Category: Microsoft

The Windows Server 2019 Start Menu is playing nice

The Windows Server 2019 Start Menu is playing nice

A couple of months ago I penned an article about how to rein the start menu in Windows Server 2016 mostly because I couldn’t find much information, on how to handle the start menu in Windows Server 2016.

I am always aiming at providing the best possible user experience in Session Host scenarios and that, among other things, implies cleaning up the start menu, as it, from a user’s point of view, contains a lot of irrelevant tiles, folders and application shortcuts. In the article 3 different scenarios are described, in each scenario you can achieve certain levels of “lockdown” or clean up of the start menu.

Unlike Windows Server 2016, the start menu in Windows Server 2019 is no longer driven by a mini database, actually Microsoft have deprecated the Tile Data Layer (the mini database feature) , but keeping it alive in Windows Server 2016, probably because it’s an LTSC edition of Windows.

This means that with Windows Server 2019 it’s now a whole lot easier to roam the start menu and customize the tile layout. However considering that we are all now switching to disk based profiles with FSLogix, roaming is a thing in the past.

In this article I’ll be focusing on how to clean up the start menu in Windows Server 2019 using scenario 3 as a baseline. The reason for this is that it provides the highest level of flexibility and customization with the start menu, as you see further on in this article. However scenario 1 and 2 are also possible in Windows Sevrer 2019.

Now, let’s get to it!

In scenario 3, I configure this group policy setting:

I also delete these 4 folders using Citrix Workspace Environment Management:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility

Using these steps, the start menu in Windows Server 2019 ends up looking like this:

So, besides the Windows Security app, this is looking pretty good. At the moment, I haven’t found any way to hide or remove the Window Security app, it’s an immersive app aka. a Universal App, so there’s no actual shortcut, like other apps and folders in the start menu.

/StartofUpdate
Update – 16-07-2019:
I was doing some additional testing and came across something that looks like a timing issue. During my testing I started seeing different variants of tiles not getting deleted/removed correctly. The folders where the tile shortcuts are located are deleted, but the tiles themselves are not.

These are some of the different variants of the start menu I have come across:

This is really strange. I tried configuring Group Policy Preferences to delete the folders in the user Programs folder, that didn’t make any difference at all.
This forces me down a path that I was really hoping to avoid, but at the moment I don’t see any other alternatives. A few years ago I was looking into how to build a custom start layout using a so called LayoutModification.xml file.

This XML file can be used to create a custom tile layout with the tiles you specify, I will not elaborate further on how to do this, as I will only use this XML file to clear out any tiles in start menu, and while we’re at it, the taskbar area as well.

Microsoft has a very extensive whitepaper on how to create the LayoutModification.xml file.

Here are the contents of my LayoutModifications.xml file:

<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6" />
    </StartLayoutCollection>
  </DefaultLayoutOverride>
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
        <taskbar:TaskbarPinList>
</taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>

This will clear out any tiles left in the start menu, and also clear out any tiles/pinned apps on the taskbar. If you don’t want to clear out the taskbar, remove the lines 14 through 19.

When you save the LayoutModification file, make sure to save it as UTF-8 encoding, otherwise it might not work.

There are 2 ways of distributing this XML file. It can be done either via a GPO or copied to the Default User folder. There are pros and cons with either method.

Deploying the XML file via a GPO

This can be done using the Start Layout policy which can be found in:
User Configuration/Administrative Templates/Start Menu and Taskbar

Input the path to the LayoutModification.xml path

Pros:
Easy to configure
Easy to manage

Cons:
Disables to ability to pin applications to the start menu
Citrix Workspace Environment Management is no long able to pin applications either

Deploying the XML file via the Default User

This is done by copying the LayoutModification.xml to the Default User profile, the exact path is:
C:\Users\Default\AppData\Local\Microsoft\Windows\Shell

Copying the file can be done via Group Policy Preferences or a startup script. It can also be done during any automated deployment jobs you might have.

Pros:
Does not disable the ability to pin applications to the start menu
Citrix Workspace Environment Management will be able to handle both application shortcuts and tiles in the start menu

Cons:
Only works for new users, which does not yet have a profile
Existing users, with existing profiles, are not affected by the LayoutModification.xml file.

I prefer copying the LayoutModification.xml to the Default User profile, this provides the best user experience and enables me to use Citrix Workspace Environment Management to build and manage the start menu.

