Profile Management

Set up profile containers

Important:

This feature does not work on Windows 7.

Large folders in a user profile can cause a slow user logon. To improve the logon experience, Profile Management provides the profile container, a VHDX-based profile solution. This solution lets you store the profile folders of your choice on the VHDX profile disk. When users log on, the VHDX profile disk is mounted and the profile folders are available immediately.

You can achieve one of the following goals using profile containers:

  • Set up the container-based profile solution: Store the entire user profile in the profile container.

  • Optimize user experiences for the file-based profile solution: Store a portion of the user profile in the profile container.

Workflow

The general workflow for deploying the profile container is as follows:

  1. (Optional) Customize the storage capacity and path for profile containers.

  2. Enable the profile container in a way that suits your needs:

    Note:

    With the container-based profile solution enabled, the following user profiles (if any) are automatically migrated to the container upon its first use:

    • Local Windows user profile
    • User profiles from the Citrix file-based profile solution
  3. To prevent the profile container from bloating, exclude folders and files.

  4. If multi-session scenarios are common in your deployment, enable multi-session write-back for profile containers as needed.

  5. To enable profile containers to dynamically grow in size as the profile data expands, enable and configure VHD auto-expansion for profile containers.

  6. To reduce the storage costs resulting from identical files in user profiles, you can enable and configure file deduplication policies:

    1. Specify files to deduplicate from profile containers.
    2. (Optional) Specify files to exclude from deduplication.
    3. (Optional) Specify the minimum size of files to deduplicate from profile containers.
  7. When multiple user stores are deployed and the profile container is the only type of container enabled in your deployment, you can enable in-session profile container failover among user stores to provide profile redundancy for the entire session.

  8. (Optional) Grant AD users Read access to profile containers.

  9. If you’ve enabled the profile container for the entire user profile (container-based profile solution), you can enable one of the following policies as necessary:

Considerations

When the container-based profile solution is enabled, be aware of these considerations:

  • The file-based profile solution is disabled automatically and the following policies no longer apply:

    • Profile streaming

      Exception: profile streaming applies to the profile container only when the Enable local caching for profile containers policy is enabled. For more information, see Enable local caching for profile containers.

    • File System
    • Active write-back
    • Delete locally cached profiles on logoff

    To view policies that apply to the container-based profile solution, see Policies for file-based and container-based solutions.

  • To maintain backward compatibility with the Search index roaming for Outlook feature, Profile Management keeps the two VHDX disks that are used to store the following files, respectively:

    • Outlook search index database
    • Offline Outlook Data Files (.ost)

(Optional) Customize the storage capacity and path for profile containers

By default, the profile container is stored in the user store with a default storage capacity of 50 GB.

For example, you configure the path of the user store as: \\myprofileserver\profiles$\%username%.%domain%\!ctx_osname!.!ctx_osbitness!.

The profile container is then stored in: \\myprofileserver\profiles$\%username%.%domain%\!ctx_osname!.!ctx_osbitness!\ProfileContainer\!ctx_osname!.

You can specify a different network location for the profile container and change its default storage capacity. For more information, see Specify the storage capacity and path for VHD files.

Enable the profile container for a portion of the user profile

To reduce logon time with the user store, you can enable the profile container feature and add those large profile folders to the profile container.

Note:

The folders you add to the profile container also exist in the user store. After you enable the profile container feature, Profile Management keeps the folders synchronized between the profile container and the user store.

Suppose you enable the profile container feature and then you disable it. To ensure a consistent user profile, Profile Management synchronizes the user store profile with a profile container. This synchronization occurs during the user logon. Folders in the exclusion list are not copied to the user store.

  1. Open the Group Policy Management Editor.
  2. Under Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) > Citrix Components > Profile Management > Profile container settings, double-click the Profile container policy.
  3. Select Enabled.
  4. Click Show and add the folders in the form of relative paths to the user profile. We recommend that you add folders that contain large cache files. For example, add the Citrix Files content cache folder to the list: AppData\Local\Citrix\Citrix Files\PartCache.

Enable the container-based profile solution

To enable the container-based profile solution, follow these steps:

  1. Open the Group Policy Management Editor.
  2. Under Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) > Citrix Components > Profile Management > Profile container settings, double-click the Profile container policy.
  3. Select Enabled.
  4. Click Show, and then add an asterisk (*) to the profile container list.
  5. Click OK.

(Optional) Include and exclude folders and files

To prevent the profile container from bloating, you can exclude folders and files from it. If needed, you can include folders and files when their parent folders are excluded.

Exclude folders from the profile container

Important:

If you enable the profile container for the entire user profile, the folder redirection setting still takes effect. Do not put folders to be redirected in the Folders to exclude from profile container list. Otherwise, folder redirection does not work.

  1. Under Profile Management > Profile container settings, double-click the Folders to exclude from profile container policy.
  2. Select Enabled.
  3. Click Show, and then enter the folders to exclude in the form of relative paths to the user profile.

    Wildcards in folder names are supported but are not applied recursively. Example:

    • Desktop indicates the Desktop folder.
    • Downloads\* indicates all immediate subfolders of the Downloads folder.

