Mandatory roaming profiles with Windows 10 Pro

  • Question

  • I am encountering serious issues working with mandatory roaming profiles on Windows 10 Pro. I will try to summarize the issues. So here's what I do:
    Preparations:
    - Set up Windows 10 Pro
    - Install all apps and programs
    - Join client to domain

    User profile:
    - Create domain user on server
    - Configure roaming profile path of this user (\\server\profiles\%username%)
    - Logon with this user
    - Configure user settings (launching browser, word, excel etc.)
    - Log off

    Now preparing the mandatory profile:
    - Rename NTUSER.DAT to NTUSER.MAN on the roaming profile path
    - Log on with local admin rights on the client and go to system control panel to delete the cached user profile. Alternatively log on to another physical client on next step
    - Log on to any client using the user with mandatory profile

    Starting from here things go terribly wrong.
    Symptoms:
    - The user start menu sometimes cannot be opened at all (start button in taskbar does not have any functionality besides right click menu to show)
    - Sometimes the menu opens but does not show start area but instead only the all apps area
    - Right after login the start menu all apps area is empty besides about 5 modern apps. These apps can be clicked and opened
    - After some seconds Windows starts "rebuilding the icons" and you will see the all apps menu growing quickly (filled with icons). Soon after this starts the start menu becomes "read only". One can still scroll but there is no mouse-over highlight and none of the items can be launched by clicking them. Keyboard navigation still works
    - The start area to the right is hidden, when expanded it's completely empty
    - There seems to be a lot of background activity going on and slowing down the client. I have found Windows deploying around 50 apps in %localappdata%\Packages. This takes minutes on our (slightly dated) hardware with mechanical disks and core2 CPUs
    - There is no settings button to the left of the start menu
    - Restarting explorer fixes the non-clickable issue as well as it allows me to click the all apps icons. Still there is no start/pinning area

    I was first trying to work around the start menu roaming issue using a GPO for a mandatory start layout. But it seems to be ignored entirely for mandatory profiles. Even worse the bug about re-populating the all apps area and the inability to click any item renders the start menu unusable.

    I am operating Windows environments at primary schools where students get automatically logged on to mandatory profiles. This works very well on Windows 7.

    In Windows 10 I don't know how to fix this. I can't tell a 6 year old child to log on, wait for the start menu to populate, then press ctrl+shift+esc to open the task manager, look for the explorer app, right-click it and restart it. Just to be able to use the start menu with limited functionality (no pinned apps, just all apps menu) looking for his application in a list of roughly 200 icons.


    Analysis:
    It looks like Windows 10 app platform in general is broken by design. Modern apps are populated to %localappdata%. Moreover it looks like for mandatory profiles this folder is cleaned on logoff. As a result Windows re-deploys all the apps on 'presumably' first login but fails miserably on the shellexperience app (startmenu).
    This forced redeployment also causes a lot of load and it's simply inefficient to redeploy all modern apps on each login. In our case some machines take up to 15 minutes under heavy disk activity on each logon. This is unacceptable.
    However it's of course even worse to leave the users with a broken start menu.

    As a workaround I have tried to set a GPO to configure a mandatory start layout. But for the user with mandatory profile it does not have any effect. The menu is still broken and not showing any start pinning area. If the area is dragged it shows up empty.

    A similar issue regarding roaming profiles has been reported here: https://social.technet.microsoft.com/Forums/en-US/win10itprogeneral/thread/69b4e29d-0a57-4d3d-a620-c6ab49923c7f/
    There was no solution provided yet. Using roaming profiles is a very important feature for us. Folder redirection does not solve the problem as it mainly does not deal with NTUSER.DAT and the HKCU portion of the registry to roam user settings to different machines. Moreover mandatory profiles are really important for us to assure student profiles look the same on every reboot while still allowing them to change settings like pinned start items, desktop icons, desktop background and all sorts of settings for educational purposes but discarding them after logoff to assure the next student will get the same pre-defined environment. Teachers are simply not trained to solve issues like "my start icon is not there" on-the-fly with every student.

    I am running Windows 10 Pro 1607 with all updates applied as of 2016-08-25.

    Anyone experiencing the same issues? Any suggestion how to fix?


    Many thanks.

    Friday, August 26, 2016 6:16 AM

All replies

  • Hi,

    Roaming profile was not working perfectly on Windows 10 before, recently some users have reported that the "roaming profile" issue has been fixed by the V6 version in Windows 10 version 1607. I will discuss with my colleagues and check if we have an environment to test and prove it. It may take a couple of days. Will let you know as soon as we get any result.

    Best regards


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 29, 2016 9:52 AM
    Moderator
  • recently some users have reported that the "roaming profile" issue has been fixed by the V6 version in Windows 10 version 1607.

    Indeed the situation improved slightly. Though it's still not working properly.

    Normal roaming profiles now work with some limitations. For example on first logon the settings button is still missing from the start menu and start layout does not roam at all. If the %AppData%\Microsoft\Windows\Recent folder is excluded from roaming via GPO then even the settings app keeps crashing.

    The situation is worse with mandatory roaming profiles when NTUSER.DAT is renamed to NTUSER.MAN on server side. In such case the start menu does not work (no pinned area, items not clickable).

    I did some further debugging and found that Windows seems to remove the complete mandatory profile during logon (not at logoff). Thus breaking also the %LocalAppData% folder each single time. As a result the ShellExperienceHost fails to build the start menu. I actually worked around this issue by including %LocalAppData%\TileDataLayer\Database\vedatamodel.edb on the server-side profile. Which should actually not even work as roaming profiles only include %AppData% and not %LocalAppData% but Windows seems to copy down the %LocalAppData% part as well if it exists on server side.

    I don't know why Windows cleans the %LocalAppData% folder for mandatory profiles each time but perhaps this is by design to assure no persistency on those data is kept. Though it badly breaks apps registered there. The whole process seems just to be very badly engineered.

    The result of including vedatamodel.edb is:

    • User gets start menu with tiles
    • Start items still discovered some seconds after logon and then locked/unclickable
    • Start tile icons missing, tiles just show up with solid color
    • Apps not working (empty solid tiles deployed in start menu)

    To solve the second and third issue I found that killing ShellExperienceHost.exe process after logon "unlocks" the start menu and re-builds the icons. So I have included a startup shortcut in the mandatory profile which executes "taskkill /f /im ShellExperienceHost.exe". Unfortunately this is only executed something like half a minute after user logon. So the user is left with a broken start menu until autorun jumps in and kills the process. So users might start to use the system some seconds after login. This is a ridiculous situation but at least it works.

    I have not found any possibility yet to make the apps working. During login it looks like Windows deploys 21 packages to %LocalAppData%\Packages but seems to fail for additional ones (calculator, webcam, mail, weather, store...). Actually I don't care too much right now as the app platform seems to be badly broken by design anyway currently and we strongly encourage our users not even to use it.

    Monday, August 29, 2016 10:15 AM
  • Hi Rainer Meier,

    Thanks for your work, we have followed your steps and tested it on our side.
    Indeed, it does cause the start menu not to open and other issues. We also notice that there are many error messages recorded in Event Viewer when this issue occurred. We decided to report this issue on our side, you could try the built-in "Feedback" tool to submit the issue on your side. I hope it could be fixed in the near future.

    In addition, we would appreciate it if you could upload your Event Log to OneDrive and share the link with us, it will be very useful. Thanks for your work again.

    Best regards



    Tuesday, August 30, 2016 8:56 AM
    Moderator
  • Hello

    Many thanks for the confirmation. Very appreciated and I am glad it's not only me facing the issues. Some of them might be related to "normal" roaming profile issues as linked in original post.

    As written in my second post I found a work-around on how to get the start menu working but it's really just a hack including %LocalAppData%\TileDataLayer\Database\vedatamodel.edb in the mandatory profile and then hard kill ShellExperienceHost.exe after login to get the start menu going again.

    The broken start menu issue also applies to normal roaming profiles when roaming to a new host or when the profile is erased from the host (first login with a roaming profile).

    However I am not receiving many application or system events. In application event log it's mainly event ID 1534, failed profile notification on event create on component {2c86c843-77ae-4284-9722-27d65366543c} with error code "not implemented". Sorry, needed to translate this from German:

    Fehler bei der Profilbenachrichtigung des Ereignisses Create für Komponente {2c86c843-77ae-4284-9722-27d65366543c}. Fehlercode: Nicht implementiert

    And event ID 10016 in system event log with the text:

    Durch die Berechtigungseinstellungen für "Anwendungsspezifisch" wird dem Benutzer "SCHULEALTWIS\user01" (SID: S-1-5-21-4241501702-3891211479-2139531464-1005) unter der Adresse "LocalHost (unter Verwendung von LRPC)" keine Berechtigung vom Typ "Lokal Aktivierung" für die COM-Serveranwendung mit der CLSID
    {260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}
     und der APPID
    {260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}
     im Anwendungscontainer "Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy" (SID: S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708) gewährt. Die Sicherheitsberechtigung kann mit dem Verwaltungstool für Komponentendienste geändert werden.

    So it fails on "local activation" on CLSID {260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}.

    I have uploaded a clean event log to OneDrive here

    Note: Please disregard the event about slow network link. The profile is only about 3MB in size and I had to load it via slow VPN link. So the group policy to ignore slow links is set.

    The event log just contains the logon with user01 which has a mandatory profile on server side and the local profile was deleted from system control panel before the logon as well as the event log was just cleared out before the logon.

    Please let me know if there is any log or debug data I could potentially provide.

    I have filed a report in the feedback-hub too but it's even hard or impossible to find the right category for it and I never ever got any feedback from these reports. One doesn't even get a reference or ticket number. Frustrating.

    Tuesday, August 30, 2016 10:12 PM
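
    A way to collect the two event types quoted in the post above (ID 1534 in the Application log, ID 10016 in the System log) for a single test logon. This is an added example and not part of any poster's message; the function name and parameters are illustrative, and it assumes it is run on the affected client shortly after the logon being investigated.

```powershell
# Added example: gather event 1534 (Application) and 10016 (System) for one logon window.
# Function and parameter names are illustrative, not from the thread.
function Get-ProfileLogonEvents {
    [CmdletBinding()]
    param(
        # Start of the window, e.g. when the logs were cleared before the test logon
        [datetime]$Since = (Get-Date).AddMinutes(-30),
        # COM class named in the event 10016 text quoted in the post
        [string]$Clsid = '{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}'
    )

    $queries = @(
        @{ LogName = 'Application'; Id = 1534;  StartTime = $Since },  # profile notification failure
        @{ LogName = 'System';      Id = 10016; StartTime = $Since }   # DCOM local activation denied
    )

    $events = foreach ($q in $queries) {
        # Get-WinEvent reports an error when nothing matches; treat that as "no events"
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
    }

    $events | Sort-Object TimeCreated | ForEach-Object {
        $msg = [string]$_.Message
        # GUIDs and package names are not localized, so this works on German and English clients
        $guids = [regex]::Matches($msg, '\{[0-9A-Fa-f-]{36}\}') |
                 ForEach-Object { $_.Value.ToUpper() } | Select-Object -Unique
        $pkg = [regex]::Match($msg, 'Microsoft\.Windows\.ShellExperienceHost_[\w.]+').Value

        [pscustomobject]@{
            Time          = $_.TimeCreated
            Log           = $_.LogName
            Id            = $_.Id
            Guids         = $guids -join ', '
            StartMenuHost = [bool]$pkg                       # true if the app container is ShellExperienceHost
            MatchesClsid  = $guids -contains $Clsid.ToUpper()
        }
    }
}

# Timeline for the last hour, oldest first
Get-ProfileLogonEvents -Since (Get-Date).AddHours(-1) | Format-Table -AutoSize
```

    Rows with StartMenuHost and MatchesClsid both true correspond to the "local activation" denial described in the post; comparing their timestamps with the 1534 rows shows whether both occur in the same logon.
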
  • Just to complete the issue. Here is a Thread about issues with Windows 10 Start menu using normal Roaming profiles (non-mandatory).

    I think this is very much related or even would be fixed by the same changes of correctly building the start tile database during logon of roaming profiles. I think it all boils down to invalid handling of profiles downloaded where %AppData% is fetched from Server but %LocalAppData% is not populated and needs to be re-initialized on logon.

    Thursday, September 1, 2016 7:59 PM
  • Rainer.. This is a fantastic post.  We are noticing the same issues with mandatory profiles, but something additional because I agree that it seems like this ties directly to the issues with roaming profiles.

    Here is one thing I would like to add about what we are seeing:

    I can consistently get certain start menu sections of the all programs list in 1607 to not function when roaming to another machine. Everything under C, M, and V works. All the applications and folders. Everything that falls under any other letter in the start menu doesn't work. You can't click on them. I can get this to happen for different users on different machines on a regular basis. This lines up exactly with which sections have universal Windows Apps in them. Sections with only Desktop Applications in them do not work. If there is a universal app in the lettered section, then all the universal apps and desktop applications work fine. If there is no universal app, then the lettered section does not function.  I can't click on or open any of those shortcuts.

    Restarting explorer or a log out and logging in again on the same machine fixes the issue as long as the roaming profile caching is enabled.  It's like Windows is able to rebuild the start menu for the roaming profile, but it doesn't happen until after explorer is started so it doesn't use it until next login.

    Thank you again for all the testing you have done!

    Wednesday, September 7, 2016 2:20 PM
  • Hello from Austria!

    Nearly a year is gone since the last post, I installed Win 10 1703 with Server 2016 and nothing changed at all! After finding the reg key for the Roaming Profiles to get the Start Menu to work at all, everything is missing after changing to mandatory profiles.

    Is there anything new about this situation? Do we really have to KILL Windows Services after Logon to get a Start Menu at all?

    greetings daniel

    Saturday, August 5, 2017 7:06 PM