/EndofUpdate

Windows Security

If you, like me, are running the Windows Defender on your servers, users will actually be able to go into the management console of Windows Defender, and poke around. They will obviously not be able to change anything because of the lack of administrative privileges, however in my opinion, they really shouldn’t be able to access this management console.

The only way, for now, to implement some kind of restriction, that doesn’t restrict administrative users, only non-admin users, is to use our good, old friend AppLocker. One of may very first bogs posts, was actually covering AppLocker breaking the start menu. Since then it has become a known fact, that if we enable AppLocker, and you really should, then we have to enable the default Packaged app rule, otherwise the start menu in modern Windows versions break.

However to prevent access to the Windows Security app, you have to take a different approach. You have to remove the default rule, which targets Everyone, and then create to new rules which are slightly more restricted.

How to create the AppLocker rule:

If you are not familiar with AppLocker, Microsoft has a basic guide here that shows how to enable AppLocker in Windows 10. It’s the same procedure on Windows Server 2019.

Start by removing the default rule. Then right click the Packaged app Rules and select Create new rule

Click Next
Click the Select button and specify the Domain Users group
Click the Select button and select a random app in the list, it doesn’t really matter which app
Select an app
Move the slider all the way up, so that there is a * in every box. This tells AppLocker allow any signed packaged apps to run
Click Next
Give the rule a name
Make a similar rule, but target Administrators, instead of Domain Users. Make sure to select BUILTIN\Administrators, otherwise you might block any local administrative users,
Right click the rule that targets the Domain Users and select Properties, go to the exceptions pane
Click add and select Windows Security in the list
Note: This can only be done on a server running Windows Server 2019
Move the slider up a notch, so that there is a * in Package version. This is done to make sure the rule still works, even if Microsoft should change the version of the app
The exceptions box, should now look like this.

Make sure that AppLocker is running and processing rules. Then either reboot your server or do a gpupdate /target:computer /force, to make sure AppLocker picks up the new rules.

Once the new Packaged app Rules are processed and working, users will be met by this message:

The Windows Security app is now blocked by AppLocker

This is not the prettiest of solutions, but it gets the job done, and prevents the users from accessing the Windows Security management console. Hopefully Microsoft comes up with another solution, which is a bit easier to configure, until then this is the way to go.

This concludes the article. The start menu in Windows Server 2019 is a bit easier to handle, than the start menu in Windows Server 2016 and if you are still holding on to any legacy profile handling tehcnology, like Windows Roaming Profile or Citrix Profile Management, then you’ll find that roaming the start menu in Windows Server 2019 has also become a bit easier and more stable, compared to Windows Server 2016.

How to rein the Start Menu in Windows Server 2016

How to rein the Start Menu in Windows Server 2016

In this article I am going to show how to control or rein the start menu in Windows Server 2016. There are a lot of articles describing how to handle the start menu in Windows 10, but very few about Windows Server 2016.

Even though the steps are almost identical in Windows Server 2016 compared to Windows 10, there are a few differences. For instance in Windows Server 2016, you don’t have to remove all the “crap” applications, like Candy Crush, trial editions of Office etc. as they are simply not included with this operating system, as it is an LTSC edition of Windows Server.

Some of the best articles out there are written by James Kindon and James Rankin, I have followed these guys for quite a while, and they know what they are doing. Some of their guides can be found here:

James Kindon:
https://jkindon.com/2018/03/20/windows-10-start-menu-declutter-the-default/

James Rankin:
https://james-rankin.com/articles/management-of-start-menu-and-tiles-on-windows-10-and-server-2016-part-1/
https://james-rankin.com/articles/management-of-start-menu-and-tiles-on-windows-10-and-server-2016-part-2/

James Rankins article is great because it focuses on how to persist, or roam, the start menu, if you haven’t read it yet, it’s highly recommendable.

Both James Rankin and James Kindon adresses the Start menu Tiles, and historically these tiles have been the source of all kinds of issues since they were first introduces in Windows Server 2012/2012R2, but the start menu is not just tiles, it’s also part “old school” start menu, like the one we have in Windows 7 and this part of the start menu, can be handled in a few different ways.

In this article I’ll will cover 3 ways on how to handle the start menu. The start menu in Windows Server 2016 is “split” in two areas the”old school” part is the part in the red box below, also know as All Programs or Programs, in the green box we have start menu tiles.

