Yes we did see this behaviour but to be honest that was way way back.

What happened is that the policies registry hyve was not being excluded from appstacks and writables but I'm speaking of the first version so my guess is that won't be the issue for you.

What is the message you are getting? Is your packaging machine within the domain? and does it have a GPO assigned to it? If so, do you block cmd from within a GPO that could block these features? And do all appstacks have the same behaviour? Or is it a specific appstack that is causing this?

I apologize for bringing that post up from dead but we are recently seeing the same problem. Right after login I can run gpupdate and gpresult with no problems and then couple of minutes later I get Access Denied on gpresult and gpupdate fails. In our case I also see that removing appstacks resolves that problem. We are also using writable volume profile only but that doesn't seem to have effect, only appstacks.

I have looked at the appstacks that I have attached and I see that they have been created 2.15.0.23U  

I'm not too sure if that would be the problem since we are on AppVOlumes 2.16 and I didn't get a chance to test other appstacks created with 2.16

If I look at the snapvol.cfg GPO exclusions here is what I see related to that:

exclude_path=\ProgramData\Citrix\GroupPolicy

exclude_path=\ProgramData\Microsoft\Group Policy

exclude_path=%SystemRoot%\System32\GroupPolicy

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy

Not sure if this is how it should be or if there is something different in 2.16.

I was wondering if you were able to resolve it and if you could provide any information on it?