User Profile Disks (UPD) is a Microsoft technology best known for its use on Windows RDSH (Remote Desktop Session Host) Servers. It provides a lightweight method for user setting persistence. It works by mounting the user's profile area (%USERPROFILE%) to a .VHDX (Hyper-V virtual hard disk) file on a network share and essentially redirecting all profile write actions to this mounted disk.

However, a recent post from Eirik Haavarstein indicated that it was possible to use UPD on Citrix XenApp systems. Doing so provides not just user profile persistence, but also a solution to handling certain file types. These include Outlook OST files, Windows Search and other caches that traditionally perform badly in RDSH or VDI (virtual desktop infrastructure) environments. The article also briefly mentions testing on Windows client systems. So what I set out to investigate was – just how easy, and how feasible, is it to use UPD on Windows 10?

Firstly, does Microsoft even support UPD on Windows client systems?

The official answer is yes – for VDI only. There's no detail as to what flavor of VDI this referenced, so I assume it means VDI of any type. However, as with the UPD feature on RDSH, you may find documentation and support to be a bit, shall we say, lacking. It's clear that Microsoft doesn't seem particularly interested in UPD as a key feature, which is a shame. In certain situations, it can provide an easy way of providing a persistence solution that gets around some of the major drawbacks of a traditional roaming profile.

So, assuming we are using Windows 10 VDI (or maybe you're running Windows 10 physically and just want to see if it might provide an easy but unsupported solution), how do we go about setting this up?

Setup

First, you need a file share to hold the profiles you will be mounting. Dependent on user volume, you may want this to be quite sizeable, because UPD captures the entire user profile, and on Windows 10, profiles have gotten rather large. It would also make sense to use fast storage for this where possible.

UPD isn't as sensitive as roaming profiles are to transient network conditions. This is mainly because it only writes to a single file, and a large number of files is just as bad for profile performance as sheer size. However, for something that is going to be central to the entire user experience, I would definitely recommend using fast storage. In addition, ensure that you fully patch your file server before using UPD.

You need to set both NTFS and share permissions so that all devices accessing it have full control. Attaching and detaching the VHDX file occurs in the context of the computer account, so either individually add the accounts for your client machines or use the Domain Computers group.

Filesystem permissions


Share permissions

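One way to script the permissions described above and then check that nothing broader was left on the share (an added example, not from the original article; the path D:\Profiles, the share name Profiles and the group CONTOSO\Domain Computers are assumptions):

```powershell
# Added example. Assumed names: D:\Profiles, share "Profiles", CONTOSO\Domain Computers.
# Run in an elevated session on the file server.
$Path      = 'D:\Profiles'
$ShareName = 'Profiles'
$Computers = 'CONTOSO\Domain Computers'   # or a narrower group holding only the UPD clients
$Trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $Computers

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS: stop inheriting from the volume root (inherited entries are discarded),
# then grant full control to the trusted set only.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in $Trusted) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share: full control for administrators and the computer accounts that attach the VHDX.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path `
        -FullAccess 'BUILTIN\Administrators', $Computers | Out-Null
}

# Audit: list every Allow entry that is not in the trusted set, for example an
# "Everyone" grant added during troubleshooting and never removed.
$shareExtra = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -notin $Trusted }
$ntfsExtra = (Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference.Value -notin $Trusted }

if ($shareExtra -or $ntfsExtra) {
    Write-Warning 'Unexpected principals have access to the profile share:'
    $shareExtra | Select-Object @{n='Layer';e={'Share'}}, AccountName, AccessRight
    $ntfsExtra  | Select-Object @{n='Layer';e={'NTFS'}},
                                @{n='AccountName';e={$_.IdentityReference.Value}},
                                @{n='AccessRight';e={$_.FileSystemRights}}
} else {
    Write-Output "Only the trusted set has access to $Path and \\$env:COMPUTERNAME\$ShareName."
}
```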

Next, inside the file share, create a folder for each operating system for which you will be using UPD. You'll need to subdivide them by profile version number, so Windows 10 RTM and 1511 can share a folder, but Windows 10 1607 will need a separate one. In this case, we have simply created three folders, one each for Windows 10 1511 (and RTM) and Windows 10 1607, and a separate one for Windows Server 2016.

Folder structure


After this, we need to create a template VHDX file for our systems using PowerShell. It doesn't matter which operating system you create the template VHDX from, but I used Windows 10 1607 just to err on the side of caution. Open up an administrative PowerShell session and run the following command (changed to fit your file share and path):

(get-wmiobject -ns root\cimv2\terminalservices -class win32_tssessiondirectory).createuserdisktemplate("\\SERVER\SHARE\Profiles",1)

You can change the last value (1) – this is for the size of the template profile in GB. You may want to make it a little higher than 1 GB if you anticipate any bloat in profiles. For a production environment, 5 GB may be a better size to start with, assuming you have the space available.

You should now see a template VHDX file created in the share you specified.

Template file


You now need to copy this file to each of the OS-specific subfolders you created.

Copied template


We now need to enable UPD on our Windows 10 clients. To do this, open up an administrative PowerShell session again and run the following command (changed to fit your profile share and path). If you have multiple OS version folders, you will need to point each client to the correct folder path for its operating system. For instance, this is what we would run on Windows 10 1607 machines:

(gwmi -ns root\cimv2\terminalservices -class win32_tssessiondirectory).enableuservhd("\\SERVER\SHARE\Profiles\Win10-1607","<UvhdRoamingPolicy><RoamingMode>0</RoamingMode></UvhdRoamingPolicy>")

And this is what we would use on Windows 10 1511 machines

(gwmi -ns root\cimv2\terminalservices -class win32_tssessiondirectory).enableuservhd("\\SERVER\SHARE\Profiles\Win10-1511","<UvhdRoamingPolicy><RoamingMode>0</RoamingMode></UvhdRoamingPolicy>")

After running this, you should see the following output:

PowerShell output


This command creates a set of registry values in the key:

HKLM\System\CurrentControlSet\Control\Terminal Server\ClusterSettings

User Profile Disks Registry values


The UvhdEnabled value indicates whether UPD is enabled on the endpoint or not.

The UvhdShareUrl tells it where to store the UPD profiles for each user.

The UvhdRoamingPolicyFile value tells it where to look for a configuration XML file. This should always be set to the default (C:\Windows\RemotePackages\RDFarm\UvhdRoamingPolicy.xml) and should always have the following content:

XML file content


Now you're probably thinking that this would be easy enough to enforce with Group Policy. Indeed, it would. A Group Policy startup script (filtered by devices) that runs the gwmi enableuservhd command shown above would suffice to activate UPD on target machines automatically. Bear in mind that the different OS versions need a different path in the command, so you'd probably have to use a WMI filter on the Group Policy Object (GPO) to ensure each OS points to the right path. The same applies to the registry values, which you could enforce with Group Policy preferences within the same GPO.

If you need a WMI filter to differentiate between different Windows 10 versions, use these:

Windows 10 1511 WMI filter

Windows 10 1607 WMI filter

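As an alternative to one GPO per WMI filter, a single startup script can pick the folder from the OS build and then verify the registry values listed earlier. This is an added example, not from the original article; the folder name WinSrv-2016, the template file name UVHD-template.vhdx and the UvhdEnabled value of 1 are assumptions.

```powershell
# Added example. Runs as a computer startup script (SYSTEM, so the share is reached
# with the computer account). Assumed: "WinSrv-2016" folder, UVHD-template.vhdx name,
# UvhdEnabled = 1 meaning enabled.
$Root       = '\\SERVER\SHARE\Profiles'
$Policy     = '<UvhdRoamingPolicy><RoamingMode>0</RoamingMode></UvhdRoamingPolicy>'
$PolicyFile = 'C:\Windows\RemotePackages\RDFarm\UvhdRoamingPolicy.xml'
$Key        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings'

function Get-UpdFolder {
    param([int]$Build, [int]$ProductType)
    if ($ProductType -eq 1) {                 # 1 = workstation, 2/3 = DC/server
        switch ($Build) {
            10240 { return 'Win10-1511' }     # RTM shares the 1511 folder
            10586 { return 'Win10-1511' }
            14393 { return 'Win10-1607' }
        }
    } elseif ($Build -eq 14393) {             # Server 2016 has the same build as 1607
        return 'WinSrv-2016'
    }
    return $null                              # unknown build: do nothing
}

function Test-UpdConfigured {
    param([string]$Target)
    $v = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    return ($null -ne $v) -and ($v.UvhdEnabled -eq 1) -and
           ($v.UvhdShareUrl -eq $Target) -and
           ($v.UvhdRoamingPolicyFile -eq $PolicyFile) -and
           (Test-Path -LiteralPath $PolicyFile)
}

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$folder = Get-UpdFolder -Build ([int]$os.BuildNumber) -ProductType ([int]$os.ProductType)
if (-not $folder) {
    Write-Warning "No UPD folder mapped for build $($os.BuildNumber); skipping."
    return
}

$target = "$Root\$folder"
if (Test-UpdConfigured -Target $target) { return }      # already enabled, nothing to do

if (-not (Test-Path -LiteralPath "$target\UVHD-template.vhdx")) {
    Write-Warning "Template missing or share unreachable: $target"
    return
}

try {
    $sd = Get-WmiObject -Namespace root\cimv2\terminalservices `
                        -Class Win32_TSSessionDirectory -ErrorAction Stop
    $sd.EnableUserVhd($target, $Policy) | Out-Null
} catch {
    # Covers a missing namespace or class on editions without the feature.
    Write-Warning "EnableUserVhd failed: $($_.Exception.Message)"
    return
}

if (-not (Test-UpdConfigured -Target $target)) {
    Write-Warning "UPD registry values under $Key do not match $target after enabling."
}
```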

And now we're completely set up; we just need to test.

Testing

When you log on, you should see a VHDX file created in the subfolder for the target operating system as below. There is one for each user, named by security identifier (SID).

User Profile Disks

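Because the disks are named by SID, a short inventory script makes it easier to see who owns each file and to spot disks whose account no longer resolves. This is an added example, not from the original article; the share path is the article's placeholder and the function names are hypothetical.

```powershell
# Added example. Function names are hypothetical; the path is the article's placeholder.
function Resolve-UpdOwner {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$FileName)
    process {
        # Pull a domain or local account SID out of the file name, whatever the prefix.
        $sidText = [regex]::Match($FileName, 'S-1-5-21(-\d+)+').Value
        if (-not $sidText) { return }        # template file or unrelated VHDX
        try {
            $sid     = [System.Security.Principal.SecurityIdentifier]::new($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Deleted account, unreachable domain or malformed SID.
            $account = $null
        }
        [pscustomobject]@{ Sid = $sidText; Account = $account }
    }
}

function Get-UpdInventory {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter *.vhdx -File | ForEach-Object {
        $owner = Resolve-UpdOwner -FileName $_.Name
        if ($owner) {
            [pscustomobject]@{
                File      = $_.Name
                Account   = if ($owner.Account) { $owner.Account } else { '<unresolved>' }
                Sid       = $owner.Sid
                SizeMB    = [math]::Round($_.Length / 1MB, 1)
                LastWrite = $_.LastWriteTime
            }
        }
    }
}

# Disks whose SID no longer resolves still hold that user's profile data;
# list them first so they can be reviewed and archived or removed.
Get-UpdInventory -Path '\\SERVER\SHARE\Profiles\Win10-1607' |
    Sort-Object @{ Expression = { $_.Account -ne '<unresolved>' } }, LastWrite |
    Format-Table -AutoSize
```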

Users logging on via UPD should not have roaming profiles or mandatory profile paths set on the Active Directory (AD) object, or there may be problems. If a local or roaming profile already exists on the endpoint, UPD will rename this profile to a "backup" folder.

The user's profile folder will simply appear to be a mounted VHD rather than a traditional filesystem folder, but applications and data will write to this seamlessly.

Mounted VHDX


Each user can only have one UPD session at a time. The reason for this is that the session locks the VHDX file exclusively, as you can see.

Locked files


You also cannot apply UPD specifically to subsets of users. It is a device-level setting, so an administrator logging on to the endpoint will also create a UPD profile.

Logon time seems to vary; the first logon can be around one to two minutes, while subsequent logons might vary from about forty seconds up to a minute. I tested this in a small lab using spinning disks though, so you should expect better performance in enterprise situations.

Occasionally, the file lock will not release cleanly when the user logs out, and this will fail to remove the junction point for the user's folder in C:\Users. You can rectify this by closing the open handle on the file server or by simply restarting the client endpoint that has the VHDX file locked. Do not, if possible, perform a hard reset on any devices that have open file locks; this can cause the profile to become corrupted. To prevent this lock issue from occurring, it may be useful in VDI environments to set the devices to restart whenever a user logs out or disconnects (see this thread for a discussion of doing this on Citrix XenDesktop).

An administrator wishing to edit the profile of a user not currently logged in can mount the VHDX file and edit it directly. However, remember to unmount the file after completing the editing.

Summary

You can use UPD on Windows 10 using the technique described above. It provides a quick and low-overhead method of setting up user persistence without any extra expenditure. In addition, it roams the entire user profile, overcoming some of the limitations of a traditional roaming profile. It also deals with the performance issues of things like Outlook OST files in a VDI or RDSH environment.

UPD does require a lot of storage overhead and is limited to single sessions. Moreover, the occasional file lock means you may have to put in some mitigations against this. What's more, the habit of storing the VHDX file with the SID means that in high-volume environments, it is sometimes tricky to work out which UPD belongs to which user.

It is also worth mentioning that FSLogix has taken the UPD concept and improved it with their Profile Containers product. Profile Containers works in much the same way, but has added support for older client operating systems like Windows 7 and 8, removed the file locking issues, improved the logon times, appended user names to the VHDX file names, and also has much more readily available support than Microsoft with regard to the product. Admittedly, this comes at a (fairly low) license cost, but there is more in the FSLogix suite than just the Profile Containers part. If you're going to use a technology like UPD in a busy production environment, then the price for FSLogix is in my opinion worth paying.

Credits


Thanks to Claudio Rodrigues and Eirik Haavarstein for originally bringing this technique to my attention, and to Toby Phipps for providing Claudio with the commands to enable UPD in this fashion.

33 Comments
  1. david 5 years ago

    What's the impact on using mounted VHDX on the File Server? is it greater compared to the standard roaming profiles?

  2. Author

    Standard roaming profiles (without redirection) only put load on the file server at logon and logoff as the profile is copied up there. However it is uncommon to see roaming profiles in use without folder redirection which imposes a load of its own during the session. The User Profile Disk maintains a single open file during the session which is read and written to, so in theory it should not create a significant increase in load (dependent on the number of users that are connected).

  3. Martin 5 years ago

    When I open up an administrative PowerShell session and run the command (gwmi -ns root\cimv2\terminalservices -class win32_tssessiondirectory).enableuservhd("\\myserver\myshare\Win10-1607","<UvhdRoamingPolicy><RoamingMode>0</RoamingMode></UvhdRoamingPolicy>") I get the  following error message from Powershell:

     

    gwmi :
    At line:1 char:2
    + (gwmi -ns root\cimv2\terminalservices -class win32_tssessiondirectory ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-WmiObject], FileNotFoundException
    + FullyQualifiedErrorId : System.IO.FileNotFoundException,Microsoft.PowerShell.Commands.GetWm
    iObjectCommand

    Tested on Windows 10 1607. On Windows Server 2012R2 with the other share it works perfect. Any idea?

     

    Regards
    Martin

    • Rick 3 years ago

      Hello I found out why this error happens and what you need to do. Because UHDs are normally used on servers for remote sessions.. You need to enable RDP on your clients and after that the command will work.. 🙂

       

  4. Author

    Hi Martin

    That doesn't happen when I test on Windows 10. "File not found" sounds odd. Can you actually browse to the path where it creates the file (C:\windows\RemotePackages\xxxx) and see if that folder structure exists on the Windows 10 endpoints?

  5. Martin 5 years ago

    Hi James,

    thanks for the fast response. Yes, the folder structure exists and the file has been written with correct content.

     

  6. Author

    Hmmm, strange. Are all the permissions right on the folders and the shares? Sorry I can't test very thoroughly for you at the moment, I am away at an event currently.

  7. Martin 5 years ago

    I think so. On Windows Server 2012R2 with same permissions it works perfectly. I've granted access with full rights for everyone temporarily and used the command -> same error... Cannot find anything helpful in Google search...

  8. Author

    Are you using the Enterprise version of Windows 10?

  9. Martin 5 years ago

    no, windows 10 pro

  10. Author

    Ah that may be the issue then. All my testing is done on Enterprise. The Pro edition is somewhat hobbled so may not have this available as a feature, per se.

  11. Per-Ole Fanuelsen 5 years ago

    Is it possible to exclude folders for this on Windows 10? I can find examples on Windows 2012R2 RDSH but when searching for exclusions on a client OS I can't find anything related.

    Problem is that some users have spotify and chrome, this will quickly make UPD size of 1GB and more.

    Thanks for nice guide BTW.

     

  12. Author

    I was going to do a follow-up article around this...

    On Server 2012 R2, if you enable this, there are options for the UPD that allow you to exclude folders. I'm assuming these translate to Registry keys. So if you exclude certain folders on the Server UPD and then search the Registry for these folders you should find the exclusion keys.

    Apologies if this is a bit fiddly - hopefully I might be able to track them down and do a follow-up article by the end of the week or so.

  13. Per-Ole Fanuelsen 5 years ago

    I will do some testing tomorrow to see if it is registry keys that do the trick. Gonna install a Windows 2016 server and do the UPD stuff there and see if I can find where the exclusions get applied.

  14. Martin 5 years ago

    I've upgraded Windows 10 Pro to Enterprise, still the same error.

     

  15. Martin 5 years ago

    I've set up the registry keys you mentioned manually via group policy. The UvhdRoamingPolicyFile has been created to C:\Windows\RemotePackages\RDFarm\UvhdRoamingPolicy.xml

    On next login I get a message from Windows 10 "We can't sign into your account". Then I can dismiss or log off. After dismiss I get a message that I've been logged in with a temporary user profile.

    Seems that access to profile disk does not work. I checked the privileges twice on the UHD file. Same as for the windows server 2k12R2 folder which works fine. Cannot find more information in eventlog.

    Any clues?

    • Author

      Sorry, I can't seem to recreate the error you are having. UPD is supported in this way when using it for VDI, so you may be able to get Microsoft support to help.

      This does, however, bear out my point at the end of the article that UPD is a temperamental product. If you're looking to deploy this in a production environment, FSLogix Profile Containers may well be worth looking into.

      Thanks,

      JR

  16. Per-Ole Fanuelsen 5 years ago

    I found out where you can set exclusions. You put the exclusions in the C:\Windows\RemotePackages\RDFarm\UvhdRoamingPolicy.xml

    Here is my example of the xml file with exclusions:

    <UvhdRoamingPolicy><RoamingMode>0</RoamingMode><Exclude><Folder>AppData\Local\Google\Chrome\User Data\Default\Cache</Folder><Folder>AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images</Folder><Folder>AppData\Local\Spotify</Folder><Folder>Documents</Folder><Folder>Downloads</Folder><Folder>Music</Folder><Folder>Videos</Folder><Folder>Saved Games</Folder><Folder>Desktop</Folder></Exclude></UvhdRoamingPolicy>

    I have put the exclusions in bold.

     

    This is how you exclude a single folder:

    <Exclude><Folder>AppData\Local\Google\Chrome\User Data\Default\Cache</Folder></Exclude>

    If you want to exclude more, you put the <Folder></Folder> inside the <Exclude></Exclude>

    Hope this helps.

    • Author

      Thanks Per, that's saved me a job! 🙂 I will write an updated article in future and credit you for the findings.

      Thanks,

      JR

  17. Martin 5 years ago

    Hi James,

    I've tried FSLogix in trial mode. I get the same "temp profile" profile there, also tested on another share / file server. You can set up many parameters in the registry, yes, but nothing helped.

    Don't know what's wrong in my environment...

    Regards
    Martin

    • Author

      It sounds like the server with the file share might not be fully patched. We had that issue very early on in testing but a patch remedied it.

      Are you using a Windows file server and is it fully patched? If not, it might be worth doing the patching or testing a Windows SMB file share for this...

  18. Martin 5 years ago

    I've fully patched the test file server (cannot reboot the other during working hours), but no changes. I still get a temp profile. The strange thing is that on Windows Server 2012 R2 (the XenApp terminal server) it works perfectly on the same file server.

    • Author

      When you see the temp profile, is there a file lock for the VHD file showing on the file server?

  19. Martin 5 years ago

    You mean the template VHD file in the client subfolder? No, it's not locked when I get the temp profile...

  20. David Ray 4 years ago

    I know this is a bit late... just mentioning on the off chance that someone figured this out.

    I get the same error Martin does.  Just trying to retrieve the object alone gives the error.

    Get-WmiObject -Namespace Root\cimv2\TerminalServices -Class Win32_TSSessionDirectory
    
    Get-WmiObject :
    At line:1 char:1
    + Get-WmiObject -Namespace Root\cimv2\TerminalServices -Class Win32_TSS ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo : NotSpecified: (:) [Get-WmiObject], FileNotFoundException
     + FullyQualifiedErrorId : System.IO.FileNotFoundException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
    
    

    I am in Windows 10 1703.  Have not been able to figure it out.

     

  21. David Ray 4 years ago

    Well, I did figure out why the command would not work in Windows 10 1703 (at least... I did not test other builds).  I found that there was no HKLM\CurrentControlSet\Control\Terminal Server\ClusterSettings key.  I created that key and after that the command seemed to work as described.

    But.... even though it appears to be setup correctly I am not getting any UPD-ness.  I have the share as described and on the client I have the reg settings and file as described.  Just doesn't appear to do anything.  FWIW - I am booting Win10 Ent. 1703 from Citrix PVS.

    Hope the above may help someone who is trying to figure this out.  I am done with it for now.

    Good luck.

     

  22. Marc 4 years ago

    We have had the same issue on and off since we started, I opened a ticket with Microsoft to get this sorted out. Our environment is fully patched. All servers are Server 2012 R2. We are using RDVH servers. Also we are using Microsoft Virtual Desktops. No Citrix or anything. All that to say we have been working with Microsoft support to get it fixed and they actually could not help and basically said this is a known issue that only half of their customers experience and it is not high enough on the priority list for the engineers to work on fixing. Just my thoughts on the matter. We use a program called SIDDer to help fix the problem when it happens. This program shows what UPD goes to which Username. Which greatly reduces the time to fix the issue. We have about 20 users that experience this issue on a weekly basis. I am curious if this FSLogix product could help us in our environment.

  23. Author

    FSLogix would definitely help you get around this issue, but obviously it has a dollar value attached to it 🙂 Feel free to hit me up if you want more info

  24. Chee Yang 4 years ago

    I am using Windows 10 Home edition.

    When I run

     (gwmi -ns root\cimv2\terminalservices -class win32_tssessiondirectory).enableuservhd("V:\product
    ion\profiles.win1709","<UvhdRoamingPolicy><RoamingMode>0</RoamingMode></UvhdRoamingPolicy>")

    I get this error:

    gwmi : Invalid namespace "root\cimv2\terminalservices"
    At line:1 char:2
    + (gwmi -ns root\cimv2\terminalservices -class win32_tssessiondirectory ...
    +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Get-WmiObject], ManagementException
        + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
    
    You cannot call a method on a null-valued expression.
    At line:1 char:1
    + (gwmi -ns root\cimv2\terminalservices -class win32_tssessiondirectory ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull

  25. Michel 3 years ago

    I use Win 10 Ent 1803 and I also have it setup as requested. It is not working when logging in.

    Remote Desktop Services could not obtain a user profile disk for the user account with a SID of ***. Verify that the user profile disk location is accessible, the server's computer account has read and write permissions to it, and that the location has a user profile disk template file present. The error code is 0x43.82

    There is a UPD Template but it seems it is not using it to login. The security is even set on Everyone FC for share and NTFS.

    Sad to see it not work.


© 4sysops 2006 - 2021
