Citrix User Profile Manager: How Registry Exclusion Lists Can Mess Up Group Policy Processing

The documentation of Citrix User Profile Manager (UPM, for short) recommends excluding the following registry keys from processing:

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

The net effect is that the Citrix profiles managed by UPM do not contain any policy settings. The reasoning: policies are reapplied during the next logon anyway, so there is no reason to waste CPU cycles on synchronizing such “redundant” information.

Unfortunately, nobody had taken the group policy engine’s own optimizations into account. Policy processing is relatively costly in terms of performance. It is only logical to try and reduce the number of times policies need to be applied. Since policies are relatively static compared to the frequency of user logons, it makes sense to cache the policy settings in the user profile. That is exactly what the group policy engine does.

Actual settings are cached in the two registry keys mentioned above. What is still missing, though, is a way to detect new or changed policies in the domain. The policy engine thus needs to cache metadata on the applied GPOs in addition to the settings stored in those GPOs. Group policy metadata is stored in another area of the user’s registry hive:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy

Where is the Problem?

We have two locations containing data that relates to each other. Storing only one part of it and dropping the other breaks the group policy engine’s caching mechanism.

If HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy is present but HKEY_CURRENT_USER\Software\Policies is not, the engine thinks all policy information is present in the user profile, whereas in reality it is not. As a result, policies are effectively no longer applied.

How to Fix it

Either exclude all three registry paths from processing by UPM or none of them. I recommend the latter, which leaves the group policy engine’s caching mechanism intact.

Wrap Up

Do not put any of these paths on UPM’s registry exclusion list:

Software\Policies
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Group Policy

Note: The paths above are in the notation UPM expects (without the string “HKEY_CURRENT_USER”).
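The "all three or none" rule can be checked mechanically. The following PowerShell is an added example, not code from the original post or from Citrix: the function names are hypothetical, the exclusion list is passed in as a parameter because the post does not say where UPM stores it, and it assumes that an excluded key also covers its subkeys.

```powershell
# Added example, not from the original post. The three paths are the post's;
# function names and the "excluded key covers its subkeys" rule are assumptions.
$GpoCachePaths = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Group Policy'
)

function Test-ExclusionCovers {
    param([string]$Path, [string[]]$ExclusionList)
    foreach ($entry in $ExclusionList) {
        # Normalize: drop a stray hive prefix, surrounding blanks and backslashes.
        $e = ($entry -replace '^\s*(HKEY_CURRENT_USER|HKCU:?)\\', '').Trim().Trim('\')
        if (-not $e) { continue }
        $isSame   = $Path -eq $e   # -eq is case-insensitive for strings
        $isParent = $Path.StartsWith("$e\", [System.StringComparison]::OrdinalIgnoreCase)
        if ($isSame -or $isParent) { return $true }
    }
    return $false
}

function Get-GpoExclusionState {
    param([string[]]$ExclusionList = @())
    $excluded = @($GpoCachePaths | Where-Object { Test-ExclusionCovers $_ $ExclusionList })
    $n = $excluded.Count
    # None    = caching intact (the post's recommendation)
    # All     = consistent, but nothing is cached in the profile
    # Partial = cached settings and GPO metadata can diverge
    $state = if ($n -eq 0) { 'None' } elseif ($n -eq $GpoCachePaths.Count) { 'All' } else { 'Partial' }
    [pscustomobject]@{
        State    = $state
        Excluded = $excluded
        Kept     = @($GpoCachePaths | Where-Object { $_ -notin $excluded })
    }
}

function Test-GpoCacheMismatch {
    # Run in the user's session: metadata key present, cached settings key absent.
    $meta     = Test-Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy'
    $settings = Test-Path 'HKCU:\Software\Policies'
    return ($meta -and -not $settings)
}

# Constructed sample: the two keys the UPM documentation recommends excluding.
$sample = @('Software\Policies', 'Software\Microsoft\Windows\CurrentVersion\Policies')
Get-GpoExclusionState -ExclusionList $sample | Format-List
Write-Output "Mismatch in current hive: $(Test-GpoCacheMismatch)"
```

A State of Partial means the list needs fixing; Test-GpoCacheMismatch flags a profile that is already in the broken condition described under "Where is the Problem?".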