I’ll will not be covering the different ways to handle the start menu tile configuration, as both James Kindon and James Rankin have provided excellent guides for that part. However I will touch on how to manage app tiles leveraging Citrix Workspace Environment Management.

You will need to have some knowledge of Group Policy and Citrix Workspace Environment Managent and a basic understanding of how a Windows profiles works is also recommended.

I’ll be focusing on 3 different scenarios. Each scenario provide certain levels of usability, or lack thereof, in the start menu and start menu tiles sections

Here is a “before” screenshot of how the start menu looks at the first logon with my test account:

This is a pretty default start menu, one I have seen in many Session Host setups. As you can see I have a range of different applications available to me in the Programs area of the start menu, and of course the default pinned application tiles.

14-07-2019. Extensive edits have been made to the different scenarios outlined below. A colleague of mine made me aware of another, and cleaner approach on how to clear the All Users programs. And unfortunately I may have switched some screenshots and text boxes around in scenario 1 and scenario 2.

Scenario 1 – Total lockdown

This configuration, is by far the easiest one to configure and requires next to no work at all and it will provide a clean start menu with no visible applications. The All Programs section of the start menu i disabled and not visible to the user.

Isn’t this the cleanest start menu you have ever seen?

This configuration can be achieved by configuring the “Remove common program group from Start Menu” and “Remove All Programs list from Start Menu” which can be found in:
User Configuration/Administrative Templates/Start Menu and Taskbar

This setting will remove the common shortcuts found in C:\ProgramData\Microsoft\Windows\Start Menu\Programs and prevent them from being visible in the start menu.
Remove and disable setting, does what it says, removes and disables the Programs area of the Start Menu.

If you do not have the Remove and Disable setting available, you may need to get the latest Windows 10 adminstrative templates.

You will also need to delete four folders in the user’s profile:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility

In this case I have configured each folder to be deleted via Citrix Workspace Environment Management like this:

Note that Citrix Workspace Environment Management doesn’t usually take Windows variables, like %APPDATA%, so in this case I have used the so called dynamic token ##UserAppData## which is the equivalent to %APPDATA%. As the folder is deleted, there is no need for the action to run everytime the user logs on, so make sure to click the “Run Once” checkbox.

You will of course have to configure the “Delete Files/Folders” action type.

Repeat this process for the remaining three folders and don’t forget to assign the actions.

One major downside with this scenario is that it may be fairly difficult for the user to pin applications to the start menu, as they are not able to browse any apps via the start menu. However using Citrix Workspace Environment Manager users are able to pin apps to the start menu. This can be achieved via the Citrix Workspace Management Agent, like this:

Right click the the Citrix WEM Agent in the taskbar tray and select “Manage Applications”. In the list of applications, select the app and then click the “Start Menu” and “Start Menu (P) check boxes and click “Update shortcut(s)”.

A possible use case for this scenario could be if your users have gotten used to accessing everything via desktop shortcuts and don’t have the need or demand for using the start menu or start menu tiles.

Scenario 2 – Moderate Lockdown

This configuration is almost identical to Scenario 1, however due to a slightly less restrictive group policy configuration, users are able to access both the Programs and Tiles areas of the start menu.

Here you’ll notice that a nice and clean Programs area of the start menu is available and no tiles are present.

That can be achieved via the group policy setting:
“Remove common program group from Start Menu” which can be found in:
User Configuration/Administrative Templates/Start Menu and Taskbar

This setting will remove the common shortcuts found in C:\ProgramData\Microsoft\Windows\Start Menu\Programs and prevent them from being visible in the start menu.

And as described in scenario 1, we will also have to delete these four folders:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility

This scenario delivers a nice and clean start menu where all tiles have been removed and all apps in Programs have been removed. The user will however have to go and find the apps they need on their own.

Scenario 3 – Moderate Lockdown and app shortcut management

This solution is the most flexible solution as it enables us to have more or less full control with the start menu and its appearance. This scenario is basically the same as scenario 2, however we are going to use Citrix Workspace Environment Management to build a start menu, and group the different applications shortcuts.

Here we have a nice and clean start menu, as shown in scenario 2. The Search and Settings shortcuts are, in my opinion, harmless as Search only opens the search bar in the start menu, and settings can be locked down via Group Policy or registry.

Now we bring in Citrix Workspace Environment Management to populate the start menu with application shortcuts.

Just look at this! Doesn’t it bring tears to your eyes?

Citrix Workspace Environment Management is great at populating the start menu, and provides range of different possibilities of grouping application shortcuts etc.

