Citrix User Profile Manager: How Registry Exclusion Lists Can Mess Up Group Policy Processing

User Profiles
Published Feb 25, 2009

The documentation of Citrix User Profile Manager (UPM, for short) recommends excluding the following registry keys from processing:

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

The net effect of this is that the Citrix profiles managed by UPM do not contain any policy settings. The reasoning behind this being: Policies are reapplied anyway during the next logon, so there is no reason to waste CPU cycles on synchronizing such “redundant” information.

Unfortunately, nobody had taken the group policy engine’s own optimizations into account. Policy processing is relatively costly in terms of performance. It is only logical to try and reduce the number of times policies need to be applied. Since policies are relatively static compared to the frequency of user logons, it makes sense to cache the policy settings in the user profile. That is exactly what the group policy engine does.

Actual settings are cached in the two registry keys mentioned above. What is still missing, though, is a way to detect new or changed policies in the domain. The policy engine thus needs to cache metadata on the applied GPOs in addition to the settings stored in those GPOs. Group policy metadata is stored in another area of the user’s registry hive:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy

Where is the Problem?

We have two locations containing data that relates to each other. Storing only one part of it and dropping the other breaks the group policy engine’s caching mechanism.

If HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy is present but HKEY_CURRENT_USER\Software\Policies is not, the engine thinks all policy information is present in the user profile whereas in reality it is not. As a result, policies effectively are not applied any more.

How to Fix it

Either exclude all three registry paths from processing by UPM or none of them. I recommend the latter, which leaves the group policy engine’s caching mechanism intact.

Wrap Up

Do not put any of these paths on UPM’s registry exclusion list:

Software\Policies
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Group Policy

Note: Above paths are in the notation UPM expects (without the string “HKEY_CURRENT_USER”).

Citrix Group Policy User Profile Manager

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Latest Posts

Changing the Location of PowerShell Profile Scripts

A PowerShell profile is an init script that is executed when the shell starts. PowerShell searches for profile scripts in hard-coded locations. This article explains how to move profile scripts to any directory of your choice.

Applications

Mar 14, 2026

Changing the Location of the Windows Terminal Settings Files

Windows Terminal stores its settings in configuration files that resides in the Windows user profile. This article explains how to move them to any directory of your choice. Where are the Settings Files Located? The location of the Windows Terminal settings file is hard-coded. The exact path depends on the app variant you installed, but it’s always in the user profile:

Applications

Mar 8, 2026

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Hardware

Feb 7, 2026

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Hardware

Jan 31, 2026

Citrix User Profile Manager: How Registry Exclusion Lists Can Mess Up Group Policy Processing

Comments

Related Posts

New KB Articles on User Profiles (April to May 2009)

Fixing Office 2007's Quick Access Toolbars With Citrix User Profile Manager

Differences Between Citrix Profile Management and Immidio Flex Profiles

How to Configure a File Server for Hosting User Profiles

Latest Posts

Changing the Location of PowerShell Profile Scripts

Changing the Location of the Windows Terminal Settings Files

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding