If you have tried to use Windows 10 in XenDesktop with Citrix Profile Management you have probably run into two major issues.
The Issues
The first issue is the start menu… which is now a database located at %localappdata%\TileDataLayer\Database. At logoff when profile manager tries to copy it off it can’t due to services locking the files. This results in the user logging on and their start menu not working.
The second issue revolves around SMB2/3. SMB1 would close files as soon as it was done with them, but SMB2/3 leave them open for a little longer in case they are requested again. This means that when a user logs off and their Pooled Random desktop shuts down, file locks can remain in the profile store if the shutdown process happens too fast (which it does 99% of the time). Basically, if a user were to log off and then try to log back on within a short period of time, their logon would be greatly delayed due to the “ghost” file locks.
The Workarounds
Start Menu – This one is a bit tricky. When a user logs off we need to stop the Tile Data model server and State Repository Service (in that order) so that profile manager can copy the start menu database off to the user store. Here is the rub… a normal user cannot stop these services, so you can’t use a logoff script! Here is what you do… logon as a local administrator and…
- Create a powershell script on the root of C:\ – name it logoff.ps1
- Open powershell_ise.exe as administrator and write these 2 lines in the white space at the top (if no white space hit the new button to create a new script).
    stop-service tiledatamodelsvc -force
    stop-service staterepository -force
- Save it as C:\logoff.ps1 (or put it where ever you want – just remember where it is)
- Right click the start menu – hit run – type in taskschd.msc and hit ok
- Right click the Task Scheduler Library node and select Create Basic Task…
- Name it whatever you want – I named mine logoff – hit next
- Select “When a specific event is logged” on the next screen and hit next
- Under Log: start typing “Sec” the Security log should show up
- Under Source type in “Microsoft Windows security auditing” (no quotes)
- Event ID will be 4647 – hit next
- leave Start a program selected – hit next
- in the program/script blank C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- in the add arguments blank “-executionpolicy unrestricted -file c:\logoff.ps1” (no quotes) – if you put the script somewhere else make sure you have the path correct.
- click next, and on the next screen check the box “Open the Properties dialog…” and hit Finish
- Click Change User or Group, type in “system” (no quotes) and hit ok
- Check “Run with highest privileges”, and hit ok
Now when a user initiates a logoff the system will stop the Tile Data model server and State Repository Service. This will allow profile manager to copy off the start menu database.
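The task-creation steps above can also be scripted. The following is an added example, not the author's own script: it reuses the script path, task name, event ID and PowerShell arguments from the steps above, assumes an English-language image (the "Logoff" audit subcategory name is localized), and the list of trusted SIDs is this example's choice. Because the task runs the script as SYSTEM, it first checks that no other principal holds write-type rights on the file, and it turns on success auditing for Logoff, without which event 4647 is never logged and the task never fires.

```powershell
# Added example: run from an elevated PowerShell prompt on the master image.
$ScriptPath = 'C:\logoff.ps1'   # script location used in the article
$TaskName   = 'logoff'          # task name used in the article

# 1. The task runs this file as SYSTEM, so whoever can modify it can run code as
#    SYSTEM. Look for Allow ACEs that give write-type rights to anyone other than
#    SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544).
$trusted   = 'S-1-5-18', 'S-1-5-32-544'
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$sidType   = [System.Security.Principal.SecurityIdentifier]
$risky = (Get-Acl -LiteralPath $ScriptPath).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $trusted -and
        (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0)
    }
if ($risky) {
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize | Out-Host
    throw "$ScriptPath can be modified by non-administrative principals; tighten its ACL first."
}

# 2. Event 4647 is only written when success auditing for the Logoff subcategory
#    is enabled; if it is off, the trigger below never fires.
auditpol.exe /set /subcategory:"Logoff" /success:enable
if ($LASTEXITCODE -ne 0) { throw "auditpol.exe failed with exit code $LASTEXITCODE" }

# 3. Create the event-triggered task: Security log, event ID 4647, run as SYSTEM
#    with highest privileges, same program and arguments as the manual steps.
$query  = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4647]]"
$action = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy unrestricted -file $ScriptPath"
schtasks.exe /Create /F /TN $TaskName /RU SYSTEM /RL HIGHEST /SC ONEVENT /EC Security /MO $query /TR $action
if ($LASTEXITCODE -ne 0) { throw "schtasks.exe failed with exit code $LASTEXITCODE" }

# 4. Show the resulting task so the trigger and run-as account can be reviewed.
schtasks.exe /Query /TN $TaskName /V /FO LIST
```

If the script is stored somewhere other than C:\logoff.ps1, change `$ScriptPath` and re-run the ACL check against the new location before registering the task.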
Ghost File locks
This one is pretty easy – we just delay the shutdown with a shutdown script. This allows the file locks to be released at shutdown. Here is what you do… (you should still be logged on as a local administrator)
- Run powershell_ise.exe as administrator and type these 2 lines in the white space at the top… again if no white space hit the new button.
    stop-service brokeragent -force
    start-sleep -s 30
- Save it as C:\shutdown.ps1 (or where ever you want)
- Right click the start menu – hit run – type in gpedit.msc
- Under “Computer Configuration\Windows Settings\Scripts” double click on Shutdown
- Click the PowerShell Scripts tab
- Click Add – browse to the script you just created – hit ok
- Hit Ok again on the shutdown properties box, and close the local group policy editor
At shutdown this script will kill the brokeragent service (just in case delaying the shutdown would allow the desktop to appear “available” again), and delay the shutdown by 30 seconds. This allows all file locks in the profile manager store to be released.
Bonus – UPM policy settings for Windows 10 (These are mine, so you may need to tweak for your environment – of course redirect all you can)
Exclusion list (registry)
Software\Microsoft\Office\15.0\Excel\Resiliency
Software\Microsoft\Office\15.0\PowerPoint\Resiliency
Software\Microsoft\Office\15.0\Word\Resiliency
Software\Microsoft\Office\15.0\OneNote\Resiliency
Software\Microsoft\Office\15.0\Outlook\Resiliency
Software\Microsoft\Internet Explorer\Recovery
Exclusion list – directories
$Recycle.Bin
AppData\Local\Microsoft\Windows\Burn
AppData\Local\Microsoft\Windows Live
AppData\Local\Microsoft\Windows Live Contacts
AppData\Local\Microsoft\Terminal Server Client
AppData\Local\Microsoft\Messenger
AppData\Local\Microsoft\OneNote
AppData\Local\Windows Live
AppData\Local\Sun
AppData\Local\Google\Chrome\User Data\Default\Cache
AppData\Local\Microsoft\Windows\Temporary Internet Files
AppData\Local\Temp
AppData\LocalLow
AppData\Roaming\Sun\Java\Deployment\cache
AppData\Roaming\Sun\Java\Deployment\log
AppData\Roaming\Sun\Java\Deployment\tmp
AppData\Roaming\Citrix\PNAgent\AppCache
AppData\Roaming\Citrix\PNAgent\Icon Cache
AppData\Roaming\Citrix\PNAgent\ResourceCache
AppData\Roaming\ICAClient\Cache
AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
AppData\Roaming\Macromedia\Flash Player\#SharedObjects
AppData\Roaming\Microsoft\Excel
AppData\Local\Microsoft\Internet Explorer\Recovery
AppData\Roaming\Microsoft\Word
AppData\Roaming\Microsoft\Powerpoint
AppData\Local\Microsoft\Windows Mail
AppData\Local\Microsoft\Office\15.0\OfficeFileCache
AppData\Roaming\Dropbox
AppData\Local\Dropbox
Dropbox
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
Sharefile
AppData\Roaming\Microsoft\Templates\LiveContent
AppData\Local\Downloaded Installations
AppData\Local\Cisco\Unified Communications\Jabber\CSF\Voicemail
AppData\Local\Cisco\Unified Communications\Jabber\Voicemail
AppData\Local\Microsoft\Windows\Themes
AppData\Local\Microsoft\Windows\WER
AppData\Local\Microsoft\Windows\WebCache.old
AppData\Local\ATT Connect
AppData\Roaming\Sharefile\Outlook
AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat
AppData\Local\Skype
AppData\Local\Assembly\dl3
AppData\Local\Cisco\Unified Communications\Jabber\Crash Dump
AppData\Local\Cisco\Unified Communications\Jabber\CSF\Logs
AppData\Roaming\Microsoft\Internet Explorer\UserData
AppData\Roaming\Spotify
AppData\Local\Spotify
AppData\Local\Microsoft\Windows\PriCache
AppData\Local\Packages
AppData\Local\Microsoft\Windows\Application Shortcuts
OneDrive
AppData\Local\Microsoft\CLR-v4.0_32
AppData\Local\Microsoft\GameDVR
AppData\Local\Microsoft\Group Policy
AppData\Local\Microsoft\Media Player
AppData\Local\Microsoft\OneDrive
AppData\Local\Microsoft\PlayReady
AppData\Local\Microsoft\Windows\1033
AppData\Local\Microsoft\Windows\Caches
AppData\Local\Microsoft\Windows\Explorer
AppData\Local\Microsoft\Windows\GameExplorer
AppData\Local\Microsoft\Windows\Notifications
AppData\Local\Microsoft\Windows\Ringtones
AppData\Local\Microsoft\Windows\RoamingTiles
AppData\Local\Comms
Exclusion list – files
AppData\Local\Microsoft\Windows\UsrClass.dat*
*thumb*.db
*icon*.db
Files to synchronize
AppData\Local\Microsoft\Office\*.qat
AppData\Local\Microsoft\Office\*.officeUI
AppData\LocalLow\Google\GoogleEarth\*.kml
AppData\Roaming\Microsoft\Excel\Excel*.xlb
AppData\LocalLow\Sun\Java\Deployment\deployment.properties
AppData\Roaming\ShareFile\Outlook\config.cfg
AppData\Roaming\ShareFile\Outlook\log.txt
Directories to synchronize
AppData\Roaming\Microsoft\Credentials
AppData\Roaming\Microsoft\Crypto
AppData\Roaming\Microsoft\Protect
AppData\Roaming\Microsoft\SystemCertificates
AppData\Local\Microsoft\Credentials
AppData\Roaming\Microsoft\Excel\XLSTART
AppData\Roaming\Microsoft\Word\STARTUP
AppData\LocalLow\Sun\Java\Deployment\ext
AppData\LocalLow\Sun\Java\Deployment\security
Folders to mirror
AppData\Local\Microsoft\Windows\INetCookies
AppData\Local\Microsoft\Windows\WebCache
AppData\Roaming\Microsoft\Windows\Cookies
Process Internet Cookie files on logoff – Enabled
Process logons of local administrators – Enabled
Profile streaming – Enabled
Path to user store – \\server\share\%username%.%userdomain%\!CTX_PROFILEVER!!CTX_OSBITNESS!
Enable Profile management – Enabled
One more bonus!!
Based mostly on this Citrix blog – Windows 10 Optimization for XenDesktop – I wrote a powershell script to automatically optimize your Windows 10 gold PVS image… available HERE.
[…] see David Ott’s list of UPM exclusions for Windows 10. This blog post also details how to roam the Windows 10 Start Menu and prevent file share locks. […]
Hi David
As far as I am aware since the April 2016 updates for Windows 10 the Start Menu database should no longer “lock” at logoff time. However there are still issues around the Start Menu tiles – namely that they don’t all appear.
I’ve been playing with using Import-StartLayout at logon time to essentially “spoof” a new menu creation. However I will give this a try on my XenDesktops and see how it goes.
Cheers,
JR
Hi David
This doesn’t seem to work in my lab. The database copies OK – but at next logon I get a blank Start Tiles area, and the entire Start Menu has most of its applications missing. Are you on Windows 10 version 10586.420?
Cheers,
JR
My OS version is 10.0.10240, so that may have something to do with it. I’ll see if updating changes anything (last update was early June, so definitely have the April updates). Have you verified the .edb file is saved in the profile after logoff (AppData\Local\TileDataLayer\Database\vedatamodel.edb) as well as the .chk/.log/.jrs files? You still need the regular start menu path to be saved or redirected as it is still used (AppData\Roaming\Microsoft\Windows\Start Menu)… it is read and populates the start menu database. If you are excluding that… I bet that is your problem.
Hi David
Thanks for providing all these details.
I am getting the database files, but that’s news to me about the “regular” Start Menu…very interesting. Thinking about it now I should have guessed that – I was well aware it contributes to the database 🙂
10240 is the RTM version as far as I remember – do you have the 1511 update installed?
I’m actively working on this now – I will see if I can get it working any better. My email is james@htguk.com if you want to contact me directly (I still can’t get on that CTA Slack channel!)
Here is a video of how it works. Things of note:
You will see a liquidware folder in the profile store – that is from a previous test and is not being used.
27ish seconds in the first session is launched where it is booting from the vdisk which does not have the workarounds implemented.
38ish seconds in you will see the initial profile being created in the profile store
During the session I customize the start menu a bit, show the redirected start menu location, the database file(s), file locks on the storage server
2:27ish is the first logoff
3:09 you will see file locks after the desktop has been shutdown
3:33 second launch occurs, note the time is 1:46pm
4:12 second logon still going… I show not all the files made it to the TileDataLayer\Database location in the profile store
4:38 logon is complete – I paused the recording and restarted it after logon finally completed… finished at 1:50pm (4 min logon)
You’ll notice task bar items are not present, and clicking on the start menu does nothing.
5:28 you see the database file doesn’t get re-created
5:42 second signout
after which I force close connections to the profile store used by my test user
I then place the desktops I’m testing with in maintenance mode and shut them down (ddc restarted one and it was missed by my script – shutdown manually)
7:39 I switch the vdisk version to the version with the workarounds and take the desktops out of maintenance mode (allowing the ddc to start them)
9:04 I rename the test user profile in the profile store – user will get a new profile at the next logon
9:14 logon to the “fixed” desktop image
9:52 customize the start menu/task bar
10:29 logoff
then I check for file locks on the profile store a couple of times, and they go away
11:03 I drill down into the profile store to show the TileDataLayer\Database folder – you’ll see all the files are there
11:15 Log back on to check the start menu
12:16 I logon to the console of one of the Windows 10 machines to show the scheduled task/logoff scripts
Hi David
I think I understand the difference in what we are seeing now. You are using the LTSB version of Windows 10, are you not (I think I can tell because your right-click Start Menu is white – the latest version is black)? That would explain why your version is still 10240 as well.
I am doing all my testing on CBB, not LTSB, which is why my version is 10586. For what it’s worth, I spun up an LTSB instance and it works perfectly with the technique you describe above. Unfortunately, it doesn’t seem to work on CBB in my lab…
I don’t see a listing for CBB in our Microsoft licensing portal… only normal and LTSB (honestly I never even noticed that before). I am fairly certain the one I downloaded was the one simply labeled “Windows 10 Enterprise” not LTSB.
If you’re still on 10240 fully patched it must be LTSB. The Current Branch version of Enterprise was 10586 from November 2015 onwards.
Easy way to tell – do you have Edge in your image? LTSB doesn’t have Edge…
Yes Edge is there.
I see… the one I have is option 1… not CBB or LTSB…
There are two downloads available for this Edition:
1. Windows 10 Enterprise (Released Jul ’15)
2. Windows 10 Enterprise, Version 1511 (Updated Apr ’16)
Windows 10 Enterprise, Version 1511 (Updated Apr ’16) is the Current Branch for Business version of Windows 10 Enterprise, Version 1511. It includes all updates released for Windows 10 since Version 1511 (Released Nov ’15) including security and non-security updates.
That’s amazing then, I can’t understand how you are still on build 10240 and are not on LTSB….all my machines picked up the 10586 update back in December 2015.
Probably explains the difference in behaviour though. I’m going to see if I can get UPM working on 10586 and the 14532 builds. Cheers!
Ah, so you’re using the RTM version. I wonder why it hasn’t picked up the update? Maybe if you’re using SCCM you have to manually allow it maybe…
Have you tried using version number 2 – that’s the Current Branch or Current Branch for Business version.
I’ll give it a shot after the holidays 🙂
Hi David
What I’ve also noticed is that when setting up the Scheduled Task there are two “sources” in the drop-down box under Security, one called “Microsoft Windows security auditing” and one called “Microsoft Windows security auditing.” (note the period at the end). When you use the second one, the Scheduled Task source actually populates as “Microsoft-Windows-Security-Auditing” which seems to be the way it should look when I actually get the Scheduled Task to run successfully.
I will continue trying to fathom this out on 10586 for the moment – enjoy your holiday weekend 🙂
James, it’s working for me in 10586.494
I did have to enable the logoff/logon auditing as it was disabled by default so wasn’t actually running the task
Cheers
Alex
Hi Alex
I will see if I can give this a try in a bit, however with the new version of Windows 10 landing tomorrow I guess I’m going to be a bit busy testing everything else that I need to keep working 🙁
Reading posts like this makes surfing such a pleasure
I haven’t successfully got this working. I am running with 10586.494 – version 1511
Using your solution I can successfully copy the start tile files using UPM and the script,
however when I log into a ‘new’ desktop (non-persistent pool) the ‘changed’ settings I did in the start tiles have not come across, these are some other things:
** Start Tiles/Menu is never blank or broken
** Start Tile changes do not save.
Does this solution resolve the ‘start tiles’ so they can be changed and roam between other desktops?
Watch the video I posted in the comments. Make sure you see the same files getting saved (vedatamodel.edb is the main one).
We are running into an issue on Windows 10 when we enable the App-V 5 service. We are on PVS 7.9 with UPM and when we enable the service user profiles reset with each logon. Has anyone else run into profile corruption like this? If we turn the service off no more profile issues. Note: we are using full Infrastructure for App-V not the integrated option within Studio.
Yes we have the same issue, Windows 10 LTSB 2016. Profile doesn’t reset, however most settings don’t save after the first login. Disabling the App-V service corrects the issue, however we need this.
We are having the same issue with Windows Server 2016 as Remote Desktop Session Host. From my point of view, the workaround with stopping the services:
stop-service tiledatamodelsvc -force
stop-service staterepository -force
is not an option for a terminal server environment, because if I stop the services, the other users can’t use their start menu.
Any ideas?!
According to what I read the other day it looks like UPM 5.7 can handle the start menu. Link
Hi and thanks for this, it was helpful.
Does anyone have any idea how to setup chrome and firefox in UPM to reduce the bloat?
I’m looking for exclusions, synchronizations and what to mirror if any.
Thanks in advance.
I currently use WEM to create junction points for Chrome/Firefox cache. Click here for details
Can I use it for Linux platform?
[…] with Windows 10, UPM really struggled, necessitating some hacks to unhook the Tile Data Model Server service so the Start Menu database could be copied. However, […]
Hi David,
Using all your settings to configure UPM using GPO works fine. When UPM is configured using WEM, each time I check and added Files and Folders to Sync and Folders to Mirror, UPM profiles are not saved.
Outlook and Windows act like a user is logging on for the first time each time. When I remove those settings it works fine – *weird*
Without Files and Folders to Sync and Folders to Mirror, Everything works fine. Start Menu icons, Pinned taskbar ETC.
Any ideas why would be appreciated
NB: I am Using Citrix App Layering Technology for this Env. So User Layers is active.
Thanks