Citrix User Profile Manager: How Registry Exclusion Lists Can Mess Up Group Policy Processing
The documentation of Citrix User Profile Manager (UPM, for short) recommends excluding the following registry keys from processing:
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
The net effect is that the profiles managed by UPM do not contain any policy settings. The reasoning behind this: policies are reapplied at the next logon anyway, so why waste CPU cycles synchronizing such “redundant” information?
Unfortunately, this recommendation does not take the group policy engine’s own optimizations into account. Policy processing is relatively expensive, so it is only logical to reduce the number of times policies have to be applied. Because policies change rarely compared to how often users log on, it makes sense to cache the applied settings in the user profile, and that is exactly what the group policy engine does.
The actual settings are cached in the two registry keys mentioned above. What is still missing is a way to detect new or changed policies in the domain. The policy engine therefore also caches metadata about the applied GPOs (which GPOs were applied, and at which version) in addition to the settings stored in those GPOs. This group policy metadata lives in another area of the user’s registry hive:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy
Where is the Problem?
We now have two locations containing data that depends on each other. Storing only one part and dropping the other breaks the group policy engine’s caching mechanism. If HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy is present in the profile but HKEY_CURRENT_USER\Software\Policies (and the Policies key under CurrentVersion) is not, the engine compares the cached GPO metadata with the GPOs in the domain, finds that nothing has changed, and concludes that all policy settings are already present in the user profile, whereas in reality they were never saved. As a result, registry-based user policies are effectively no longer applied.
How to Fix it
Either exclude all three registry paths from UPM processing or none of them. I recommend the latter, which leaves the group policy engine’s caching mechanism intact. Excluding all three also works, because without cached metadata the engine reapplies every policy at every logon, but that costs exactly the processing time the cache was meant to save. Note that the symptom only shows up while the registry policy client-side extension is left at its default of skipping unchanged GPOs; enabling “Process even if the Group Policy objects have not changed” masks the problem at the price of full policy processing at every logon.
Wrap Up
Do not put any of these paths on UPM’s registry exclusion list:
Software\Policies
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Group Policy
Note: the paths above are in the notation UPM expects, i.e. without the “HKEY_CURRENT_USER\” prefix.
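Two checks a practitioner would want to run after reading this, as an added PowerShell example that is not code from the original post or from Citrix. The first classifies a UPM registry exclusion list into the three states the “Where is the Problem?” and “How to Fix it” sections describe (none of the policy paths excluded, all three excluded, or the broken partial case). The second inspects a user hive for the inconsistent state (GP metadata cached, policy settings missing). Assumptions: the exclusion list is available as an array of strings (here a constructed sample, or the `[ExclusionListRegistry]` section of a UPM .ini file, whose section name and file location are assumed), and a user hive is reachable as a PowerShell registry drive path (`HKCU:`, or a hive loaded under HKLM with `reg.exe load`).

```powershell
# Added example (not from the original post or from Citrix).
# Assumes exclusion entries as strings and a hive reachable via a registry drive path.

# The three paths the post says must be treated as one unit (UPM notation, no HKCU prefix).
$PolicyPaths = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Group Policy'
)

function Get-IniSection {
    # Minimal reader for one [Section] of an INI file; returns its non-comment lines.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Section
    )
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $t -and -not $t.StartsWith(';')) { $t }
    }
}

function Test-UpmRegistryExclusionList {
    # Flags the "some but not all" case: metadata roams without its settings (or vice versa).
    param([Parameter(Mandatory)][string[]]$Exclusions)
    $norm = $Exclusions | ForEach-Object {
        # Tolerate trailing backslashes and the long HKEY_CURRENT_USER\ form.
        ($_.Trim().TrimEnd('\')) -replace '^HKEY_CURRENT_USER\\', ''
    }
    $excluded = @($PolicyPaths | Where-Object { $norm -contains $_ })   # -contains is case-insensitive
    if ($excluded.Count -eq 0) {
        $state = 'OK: no policy paths excluded, GP caching intact'
    } elseif ($excluded.Count -eq $PolicyPaths.Count) {
        $state = 'OK: all three excluded, GP caching disabled (works, but policies reapply every logon)'
    } else {
        $state = 'BROKEN: partial exclusion, user policies will stop being applied'
    }
    [pscustomobject]@{ State = $state; ExcludedPolicyPaths = $excluded }
}

function Test-UserPolicyCache {
    # Detects the inconsistent hive state the post describes:
    # GP metadata key present, but one or both cached-settings keys missing.
    param([string]$HiveRoot = 'HKCU:')
    $metadata = Test-Path (Join-Path $HiveRoot 'Software\Microsoft\Windows\CurrentVersion\Group Policy')
    $settings = @(
        'Software\Policies',
        'Software\Microsoft\Windows\CurrentVersion\Policies'
    ) | ForEach-Object { Test-Path (Join-Path $HiveRoot $_) }

    if ($metadata -and ($settings -contains $false)) {
        $verdict = 'INCONSISTENT: GP metadata cached but policy settings missing; engine will skip reapplying'
    } elseif (-not $metadata) {
        $verdict = 'No GP metadata cached; policies will be applied in full at next logon'
    } else {
        $verdict = 'Consistent: metadata and cached settings both present'
    }
    [pscustomobject]@{ HiveRoot = $HiveRoot; MetadataPresent = $metadata; Verdict = $verdict }
}

# Constructed sample: the two entries the UPM documentation recommends excluding.
$documentedExclusions = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies'
)
Test-UpmRegistryExclusionList -Exclusions $documentedExclusions

# Real inputs (file path and section name are assumptions, adjust to your deployment):
# Test-UpmRegistryExclusionList -Exclusions (Get-IniSection -Path 'C:\ProgramData\Citrix\UPM\UPMPolicyDefaults_all.ini' -Section 'ExclusionListRegistry')
# Test-UserPolicyCache                                    # the currently logged-on user
# reg.exe load HKLM\UPMTest \\server\profiles\user\UPM_Profile\NTUSER.DAT
# Test-UserPolicyCache -HiveRoot 'HKLM:\UPMTest'          # a stored profile, inspected offline
# reg.exe unload HKLM\UPMTest
```

The sample list is the documentation’s two entries, which the first check classifies as a partial exclusion because the Group Policy key is not in the list. The hive check is most useful run against a profile loaded from the UPM store, since that shows what actually roams; on a live session the keys may have been recreated by the current logon. Remember that the “Process even if the Group Policy objects have not changed” setting hides the inconsistent state by forcing a full reapply, so a hive that passes this check on such a machine is not evidence the exclusion list is correct.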
6 Comments
Hello Helge,
Hmm…. interesting. A Citrix support call we opened on this topic was answered differently last week.
The following entry was to be added to the registry exclusion list:
Software\Microsoft\Windows\CurrentVersion\Group Policy
Your explanation seems more sensible to me, though (better performance).
So which is right?
Regards, Christian
To the non-German-speaking readers:
The question was which of the two solutions presented in the article is the “better” one.
I think I have answered the question in the article:
“Either exclude all three registry paths from processing by UPM or none of them. I recommend the latter, which leaves the group policy engine’s caching mechanism intact.”
Hello,
Although the settings were OK with Version 1, deleting these 3 keys as suggested made my GPO work again with V2.
Software\Policies
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Group Policy
Thank you!
Helge,
there is hard proof that removing the policy keys from the exclusions list is the proper fix, because I tested adding the third key at a customer. Although group policy processing was fixed for Software\Microsoft\Windows\CurrentVersion\Policies, the key Software\Policies did not exist, resulting in “fewer settings” being applied ;-)
To cut a long story short: Remove both keys from the exclusion list. Just like you recommended.
Thanks for the resolution,
Nicholas
Hello,
I’m having the same type of issues and have tried everything. Here is my exact issue: everything works great when the profile is first created. However, if I change the GPO to add a directory or file sync (outside the profile), it does not happen. The log file on the PC and the .ini file created in the profile by UPM 2.0.1 both show the entries, so I know that the service is reading the GPO… however the files/directories never get created. Changes within the profile work fine. We get no errors anywhere and see no denies in FileMon on the profile store side of it. If I delete the profile and log back in, everything is fine once again with the current changes.
I’m not excluding any of the 3 policy keys and I’ve set various GPO settings to force GPO to process even if there are no changes. This is happening with both versions of UPM. We are provisioning physical desktops with XP via PVS 5.0. Any thoughts on what is missing?
Casey
Casey,
the problem you have described is different from the one outlined in the article (user policies not being processed at all). I suggest you either post in the UPM forum or open a support case with Citrix.