Настройка перемещаемых профилей windows server 2019

Deploy primary computers for Folder Redirection and Roaming User Profiles

Applies to: Windows Server 2022, Windows 10, Windows 8, Windows 8.1, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2

This topic describes how to enable primary computer support and designate primary computers for users. Doing so enables you to control which computers use Folder Redirection and Roaming User Profiles.

[!IMPORTANT]
When enabling primary computer support for Roaming User Profiles, always enable primary computer support for Folder Redirection as well. This keeps documents and other user files out of the user profiles, which helps profiles remain small and sign on times stay fast.

Prerequisites

Software requirements

Primary computer support has the following requirements:

• The Active Directory Domain Services (AD DS) schema must be updated to include Windows Server 2012 schema additions (installing a Windows Server 2012 domain controller automatically updates the schema). For information about updating the AD DS schema, see Adprep.exe integration and Running Adprep.exe.
• Client computers must run Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.

[!TIP]
Although primary computer support requires Folder Redirection and/or Roaming User Profiles, if you are deploying these technologies for the first time, it is best to set up primary computer support before enabling the GPOs that configure Folder Redirection and Roaming User Profiles. This prevents user data from being copied to non-primary computers before primary computer support is enabled. For configuration information, see Deploy Folder Redirection and Deploy Roaming User Profiles.

Step 1: Designate primary computers for users

The first step in deploying primary computers support is designating the primary computers for each user. To do so, use Active Directory Administration Center to obtain the distinguished name of the relevant computers and then set the msDs-PrimaryComputer attribute.

[!TIP]
To use Windows PowerShell to work with primary computers, see the blog post Digging a little deeper into Windows 8 Primary Computer.

Here’s how to specify the primary computers for users:

1. Open Server Manager on a computer with Active Directory Administration Tools installed.
2. On the Tools menu, select Active Directory Administration Center. Active Directory Administration Center appears.
3. Navigate to the Computers container in the appropriate domain.
4. Right-click a computer that you want to designate as a primary computer and then select Properties.
5. In the Navigation pane, select Extensions.
6. Select the Attribute Editor tab, scroll to distinguishedName, select View, right-click the value listed, select Copy, select OK, and then select Cancel.
7. Navigate to the Users container in the appropriate domain, right-click the user to which you want to assign the computer, and then select Properties.
8. In the Navigation pane, select Extensions.
9. Select the Attribute Editor tab, select msDs-PrimaryComputer and then select Edit. The Multi-valued String Editor dialog box appears.
10. Right-click the text box, select Paste, select Add, select OK, and then select OK again.

Step 2: Optionally enable primary computers for Folder Redirection in Group Policy

The next step is to optionally configure Group Policy to enable primary computer support for Folder Redirection. Doing so enables a user’s folders to be redirected on computers designated as the user’s primary computers, but not on any other computers. You can control primary computers for Folder Redirection on a per-computer basis, or a per-user basis.

Here’s how to enable primary computers for Folder Redirection:

1. In Group Policy Management, right-click the GPO you created when doing the initial configuration of Folder Redirection and/or Roaming User Profiles (for example, Folder Redirection Settings or Roaming User Profiles Settings), and then select Edit.
2. To enable primary computers support using computer-based Group Policy, navigate to Computer Configuration. For user-based Group Policy, navigate to User Configuration.
   • Computer-based Group Policy applies primary computer processing to all computers to which the GPO applies, affecting all users of the computers.
   • User-based Group Policy to applies primary computer processing to all user accounts to which the GPO applies, affecting all computers to which the users sign on.
3. Under Computer Configuration or User Configuration, navigate to Policies, then Administrative Templates, then System, then Folder Redirection.
4. Right-click Redirect folders on primary computers only, and then select Edit.
5. Select Enabled, and then select OK.

Step 3: Optionally enable primary computers for Roaming User Profiles in Group Policy

The next step is to optionally configure Group Policy to enable primary computer support for Roaming User Profiles. Doing so enables a user’s profile to roam on computers designated as the user’s primary computers, but not on any other computers.

Here’s how to enable primary computers for Roaming User Profiles:

1. Enable primary computer support for Folder Redirection, if you haven’t already.
   This keeps documents and other user files out of the user profiles, which helps profiles remain small and sign on times stay fast.
2. In Group Policy Management, right-click the GPO you created (for example, Folder Redirection and Roaming User Profiles Settings), and then select Edit.
3. Navigate to Computer Configuration, then Policies, then Administrative Templates, then System, and then User Profiles.
4. Right-click Download roaming profiles on primary computers only, and then select Edit.
5. Select Enabled, and then select OK.

Step 4: Enable the GPO

Once you have completed configuring Folder Redirection and Roaming User Profiles, enable the GPO if you have not already. Doing so permits it to be applied to affected users and computers.

Here’s how to enable the Folder Redirection and/or Roaming User Profiles GPOs:

1. Open Group Policy Management
2. Right-click the GPOs that you created, and then select Link Enabled. A checkbox should appear next to the menu item.

Step 5: Test primary computer function

To test primary computer support, sign in to a primary computer, confirm that the folders and profiles are redirected, then sign in to a non-primary computer and confirm that the folders and profiles are not redirected.

