As you’ve probably noticed from some of my output recently, Citrix User Profile Management (UPM) now supports container-based as well as file-based profile management. You can also mix and match the two types as well, something we will cover at a later date. For now, let’s just put together a quick guide to getting started and setting up a very simple PoC of Citrix UPM Containers.
Installation
Obviously, you need some target devices with the Citrix UPM agent installed. In order to take advantage of the newest container features, I’d recommend the latest version possible of the UPM agent. Now, you can use UPM on non-Citrix devices as long as you have the licensing, so you could simply install the agent, but as most people use it on Citrix endpoints you probably need to align the VDA version with the UPM version. You don’t technically have to do it, but mixing CR UPM versions and LTSR VDA versions often can trigger some “interesting” licensing conversations, so it makes sense to line them up.
On my devices, I have installed the 2305 version of UPM which is the latest full release available currently.
Share configuration
You also need to make sure you have an SMB file share available to hold your containers. You will need to set the following permissions on it:-
Share permissions
- Everyone – Full Control
NTFS permissions
- System – Full Control – This folder, subfolders and files
- Administrators – Full Control – This folder, subfolders and files
- Creator Owner – Full Control – Subfolders and files only
- Users – Special (see below) – This folder only
These permissions sets will allow users to create subfolders and have control of them, whilst not having access to any other user subfolders. Administrators will always be able to browse all user subfolders.
Policy files
You will also need to add the UPM ADMX/ADML files to your GP Central Store (if you are using Group Policy to apply the settings). If you are doing them via Citrix Studio Policies then you need not worry about this.
Policy configuration
The base set of policies you would need to get UPM Containers up and running in your environment are detailed below:-
(All are in Computer Config | Admin Templates | Citrix Components | Profile Management if using GP, if using Citrix Studio you can simply search for the policy name in the GUI)
Enable profile management – Enabled
This simply means that the UPM service will attempt to manage profiles
Processed groups – Enabled – select AD group
I find it useful to specify a particular group for processing as this avoids creating profiles for things such as service accounts and the like
Process logons of local administrators – Disabled
In most cases local admins are not required to be managed by UPM as they are generally support accounts, but if your users have admin access (which they shouldn’t – they should have secondary accounts if they need admin access!) then you might want to leave this out
Path to user store – Enabled – enter path to file share
This tells UPM where to store the profile containers. Enter the UNC path for your SMB file share followed by #SAMAccountName# which will create a subfolder in the share path for each user
Profile Container – Enabled – *
Set this setting to Enabled and put a “*” for the optional folder contents as below. This will mean the entire profile is captured from the root
Finally, you can optionally use this last setting if you want faster logons. Bear in mind you must also set the GPO for “Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services” if setting this policy on an RDSH-based (Windows Server) VDA
Enable asynchronous processing for user Group Policy on logon – Enabled
There is a downloadable file containing the GPO settings available here if you wish to use it.
Summary
This is all you need to configure to get UPM Containers up and running – it’s that simple.
- The installation of UPM agent and/or VDA onto your target devices
- An SMB file share with the correct permissions
- Citrix policies configured as above via GPO or Citrix Studio
Once these are set, users logging in will get a profile container created in their folder and henceforth used to save all of their settings, just like FSLogix does. The only real difference to note between FSLogix and UPM is that UPM by default uses a diff disk and then merges it back into the base VHDX at logoff. This allows easier multi-session capability – however it means that in-session there may be a slight uptick in storage utilization when running at scale.
There are obviously lots of other settings within UPM you can use to configure and tune your deployment – replication being the most obvious one – and these are covered in earlier articles.
The UPM log is written to the standard area of c:\windows\system32\logfiles\UserProfileManager, so if you encounter issues, this is where to begin troubleshooting.
Stay tuned for some videos around this process, and also migration steps from FSLogix to UPM container – coming within the next week or so.
Great article James, we are in the process of doing this and have a POC test environment currently and have started using WEM to manage the Environment better. One thing I am still trying and not seen much success is if you were already using UPM and file based profiles and then enabling containers, is it possible to migrate the existing UPM profiles into the container ? Tried setting it up but it seems any user that logged on has to setup apps from scratch.
Yes it should be possible with the migration script referenced in my latest article.
I don’t see OUtlook working as “cache” with the Citrix UPM similar to Fxlogicx. any idea?
You don’t see it working? How so? if it is using a container then the data goes in the container.