- Configuration Items in Configuration Manager (SCCM, MECM) - Mon, Aug 22 2022
- Create and read SCVMM custom properties with PowerShell and the VMM Console - Mon, Apr 18 2022
- Prevent ransomware attacks on network shares with File Server Resource Manager (FSRM) - Mon, Mar 7 2022
With the introduction of Windows 10 Build 1607 (commonly known as the Windows 10 Anniversary Update), Microsoft fixed many of the bugs that broke roaming mandatory profiles. They also added new Group Policies to make deploying a consistent, locked Start menu and taskbar layout easier.
First, we are going to build the roaming mandatory profile. A roaming mandatory profile, or roaming man profile, is a read-only user profile stored on a network share that acts as the default template for all users. Unlike roaming profiles, all changes made to a roaming mandatory profile are lost upon logoff, as the changes made do not propagate back to the server.
You will still be able to use folder redirection to redirect important user folders, such as documents and downloads. You can read more about user profiles in general on Microsoft's website.
For this guide, I will be creating my template user profile on the VM that is the template for my Windows 10 image. The operating system I am using is Window 10 Pro Build 1607 x64. You can use a vanilla Windows 10 image to create your template user profile. However, I always use the image I plan to deploy to my workstations, as you can configure pre-installed apps in the template user profile and have those settings captured when you use the copy profile function.
Before we configure the user profile, we need to create the XML file that will tell Windows to capture the settings we specified. Open a blank Notepad document and copy and paste the following:
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<CopyProfile>true</CopyProfile>
</component>
</settings>
</unattend>Save the file as CopyProfile.xml to a network share that you can map from the VM. For this guide, I will be saving the CopyProfile.xml to the following location:
\\SCS-CFGMGR-MP\SWSTORE\Unattend\Windows 10
With the unattend XML file created, we can start to configure the template user profile. On your Windows 10 machine, run the System Preparation Tool (sysprep) and enter into system audit mode. If you are using a freshly installed Windows 10, you can send the keystroke Ctrl+Shift+F3 on the "Get going fast" screen to enter system audit mode. When your machine reboots into audit mode, this will automatically log you in under the built-in Administrator account and present you with a desktop similar to the image below.
System audit mode
You may close the System Preparation Tool, as we will sysprep and generalize the image using the command prompt later in this guide. At this time, you can configure the template user profile as well as any preinstalled applications to your liking. For demonstration purposes, I will be making the following changes to the template user profile:
File Explorer – Folder Options
Open File Explorer and click on the View tab to expand the window ribbon. Click on the Options applet at the very end of the ribbon to open up Folder Options. Find the setting Open File Explorer to: and choose This PC. Then under Privacy, uncheck the boxes Show recently used files in Quick access and Show recently used folders in Quick access. When you are done, click OK to close the Folder Options window.
Folder Options
File Explorer – Quick Access
Open File Explorer and navigate to the Quick access sidebar. Unpin the Desktop and Downloads user folders and instead pin the Music and Videos user folders.
Quick access
App Data – Start Menu
Open File Explorer and navigate to C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs. Delete the folders Windows Administrative Tools and Windows PowerShell. Open the folder Windows System and delete all the shortcuts except File Explorer and This PC. Delete the OneDrive shortcut from the Programs folder as well.
User Start menu
App Data – Send To
Open File Explorer and navigate to C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo. Delete all the shortcuts except Documents.
When you are happy with your configuration, you can capture the user profile settings with sysprep. Connect to the network share where you saved your CopyProfile.xml and move it to your reference VM. For this guide, I will be moving the CopyProfile.xml to the following location: C:\Windows\System32\Sysprep
Open a command prompt as an administrator and enter the following command:
C:\Windows\System32\Sysprep\Sysprep.exe /oobe /generalize /reboot /Unattend:C:\Windows\System32\Sysprep\CopyProfile.xml
Capture a user profile
The sysprep tool will start to run and will automatically reboot the machine when it is finished. Since you only need to copy the profile to a network share, you can quickly run through the initial setup without much thought or configuration.