Here’s how to test primary computer functionality:

1. Sign in to a designated primary computer with a user account for which you have enabled Folder Redirection and/or Roaming User Profiles.

2. If the user account has signed on to the computer previously, open a Windows PowerShell session or Command Prompt window as an administrator, type the following command and then sign off when prompted to ensure that the latest Group Policy settings are applied to the client computer:

3. Open File Explorer.

4. Right-click a redirected folder (for example, the My Documents folder in the Documents library), and then select Properties.

5. Select the Location tab, and confirm that the path displays the file share you specified instead of a local path. To confirm that the user profile is roaming, open Control Panel, select System and Security, select System, select Advanced System Settings, select Settings in the User Profiles section and then look for Roaming in the Type column.

6. Sign in with the same user account to a computer that is not designated as the user’s primary computer.

7. Repeat steps 2–5, instead looking for local paths and a Local profile type.

[!NOTE]
If folders were redirected on a computer before you enabled primary computer support, the folders will remain redirected unless the following setting is configured in each folder’s folder redirection policy setting: Redirect the folder back to the local userprofile location when the policy is removed. Similarly, profiles that were previously roaming on a particular computer will show Roaming in the Type columns; however, the Status column will show Local.

More information

• Deploy Folder Redirection with Offline Files
• Deploy Roaming User Profiles
• Folder Redirection, Offline Files, and Roaming User Profiles overview
• Digging a little deeper into Windows 8 Primary Computer

Deploy primary computers for Folder Redirection and Roaming User Profiles

Applies to: Windows Server 2022, Windows 10, Windows 8, Windows 8.1, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2

This topic describes how to enable primary computer support and designate primary computers for users. Doing so enables you to control which computers use Folder Redirection and Roaming User Profiles.

[!IMPORTANT]
When enabling primary computer support for Roaming User Profiles, always enable primary computer support for Folder Redirection as well. This keeps documents and other user files out of the user profiles, which helps profiles remain small and sign on times stay fast.

Prerequisites

Software requirements

Primary computer support has the following requirements:

• The Active Directory Domain Services (AD DS) schema must be updated to include Windows Server 2012 schema additions (installing a Windows Server 2012 domain controller automatically updates the schema). For information about updating the AD DS schema, see Adprep.exe integration and Running Adprep.exe.
• Client computers must run Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.

[!TIP]
Although primary computer support requires Folder Redirection and/or Roaming User Profiles, if you are deploying these technologies for the first time, it is best to set up primary computer support before enabling the GPOs that configure Folder Redirection and Roaming User Profiles. This prevents user data from being copied to non-primary computers before primary computer support is enabled. For configuration information, see Deploy Folder Redirection and Deploy Roaming User Profiles.

Step 1: Designate primary computers for users

The first step in deploying primary computers support is designating the primary computers for each user. To do so, use Active Directory Administration Center to obtain the distinguished name of the relevant computers and then set the msDs-PrimaryComputer attribute.

[!TIP]
To use Windows PowerShell to work with primary computers, see the blog post Digging a little deeper into Windows 8 Primary Computer.

Here’s how to specify the primary computers for users:

1. Open Server Manager on a computer with Active Directory Administration Tools installed.
2. On the Tools menu, select Active Directory Administration Center. Active Directory Administration Center appears.
3. Navigate to the Computers container in the appropriate domain.
4. Right-click a computer that you want to designate as a primary computer and then select Properties.
5. In the Navigation pane, select Extensions.
6. Select the Attribute Editor tab, scroll to distinguishedName, select View, right-click the value listed, select Copy, select OK, and then select Cancel.
7. Navigate to the Users container in the appropriate domain, right-click the user to which you want to assign the computer, and then select Properties.
8. In the Navigation pane, select Extensions.
9. Select the Attribute Editor tab, select msDs-PrimaryComputer and then select Edit. The Multi-valued String Editor dialog box appears.
10. Right-click the text box, select Paste, select Add, select OK, and then select OK again.

Step 2: Optionally enable primary computers for Folder Redirection in Group Policy

The next step is to optionally configure Group Policy to enable primary computer support for Folder Redirection. Doing so enables a user’s folders to be redirected on computers designated as the user’s primary computers, but not on any other computers. You can control primary computers for Folder Redirection on a per-computer basis, or a per-user basis.

Here’s how to enable primary computers for Folder Redirection:

1. In Group Policy Management, right-click the GPO you created when doing the initial configuration of Folder Redirection and/or Roaming User Profiles (for example, Folder Redirection Settings or Roaming User Profiles Settings), and then select Edit.
2. To enable primary computers support using computer-based Group Policy, navigate to Computer Configuration. For user-based Group Policy, navigate to User Configuration.
   • Computer-based Group Policy applies primary computer processing to all computers to which the GPO applies, affecting all users of the computers.
   • User-based Group Policy to applies primary computer processing to all user accounts to which the GPO applies, affecting all computers to which the users sign on.
3. Under Computer Configuration or User Configuration, navigate to Policies, then Administrative Templates, then System, then Folder Redirection.
4. Right-click Redirect folders on primary computers only, and then select Edit.
5. Select Enabled, and then select OK.

