In this guide, I am going to go through the steps to build a Windows 10 roaming mandatory profile and then deploy the profile with Group Policy. I will also outline the steps to create the XML file that tells Windows how to configure the Start menu and taskbar.
Profile gravatar of Alex Pazik

Alex Pazik

Alexander specializes in Windows deployments and systems management applications such as System Center Configuration Manager and System Center Operations Manager.
Profile gravatar of Alex Pazik

With the introduction of Windows 10 Build 1607 (commonly known as the Windows 10 Anniversary Update), Microsoft fixed many of the bugs that broke roaming mandatory profiles. They also added new Group Policies to make deploying a consistent, locked Start menu and taskbar layout easier.

First, we are going to build the roaming mandatory profile. A roaming mandatory profile, or roaming man profile, is a read-only user profile stored on a network share that acts as the default template for all users. Unlike roaming profiles, all changes made to a roaming mandatory profile are lost upon logoff, as the changes made do not propagate back to the server.

You will still be able to use folder redirection to redirect important user folders, such as documents and downloads. You can read more about user profiles in general on Microsoft's website.

For this guide, I will be creating my template user profile on the VM that is the template for my Windows 10 image. The operating system I am using is Window 10 Pro Build 1607 x64. You can use a vanilla Windows 10 image to create your template user profile. However, I always use the image I plan to deploy to my workstations, as you can configure pre-installed apps in the template user profile and have those settings captured when you use the copy profile function.

Before we configure the user profile, we need to create the XML file that will tell Windows to capture the settings we specified. Open a blank Notepad document and copy and paste the following:

Save the file as CopyProfile.xml to a network share that you can map from the VM. For this guide, I will be saving the CopyProfile.xml to the following location:

\\SCS-CFGMGR-MP\SWSTORE\Unattend\Windows 10

With the unattend XML file created, we can start to configure the template user profile. On your Windows 10 machine, run the System Preparation Tool (sysprep) and enter into system audit mode. If you are using a freshly installed Windows 10, you can send the keystroke Ctrl+Shift+F3 on the "Get going fast" screen to enter system audit mode. When your machine reboots into audit mode, this will automatically log you in under the built-in Administrator account and present you with a desktop similar to the image below.

System audit mode

System audit mode

You may close the System Preparation Tool, as we will sysprep and generalize the image using the command prompt later in this guide. At this time, you can configure the template user profile as well as any preinstalled applications to your liking. For demonstration purposes, I will be making the following changes to the template user profile:

File Explorer – Folder Options

Open File Explorer and click on the View tab to expand the window ribbon. Click on the Options applet at the very end of the ribbon to open up Folder Options. Find the setting Open File Explorer to: and choose This PC. Then under Privacy, uncheck the boxes Show recently used files in Quick access and Show recently used folders in Quick access. When you are done, click OK to close the Folder Options window.

Folder Options

Folder Options

File Explorer – Quick Access

Open File Explorer and navigate to the Quick access sidebar. Unpin the Desktop and Downloads user folders and instead pin the Music and Videos user folders.

Quick access

Quick access

App Data – Start Menu

Open File Explorer and navigate to C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs. Delete the folders Windows Administrative Tools and Windows PowerShell. Open the folder Windows System and delete all the shortcuts except File Explorer and This PC. Delete the OneDrive shortcut from the Programs folder as well.

User Start menu

User Start menu

App DataSend To

Open File Explorer and navigate to C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo. Delete all the shortcuts except Documents.

When you are happy with your configuration, you can capture the user profile settings with sysprep. Connect to the network share where you saved your CopyProfile.xml and move it to your reference VM. For this guide, I will be moving the CopyProfile.xml to the following location: C:\Windows\System32\Sysprep

Open a command prompt as an administrator and enter the following command:

C:\Windows\System32\Sysprep\Sysprep.exe /oobe /generalize /reboot /Unattend:C:\Windows\System32\Sysprep\CopyProfile.xml

Capture a user profile

Capture a user profile

The sysprep tool will start to run and will automatically reboot the machine when it is finished. Since you only need to copy the profile to a network share, you can quickly run through the initial setup without much thought or configuration.

