With the introduction of Windows 10 Build 1607 (commonly known as the Windows 10 Anniversary Update), Microsoft fixed many of the bugs that broke roaming mandatory profiles. They also added new Group Policies to make deploying a consistent, locked Start menu and taskbar layout easier.
First, we are going to build the roaming mandatory profile. A roaming mandatory profile, or roaming man profile, is a read-only user profile stored on a network share that acts as the default template for all users. Unlike roaming profiles, all changes made to a roaming mandatory profile are lost upon logoff, as the changes made do not propagate back to the server.
You will still be able to use folder redirection to redirect important user folders, such as documents and downloads. You can read more about user profiles in general on Microsoft’s website.
For this guide, I will be creating my template user profile on the VM that is the template for my Windows 10 image. The operating system I am using is Windows 10 Pro Build 1607 x64. You can use a vanilla Windows 10 image to create your template user profile. However, I always use the image I plan to deploy to my workstations, as you can configure pre-installed apps in the template user profile and have those settings captured when you use the copy profile function.
Before we configure the user profile, we need to create the XML file that will tell Windows to capture the settings we specified. Open a blank Notepad document and copy and paste the following:
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <CopyProfile>true</CopyProfile>
        </component>
    </settings>
</unattend>
Save the file as CopyProfile.xml to a network share that you can map from the VM. For this guide, I will be saving the CopyProfile.xml to the following location:
With the unattend XML file created, we can start to configure the template user profile. On your Windows 10 machine, run the System Preparation Tool (sysprep) and enter into system audit mode. If you are using a freshly installed Windows 10, you can send the keystroke Ctrl+Shift+F3 on the “Get going fast” screen to enter system audit mode. When your machine reboots into audit mode, this will automatically log you in under the built-in Administrator account and present you with a desktop similar to the image below.
You may close the System Preparation Tool, as we will sysprep and generalize the image using the command prompt later in this guide. At this time, you can configure the template user profile as well as any preinstalled applications to your liking. For demonstration purposes, I will be making the following changes to the template user profile:
File Explorer – Folder Options
Open File Explorer and click on the View tab to expand the window ribbon. Click on the Options applet at the very end of the ribbon to open up Folder Options. Find the setting Open File Explorer to: and choose This PC. Then under Privacy, uncheck the boxes Show recently used files in Quick access and Show recently used folders in Quick access. When you are done, click OK to close the Folder Options window.
File Explorer – Quick Access
Open File Explorer and navigate to the Quick access sidebar. Unpin the Desktop and Downloads user folders and instead pin the Music and Videos user folders.
App Data – Start Menu
Open File Explorer and navigate to C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs. Delete the folders Windows Administrative Tools and Windows PowerShell. Open the folder Windows System and delete all the shortcuts except File Explorer and This PC. Delete the OneDrive shortcut from the Programs folder as well.
App Data – Send To
Open File Explorer and navigate to C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo. Delete all the shortcuts except Documents.
When you are happy with your configuration, you can capture the user profile settings with sysprep. Connect to the network share where you saved your CopyProfile.xml and move it to your reference VM. For this guide, I will be moving the CopyProfile.xml to the following location: C:\Windows\System32\Sysprep
Open a command prompt as an administrator and enter the following command:
C:\Windows\System32\Sysprep\Sysprep.exe /oobe /generalize /reboot /Unattend:C:\Windows\System32\Sysprep\CopyProfile.xml
The sysprep tool will start to run and will automatically reboot the machine when it is finished. Since you only need to copy the profile to a network share, you can quickly run through the initial setup without much thought or configuration.
When you finish the initial setup and are logged into the OS, you should notice that the changes you previously made to the profile are still intact. Navigate to System Properties and click on the Advanced system settings item in the left-hand sidebar. Find the User Profiles header and click on the Settings button underneath it. You should see a list of all the generated user profiles. In this case, the only profile we need to be concerned about is the Default Profile. Find and select the default profile and click the Copy To… button.
Under the Copy profile to header, type the location you want to copy the user profile to. For this guide, I am going to copy the profile to the desktop temporarily. Under the Permitted to use header, click the Change button and give Everyone permission to use it. Click OK when you are done.
You should see a new folder in the location where you copied the profile.
Open the folder. You should see all the standard shell folders of a Windows user profile. Before we copy the user profile to a network share, we are going to make a few changes to the ntuser.dat file. To do this, we have to show hidden files, folders, and drives, and uncheck the box Hide protected operating system files (Recommended) under the Folder Options applet. The system should now display all the hidden files and folders in the user profile.
Right-click on the Start button and select Run. Type regedit.exe in the box and hit Enter. In the registry editor, you should see the five standard registry hives. The only one we are concerned about is the HKEY_USERS hive.
Select that hive and go to File > Load Hive. Find the ntuser.dat file from the profile you copied earlier and open it. Give the newly loaded hive a name, such as TemplateProf, and click OK. You should now see your newly loaded hive under HKEY_USERS.
Expand the hive and navigate to SOFTWARE > Microsoft > Windows > CurrentVersion > ContentDeliveryManager. Set each value under this key to 0. This prevents the user profile from downloading suggested applications and from reinstalling any metro (Store) applications you removed from your image earlier.
Go back to the CurrentVersion key and navigate to Explorer > Shell Folders. Delete all the values except for (Default), !Do not use this registry key, and Fonts. This lets Windows regenerate the shell folder paths for each user instead of using the ones generated for the built-in Administrator account.
Finally, navigate to the root of your newly loaded hive, right-click on it, and select Permissions. Delete the Administrators permission, click Apply, and then OK. If you are satisfied with your changes, unload the hive by going to File > Unload Hive.
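The three ntuser.dat edits above (ContentDeliveryManager values, Shell Folders values, and the Administrators permission on the hive root) can be scripted so they are repeatable every time the template is rebuilt. The following PowerShell is an added example and is not code from the article; it assumes an elevated session on the reference machine, that $ProfileRoot points at the folder produced by the Copy To... step (the path shown is constructed), and it reuses the article's hive name TemplateProf. Only DWORD values under ContentDeliveryManager are zeroed, since 0 is not a meaningful value for the key's string entries.

```powershell
# Added example (not from the article): script the offline ntuser.dat edits.
# Assumptions: elevated PowerShell on the reference VM; $ProfileRoot is a constructed
# path pointing at the folder created by the Copy To... dialog.
$ProfileRoot = "$env:USERPROFILE\Desktop\DefaultProfile"
$HiveName    = 'TemplateProf'
$HivePath    = Join-Path $ProfileRoot 'ntuser.dat'

if (-not (Test-Path -LiteralPath $HivePath)) { throw "ntuser.dat not found under $ProfileRoot" }

# Load the copied profile's hive under HKEY_USERS (same as File > Load Hive in regedit)
& reg.exe load "HKU\$HiveName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

$cdmKey = $null; $sfKey = $null
try {
    # 1. ContentDeliveryManager: every DWORD value to 0 (no suggested apps, no app reinstallation)
    $cdm    = "Registry::HKEY_USERS\$HiveName\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
    $cdmKey = Get-Item -Path $cdm
    foreach ($name in $cdmKey.GetValueNames()) {
        if ($cdmKey.GetValueKind($name) -eq 'DWord') {
            Set-ItemProperty -Path $cdm -Name $name -Value 0 -Type DWord
        }
    }

    # 2. Shell Folders: remove every value except the ones the article keeps, so each user
    #    gets freshly generated shell folder paths instead of the Administrator's
    $sf    = "Registry::HKEY_USERS\$HiveName\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
    $keep  = @('!Do not use this registry key', 'Fonts')
    $sfKey = Get-Item -Path $sf
    foreach ($name in $sfKey.GetValueNames()) {
        # GetValueNames() reports the (Default) value as an empty string; keep it too
        if ($name -eq '' -or $keep -contains $name) { continue }
        Remove-ItemProperty -Path $sf -Name $name
    }

    # 3. Remove the Administrators entry from the hive root's ACL (the Permissions step).
    #    Inheritance is switched off with existing ACEs copied, so the ACE is removable
    #    even if the hive file stored it as inherited.
    $rootPath = "Registry::HKEY_USERS\$HiveName"
    $acl = Get-Acl -Path $rootPath
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($ace in @($acl.Access)) {
        $who = $ace.IdentityReference.Value
        if ($who -eq 'BUILTIN\Administrators' -or $who -eq 'S-1-5-32-544') {
            $null = $acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -Path $rootPath -AclObject $acl
}
finally {
    # Release key handles first, otherwise reg.exe unload reports the hive as in use
    foreach ($k in @($cdmKey, $sfKey)) { if ($k) { $k.Close() } }
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$HiveName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload failed; unload HKU\$HiveName manually in regedit" }
}
```

Run it once after the Copy To... step and before the profile is moved to the share; if the unload fails, nothing else should touch the loaded hive until it is released, because a hive that is still mounted when the folder is copied produces a truncated ntuser.dat on the share.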
Now it’s time to copy the profile to a network share. Note that you will need to make sure you have the correct NTFS and share permissions in place for roaming mandatory profiles to work properly. You can read more about the permissions needed on Microsoft’s website.
I am going to copy my profile to the following location: \\FSMGMT\HSCS\Profiles
Instead of copying the template profile folder itself, I created a new folder on the network share with the .V6 profile-version suffix to hold the profile contents, then copied all the items within my template profile and pasted them into that folder. Copying the items rather than the folder retains their shell icons.
After copying all of your items, you must rename the ntuser.dat file to ntuser.man. The .man extension is what tells the system to treat the profile as mandatory. You can delete all excess files except for ntuser.ini and ntuser.man. When you are finished, your user profile should resemble the following image:
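The copy, rename, and clean-up steps above, plus the NTFS permissions the article tells you to look up, can be done in one script so the share always ends up in the same state. This PowerShell is an added example, not the article's own procedure. It assumes $SourceProfile is the Copy To... output folder, reuses the article's share path with a constructed profile folder name, and uses a placeholder security group. The NTFS entries it applies (Administrators and SYSTEM full control, the user group read and execute only) are an assumption; the Microsoft documentation the article links to is the authoritative source for the permission set.

```powershell
# Added example (not from the article): publish the template profile as a mandatory profile.
# Assumptions: $SourceProfile is the Copy To... output; $ProfileName and $UsersGroup are
# constructed placeholders; the NTFS permission set below is an assumption.
$SourceProfile = "$env:USERPROFILE\Desktop\DefaultProfile"
$ShareRoot     = '\\FSMGMT\HSCS\Profiles'
$ProfileName   = 'QuickWKS'                 # the GPO path is "$ShareRoot\$ProfileName" without .V6
$UsersGroup    = 'CONTOSO\Quick-WKS-Users'  # placeholder group that receives the profile

$Target = Join-Path $ShareRoot "$ProfileName.V6"
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Copy the profile *contents*, not the folder, so pinned-item shell icons survive
# (the article does this by hand). robocopy exit codes below 8 mean success.
& robocopy.exe $SourceProfile $Target /E /COPY:DAT /R:1 /W:1 /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# The .man extension marks the hive as mandatory
Rename-Item -Path (Join-Path $Target 'ntuser.dat') -NewName 'ntuser.man' -Force

# Drop leftover ntuser.* transaction/log files; keep only ntuser.ini and ntuser.man
Get-ChildItem -Path $Target -Filter 'ntuser*' -Force -File |
    Where-Object { $_.Name -notin @('ntuser.ini', 'ntuser.man') } |
    Remove-Item -Force

# NTFS ACL (assumed): stop inheriting from the share root, then grant explicit entries.
# Users get read-only access so nothing they do can alter the template for everyone else.
$acl = Get-Acl -Path $Target
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl',    $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl',    $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule($UsersGroup,              'ReadAndExecute', $inherit, 'None', 'Allow')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $Target -AclObject $acl

# Sanity check: the folder must contain ntuser.man and no ntuser.dat* remnants
$names = @(Get-ChildItem -Path $Target -Force -File | Select-Object -ExpandProperty Name)
if (('ntuser.man' -notin $names) -or @($names -like 'ntuser.dat*').Count -gt 0) {
    throw "Profile folder $Target is not in the expected mandatory state"
}
Write-Host "Mandatory profile published to $Target; point the GPO at $ShareRoot\$ProfileName"
```

Because the share-level permission is applied separately from NTFS, the effective access is the more restrictive of the two; verify both with a test user before pointing the GPO at the path.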
Now it’s time to configure your workstations to use this roaming mandatory profile. Launch the Group Policy Management MMC snap-in and create a new Group Policy that will tell the workstation to use the template user profile. Since I will be using the template user profile for all users, I have created a new Group Policy Object (GPO) called “Quick~WKS User Profile Policy” and applied the following security filtering settings:
Open your newly created GPO, navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles, and modify the policy definitions as shown below.
For the policy Set roaming profile path for all users logging onto this computer, specify the path to your template user profile, but omit the .V6 extension. While you can edit the other policy definitions to fit the needs of your organization, you should not change the settings for Prevent Roaming Profile changes from propagating to the server and Wait for remote user profile. The former prevents any changes the user makes from being saved back to the template user profile, and the latter ensures that the user profile is always unloaded correctly to prevent corruption.
Finally, we are going to create the Start menu and taskbar layout XML file. Open a blank Notepad document and copy and paste the following:
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout" Version="1">
    <LayoutOptions StartTileGroupCellWidth="6" StartTileGroupsColumnCount="1" />
    <DefaultLayoutOverride>
        <StartLayoutCollection>
            <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
                <start:Group Name="" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
                    <start:Tile Size="4x2" Column="0" Row="0" AppUserModelID="Windows.ContactSupport_cw5n1h2txyewy!App" />
                </start:Group>
            </defaultlayout:StartLayout>
        </StartLayoutCollection>
    </DefaultLayoutOverride>
    <CustomTaskbarLayoutCollection PinListPlacement="Replace">
        <defaultlayout:TaskbarLayout>
            <taskbar:TaskbarPinList>
                <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows System\File Explorer.lnk" />
                <taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Media Player.lnk" />
            </taskbar:TaskbarPinList>
        </defaultlayout:TaskbarLayout>
    </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
I have specified in the XML that the Start menu should include the Contact Support application, and the taskbar should remove Microsoft Edge and include File Explorer and Windows Media Player. Save the file as StartLayout.xml to a network share accessible via Group Policy. For this guide, I will be saving the StartLayout.xml to my NETLOGON share.
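A layout file with a typo in an AppUserModelID or a .lnk path fails silently: the tile or pin is simply absent on the workstation. The following PowerShell is an added example, not part of the article, that parses the StartLayout.xml above with its four namespaces and reports every tile whose package family is not installed for the current user, every pinned shortcut whose expanded path does not exist, and whether PinListPlacement is set to Replace (the attribute responsible for removing Edge). $LayoutPath is a constructed location; run it on the reference VM, where %APPDATA% resolves to the template profile the pins point at.

```powershell
# Added example (not from the article): validate StartLayout.xml before publishing it.
# Assumption: $LayoutPath is a constructed path to the file saved from the article's XML.
$LayoutPath = "$env:USERPROFILE\Desktop\StartLayout.xml"

[xml]$layout = Get-Content -Path $LayoutPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($layout.NameTable)
$ns.AddNamespace('lm',    'http://schemas.microsoft.com/Start/2014/LayoutModification')
$ns.AddNamespace('dl',    'http://schemas.microsoft.com/Start/2014/FullDefaultLayout')
$ns.AddNamespace('start', 'http://schemas.microsoft.com/Start/2014/StartLayout')
$ns.AddNamespace('tb',    'http://schemas.microsoft.com/Start/2014/TaskbarLayout')

$problems = @()

# Start tiles: the package family (text before '!') must be installed for the current user
foreach ($tile in $layout.SelectNodes('//start:Tile', $ns)) {
    $aumid  = $tile.GetAttribute('AppUserModelID')
    $family = ($aumid -split '!')[0]
    $found  = Get-AppxPackage | Where-Object { $_.PackageFamilyName -eq $family }
    if (-not $found) { $problems += "Tile '$aumid': package family '$family' is not installed" }
}

# Taskbar pins: expand %VAR% references and confirm the shortcut exists on this machine
foreach ($pin in $layout.SelectNodes('//tb:DesktopApp', $ns)) {
    $raw  = $pin.GetAttribute('DesktopApplicationLinkPath')
    $link = [Environment]::ExpandEnvironmentVariables($raw)
    if (-not (Test-Path -LiteralPath $link)) { $problems += "Pinned shortcut not found: $link (from '$raw')" }
}

# PinListPlacement="Replace" is what drops the default pins such as Edge
$coll = $layout.SelectSingleNode('//lm:CustomTaskbarLayoutCollection', $ns)
if ($coll -and $coll.GetAttribute('PinListPlacement') -ne 'Replace') {
    $problems += "PinListPlacement is '$($coll.GetAttribute('PinListPlacement'))'; default taskbar pins will be kept"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "StartLayout.xml: all tiles and pinned shortcuts resolve on this machine"
```

A non-zero exit code makes the check usable as a gate in whatever process copies the file to NETLOGON, so a broken layout never reaches the workstations.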
Launch the Group Policy Management MMC snap-in and create a new Group Policy that will tell the workstation to load the custom start menu layout. Since I will be loading the custom Start menu for all users, I have created a new GPO called “Quick~WKS Computer Lockdown Policy” and applied the following security filtering settings:
Open your newly created GPO, navigate to Computer Configuration > Policies > Administrative Templates > Start Menu and Taskbar, and find the policy Start Layout. Under the Start Layout File header, specify the location of your start menu layout. Include the XML file and extension in your path.
Force a Group Policy update on the machines you want to load the roaming man profile on. When you log in as a user in one of the specified security filtered groups, you should notice the system retains all the customizations made to your template profile.
When a user logs off, the system will delete the local profile unique to the user from the workstation and will not propagate changes the user made to the roaming mandatory profile on the server. Note that you can make changes to the template roaming man profile at any time, and they will instantly apply to all users who check out the profile upon their next login.