Step 3: Optionally enable primary computers for Roaming User Profiles in Group Policy

The next step is to optionally configure Group Policy to enable primary computer support for Roaming User Profiles. Doing so enables a user’s profile to roam on computers designated as the user’s primary computers, but not on any other computers.

Here’s how to enable primary computers for Roaming User Profiles:

1. Enable primary computer support for Folder Redirection, if you haven’t already.
   This keeps documents and other user files out of the user profiles, which helps profiles remain small and sign on times stay fast.
2. In Group Policy Management, right-click the GPO you created (for example, Folder Redirection and Roaming User Profiles Settings), and then select Edit.
3. Navigate to Computer Configuration, then Policies, then Administrative Templates, then System, and then User Profiles.
4. Right-click Download roaming profiles on primary computers only, and then select Edit.
5. Select Enabled, and then select OK.

Step 4: Enable the GPO

Once you have completed configuring Folder Redirection and Roaming User Profiles, enable the GPO if you have not already. Doing so permits it to be applied to affected users and computers.

Here’s how to enable the Folder Redirection and/or Roaming User Profiles GPOs:

1. Open Group Policy Management
2. Right-click the GPOs that you created, and then select Link Enabled. A checkbox should appear next to the menu item.

Step 5: Test primary computer function

To test primary computer support, sign in to a primary computer, confirm that the folders and profiles are redirected, then sign in to a non-primary computer and confirm that the folders and profiles are not redirected.

Here’s how to test primary computer functionality:

1. Sign in to a designated primary computer with a user account for which you have enabled Folder Redirection and/or Roaming User Profiles.

2. If the user account has signed on to the computer previously, open a Windows PowerShell session or Command Prompt window as an administrator, type the following command and then sign off when prompted to ensure that the latest Group Policy settings are applied to the client computer:

3. Open File Explorer.

4. Right-click a redirected folder (for example, the My Documents folder in the Documents library), and then select Properties.

5. Select the Location tab, and confirm that the path displays the file share you specified instead of a local path. To confirm that the user profile is roaming, open Control Panel, select System and Security, select System, select Advanced System Settings, select Settings in the User Profiles section and then look for Roaming in the Type column.

6. Sign in with the same user account to a computer that is not designated as the user’s primary computer.

7. Repeat steps 2–5, instead looking for local paths and a Local profile type.

[!NOTE]
If folders were redirected on a computer before you enabled primary computer support, the folders will remain redirected unless the following setting is configured in each folder’s folder redirection policy setting: Redirect the folder back to the local userprofile location when the policy is removed. Similarly, profiles that were previously roaming on a particular computer will show Roaming in the Type columns; however, the Status column will show Local.

More information

• Deploy Folder Redirection with Offline Files
• Deploy Roaming User Profiles
• Folder Redirection, Offline Files, and Roaming User Profiles overview
• Digging a little deeper into Windows 8 Primary Computer

Deploying Roaming User Profiles

Applies to: Windows Server 2022, Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2

This topic describes how to use Windows Server to deploy Roaming User Profiles to Windows client computers. Roaming User Profiles redirects user profiles to a file share so that users receive the same operating system and application settings on multiple computers.

For a list of recent changes to this topic, see the Change history section of this topic.

[!IMPORTANT]
Due to the security changes made in MS16-072, we updated Step 4: Optionally create a GPO for Roaming User Profiles in this topic so that Windows can properly apply the Roaming User Profiles policy (and not revert to local policies on affected PCs).

[!IMPORTANT]
User customizations to Start is lost after an OS in-place upgrade in the following configuration:

• Users are configured for a roaming profile
• Users are allowed to make changes to Start

As a result, the Start menu is reset to the default of the new OS version after the OS in-place upgrade. For workarounds, see Appendix C: Working around reset Start menu layouts after upgrades.

Prerequisites

Hardware requirements

Roaming User Profiles requires an x64-based or x86-based computer; it isn’t supported by Windows RT.

Software requirements

Roaming User Profiles has the following software requirements:

• If you are deploying Roaming User Profiles with Folder Redirection in an environment with existing local user profiles, deploy Folder Redirection before Roaming User Profiles to minimize the size of roaming profiles. After the existing user folders have been successfully redirected, you can deploy Roaming User Profiles.

• To administer Roaming User Profiles, you must be signed in as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

• Client computers must run Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.

• Client computers must be joined to the Active Directory Domain Services (AD DS) that you are managing.

• A computer must be available with Group Policy Management and Active Directory Administration Center installed.

• A file server must be available to host roaming user profiles.

  • If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from making conflicting edits on different servers.
  • If the file share uses DFS Replication to replicate the contents with another server, users must be able to access only the source server to prevent users from making conflicting edits on different servers.
  • If the file share is clustered, disable continuous availability on the file share to avoid performance issues.

• To use primary computer support in Roaming User Profiles, there are additional client computer and Active Directory schema requirements. For more information, see Deploy Primary Computers for Folder Redirection and Roaming User Profiles.