Note:

If you enable the profile container for the entire user profile (container-based profile solution), the appdata\local\temp folder is automatically excluded from the profile container.

Configuration precedence:

  1. If the setting is disabled, no folder is excluded.
  2. If the setting isn’t configured here, the value from the .ini file is used.
  3. If the setting isn’t configured either here or in the .ini file, no folder is excluded.

Include folders into the profile container

To include subfolders of the excluded folders in the profile container, follow these steps:

  1. Under Profile Management > Profile container settings, double-click the Folders to include in profile container policy.
  2. Select Enabled.
  3. Click Show, and then enter the folders to include in the form of relative paths to the user profile.

Be aware of the following:

  • Folders on this list must be subfolders of the excluded folders. Otherwise, this setting does not work.
  • Wildcards in folder names are supported but are not applied recursively.
  • Enabling the policy and configuring an empty list have the same effect as disabling the setting.

Configuration precedence:

  1. If the setting isn’t configured here, the value from the .ini file is used.
  2. If the setting isn’t configured either here or in the .ini file, folders not on the exclusion list are included in the profile container.

Include files into the profile container

After you exclude a folder from the profile container, you can include files inside the folder into the profile container. Detailed steps are as follows:

  1. Under Profile Management > Profile container settings, double-click the Files to include in profile container policy.
  2. Select Enabled.
  3. Click Show, and then enter the files to include in the form of relative paths to the user profile.

Be aware of the following:

  • Files on this list must be inside the excluded folders. Otherwise, this setting does not work.
  • Wildcards in file names are applied recursively. To restrict the policy only to the current folder, use the vertical bar (|).
  • Starting with Profile Management 2112, wildcards in folder names are supported but are not applied recursively.

Examples: - Desktop\Desktop.ini indicates the Desktop\Desktop.ini file. - AppData\*.tmp indicates all files with the .tmp extension in the AppData folder and its subfolders. - AppData\*.tmp| indicates all files with the .tmp extension only in the AppData folder. - Downloads\*\a.txt indicates a.txt in any immediate subfolder of the Downloads folder.

Enabling the policy and configuring an empty list have the same effect as disabling the setting.

Configuration precedence:

  1. If the setting isn’t configured here, the value from the .ini file is used.

  2. If the setting isn’t configured either here or in the .ini file, files not on the exclusion list are included in the profile container.

Exclude files from the profile container

Starting with Profile Management 2112, you can exclude files from the profile container. Detailed steps are as follows.

  1. Under Profile Management > Profile container settings, double-click the Files to exclude from profile container policy.
  2. Select Enabled.
  3. Click Show, and then enter the files to exclude in the form of relative paths to the user profile.

Be aware of the following:

  • Wildcards in file names are applied recursively. To restrict the policy only to the current folder, use the vertical bar (|).
  • Starting with Profile Management 2112, wildcards in folder names are supported but are not applied recursively.

Configuration precedence:

  1. If the setting is disabled, no file is excluded.

  2. If the setting isn’t configured here, the value from the .ini file is used. If the setting isn’t configured either here or in the .ini file, no file is excluded.

(Optional) Enable in-session profile container failover among user stores

By default, when multiple user stores are deployed, profile container failover occurs only at user logon. As a result, profile redundancy is available only at user logon. The Enable in-session profile container failover among user stores policy lets you expand the failover scope to the entire session, ensuring profile redundancy throughout the session. With this policy enabled, if Profile Management loses connection to the active profile container during a session, it automatically switches to another available one.

Note:

  • Enabling this policy requires that only the profile container is enabled in your deployment. If any other containers, such as OneDrive, UWP, Outlook, folder mirroring, or Profile streaming for pending area is enabled, this policy doesn’t take effect.
  • This policy is implemented upon the Automatically reattach VHDX disks in sessions feature, which is enabled by default. If that feature is manually disabled, the policy can’t work properly.
  • With this policy enabled, the differential disk is stored on the local disk, posing additional storage requirements on the local disk.

To enable this policy using GPO, follow these steps:

  1. Under Profile Management > Advanced settings, double-click the Enable in-session profile container failover among user stores policy.
  2. Select Enabled.
  3. Click OK.

Configuration precedence:

  1. If this policy isn’t configured here, the value from the .ini file is used.
  2. If this policy isn’t configured either here or in the .ini file, the setting is disabled.

(Optional) Enable and configure VHD auto-expansion

User profiles typically grow over time. To simplify storage management, enable the VHD auto-expansion feature for profile containers. With this feature enabled, when the container reaches 90% utilization, it automatically expands by 10 GB, with a maximum capacity of 80 GB. If needed, you can customize these default settings to meet your specific needs.

Tip:

You can use user-level policy settings for more granular control over VHD auto-expansion settings. Your organization can have a standard set of auto-expansion settings while providing unique settings, such as larger maximum capacity, for specific users.