When you finish the initial setup and are logged into the OS, you should notice that the changes you previously made to the profile are still intact. Navigate to System Properties and click on the Advanced system settings item in the left-hand sidebar. Find the User Profiles header and click on the Settings button underneath it. You should see a list of all the generated user profiles. In this case, the only profile we need to be concerned about is the Default Profile. Find and select the default profile and click the Copy To… button.

Under the Copy profile to header, type the location you want to copy the user profile to. For this guide, I am going to copy the profile to the desktop temporarily. Under the Permitted to use header, click the Change button and give Everyone permission to use it. Click OK when you are done.

Copying the profile

Copying the profile

You should see a new folder in the location where you copied the profile.

Profile folder

Profile folder

Open the folder. You should see all the standard shell folders of a Windows user profile. Before we copy the user profile to a network share, we are going to make a few changes to the ntuser.dat file. To do this, we have to show hidden files, folders, and drives, and uncheck the box Hide protected operating system files (Recommended) under the Folder Options applet. The system should now display all the hidden files and folders in the user profile.

Files and folders in the user profile

Files and folders in the user profile

Right-click on the Start button and select Run. Type regedit.exe in the box and hit Enter. In the registry editor, you should see the five standard registry hives. The only one we are concerned about is the HKEY_USERS hive.

Select that hive and go to File > Load Hive. Find the ntuser.dat file from the profile you copied earlier and open it. Give the newly loaded hive a name, such as TemplateProf, and click OK. You should now see your newly loaded hive under HKEY_USERS.

TemplateProf hive

TemplateProf hive

Expand the hive and navigate to SOFTWARE > Microsoft > Windows > CurrentVersion > ContentDeliveryManager. Set the value for each key to 0. This will prevent your user profile from downloading recommended applications and from reinstalling any metro applications you may have removed earlier from your image.

The ContentDeliveryManager key

The ContentDeliveryManager key

Go back to the CurrentVersion hive and navigate to Explorer > Shell Folders. Delete all the registry keys except for (Default), !Do not use this registry key, and Fonts. This will allow Windows to regenerate the shell folders unique to each user instead using the ones generated for the built-in Administrator account.

The Shell Folders key

The Shell Folders key

Finally, navigate to the root of your newly loaded hive, right-click on it, and select Permissions. Delete the Administrators permission, click Apply, and then OK. If you are satisfied with your changes, unload the hive by going to File > Unload Hive.

Now it's time to copy the profile to a network share. Note that you will need to make sure you have the correct NTFS and share permissions in place for roaming mandatory profiles to work properly. You can read more about the permissions needed on Microsoft's website.

I am going to copy my profile to the following location:\\FSMGMT\HSCS\Profiles

Instead of copying the template profile folder, I created a new folder on the network share with the .V6 profile extension to store the profile contents and copied all the items within my template profile. I then pasted those items in the folder created on the network share to retain their shell icons.

After copying all of your items, you must rename the ntuser.dat file to ntuser.man. This ensures the system will check in your profile as a mandatory one. You can delete all excess files except for ntuser.ini and ntuser.man. When you are finished, your user profile should resemble the following image:

My Quick~WKS user profile

My Quick~WKS user profile

Now it's time to configure your workstations to use this roaming mandatory profile. Launch the Group Policy Management MMC snap-in and create a new Group Policy that will tell the workstation to use the template user profile. Since I will be using the template user profile for all users, I have created a new Group Policy Object (GPO) called "Quick~WKS User Profile Policy" and applied the following security filtering settings:

User Profile Security Filtering

User Profile Security Filtering

Open your newly created GPO, navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles, and modify the policy definitions as shown below.

User profile GPO

User profile GPO

For the policy Set roaming profile path for all users logging onto this computer, specify the path to your template user profile, but omit the .V6 extension. Whereas you can edit the policy definitions to fit the needs of your organization, you should not change the settings for Prevent Roaming Profile changes from propagating to the server and Wait for remote user profile. The former definition prevents any changes the user makes from being saved to the actual template user profile, and the latter ensures that the user profile is always unloaded correctly to prevent any corruptions.

Finally, we are going to create the Start menu and taskbar layout XML file. Open a blank Notepad document and copy and paste the following:

I have specified in the XML that the Start menu should include the Contact Support application, and the taskbar should remove Microsoft Edge and include File Explorer and Windows Media Player. Save the file as StartLayout.xml to a network share accessible via Group Policy. For this guide, I will be saving the StartLayout.xml to my NETLOGON share.