• The layout of a user’s Start menu won’t roam on Windows 10, Windows Server 2019, or Windows Server 2016 if they’re using more than one PC, Remote Desktop Session Host, or Virtualized Desktop Infrastructure (VDI) server. As a workaround, you can specify a Start layout as described in this topic. Or you can make use of user profile disks, which properly roam Start menu settings when used with Remote Desktop Session Host servers or VDI servers. For more info, see Easier User Data Management with User Profile Disks in Windows Server 2012.

Considerations when using Roaming User Profiles on multiple versions of Windows

If you decide to use Roaming User Profiles across multiple versions of Windows, we recommend taking the following actions:

• Configure Windows to maintain separate profile versions for each operating system version. This helps prevent undesirable and unpredictable issues such as profile corruption.
• Use Folder Redirection to store user files such as documents and pictures outside of user profiles. This enables the same files to be available to users across operating system versions. It also keeps profiles small and sign-ins quick.
• Allocate sufficient storage for Roaming User Profiles. If you support two operating system versions, profiles will double in number (and thus total space consumed) because a separate profile is maintained for each operating system version.
• Don’t use Roaming User Profiles across computers running Windows Vista/Windows Server 2008 and Windows 7/Windows Server 2008 R2. Roaming between these operating system versions isn’t supported due to incompatibilities in their profile versions.
• Inform your users that changes made on one operating system version won’t roam to another operating system version.
• When moving your environment to a version of Windows that uses a different profile version (such as from Windows 10 to Windows 10, version 1607—see Appendix B: Profile version reference information for a list), users receive a new, empty roaming user profile. You can minimize the impact of getting a new profile by using Folder Redirection to redirect common folders. There isn’t a supported method of migrating roaming user profiles from one profile version to another.

Step 1: Enable the use of separate profile versions

If you are deploying Roaming User Profiles on computers running Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012, we recommend making a couple of changes to your Windows environment prior to deploying. These changes help ensure that future operating system upgrades go smoothly, and facilitate the ability to simultaneously run multiple versions of Windows with Roaming User Profiles.

To make these changes, use the following procedure.

1. Download and install the appropriate software update on all computers on which you’re going to use roaming, mandatory, super-mandatory, or domain default profiles:

   • Windows 8.1, or Windows Server 2012 R2: install the software update described in article 2887595 in the Microsoft Knowledge Base (when released).
   • Windows 8 or Windows Server 2012: install the software update described in article 2887239 in the Microsoft Knowledge Base.

2. On all computers running Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 on which you will use Roaming User Profiles, use Registry Editor or Group Policy to create the following registry key DWORD Value and set it to 1. For information about creating registry keys by using Group Policy, see Configure a Registry Item.

   HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesProfSvcParametersUseProfilePathExtensionVersion
   

   [!WARNING]
   Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

3. Restart the computers.

Step 2: Create a Roaming User Profiles security group

If your environment is not already set up with Roaming User Profiles, the first step is to create a security group that contains all users and/or computers to which you want to apply Roaming User Profiles policy settings.

• Administrators of general-purpose roaming user profiles deployments typically create a security group for users.
• Administrators of Remote Desktop Services or virtualized desktop deployments typically use a security group for users and the shared computers.

Here’s how to create a security group for Roaming User Profiles:

1. Open Server Manager on a computer with Active Directory Administration Center installed.

2. On the Tools menu, select Active Directory Administration Center. Active Directory Administration Center appears.

3. Right-click the appropriate domain or OU, select New, and then select Group.

4. In the Create Group window, in the Group section, specify the following settings:

   • In Group name, type the name of the security group, for example: Roaming User Profiles Users and Computers.
   • In Group scope, select Security, and then select Global.

5. In the Members section, select Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.

6. If you want to include computer accounts in the security group, select Object Types, select the Computers check box and then select OK.

7. Type the names of the users, groups, and/or computers to which you want to deploy Roaming User Profiles, select OK, and then select OK again.

Step 3: Create a file share for roaming user profiles

If you do not already have a separate file share for roaming user profiles (independent from any shares for redirected folders to prevent inadvertent caching of the roaming profile folder), use the following procedure to create a file share on a server running Windows Server.

[!NOTE]
Some functionality might differ or be unavailable depending on the version of Windows Server you’re using.

Here’s how to create a file share on Windows Server:

1. In the Server Manager navigation pane, select File and Storage Services, and then select Shares to display the Shares page.

2. In the Shares tile, select Tasks, and then select New Share. The New Share Wizard appears.

3. On the Select Profile page, select SMB Share – Quick. If you have File Server Resource Manager installed and are using folder management properties, instead select SMB Share — Advanced.

4. On the Share Location page, select the server and volume on which you want to create the share.

5. On the Share Name page, type a name for the share (for example, User Profiles$) in the Share name box.

   [!TIP]
   When creating the share, hide the share by putting a $ after the share name. This hides the share from casual browsers.

6. On the Other Settings page, clear the Enable continuous availability checkbox, if present, and optionally select the Enable access-based enumeration and Encrypt data access checkboxes.

