No particular engine controls roaming profiles. They instead rely on a registry value in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. This value is a string (REG_SZ) called ExcludeProfileDirs. It tells the roaming profile which folders under %USERPROFILE% not to save. The screenshot below shows the default values on Windows 10.
Why to include folders
You can see from the screenshot above that the system excludes AppData\Local by default. However, to capture the Windows 10 Start Menu, we need to capture the AppData\Local\TileDataLayer folder.
So if we remove AppData\Local from the exclusion list and then add every other subfolder to the exclusion list except the one we are interested in (TileDataLayer), the roaming profile will capture the Windows 10 Start Tiles settings.
Now the number of subfolders within %LOCALAPPDATA% that you need to exclude will depend very much on what your application sets are. It is very important to exclude folders like Google (for Chrome) and Mozilla (for Firefox) as these bloat quite heavily.
You need to make sure that you keep the exclusion list current and streamlined; otherwise you will soon start capturing lots of unwanted data that is transmitted to and stored on the network. The example list I have here is based around a very simple Windows 10 setup. So make sure you include all relevant subfolders for your environment!
How to include and exclude folders
The easy way to enforce this is to use a Group Policy Preference (GPP). Here is an example of the one I have used to set this. Make sure the list is semicolon-delimited, and state the excluded folders as subfolders of the %USERPROFILE% folder.
That is, quite simply, all you need to set up. Now the roaming profile will capture the %LOCALAPPDATA%\TileDataLayer subfolder into the roaming profile share when the user logs off, and restore it when the user logs back on again.
If you're using the latest version of Windows 10 fully patched, you should find that using a roaming profile in this way allows you to seamlessly maintain Start Tiles settings, file type associations, and everything else the user needs.
Finally, you'll need to apply slightly changed permissions to the profile folders to allow administrative access for ongoing monitoring and maintenance. I normally apply permissions as below either through inheritance or GPO settings.
What folders to include
In an ordinary environment, here's a good list to start with. It includes the registry entries to cover you for some of the most common folders out there on a Windows 10 machine. If you aren't using some of the software specified, then it won't cause any trouble to add them in. If they're not present, the system won't process them at all.
- AppData\LocalLow
- $Recycle.Bin
- OneDrive
- WorkFolders
- AppData\Local\ConnectedDevicesPlatform
- AppData\Local\Google
- AppData\Local\GroupPolicy
- AppData\Local\Microsoft
- AppData\Local\PeerDistRepub
- AppData\Local\Publishers
- AppData\Local\Temp
- AppData\Local\VirtualStore
- AppData\Local\Mozilla
- AppData\Local\Packages
- AppData\Local\AppSense (if using AppSense, as I was)
- AppData\Local\History
- AppData\Local\MicrosoftHelp
- AppData\Local\Publishers
- AppData\Local\Comms
- AppData\Local\HP
- AppData\Local\TemporaryInternetFiles
- AppData\Local\VirtualStore
- AppData\Local\Winternals
- AppData\Local\Adobe
- AppData\Local\Apple
- AppData\Local\AppleComputer
- AppData\Local\Autodesk
- AppData\Local\Chromium
- AppData\Local\CrashDumps
- AppData\Local\NVIDIA
- AppData\Local\NVIDIACorporation
- AppData\Local\Skype
- AppData\Local\WebEx
- AppData\Local\Foxit Reader
- AppData\Local\Macromedia
- AppData\Local\Microsoft_Corporation
- AppData\Local\Real
- AppData\Local\DropBox (if using DropBox)
- AppData\Local\VMware
- AppData\Local\Windows Live
- AppData\Local\CrashDumps
- AppData\Local\Citrix (if using Citrix)
Bear in mind that these entries need to be semicolon-delimited.
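One way to generate the semicolon-delimited value and check a machine against it, as an added PowerShell example that is not part of the original article. It goes beyond the hand-maintained list by enumerating the subfolders that actually exist under %LOCALAPPDATA% for the logged-on user; the variable names and the contents of `$Roam` and `$Baseline` are assumptions to adjust for your environment. The script only reads the registry and leaves setting the value to the GPP described above.

```powershell
# Added example: build and audit ExcludeProfileDirs for the current user.
# $Roam and $Baseline are assumptions; edit them to match your environment.
$key      = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Roam     = @('TileDataLayer')   # AppData\Local subfolders that should roam
$Baseline = @('AppData\LocalLow', '$Recycle.Bin', 'OneDrive', 'WorkFolders')

# Every subfolder present under %LOCALAPPDATA%, except the ones we want to roam,
# written relative to %USERPROFILE% as the value expects.
$local = Get-ChildItem -LiteralPath $env:LOCALAPPDATA -Directory -Force |
    Where-Object { $Roam -notcontains $_.Name } |
    ForEach-Object { "AppData\Local\$($_.Name)" }

# De-duplicate (case-insensitive) and join with semicolons.
$wanted = @($Baseline + $local) | Sort-Object -Unique
$value  = $wanted -join ';'

# Read the value currently applied and split it back into entries.
$current = (Get-ItemProperty -Path $key -Name ExcludeProfileDirs `
            -ErrorAction SilentlyContinue).ExcludeProfileDirs
$configured = @("$current" -split ';' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })

# A blanket AppData\Local entry (the Windows 10 default) also excludes TileDataLayer.
if ($configured -contains 'AppData\Local') {
    Write-Warning 'AppData\Local is excluded as a whole; nothing under it will roam.'
}
foreach ($r in $Roam) {
    if ($configured -contains "AppData\Local\$r") {
        Write-Warning "AppData\Local\$r is in the exclusion list and will not roam."
    }
}

# Folders on disk that the applied list does not cover: these will be copied
# to the profile share at logoff unless they are added to the GPP value.
$drift = @($wanted | Where-Object { $configured -notcontains $_ })

[pscustomobject]@{
    ProposedValue = $value    # paste into the GPP registry item
    NotYetExcluded = $drift   # review before each change to the list
}
```

Run it as a test user after installing your standard application set, and rerun it when that set changes to see which new folders need adding.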
Obviously, you will still have the limitations of a roaming profile: possible corruption, last writer wins, limited to a single OS or profile version, and so on. But for a lightweight method of a roaming user state from session to session, it works very well. There's also the added bonus that it will extend onto Server 2016 Remote Desktop Session Host (RDSH) sessions as well. If you're using Modern Apps on Windows 10 though, you will get blank Start Menu entries where the Modern Apps were on the Server 2016 session.
However, this little trick also extends your capabilities with roaming profiles a lot. You could even selectively include other folders from %LOCALAPPDATA% if you want to roam them as well. Logon times are also quite reasonable with this method. I observed around a minute for the very first logon after creating the roaming profile, and 20–40 seconds for each logon after that.
If you would like to see this method in action, I have recorded a YouTube video: