User File Type Association Roaming on Server 2016 with Citrix User Profile Manager

Here we go again with an ongoing issue that most of my customers have after updating their XenApp environments to Server 2016.

Recently a customer asked me why a user cannot associate .log files with Notepad++ on his XenApp server. Well, actually the user CAN do that, but after a logoff the association is gone. I tried to reproduce that in my lab, and indeed the association IS gone after logoff (using Citrix UPM). This even happened on the SAME server (without PVS, but with the cached profile deleted after logoff). The other issue is that an administrator cannot set the associations per user or group anymore (that was possible in older Windows versions); you can only set them server-wide (which does not help for special users).

If you don't know about this issue, some additional information is needed to understand the problem: Microsoft added a new “security” mechanism to avoid malware file type hijacking. You can read more about that here. Long story short: when a user associates an application with a file type, a hash value is written to his registry, which should make it harder to change it through a 3rd party application (which is not true; stay tuned for more information about that). Microsoft states the following about this hash:

However In Win 8, the registry changes are verified by a hash (unique per user and app) that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry.

For a 3rd party application, the file types including the hash are written to this registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice

First I thought the file type association roaming is not working because of this hash (but Microsoft states it is NOT unique per server). Actually there are some Citrix articles stating that roaming of FTA should work with UPM, and we even opened a case with Citrix. They told us:

Expected behavior with Windows 10/8 and Server 2012 R2/2016. Currently MS and Citrix have no fix but are actively working on this issue.

Wow. That means a basic Windows function is broken on Server 2016? If you have read my other article about a similar issue, then you might not be surprised (I wasn't). BUT wait, Citrix. Why is there this article then: https://support.citrix.com/article/CTX221380?

Profile Management: Occasionally, File Type Association (FTA) Fails to Roam on Windows 10 and Windows Server 2016

Doesn't this mean that it actually IS supported and SHOULD work? You will find a lot of different information about this “issue”, but Citrix documentation is a jungle and you have to gather all the pieces on your own and put them together. Carl Stalhood does an awesome job on this and offers very detailed documentation, much better than the Citrix Knowledge Base.

If you check his documentation about configuring Citrix UPM, he states: Full support for roaming Start Menu and/or File Type Associations requires UPM 5.7 or newer, and VDA 7.13 and newer.

Now I'm really confused. Citrix says it doesn't work and he states it is supported? I followed his guide to enable FTA roaming and it worked somewhat, but it broke my Start Menu. I was NOT able to get FTA and Start Menu working with UPM 7.15 on Server 2016. I had a deeper look at this and found a workaround that is working fine in my LAB.

I noticed that FTA and the hash ARE being roamed by Citrix UPM (and the hash is correct, even on a different server), but the associations do not work, so something seems to be missing. Roaming the UsrClass.dat DOES make it work, but breaks the Start Menu. I can't have both, it seems, or something is completely missing in the documentation (or it's a bug). However, it turned out that you need only

HKCU\SOFTWARE\Classes\Applications

from the UsrClass.dat part of the registry to get the FTA working again (procmon rocks). This is at least true for 3rd party applications, but sadly Citrix UPM does NOT support inclusions or exclusions in the UsrClass.dat; you can only have it all or nothing. Argh. But what if I manually save just this part?

THE WORKAROUND

First make sure that the following is true for your environment:

  • Server 2016 (fully patched; I have up to the October cumulative update installed)
  • XenApp 7.15 with UPM 7.15 (I did NOT test older versions)
  • the following UPM settings:
    • enable default exclusions of directories (I have everything ticked)
    • delete locally cached profiles on logoff
    • enable default exclusion list (registry); do NOT select “Speech_OneCore”
    • I have streaming on (but I don't think it matters)
    • NO inclusions or exclusions defined (UsrClass.dat is excluded in the ini; if you deleted that, you need to add the exclusion in the GPO)

NOW here comes the important part. With just this configuration, UPM will NOT load the HKCU\SOFTWARE\Classes\Applications contents, because that key lives in the UsrClass.dat and that file is excluded by default in the UPM ini.

I actually wanted only these settings and not the full UsrClass.dat, and therefore implemented a registry export on logoff and an import on logon, just with these simple commands:

reg.exe export HKCU\SOFTWARE\Classes\Applications %APPDATA%\Applications.reg /y
reg.exe import %APPDATA%\Applications.reg

This will export the needed registry keys into the user profile, and on the next logon it will restore them. The best way to do that is using the GPO logon and logoff scripts (the same GPO where I have Citrix UPM configured; you might have to enable loopback processing).

Action: Logoff
Script Name: reg.exe
Script Parameters: export HKCU\SOFTWARE\Classes\Applications %APPDATA%\Applications.reg /y

Action: Logon
Script Name: reg.exe
Script Parameters: import %APPDATA%\Applications.reg
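The same export/import as an added PowerShell example (not part of the original post): one script that can be registered as the GPO logoff script with -Mode Export and as the logon script with -Mode Import, plus a -Mode Check that lists every UserChoice and whether the Applications\ ProgId it points at is actually present under HKCU\SOFTWARE\Classes\Applications (the missing piece found with procmon above). The .reg file location in %APPDATA% and the "Applications\<exe>" ProgId convention are assumptions taken from the post.

```powershell
# Added example, not the post's own script. Wraps the reg.exe export/import
# workaround and adds a check for UserChoice entries whose per-user
# Applications\ class is missing (the symptom described in the post).
param([ValidateSet('Export','Import','Check')][string]$Mode = 'Check')

$Key  = 'HKCU\SOFTWARE\Classes\Applications'          # key that must roam
$File = Join-Path $env:APPDATA 'Applications.reg'      # assumed location

function Export-UserFta {
    # Logoff: save the per-user Applications keys into the roaming profile.
    & reg.exe export $Key $File /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed ($LASTEXITCODE)" }
}

function Import-UserFta {
    # Logon: restore them; a first logon has no file yet, which is fine.
    if (-not (Test-Path $File)) { Write-Verbose "no $File yet"; return }
    & reg.exe import $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed ($LASTEXITCODE)" }
}

function Test-UserFta {
    # One row per extension that has a UserChoice. ClassPresent is $false
    # when the ProgId refers to Applications\<exe> but that key does not
    # exist in HKCU, i.e. the UsrClass.dat part did not come back.
    $ext = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
    Get-ChildItem $ext | ForEach-Object {
        $uc = "$ext\$($_.PSChildName)\UserChoice"
        if (-not (Test-Path $uc)) { return }
        $p  = Get-ItemProperty $uc
        $ok = $true
        if ($p.ProgId -like 'Applications\*') {
            $ok = Test-Path ("HKCU:\SOFTWARE\Classes\" + $p.ProgId)
        }
        [pscustomobject]@{
            Ext          = $_.PSChildName
            ProgId       = $p.ProgId
            HasHash      = [bool]$p.Hash   # hash is roamed by UPM already
            ClassPresent = $ok
        }
    }
}

switch ($Mode) {
    'Export' { Export-UserFta }
    'Import' { Import-UserFta }
    'Check'  { Test-UserFta | Format-Table -AutoSize }
}
```

Run it with -Mode Check after logging on to a second server: any row with ClassPresent $false is an association that will silently fall back to the server default.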

I have no other setting in my UPM (nothing for the Start Menu roaming) and now I have user FTA and Start Menu working on different servers! I successfully changed .log files to Notepad++, logged out and logged in on another server, and it worked. You can verify this in your UPM profile folder:

And the reg file contains the missing information to make the FTA work correctly:

Of course your users need the permission to run reg.exe, which might not be desired, but this is a workaround and I will inform Citrix about it.

UPDATE 23.10.2017: if you still encounter Start Menu corruption, you might configure a delay before deleting the cached profiles in UPM.

That was it. I hope you enjoy this post, and if you would like to donate, I would appreciate it very much:

PayPal: https://www.paypal.me/Kolbicz

Thank you!