7. On the Permissions page, select Customize permissions…. The Advanced Security Settings dialog box appears.

8. Select Disable inheritance, and then select Convert inherited permissions into explicit permission on this object.

9. Set the permissions as described in Required permissions for the file share hosting roaming user profiles and shown in the following screen shot, removing permissions for unlisted groups and accounts, and adding special permissions to the Roaming User Profiles Users and Computers group that you created in Step 1.

   

   Figure 1 Setting the permissions for the roaming user profiles share

10. If you chose the SMB Share — Advanced profile, on the Management Properties page, select the User Files Folder Usage value.

11. If you chose the SMB Share — Advanced profile, on the Quota page, optionally select a quota to apply to users of the share.

12. On the Confirmation page, select Create.

Required permissions for the file share hosting roaming user profiles

Step 4: Optionally create a GPO for Roaming User Profiles

If you do not already have a GPO created for Roaming User Profiles settings, use the following procedure to create an empty GPO for use with Roaming User Profiles. This GPO allows you to configure Roaming User Profiles settings (such as primary computer support, which is discussed separately), and can also be used to enable Roaming User Profiles on computers, as is typically done when deploying in virtualized desktop environments or with Remote Desktop Services.

Here’s how to create a GPO for Roaming User Profiles:

1. Open Server Manager on a computer with Group Policy Management installed.

2. From the Tools menu select Group Policy Management. Group Policy Management appears.

3. Right-click the domain or OU in which you want to setup Roaming User Profiles, then select Create a GPO in this domain, and Link it here.

4. In the New GPO dialog box, type a name for the GPO (for example, Roaming User Profile Settings), and then select OK.

5. Right-click the newly created GPO and then clear the Link Enabled checkbox. This prevents the GPO from being applied until you finish configuring it.

6. Select the GPO. In the Security Filtering section of the Scope tab, select Authenticated Users, and then select Remove to prevent the GPO from being applied to everyone.

7. In the Security Filtering section, select Add.

8. In the Select User, Computer, or Group dialog box, type the name of the security group you created in Step 1 (for example, Roaming User Profiles Users and Computers), and then select OK.

9. Select the Delegation tab, select Add, type Authenticated Users, select OK, and then select OK again to accept the default Read permissions.

   This step is necessary due to security changes made in MS16-072.

[!IMPORTANT]
Due to the security changes made in MS16-072A, you now must give the Authenticated Users group delegated Read permissions to the GPO — otherwise the GPO won’t get applied to users, or if it’s already applied, the GPO is removed, redirecting user profiles back to the local PC. For more info, see Deploying Group Policy Security Update MS16-072.

Step 5: Optionally set up Roaming User Profiles on user accounts

If you are deploying Roaming User Profiles to user accounts, use the following procedure to specify roaming user profiles for user accounts in Active Directory Domain Services. If you are deploying Roaming User Profiles to computers, as is typically done for Remote Desktop Services or virtualized desktop deployments, instead use the procedure documented in Step 6: Optionally set up Roaming User Profiles on computers.

[!NOTE]
If you set up Roaming User Profiles on user accounts by using Active Directory and on computers by using Group Policy, the computer-based policy setting takes precedence.

Here’s how to set up Roaming User Profiles on user accounts:

1. In Active Directory Administration Center, navigate to the Users container (or OU) in the appropriate domain.

2. Select all users to which you want to assign a roaming user profile, right-click the users and then select Properties.

3. In the Profile section, select the Profile path: checkbox and then enter the path to the file share where you want to store the user’s roaming user profile, followed by %username% (which is automatically replaced with the user name the first time the user signs in). For example:

   \fs1.corp.contoso.comUser Profiles$%username%

   To specify a mandatory roaming user profile, specify the path to the NTuser.man file that you created previously, for example, fs1.corp.contoso.comUser Profiles$default. For more information, see Create mandatory user profiles.

4. Select OK.

[!NOTE]
By default, deployment of all Windows® Runtime-based (Windows Store) apps is allowed when using Roaming User Profiles. However, when using a special profile, apps are not deployed by default. Special profiles are user profiles where changes are discarded after the user signs out:

To remove restrictions on app deployment for special profiles, enable the Allow deployment operations in special profiles policy setting (located in Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsApp Package Deployment). However, deployed apps in this scenario will leave some data stored on the computer, which could accumulate, for example, if there are hundreds of users of a single computer. To clean up apps, locate or develop a tool that uses the CleanupPackageForUserAsync API to clean up app packages for users who no longer have a profile on the computer.

For additional background information about Windows Store apps, see Manage Client Access to the Windows Store.

Step 6: Optionally set up Roaming User Profiles on computers

If you are deploying Roaming User Profiles to computers, as is typically done for Remote Desktop Services or virtualized desktop deployments, use the following procedure. If you are deploying Roaming User Profiles to user accounts, instead use the procedure described in Step 5: Optionally set up Roaming User Profiles on user accounts.

You can use Group Policy to apply Roaming User Profiles to computers running Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.

[!NOTE]
If you set up Roaming User Profiles on computers by using Group Policy and on user accounts by using Active Directory, the computer-based policy setting takes precedence.

