Creating a custom default profile on Windows 10 1803

Creating a custom default profile is a good way to streamline a Windows 10 deployment. How do you achieve this?

Note:- this article refers to the default profile creation process on Windows 10 version 1803, fully patched as of 05/07/2018. Further servicing updates (Windows patches) or feature updates (OS upgrades) will possibly invalidate this, although I will strive to keep this article as up-to-date as humanly possible.

The best way to set up a custom default user profile is to run from Audit Mode. This is a special mode of Windows that is invoked during the build process. The original purpose of it was for corporations to complete installation tasks before shipping them to users who could then complete the installation in the usual fashion. In Audit Mode, the device is logged on as the local Administrator account (which will be disabled afterwards) and allows changes to be made to the device prior to sysprep. However, if sysprep is run with the /copyprofile switch, the local user profile will then be copied into the default user profile and then become the default profile for the image.

Be aware that you can only run Audit Mode a specified number of times if you reach the stage of running sysprep when you’re finished – four times will be your limit, unless you use the /skiprearm switch. I find it easy simply to take a VM snapshot of the reference image prior to running sysprep and restoring if necessary.

In order to invoke Audit Mode, start a Windows 10 build and wait until you reach the point shown in the image below, then press Ctrl+Shift+F3.

The machine will then boot into Audit Mode, where it will automatically log on as the built-in Administrator account.

Click on Cancel on the sysprep dialog box. Now, you can set about making any changes you want on a device or user level. Normally at this point I remove UWP apps as specified in this article. However, as this post is merely about the user perspective, here are some of the things I tend to do here:-

  • Set background and branding
  • Set Explorer to show file extensions
  • Set File Explorer to open at “my PC” instead of “Quick Access”
  • Set the Start Tiles as required
  • Set desktop icons as required (add My Computer and Control Panel)
  • Set Taskbar Pinned Items as required
  • Set browser homepage and search options

After this, we just need to do a quick bit of tidying up. Simply run this command to grab a copy of the Start Tiles layout to deploy to new users. Run it from an elevated PowerShell session:

Export-StartLayout -Path $ENV:LOCALAPPDATA\Microsoft\Windows\Shell\LayoutModification.xml

Once you’ve got this done, you need to create an answer file for sysprep to read to tell it what to do. You can either create one using Windows tools, or simply steal the pre-canned one I have prepared here 🙂. If you’re just interested in running with the pre-determined version, skip ahead to the section marked “Pre-canned answer file”.

If you want to do this manually, download and install the Windows ADK; the 1803 version is currently available from this link. Next, install the Deployment Tools option from the ADK only.

Make sure you’ve got your Windows 10 source files available. You will need read/write access to the source files for Windows, so take a copy of the install.wim file from the \sources folder and put it somewhere you can access it with Read/Write permissions.

Once this has completed, run Windows System Image Manager from the Start Menu. From the File menu, choose New Answer File. Click on Yes and locate the install.wim file from your Windows image. Click on Yes to create a catalog file.

Now, we can go to work to customize the answer file as required. Under Components in the bottom left pane, find the folder that starts with amd64_Microsoft-Windows-Shell-Setup (or x86_Microsoft-Windows-Shell-Setup if you’re on a 32-bit platform), select it and choose Add Setting to Pass 4 specialize.

Next you will see this is now added to the Answer File section in the middle pane. Expand this out and set the CopyProfile flag on the right-hand pane to True.

You can set any of the other options within the answer file as you wish, but this one is the only one we actually need. Once finished, validate the answer file by using Tools | Validate answer file, then save it somewhere as an .xml file. In this case, we are just saving to c:\unattend.xml.

You can then open the file up in a text editor if required and check it.

Pre-canned answer file

If you want to avoid all this mess, here’s a pre-made answer file I use on a regular basis 🙂. Items highlighted in bold you may need to check to match your environment, but otherwise you should just be able to copy and paste into a text file and use it with impunity!

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<CopyProfile>true</CopyProfile>
</component>
</settings>
<cpi:offlineImage cpi:source="wim:D:/sources/install.wim#Windows 10 Enterprise" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

Watch out – these lines may wrap.
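
An added example, not part of the original article or the author's tooling: a check for the two copy-and-paste problems readers report in the comments below (typographic quotes and a UTF-8 byte order mark), followed by a test that CopyProfile really is set in the specialize pass. The function name and the -Repair switch are made up for this example, and the default path assumes the c:\unattend.xml location used above.

```powershell
# Added example (not the author's script). Run it before sysprep.
function Test-AnswerFile {
    param(
        [string]$Path = 'C:\unattend.xml',   # assumption: location used in this article
        [switch]$Repair                      # rewrite with straight quotes and no BOM
    )

    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath
    $problems = @()
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # A UTF-8 byte order mark is the three bytes EF BB BF at offset 0.
    $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and
              $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
    if ($hasBom) { $problems += 'UTF-8 byte order mark present' }

    # Decode, then drop the BOM character so the parser sees "<?xml" first.
    $text = [System.Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)

    # Typographic double quotes and the double-prime sign that web pages
    # substitute for the ASCII quote (U+201C, U+201D, U+2033).
    $curly = '[\u201C\u201D\u2033]'
    $count = [regex]::Matches($text, $curly).Count
    if ($count -gt 0) {
        $problems += "$count typographic quote character(s)"
        if ($Repair) { $text = [regex]::Replace($text, $curly, '"') }
    }

    # Parse the (possibly repaired) text and look for CopyProfile.
    $wellFormed = $false
    $copyProfile = $null
    try {
        $xml = New-Object System.Xml.XmlDocument
        $xml.LoadXml($text)
        $wellFormed = $true

        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
        $xpath = "/u:unattend/u:settings[@pass='specialize']" +
                 "/u:component[@name='Microsoft-Windows-Shell-Setup']/u:CopyProfile"
        $node = $xml.SelectSingleNode($xpath, $ns)
        if ($node) { $copyProfile = $node.InnerText.Trim() }
        if ($copyProfile -ne 'true') {
            $problems += 'CopyProfile is not set to true in the specialize pass'
        }
    }
    catch {
        $problems += "Not well-formed XML: $($_.Exception.Message)"
    }

    # Only write the file back if the repaired text actually parses.
    $repaired = $false
    if ($Repair -and $wellFormed -and ($hasBom -or $count -gt 0)) {
        # UTF8Encoding($false) writes UTF-8 without a byte order mark.
        $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
        [System.IO.File]::WriteAllText($Path, $text, $utf8NoBom)
        $repaired = $true
    }

    [pscustomobject]@{
        Path        = $Path
        HasBom      = $hasBom
        CurlyQuotes = $count
        WellFormed  = $wellFormed
        CopyProfile = $copyProfile
        Repaired    = $repaired
        Problems    = $problems   # what was found, including anything -Repair fixed
    }
}

Test-AnswerFile -Path 'C:\unattend.xml'
```

An empty Problems list means the file is plain UTF-8, parses cleanly, and carries CopyProfile where sysprep will look for it.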

So once you’ve created your answer file, either manually or using the one above, you now need to run sysprep. Open up an elevated command prompt and run this command:

c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown /unattend:c:\unattend.xml

Naturally, substitute the correct path to your own answer file.

An interesting aside – sometimes I get an error here that directs me to the sysprep log (setupact.log), and I commonly find this happens when I have been removing UWP apps at this stage. If you have removed a provisioned app that still exists in the user profile, sysprep will fail. You need to make sure any provisioned apps removed using Remove-AppxProvisionedPackage have also been removed from the active user account using Remove-AppxPackage. Also it is possible to get an error here if the Windows Media Player Network Sharing Service is running.
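
An added example, not part of the original article: a pre-flight check for the two failure causes just described, to run elevated in Audit Mode before sysprep. The function name is made up for this example, WMPNetworkSvc is the service name of the Windows Media Player Network Sharing Service, and skipping framework and system-signed packages is an assumption made to keep the list to user-facing apps.

```powershell
# Added example (not the author's script).
function Get-SysprepBlocker {
    # Display names of the apps still provisioned in the image.
    $provisioned = @(Get-AppxProvisionedPackage -Online |
        Select-Object -ExpandProperty DisplayName)

    # Apps installed for at least one user account.
    # Assumption: framework and system-signed packages are left out so the
    # result only shows the kind of app you would have removed by hand.
    $installed = Get-AppxPackage -AllUsers |
        Where-Object { -not $_.IsFramework -and $_.SignatureKind -ne 'System' }

    foreach ($pkg in $installed) {
        # Installed for a user but no longer provisioned: the state the
        # article describes after Remove-AppxProvisionedPackage alone.
        if ($provisioned -notcontains $pkg.Name) {
            [pscustomobject]@{
                Check  = 'Installed for a user but not provisioned'
                Item   = $pkg.PackageFullName
                Action = "Remove-AppxPackage -Package $($pkg.PackageFullName)"
            }
        }
    }

    # The service is absent on some editions, so a missing service is not an error.
    $svc = Get-Service -Name 'WMPNetworkSvc' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        [pscustomobject]@{
            Check  = 'Windows Media Player Network Sharing Service is running'
            Item   = $svc.Name
            Action = 'Stop-Service -Name WMPNetworkSvc'
        }
    }
}

$blockers = @(Get-SysprepBlocker)
if ($blockers.Count -eq 0) {
    'No known sysprep blockers found.'
}
else {
    $blockers | Format-List
}
```

The Action column is only a suggestion to review; nothing is removed or stopped by the check itself.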

Once this is run, sysprep will do its stuff and then shut down the image.

The system is now shut down and ready for image deployment with your custom default profile baked-in, but what I usually find is that the default profile will be a bit bloated and contain some references that are not necessary (like PowerShell command history, for instance). To get around this, I run the following script either during imaging or post-imaging just to ensure that the default profile is fully tidied up and as streamlined as possible. There are batch commands in here but they will run from PowerShell without issue; the script does, however, need to run elevated.

# Take ownership of WindowsApps and grant Administrators full control so it can be deleted
takeown /f c:\users\default\appdata\local\Microsoft\WindowsApps /r /a /d Y
icacls c:\users\default\appdata\local\Microsoft\WindowsApps /grant Administrators:F /T /C /L
# Empty AppData\LocalLow
Get-ChildItem C:\Users\Default\AppData\LocalLow -Force | ForEach-Object { Remove-Item $_.FullName -Force -Recurse -Confirm:$false }
# Empty AppData\Local, keeping only Microsoft\Windows\Shell and Microsoft\Windows\WinX
Get-ChildItem C:\Users\Default\AppData\Local\Microsoft\Windows -Exclude "Shell","WinX" -Force | ForEach-Object { Remove-Item $_.FullName -Force -Recurse -Confirm:$false }
Get-ChildItem C:\Users\Default\AppData\Local\Microsoft -Exclude "Windows" -Force | ForEach-Object { Remove-Item $_.FullName -Force -Recurse -Confirm:$false }
Get-ChildItem C:\Users\Default\AppData\Local -Exclude "Microsoft" -Force | ForEach-Object { Remove-Item $_.FullName -Force -Recurse -Confirm:$false }
# Empty AppData\Roaming, keeping only Microsoft\Windows\Start Menu
Get-ChildItem C:\Users\Default\AppData\Roaming\Microsoft\Windows -Exclude "Start Menu" -Force | ForEach-Object { Remove-Item $_.FullName -Force -Recurse -Confirm:$false }
Get-ChildItem C:\Users\Default\AppData\Roaming\Microsoft -Exclude "Windows" -Force | ForEach-Object { Remove-Item $_.FullName -Force -Recurse -Confirm:$false }
Get-ChildItem C:\Users\Default\AppData\Roaming -Exclude "Microsoft" -Force | ForEach-Object { Remove-Item $_.FullName -Force -Recurse -Confirm:$false }
# Remove the registry transaction log files from the profile root
Get-ChildItem c:\users\default -Filter "*.log*" -Force | Remove-Item -Force
Get-ChildItem c:\users\default -Filter "*.blf*" -Force | Remove-Item -Force
Get-ChildItem c:\users\default -Filter "*.REGTRANS-MS" -Force | Remove-Item -Force

This script will strim your default profile from around 125MB to about 4MB. Now, you are ready to deploy the image fully using your default profile that you have customized!
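
Several comments below report the default profile showing a size of ‘?’ after the cleanup, which the replies put down to permissions. A read-only check for that, as an added example that is not part of the original article: the function name is made up, and the four principals it expects to have read access are an assumption to adjust for your own build.

```powershell
# Added example (not the author's script). Changes nothing on disk.
function Test-DefaultProfile {
    param([string]$ProfilePath = 'C:\Users\Default')

    # Well-known SIDs, so the check does not depend on the display language.
    # Assumption: these are the principals that should be able to read the profile.
    $expected = [ordered]@{
        'S-1-5-18'     = 'SYSTEM'
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-32-545' = 'Users'
        'S-1-1-0'      = 'Everyone'
    }
    $need        = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType     = [System.Security.Principal.SecurityIdentifier]

    # Explicit and inherited ACEs on the profile folder, with identities as SIDs.
    $rules = (Get-Acl -LiteralPath $ProfilePath).GetAccessRules($true, $true, $sidType)

    $access = foreach ($sid in $expected.Keys) {
        # An Allow ACE that applies to the folder itself (not inherit-only)
        # and covers every bit of ReadAndExecute.
        $hit = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
            (([int]$_.FileSystemRights -band $need) -eq $need)
        })
        [pscustomobject]@{
            Principal = $expected[$sid]
            Sid       = $sid
            CanRead   = ($hit.Count -gt 0)
        }
    }

    # Total size of the files that can be read; unreadable paths are skipped.
    $sum = (Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -File -ErrorAction SilentlyContinue |
        Measure-Object -Property Length -Sum).Sum

    [pscustomobject]@{
        Path        = $ProfilePath
        SizeMB      = [math]::Round(($sum / 1MB), 1)
        NtUserDat   = [System.IO.File]::Exists((Join-Path $ProfilePath 'NTUSER.DAT'))
        Owner       = (Get-Acl -LiteralPath $ProfilePath).Owner
        Access      = $access
        MissingRead = @($access | Where-Object { -not $_.CanRead } |
            ForEach-Object { $_.Principal })
    }
}

$result = Test-DefaultProfile
$result | Format-List Path, SizeMB, NtUserDat, Owner, MissingRead
$result.Access | Format-Table -AutoSize
```

Run it elevated once before and once after the cleanup script and compare the two results; any principal listed under MissingRead is the first thing to look at.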

Summary

Setting up the default profile is an easy way to make general customizations, improve logon times, and make the whole user experience a lot more slick. It also cuts down on the amount of baseline policies that are required for the user environment, as they can be baked in. Ideally, this process should be repeated for each new iteration of Windows 10 feature releases.

You can also, if you wanted to, centralize the deployment of your default profile by copying the profile you created into a folder in the NETLOGON share and calling this folder Default User.v6 (for Windows 10 1703 and above, prior Windows 10 versions use the suffix .v5). In this situation, you could make changes in one location and have them reflected everywhere (assuming that DC connectivity is available for the client).


53 comments

  1. Awesome write up. I tried to use your canned unattend.xml file and found when copy and pasting it out I notice the ” s look weird. I had to back them all out and retype them and then everything started working.

  2. Hi James, excellent piece here as I’m trying to get my head around building a custom win 10 pro image for the organisation. Does it make any sense on having applications installed while CTRL SHIFT F3 as I would need to pin them to start for all users?

    Thanks again,
    Albert

  3. Nice tutorial!
    We are stuck in the phase where the sysprepped image starts again and the “specialize” phase is executed.
    The displayed error is “Windows could not parse or process the unattend answer file for pass [specialize]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup].”

    C:\windows\Panther\UnattendGC\setupact.log shows “Error [Shell Unattend] CopyProfileDirectory from C:\Users\Administrator failed (0x80070070) ”

    I even tried with clean install in audit mode (no modifications or customizations) and still the same result.
    We use a very simple unattend.xml like the one in this tutorial.
    What could be wrong?

    1. Hi Sven

      Have you checked the permissions on the source administrator profile directory? Is the formatting OK in the unattend.xml file (if you’ve copied it from somewhere, the characters may have come across badly)? There are generally only a few tags at that particular section. Is CopyProfile definitely set to True?

      1. I didn’t change the permissions on the source administrator profile. I’ve used Ctrl-Shift-F3 for Audit mode and from there the “sysprep /oobe /generalize /shutdown /unattend:c:\unattend.xml” command.
        Otherwise no special actions or customizations.

        The unattend.xml is generated with the deployment tools as described in the tutorial and is very simple:

        true

        1. Very strange then, I’d possibly try with a pre-canned XML file to see if you get the same behaviour (although be careful with the character types if you’re using mine)

          1. Strange, I took your pre-canned XML and it works!
            I see no difference with my XML except the order of the attributes in the line “”

            Thanks a lot!

    2. I saw this somewhere else, I’d double check your file, you may be using the wrong character set.

      “Your unattend.xml is in the UTF-8 with BOM but the Windows setup needs UTF-8 WITHOUT BOM”

  4. Hi James, Thanks so much for taking the time to put this article together.

    I’ve been trying to build my own image, I’ve installed MS Office and some other software then ran decrapifierv1803 and it all goes well. Created the answer file and ran sysprep without any faults BUT when I start up again, it loads the drivers … takes quite a while, prompts me with regional settings then Fails.
    ” Why did my PC restart ? Theres a problem thats keeping us from getting your PC ready….”

    I’ve managed to pull out the logs but I have no idea what I should be looking for, any ideas?

    1. Hmmm….not happened to me. Only thing different is the use of decrapifier, have you tried running a different optimization tool like the Citrix or VMware ones?

  5. Hi James

    I can’t seem to customize the taskbar without activating Windows. We use AD activation for win10 Enterprise and as machine is not domain joined I can’t get past this.

    How do you get around this?

    1. Hi Rob

      This only seems to happen to me if I restart Windows from Audit Mode and return to the same mode. First boot, it allows me to customize fine despite not being activated.

  6. Hi James,

    We wanna use mandatory profiles for our RDSH server 2016 environment, does this work the same way with windows 10 & server 2016? The old-fashioned way of creating mandatory profiles just doesn’t seem to work anymore for server 2016..

    thanks!

    1. It should, just there are some subtle differences – Server 2016 uses the TileDataLayer database still for Start Tiles, so if you’re messing with that, you might have to adapt slightly. But otherwise should be pretty much the same.

  7. I am utilizing the copy profile option and I have a pause in my MDT TS. I am noticing the profile to be around 300-400MB after making my modifications and resuming the TS to capture the .WIM. This unfortunately results in a large default profile (in addition to OneDrive not working properly). I have tried using the profile cleanup script however it put a question mark on the default profile size which I’m assuming will be the same for every user that logs in. Any ideas on the question mark issue? It’s almost like it corrupts things. Thanks!

    1. Hmmm, I’ve seen that question mark before, it usually means the permissions are inconsistent and SYSTEM can’t read it. Not sure that my cleanup script put the ACL in for SYSTEM, that might be something to check?

      1. Not sure what you mean specifically. If you can advise it would be greatly appreciated as I would love to use your script. Anything I can do to trim this profile down. It’s currently at 514mb. The only things I’ve done are remove modern apps and setting some local GP options. Not sure why it’s so high in size. Thank you

  8. Greetings.

    Thanks for the write up but I have a Dell 5490 that I’m installing Win10 Enterprise from a thumb drive. I follow the directions but I’m not finding an install.wim but see a boot.wim in the thumb drive. Where should I find the install.wim?

      1. I used an ISO to USB software and I didn’t see it but then again I booted off that USB stick. After you finish the build in audit mode, if I reboot it goes back to audit mode. How do I get it to continue setting up the unit?

  9. Thanks for this great procedure James and your related videos for a similar process with 1703.
    However, I have a few issues with cleaning up the Provisioned Apps as most of them apart from 2 or 3 produce an error and won’t remove. If I leave these installed and then SysPrep the machine, my Default profile is 175mb. I then ran the script to de-bloat the profile which reduces it down to under 2MB. This issue I then get is that when the profile is copied, the User.dat file does not get copied across which it normally does if I don’t de-bloat the profile?

    1. The ntuser.dat is usually a Hidden System file, is the de-bloat script changing the attributes so it can’t be copied?

      1. I checked all that and have even added specific permissions for logged on user but still won’t copy. I’m trying again on a different PC as when you see the profiles in the Advanced System Properties, it is showing the Default Profile size as ‘?’. It only did this after the de-bloat script ran.
        I will confirm the results from my other PC before end of the week.

  10. Hello James, For the command to export the start tiles layout “Export-StartLayout -Path $ENV:LOCALAPPDATA\Microsoft\Windows\Shell\LayoutModification.xml”, is there anything else we need to do, to make sure the new users get the saved tiles? Thank you for your time.

      1. From what I’ve noticed, when a regular user logs in and they attempt to look at Display settings or any other settings, it takes a long time for the box to appear. When an Admin or related account logs in, there is no issue. I’ve read on other forums that it “breaks” when Copy Profile is used.

        1. I also struggled with this issue and argued problems in the sysprep/copyprofile process or system configuration. It took me some time to find out. Apparently, somebody only got this problem – because on special circumstances. But it’s easy to come into or create this problem on a system which was set up by sysprep/copyprofile:
          1) On such a running system logon with the Username “Administrator” (Domain-Admin or BuiltIn-Administrator activated). After that you have and can see a userprofile “c:\users\administrator”.
          2) Now create a new user account and logon with (or with a domainuser). It takes a very long time perhaps to get in. And if you go into settings or launch the edge browser – it opens but doesn’t work.
          3) Solution: Run “systempropertiesadvanced”. Advanced System Properties will open. There, click on the Settings button in the User Profiles section. Delete the Profile “Administrator” .
          4) Try things again. Maybe you are surprised. No problems anymore.
          5) Workaround to avoid this Problem: Create an empty directory c:\users\administrator
          6) Test all things again
          7) If you logon again with “Administrator”-User then a new profile administrator.xxxxxx will be created. Test things again. No problems anymore as seen before.
          8) Reason of the problem (as far as I suppose): In Audit-Mode we work with the Administrator-profile c:\users\administrator. By sysprep & copyprofile and boot then in the early specialize-stage this will be (partly) transferred to Default-profile and the administrator-profile will be deleted! But unfortunately some configurations in the Default- and thus also the new User-Profile obviously link further on to c:\users\administrator (e.g. special system databases, you can see in the logs).
          The difference is or may be: With no or an empty “administrator”-directory, the system doesn’t find things and so just (re-)creates them in the new generated user profile. But if the administrator-directory exists and the access is denied and rejected, that seems to be another kind of error in the setup process of the new user profile and so it comes to failures and problems.
          You don’t get and have this problem on an already existing userprofile. E.g. the first user created at first setup. Only for any new created userprofile if an Administrator had logged on before and created its “Administrator” named profile-directory. Therefore a very strange case that can drive you crazy when it happens.
          Hope this can help to somebody who experienced this already or in future.
          Or perhaps, Microsoft would solve the reason sometime.

  11. Any idea what causes the default profile to display a question mark for size in User Profiles under Advanced System Settings? Seems to be hit or miss in my lab on when that appears.

    1. Probably permissions. Try taking ownership of the filesystem and make sure Everyone has RX perms. I think my script is a little screwy and needs a couple of perms-related updates 🙂

  12. I do have a question regarding the Copy Profile. As I said, I found that it “breaks” in W10 Version 1803 and others say it doesn’t. Are people using the “Copy Profile” in the unattend.xml file that is on the server as part of the Task Sequence or the “copy profile” option that is under the properties of the “Computer”? You know, right-click Computer, click Properties, click Advanced System Settings, go under User Profiles\Settings and copy the profile that way.
    I’m interested to see which one people are doing.

  13. Silly question…does the Windows ADK get installed on the reference PC, or a separate/management PC , or does it even matter?

    Thanks!!

  14. Hi James, can you please explain how to clean up the c:\users\default-profile after run the sysprep? Do you mount the Windows image via ImageX? Thanks!

  15. Any ideas as to when the profile cleanup script is run why you get a ‘?’. Everyone has RX permissions on the ‘Default’ folder. Other than that, the guide was great!

    1. I think the script is slightly erroneous and doesn’t set permissions quite right on the default profile. Hopefully I can update it soon…

  16. Thanks!!! I felt like I got a handle on the process of trimming the cruft and capturing a nice, trim image in the Win7/8.1 days, then Win10 came along and really changed things.

    I appreciate the overview. Many thanks! 🙂

  17. Hello James!

    There are a couple of things I am confused on as far as creating the mandatory profile. When you first press Control+Shift+F3 and enter audit mode during a new installation, the machine is not yet joined to the domain and also vmware tools are not installed so there is no NIC driver, therefore no network connection.

    To install tools and join the PC to the domain, this will require a reboot.

    How do you get back into audit mode after you reboot at this point or do you need to be in audit mode at this point?

    Doesn’t the machine need to be joined to the domain for the mandatory profile creation?

  18. Hello James et al,

    Appreciate the info and do some of the very same you do in regards to creating that custom default profile. I have also used DISM to mount and import App Associations (which MS is good at stripping after sysprep).

    I’ve used Copy Profile in the answer file since forever, but the 1803 and now the 1809 have actually felt like MS has done away or eroded some of what it can do over time.

    The LayoutModification.xml should be allowed to be placed in the Default profile (Shell area) area before or even after sysprep (say like while mounting an image with DISM). However I have had no luck in that actually staying when the image is put to a new machine and then booted. That layoutmod.xml gets removed for some reason.
    I was looking to see if it was possible to have the .XML file get pushed when the sysprep is going through its process.

    Thanks for all the information and look forward to an update on your page or answers to some of the other questions in the comments.

    1. Copy profile “breaks” the image being deployed.
      What happens is that certain things, like settings, take forever to come up when logged in as a regular user and not an admin.
      I use the Layout Mod and copy certain files to the default user profile and that seems to work.

  19. Anyone have any experience getting default profiles copied where default app associations actually work under LTSC 2019 (build 1809)? I’m really thinking this is more of a MS thing than anything with my process – never had issues really with LTSC build 1607 or with Ent builds of 1703, 1709 or 1803. Note: We use LTSC for our classroom/lab systems, utilize an app to restore environment upon reboot, so essentially every student login profile is generated from the default profile. Right now, new user login will get ‘Default App reset notifications’. Even attempting to inject .xml into offline .wim after capture/sysprep still does not work.
