Anybody who has worked with, or supported, a Citrix environment for any length of time will know the importance of good user profile management. Unfortunately, we see many helpdesk resources whose first action, when trying to resolve a Citrix issue, is simply to reset the user profile (i.e. delete the user profile). This is frustrating, since a user very rarely needs a complete reset of their profile. Resetting the profile deletes all of the user’s settings, customisations, mailbox setup, etc. and does not lead to a good user experience. Almost all profile-related problems could be resolved by fixing the issue within the profile itself. Unfortunately, helpdesks often lack the required troubleshooting skills, are focused purely on getting things working again rather than finding root cause, or are simply under too much time pressure from SLAs to properly investigate issues within the profile. As such, they commonly just perform a profile reset and ask the user to try again. This places an onus on architects of Citrix systems to consider the impact on users when their profiles are reset and to do as much as possible to reduce this. I call this the Citrix helpdesk problem.
Citrix App Layering has supported full User Layers for a while now. This is a great option for giving users a persistent VDI desktop in a non-persistent environment. User Layers capture all of the changes made to the VDI and persist them within a VHD container. This means that a user’s profile, files, folders and locally installed applications will be stored in the User Layer.
Given the Citrix helpdesk problem, you can probably see a potential issue with User Layers: helpdesk resources deleting User Layers when resetting user profiles. This has a potentially large impact on users, as their installed applications, files and folders could be lost.
So how can we reduce this impact?
Firstly, you should use folder redirection for any Windows library folders where documents or user favourites are stored. Desktop, My Documents, Downloads, Favourites, Links, Music, Pictures and Videos can all be directed to a network location. This could be done with Windows GPO or through Citrix Workspace Environment Management (WEM). There is an argument to say that using folder redirection can impact performance due to the additional network access. Whilst this is true to a degree, the benefits of redirection for the user are clear: they won’t lose their data following a call to the helpdesk. So, my advice is to redirect key folders which contain user content – but never redirect %appdata% since this can cause issues within applications.
Secondly, use a dedicated profile management solution alongside User Layers to store the profile outside of the User Layer container. By doing this the impact of the Citrix helpdesk problem is reduced, since the profile reset can occur without deleting the whole User Layer. There are two main options for doing this: Citrix User Profile Management (UPM) and the FSLogix profile container. Both of these profile management technologies can be configured to sit above the User Layer and capture the user profile changes before the data reaches it. Citrix UPM should in fact work straight out of the box. Just configure the settings in Citrix Studio, GPO or WEM and all should be well. FSLogix, however, needs a minor change to ensure that profile-related data is stored in the FSLogix container instead of the User Layer.
To utilise FSLogix containers with User Layers (and also elastic layers), after installing the FSLogix apps, you need to change the altitude of the FSLogix mini filter driver. This can be easily done with a registry change:
- Edit HKLM\System\CurrentControlSet\Services\frxdrvvt\Instances\frxdrvvt\Altitude
- Set the value to 138010
Then configure FSLogix to your requirements using GPO. You can use both FSLogix Profile and Office containers. If you are using Office applications, you should also use the Office containers feature of FSLogix. This further helps to reduce the Citrix helpdesk problem by storing Office data outside of the profile. Outlook OST, Outlook search index and the Office license will all be retained if the user profile container is deleted. FSLogix Office containers do have a number of other benefits, but that’s another story.
There is one further thing to bear in mind if you want to use FSLogix containers with User Layers. Since the profile stored within the FSLogix container is effectively a local profile (not a roaming one), Windows stores the current local profiles within an HKLM registry key. This HKLM registry key would be captured and stored within the User Layer. If a helpdesk user does delete the FSLogix profile container on its own, then the HKLM key will still exist within the User Layer. When the user next logs in, the reference in the registry for the profile will still exist but the profile will not be present. This will result in a login error stating “The User Profile Service service failed the sign-in. User profile cannot be loaded.”
The solution to this is easy enough: just delete the HKLM profile reference within the User Layer registry hive. The details below outline the full process required when deleting an FSLogix profile container with User Layers enabled:
- Delete the FSLogix container from the network storage location.
- Mount the user layer VHD with Windows Explorer.
- Open RegEdit, select HKEY_USERS and then choose File->Load Hive. Load the HKLM hive from <Mount drive letter>:\Program Files\Unidesk\Etc\PUEPTemplate.hive, where <Mount drive letter> is the drive letter assigned to the mounted user layer. Name the loaded hive PUEPHive.
- Delete the registry keys:
  - HKU:\PUEPHive\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGUID
  - HKU:\PUEPHive\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
- Delete the folders <Mount drive letter>:\users\%username% and <Mount drive letter>:\users\%username%_local.
- Unload the registry hive (select the PUEPHive hive within HKEY_USERS and then choose File->Unload Hive).
- Unmount the user layer.
Fortunately, this process can be scripted in PowerShell. As such, helpdesk resources can simply run a script to perform profile resets cleanly with minimal impact for users. We are happy to provide this script to anybody who would like a copy – please post a message on this blog or email email@example.com and we’ll send it to you with our compliments.
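The steps listed above, written out as a PowerShell script. This is an example added here, not the author's script offered above; the parameter names ($UserName, $FslogixContainerPath, $UserLayerVhdPath) are assumptions, and it assumes an elevated session with the user logged off so the user layer VHD is not in use.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's script. Parameter names are hypothetical.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    # Plain account names only, so the folder paths built below can never
    # resolve to <drive>:\users itself or climb out of it.
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9][A-Za-z0-9._-]*$')][string]$UserName,
    [Parameter(Mandatory)][string]$FslogixContainerPath,  # the user's container on the share
    [Parameter(Mandatory)][string]$UserLayerVhdPath       # user layer VHD; user must be logged off
)
$ErrorActionPreference = 'Stop'
if (-not $PSCmdlet.ShouldProcess($UserName, 'Delete FSLogix container and clean user layer')) { return }

# Step 1: delete the FSLogix container from the network storage location.
Remove-Item -LiteralPath $FslogixContainerPath -Recurse -Force

# Step 2: mount the user layer VHD and find the drive letter it was given.
Mount-DiskImage -ImagePath $UserLayerVhdPath | Out-Null
$hiveLoaded = $false
try {
    $drive = (Get-DiskImage -ImagePath $UserLayerVhdPath | Get-Disk | Get-Partition |
        Where-Object DriveLetter | Select-Object -First 1).DriveLetter
    if (-not $drive) { throw 'The mounted user layer was not assigned a drive letter.' }

    # Step 3: load the layer's HKLM hive under HKEY_USERS as PUEPHive.
    & reg.exe load 'HKU\PUEPHive' "${drive}:\Program Files\Unidesk\Etc\PUEPTemplate.hive" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed; is the layer still in use?' }
    $hiveLoaded = $true

    # Step 4: delete the stale profile references. The key handle is disposed
    # explicitly, because an open handle would make the unload in step 6 fail.
    $cv = [Microsoft.Win32.Registry]::Users.OpenSubKey(
        'PUEPHive\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion', $true)
    if ($cv) {
        try { 'ProfileGUID', 'ProfileList' | ForEach-Object { $cv.DeleteSubKeyTree($_, $false) } }
        finally { $cv.Dispose() }
    }

    # Step 5: delete the profile folders left inside the layer.
    foreach ($dir in "${drive}:\users\$UserName", "${drive}:\users\${UserName}_local") {
        if (Test-Path -LiteralPath $dir) { Remove-Item -LiteralPath $dir -Recurse -Force }
    }
}
finally {
    # Steps 6 and 7: always unload the hive and unmount the layer.
    if ($hiveLoaded) { & reg.exe unload 'HKU\PUEPHive' | Out-Null }
    Dismount-DiskImage -ImagePath $UserLayerVhdPath | Out-Null
}
```

Because the script is declared with `ConfirmImpact = 'High'`, it prompts before deleting anything, and `-WhatIf` exits without making changes.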
In summary, the Citrix helpdesk problem will always exist. Whilst this is frustrating to see, you can take steps to minimise the impact on users with User Layers through folder redirection and a separate profile management solution. The choice of profile management solution will depend on your own situation and requirements. It goes without saying that you should always test to ensure that a solution works for you in your environment.