  1. Open the Group Policy Management Editor.
  2. Enable VHD auto-expansion using the following steps:
    1. Go to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) > Citrix Components > Profile Management > Profile container settings.
    2. Double-click the Enable VHD auto-expansion for profile container policy.
    3. Select Enabled.
    4. Click OK.
  3. To change the default storage utilization percentage at which profile containers trigger auto-expansion, follow these steps:
    1. Go to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) > Citrix Components > Profile Management > Advanced settings.
    2. Double-click the Profile container auto-expansion threshold policy.
    3. Select Enabled.
    4. In the Auto-expansion threshold (%) field, enter a percentage as needed.
    5. Click OK.
  4. To change the amount of storage capacity by which profile containers automatically expand, follow these steps:
    1. Go to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) > Citrix Components > Profile Management > Advanced settings.
    2. Double-click the Profile container auto-expansion increment policy.
    3. Select Enabled.
    4. In the Auto-expansion increment (in GB) field, enter a number as needed. The default is 10 (GB).
    5. Click OK.
  5. To change the maximum storage capacity to which profile containers can automatically expand, follow these steps:
    1. Go to Computer Configuration > Policies > Administrative Templates: Policy definitions (ADMX files) > Citrix Components > Profile Management > Advanced settings.
    2. Double-click the Profile container auto-expansion limit policy.
    3. Select Enabled.
    4. In the Auto-expansion limit (in GB) field, enter a number as needed. The default is 80 (GB).
    5. Click OK.

(Optional) Enable multi-session write-back for profile containers

Profile Management supports concurrent access to the profile container by default. However, among all concurrent sessions, only one session has read/write permission and can merge profile changes into the container.

The following is how Profile Management processes concurrent access:

  • On session logon:

    Checks whether a read/write session exists. If one is found, the current session becomes read-only. Otherwise, it’s a read/write session.

  • On session logoff:

    1. Dismounts the profile container.
    2. Discards profile changes if the current session is read-only.
    3. Merges profile changes of the read/write session to the profile container if there are no other concurrent sessions.

To enable multi-session write-back, use the Enable multi-session write-back for profile containers policy.

(Optional) Enable exclusive access to profile containers

By default, profile containers allow concurrent access. If needed, you can disable concurrent access to profile containers through Profile container settings > Enable exclusive access to VHD containers. As a result, profile containers allow only one access at a time.

Note:

  • This setting applies only to profile containers that are enabled for the entire user profile.
  • If this setting is enabled for profile containers, the Enable multi-session write-back for profile containers setting is automatically disabled.

For more information, see Enable exclusive access to VHD containers.

(Optional) Enable local caching for profile containers

The Enable local caching for profile containers feature takes effect only when the profile container is enabled for the entire user profile. If you enable the Enable local caching for profile containers policy, during user logon, the user’s profile in the profile container is cached in the user’s local user profile.

Important:

Applications that work only with the container-based profile solution, such as OneDrive, might not work properly when this policy is enabled. To ensure OneDrive functions correctly, either disable this policy or enable the OneDrive container policy.

By default, the entire user profile is cached during user logon. To reduce user logon time, you can enable the Profile streaming policy. As a result, the profile folders in the user profile are cached on demand after logon.

Note:

To exclude files or folders from local caching, use exclusion and inclusion policies in File system rather than those in Profile container settings.

(Optional) Specify whether to log off users when the profile container is not available during logon

By default, when the profile container is unavailable during user logon, users log on using temporary profiles instead. However, this behavior leads to data loss for any changes made during the session. Alternatively, you can enable the Log off users when profile container is not available during logon policy to force log-off users in such cases. With this policy enabled, users receive an error message that states Unable to set up your profile: profile container is not available. Clicking OK will log you off, and any changes made during this session will be lost. Clicking OK in this message immediately logs them off. If necessary, you can also customize the error message when enabling this policy.

To enable this policy using GPO, follow these steps:

  1. Under Profile Management > Profile container settings, double-click the Log off users when profile container is not available during logon policy.
  2. Select Enabled.
  3. In the Error message field, enter the message users will see when the profile container isn’t available during logon. Leaving it empty will display a default message.
  4. Click OK.

Note:

When configuring Profile Management policies using Studio, performing the Disable action can’t disable this policy. Instead, to disable it, edit the policy to change its value to Disabled, and then clear the policy checkbox.

Configuration precedence:

  1. If this policy is not configured here, the value from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, the setting is disabled.

(Optional) Grant AD users Read access to profile containers

Applies to: both file-based and container-based profile solutions.

By default, a profile container is accessible only to its owner. To extend its access to other users in your AD domains, you can enable the Users and groups to access profile container policy. Profile Management grants Read & Execute permission to users and user groups specified in this policy.

Detailed steps are as follows:

  1. Under Profile Management > Profile container settings, double-click the Users and groups to access profile container policy.
  2. Select Enabled.
  3. In the Users and groups to access profile container field, click Show, and then add AD users and groups to which you want to grant Read and Execute permission for the container. Use the format domain name\user or group name or the Security Identifier (SID) to identify an AD user or group.
  4. Click OK and OK again.

Configuration precedence:

  1. If this policy is not configured here, the setting from the .ini file is used.
  2. If this policy is not configured either here or in the .ini file, the profile container is accessible only to its owner.