Include and exclude folders in roaming user profiles

• Author
• Recent Posts

James Rankin

James is a consultant from the UK, specializing mainly in end-user computing, Active Directory and client-side monitoring. When not consulting for james-rankin.com, he can often be found blogging, writing technical articles and speaking at conferences and user groups.

Latest posts by James Rankin (see all)

• Can’t uninstall app: Delete or change Windows apps that have been flagged as non-removable - Thu, Mar 16 2023
• FSLogix VHDX compaction: Resize virtual disks - Thu, Dec 1 2022
• Sysinternals Process Monitor: Real-time file system, registry, and process monitoring - Fri, Oct 28 2022

No particular engine controls roaming profiles. They instead rely on a registry value in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. This value is a string (REG_SZ) format and is called ExcludeProfileDirs. It tells the roaming profile what not to save from the %USERPROFILE% folder. The screenshot below shows the default values on Windows 10.

ExcludeProfileDirs default settings

Why to include folders

You can see from the screenshot above that the system excludes AppData\Local by default. However, to capture the Windows 10 Start Menu, we need to capture the AppData\Local\TileDataLayer folder.

So by this method, if we were to remove AppData\Local from the exclusion list, and then add all the other subfolders to the exclusion list except the one we are interested in (TileDataLayer), we could make our roaming profile capture the Windows 10 Start Tiles settings.

Now the number of subfolders within %LOCALAPPDATA% that you need to exclude will depend very much on what your application sets are. It is very important to exclude folders like Google (for Chrome) and Mozilla (for Firefox) as these bloat quite heavily.

You need to make sure that you keep the exclusion list current and streamlined; otherwise you will soon start capturing lots of unwanted data that is transmitted to and stored on the network. The example list I have here is based around a very simple Windows 10 setup. So make sure you include all relevant subfolders for your environment!

How to include and exclude folders

The easy way to enforce this is to use a Group Policy Preference (GPP). Here is an example of the one I have used to set this. Make sure the list is semicolon-delimited, and state the excluded folders as subfolders of the %USERPROFILE% folder.

Group Policy Preferences to enable Windows 10 roaming profile

That is, quite simply, all you need to set up. Now the roaming profile will capture the %LOCALAPPDATA%\TileDataLayer subfolder into the roaming profile share when the user logs off, and restore it when the user logs back on again.

Roaming profile with LOCALAPPDATA

If you're using the latest version of Windows 10 fully patched, you should find that using a roaming profile in this way allows you to seamlessly maintain Start Tiles settings, file type associations, and everything else the user needs.

Finally, you'll need to apply slightly changed permissions to the profile folders to allow administrative access for ongoing monitoring and maintenance. I normally apply permissions as below either through inheritance or GPO settings.

Profile permissions

Windows 10 with full roaming profile capability

What folders to include

In an ordinary environment, here's a good list to start with. It includes the registry entries to cover you for some of the most common folders out there on a Windows 10 machine. If you aren't using some of the software specified, then it won't cause any trouble to add them in. If they're not present, the system won't process them at all.

AppData\LocalLow
$Recycle.Bin
OneDrive
WorkFolders
AppData\Local\ConnectedDevicesPlatform
AppData\Local\Google
AppData\Local\GroupPolicy
AppData\Local\Microsoft
AppData\Local\PeerDistRepub
AppData\Local\Publishers
AppData\Local\Temp
AppData\Local\VirtualStore
AppData\Local\Mozilla
AppData\Local\Packages
AppData\Local\AppSense (if using AppSense, as I was)
AppData\Local\History
AppData\Local\MicrosoftHelp
AppData\Local\Publishers
AppData\Local\Comms
AppData\Local\HP
AppData\Local\TemporaryInternetFiles
AppData\Local\VirtualStore
AppData\Local\Winternals
AppData\Local\Adobe
AppData\Local\Apple
AppData\Local\AppleComputer
AppData\Local\Autodesk
AppData\Local\Chromium
AppData\Local\CrashDumps
AppData\Local\NVIDIA
AppData\Local\NVIDIACorporation
AppData\Local\Skype
AppData\Local\WebEx
AppData\Local\Foxit Reader
AppData\Local\Macromedia
AppData\Local\Microsoft_Corporation
AppData\Local\Real
AppData\Local\DropBox (if using DropBox)
AppData\Local\VMware
AppData\Local\Windows Live
AppData\Local\CrashDumps
AppData\Local\Citrix (if using Citrix)

Bear in mind that these entries need to be semicolon-delimited.

Conclusion

Obviously, you will still have the limitations of a roaming profile: possible corruption, last writer wins, limited to a single OS or profile version, and so on. But for a lightweight method of a roaming user state from session to session, it works very well. There's also the added bonus that it will extend onto Server 2016 Remote Desktop Session Host (RDSH) sessions as well. If you're using Modern Apps on Windows 10 though, you will get blank Start Menu entries where the Modern Apps were on the Server 2016 session.

However, this little trick also extends your capabilities with roaming profiles a lot. You could even selectively include other folders from %LOCALAPPDATA% if you want to roam them as well. Logon times are also quite reasonable with this method. I observed around a minute for the very first logon after creating the roaming profile, and 20–40 seconds for each logon after that.

If you would like to see this method in action, I have recorded a YouTube video: