or discard. It runs as a system service, and does not require any additional servers, services, or databases or changes to logon scripts.

I allowed myself to mark some of the key features with green color. Having that knowledge and complete understanding of UPM advantages / disadvantages over Windows Roaming Profiles, we can start UPM installation and configuration.

Citrix UPM Installation

First of all, you should obtain the latest version of Citrix UPM (at the moment it’s 5.2.1, which is available under the following URL – Citrix UPM Download). Inside the downloaded package, locate the *.msi packages and install the appropriate version (x64 or x86) on your XenApp servers / XenDesktop images.

In the same folder you will find the ADMX / ADM (group policy definition) files. All of these should be copied to your central store \\domain.local\sysvol\domain.local\Policies\PolicyDefinitions. If no central store is configured in your environment, just copy these files to %windir%\PolicyDefinitions on the machine you are using for Group Policy management. Keep in mind that *.admx files should be placed outside of the language folders, meaning the *.admx files must be located directly in your PolicyDefinitions folder.

User store configuration

Create a new file share specifically for Citrix profiles (even if you already have a Windows roaming profiles share, don’t mix them up; it will become messy). To allow users to create their own profiles and at the same time prevent them from accessing other profiles, follow these steps:

SMB Share:

  • Everyone:
    • Read only
  • Citrix_UPM_Users_Group:
    • Full Control

NTFS Permissions:

    • Full Control (Apply onto: Subfolders and Files Only)
  • System:
    • Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins:
    • Full Control (Apply onto: This Folder, Subfolders and Files)
  • Citrix_UPM_Users_Group:
    • Create Folder/Append Data (Apply onto: This Folder Only)
  • Citrix_UPM_Users_Group:
    • List Folder/Read Data (Apply onto: This Folder Only)
  • Citrix_UPM_Users_Group:
    • Read Attributes (Apply onto: This Folder Only)
  • Citrix_UPM_Users_Group:
    • Traverse Folder/Execute File (Apply onto: This Folder Only)

In case of any issues, you may, and even should, follow the Microsoft Knowledge Base articles on roaming profile permissions best practices. In the example above I used Citrix_UPM_Users_Group as the group of users that will create profiles, but you may want to change it to “Authenticated Users”, “Domain users” or maybe just “Everyone”. It’s up to you, but if possible, stick to the principle of least privilege. One more thing you may consider when running a Windows-based file server is Access Based Enumeration, which will significantly improve your security model. As far as I know, this feature is currently also available for file shares hosted on NetApp arrays.
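The share and NTFS entries listed above can be applied in one pass with PowerShell. This is an added example, not part of the original article: the folder path and the DOMAIN prefix are placeholders, and because the first NTFS entry in the list has no principal, the script assumes CREATOR OWNER, which is the principal Microsoft's roaming profile guidance uses for the "Subfolders and Files Only" scope.

```powershell
# Added example. Placeholders/assumptions: $Path, the DOMAIN prefix, and
# CREATOR OWNER for the NTFS list entry that has no principal in the article.
$Path  = 'D:\UPMStore'
$Share = 'userstore$'
$Group = 'DOMAIN\Citrix_UPM_Users_Group'

# "Apply onto" scopes from the list, as (InheritanceFlags, PropagationFlags)
$Scope = @{
    ThisFolderSubfoldersFiles = 'ContainerInherit,ObjectInherit', 'None'
    SubfoldersAndFilesOnly    = 'ContainerInherit,ObjectInherit', 'InheritOnly'
    ThisFolderOnly            = 'None', 'None'
}

# The four group entries in the list share one scope, so they become one ACE
$Entries = @(
    @{ Id = 'CREATOR OWNER';        Rights = 'FullControl'; Scope = 'SubfoldersAndFilesOnly' }
    @{ Id = 'NT AUTHORITY\SYSTEM';  Rights = 'FullControl'; Scope = 'ThisFolderSubfoldersFiles' }
    @{ Id = 'DOMAIN\Domain Admins'; Rights = 'FullControl'; Scope = 'ThisFolderSubfoldersFiles' }
    @{ Id = $Group; Rights = 'CreateDirectories,ListDirectory,ReadAttributes,Traverse'; Scope = 'ThisFolderOnly' }
)

New-Item -Path $Path -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

foreach ($e in $Entries) {
    $inherit, $propagate = $Scope[$e.Scope]
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $e.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share permissions from the list, with Access Based Enumeration switched on
$shareArgs = @{
    Name = $Share; Path = $Path; ReadAccess = 'Everyone'; FullAccess = $Group
    FolderEnumerationMode = 'AccessBased'
}
New-SmbShare @shareArgs | Out-Null

# Show the resulting ACL so it can be compared with the list above
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

Run it elevated on the file server. Because the group only holds rights on the root folder itself, a user can create a profile folder but gets no access to folders created by others.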

Group Policy configuration

Group policy is one of the available ways to customize UPM (the other, which is used by default, is the *.ini config file). It can be configured through either Microsoft’s GPMC or Citrix Studio. This article covers GPMC usage as I simply feel more comfortable with it 🙂

Using Group Policy Management Console, create a new policy object and move to its Computer Configuration -> Administrative Templates -> Citrix -> Profile Management:

Citrix UPM - Group Policy Management

Key things that you should configure here:

  • Enable Profile Management (Enabled) – Enable/Disable profile handling by Citrix UPM. Kinda obvious.
  • Excluded Groups (Enabled) – Groups that shouldn’t be configured with roaming profiles (for example Administrators, domain-admins, help-desk or any other group that is meant to lose all settings / personalization upon logoff). Groups specified: “DOMAIN\Domain-Admins”.
  • Process logons of local administrators (Disabled) – similar to the previous setting. Obviously, we don’t want our local administrator account to roam between servers (a profile issue would lead to logon issues on all affected servers).
  • Path to user store (Enabled) – UNC path to the store we created in the previous steps. Use the following syntax: \\FQDN\userstore$\#SAMAccountName#. You may also use other user environment variables (for example %profilever% for Win2k3), except for %username% and %userdomain%.
  • Active write back (Enabled/Disabled) – This setting allows concurrent writes to user profile. When you use Windows Roaming Profiles there’s a rule that last session wins, meaning settings from last closed window are saved in user profile (in simple words). You definitely should enable this setting if your users are connecting to multiple servers at the same time – this will preserve all their settings. Otherwise – when there’s only one opened server session at a time, you may want to disable this setting as it may slightly increase performance.

Moving on to Computer Configuration -> Administrative Templates -> Citrix -> Profile Management -> File System you can configure files that are included or excluded from profile synchronization. There are some defaults in the *.ini configuration file – you should put them in the policy whenever you want to add custom exclusion. INI file can be found under %programfiles%\Citrix\User Profile Manager directory (UPMPolicyDefaults_all.ini).

  • File system -> Exclusion list – directories (Enabled). You may want to customize it for your environment, based on user profile sizes. I’ll get back to this subject at the end of this article.

!ctx_localappdata!\Microsoft\Windows\Application Shortcuts=
!ctx_localappdata!\Microsoft\Windows\CD Burning=
!ctx_localappdata!\Microsoft\Windows Live=
!ctx_localappdata!\Microsoft\Windows Live Contacts=
!ctx_localappdata!\Microsoft\Terminal Server Client=
!ctx_localappdata!\Windows Live=
!ctx_localappdata!\Google\Chrome\User Data\Default\Cache=
!ctx_localappdata!\Google\Chrome\User Data\Default\Cached Theme Images=
!ctx_localappdata!\Google\Chrome\User Data\Default\JumpListIcons=
!ctx_localappdata!\Google\Chrome\User Data\Default\JumpListIconsOld=

  • File system -> synchronization -> Directories to synchronize (Enabled). This setting allows you to synchronize non-default folders that are not a part of the roaming profile. Example? Microsoft’s Outlook settings (signature, language, style, etc.); saved passwords in Internet Explorer. Below you can find a list of my directories. [Image: Citrix_upm_folders_synchronization]

Next step, Log Settings. *Only* four options to configure:

  • Enable Logging (Enabled) – when enabled, saves debug information in default location (%SystemRoot%\System32\Logfiles\UserProfileManager).
  • Log Settings (Enabled) – Detailed log settings; you may select specific actions that should be logged. You definitely want to log the following:
    • Logon
    • Logoff
    • Personalized user information
    • Common warnings
    • Common information
  • Maximum size of the log file (Enabled) – by default it’s 1MB, you can change it to something bigger if your environment hosts more sessions and 1MB won’t catch enough data.
  • Path to log file (Enabled) – A few options here. You may use the default value (which is applied when this setting is disabled), a local path, e.g. C:\UPMLog, or a UNC path to a network share, which is the easiest for log browsing. If you decide to stick with a UNC path, remember to set appropriate NTFS / share permissions so that only authorized users are allowed to view log contents.

Something cool right now, Computer Configuration -> Administrative Templates -> Citrix -> Profile Management -> Profile handling:

  • Delete locally cached profiles on logoff (Enabled) – Enabling this setting causes local copies of user profiles to be deleted at session logoff. To be honest, I like this setting for two reasons: it saves disk space and, more importantly, it makes me sure that there’s only one copy of the user’s profile and that it’s saved in the central store, so UPM will never have a chance to use any local, cached copy of the profile (which at some point may lead to profile inconsistency).
  • Local profile conflict handling (Enabled) – What will happen when user JohnDoe logs on to a server which already has a local profile for the JohnDoe user? I went for “Delete local profile”. But if you are not sure about that, you may stick with “Rename local profile”.
  • Migration of existing profiles (Enabled/Disabled) – if you are moving from Windows Roaming Profiles you may want to enable this setting so all user data / personalization is copied to the newly created UPM profile. If you are starting from scratch, I suggest you disable this setting.
  • Template profile – this one is up to you. It’s nothing more than Windows Mandatory Profile. Meaning you can create a profile with all required settings, maybe printers, maybe files and make users work using this profile only (their customization won’t be saved anywhere at logoff). It’s really useful in some circumstances.

Next thing that you may consider if you want to decrease logon times is Profile streaming and caching of bigger files. Let’s move to Computer Configuration -> Administrative Templates -> Citrix -> Profile Management -> Streaming user profiles:

  • Profile streaming (Enabled) – Enabling this will synchronize only user’s registry entries, while rest of the files and folders are cached only when accessed by users. In short words – better logon times, less network traffic.
  • Always cache (Enabled) – optionally you can enable this setting to cache files at specified size (or larger) immediately after logon (in background). Setting this to 0 will cache complete profile immediately after logon.

That was the Group Policy part. The only thing you need to do now is to link this policy to your Servers / VDI OU.

User Profile optimization

The last thing you should do (if you don’t want to be killed, or at least yelled at, by your Storage / Network admins) is profile monitoring and optimization. What I have learned while working on roaming profiles is that they grow. And they grow really fast, especially if users are not restricted from some functions. My suggestion here: if you already have Windows roaming profiles, scan them using software like windirstat, which will give you detailed information about profile contents. You should be concerned about files and folders that are too big, and about data for apps that are not in use on your XenApp / XenDesktop servers. Example output based on about 30 users is shown below: [Image: windirstat_citrix_upm]

Having that, we can understand a lot. For sure there’s one user with an extremely big file (upper left corner, blue color) which does not repeat for anybody else and should be checked. Another thing: there are around 350MB of Microsoft Word files just for 30 users, meaning each user has around 15MB of unneeded files in his/her profile. The same goes for .xls files.

In total you may find that there’s a lot of additional user data (.doc, .xls, .pdf, .zip, .rar files) stored in folders like Downloads, Documents, Music, Videos, Desktop or other locations (maybe something in appdata\local or roaming). Such analysis gives you a hint where you should configure folder redirection (desktop, downloads, documents, etc.) so this data won’t be copied to the user store within the user profile but will still be available to the user when he logs on to the Citrix server. Second, sometimes you may just want to use Citrix UPM policies to exclude default roaming folders (appdata\roaming\…) from synchronization – this may affect IE / Firefox / Chrome cached webpages, recycle bin or things like that.

Doing such analyses periodically should let you keep profile size at a reasonable level (I mean something between 5-15 MB). This will also save some storage space and network traffic.
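For the periodic check, the same view windirstat gives can be produced as a report from the user store. This is an added example, not part of the original article: $Store is a placeholder for the share created earlier, and the 15 MB limit and the extension list are taken from the figures and file types mentioned above.

```powershell
# Added example; $Store is a placeholder for the user store share.
$Store   = '\\FQDN\userstore$'
$LimitMB = 15                                      # upper end of the 5-15 MB target
$Bulky   = '.doc', '.xls', '.pdf', '.zip', '.rar'  # file types named in the article
$byExt   = @{}                                     # store-wide bytes per extension

$report = foreach ($dir in Get-ChildItem -Path $Store -Directory) {
    $files = @(Get-ChildItem -Path $dir.FullName -Recurse -File -Force -ErrorAction SilentlyContinue)
    foreach ($f in $files) { $byExt[$f.Extension.ToLower()] += $f.Length }

    $total   = ($files | Measure-Object -Property Length -Sum).Sum
    $bulk    = ($files | Where-Object { $Bulky -contains $_.Extension } |
                Measure-Object -Property Length -Sum).Sum
    $largest = $files | Sort-Object -Property Length -Descending | Select-Object -First 1

    [pscustomobject]@{
        Profile     = $dir.Name
        TotalMB     = [math]::Round($total / 1MB, 1)
        BulkyMB     = [math]::Round($bulk / 1MB, 1)   # documents and archives
        LargestFile = if ($largest) { $largest.FullName.Substring($dir.FullName.Length + 1) }
        LargestMB   = if ($largest) { [math]::Round($largest.Length / 1MB, 1) }
        OverLimit   = ($total / 1MB) -gt $LimitMB
    }
}

# Per-profile view: biggest profiles first, with the single largest file in each
$report | Sort-Object -Property TotalMB -Descending | Format-Table -AutoSize

# Store-wide view: which file types take the most space across all profiles
$byExt.GetEnumerator() | Sort-Object -Property Value -Descending | Select-Object -First 10 |
    ForEach-Object { [pscustomobject]@{ Extension = $_.Key; TotalMB = [math]::Round($_.Value / 1MB, 1) } } |
    Format-Table -AutoSize
```

Run it with an account that can read every profile folder (for example a Domain Admins member, per the NTFS list above); folders it cannot read are skipped silently and will show up as smaller than they are.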


Cleaning up Profile Management Store – scripts written by Muralidhar Maram. These will help you clean up your profile store when you apply a directory / file exclusion after the profiles already exist.
Delprof2 – User Profile Deletion Tool – If user profiles are not removed from your servers properly, you may use this tool.
UPM Troubleshooter – This PowerShell script examines a live Profile Management system and determines whether it is optimally configured.
windirstat – Application that will help you analyze user profiles. If somebody smuggled in big files, this app will find them.

One thought on “Citrix User Profile Management (UPM) deployment”

  1. Many thanks and great article.

    I have been struggling with the right settings for google chrome and Firefox in UPM. Do you have any recommended settings for them?
