Citrix User Profile Manager: How Registry Exclusion Lists Can Mess Up Group Policy Processing

The documentation of Citrix User Profile Manager (UPM, for short) recommends excluding the following registry keys from processing:

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

The net effect is that profiles managed by UPM do not contain any policy settings. The reasoning: policies are reapplied at the next logon anyway, so there is no point in spending CPU cycles and I/O on synchronizing such “redundant” data.

Unfortunately, this advice ignores the group policy engine’s own optimizations. Policy processing is relatively costly, so it is only logical to reduce how often policies need to be applied. Since policies change rarely compared to how often users log on, caching the policy settings in the user profile makes sense, and that is exactly what the group policy engine does.

The actual settings are cached in the two registry keys mentioned above. What is still missing is a way to detect new or changed policies in the domain. The engine therefore caches metadata about the GPOs it has applied (which GPOs, and at which version) in addition to the settings taken from those GPOs. This metadata is stored in another area of the user’s registry hive:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy

Where is the Problem?

We now have two locations holding data that belong together: the settings, and the record of which GPO versions produced them. Storing one part and dropping the other breaks the group policy engine’s caching mechanism.

At logon, the engine compares the GPO versions recorded under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy with the versions currently in the domain. If nothing has changed (and the client-side extension is not configured to process even if the GPOs have not changed), it skips reapplying the settings. So if the Group Policy key is present but HKEY_CURRENT_USER\Software\Policies is not, the engine assumes all policy settings are in the profile when in reality they are not. As a result, user policies are effectively no longer applied: any restriction delivered through user-side registry policy is silently absent from the session until a GPO’s version changes or policy is forced to reapply, for example with gpupdate /force.
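The following PowerShell check, added here as an example and not part of the original post, detects exactly this inconsistent state in the current user’s hive: it reads the cached GPO history of the registry client-side extension (the GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is Windows’ Administrative Templates CSE, not anything of UPM’s) and compares it with the presence of the two settings keys. Run it inside the affected user’s session, for instance from a logon script, so that HKCU refers to that user’s profile. The function and variable names are my own.

```powershell
# Added example, not part of the original post: detect the broken cache state
# (GPO history present, settings keys gone) in the current user's hive.
# Registry paths are the ones named in the text plus the History subkey;
# the CSE GUID below is the Windows registry (Administrative Templates) CSE.

function Test-PolicyCacheConsistency {
    [CmdletBinding()]
    param()

    $settingsKeys = @(
        'HKCU:\Software\Policies',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    )
    $historyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $registryCse = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'

    $present = @($settingsKeys | Where-Object { Test-Path -LiteralPath $_ })
    $missing = @($settingsKeys | Where-Object { $_ -notin $present })

    # History layout: History\<CSE GUID>\<n>, one numbered subkey per applied GPO,
    # carrying DisplayName, GPOName and the Version the engine last saw.
    $cached = @()
    $cseKey = Join-Path $historyKey $registryCse
    if (Test-Path -LiteralPath $cseKey) {
        foreach ($gpo in Get-ChildItem -LiteralPath $cseKey) {
            $p = Get-ItemProperty -LiteralPath $gpo.PSPath
            $cached += [pscustomobject]@{
                Order       = $gpo.PSChildName
                DisplayName = $p.DisplayName
                GPOName     = $p.GPOName
                Version     = $p.Version
            }
        }
    }

    # The failure mode from the text: the engine remembers registry GPOs at a given
    # version, so it will not reapply them, yet neither key holding the settings exists.
    # (One key missing can be legitimate if every applied GPO writes only to the other.)
    $inconsistent = ($cached.Count -gt 0) -and ($missing.Count -eq $settingsKeys.Count)

    [pscustomobject]@{
        HistoryPresent      = Test-Path -LiteralPath $historyKey
        CachedRegistryGpos  = $cached
        SettingsKeysMissing = $missing
        Inconsistent        = $inconsistent
    }
}

$result = Test-PolicyCacheConsistency
$result | Format-List HistoryPresent, SettingsKeysMissing, Inconsistent
$result.CachedRegistryGpos | Format-Table Order, DisplayName, Version -AutoSize

if ($result.Inconsistent) {
    Write-Warning 'GPO history is cached but the policy settings keys are gone: user policy is not being applied.'
    Write-Warning 'To recover this session, force a full reapply: gpupdate /force'
}
```

The check deliberately keys on the registry CSE’s history rather than on the Group Policy key as a whole: other extensions (scripts, folder redirection) leave history entries too, and a user who genuinely has no registry-based user policy has neither settings keys nor registry-CSE history, which is not a fault.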

How to Fix it

Either exclude all three registry paths from UPM processing or none of them. I recommend the latter, which leaves the group policy engine’s caching mechanism intact. Excluding all three is at least consistent (with no cached history the engine reapplies everything at each logon), but it gives up the optimization the engine was built around.

Wrap Up

Do not put any of these paths on UPM’s registry exclusion list:

Software\Policies
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Group Policy

Note: the paths above are in the notation UPM expects (without the “HKEY_CURRENT_USER\” prefix).
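As an added example (not from the original post), the PowerShell audit below reads UPM’s registry exclusion list and checks whether any of the three paths is covered by it, including through an exclusion of a parent key such as Software. It assumes that the GPO-delivered list is stored as one value per entry under HKLM:\SOFTWARE\Policies\Citrix\UserProfileManager\ExclusionListRegistry and that the INI fallback carries an [ExclusionListRegistry] section with one path per line; verify both against the UPM version you run. The function names are my own.

```powershell
# Added example, not part of the original post. Assumed storage locations:
#  - GPO-delivered list: one value per entry under
#    HKLM:\SOFTWARE\Policies\Citrix\UserProfileManager\ExclusionListRegistry
#  - INI fallback: an [ExclusionListRegistry] section, one path per line
# Check both against the UPM version you run before relying on this.

function Get-UpmRegistryExclusions {
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Citrix\UserProfileManager\ExclusionListRegistry',
        [string]$IniPath
    )
    $entries = @()
    if (Test-Path -LiteralPath $PolicyKey) {
        # Each list entry is its own registry value; the data is the path.
        # Skip the PS* metadata properties Get-ItemProperty adds.
        $meta  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
        $props = Get-ItemProperty -LiteralPath $PolicyKey
        $entries += $props.PSObject.Properties |
            Where-Object { $_.Name -notin $meta } |
            ForEach-Object { [string]$_.Value }
    }
    elseif ($IniPath -and (Test-Path -LiteralPath $IniPath)) {
        $inSection = $false
        foreach ($line in Get-Content -LiteralPath $IniPath) {
            $t = $line.Trim()
            if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'ExclusionListRegistry'); continue }
            if ($inSection -and $t -and -not $t.StartsWith(';')) { $entries += $t }
        }
    }
    $entries | Where-Object { $_ } | ForEach-Object { $_.Trim().TrimEnd('\') }
}

function Test-UpmPolicyExclusions {
    param([string[]]$Exclusions)

    # The three paths from the text, in UPM notation (no HKEY_CURRENT_USER prefix).
    $policyPaths = @(
        'Software\Policies',
        'Software\Microsoft\Windows\CurrentVersion\Policies',
        'Software\Microsoft\Windows\CurrentVersion\Group Policy'
    )
    foreach ($path in $policyPaths) {
        # An exclusion matches if it names the key itself or any parent of it
        # (excluding "Software" would take all three out of the profile).
        $hits = @($Exclusions | Where-Object { $path -eq $_ -or $path -like "$_\*" })
        [pscustomobject]@{
            Path      = $path
            Excluded  = $hits.Count -gt 0
            MatchedBy = $hits -join ', '
        }
    }
}

$report   = @(Test-UpmPolicyExclusions -Exclusions @(Get-UpmRegistryExclusions))
$excluded = @($report | Where-Object Excluded).Count
$report | Format-Table -AutoSize

switch ($excluded) {
    0       { Write-Host 'OK: none of the policy keys is excluded; group policy caching stays intact.' }
    3       { Write-Warning 'All three excluded: consistent, but policies are reprocessed in full at every logon.' }
    default { Write-Warning "Only $excluded of 3 excluded: cached GPO history and settings are split; user policy will silently stop applying." }
}
```

Run it on a server that already has the UPM policy applied (the HKLM policy key is written by the GPO, so it must have been processed on that machine), or point -IniPath at the UPM INI file if you configure UPM without group policy. The three-way verdict mirrors the fix section: zero matches is the recommended state, three is consistent but wasteful, anything in between is the broken configuration this post is about.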
