Citrix User Profile Manager: How Registry Exclusion Lists Can Mess Up Group Policy Processing

Helge Klein's picture

The documentation of Citrix User Profile Manager (UPM, for short) recommends excluding the following registry keys from processing:

HKEY_CURRENT_USER\Software\Policies HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

The net effect of this is that the Citrix profiles managed by UPM do not contain any policy settings. The reasoning behind this being: Policies are reapplied anyway during the nextlogon, so there is no reason to waste CPU cycles on synchronizing such "redundant" information.

Unfortunately, nobody had taken the group policy engine's own optimizations into account.
Policy processing is relatively costly in terms of performance. It is only logical to try and reduce the number of times policies need to be applied. Since policies are relatively static compared to the frequency of user logons, it makes sense to cache the policy settings in the user profile. That is exactly what the group policy engine does.

Actual settings are cached in the two registry keys mentioned above. What is still missing, though, is a way to detect new or changed policies in the domain. The policy engine thus needs to cache metadata on the applied GPOs in addition to the settings stored in those GPOs. Group policy metadata is stored in another area of the user's registry hive:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy

Where is the Problem?

We have two locations containing data that relates to each other. Storing only one part of it and dropping the other breaks the group policy engine's caching mechanism.

If HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy is present but HKEY_CURRENT_USER\Software\Policies is not, the engine thinks all policy information is present in the user profile whereas in reality it is not. As a result, policies effectively are not applied any more.

How to Fix it

Either exclude all three registry paths from processing by UPM or none of them. I recommend the latter, which leaves the group policy engine's caching mechanism intact.

Wrap Up

Do not put any of these paths on UPM's registry exclusion list:

Software\Policies Software\Microsoft\Windows\CurrentVersion\Policies Software\Microsoft\Windows\CurrentVersion\Group Policy

Note: Above paths are in the notation UPM expects (without the string "HKEY_CURRENT_USER").