Citrixology

by Lal Mohan

Installing and Configuring Citrix Workspace Environment Manager (WEM) in a Citrix Environment

March 11, 2020 by Lal Mohan

I have done numerous Citrix Workspace Environment Manager (WEM) deployments in the past, but I never once thought about doing a blog post on it. So, we are doing it this time. For the uninformed, Citrix WEM is a resource management and user persona management tool and is a must-have in every Citrix environment for the following reasons.

  • It’s FREE for all the Enterprise and Platinum customers that have a valid Citrix Customer Success Services (CSS) agreement.
  • It’s super impressive if you have applications that consume large amounts of memory, which most modern apps do.

Refer here if you want to look at what you get with different Citrix licenses https://www.citrix.com/en-au/products/citrix-virtual-apps-and-desktops/feature-matrix.html?_ga=2.163129148.1481679903.1582674361-19471628.1580160671

Overview

WEM has the following simplified architecture (courtesy of Citrix.com)

Workspace Environment Management architecture diagram

There are 3 key pieces for a WEM deployment:

  • Infrastructure Services – It is the brain of the whole solution. It synchronizes the agent and the admin console with the SQL server and Active Directory. According to Citrix, this role CANNOT be installed on a Domain Controller or a Desktop Delivery Controller.
  • Administration Console – Console is used to configure and manage WEM. This could be installed on any standard Windows machine.
  • Agent – The Workspace Environment Management agent connects to the Workspace Environment Management infrastructure services and is responsible for enforcing the settings you configure by using the administration console. The agent can either be deployed on VDAs or on physical Windows devices (for Transformer use cases). It can be installed on a Windows client (to manage client environments) or on a Windows Server (to manage server environments, or to manage published desktops and applications).

Installation

Pre-Requisites

  • A domain service account
  • Sysadmin access for the service account on the SQL server(s)
  • An AD group that contains all the WEM admins in the organization
  • The service account added to the local Administrators group on the WEM servers

Install WEM Infrastructure Services

Download the installer binaries and run the .exe for Infrastructure Services

Click Install

Click Next


Accept the EULA

Enter the Customer and Organization Name

Click Next

Click Install

Click Finish. The database management utility will start

Click Create Database

The database creation wizard will start.

Click Next

Tick the box for “Use Integrated Connection” if the account that has been used is a sysadmin on the SQL server. If that’s not the case, use another account that has sysadmin rights.

Click Next

  • Add the WEM Administrator AD group
  • Select the domain service account. This is the broker service account under which the Infrastructure Services will run
  • Set a password for the SQL vuemUser

Click Next

You get the database information summary as below

Click OK

Click Finish

Close the Database Management Utility


WEM Infrastructure Services Configuration

On the server where WEM is installed, run the WEM Infrastructure Service Configuration Utility as an administrator.

On the Database settings tab, enter the Database server name and Database Name that was created in the previous step

If there is a failover server, give the secondary SQL server name and instance

On the Network settings tab, leave everything as default

On the Advanced Settings tab, enter the Infrastructure Service account and the vuemUser SQL password.

Tick the box to enable Performance Tuning

Decide if you want to enable Google Analytics or not

Enable Scheduled Database Maintenance as below

On the Licensing Tab, tick the box for Global license Server override

Click Save Configuration

This will restart the broker service

Click Yes

Close the WEM Infrastructure Service Configuration utility.

Click Yes

Ensure that the Infrastructure service account has full permissions to the DBSync folder. The installation of the Infrastructure service role should set this up correctly, but if that isn’t the case, ensure that the permissions are set up as shown below. Otherwise, your WEM upgrades will most likely fail in the future.

If you have multiple WEM infrastructure services servers and you are planning to load balance them, you will need to set up a Kerberos SPN. Use the command below to set it. The service account name is the account used for the WEM Infrastructure Service; there is no need to add the domain name before the service account name.

setspn -U -S Norskale/BrokerService [serviceaccountname]

Run the Citrix Workspace Environment Management Infrastructure Services Setup on the rest of the WEM servers.

Once the installation is complete, do NOT run the Database Management Utility but run the WEM Infrastructure Service Configuration utility instead.

Set up the Kerberos SPN (it is case sensitive, so be mindful of how you used the service account on the previous servers)
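
A read-only way to confirm the result of the setspn step once all servers are configured. This is an added example, not from the original post or from Citrix: it looks up which accounts hold Norskale/BrokerService and reports a missing SPN, a duplicate, an unexpected holder or a spelling that differs in case. It assumes a domain-joined machine and searches the current domain only; the account name in the usage comment is constructed.

```powershell
# Added example, not from the original post. Read-only: it queries AD and changes nothing.
# Assumptions: run on a domain-joined machine as a user who can read AD; only the
# current domain is searched; 'svc_wem' in the usage comment is a constructed name.

function Get-WemSpnHolder {
    # Every account in the current domain that holds $Spn. LDAP matching ignores
    # case, so the stored spelling is returned for an exact comparison afterwards.
    param([string]$Spn = 'Norskale/BrokerService')

    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PageSize = 200
    $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'serviceprincipalname'))

    foreach ($result in $searcher.FindAll()) {
        foreach ($stored in $result.Properties['serviceprincipalname']) {
            if ($stored -ieq $Spn) {
                [pscustomobject]@{
                    Account   = [string]$result.Properties['samaccountname'][0]
                    StoredSpn = [string]$stored
                }
            }
        }
    }
}

function Test-WemSpn {
    # Emits one string per finding; no output means the SPN sits on exactly the
    # expected account with the expected spelling.
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,   # sAMAccountName, no domain prefix
        [string]$Spn = 'Norskale/BrokerService'
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $holders  = @(Get-WemSpnHolder -Spn $Spn)

    if ($holders.Count -eq 0) {
        $findings.Add("SPN '$Spn' is not registered on any account in this domain")
    }
    if ($holders.Count -gt 1) {
        $names = ($holders.Account | Sort-Object -Unique) -join ', '
        $findings.Add("SPN '$Spn' is registered more than once (accounts: $names)")
    }
    foreach ($holder in $holders) {
        if ($holder.Account -ine $ServiceAccount) {
            $findings.Add("SPN is held by unexpected account '$($holder.Account)'")
        }
        if ($holder.StoredSpn -cne $Spn) {
            $findings.Add("SPN on '$($holder.Account)' is stored as '$($holder.StoredSpn)', which differs in case")
        }
    }
    $findings
}

# Usage (constructed account name):
#   $issues = @(Test-WemSpn -ServiceAccount 'svc_wem')
#   if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { 'SPN OK' }
```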

Citrix WEM Console Install

Run the console install on the WEM servers or any other server of your choice

Accept the EULA

Enter the Customer Name and Organization and Click Next

Select Complete and click Next

Click Install

Click Finish

WEM Agent Install

Once the Infra services and console are installed, you can install WEM agents on the machines that you need to manage via WEM. In our case, they are the Citrix VDAs themselves.

Run the installer binaries for Citrix Workspace Environment Management Agent Setup

Click Install


Click Next

Click Next

Select On-Premises deployment

Select Skip Configuration. These settings will be pushed down via GPOs.

Click Next

You can choose to leave the WEM Cache on the C drive, but when using PVS or MCS, it is often good practice to move the cache folder to the persistent drives. I have selected to use the MCS Write Cache disk in the example above.

Click Next

Click Install

Click Finish

Click Close

WEM Initial Configuration

Once the console and WEM services roles are installed, a Configuration Set must be created so that it can be applied to the machines that you intend to manage. Configuration Sets were previously called Sites, so don’t freak out if you are used to that terminology.

If you already have a backup of the Configuration set, you can now browse to that and select it and import it.

Else, create a new Configuration set

Click Create

Give it a Name and a description

Click OK

Now it’s time to import default recommended settings. You can find them in the WEM download package.

Click Restore

Restore Wizard will open

Select Settings

Click Next

Click Next

Click Browse and pick the Default Recommended Settings

Click OK

Check all the boxes as shown in the picture below

Click Next

Click Restore Settings

Say Yes to the warning above

Wait until the restore is finished

Click Finish

To add the agents in WEM console, Click “Active Directory Objects” and then click Machines

Under Actions pane at the bottom, select Add Object

Pick the computer account that you want the policies to be pushed using the WEM agent. You can also choose to add the whole OU to make things a bit more automated.

The basic config is now there. If you want to get a bit deeper into WEM or understand the concepts a bit more, please feel free to read the blog I wrote a while ago. It has explanations and best practices that you can follow for your environment and customize according to your needs. It is a good read, I promise!

https://lalmohan.co.nz/2018/08/15/citrix-workspace-environment-manager-wem-baseline-policies-and-best-practices/


Citrix Workspace Environment Management (WEM) – Baseline Policies and Best Practices

August 15, 2018 by Lal Mohan

Citrix Workspace Environment Manager is a tremendous addition to any Citrix environment. It drastically changes how resources are consumed on the Citrix servers. It will also help you control what the users have access to on Citrix servers, define the Start Menu, blacklist and whitelist processes, shift your GPOs to WEM, and manage printer mappings, drive mappings, file type associations and so on. If you want super fast logins, WEM is a must-have. Why do you not have it? It comes free of cost if you have XenApp/XenDesktop Enterprise and above licenses with Citrix Customer Success Services - Select (valid Software Maintenance).

There is a ton of literature on setting up WEM on the internet, so I will skip that step and go straight on to some of the best practices and configuration that I have followed for XenApp environments.

Some of the best guides out there for installing WEM are as follows.

https://www.carlstalhood.com/workspace-environment-management/

https://www.jgspiers.com/citrix-workspace-environment-manager/

Baseline WEM Policies

Let’s get started! Please note that all these settings may not be entirely relevant in your environment so enable them with caution or increase/decrease the values to suit your environment. I will explain settings where necessary so that you guys know what they are supposed to do.

I am working with WEM version 4.6, so some of the settings that you are after may not be there or in a different place in the console.

Assuming that you are all set with the WEM, and you have access to the console and you have a configuration set created, below are the settings I will set up right off the bat.

Monitoring

Go to Monitoring – Configuration – Boot Time Minimum Value and Login Time Minimum Value. Check the values below.


Advanced Settings

Advanced Settings – Configuration – Main Configuration tab. Some of the settings aren’t being used in my environment, so check what’s necessary in your case.

Agent Actions. These settings determine whether or not the agent processes actions configured in the Actions tab. These settings apply at login, automatic refresh, or manual (user or administrator triggered) refresh.


Enable (Virtual) Desktop Compatibility. This setting is necessary for the agent to be launched when the user is logged in to session 1. If you have any users on physical desktops or VDI, select this option.

Execute only CMD Agent in Published Applications. If enabled, the agent will launch in command line mode (CMD) when initiating a published application, rather than in UI mode. CMD mode displays a command prompt instead of an agent splash screen.

Cleanup Actions


Settings here are self-explanatory

Agent Options


Enable Offline Mode. If this is disabled, the agent does not fall back on its cache if it cannot connect to the infrastructure service. Note: For Offline Mode to work, SQL Server Compact Edition 3.5 SP2 must be installed in the user environment and on the Workspace Environment Management infrastructure server.

Initial Environment/Desktop Cleanup. If enabled, the agent cleans up the environment/desktop at first login only. Be careful with this setting! Please test this thoroughly before allowing this in production

Check Application Existence. If enabled, the agent checks that an application is available to the user/group before creating a shortcut to that application.

Expand App Variables. If enabled, variables are expanded by default (see Environment variables for normal behaviour when the agent encounters a variable).

Enable Cross-Domain User Group Search. If enabled, the agent queries user groups in all Active Directory domains. Note: This is an extremely time-intensive process which should only be selected if necessary.

Broker Service Timeout. The timeout value after which the agent switches to its own cache, when it fails to connect to the infrastructure service. The default value is 2000 milliseconds.

Directory Services Timeout. The timeout value for directory services on the Agent Host machine, after which the agent uses its own internal cache of user group associations. The default value is 2000 milliseconds.

Network Resources Timeout. The timeout value for resolving network resources (network drives or file/folder resources located on the network), after which the agent considers the action has failed. The default value is 500 milliseconds.

Agent Max Degree of Parallelism. The maximum number of threads the agent can use. The default value is 0 (as many threads as physically allowed by the processor), 1 is single-threaded, 2 is dual-threaded, etc. In most cases, this value does not need changing. Available in WEM 4.7 onwards.

Advanced Options

Enforce Execution of Agent Actions. If these settings are enabled, the Agent Host will always refresh those actions, even if no changes have been made.

Revert Unassigned Actions. If these settings are enabled, the Agent Host will delete any unassigned actions when it next refreshes.

Automatic Refresh. If enabled, the Agent Host will refresh automatically. By default, the refresh delay is 30 minutes.


Reconnection Actions

Action Processing on Reconnection. These settings control what actions the Agent Host processes upon reconnection to the user environment.


Advanced Processing

Filter Processing Enforcement. If enabled, these options will force the Agent Host to re-process filters at every refresh.


Service Options

These settings configure the Agent Host service.

Agent Cache Refresh Delay. This setting controls how long the Agent Host service will wait to refresh its cache.

SQL Settings Refresh Delay. This setting controls how long the Agent Host service will wait to refresh its SQL connection settings.

Agent Extra Launch Delay. This setting controls how long the Agent Host service will wait to launch the Agent Host executable.

Enable Debug Mode. This enables verbose logging for all Agent Hosts connecting to this site.

Bypass ie4uinit Check. By default, the Agent Host service will wait for ie4uinit to run before launching the Agent Host executable. This setting forces the Agent Host service to not wait for ie4uinit.

Agent Launch Exclusions. If enabled, the Citrix Workspace Environment Management Agent Host will not be launched for any user belonging to the specified user groups.


Console Settings

Forbidden Drives. Any drive letter added to this list is excluded from the drive letter selection when assigning a drive resource.


UI Agent Personalization

These settings let you customize the appearance of the session agent (in UI mode only) in the user’s environment.

UI Agent Options

Disable Administrative Refresh Feedback. When Administrators force a session agent to refresh from the Administration Console, this option prevents a notification tooltip appearing in the user environment. This will disable all the user interactions/notifications with WEM Agent. Very useful to have!


HelpDesk Options

These options control the Agent Host’s help desk functionalities.

Help Link Action. This field controls what happens when the user clicks on the Help command in the Citrix Workspace Environment Management Agent Host.

Custom Link Action. This field controls what happens when the user clicks on the Support command in the Citrix Workspace Environment Management Agent Host.

Enable Screen Capture. If enabled, users are given the option to open a screen capture utility. This allows the user to screenshot any errors in their environment, which they can then send to your support staff.

Enable Send to Support Option. If enabled, the user is able to send screenshots and log files directly to the nominated support email address, with the specified template. This requires a working, configured email client.

Custom Subject. If enabled, the support email generated by the Citrix Workspace Environment Management Agent Host screen capture utility is sent with the specified subject.

Email Template. This field allows you to specify a template for the support email generated by the Citrix Workspace Environment Management Agent Host screen capture utility. Note: You must configure the email template to include useful information.

See Dynamic tokens for a list of hash-tags which can be used in the email template. Note: Users are only presented with the option to enter a comment if the ##UserScreenCaptureComment## hash-tag is included in the email template.

Use SMTP to Send Email. If enabled, this will send the support email using SMTP instead of MAPI.

Test SMTP. Tests your SMTP settings as entered above to verify that they are correct.

Power Saving

Shut Down At Specified Time. If enabled, the Agent Host will automatically shut off the environment it is running in at the specified local time.

Shut Down When Idle. If enabled, the Agent Host will automatically shut off the environment it is running in after running idle (no user input) for the specified length of time.

I don’t have anything set up for power options as they are more for VDI and servers running in the cloud for cost savings.

Transformer Settings

These options allow you to configure the Transformer feature. Transformer allows agents to connect as web/application launchers which redirect users to the configured remote desktop interface. Use Transformer to convert any Windows PC into a high-performance thin client using a fully reversible ‘kiosk’ mode.

I don’t currently utilize this feature for my customer deployment.

Active Directory Objects

Use this page to specify the users, computers, groups, and organizational units you want to be managed by Workspace Environment Management.

Advanced – AD Settings


Active Directory search timeout. The time period (msec) for Active Directory searches to be performed before they time out. The default value is 1000 msec. I recommend using a timeout value of at least 500 msec to avoid timeouts before searches complete.

Security

These settings allow you to control the applications users are permitted to run by defining rules. This functionality is similar to Windows AppLocker. When you use Workspace Environment Management to manage Windows AppLocker rules, the agent processes (converts) Application Security tab rules into Windows AppLocker rules on the agent host. If you stop the agent processing rules, they are preserved in the configuration set and AppLocker continues running by using the last set of instructions processed by the agent.

Application Security

Process Application Security Rules. When selected, the Application Security tab controls are enabled and the agent processes rules in the current configuration set, converting them into AppLocker rules on the agent host. When not selected, the Application Security tab controls are disabled and the agent does not process rules into AppLocker rules. (In this case, AppLocker rules are not updated.)

Process DLL Rules. When selected, the agent processes DLL rules in the current configuration set into AppLocker DLL rules on the agent host. This option is only available when you select Process Application Security Rules.

Important: If you use DLL rules, you must create a DLL rule with “Allow” permission for each DLL that is used by all the allowed apps.

Caution: If you use DLL rules, users may experience a reduction in performance. This happens because AppLocker checks each DLL that an app loads before it is allowed to run.
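
Because the agent turns these rules into AppLocker policy on the agent host, and that policy keeps applying after rule processing is stopped, the policy on the host is the thing to audit. This added example (not from the original post or from Citrix) summarises each rule collection in AppLocker policy XML and flags a collection that is enforced with no Allow rule, which is the DLL pitfall described above. The sample policy and its rule names are constructed.

```powershell
# Added example, not from the original post. Read-only: it only parses policy XML.
# The sample policy below is constructed. On an agent host, pass the live policy instead:
#   Get-AppLockerRuleSummary -PolicyXml ([xml](Get-AppLockerPolicy -Effective -Xml))

$SamplePolicy = [xml]@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Deny sample tool"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Tools\sample.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Deny sample DLL"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Tools\sample.dll" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="44444444-4444-4444-4444-444444444444" Name="Allow Windows scripts"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

function Get-AppLockerRuleSummary {
    # One object per rule collection: mode, rule counts and a plain-language finding.
    param([Parameter(Mandatory)][xml]$PolicyXml)

    foreach ($collection in $PolicyXml.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $type  = $collection.GetAttribute('Type')
        $mode  = $collection.GetAttribute('EnforcementMode')
        $rules = @($collection.SelectNodes('*'))
        $allow = @($rules | Where-Object { $_.GetAttribute('Action') -eq 'Allow' }).Count
        $deny  = @($rules | Where-Object { $_.GetAttribute('Action') -eq 'Deny' }).Count

        # AppLocker semantics: a collection without rules restricts nothing; once it
        # has rules they are enforced unless the mode is AuditOnly (NotConfigured with
        # rules present is enforced), and anything not matched by an Allow rule is blocked.
        if ($rules.Count -eq 0) {
            $finding = 'No rules: files of this type are not restricted'
        } elseif ($mode -eq 'AuditOnly') {
            $finding = 'Audit only: matches are logged, nothing is blocked'
        } elseif ($allow -eq 0) {
            $finding = "WARNING: enforced with no Allow rule, every $type file is blocked"
        } else {
            $finding = 'Enforced'
        }

        [pscustomobject]@{
            Collection = $type
            Mode       = $mode
            AllowRules = $allow
            DenyRules  = $deny
            Finding    = $finding
        }
    }
}

Get-AppLockerRuleSummary -PolicyXml $SamplePolicy | Format-Table -AutoSize
```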

Process Management

Lets you define what is allowed to run and what isn’t.

This helps you apply software licensing restrictions (well, in a less intuitive way) using blacklisting. The only caveat is that you will NOT be able to set up individual restrictions for applications. They are managed as a list of processes with a list of groups that will have access to run them. Hence, this will not serve the purpose when you have a list of applications that need to be restricted. Look at Application Security, if you have multiple applications.

Note: This option only works if the session agent is running in the user’s session. To do this use the Main Configuration Agent settings to set the Launch Agent options (at Logon/at Reconnect/for Admins) to launch according to the user/session type, and set Agent Type to “UI”. These options are described in Advanced Settings.

Be super careful with Whitelisting as the moment you add a process in there, WEM will stop all the other processes from running. The safe bet will be using blacklisting unless it is a greenfield environment.

Policies and Profiles

Environmental Settings

These options modify the user’s environmental settings. Some of the options are processed at logon, while some others can be refreshed in session with the agent refresh feature.

Under the Known Folders Management tab, Disable Specified Known Folders prevents the creation of the specified user profile known folders at profile creation.

Here is the link to the Canonical names for the Control Panel applets

https://docs.citrix.com/en-us/workspace-environment-management/current-release/reference/control-panel-applets.html

System Optimization

Although system optimization settings are machine-based and apply to all user sessions, process optimization is user-centric. This means that when a process triggers CPU Spikes Protection in User A’s session, the event is recorded for User A only. When User B starts the same process, process optimization behavior is determined only by process triggers in User B’s session.

Tip

When your virtual machines have different hardware configurations, consider creating multiple configuration sets for them, and configuring the system optimization settings differently for each configuration set. Machines can only belong to one configuration set.

CPU Management

Enable CPU Spikes Protection. Lowers the CPU priority of any process which exceeds the configured percentage of CPU usage, for a configurable period of time.

Whenever a specific process triggers Spike Protection, the event is recorded in the agent’s local database. The agent records trigger events for each user separately. This means that CPU Optimization for a specific process for User A does not affect the behavior of the same process for User B.

  • Limit Sample Time. This is the time for which a process must exceed the CPU Usage Limit before its CPU priority is lowered.
  • Idle Priority Time. This is the length of time the process’ priority is lowered. After this time expires, the process CPU Priority returns to its original level.

 

Exclude Specified Processes. By default, WEM CPU Management excludes all of the most common Citrix and Windows core service processes. You can, however, use this option to Add or Remove processes from an exclusion list for CPU Spikes Protection by executable name (for example notepad.exe). Typically, antivirus processes would be excluded.


There is a good summary of how you want to set this up here https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/system-optimization/cpu-management.html

CPU Clamping

CPU clamping is a brute force approach which is computationally expensive. To keep the CPU usage of a troublesome process artificially low, it is better to use CPU Spikes Protection, at the same time as assigning static CPU priorities and CPU affinities to such processes. CPU clamping is best reserved for controlling processes which are notoriously bad at resource management, but which cannot stand to be dropped in priority.

To find out if CPU Clamping is working, follow the Citrix KB below

https://support.citrix.com/article/CTX226272


I don’t have any CPU Affinity and Priority policies configured. If you want to know why they are there and what they are supposed to do, follow this Citrix blog post: https://www.citrix.com/blogs/2018/07/03/the-best-kept-secret-at-citrix/

Memory Management

These settings allow you to optimize application RAM usage.

Note

Please note that enabling this will increase disk usage if the pagefile has been set up with a system-managed size. Change it to a fixed pagefile size after performing some calculations. This has also been found to increase storage IO, so if you see similar issues in your environment, come back and check the Memory Optimization settings. Maybe play around with it a bit and change the settings to a conservative value, such as 30 mins for Idle Sample Time.


IO Management


Fast Logoff

Fast Logoff ends the HDX connection to a remote session immediately, giving users the impression that the session was immediately closed. However, the session itself continues through the session logoff phases in the background on the VDA.

Note

Fast Logoff supports XenApp and RDS resources only.


Now, there are Actions, Filters and Assignments which I am not going to talk to you about now as you will have a completely different set of applications and rules that you would like to apply in your environment.

It’s been a long post, and since I need a coffee desperately, I will talk about setting up applications, network drives, printers, file associations and so on in another blog post. There are a few blogs currently out there that have step-by-step instructions on how to do that. Feel free to comment with any useful tips and the good stuff that you are doing in your environment using WEM. Adios!


Citrix User Profile Manager (UPM) – Baseline Policies

August 6, 2018 by Lal Mohan

I always wanted to document this so it would help me for my next assignment, but I never did. As a result, I was always having to refer to my previous customer environments or As-Built documents for this information, which was quite a pain. Well, that’s gonna change today as I am going to put this up on my blog so that it can become my quick and easy reference place.

As mentioned in the title, this is going to be the baseline policy set upon which you can build yours with any specific policies pertaining to your environment. Also, all the settings that I have mentioned here may not be applicable or work for you, or you may not even see all of them due to an older UPM version, XenApp version, etc.

Please note that some of the settings found in newer UPM versions aren’t listed here as well. I will continue to update it as Citrix releases new UPM versions but this should give you a good start nonetheless.

Exclusion List – Directories

$Recycle.Bin 
AppData\LocalLow 
!ctx_internetcache! 
!ctx_localappdata!\Microsoft\Windows\Burn 
!ctx_localappdata!\Microsoft\Windows\CD Burning 
!ctx_localappdata!\Microsoft\Windows Live 
!ctx_localappdata!\Microsoft\Windows Live Contacts 
!ctx_localappdata!\Microsoft\Terminal Server Client 
!ctx_localappdata!\Microsoft\Messenger 
!ctx_localappdata!\Microsoft\OneNote 
!ctx_localappdata!\Microsoft\Outlook 
!ctx_localappdata!\Microsoft\AppV 
!ctx_localappdata!\Windows Live 
!ctx_localappdata!\Sun 
!ctx_roamingappdata!\Sun\Java\Deployment\cache 
!ctx_roamingappdata!\Sun\Java\Deployment\log 
!ctx_roamingappdata!\Sun\Java\Deployment\tmp 
AppData\Local\Microsoft\Windows\INetCache 
AppData\Local 
AppData\Roaming\Citrix\PNAgent\AppCache 
AppData\Roaming\Citrix\PNAgent\Icon Cache 
AppData\Roaming\Citrix\PNAgent\ResourceCache 
AppData\Roaming\ICAClient\Cache 
AppData\Roaming\Sun\Java\Deployment\cache 
AppData\Roaming\Sun\Java\Deployment\log 
AppData\Roaming\Sun\Java\Deployment\tmp 
Citrix 
Java 
Local Settings 
Music 
My Pictures 
My Videos 
Pictures 
Videos 
AppData\Roaming\Macromedia\FlashPlayer\macromedia.com\support\flashplayer\sys 
AppData\Roaming\Macromedia\FlashPlayer\#SharedObject 
Downloads 
Saved Games 
Searches 
Application Data\Sun\Java\Deployment\cache 
Application Data\Sun\Java\Deployment\log 
Application Data\Sun\Java\Deployment\tmp 
Local Settings\Application Data\Microsoft\AppV 
Local Settings\Application Data\Microsoft\Messenger 
Local Settings\Application Data\Microsoft\OneNote 
Local Settings\Application Data\Microsoft\Outlook 
Local Settings\Application Data\Microsoft\Terminal Server Client 
Local Settings\Application Data\Microsoft\Windows Live 
Local Settings\Application Data\Microsoft\Windows Live Contacts 
Local Settings\Application Data\Microsoft\Windows\Burn 
Local Settings\Application Data\Microsoft\Windows\CD Burning 
Local Settings\Application Data\Sun 
Local Settings\Application Data\Windows Live 
Local Settings\Temporary Internet Files 
AppData\Local\Microsoft\AppV 
AppData\Local\Microsoft\Messenger 
AppData\Local\Microsoft\OneNote 
AppData\Local\Microsoft\Outlook 
AppData\Local\Microsoft\Terminal Server Client 
AppData\Local\Microsoft\Windows Live 
AppData\Local\Microsoft\Windows Live Contacts 
AppData\Local\Microsoft\Windows\Burn 
AppData\Local\Microsoft\Windows\CD Burning 
AppData\Local\Sun 
AppData\Local\Windows Live 
AppData\Local\microsoft\windows\Temporary Internet Files 
AppData\Local\Microsoft\Windows\INetCookies 
AppData\local\Google\Chrome\User Data\Default\Media Cache 
AppData\Local\Google\Chrome\User Data\Default\Cache 
AppData\local\Google

Exclusion List – Files

Application Data\VMware\hgfs.dat 
AppData\local\Google\Chrome\User Data\Default\ChromeDWriteFontCache 
AppData\*.tmp
!ctx_localappdata!\Microsoft\Windows\UsrClass.dat*
AppData\*.xar
AppData\*.wbk
AppData\*.asd
AppData\*.log
AppData\*.dmp
AppData\*.trc

Directories to Synchronize

AppData\Roaming\Microsoft\Credentials 
AppData\Roaming\Microsoft\Crypto 
AppData\Roaming\Microsoft\Protect 
AppData\Roaming\Microsoft\SystemCertificates 
AppData\Local\Microsoft\Credentials 
AppData\Roaming\Microsoft\Signatures 
AppData\Local\Microsoft\Vault 
%LOCALAPPDATA%\Microsoft\Credentials
!ctx_localappdata!\Microsoft\Windows\Notifications
!ctx_startmenu!
AppData\Local\MultiDrive

Files to Synchronize

AppData\LocalLow\Sun\Java\Deployment\security\exception.sites 
AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs 
AppData\LocalLow\Sun\Java\Deployment\deployment.properties 
AppData\Local\Microsoft\Office\*.qat 
AppData\Local\Microsoft\Office\*.OfficeUI 
AppData\LocalLow\Google\GoogleEarth\*.kml 
AppData\Local\Citrix\PNAgent\Icon Cache\*.ico 
AppData\Local\Microsoft\Windows\INetCache\wpad.dat 
AppData\Local\Google\Chrome\User Data\First Run 
AppData\Local\Google\Chrome\User Data\Local State 
AppData\Local\Google\Chrome\User Data\Default\History 
AppData\Local\Google\Chrome\User Data\Default\Preferences 
AppData\Local\Google\Chrome\User Data\Default\Favicons 
AppData\Local\Google\Chrome\User Data\Default\Bookmarks
AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Folders to Mirror

AppData\Roaming\Microsoft\Windows\Cookies 
AppData\Local\Microsoft\Vault 
AppData\Local\Microsoft\Windows\WebCache
!ctx_localappdata!\TileDataLayer
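
The lists above overlap in places: AppData\Local is excluded as a whole, several of its subfolders are then excluded again, and credential-related folders beneath it are listed for synchronization. This added example (not from the original post or from Citrix) checks a subset of the lists for exclusions already covered by a parent, synchronized folders that sit under an excluded folder, and folders that appear in both the synchronize and mirror lists. It assumes !ctx_localappdata! and !ctx_roamingappdata! resolve to AppData\Local and AppData\Roaming.

```powershell
# Added example, not from the original post. The arrays are a subset of the lists above.
# Assumption: !ctx_localappdata! and !ctx_roamingappdata! resolve to AppData\Local and
# AppData\Roaming, as they do for version 2 and later profiles.

$ExcludeDirs = @(
    'AppData\Local'
    '!ctx_localappdata!\Microsoft\Outlook'
    'AppData\Local\Microsoft\AppV'
    'AppData\local\Google'
    'AppData\Local\Google\Chrome\User Data\Default\Cache'
    'AppData\Roaming\ICAClient\Cache'
    'Downloads'
)
$SyncDirs = @(
    'AppData\Roaming\Microsoft\Credentials'
    'AppData\Local\Microsoft\Credentials'
    'AppData\Local\Microsoft\Vault'
    '!ctx_localappdata!\Microsoft\Windows\Notifications'
)
$MirrorDirs = @(
    'AppData\Roaming\Microsoft\Windows\Cookies'
    'AppData\Local\Microsoft\Vault'
)

function ConvertTo-ProfileRelativePath {
    # Expand the two UPM variables, trim padding and compare in lower case.
    param([Parameter(Mandatory)][string]$Path)
    $p = $Path.Trim().TrimEnd('\')
    $p = $p -ireplace '^!ctx_localappdata!', 'AppData\Local'
    $p = $p -ireplace '^!ctx_roamingappdata!', 'AppData\Roaming'
    $p.ToLowerInvariant()
}

function Find-CoveringExclusion {
    # Returns the first excluded folder that is a strict parent of $Path, if any.
    param([string]$Path, [string[]]$NormalizedExclusions)
    $NormalizedExclusions |
        Where-Object { $Path.StartsWith($_ + '\', [System.StringComparison]::Ordinal) } |
        Select-Object -First 1
}

function Get-UpmListFinding {
    param([string[]]$Exclude, [string[]]$Sync, [string[]]$Mirror)

    $normExclude = @($Exclude | ForEach-Object { ConvertTo-ProfileRelativePath $_ })
    $normMirror  = @($Mirror  | ForEach-Object { ConvertTo-ProfileRelativePath $_ })

    foreach ($entry in $Exclude) {
        # An excluded folder already excludes everything beneath it.
        $parent = Find-CoveringExclusion (ConvertTo-ProfileRelativePath $entry) $normExclude
        if ($parent) {
            [pscustomobject]@{ Kind = 'RedundantExclusion'; Entry = $entry; Detail = "already covered by '$parent'" }
        }
    }
    foreach ($entry in $Sync) {
        $norm   = ConvertTo-ProfileRelativePath $entry
        $parent = Find-CoveringExclusion $norm $normExclude
        if ($parent) {
            # Review these: each one is content pulled back out of an excluded folder.
            [pscustomobject]@{ Kind = 'SyncUnderExclusion'; Entry = $entry; Detail = "carve-out from excluded '$parent'" }
        }
        if ($normMirror -contains $norm) {
            [pscustomobject]@{ Kind = 'InSyncAndMirror'; Entry = $entry; Detail = 'listed in both the synchronize and mirror lists' }
        }
    }
}

Get-UpmListFinding -Exclude $ExcludeDirs -Sync $SyncDirs -Mirror $MirrorDirs |
    Sort-Object Kind | Format-Table -AutoSize -Wrap
```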

Log Settings

Define events or actions which Profile management logs in depth: 
Common warnings                                        Enabled 
Common information                                     Enabled 
File system notifications                              Enabled 
File system actions                                    Enabled 
Registry actions                                       Enabled 
Registry differences at logoff                         Enabled 
Active Directory actions                               Enabled 
Policy values at logon and logoff                      Enabled 
Logon                                                  Enabled 
Logoff                                                 Enabled 
Personalized user information                          Enabled

Log Settings                                           Enabled
Enable Logging                                         Enabled
Maximum size of the log file                           Enabled
Maximum size in bytes                                  10485760

Profile Handling

Delay before deleting cached profiles                  Enabled
Delay(Seconds)                                         0
Delete locally cached profiles on logoff               Enabled
Local profile conflict handling                        Enabled
If both a local Windows user profile and a Citrix user
profile in the user store both exist:                  Delete local profile

Registry Exclusion List

Software\Microsoft\AppV 
Software\Microsoft\Windows\CurrentVersion\UFH\SHC 
Software\Microsoft\Installer\Products\4645D6EBF1B0CC6498379F56F16E4AA5
Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify

Enable Default Exclusion List

Software\Microsoft\AppV\Client\Integration                Enabled
Software\Microsoft\AppV\Client\Publishing                 Enabled
Software\Microsoft\Speech_OneCore                         Enabled

Streamed user profiles

Always cache                                           Enabled
Cache files this size or larger (megabytes):           1
Profile streaming                                      Enabled
Streamed user profile groups                           Disabled
Timeout for pending area lock files (days)             Enabled
Timeout for pending area lock files (days)             1

Advanced settings

Disable automatic configuration                        Disabled
Number of retries when accessing locked files          Enabled
Number of retries:                                     5
Process Internet cookie files on logoff                Enabled

Profile Management

Active write back                                      Enabled
Enable Profile management                              Enabled
Excluded groups                                        Disabled
Path to user store                                     Enabled

Process logons of local administrators                 Enabled
Processed groups                                       Disabled