When you finish the initial setup and are logged into the OS, you should notice that the changes you previously made to the profile are still intact. Navigate to System Properties and click on the Advanced system settings item in the left-hand sidebar. Find the User Profiles header and click on the Settings button underneath it. You should see a list of all the generated user profiles. In this case, the only profile we need to be concerned about is the Default Profile. Find and select the default profile and click the Copy To… button.
Under the Copy profile to header, type the location you want to copy the user profile to. For this guide, I am going to copy the profile to the desktop temporarily. Under the Permitted to use header, click the Change button and give Everyone permission to use it. Click OK when you are done.
Copying the profile
You should see a new folder in the location where you copied the profile.
Profile folder
Open the folder. You should see all the standard shell folders of a Windows user profile. Before we copy the user profile to a network share, we are going to make a few changes to the ntuser.dat file. To do this, we have to show hidden files, folders, and drives, and uncheck the box Hide protected operating system files (Recommended) under the Folder Options applet. The system should now display all the hidden files and folders in the user profile.
Files and folders in the user profile
Right-click on the Start button and select Run. Type regedit.exe in the box and hit Enter. In the registry editor, you should see the five standard registry hives. The only one we are concerned about is the HKEY_USERS hive.
Select that hive and go to File > Load Hive. Find the ntuser.dat file from the profile you copied earlier and open it. Give the newly loaded hive a name, such as TemplateProf, and click OK. You should now see your newly loaded hive under HKEY_USERS.
TemplateProf hive
Expand the hive and navigate to SOFTWARE > Microsoft > Windows > CurrentVersion > ContentDeliveryManager. Set the value for each key to 0. This will prevent your user profile from downloading recommended applications and from reinstalling any metro applications you may have removed earlier from your image.
The ContentDeliveryManager key
Go back to the CurrentVersion hive and navigate to Explorer > Shell Folders. Delete all the registry keys except for (Default), !Do not use this registry key, and Fonts. This will allow Windows to regenerate the shell folders unique to each user instead using the ones generated for the built-in Administrator account.
The Shell Folders key
Finally, navigate to the root of your newly loaded hive, right-click on it, and select Permissions. Delete the Administrators permission, click Apply, and then OK. If you are satisfied with your changes, unload the hive by going to File > Unload Hive.
Now it's time to copy the profile to a network share. Note that you will need to make sure you have the correct NTFS and share permissions in place for roaming mandatory profiles to work properly. You can read more about the permissions needed on Microsoft's website.
I am going to copy my profile to the following location:\\FSMGMT\HSCS\Profiles
Instead of copying the template profile folder, I created a new folder on the network share with the .V6 profile extension to store the profile contents and copied all the items within my template profile. I then pasted those items in the folder created on the network share to retain their shell icons.
After copying all of your items, you must rename the ntuser.dat file to ntuser.man. This ensures the system will check in your profile as a mandatory one. You can delete all excess files except for ntuser.ini and ntuser.man. When you are finished, your user profile should resemble the following image:
My Quick~WKS user profile
Now it's time to configure your workstations to use this roaming mandatory profile. Launch the Group Policy Management MMC snap-in and create a new Group Policy that will tell the workstation to use the template user profile. Since I will be using the template user profile for all users, I have created a new Group Policy Object (GPO) called "Quick~WKS User Profile Policy" and applied the following security filtering settings:
User Profile Security Filtering
Open your newly created GPO, navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles, and modify the policy definitions as shown below.
User profile GPO
For the policy Set roaming profile path for all users logging onto this computer, specify the path to your template user profile, but omit the .V6 extension. Whereas you can edit the policy definitions to fit the needs of your organization, you should not change the settings for Prevent Roaming Profile changes from propagating to the server and Wait for remote user profile. The former definition prevents any changes the user makes from being saved to the actual template user profile, and the latter ensures that the user profile is always unloaded correctly to prevent any corruptions.