Here’s how to set up Roaming User Profiles on computers:

1. Open Server Manager on a computer with Group Policy Management installed.

2. From the Tools menu, select Group Policy Management. Group Policy Management will appear.

3. In Group Policy Management, right-click the GPO you created in Step 3 (for example, Roaming User Profiles Settings), and then select Edit.

4. In the Group Policy Management Editor window, navigate to Computer Configuration, then Policies, then Administrative Templates, then System, and then User Profiles.

5. Right-click Set roaming profile path for all users logging onto this computer and then select Edit.

   [!TIP]
   A user’s home folder, if configured, is the default folder used by some programs such as Windows PowerShell. You can configure an alternative local or network location on a per-user basis by using the Home folder section of the user account properties in AD DS. To configure the home folder location for all users of a computer running Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012 in a virtual desktop environment, enable the Set user home folder policy setting, and then specify the file share and drive letter to map (or specify a local folder). Do not use environment variables or ellipses. The user’s alias is appended to the end of the path specified during user sign on.

6. In the Properties dialog box, select Enabled

7. In the Users logging onto this computer should use this roaming profile path box, enter the path to the file share where you want to store the user’s roaming user profile, followed by %username% (which is automatically replaced with the user name the first time the user signs in). For example:

   \fs1.corp.contoso.comUser Profiles$%username%

   To specify a mandatory roaming user profile, which is a preconfigured profile to which users cannot make permanent changes (changes are reset when the user signs out), specify the path to the NTuser.man file that you created previously, for example, \fs1.corp.contoso.comUser Profiles$default. For more information, see Creating a Mandatory User Profile.

8. Select OK.

Step 7: Optionally specify a Start layout for Windows 10 PCs

You can use Group Policy to apply a specific Start menu layout so that users see the same Start layout on all PCs. If users sign in to more than one PC and you want them to have a consistent Start layout across PCs, make sure that the GPO applies to all of their PCs.

To specify a Start layout, do the following:

1. Update your Windows 10 PCs to Windows 10 version 1607 (also known as the Anniversary Update) or newer, and install the March 14th, 2017 cumulative update (KB4013429) or newer.
2. Create a full or partial Start menu layout XML file. To do so, see Customize and export Start layout.
   • If you specify a full Start layout, a user can’t customize any part of the Start menu. If you specify a partial Start layout, users can customize everything but the locked groups of tiles you specify. However, with a partial Start layout, user customizations to the Start menu won’t roam to other PCs.
3. Use Group Policy to apply the customized Start layout to the GPO you created for Roaming User Profiles. To do so, see Use Group Policy to apply a customized Start layout in a domain.
4. Use Group Policy to set the following registry value on your Windows 10 PCs. To do so, see Configure a Registry Item.

1. (Optional) Enable first-time logon optimizations to make signing in faster for users. To do so, see Apply policies to improve sign-in time.
2. (Optional) Further decrease sign-in times by removing unnecessary apps from the Windows 10 base image you use to deploy client PCs. Windows Server 2019 and Windows Server 2016 don’t have any pre-provisioned apps, so you can skip this step on server images.

   • To remove apps, use the Remove-AppxProvisionedPackage cmdlet in Windows PowerShell to uninstall the following applications. If your PCs are already deployed you can script the removal of these apps using the Remove-AppxPackage.

     • Microsoft.windowscommunicationsapps_8wekyb3d8bbwe
     • Microsoft.BingWeather_8wekyb3d8bbwe
     • Microsoft.DesktopAppInstaller_8wekyb3d8bbwe
     • Microsoft.Getstarted_8wekyb3d8bbwe
     • Microsoft.Windows.Photos_8wekyb3d8bbwe
     • Microsoft.WindowsCamera_8wekyb3d8bbwe
     • Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe
     • Microsoft.WindowsStore_8wekyb3d8bbwe
     • Microsoft.XboxApp_8wekyb3d8bbwe
     • Microsoft.XboxIdentityProvider_8wekyb3d8bbwe
     • Microsoft.ZuneMusic_8wekyb3d8bbwe

[!NOTE]
Uninstalling these apps decreases sign-in times, but you can leave them installed if your deployment needs any of them.

Step 8: Enable the Roaming User Profiles GPO

If you set up Roaming User Profiles on computers by using Group Policy, or if you customized other Roaming User Profiles settings by using Group Policy, the next step is to enable the GPO, permitting it to be applied to affected users.

[!TIP]
If you plan to implement primary computer support, do so now, before you enable the GPO. This prevents user data from being copied to non-primary computers before primary computer support is enabled. For the specific policy settings, see Deploy Primary Computers for Folder Redirection and Roaming User Profiles.

Here’s how to enable the Roaming User Profile GPO:

1. Open Group Policy Management.
2. Right-click the GPO that you created and then select Link Enabled. A checkbox appears next to the menu item.

Step 9: Test Roaming User Profiles

To test Roaming User Profiles, sign in to a computer with a user account configured for Roaming User Profiles, or sign in to a computer configured for Roaming User Profiles. Then confirm that the profile is redirected.

Here’s how to test Roaming User Profiles:

1. Sign in to a primary computer (if you enabled primary computer support) with a user account for which you have enabled Roaming User Profiles enabled. If you enabled Roaming User Profiles on specific computers, sign in to one of these computers.

