Creating a mandatory profile on Windows 10 1803

Microsoft hate mandatory profiles, but they are useful. Here’s a guide to creation on Win10.

Note: this article refers to the mandatory profile creation process on Windows 10 version 1803, fully patched as of 16/07/2018. Further servicing updates (Windows patches) or feature updates (OS upgrades) may well invalidate this, although I will strive to keep this article as up-to-date as humanly possible.

About mandatory profiles

Mandatory profiles (or their bigger brother, super-mandatory profiles) are a variant of the Windows roaming profile that many people still find useful. Changes to a mandatory profile are discarded at logoff, meaning that any modifications the user has made in-session are purged and the profile deleted. This is ideal for educational or kiosk scenarios where a default set of configuration items is required for every logon, or even for environments where people are using third-party profile solutions to hold user settings, such as Ivanti UWM or LiquidWare ProfileUnity.

Mandatory and super-mandatory

The difference between a mandatory and a super-mandatory profile is very simple: a super-mandatory profile will prevent logon if the specified profile is unavailable, whereas a standard mandatory profile allows the logon to continue if it cannot find the configured profile and simply loads a temporary profile instead. Configuring super-mandatory is essentially the same as configuring a mandatory profile and setting the “Log users off if roaming profile is unavailable” GPO. This is handy for ensuring users can’t sidestep any restrictions built into the profile by logging on with a temporary profile. To make a mandatory profile super-mandatory, you need to name the profile folder with a “.man” suffix, in the same way you rename the ntuser.dat file to ntuser.man.

Profile version suffixes

Of course, we don’t want to forget about profile version suffixes. XP and 2003 used “v1” profiles, whereas 7 and 2008/2008 R2 gave us the first version change as they moved to “v2” profiles. Later OSes originally used .v2 by default, but after Windows 8.1 Microsoft decided to implement strict versioning for every later version of the Windows operating system. You can convert profiles upstream (e.g. take a .v2 profile and make it .v6), but they will no longer be backwards compatible.

So let’s put in a table of what you would have to name your mandatory and super-mandatory profile folders on each OS version (assuming your folder structure was \\SERVER\SHARE\Profile). Remember, the OS appends the suffix to the folder name; there is NO NEED to change the name of the folder specified in AD on the user object, or in the GPO. (This applies to standard roaming profiles too.)

Windows XP
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man

Windows 2003
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man

Windows Vista
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man

Windows Server 2008
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man

Windows 7
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE.v2
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man.v2

Windows 2008 R2
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE.v2
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man.v2

Windows 8
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE.v3
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man.v3

Windows 2012
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE.v3
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man.v3

Windows 8.1
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE.v4
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man.v4

Windows 2012 R2
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE.v4
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man.v4

Windows 10 RTM/1511
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE.v5
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man.v5

Windows 10 1607/1703/1709/1803
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE.v6
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man.v6

Windows Server 2016
Profile folder in AD or GPO – \\SERVER\SHARE\PROFILE
Actual mandatory profile folder – \\SERVER\SHARE\PROFILE.v6
Actual super-mandatory profile folder – \\SERVER\SHARE\PROFILE.man.v6

Storing mandatory profiles

Should you store them locally in the image, or on the network? The choice is yours, depending on whether you need to maintain access in the event of a network outage, and how easy you want any updates to be. I usually try and get the best of both worlds by having the mandatory profile in the image but updating it from a central file location using scripting, Group Policy Preferences or a tool like Ivanti UWM. Here’s an example of it being updated centrally and pushed out via UWM.

Deployment of mandatory profiles

Mandatory profiles can be defined on the user object in AD (on the Profile tab, RDS Profile tab or both of them, as required) or pushed via a Group Policy Object (for RDSH only). Bear in mind, though, that if you define the GPO it is a Computer setting, and will apply to all users logging on to the machine (including Administrators), so if you’ve over-restricted the base profile, test your admin access. I’ve also seen people deploy mandatory profiles in a more targeted fashion using scripts to modify the profile settings.

I know I already mentioned this in the previous section, but because so many people fall down on this point I will mention it again 🙂 The path to a mandatory or roaming profile is independent of the actual folder path. For instance, if we defined the path in AD or via GPO as C:\Users\MandatoryProfile, the OS would look for a folder unique to the OS, as in the table above, because the “.vx” suffix is added automatically depending on the operating system the user logs on to. So if a user had a mandatory profile path defined as C:\Users\MandatoryProfile and they logged on to a Windows 7 machine, the operating system would actually look for the profile in C:\Users\MandatoryProfile.v2 rather than the literal path. This is very handy and means we can define a single mandatory profile path yet have multiple, OS-dependent profiles available.

Creating a mandatory profile

So, we’ve run through all of the considerations and given you a lovely table of OS profile versions, but what do we have to do to create a mandatory profile? Specifically, we’re going to talk about doing it on Windows 10 1803, but the instructions below should be valid in their most part for other operating systems as well.

Create the customized profile

The most time-consuming part needs to be done first 🙁 What you need to do is create a custom default profile as specified in this article. When creating the custom default profile, make sure you add all required user-level customizations into your default profile, because this is what we will convert into the mandatory profile. On Windows 10, you can’t convert anything other than the default profile into a mandatory profile (although you could copy and paste the underlying profile folder, but this way is technically unsupported, and make sure you grab all the hidden and system files too if you go this way). Personally, although it takes a bit of time and may involve spinning up an additional Windows 10 image (which you can just discard as soon as you’re finished), I would go this way – at least it means you know you’re not giving any support vendors a “get out of jail free” card.

Copy the profile to your profile store

When you’ve finished all the steps from the previous article (including running the PowerShell scripts which tidy up the default profile!), log on to the machine that now has your custom default profile. Make sure you log on as an administrative user. At this point I like to make sure the device we’re using is fully patched, so check this before continuing. Next, open the Advanced section of System settings from Control Panel (easiest way to do this: press Windows-R for the Run command and type sysdm.cpl). Click on the Advanced tab, and click on Settings. You will see this dialog

Click on Default Profile so it is highlighted. The Copy To button will now become available. Click on it and another dialog box will open. Fill in the Copy profile to location with the folder you wish to store the mandatory profile in. Ensure the Mandatory checkbox is ticked. Click on Change under Permitted to use and type “Authenticated Users” into the Object field. The dialog box should now look like this

When you click OK, the folder you have specified as a destination will be created if it didn’t already exist. Also, if the user account does not have access to the destination folder you will get an error like this

Once you have resolved any access issues, click OK and the profile will be copied. What is odd is that there is no success dialog and the window for copying the profile remains open – once you’ve clicked OK and it has copied, you must then click Cancel to exit the dialog box.

Tidy up after 1803 bugs

The folder should now contain your copied default profile. Well, hopefully it does, but in some isolated instances I’ve seen the copy fail to bring across some of the files (though not all of them), so we need to check. Make sure that your destination folder contains the ntuser.dat and ntuser.ini files. This is very annoying when it happens: in 1709 there was a bug that meant the copy wouldn’t work on network paths, and now in 1803 we have a bug that sometimes fails to copy two of the (admittedly most important) files in the profile. If this happens to you, browse to c:\users\default and literally copy and paste them to the destination folder. (Thanks to Rich Thompson for helping verify this wasn’t something that happens every time!)

Set permissions on filesystem

Now that we’ve actually got the right files copied, we can check that the filesystem permissions are OK. The file copy will have added Authenticated Users with RX permissions, but we also need to make sure the All Application Packages group has access as well. Set the permissions on the root folder of your mandatory profile store as below, and set them to propagate. Also, make sure that the Administrators group owns the folder and all subfolders. The pertinent settings are highlighted below.

Set permissions on Registry

Now we need to do the same for the Registry, but we need to be a little more careful here. Open the Registry file (ntuser.dat) from your mandatory profile folder by running regedit.exe, highlighting the HKEY_USERS hive, then clicking on File and choosing Load Hive. Browse to the folder where the mandatory profile is and select the ntuser.dat file (it is hidden, so make sure you are showing hidden files before running the Registry Editor).

Once you do this it will ask you to give the hive a name, simply type anything in as this will not be saved anywhere. The hive will now show as loaded under HKEY_USERS with the name you have given it. You can then right-click on the root of the hive and select Permissions. Modify it again so that it looks like this (this time we have given Authenticated Users Full Control, because the Registry is essentially a filesystem within a file that has its own ACLs).

When clicking OK, it is normal to see an error like this, as some of the subkeys cannot be accessed.
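Scripting the two ACL steps above, as an added example that is not part of the original article: the store path, the temporary hive name ManProfTemp and the use of icacls.exe plus Set-Acl are my assumptions. It grants the rights described above by well-known SID (Authenticated Users and ALL APPLICATION PACKAGES RX on the files and Full Control on the hive, Administrators as owner), pushes the hive ACL down to subkeys the way regedit does, and unloads the hive again so it is not left locked.

```powershell
# Added example, not the article's own script. Run elevated on the 1803 box.
# Assumptions: the copied profile sits in $ProfilePath and the hive can be
# mounted under the temporary name $HiveName (the name is never saved).
param(
    [string]$ProfilePath = 'C:\ProfileStore\MandatoryProfile.v6',
    [string]$HiveName    = 'ManProfTemp'
)
$ErrorActionPreference = 'Stop'

# Well-known SIDs, so the script works regardless of the OS language.
$authUsers = 'S-1-5-11'       # Authenticated Users
$allPkgs   = 'S-1-15-2-1'     # ALL APPLICATION PACKAGES
$admins    = 'S-1-5-32-544'   # BUILTIN\Administrators

# --- Filesystem: Read+Execute for users and app packages, Full Control for
# Administrators, inherited by subfolders (CI) and files (OI); then make
# Administrators the owner of the folder and everything beneath it.
& icacls.exe $ProfilePath /grant "*${authUsers}:(OI)(CI)RX" "*${allPkgs}:(OI)(CI)RX" "*${admins}:(OI)(CI)F" /T /C | Out-Null
& icacls.exe $ProfilePath /setowner "*$admins" /T /C | Out-Null

# --- Registry: load ntuser.dat under HKEY_USERS, give the same two principals
# Full Control at the root of the hive (inherited by subkeys), then unload.
$hiveFile = Join-Path $ProfilePath 'ntuser.dat'
if (-not (Get-Item -LiteralPath $hiveFile -Force -ErrorAction SilentlyContinue)) {
    throw "ntuser.dat is missing from $ProfilePath (see the 1803 copy bug above)"
}
& reg.exe load "HKU\$HiveName" $hiveFile | Out-Null
try {
    $root = "Registry::HKEY_USERS\$HiveName"
    $acl  = Get-Acl -Path $root
    foreach ($sid in $authUsers, $allPkgs) {
        $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $id, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)   # replaces any existing ACE for that SID
    }
    Set-Acl -Path $root -AclObject $acl

    # Equivalent of regedit's "replace all child object permissions": re-enable
    # inheritance on every subkey. Keys that refuse access are reported and
    # skipped, which is the same error regedit shows at this point.
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.PSPath
        try {
            $sub = Get-Acl -Path $path
            $sub.SetAccessRuleProtection($false, $false)
            Set-Acl -Path $path -AclObject $sub
        } catch { Write-Warning "Could not update ACL on $path" }
    }
}
finally {
    # The registry provider keeps handles open; drop them or reg unload fails
    # and the hive stays locked (the exact trap the article warns about).
    $acl = $sub = $null
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$HiveName" | Out-Null
}
"ACLs set on $ProfilePath and its ntuser.dat hive"
```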

Now, one of the questions that always comes up here is, because Authenticated Users now have Full Control over the Registry in the mandatory profile, does that mean that a tech-savvy user could access the Registry of a user on the same system, or another? Well, firstly, the Registry as I said is a filesystem within a file, and the “file” outside of it is locked down on an NTFS basis. So really, a user shouldn’t be able to load or access the Registry of another user in any normal situation. But just in case there was an instance where they could, there are a couple of things you can do to mitigate this. Firstly, prevent the running of regedit.exe or cmd.exe/PowerShell.exe (because you can invoke Registry changes from the command prompt) for non-admin users via GPO, AppLocker or another tool. Secondly, maybe even run a script just after logon that resets the permissions on the current user’s Registry so that the entry for Authenticated Users is replaced by one for the user themselves. In a high-security environment this might be necessary, but for most normal operations the NTFS protection on the ntuser.dat file should suffice to prevent any unauthorized access.
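The second mitigation above as a logon script, added here as an example rather than anything from the article: run in the user’s own context, it swaps the Authenticated Users entries at the root of HKCU for identical entries naming the current user’s SID. Because a mandatory profile is discarded at logoff, the change only lasts for the session and the script has to run at every logon; how it is launched (GPO logon script or otherwise) is left to you.

```powershell
# Added example, not the article's own script. Runs as the logged-on user (for
# instance as a GPO logon script). Requires the user to hold WRITE_DAC on the
# hive, which the Full Control granted to Authenticated Users provides.
$ErrorActionPreference = 'Stop'
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$auth = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'   # Authenticated Users

$acl = Get-Acl -Path 'HKCU:\'
# Explicit ACEs for Authenticated Users at the hive root (nothing is inherited here).
$toReplace = @($acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $auth
})
if ($toReplace.Count -eq 0) {
    'No Authenticated Users entry at the root of HKCU; nothing to do'
    return
}

# Remove every Authenticated Users ACE and re-add each one for the user's own
# SID with the same rights, inheritance and type. SYSTEM, Administrators and
# any other entries are left untouched.
$acl.PurgeAccessRules($auth)
foreach ($ace in $toReplace) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $me, $ace.RegistryRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path 'HKCU:\' -AclObject $acl
# Subkeys that inherit from the root pick the change up automatically; keys with
# their own protected ACL (the sort you had to take ownership of earlier) do not.
"Replaced $($toReplace.Count) Authenticated Users ACE(s) at HKCU root with $($me.Value)"
```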

Registry sanitization

Whilst we’ve got the Registry file “open”, we can remove stuff from the Registry that shouldn’t be there. Firstly, we can remove references to the user who the profile was created under, which if you used the default profile method will be “Administrator”. Remove all references to the Administrator username from the Registry hive (there is a Find command you can use for this in regedit). If you’ve used a domain account to create the mandatory profile, then also at this point search for any references to the SID of the user and remove them as well (psgetsid is ideal if you need to find the user SID).

You can also go through, if you wish, and delete any Registry keys or values that you deem unnecessary. A prime example of unnecessary keys would be any Policies keys, generally found in HKCU\Software and also in HKCU\Software\Microsoft\Windows\CurrentVersion.

You can also remove any other items from the Registry you think shouldn’t be there (you will be amazed at the references you find). HKCU\Software\AppDataLow is generally useless, as are references to the likes of Adobe and Google (how do they get there when I’ve no software from either installed?) Be careful, though, that you don’t break something by being over-exuberant (although I’ve been pretty brutal in the past, to be fair, and I’ve yet to cause an issue). You may find some keys (like Google, naming no names) have keys that are locked via permissions and you will need to take ownership of them and edit permissions to get rid of them. How far you go here is up to you – I’ve (in the past) gotten the ntuser.dat file down to about 256KB by being gung-ho, but don’t take that as a challenge, the Registry file sizes tend to grow as Windows moves on to newer versions 🙂

Once you’ve done all of this, don’t forget to unload the profile by clicking File | Unload Hive with the top-level key selected, otherwise you will lock the profile and no-one will be able to access it. This has happened to me in the past, so be warned, it’s easy to do!

Delete extraneous files

Once you’ve edited the Registry file you will notice a bunch of *.log* and *.blf files in the folder where your profile is stored. Just delete these.

Rename the dat file

Now, to truly make this “mandatory” rename the ntuser.dat file to ntuser.man. If you’re going super-mandatory, rename the holding folder to one with a .man.vx suffix (if you hadn’t already).
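The tidy-up, file deletion and rename steps above gathered into one function, added here as an example (the Complete-MandatoryProfile name and the store path are my assumptions, not the article’s own script). It also names the folder with the suffix the table above gives for 1803 (.v6, or .man.v6 for super-mandatory) and reports the suffix-free path that goes into AD or the GPO.

```powershell
# Added example, not the article's own script. Assumes the profile was copied to
# $ProfilePath (an existing .vX / .man.vX suffix is optional) and that regedit has
# already unloaded the hive, otherwise the rename below fails with a sharing violation.
function Complete-MandatoryProfile {
    param(
        [Parameter(Mandatory)][string]$ProfilePath,
        [string]$VersionSuffix = 'v6',   # 1607 to 1803 and Server 2016 (see the table)
        [switch]$SuperMandatory          # folder gets .man.vX; logon refused if unavailable
    )
    $ErrorActionPreference = 'Stop'

    # 1. 1803 copy bug: ntuser.dat / ntuser.ini sometimes do not arrive. Both are
    #    hidden, so -Force is needed to see them; take any missing one from the
    #    default profile the copy was made from.
    foreach ($name in 'ntuser.dat', 'ntuser.ini') {
        $dest = Join-Path $ProfilePath $name
        if (-not (Get-Item -LiteralPath $dest -Force -ErrorAction SilentlyContinue)) {
            Write-Warning "$name was not copied; taking it from C:\Users\Default"
            Copy-Item -LiteralPath (Join-Path 'C:\Users\Default' $name) -Destination $dest -Force
        }
    }

    # 2. Remove the *.log* and *.blf files regedit leaves next to the hive.
    Get-ChildItem -LiteralPath $ProfilePath -Force -File |
        Where-Object { $_.Name -like '*.log*' -or $_.Name -like '*.blf' } |
        Remove-Item -Force

    # 3. ntuser.dat -> ntuser.man is what makes the profile mandatory.
    $man = Join-Path $ProfilePath 'ntuser.man'
    if (Get-Item -LiteralPath $man -Force -ErrorAction SilentlyContinue) {
        Remove-Item -LiteralPath $man -Force   # stale copy from an earlier run
    }
    Rename-Item -LiteralPath (Join-Path $ProfilePath 'ntuser.dat') -NewName 'ntuser.man' -Force

    # 4. Name the folder the way the OS will look for it (PROFILE.v6 or
    #    PROFILE.man.v6). The path entered in AD or the GPO is PROFILE, no suffix.
    $parent = Split-Path -Parent $ProfilePath
    $base   = (Split-Path -Leaf $ProfilePath) -replace '(\.man)?\.v\d+$', ''
    $leaf   = if ($SuperMandatory) { "$base.man.$VersionSuffix" } else { "$base.$VersionSuffix" }
    if ((Split-Path -Leaf $ProfilePath) -ne $leaf) {
        Rename-Item -LiteralPath $ProfilePath -NewName $leaf
    }
    [pscustomobject]@{
        ProfileFolder  = Join-Path $parent $leaf
        PathForADorGPO = Join-Path $parent $base
    }
}

# Example run for a super-mandatory 1803 profile kept on a file share:
Complete-MandatoryProfile -ProfilePath '\\SERVER\SHARE\PROFILE' -SuperMandatory
```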

Check Group Policy

Check that you have got the Group Policy Object configured for Computer Config | Admin Templates | Windows Components | App Package Deployment | Allow deployment operations in special profiles set to Enabled. If you have UWP apps in your image, without this GPO set it cannot deploy them into special (roaming/mandatory/super-mandatory) profile types and you will end up with a broken Start Menu.

Deploy

The final step is to populate the user’s Profile or Remote Desktop Services Profile field in ADUC with the path to the mandatory profile (minus the suffix, remember!) If you’re using RDSH and you want to use the GPO method, populate the path into the GPOs for mandatory profiles (found in Computer Config | Policies | Admin Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles | Use mandatory profiles on the RD Session Host server and Set path for Remote Desktop Services Roaming User Profile).

Now log in as a (different) test user and see if you get the mandatory profile loaded (you can check the profile type from the sysdm.cpl applet or Registry, or simply see if the user profile changes persist between logons).

Troubleshooting

If you’ve followed everything in this article, you should hopefully have no issues. Forgetting to add All Application Packages to the ACL for the filesystem and Registry, and not setting the GPO for deployment operations in special profiles, are the two biggest mistakes people make. Check that the User Profile Service is running and that you can access the location where the profile is stored, be it local or networked.

If you do get issues, especially if logon fails, then checking the event log is paramount. The User Profile Service logs any errors there and you should be able to figure them out from the event details.
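The checks from the Check Group Policy, Deploy and Troubleshooting sections as one script, added here as an example and not from the article: it reads the Appx policy value the GPO sets, checks the folder ACL by SID, reports the profile state Windows recorded for a test user, and pulls recent User Profile Service events. The account name, share path, 24-hour window and the registry value name are my assumptions.

```powershell
# Added example, not the article's own script. Run elevated on the machine the
# test user logged on to. $TestUser and $ProfileFolder are placeholders.
param(
    [string]$TestUser      = 'CONTOSO\manproftest',            # constructed test account
    [string]$ProfileFolder = '\\SERVER\SHARE\PROFILE.man.v6'   # folder the OS should load
)

# 1. The GPO the article says people forget: Computer Config > Admin Templates >
#    Windows Components > App Package Deployment > Allow deployment operations in
#    special profiles. Enabled writes this DWORD = 1 (value name assumed).
$appx = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' -ErrorAction SilentlyContinue
if ($appx.AllowDeploymentInSpecialProfiles -eq 1) { 'OK    AllowDeploymentInSpecialProfiles = 1' }
else { 'FAIL  Allow deployment operations in special profiles is not Enabled; expect a broken Start Menu' }

# 2. Both principals the article adds must appear on the profile folder ACL.
#    Compared by SID so localised group names do not matter.
$present = @((Get-Acl -LiteralPath $ProfileFolder).Access | ForEach-Object {
    try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
})
$needed = @{ 'S-1-5-11' = 'Authenticated Users'; 'S-1-15-2-1' = 'ALL APPLICATION PACKAGES' }
foreach ($need in $needed.GetEnumerator()) {
    if ($present -contains $need.Key) { "OK    $($need.Value) is on the folder ACL" }
    else { "FAIL  $($need.Value) is missing from the folder ACL" }
}

# 3. What kind of profile the OS actually loaded for the test user.
#    Win32_UserProfile.Status is a bit field: 1 Temporary, 2 Roaming, 4 Mandatory, 8 Corrupted.
$sid = (New-Object System.Security.Principal.NTAccount $TestUser).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$up = Get-CimInstance Win32_UserProfile -Filter "SID='$sid'"
if (-not $up) {
    "FAIL  no profile on this machine for $TestUser; has the user logged on here yet?"
} else {
    $names = @{ 1 = 'Temporary'; 2 = 'Roaming'; 4 = 'Mandatory'; 8 = 'Corrupted' }
    $state = foreach ($bit in 1, 2, 4, 8) { if ($up.Status -band $bit) { $names[$bit] } }
    if (-not $state) { $state = 'Local' }
    "INFO  $TestUser profile state: $($state -join ',') (Status=$($up.Status))"
    if ($up.Status -band 1) { 'FAIL  temporary profile: the mandatory profile was not found or could not be read' }
    if ($up.Status -band 4) { 'OK    mandatory profile loaded' }
}

# 4. User Profile Service errors and warnings from the last 24 hours. The two IDs
#    quoted in the comments are 1511 (local profile not found) and 1521 (server
#    roaming profile not found).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```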

Summary

For those of us who still use mandatory profiles (and there are more of them than anyone would think), using this guide should help you avoid the pitfalls you may well encounter on Windows 10 version 1803. I will try and record a video to go along with this, as well as possibly keep it updated for newer Windows 10 versions.


75 comments

  1. Hi, I am following your instructions and am stuck at the point of setting permissions on filesystem. I cannot work out how to add all application packages when editing permissions on the file share. The file server is 2008 r2. That group is not found.

  2. Hi,

    I am unable to add all application packages to the permissions on the 2008 r2 file share where the profile is stored. This security group doesn’t exist. Please help.

    1. If it’s not there it can’t be added, I believe this group arrived in 2012 or 2012 R2. I would test without it, if it doesn’t work you may need to migrate to an upstream file share.

    1. Sounds like you have put .v6 in the actual profile path on the user object in AD. Remove it, you don’t need the .v6 prefix specified

  3. Hi,

    Watching the video How to set up a mandatory profile on Windows 10 Creators Update (1703) I saw that we should not put the extension .V6 in the profile path in the DA.

    Thanks

  4. Hi. I need help. I am following your instructions, but I have error:
    “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item”

  5. Sorry, my English is not good.
    I solved this problem. Mandatory profiles were not removed after the user logged out. I added the Delete Roaming Cache key in the Registry, and renamed the profile to mandatory.man.v6 and the path to mandatory.man. Now all is OK. But I got a new problem. In my test system, with the mandatory profile, Windows 10 modern apps do not work. In your video, I see the calculator works.

  6. Hello – followed your instructions – Thanks Very Much!! But, I must be missing something as when assigning mandatory profile to a user, everything seems to work, but Start Menu will not launch. I am testing with ver 1803… also you mentioned upgrading V2 profiles to V6 profiles… how is that done ?

  7. Great write-up. Helped out a lot. One problem I have run into is that the user profile is showing as a roaming profile in the sysdm.cpl instead of a mandatory profile. Any thoughts on why?

  8. Hi James,
    great article. Thanks for the info. You have written that “Microsoft hate mandatory profiles, but they are useful…”. I’m pretty sure that I stumbled upon an official Microsoft article where they mentioned that mandatory profiles are “customized” workarounds and are not recommended, but I’m unable to find it. Do you know if there is anywhere an official statement from Microsoft about it?

    1. There is a Microsoft article around mandatory profiles on their site that is periodically updated, but their official line is always “use local”.

  9. Hi James!

    Thanks al lot for writing these articles!

    I’m just trying to do it with W10 1809 Education.
    Your script to clean up the “Default Profile” fails here in those 2 lines that should clean up “Temp. Internet files”, but I think that might not be problematic. BUT:
    After the script my Default Profile folder is about 100MB in size, but after copying via Advanced System Settings it’s only about 2MB in size (NTUser.dat and NTUser.ini are in place). Can that be OK?

    Another question, if it is allowed:
    What I did with my Win 7 machines was to copy a Default Profile via Advanced System Settings and then copy this profile manually to each user’s profile folder on my server. For some users I made these profiles mandatory (ntuser.man); for other users I left the profile open. Will this work for Win 10 also?

    1. Yes the idea is to reduce the size by a huge amount, it is normally 1-2 MB afterwards.

      That method you describe may well work for Windows 10 but seems like a lot of work, to be fair.

  10. Hi James!
    I did everything as you described but encounter problems with the Start menu and layout afterwards (I deploy a layout XML via GPO along with my RUP).

    I log one user on to a machine and everything seems to be OK: the Start menu (left) is OK, all programs are listed, and the tiles (right) are there as I defined in my XML.
    I then log off that user and log him in on another machine. Here I see no tiles and a lot of programs are missing in the Start menu.
    I also have this problem without the XML GPO: on some machines I have a complete Start menu and the Windows “out-of-the-box” tiles, on other machines I have no tiles and only an incomplete Start menu.
    Looks like the source of this problem is my roaming profile, because with local profiles my Start menu is ALWAYS complete and also my XML Start menu layout is ALWAYS displayed right.

    Maybe you have an idea?

    Thanks!

    TJ

  11. Hi James,

    great tutorial! One problem we have left. We are using 1809 mandatory profiles with redirected folders and when I rename the ntuser.dat to ntuser.man no one is allowed to log on. When a user logs on, then after a couple of seconds the user is logged out without a warning. When we rename the ntuser.dat to ntuser.man.v6 the user can log on. When the user logs out there is a warning that the roaming profile was not completely synchronized. In the event viewer there are several events saying it isn’t possible to copy the ntuser.dat to the new folder.
    Can you help me out here?

    Thanks

    Bas

  12. Hello James!

    When you first install Windows 10 on a VMware VM and get to the list of countries and press Ctrl+Shift+F3 and it boots into audit mode, keep in mind the VMware tools are not installed yet and therefore you have no NIC driver at this point. Also, Windows is not activated at this point (company uses KMS activation and machine needs to be on domain to activate in this way).

    Two questions:

    1) After the tools install, a reboot is required. How do you get back into audit mode since you will load past the country selection screen and can’t press Ctrl+Shift+F3 at this screen anymore?

    2) Also, doesn’t the machine need to be joined to the domain so that when you are done modifying the default profile, you can login as a different user to copy the default profile to a network share?

  13. Hello,

    great and useful article.
    I’ve many desktops in schools or libraries for public access, standalone without a DC.
    In the old Windows XP I used SteadyState to lock a profile, set access to applications, and I had a local mandatory profile.
    With Windows 10 I set up a local mandatory profile and all works well, but when you have an update the whole system is broken.
    After 1803 I lose the profile; after 1809 Start and Cortana don’t work and the app store updates are pending.

    Do you have a valid and efficient solution to lock a Windows 10 desktop without a DC?

  14. Hi James,
    I am getting
    “The User Profile Service service failed the sign-in. User Profile cannot be loaded.”
    Any Advice?

    1. Check permissions on the profile? Has it got the ALL APPLICATION PACKAGES permissions set correctly? What is logged in the event log?

  15. I am getting
    “The User Profile Service service failed the sign-in. User Profile cannot be loaded.” Also.

    The permissions are set correctly. I’ve tried pointing to a network share for the profile, locally for the profile, naming the profile ManProf.V6, ManProf.Man.V6, and even various other policies.

    What is weird it works if I list the .v6 as part of the path in the policy! That shouldn’t work I thought.

    Wonder if it’s just an LTSC thing…

  16. For me everything was working fine since update to windows 1903.

    I did exactly what is described on this wonderful site except for the place where I stored the path for the profile. I set the path (without “.v6”) in local user settings > profile > profile path.

    Error-IDs:
    – 1511: User Profile Service (local user profile not found)
    – 1521: User Profile Service (server roaming profile not found)

    1. Right I’m going to do a test on default profiles and mandatory profiles on 1903 by next week as many seem to be having problems. Should be out by early next week.

      1. Hey James,

        no pressure, but I think a lot of people would really appreciate your insights about the 1903 problem.

        Me too. 🙂

        Is there a light at the end of the tunnel?

        regards

        Dirk

        1. It certainly seems as if there is a little problem with mandatory in particular, yes. I suspect there are some things need tweaking to do with Registry and filesystem permissions. Default profiles work fine but mandatory has some issues. Hopefully I should be able to identify it soon and issue an update.

        2. OK on 1903 you need to make sure that the Registry permissions are correct. The EVERYONE group and ALL APPLICATION PACKAGES group need to have Full Control cascaded on the Registry hive while loaded in regedit. Without this the mandatory profile will not load.

          1. Also remove a group called “RESTRICTED” from the ACL on the Registry, if it appears.

        3. OK, on 1903 and using a mandatory profile there are issues not just with the Registry permissions, but also with Search roaming, Start Menu performance, and many other things. As far as I can tell, the answer would be to create your mandatory profile on the *previous* version of Windows 10 (I tested using an 1803 profile) and use it on 1903. This should work fine.

          1. Thank you for your effort.

            It’s so sad, that microsoft is treating this issue so neglected.

  17. Hello James,

    I’ve used local mandatory profiles with Windows 7 and 8.1 to have computers for schools and libraries locked down, and with a restart the computer is fresh.
    With Windows 10 there are many, many problems at every update: no start menu, corrupted profiles, etc.
    Which is the best solution to provide locked-down computers with updates?

    my best regards

  18. Hello James 🙂

    Been trying for days to get it working with 1903……it uses the profile but the start menu doesn’t work.

    Can’t believe Microsoft published 1909 without fixing 1903 😀

    I hope you take another look at it 🙂

    1. I have been trying to write a script to do all of this stuff but as said it suffers from failures on Server 2016 and later W10 versions. Will update as soon as I can.

    2. What worked for me was: create a mandatory profile with Windows 10 1803 and then update to 1903. This summer I tried to create a mandatory profile on 1903 but it didn’t work out. So I downgraded to 1803 and then updated a few days ago. I use Classic Shell.

  19. I’d be interested in knowing how the following works on Windows 10:

    Computer Config | Policies | Admin Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles | Use mandatory profiles on the RD Session Host server and Set path for Remote Desktop Services Roaming User Profile

    1. It *should* do, but check by logging on with multiple users, multiple times and check for Start Menu corruption

      1. Cheers James, I’m using VMware and it won’t recognise the CTRL SHIFT command. Any other way to enter into Audit mode?

        1. VMware console? Odd, sorry I don’t know any alternative keystrokes….does the On-Screen Keyboard work in this situation?

  20. Hi James. I’m trying the mandatory profile for Windows 10 1909 but it seems the start menu and the Start Layout is not working. Any idea?

  21. If you want to create a very generic profile do like I did but it was accidental.
    Install Win 10 1809, go into audit mode. Set up your settings, start button and taskbar the way you want, all of this with the XML listed above.
    After this it copies the Administrator profile to your jump drive.
    Rename that profile to Default and remove the admin rights on it.

    After you’ve built your image, rename the default profile to old and copy the above Default to the Users folder. Log in. The Start menu will have Settings and Edge on it and that’s it. The taskbar will have Edge and File Explorer on it.
    It’s not perfect but it is very generic.

  22. Hi James,

    Noticed your Jrankin4 profile is 62MB, I’m a bit confused. Shouldn’t this be the same size as the mandatory profile size?

    1. Not necessarily, the Windows logon spaffs out a load of crap that you would then discard at logoff

  23. Hello! I was wondering if even though the GPO setting shows the path should be something like \\SERVER\SHARE\PROFILE
    Could I actually use a path like C:\MandatoryProfile instead?
    The reason is, I have a VDI environment and a user’s session will be on any one of several servers. I would like the better speed of the profile being pulled from the local server of the connection rather than from a central location where it would then need to be copied over.
    Is this path specifying a server actually required?

    1. Nope, you can put a local path. Sometimes I use a central UNC path and copy this down local using GPP, so all the users use a local path instead.

      However in a VDI environment, the local storage isn’t necessarily any faster than being on the network (dependent on your setup). I would baseline the logon performance and see for yourself if it makes an improvement.

  24. Hello James,
    I’m trying to get my mandatory profiles working on Windows 10 20h2, no problem at all with the start menu but when I log in it gives me an error:
    An app default was reset

    Any idea on how to fix this?

    Many thanks

      1. Whaaaaaaaaaaaaaaaaaat this actually worked. I don’t get any errors. It doesn’t set any app as default, is it right?

        1. When the OS detects any change to the hashed values in the Registry, it then reverts back to whatever is specified in the XML file. If it isn’t there – well, it can’t change them back 🙂 Worst case scenario the user might have to choose an app to use

  25. Hey James,
    followed your how-to and it’s working perfectly. Copied the mandatory profile to the file server, pointed the user’s profile path to that location and it seems to be OK.
    The problem arises when I want to edit the mandatory profile: I change the .man to .dat and try to log in. Instantly I get a message about a temporary profile and the log is full of errors (permission). Any idea how to fix it?
    Thanks, Lukas

    1. Why do you need to log in with the profile to edit it? You can load the Registry hive into regedit, and you can add/remove things from the filesystem using Explorer…

      1. will look into that, thanks
        It seemed to me to be more straightforward to rename the profile back to .dat, make changes in the system and then rename again to .man

  26. Hi James,

    I want to express my gratitude to you. Your video greatly assisted me in creating a Mandatory Profile for my users. I had been trying for days, and the start menu wouldn’t work. However, your video helped me. Thanks.

    I have one question that I am still investigating. I’ve noticed that the start menu now appears, but I am not seeing all the applications that are loaded on the unit. For example, if I have 20 software programs installed, I am only seeing about 14. My next question is, if I install a new software, will it automatically appear in that listing? I look forward to your feedback. Thanks in advance

    1. Make sure shortcuts for new software go into %ALLUSERSPROFILE% and they should always appear in all users’ Start Menus.

  27. Quick one

    I notice that when users log on using the mandatory profile, the start menu is not populated (maybe 3 icons); however, when the user logs out and then logs back in, the start menu is populated. In essence users get a blank desktop and start menu when they log on for the first time, but when they log out and back in everything appears. Why?

    1. That sounds very odd, as with a mandatory profile every logon should be a “first” logon and there should be no difference at the second logon. Something has gone wrong.