Finally, we are going to create the Start menu and taskbar layout XML file. Open a blank Notepad document and copy and paste the following:
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<LayoutOptions StartTileGroupCellWidth="6" StartTileGroupsColumnCount="1" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
<start:Group Name="" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
<start:Tile Size="4x2" Column="0" Row="0" AppUserModelID="Windows.ContactSupport_cw5n1h2txyewy!App" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Windows System\File Explorer.lnk" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Media Player.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>I have specified in the XML that the Start menu should include the Contact Support application, and the taskbar should remove Microsoft Edge and include File Explorer and Windows Media Player. Save the file as StartLayout.xml to a network share accessible via Group Policy. For this guide, I will be saving the StartLayout.xml to my NETLOGON share.
Launch the Group Policy Management MMC snap-in and create a new Group Policy that will tell the workstation to load the custom start menu layout. Since I will be loading the custom Start menu for all users, I have created a new GPO called "Quick~WKS Computer Lockdown Policy" and applied the following security filtering settings:
Computer lockdown Security Filtering
Open your newly created GPO, navigate to Computer Configuration > Policies > Administrative Templates > Start Menu and Taskbar, and find the policy Start Layout. Under the Start Layout File header, specify the location of your start menu layout. Include the XML file and extension in your path.
Force a Group Policy update on the machines you want to load the roaming man profile on. When you log in as a user in one of the specified security filtered groups, you should notice the system retains all the customizations made to your template profile.
When a user logs off, the system will delete the local profile unique to the user from the workstation and will not propagate changes the user made to the roaming mandatory profile on the server. Note that you can make changes to the template roaming man profile at any time, and they will instantly apply to all users who check out the profile upon their next login.
Desktop for a mandatory profile
Read the latest IT news and community updates!
Join our IT community and read articles without ads!
Do you want to write for 4sysops? We are looking for new authors.
Don’t you need to remove all references to the originating username from the Registry? Such as the entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders?
Not in the case of User Shell Folders as those registry keys use the env. variable %USERPROFILE% to point the shell folders to the local user profile:
%USERPROFILE%\Personal
%USERPROFILE%\Music
%USERPROFILE%\Pictures
%USERPROFILE%\Video
Modifying these values is actually how folder redirection is accomplished at the registry level. Deleting the all the keys under Shell Folders simply allows Windows to regenerate the shell folder items themselves, not determine where they point.
Thank you for the comment; I hope this makes things a little more clear!
OK bad example for User Shell Folders, they only put the username in when it is a redirected folder. But the user name does appear in various areas of the Registry, do you not need to check the ntuser.dat file for these and remove them? I thought it was standard practice when creating mandatory profiles.
Do you not also need to remove some of the items from the filesystem itself, as there will be things in there like provisioned UWP apps and other extraneous settings within the %LOCALAPPDATA% folder?
Also do you need to set any specific security permissions within the Registry file within the profile? I seem to remember a query about users being able to edit other users’ Registry items when using mandatory profiles that cropped up a few years ago, although my recollection of the exact details is hazy (something like this rings a bell https://helgeklein.com/blog/2010/12/mandatory-profiles-%E2%80%93-insecure-by-default/)
It’s also worth noting that the GPO to enable mandatory profiles is a Computer item and will apply to all device users, even admins. If you want it more targeted, then you can populate the relevant fields on user objects in AD.
When using the “Copy profile to” function, Windows exports a generalized profile that does not include the Local folder or any mention of a custom username. With Windows 7, I remember having to go through the process of generalizing the ntuser.dat file myself as well. I did try this with Windows 10 and was not able to successfully merge my generalized customizations nor correctly load the user profile. Since I do not use UWP in my environment, I can not speak on the process of handling those application settings.
As for the security permissions, I was not aware of that being an issue. On the workstations that we use roaming man profiles, RDP and REGEDIT are disabled for all standard users as well as browsing the network share where we host the profiles, so this really wouldn’t be a problem. Nonetheless, I suppose if the scenario mentioned in the article mimicked your environment it would be a good idea to enact some of the changes he suggests.
What if i want to do this with local storage instead of network? is there anything needs to be changed?
If you wanted to do this with local storage, you would apply all customizations before syspreping the machine with the CopyProfile.xml. This would store the template profile in the image itself and would be the profile all users check-out when logging into the machine.
The only difference is you’d have to write a script to delete the individual user’s profile after a certain number of days. Otherwise, the changes users make will persist in their profile, but will not be propagated to the template user profile in the image.