Application shortcuts in Programs, the same apps pinned to the start menu.

Based on your or your users need, you could populate the Programs area and then leave it to the users, to configure the needed tiles using the Citrix Workspace Environment Management agent, as outlined in scenario 1.

This concludes the article. Reining the start menu in Windows Server 2016 can be a daunting task, but if you have Group Policy and Citrix Workspace Environment Management in your arsenal of tools, you will now be able to combine these to provide a great start menu configuration for your users and provide different levels of lockdown and user customizations.

Internet Explorer Tracking Protection

Internet Explorer Tracking Protection

One of the most overlooked features of Internet Explorer, is the Tracking Protection feature. Tracking Protection is a feature that prevents websites from tracking your browsing behavior. You know if you for instance search for, let’s sat a new Synology NAS box in Google. Suddenly a lot of NAS related adds appear in your Facebook feed and on various other add-driven sites. That’s basically tracking, someone somewhere now knows that you are in the market looking for a new NAS.

However Tracking Protection also prevents all adds, flash content and the likes from being loaded when accessing a website. This means that in most cases the websites will be loading faster and not consume as many system ressources.

In this blog I will cover how to enable Tracking Protection and why I recommend doing this, especially in a multiuser scenario.

Up until a few years ago my preferred browser was Internet Explorer. Actually, besides the good old days with Netscape Navigator, I have always used Internet Explorer when browsing the internet. I am not trying to start yet another browser war here, but the alternatives like Google Chrome, Mozilla Firefox or Opera never really said me much, I had gotten used to working with Internet Explorer and liked, and still likes, the way it works.

However as Windows 10 was released we received a new browser called Edge. Edge is supposed to be the successor of Internet Explorer and at least for my part, that is the case, but according the various sites here and here, it doesn’t look like Edge is getting favoured by many people, it’s still Google Chrome that’s topping the lists as the most preferred browser.

Even though Google Chrome may be the most preferred browser, this is usually not the case in multiuser setup like Citrix XenApp or Microsoft RDS, as we would like to provide a secure and consistent user experience, that includes the browsing experience as well. We can, via group policy, lock almost everything in Internet Explorer down, which gives us total control of what parts of Internet Explorer the user can access and/or configure. Any Internet Explorer security updates, or just regular feature updates, are all maintained either via the Microsoft Update site or via an internal Windows Server Update Service (WSUS) server, which means that during our regular Windows operating system maintenance we get updates for Internet Explorer as awell as any other relevant Microsoft software.

So how does it work?

How to configure Tracking Protection manually:

First we need to enable Tracking Protection in Internet Explorer:

Click – Tools -> Internet Options – Programs

Click – Manage add-ons

Click – Get a Tracking Protection List online…

This should bring you to this site – http://iegallery.com/da/trackingprotectionlists/ (Or a smilar looking URL based on your region)

That site errors out, way to go Microsoft!

This has been an issue for at least 6 months, maybe more, and it doesn’t look like Microsoft is going to fix it anytime soon.

So what we need to do instead, is to go to this URL – https://www.microsoft.com/en-us/iegallery

Scroll down to the Tracking Protection Lists section and select EasyList Standard, EasyList and Stop Google Tracking, by clicking add on each list.

This adds the lists to Internet Explorer and your Tracking Protection configuration, should now look like this

Your browsing experience should now be significantly faster than before the activation of Tracking Protection and also consume less system ressources.

I have created 2 short videos in which I demonstrate how the browsing experience is in Internet Explorer with and without Tracking Protection enabled. The demonstration is done in Citrix XenApp 7.18 on Windows Server 2016 in Internet Explorer 11with the latest Microsoft Updates. I have used http://www.cnn.com for demonstration purposes, however you will probably notice the same behavior with pretty much any other site.

Tracking Protection disabled:

Tracking Protection enabled:

Have a look at the CPU usage in the first video where Tracking Protection is disabled. When the site just sits there doing nothing, the CPU usage is somewhere between 40% and 70%. This is huge if you have multiple users on a Session Host server, imagine 10 users just loading this page and let it sit doing nothing.

In the second video, where Tracking Protection is enabled the CPU usage is loking a lot better some where between 5% and 15% when the site just sits there doing nothing. Also 37 services have been bloked on this particular website. As I scroll up and down, CPU usage spikes does occur because of the change in content on the site, this is normal behaviour and will occur both with and without Tracking Protection.

