The Enterprise Eightfold Path

How to create mandatory profiles in Windows 10 Creators Update (1703)


By James Rankin | Friday 2 June 2017


I wrote a comprehensive post a few years ago (God, it’s been that long?) on how to create mandatory profiles. When Windows 10 came along, mandatory profiles had been completely and utterly forgotten about, and simply didn’t work. After a while, they got around to fixing this, and I ended up recording a (rather long!) video about how to create them.

Unfortunately this had some issues around UWP apps, in that they seemed not to work very well when using a mandatory profile. And then, just as I was getting around to having a look at the UWP issue, Microsoft released the Creators Update (1703). This, although it ostensibly brought back the capability to use the Copy Profile command to create a mandatory profile, also had the annoying effect of breaking the Start Menu when you used a mandatory profile (thanks to Pim for the heads up on this issue). So, yesterday I set about cracking these issues. We needed to create a mandatory profile and test:-

a) Whether the Start Menu functions

b) Whether the UWP apps function

c) If both of the above still work OK when the user logs in to a second machine

Now, the only officially supported way to create a mandatory profile is by using Audit Mode to create a custom default user profile, and then using the Copy Profile command to move the customized default user profile to a network share. This is the way I’ve attacked it in the new video I’ve recorded. This article is intended to supplement that – and if you choose to do it the old-fashioned way, by copying an existing profile directly into a network share, you’re going to get problems. Believe me, I’ve tried!

Pre-requisites

We need:-

a) a network share to hold our user profile

b) a Windows 10 1703 machine to create the custom default profile on

c) a functional Active Directory environment

d) Ensure this Registry value is set on your devices – HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SpecialRoamingOverrideAllowed REG_DWORD value 1

Hopefully you should have all that checked!

The hard work – creating the mandatory profile

Build a Windows 10 1703 machine and enter Audit Mode. You trigger Audit Mode when it reaches the screen that asks you which regional layout you want, and do it by pressing Ctrl-Shift-F3. The machine will then log you in and put up a sysprep prompt – click Cancel on this.

Once logged on, customize the environment how you want your mandatory profile to look. How much or how little you do probably really depends on what you are using the mandatory profile for. If you are using it as a base for a UEM product, then you probably don’t want much customization. If you’re using it for a kiosk or similar device, you may want a lot. Some of the things I find it handy to set are browser home pages, browser search provider, “show file extensions” in Explorer, change the default view in “This PC” away from Quick Access – it’s entirely up to you how much or how little you customize. Here’s how much I did – complete with “odd” icon placement so I can tell if it has worked 🙂

Next, create an XML file with the following text (use straight ASCII double quotes throughout – curly quotes picked up when copying from a web page will make sysprep reject the file):

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <CopyProfile>true</CopyProfile>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="wim:D:/sources/install.wim#Windows 10 Enterprise" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

Change the cpi:source value in the cpi:offlineImage line to match your environment (the path to the install files, and the Windows 10 edition).

Make a note of the XML file name and path – I normally copy it to C:\unattend.xml

Next, open an administrative command prompt and run the following command

%windir%\system32\sysprep\sysprep.exe /generalize /oobe /reboot /unattend:c:\unattend.xml

where c:\unattend.xml is the path to the XML file you created.

Now, this will restart the system and complete the installation, copying your user profile into the default user profile area.

After this, I normally apply all patches and join the domain. Once this is done, log on with a domain account that has access to the network share where you intend to store the profile, and open up the Advanced System Properties dialog. Click on the Advanced tab and then Settings. Highlight the Default Profile, and click Copy To.

Enter the path that you wish to copy to, change Permitted to use to say Authenticated Users, and check the box for Mandatory profile (not that it appears to do anything, but hey, check it anyways)

This copies the Default Profile across to our file share – but it’s not done properly, sadly. Firstly, we need to set the permissions correctly. The filesystem needs to have the permissions set as below:-

  • ALL APPLICATION PACKAGES – Full Control (this is mega-important – without this set the Start Menu will fail)
  • Authenticated Users – Read and Execute
  • SYSTEM – Full Control
  • Administrators – Full Control

Once you have set these permissions on the parent folder ENSURE that you cascade them all the way down the filesystem, and also MAKE SURE that Administrators is the owner of all the files and folders as well.

Next we need to set the Registry permissions as well. Open up regedit.exe, select the HKEY_USERS hive, and choose the Load Hive option from the File menu. Browse to the network share where you copied the files to, and open up the ntuser.dat file that is in there. Give it a name, and you will see the named hive loaded under HKEY_USERS.

Right-click on the root of the hive you have loaded and select Permissions. The permissions in here will be wrong. Change them to match those set below exactly.

You must ensure that the RESTRICTED group is removed, otherwise you will be unable to log on and will get an Access Denied error. When you apply these permissions, you will get an error saying “unable to set security in some keys” – just ignore this.

Now, search the Registry hive for any instances of the username and delete them. If you want to be really thorough, search for the SID of the user too and remove any references to that.

After this I normally delete any Registry keys which I think are unnecessary. Policies keys can definitely go; I also tend to remove AppDataLow from \Software and the (huge!) number of Google references you will find within the Registry. It’s up to you how much you do here – certainly there are lots of redundant objects related to gaming, Xbox and SkyDrive that could easily be taken out.

Once you’ve done this, highlight the root of the loaded hive again and choose File | Unload Hive from the menu in regedit.exe, otherwise you will lock the file and it will be unusable – VERY IMPORTANT!

After this, you can highlight the Registry transaction logs in the root of your file share and delete them – they’re not needed.

Next you can trim down the filesystem. Because the Copy Profile command ignores the AppData\Local and AppData\LocalLow folders, you shouldn’t have too much to do here. I normally just get rid of \AppData\Roaming\Adobe.

This usually takes the size of the mandatory profile down to just over 1MB, which is about right.

For the penultimate steps, rename the ntuser.dat file to ntuser.man (why the hell did the Mandatory check box not do this bit????), and then set a test user to use the mandatory profile in AD or GPO.
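The post-copy fix-up described above (NTFS permissions and ownership, hive permissions, scrubbing the build account, unloading, removing the transaction logs, trimming and renaming) as one PowerShell script. This is an added example, not code from the original post; the share path, the build account name and its SID are placeholders, the hive is mounted under HKEY_USERS\ManProf, and because the article shows the exact registry ACL only in a screenshot, the registry permissions here are assumed to mirror the NTFS list.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Fixes up a mandatory profile that the
# "Copy To" dialog has just written to a share, following the article's steps 1-4 below.
# Placeholders/assumptions: $ProfilePath, $SourceUser and $SourceSid; the hive is mounted
# under the temporary key HKEY_USERS\ManProf; the registry ACL mirrors the NTFS one.
param(
    [string]$ProfilePath = '\\FILESERVER\Profiles$\Mandatory',   # placeholder UNC path
    [string]$SourceUser  = 'profilebuild',                        # account used in Audit Mode
    [string]$SourceSid   = 'S-1-5-21-0-0-0-1001'                  # its SID (placeholder)
)

# 1. NTFS permissions. icacls accepts well-known SIDs with a leading '*', which avoids
#    depending on a name like "ALL APPLICATION PACKAGES" (S-1-15-2-1) resolving remotely.
$allAppPackages = '*S-1-15-2-1'; $authUsers = '*S-1-5-11'
$system         = '*S-1-5-18';   $admins    = '*S-1-5-32-544'
icacls $ProfilePath /inheritance:r | Out-Null                       # root: no inherited ACEs
icacls $ProfilePath /grant:r "${allAppPackages}:(OI)(CI)F" "${authUsers}:(OI)(CI)RX" `
                             "${system}:(OI)(CI)F" "${admins}:(OI)(CI)F" | Out-Null
icacls "$ProfilePath\*" /reset /T /C | Out-Null                     # children inherit the root ACL only
icacls $ProfilePath /setowner $admins /T /C | Out-Null              # Administrators own every object

# 2. Registry permissions inside ntuser.dat: strip every existing ACE (this removes
#    RESTRICTED, S-1-5-12), add the four required ones and cascade them to all subkeys.
$mount = 'HKU\ManProf'
$root  = 'Registry::HKEY_USERS\ManProf'
reg.exe load $mount (Join-Path $ProfilePath 'ntuser.dat') | Out-Null
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
$wanted = @(
    @('S-1-5-11',     'ReadKey'),      # Authenticated Users (comments report some builds needing FullControl)
    @('S-1-5-18',     'FullControl'),  # SYSTEM
    @('S-1-5-32-544', 'FullControl'),  # Administrators
    @('S-1-15-2-1',   'FullControl')   # ALL APPLICATION PACKAGES
)
foreach ($w in $wanted) {
    $id   = New-Object System.Security.Principal.SecurityIdentifier($w[0])
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $id, $w[1], 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
# Keys the token cannot touch are skipped: regedit's "unable to set security in some keys".
$subkeys = @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
foreach ($path in @($root) + @($subkeys | ForEach-Object PSPath)) {
    Set-Acl -Path $path -AclObject $acl -ErrorAction SilentlyContinue
}

# 3. Scrub the build account's name and SID from key names, value names and string data.
$needles = @($SourceUser, $SourceSid)
foreach ($key in $subkeys) {
    if ($needles | Where-Object { $key.PSChildName -like "*$_*" }) {
        Remove-Item -Path $key.PSPath -Recurse -Force -ErrorAction SilentlyContinue
        continue
    }
    try { $names = $key.GetValueNames() } catch { continue }      # key already deleted above
    foreach ($name in $names) {
        if ($name -eq '') { continue }                                # leave (Default) alone
        $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        if ($needles | Where-Object { $name -like "*$_*" -or $data -like "*$_*" }) {
            Remove-ItemProperty -Path $key.PSPath -Name $name -Force -ErrorAction SilentlyContinue
        }
    }
}

# 4. Release every handle before unloading (otherwise reg unload fails), then tidy the
#    share: transaction logs go, the profile is trimmed, ntuser.dat becomes ntuser.man.
Remove-Variable acl, subkeys, key, rule, old -ErrorAction SilentlyContinue
[GC]::Collect(); [GC]::WaitForPendingFinalizers()
reg.exe unload $mount | Out-Null
Get-ChildItem -Path $ProfilePath -Force -Filter 'ntuser.dat*' |
    Where-Object { $_.Name -ne 'ntuser.dat' } |                   # .LOG1/.LOG2, *.blf, *.regtrans-ms
    Remove-Item -Force
Remove-Item -Path (Join-Path $ProfilePath 'AppData\Roaming\Adobe') -Recurse -Force -ErrorAction SilentlyContinue
Rename-Item -Path (Join-Path $ProfilePath 'ntuser.dat') -NewName 'ntuser.man'
```

Run it from an elevated PowerShell on the domain-joined build machine after the Copy To step. reg unload reports access denied while anything still holds a handle to the loaded hive, which is why the variables are dropped and the garbage collector run before it.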

But there is one final step we need to take to ensure that UWP apps work in our mandatory profile. You need to set a GPO that allows roaming profiles (because mandatory profiles are simply read-only roaming profiles) to deploy UWP apps. The GPO is shown below, and if this isn’t set, no UWP apps will work (they will just hang indefinitely)

Once you’ve got this set, you can now test your mandatory profile – and it should work perfectly. If you want to reduce the logon time, then removing as many UWP apps as possible from the image will be your best bet – see many of my other articles for guides on how to do this.

Summary

I’m hoping this is the last time I have to go down the mandatory profiles route. But I’m willing to bet it’s not. Welcome to Windows 10 and the fast release schedule!

Comments

70 responses to “How to create mandatory profiles in Windows 10 Creators Update (1703)”

  1. […] You might find this article and video useful. How to create mandatory profiles in Windows 10 Creators Update (1703) Now, the only officially supported way to create a mandatory profile is by using Audit Mode to […]

  2. Ivan de Mes says:

    Super cool and informative article. Thanks for sharing!

  3. […] Profile Management 5.0 and newer has a mandatory profile feature. Alternatively, use the Microsoft method. Also see James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703). […]

  4. […] User Environment Management > Mandatory Profile – added link to James Rankin’s article on mandatory profile on Windows 10 […]

  5. […] How to create mandatory profiles in Windows 10 Creators Update (1703) – James Rankin […]

  6. Jeremy says:

    When attempting to do the sysprep command, I’m getting the following error in the sysprep log:

    “Unable to deserialize explicitely provided unattend file [c:\unattend.xml]; status = 0x800705b9, hrResult = 0x0.”

    This is after I changed the provided unattend.xml to make sure it had the proper ” marks (I was getting the same error, but different code, before I fixed that).

  7. Jeremy says:

    Figured out the issue. I didn’t get ALL of the ” marks changed. Some were copied as curly left quotes, and some as ?. I didn’t get the ? ones the first time.

    • James Rankin James Rankin says:

      Yeah that’s the problem with copying from websites where the text is encoded. I guess it would be better for me to simply provide a text file for download…will do that next time.

  8. Manny Baker says:

    Hi James
    Just following your fantastic guide and noticed one thing. It seems setting the registry permissions for Authenticated Users to have read access (as opposed to full control like you did in your accompanying video) results in the message ‘The Group Policy Client service failed the sign-in. Access is denied’

    This is at least the case with Windows 10 1607. I had to set the ‘Authenticated Users’ as having full control on the registry key in order for it to work correctly. I was able to toggle this single setting and replicate the behaviour.

    FYI too – it seems skipping the sanitising step that you recommend (the registry search and destroy for the username) is what breaks the start menu. So other internet people – follow this guide, it actually works as opposed to the hopelessly vague guide on Microsoft’s site 🙂

    Anyways, just thought you’d appreciate the feedback, you’ve helped an Aussie IT bro trying to work out the mandatory profile for 3100+ labs PCs out 🙂

  9. Richard Mainprize says:

    Hi James,

    We have followed these instructions to the letter, but cannot find a way of setting the ‘administrators’ built in group as the owner of the folder. Could you illuminate us on how this is accomplished. Whenever we try to set the ‘Administrators’ as the owner of the folder then an error is presented “An object (User, Group, or Built-in security principal) with the following name cannot be found “administrators”. Check the selected object types and locations for accuracy and ensure that you have typed the object name correctly, or removed this object from the selection.”

    Many thanks

    • James Rankin James Rankin says:

      Hi Richard

      What “Location” are you searching in? “Entire Directory” or the local machine? I would guess that you may be searching the wrong one – try flipping it over and see.

  10. deny says:

    I can’t find the ALL APPLICATION PACKAGES..
    The client has DNS pointed to the Server IP (since joining it via cpanel doesn’t seem to work without this). Is the location supposed to point at the client?

  11. […] you using? 1703 has the 'Copy to….' button again which may be your simplest option. You may find this guide useful […]

  12. James Rankin James Rankin says:

    ALL APPLICATION PACKAGES should be found if you search the local machine accounts on Windows 10.

  13. deny says:

    Thanks James, I got it working,
    my case is slightly different because I’m using it for ASTER multiseat..

    http://www.ibik.ru
    I wrote down my approach in details here
    https://pastebin.com/rgw6D0Zf

    It seemed to worked at first but then the next day both profiles can’t log in with this error

    taskhostw (7180) WebCacheLocal: Database recovery failed with error -1216 because it encountered references to a database, ‘C:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat’, which is no longer present. The database was not brought to a Clean Shutdown state before it was removed (or possibly moved or renamed).
    Any idea why?

  14. deny says:

    Edit: I think this is the real culprit

    Event 1521

    Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

    DETAIL – Access is denied.

    Which is strange because I can access the shared folder that contains the profile just fine,
    And on the system the PC still says it’s connected to the correct domain..
    Pinging the server works too

  15. […] the past. Also double-check that your Profile Path field for the AD user is correct. You may find this link useful too- it's a bit more tailored to 1703 than the MS […]

  16. denywinarto says:

    Yes, just checked it, it’s owned by Domain name / Administrators
    Any other ideas? Is this corrupted profile?
    Yesterday = 2 terminal worked
    today = 1 terminal worked, other one = we can’t sign in into your account
    then after restarting once,
    terminal 1 = There was a problem with your roaming profile blablabla
    terminal 2 = we can’t sign in into your account

  17. Mark Smith says:

    I’ve had about 6 weeks of fun trying to get Windows 10 1703 deployment working well with MDT with mandatory profiles for our users (Coming from Windows 7 / WDS so complete learning curve).

    I followed this guide to try and create our mandatory profile but every single time I’d end up with a profile that just wasn’t right and for us, Edge just wouldn’t work.

    Having fixed it and now having a working mandatory profile, the key is simply… DON’T CLICK THAT MANDATORY PROFILE CHECK BOX! Using regdiff, all it seems to do is add one regkey, I haven’t got notes but something like Environment\Mandatorysafe=1 but it also right royally messes up the permissions in the ntuser.dat file.

    If you don’t click that box when copying the default profile to your network share and just specify Authenticated Users as Permitted to use, then you don’t need to touch the registry hive. Just rename it to ntuser.man and make sure your folder permissions are Domain admins: Full, System: Full, Authenticated Users / Domain Users (You pick): Read.

    Although your users with the mandatory profile should work perfectly, any user that logs on to the computer with a local profile – say an admin – will have start menu issues. For this scenario, simply use the copyprofile=true command on a VM or a machine you can reimage again in order to copy the default profile and set copyprofile=false on the build you push out.

    Of course everyone else’s mileage may vary but I’m happy with what I’ve got and hope it helps someone!

  18. Danny Field says:

    Hi,

    I have used your method to create both a default profile for staff which is used for creating their roaming profiles, as well as a mandatory profile for students. I am using an exported startlayout xml file for users to force their tile layout. There seems to be an issue with roaming profiles whereby if they don’t create properly, I find tiles are shown blank and clicking on them does nothing; sometimes the tiles are shown blank and clicking runs the app. Also, tile groups and blank tiles within the groups are shown for apps that aren’t installed on the client, but are on the layout xml for use on desktops with those apps installed. I am updating my enterprise from 1511 Education to 1703 Education. I have found that loading and resaving the layout xml on the file share will partially fix the issue.

  19. Danny Field says:

    Yes I have. I have followed your instructions.

  20. Danny Field says:

    I did have problems adding permissions for All Application Packages, I think because I am on a 2008 domain and DC and file server. This group is shown as Account unknown? Is that normal?

  21. Danny Field says:

    I have put the mandatory profile on my fileshare. Is this the reason I am unable to make the built in administrators group the owner of the profile?

  22. Danny Field says:

    We don’t currently have a newer domain. We should be migrating to a 2016 domain in two weeks.

  23. Danny Field says:

    With enforced tile layout, I am finding that with staff profiles that roam, the 1st login creates the tile layout correctly on the 1703 client. When the user goes to login on a second desktop, all tiles are blank apart from any universal tiles. Is this something you can verify?

  24. Danny Field says:

    I have the fix. https://technet.microsoft.com/en-us/library/jj649079(v=ws.11).aspx
    Step 7 mentions adding a registry key. This is new since March.

  25. JJ says:

    Hi James,

    Thank you for your post. Everything thus far has worked a treat. My problem now is that I’m trying to set an Automatic Logon for the AD profile which I have the profile path pointing to the share for. I would like the PC to automatically log in to this profile without a prompt for username and password. This is for a student lab. But after I set the Autologon details via the registry and reboot I get the following error on boot up: “The ProSvc service failed the sign-in. User Profile cannot be loaded”

    Any idea James. I’m really stuck here, any help would be much appreciated

  26. Martin says:

    YES, very Helpful. Thank You! Unbelievable! Uncheck the Mandatory Checkbox to get a working Mandatory Profile..

  27. Imanol says:

    After Sysprep, when creating the account it says “Something went Wrong”. A “try again” button appears, and after hitting it the account is created, but without the configurations of Internet Explorer, for example.

    I’ve checked that the ntuser.dat file in the “default” folder has been replaced, after the “Something went Wrong” message.

    I’ve tried twice, but am getting the same error. Any ideas?

    Thanks!!!!

  28. Dave Micko says:

    Hello James, thank you for this HowTo.
    I need to make a Mandatory Profile but not on a Domain PC but on a standalone Kiosk PC.
    What are the differences? For instance in Registry Settings etc.

    Cheers and many Thanks again
    Dave

  29. Imanol says:

    I’ve checked it out, and it was stopped.

    the good news is I’ve tried again and it works.

    Thanks again.

  30. Jad says:

    Hi James,
    Thanks for the guide, it’s very clear and helpful!
    I’ve created a profile that works well for Windows 10, however when a user with this mandatory profile tries to log on to a Windows 2016 server (via RDP) it fails to logon and shows the following error:
    The Group Policy client service failed the sign-in. Access is Denied.

    I have tried setting the reg key, but it didn’t help. Also cleaning the mandatory profile hive as much as possible did not help. Or I cleaned the wrong items.
    Have you ever come across this error, or have any ideas?

    thank you.

    Jad

  31. Jad says:

    The administrators have ownership on the files and the registry keys and also full control permissions. The profile seems to be working fine when logging on to a Windows 10 VDI desktop. But on a Windows 2016 server it fails. In the event log it shows these alerts after the logon attempt:
    The winlogon notification subscriber failed a critical notification event. ID 6004
    The winlogon notification subscriber failed a notification event. ID 6001

  32. Jad says:

    Hi James, sorry for the late reply.
    Yes they are the same version. .v6 for windows 10 (1703) windows 2016.

    I have also created a new profile without removing anything from the registry, but it gives the same error.

    Thanks,
    Jad

  33. Jad says:

    Hi James, sorry for the delayed response. It took a while to set things up.
    With a mandatory profile created on Windows Server 2016 we get the same error logging on to the Windows 2016 RDP session. This profile doesn’t work with windows 10 either.
    There was 1 difference in the process: when copying the default user profile there was no checkbox for mandatory profile.

  34. JAD says:

    Hi, I tried to do some more research. The moment the sign-in fails on the Windows Server 2016 session the following entry shows up in procmon: HKU\S-1-5-21-1417001333-308236825-682003330-22650 ACCESS DENIED for read/write

    So for testing I gave the Authenticated Users group Full Control permissions on the reg hive of the .man file and now it works.

    But I am not sure if setting Full Control permissions on the reg hive could be harmful in any way to the mandatory profile. Is there a reason why it is set to read only?

    thanks
    JAd

    • James Rankin James Rankin says:

      I always set Full Control permissions on the whole Registry hive. Technically this would lead to a minor security issue, but you could always work around it by resetting the permissions to %USERNAME%\Full Control at first logon.

  35. JAD says:

    Hi James,

    ok. Thanks again for the help and the guide.

    JAD

  36. Rik says:

    Hi,

    I created a mandatory profile following your user guide with success. Only now I am having issues with Skype for Business related to the following articles:
    http://www.michev.info/Blog/Post/1235

    I am wondering if you, having all this mandatory profile knowledge, maybe see any solution to this problem? Anything is much appreciated.

    Kind regards,
    Rik

    • James Rankin James Rankin says:

      That’s interesting. The operating system sees a profile type based on the Registry value of HKLM\Software\Microsoft\Windows\CurrentVersion\ProfileList\[SID]\State (1 indicates mandatory). If you were to use a post-logon script to set this to 0 or 256, then run Skype, it might work? Obviously you would also need a logoff script to set the value back to 1 though, otherwise it would never get purged 🙂

      You will also need to pull the user SID in the scripts to feed into the Registry edit. Here’s a couple of examples for doing it:-

      for /f "skip=5 tokens=2 delims= " %%a in ('whoami /user /fo list') do set USERSID=%%a (BATCH)

      $USERSID = ([Security.Principal.WindowsIdentity]::GetCurrent()).User.Value (POWERSHELL)
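The logon/logoff flip described in the reply above, as an added PowerShell example (not the author's script): it reads the ProfileList State value for a SID, clears the mandatory bit at logon and sets it again at logoff, keeping any other State flags intact. It assumes it runs with rights to write HKLM; if the task runs as SYSTEM rather than as the user, pass the user's SID with -UserSid, since GetCurrent() would return SYSTEM's.

```powershell
# Added example, not the script from the comment above. Toggles the "mandatory" bit of
# HKLM\...\ProfileList\<SID>\State so the OS reports a non-mandatory profile during the
# session (for Skype for Business) and a mandatory one again at logoff, so it is purged.
# Assumption: runs with rights to write HKLM (a plain user logon script cannot).
param(
    [ValidateSet('Logon', 'Logoff')][string]$Phase = 'Logon',
    # Default is the SID of whoever runs the script (the comment's PowerShell one-liner);
    # pass the user's SID explicitly when the task runs as SYSTEM.
    [string]$UserSid = ([Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
)

$ProfileMandatory = 0x1      # the State bit the comment refers to: 1 = mandatory profile
$key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList\$UserSid"
if (-not (Test-Path $key)) { throw "No ProfileList entry for $UserSid" }

$state = [int](Get-ItemProperty -Path $key -Name State).State
$new = switch ($Phase) {
    'Logon'  { $state -band (-bnot $ProfileMandatory) }   # clear the bit, keep the other flags
    'Logoff' { $state -bor $ProfileMandatory }            # set it back so the profile is discarded
}
Set-ItemProperty -Path $key -Name State -Value $new -Type DWord
"{0}: State for {1} changed {2} -> {3}" -f $Phase, $UserSid, $state, $new
```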

    • James Rankin James Rankin says:

      Hi

      I have a solution to this, will blog and video it up in the next day. Basically as my comment, you just set the profile type in the Registry at logon and logoff 🙂

    • James Rankin James Rankin says:

      Video and article about this now live – How to use Skype for Business with a mandatory profile – video https://youtu.be/mBYWX349Jn0 article http://htguk.com/using-skype-for-business-with-a-mandatory-profile/

  37. Jason B says:

    Awesome Job James! this article saved my sanity. Thumbs up.

  38. denywinarto says:

    Hi James, I managed to create 1 mandatory profile.
    With the method I mentioned here, after gathering methods from various sources, including yours.
    https://superuser.com/questions/1190789/windows-10-create-local-mandatory-unchangeable-user-profile/1258085#1258085

    For my multiseat setup I’m gonna need 9 different mandatory profiles.
    Weird thing is the second mandatory profile that I created won’t load even though I did the exact same thing. I need to assign the second manprofile to the second user, third to third user and so on..

    Any idea why it’s limited to 1?

    • James Rankin James Rankin says:

      OK I will bite – why do you need 9 different mandatory profiles?

      Can’t you just use 1 base profile and deploy any other modifications via GPO/GPP?

      I didn’t know you could only use 1, I will investigate that when I get a chance.

  39. Mike says:

    The profile works great for me, except one thing. Microsoft Edge will not load any webpages other than the default ‘my feed’ page.

  40. Mike says:

    Hello. No error, it just “spins” and never times out. It’s very odd. I tried making a copy of profile and setting up the permissions properly again, even going beyond that and enabling FULL CONTROL for everyone (on the profile and in the registry), still same result. I’m stumped.

  41. Mike says:

    I’m going to build another profile and follow up.

  42. Dan says:

    Is there a way of the start menu tiles having some basic ones as part of the MP such as maybe one for IE and one for File Explorer. I am having major issues using the “set start layout” gpo. My xml file is very basic (just IE and Explorer) but causes massive delay to logon time and the menu isn’t as the xml file was exported. Permissions on the xml file are set to allow access the same as the profile folder.

  43. Brian says:

    Hi James,

    Thank you for a great article. It was really helpful and saved me tons of time.

    It worked well with 1703.

    Have you tried the same method with 1709?

    I created a new mandatory profile (Following the same steps) on 1709 and it all appears to work, except Edge closes immediately (within 5 seconds) after launch. (All other UWP Apps are ok) An event log states –
    Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    Faulting module path:
    C:\Windows\System32\Edgehtml.dll

    I have tried it 3 / 4 times with the same outcome. (And tried with no GPOs being applied….Just in case).

    When I remove the Mandatory profile and log in with a local or Roaming Profile it all works as expected.

    Have you or anyone else experienced the same thing on 1709?

    Cheers

    Brian

    • James Rankin James Rankin says:

      we always seem to get this problem with Edge. I don’t know why people leave it in their images 🙂

      I will have a look tonight and see if I can solve it. Just updated my PVS images today.

  44. Brian says:

    Much appreciated.

    Thanks James

  45. fbifido (@fbifido) says:

    Hi,
    Could you do a video on your setup?
    from start to now (including the update of the PVS).
    are you using VDI or XenApp?
    are you using “cache overflow to disk”?
    are you using XenServer/Hyper-V/ESXI ?
    have you upgraded/moved to Server-2016 & Win10RS2/3?
    do you have HA for DNS, DHCP, AD? how?
    How do you upgrade to next version(apps, hypervisor, server)?

    Please & Thanks.

  46. Arunas says:

    Will this work if I use local mandatory profiles, because I need to create a lab without a server, and every profile takes files from the local machine.

  47. James says:

    Hi James,

    Thanks for the video/article. Just a quick question – do I need to move the profile to a share/DC to edit permissions or can I just keep it on the same machine and regedit/set permissions before moving it?

    Cheers,

    James

    • James Rankin James Rankin says:

      You can keep it on the same machine, if you want to add domain groups (like Authenticated Users) then just make sure you can see the domain. I generally move it to a file share first though just to keep everything separate for my sanity 🙂