I’m still kinda new at this mandatory profiles, basically what i need is a multiple locked state profiles (about 10) that reloads everytime user relogin, preferably stored in local drive, but you said the changes would pile up, so i guess this is only possible by storing it on network? Or is there another way?
Mandatory profiles are a little different than roaming mandatory profiles. With mandatory profiles, users do use a template user profile to generate their individual user profile, however, the changes they make to their user profile are not lost upon logoff and will persist on the machine they logged into, or if used in your environment, their roaming profile.
With roaming mandatory profiles, users also use a template user profile to generate their individual user profile, however, their changes are lost upon logoff and their individual profile is deleted from the local machine upon logoff.
If you store the template user profile locally, you would be using simply a local profile, as the template user profile on the machine will not be able “roam” to other machines.
Ok i think i’ll use your method.. i think i could “cross-share” the profile between 3 PCs
But my need is quite specific, for aster multiseat. http://www.ibik.ru/
Since i need some kind of solution to “deepfreeze” between logoff-login session,
mandatory profile seems to be only way.
This is what i did
1. Install Windows 10 1511
2. Go to audit mode
3. Install all drivers
4. Make 3 administrators account for multiseat,
Multi1, Multi2, Multi3 (all on administrators level)
5. Install Aster multi seat and assign 3 workstations to each accounts in step 4 respectively,
so at this point we have 3 accounts running on 3 monitors, 3 mice and 3 keyboards
6. Ran C:\Windows\System32\Sysprep\Sysprep.exe /oobe /generalize /reboot /Unattend:C:\Windows\System32\Sysprep\CopyProfile.xml
frm Mult2..
7. about 20 mins later “your pc ran into a problem and needs to restart”
8. after boot, getting devices ready, and then it’s stuck at “getting ready” now…
Specs : intel i3 6300 + Gygabite mobo GA-B150M-DS3H + Rx570 + 8 GB ram + 120gb ssd
Any idea how to do this properly?
Maybe it has something to do with me creating 3 additional administrator accounts for aster multiseat?
Update:
9. After waiting a while,>> region keyboard language settings.
10. enter new account
11. Aster gets scrambled again, e.g have to re-assign all of them
So i’d assume the deepfreeze didn’t work, probably because bluescreen problem earlier
When creating roaming mandatory profiles that require a lot of steps and configurations, I recommend you use a virtual machine so you can create snapshots of your progress, and revert back if an error or issue occurs. As for installing drivers, when you run Sysprep all non-essential drivers are erased from the machine (the generalize) switch accomplishes this.
I am not too familiar with the multipoint software you are using, but if you create the three administrator accounts before you run sysprep to copy the profile over to the template then the three administrator accounts will not get the template profile.
Unfortunately VM isn’t possible for my case, because AFAIK, GPU can’t be used in vmware.. i’ve tried it and it won’t detect it..
Here’s some illustration from aster website of my setup :
I tested again this time with 3 guest accounts instead of admin accounts, (multi1, multi2, multi3)
Aster setup complete,
signed in as admin user, then enter audit mode, exist audit mode
but i still got same bluescreen (Systemthreadexception not handled) after exiting audit mode,
after getting ready and setting up regions keyboard etc the aster setup is still not being saved.
You said 3 admins won’t work, 3 guests account doesn’t work either… any idea how to save this kind of setup on the profile?
It sounds like this issue is a little more complicated than both you or I anticipated, and if you would like to email me I can help you troubleshoot this issue further.
Sure what’s your email? i couldn’t find it, or if you want my email it’s denywinarto”at”gmail.com.. thanks..
How can I modify a mandatory profil after sysprep and domain integration ?
Can I rename ntuser.man in ntuser.dat, log on with a domain user, make modifications on the profile, log off and rename ntuser ?
I would like to make a mandatory profile for use on a domain. I do not understand, why a mandatory profil must be create from a local administrator user and not from a domain user.
Thank you.
I’d like to know how to edit the mandatory profile as well..
Since installing the multiseat program i told you earlier didnt work i decided to create mandatory profile first, then modify it to work with multiseat
Btw i followed your tutorial using 1703 but start menu isnt working, im prioritizing multiseat first though..