How to configure Tracking Protection via Group Policy:

So now you may be asking “Now I have the Tracking Protection enabled on my local Internet Explorer browser, how do I enable it for every user in my environment?”. The answer to that question is: “Via Group Policy and Group Policy Preferences, of course :)”

Once Tracking Protection has been enabled a few things happen in the file system and registry.

In the file system:

  • In the user’s profile 3 so called TPL files gets downloaded, these files contains the EasyList, EasyPrivacy and Stop Google Tracking lists.
  • The TPL files can be found here  – %LOCALAPPDATA%\Microsoft\Internet Explorer\Tracking Protection and looks like this:
  • Copy the TPL files to a central location like NETLOGON or a share where users have read access.

In the registry:

  • In the user’s registry 3 registry keys and a few values within these keys are created.
  • The registry key names corresponds with the above TPL GUID like names, and looks like this:
  • The full path the the above keys is – HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Safety\PrivacIE\Lists
  • So, as you see, 3 registry keys are created with names that corresponds with the names of the TPL files.
  • Export the 3 keys to a REG file and in each key, change the “Path” value to %LOCALAPPDATA%\Microsoft\Internet Explorer\Tracking Protection\nameofTPLfilehere.tpl

GPO Configuration:

  • Create a new GPO
  • Under User Configuration configure Group Policy Preferences registry items like shown below:
  • For each of the 3 registry keys modify the Path value, so that it looks like this:
  • %<LOCALAPPDATA>%\Microsoft\Internet Explorer\Tracking Protection\nameofTPLfilehere.tpl
  • This makes sure that the Group Policy engine resolves the %LOCALAPPDATA% correctly, and thereby configures the correct path to the TPL file.
  • You will also have to add this registry value:
  • This enables the Tracking Protection filtering feature.

You may have noticed the Tracking Protection Exceptions group I have in the GPO. The Tracking Protection Exceptions list enables you to configure specific URLs where you don’t want Tracking Protection to be active. This might be internal URLs like an intranet site or some other internal web based application, where Tracking Protection could be messing with the general functionallity of the web site.

To configure a list of exceptions add this to your GPO:

  • Here, as an example, I have the http://intranet.company.local URL you may add as many URLs you want here.

As this GPO configures user settings, it can be applied to both Windows client operating systems and Windows server operating systems. I have tested this specific configuration on Windows 7 and later and on Windows Server 2008 R2 and later, however only with Internet Explorer 11.

This concludes my guide on how to enable and configure Internet Explorer Tracking Protection. Feel free to comment.

User Profiles…the struggle is real!

User Profiles…the struggle is real!

During the last couple of years I have seen that managing user profiles in a Citrix environment can be a major PITA. However before going any further, let’s take a few steps back in time.

In the good old days in the world of Citrix, with Windows Server 2008 R2 and Windows 7, everything was nice and quite in the user profile area. We were happily rolling along with Citrix User Profile Manager, telling ourselves that the old, dusty and rather unstable Windows Roaming Profile was a thing of the past and no one would ever be using that again. We were managing User Profiles like a boss, with fine tuned configurations preventing profile bloating, roaming of Internet Explorer cookies and passwords and perhaps roaming different files and folders outside the APPDATA\Roaming folder.

Fast forward to today, or a couple of years ago, Microsoft released Windows 10 and Windows Server 2016 and with them new Windows Profile versions.

Let’s have a quick look at the different Windows Profile versions dating back to Windows XP and Windows Server 2003:

UPDATE – 04/11-17: I have updated the table below to reflect the current Windows 10 versions.

Client Operating SystemServer Operating SystemOperating System VersionProfile Version/extension
Windows XPWindows Server 2003/2003 R2None
Windows VistaWindows Server 2008 V2
Windows 7Windows Server 2008 R2V2
Windows 8Windows Server 2012V3
Windows 8.1Windows Server 2012 R2V4
Windows 10V1507V5
Windows 10V1511 (November Update)V5
Windows 10Windows Server 2016V1607 (Anniversary Update)V6
Windows 10V1703 (Creators UpdateV6
Windows 10V1709 (Fall Creators Update)V6

 

You may have noticed that Windows 10 is currently offering 2 different Windows Profile versions, V5 and V6, and rumors are that the Windows 10 Fall Creators Update may present a V7 Windows Profile. This is where the struggle begins!