2. If the user has previously signed in to the computer, open an elevated command prompt, and then type the following command to ensure that the latest Group Policy settings are applied to the client computer:

3. To confirm that the user profile is roaming, open Control Panel, select System and Security, select System, select Advanced System Settings, select Settings in the User Profiles section and then look for Roaming in the Type column.

Appendix A: Checklist for deploying Roaming User Profiles

Appendix B: Profile version reference information

Each profile has a profile version that corresponds roughly to the version of Windows on which the profile is used. For example, Windows 10, version 1703 and version 1607 both use the .V6 profile version. Microsoft creates a new profile version only when necessary to maintain compatibility, which is why not every version of Windows includes a new profile version.

The following table lists the location of Roaming User Profiles on various versions of Windows.

Appendix C: Working around reset Start menu layouts after upgrades

Here are some ways to work around Start menu layouts getting reset after an in-place upgrade:

• If only one user ever uses the device and the IT Admin uses a managed OS deployment strategy such as Configuration Manager they can do the following:

  1. Export the Start menu layout with Export-Startlayout before the upgrade

  2. Import the Start menu layout with Import-StartLayout after OOBE but before the user signs in

     [!NOTE]
     Importing a StartLayout modifies the Default User profile. All user profiles created after the import has occurred will get the imported Start-Layout.

• IT Admins can opt to manage Start’s Layout with Group Policy. Using Group Policy provides a centralized management solution to apply a standardized Start Layout to users. There are 2 modes to modes to using Group Policy for Start management. Full Lockdown and Partial Lockdown. The full lockdown scenario prevents the user from making any changes to Start’s layout. The partial lockdown scenario allows user to make changes to a specific area of Start. For more info, see Customize and export Start layout.

  [!NOTE]
  User made changes in the partial lockdown scenario will still be lost during upgrade.

• Let the Start layout reset occur and allow end users to reconfigure Start. A notification email or other notification can be sent to end users to expect their Start layouts to be reset after the OS upgrade to minimized impact.

Change history

The following table summarizes some of the most important changes to this topic.

More information

• Deploy Folder Redirection, Offline Files, and Roaming User Profiles
• Deploy Primary Computers for Folder Redirection and Roaming User Profiles
• Implementing User State Management
• Microsoft’s Support Statement Around Replicated User Profile Data
• Sideload Apps with DISM
• Troubleshooting packaging, deployment, and query of Windows Runtime-based apps

Deploying Roaming User Profiles

Applies to: Windows Server 2022, Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2

This topic describes how to use Windows Server to deploy Roaming User Profiles to Windows client computers. Roaming User Profiles redirects user profiles to a file share so that users receive the same operating system and application settings on multiple computers.

For a list of recent changes to this topic, see the Change history section of this topic.

[!IMPORTANT]
Due to the security changes made in MS16-072, we updated Step 4: Optionally create a GPO for Roaming User Profiles in this topic so that Windows can properly apply the Roaming User Profiles policy (and not revert to local policies on affected PCs).

[!IMPORTANT]
User customizations to Start is lost after an OS in-place upgrade in the following configuration:

• Users are configured for a roaming profile
• Users are allowed to make changes to Start

As a result, the Start menu is reset to the default of the new OS version after the OS in-place upgrade. For workarounds, see Appendix C: Working around reset Start menu layouts after upgrades.

Prerequisites

Hardware requirements

Roaming User Profiles requires an x64-based or x86-based computer; it isn’t supported by Windows RT.

Software requirements

Roaming User Profiles has the following software requirements:

• If you are deploying Roaming User Profiles with Folder Redirection in an environment with existing local user profiles, deploy Folder Redirection before Roaming User Profiles to minimize the size of roaming profiles. After the existing user folders have been successfully redirected, you can deploy Roaming User Profiles.

• To administer Roaming User Profiles, you must be signed in as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

• Client computers must run Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.

• Client computers must be joined to the Active Directory Domain Services (AD DS) that you are managing.

• A computer must be available with Group Policy Management and Active Directory Administration Center installed.

• A file server must be available to host roaming user profiles.

  • If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from making conflicting edits on different servers.
  • If the file share uses DFS Replication to replicate the contents with another server, users must be able to access only the source server to prevent users from making conflicting edits on different servers.
  • If the file share is clustered, disable continuous availability on the file share to avoid performance issues.

• To use primary computer support in Roaming User Profiles, there are additional client computer and Active Directory schema requirements. For more information, see Deploy Primary Computers for Folder Redirection and Roaming User Profiles.

• The layout of a user’s Start menu won’t roam on Windows 10, Windows Server 2019, or Windows Server 2016 if they’re using more than one PC, Remote Desktop Session Host, or Virtualized Desktop Infrastructure (VDI) server. As a workaround, you can specify a Start layout as described in this topic. Or you can make use of user profile disks, which properly roam Start menu settings when used with Remote Desktop Session Host servers or VDI servers. For more info, see Easier User Data Management with User Profile Disks in Windows Server 2012.