Launch the Group Policy Management MMC snap-in and create a new Group Policy that will tell the workstation to load the custom start menu layout. Since I will be loading the custom Start menu for all users, I have created a new GPO called "Quick~WKS Computer Lockdown Policy" and applied the following security filtering settings:

Computer lockdown Security Filtering

Computer lockdown Security Filtering

Open your newly created GPO, navigate to Computer Configuration > Policies > Administrative Templates > Start Menu and Taskbar, and find the policy Start Layout. Under the Start Layout File header, specify the location of your start menu layout. Include the XML file and extension in your path.

Force a Group Policy update on the machines you want to load the roaming man profile on. When you log in as a user in one of the specified security filtered groups, you should notice the system retains all the customizations made to your template profile.

When a user logs off, the system will delete the local profile unique to the user from the workstation and will not propagate changes the user made to the roaming mandatory profile on the server. Note that you can make changes to the template roaming man profile at any time, and they will instantly apply to all users who check out the profile upon their next login.

Desktop for a mandatory profile

Desktop for a mandatory profile

Take part in our competition and win $100!

Share
0

Related Posts

14 Comments
  1. avatar
    James Rankin 2 months ago

    Don't you need to remove all references to the originating username from the Registry? Such as the entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders?

    0
    • Profile gravatar of Alex Pazik Author
      Alex Pazik 2 months ago

      Not in the case of User Shell Folders as those registry keys use the env. variable %USERPROFILE% to point the shell folders to the local user profile:

      %USERPROFILE%\Personal
      %USERPROFILE%\Music
      %USERPROFILE%\Pictures
      %USERPROFILE%\Video

      Modifying these values is actually how folder redirection is accomplished at the registry level. Deleting the all the keys under Shell Folders simply allows Windows to regenerate the shell folder items themselves, not determine where they point.

      Thank you for the comment; I hope this makes things a little more clear!

      1+
      • avatar
        James Rankin 2 months ago

        OK bad example for User Shell Folders, they only put the username in when it is a redirected folder. But the user name does appear in various areas of the Registry, do you not need to check the ntuser.dat file for these and remove them? I thought it was standard practice when creating mandatory profiles.

        Do you not also need to remove some of the items from the filesystem itself, as there will be things in there like provisioned UWP apps and other extraneous settings within the %LOCALAPPDATA% folder?

        Also do you need to set any specific security permissions within the Registry file within the profile? I seem to remember a query about users being able to edit other users' Registry items when using mandatory profiles that cropped up a few years ago, although my recollection of the exact details is hazy (something like this rings a bell https://helgeklein.com/blog/2010/12/mandatory-profiles-%E2%80%93-insecure-by-default/)

        It's also worth noting that the GPO to enable mandatory profiles is a Computer item and will apply to all device users, even admins. If you want it more targeted, then you can populate the relevant fields on user objects in AD.

        0
        • Profile gravatar of Alex Pazik Author
          Alex Pazik 2 months ago

          When using the "Copy profile to" function, Windows exports a generalized profile that does not include the Local folder or any mention of a custom username. With Windows 7, I remember having to go through the process of generalizing the ntuser.dat file myself as well. I did try this with Windows 10 and was not able to successfully merge my generalized customizations nor correctly load the user profile. Since I do not use UWP in my environment, I can not speak on the process of handling those application settings.

          As for the security permissions, I was not aware of that being an issue. On the workstations that we use roaming man profiles, RDP and REGEDIT are disabled for all standard users as well as browsing the network share where we host the profiles, so this really wouldn't be a problem. Nonetheless, I suppose if the scenario mentioned in the article mimicked your environment it would be a good idea to enact some of the changes he suggests.

          0
  2. avatar
    deny 3 weeks ago

    What if i want to do this with local storage instead of network? is there anything needs to be changed?

    0
    • Profile gravatar of Alex Pazik Author
      Alex Pazik 3 weeks ago

      If you wanted to do this with local storage, you would apply all customizations before syspreping the machine with the CopyProfile.xml. This would store the template profile in the image itself and would be the profile all users check-out when logging into the machine.

      The only difference is you'd have to write a script to delete the individual user's profile after a certain number of days. Otherwise, the changes users make will persist in their profile, but will not be propagated to the template user profile in the image.