Is there a way to not create a new user profile for each user? I’m dealing with a lab environment using Deepfreeze, so creating a profile for each user takes forever and serves no purpose when I want them all the same and they go away at each reboot.
With Win7, I would copy the customized “template” profile to a folder and redirect everything there through the registry (User Shell Folders). The default profile, then would be empty and logon was very quick.
It seems like everything I have found explains how to customize the default profile that is used to create the new profile for each user, but for my purposes (and I don’t think I’m the only one) I don’t want to customize the default profile created for each user, I want to eliminate their individual profiles and actually use one already created.
Thanks in advance for any advice.
I’m a little confused with this one. Do you want to create a customized profile that is used by all users who logon to the machine? Or do you want to create a customized profile that is used by all users, but has only been checked-out by one (generic) user account which is shared by all users?
Sorry for the confusion, it would be a customized profile used by all users on that machine. There are drive mappings, and there need to be recorded logins, so logging in with a generic user (though obviously very easy to do) would not work. Thanks
So when a user signs in for the first time, a new profile is going to be generated for them. If you want to have that customized profile used each time the user signs in without being regenerated, you are going to want to follow this guide up to the point where you Sysprep the machine. At this point, enter the following command:
C:\Windows\System32\Sysprep\Sysprep.exe /oobe /generalize /shutdown /Unattend:C:\Windows\System32\Sysprep\CopyProfile.xml
You are then going to want to capture this image as it will contain your customized profile. Also, make sure you apply any desktop and application configurations in the profile itself or through group policy. You will not be able to go and make changes to the profile without re-capturing the image.
my start menu, search and Volume icons are not active after implementing mandatory profile.
any idea how to fix the issue.
Check the %USERNAME%\AppData folder and make sure the folder “Local” is not present. Also, what version of Windows are you using? I am aware Windows 10 Enterprise 2015 LTSB had roaming man. profile issues and these were some of them.
I have followed your steps exactly and the start menu does not work. I am using the 1703 version of win10. Do you know what might be causing this?
In my experience, Windows 10 Build 1703 seems to have some issues with sysprep and the copyprofile function. This causes the start menu to become unstable and internet explorer to stop working. Hopefully Microsoft will fix this with the upcoming Creator’s Update!
is it possible to create a mandatory profile on a freshly deployed windows 10 from MDT? so i can set some default settings for other programs used in the mandatory profile? but i don’t have that ctrl-shitf f3 option, but is that necessary? also i would like to know how to speed up the logon time, we don’t use most windows 10 apps. at which stage is the best way to remove those apps? while customizing the default profile or in a task within MDT?
HI,
I manage to create a mandatory profile for Windows 10 1709. when I log on to a working with Windows 10 version 1709 installed and Windows AD domain joined. I get the following error message:
“We can’t sign into your account”
“This problem can often be fixed by signing out of your account and then signing back in. If you don’t sign out now, any files you create or changes you make will be lost.
Witch version should I use to rename the profile folder V6 or V7?
Best Regards
HI,
I manage to create a mandatory profile for Windows 10 1709. when I log on to a working with Windows 10 version 1709 installed and Windows AD domain joined. I get the following error message:
“We can’t sign into your account”
“This problem can often be fixed by signing out of your account and then signing back in. If you don’t sign out now, any files you create or changes you make will be lost.
Witch version should I use to rename the profile folder V6 or V7?
Best Regards
Christophe, did you manage to resolve this? I have exactly the same problem with 1709.
Any pointers appreciated. Thanks Kev
Hi, I need some help please. I'm using VMWare and can't access CTRL SHIFT F3. Can i simply run sysprep from it's original location then choose reboot in audit mode?
Hi James,
I ran into the problem that whenever i ran Sysprep with the small unattended.xml file which only contained the 'copyprofile' setting, OOBE hung on the EULA page. somehow the EULA couldn't be found and i couldn't get passed that.
I managed to solve that by editing the xml file and adding the following lines, right after the '</copyprofiles>':
this way my OOBE went right through the account creation, instead of trying me to accept an EULA which couldn't be found.