UPDATE – 04/11-17: Windows 10 v1709 (Fall Creators Update) did infact NOT present a V7 Windows Profile version. V1709 is still on V6, like v1703 and v1607.

As per this “Windows as a service” guide Windows 10 will receive 2 feature updates per year, a feature update is like the Anniversary Update or the Creators Update and even though Microsoft is boasting of an “outstanding app compatibility”, this isn’t really of much use to us, if they change the profile version. A profile version change will initially trigger a new profile to be created at login which means that we need to do some kind of profile migration between the old profile and the new profile, unless we really like to receive a lot of support calls about missing application settings or that no default printer is set, because something went wrong during the profile version upgrade.

If we are using Citrix Profile Manager this profile version upgrade is handled automatically, however do wo really want to do that? If we shortly revisit the good old times, we didn’t upgrade the user profiles when we migrated from Windows XP to Windows 7 or from Windows 7 to Windows 8 or Windows 10, did we? I sure didn’t and when is comes to traditional profile management I always recommend to do a profile migration NOT an upgrade!

In the good old times, a profile upgrade was always associated with a operating system upgrade. So when we are offered, at the moment, 2 different windows profile versions i Windows 10, in my mind that is the equivalent of an operating system upgrade, which means that the profile needs to be migrated as the functionality and stability of the profile cannot be guaranteed, if it’s upgraded.

In a Windows 10 VDI scenario this presents us with a couple of things to keep in mind. As per above guide, each feature update is maintained with so called quality updates every 18 months, so at least once every 18 months we need to upgrade our Windows 10 VDIs with a feature update. Let’s just assume, and I am NOT saying that this will be the case, but let’s just assume that Microsoft will upgrade the windows profile version every 18 months, this may not be a desirable scenario, as we need to maintain some kind of profile migration feature/script to be able to migrate the settings from the old profile to the new profile with the new version.

Some Citrix setups offer hundreds of different applications where all kinds of settings are saved in all kinds of places eg. files/folders/registry, this means that a potential migration feature/script needs to cover whether the settings of one or more applications needs to be migrated or not in case of a profile version upgrade. As applications come and go or gets upgraded these different places where applications might save their settings, will have to be maintained in what ever migration feature used, which then again means that we need to have a great deal of knowledge of our applications, not just how to install them, but also how and where their settings are saved.

Let’s take a look at how Citrix User Profile Manager can help us, some of the way, when upgrading Windows 10.

This is how a Citrix UPM share looks like, when a user has logged on from a Windows 10 v1511, Windows 10 v1607 and Windows 10 v1703:

This is achieved with the “Path to user store” in a Citrix UPM GPO configured like this:

The !CTX_OSNAME! and the !CTX_OSBITNESS! are both variables that can be used as a part of the profile share path. When these variables are combined you get a very flexible profile share path where a folder is created that corresponds to the operating system and the bitness of the operating system. This means that you would usually never need more than one profile share, when using Citrix User Profile Manager.

This configuration makes sure that a new profile is created when logging on to an upgraded Windows 10 computer with a new windows profile version.

You can omit the !CTX_OSNAME! and the !CTX_OSBITNESS! and point directly at the #SAMAccountName# variable, however this will create a profile folder for the user in the root of the share, which means that you will no longer have a folder named “Win10RS2x64”. If this is the case you now have a profile share that is “locked” to this specific version of Windows 10, that’s not wrong but it may present some issue at some point, as we essentially don’t want Windows or Citrix UPM to do profile upgrades.

One way or another we are in need of some way to transfer and/or migrate settings between different profile versions. You can of course bring out the big guns and go with RES or AppSense as they are perfectly capable of migrating profile and applications settings between different profile versions with their User Environment Management (UEM) solutions.

Liquidware is, compared to RES and AppSense, a smaller player in this area, however they have in their ProfileUnity product a way to migrate profile and application settings between different Windows versions and that of course includes Windows 10 as well. They also have disk based profiles, which really boosts the login performance.

You can of course also create your own profile and applications migration script, I have seen a few so I know they are out there.

To conclude – With Windows 10 we are, in my opinion, entering a new ara where we are basically doing operating system upgrades once every 12-18 months, this adds a bunch of additional tasks to our already long list of Citrix and Citrix related tasks. I think now would be a great time to implement some kind of UEM feature, to be able to manage and maintain the profile and applications settings in different user profile on different operating systems. Citrix User Profile Manager is, in my opinion, now considered the “old solution” together with the traditionel Windows Roaming Profile.