      0
  3. avatar
    deny winarto 2 weeks ago

    I'm still kinda new at this mandatory profiles, basically what i need is a multiple locked state profiles (about 10) that reloads everytime user relogin, preferably stored in local drive, but you said the changes would pile up, so i guess this is only possible by storing it on network? Or is there another way?

    0
    • Profile gravatar of Alex Pazik Author
      Alex Pazik 2 weeks ago

      Mandatory profiles are a little different than roaming mandatory profiles. With mandatory profiles, users do use a template user profile to generate their individual user profile, however, the changes they make to their user profile are not lost upon logoff and will persist on the machine they logged into, or if used in your environment, their roaming profile.

      With roaming mandatory profiles, users also use a template user profile to generate their individual user profile, however, their changes are lost upon logoff and their individual profile is deleted from the local machine upon logoff.

      If you store the template user profile locally, you would be using simply a local profile, as the template user profile on the machine will not be able "roam" to other machines.

       

      0
  4. avatar
    denywinarto 2 weeks ago

    Ok i think i'll use your method.. i think i could "cross-share" the profile between 3 PCs

    But my need is quite specific, for aster multiseat. http://www.ibik.ru/

    Since i need some kind of solution to "deepfreeze" between logoff-login session,

    mandatory profile seems to be only way.

    This is what i did

    1. Install Windows 10 1511
    2. Go to audit mode
    3. Install all drivers
    4. Make 3 administrators account for multiseat,
    Multi1, Multi2, Multi3 (all on administrators level)
    5. Install Aster multi seat and assign 3 workstations to each accounts in step 4 respectively,
    so at this point we have 3 accounts running on 3 monitors, 3 mice and 3 keyboards
    6. Ran C:\Windows\System32\Sysprep\Sysprep.exe /oobe /generalize /reboot /Unattend:C:\Windows\System32\Sysprep\CopyProfile.xml
    frm Mult2..
    7. about 20 mins later "your pc ran into a problem and needs to restart"
    8. after boot, getting devices ready, and then it's stuck at "getting ready" now...

    Specs : intel i3 6300 + Gygabite mobo GA-B150M-DS3H + Rx570 + 8 GB ram + 120gb ssd

    Any idea how to do this properly?

    Maybe it has something to do with me creating 3 additional administrator accounts for aster multiseat?

     

    0
  5. avatar
    denywinarto 2 weeks ago

    Update:
    9. After waiting a while,>> region keyboard language settings.
    10. enter new account
    11. Aster gets scrambled again, e.g have to re-assign all of them
    So i'd assume the deepfreeze didn't work, probably because  bluescreen problem earlier

    0
  6. Profile gravatar of Alex Pazik Author
    Alex Pazik 2 weeks ago

    When creating roaming mandatory profiles that require a lot of steps and configurations, I recommend you use a virtual machine so you can create snapshots of your progress, and revert back if an error or issue occurs. As for installing drivers, when you run Sysprep all non-essential drivers are erased from the machine (the generalize) switch accomplishes this.

    I am not too familiar with the multipoint software you are using, but if you create the three administrator accounts before you run sysprep to copy the profile over to the template then the three administrator accounts will not get the template profile.

    0
  7. avatar
    denywinarto 2 weeks ago

    Unfortunately VM isn't possible for my case, because AFAIK, GPU can't be used in vmware.. i've tried it and it won't detect it..

    Here's some illustration from aster website of my setup :

    I tested again this time with 3 guest accounts instead of admin accounts, (multi1, multi2, multi3)

    Aster setup complete,

    signed in as admin user, then enter audit mode, exist audit mode

    but i still got same bluescreen (Systemthreadexception not handled) after exiting audit mode,

    after getting ready and setting up regions keyboard etc the aster setup is still not being saved.

    You said 3 admins won't work, 3 guests account doesn't work either... any idea how to save this kind of setup on the profile?

    0
  8. Profile gravatar of Alex Pazik Author
    Alex Pazik 1 week ago

    It sounds like this issue is a little more complicated than both you or I anticipated, and if you would like to email me I can help you troubleshoot this issue further.

    1+
  9. Profile gravatar of Denywinarto
    Denywinarto 6 days ago

    Sure what's your email? i couldn't find it, or if you want my email it's denywinarto"at"gmail.com.. thanks..

     

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2017

Log in with your credentials

or    

Forgot your details?

Create Account