Considerations when using Roaming User Profiles on multiple versions of Windows

If you decide to use Roaming User Profiles across multiple versions of Windows, we recommend taking the following actions:

• Configure Windows to maintain separate profile versions for each operating system version. This helps prevent undesirable and unpredictable issues such as profile corruption.
• Use Folder Redirection to store user files such as documents and pictures outside of user profiles. This enables the same files to be available to users across operating system versions. It also keeps profiles small and sign-ins quick.
• Allocate sufficient storage for Roaming User Profiles. If you support two operating system versions, profiles will double in number (and thus total space consumed) because a separate profile is maintained for each operating system version.
• Don’t use Roaming User Profiles across computers running Windows Vista/Windows Server 2008 and Windows 7/Windows Server 2008 R2. Roaming between these operating system versions isn’t supported due to incompatibilities in their profile versions.
• Inform your users that changes made on one operating system version won’t roam to another operating system version.
• When moving your environment to a version of Windows that uses a different profile version (such as from Windows 10 to Windows 10, version 1607—see Appendix B: Profile version reference information for a list), users receive a new, empty roaming user profile. You can minimize the impact of getting a new profile by using Folder Redirection to redirect common folders. There isn’t a supported method of migrating roaming user profiles from one profile version to another.

Step 1: Enable the use of separate profile versions

If you are deploying Roaming User Profiles on computers running Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012, we recommend making a couple of changes to your Windows environment prior to deploying. These changes help ensure that future operating system upgrades go smoothly, and facilitate the ability to simultaneously run multiple versions of Windows with Roaming User Profiles.

To make these changes, use the following procedure.

1. Download and install the appropriate software update on all computers on which you’re going to use roaming, mandatory, super-mandatory, or domain default profiles:

   • Windows 8.1, or Windows Server 2012 R2: install the software update described in article 2887595 in the Microsoft Knowledge Base (when released).
   • Windows 8 or Windows Server 2012: install the software update described in article 2887239 in the Microsoft Knowledge Base.

2. On all computers running Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 on which you will use Roaming User Profiles, use Registry Editor or Group Policy to create the following registry key DWORD Value and set it to 1. For information about creating registry keys by using Group Policy, see Configure a Registry Item.

   HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesProfSvcParametersUseProfilePathExtensionVersion
   

   [!WARNING]
   Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

3. Restart the computers.

Step 2: Create a Roaming User Profiles security group

If your environment is not already set up with Roaming User Profiles, the first step is to create a security group that contains all users and/or computers to which you want to apply Roaming User Profiles policy settings.

• Administrators of general-purpose roaming user profiles deployments typically create a security group for users.
• Administrators of Remote Desktop Services or virtualized desktop deployments typically use a security group for users and the shared computers.

Here’s how to create a security group for Roaming User Profiles:

1. Open Server Manager on a computer with Active Directory Administration Center installed.

2. On the Tools menu, select Active Directory Administration Center. Active Directory Administration Center appears.

3. Right-click the appropriate domain or OU, select New, and then select Group.

4. In the Create Group window, in the Group section, specify the following settings:

   • In Group name, type the name of the security group, for example: Roaming User Profiles Users and Computers.
   • In Group scope, select Security, and then select Global.

5. In the Members section, select Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.

6. If you want to include computer accounts in the security group, select Object Types, select the Computers check box and then select OK.

7. Type the names of the users, groups, and/or computers to which you want to deploy Roaming User Profiles, select OK, and then select OK again.

Step 3: Create a file share for roaming user profiles

If you do not already have a separate file share for roaming user profiles (independent from any shares for redirected folders to prevent inadvertent caching of the roaming profile folder), use the following procedure to create a file share on a server running Windows Server.

[!NOTE]
Some functionality might differ or be unavailable depending on the version of Windows Server you’re using.

Here’s how to create a file share on Windows Server:

1. In the Server Manager navigation pane, select File and Storage Services, and then select Shares to display the Shares page.

2. In the Shares tile, select Tasks, and then select New Share. The New Share Wizard appears.

3. On the Select Profile page, select SMB Share – Quick. If you have File Server Resource Manager installed and are using folder management properties, instead select SMB Share — Advanced.

4. On the Share Location page, select the server and volume on which you want to create the share.

5. On the Share Name page, type a name for the share (for example, User Profiles$) in the Share name box.

   [!TIP]
   When creating the share, hide the share by putting a $ after the share name. This hides the share from casual browsers.

6. On the Other Settings page, clear the Enable continuous availability checkbox, if present, and optionally select the Enable access-based enumeration and Encrypt data access checkboxes.

7. On the Permissions page, select Customize permissions…. The Advanced Security Settings dialog box appears.

8. Select Disable inheritance, and then select Convert inherited permissions into explicit permission on this object.

9. Set the permissions as described in Required permissions for the file share hosting roaming user profiles and shown in the following screen shot, removing permissions for unlisted groups and accounts, and adding special permissions to the Roaming User Profiles Users and Computers group that you created in Step 1.

   

   Figure 1 Setting the permissions for the roaming user profiles share

10. If you chose the SMB Share — Advanced profile, on the Management Properties page, select the User Files Folder Usage value.

11. If you chose the SMB Share — Advanced profile, on the Quota page, optionally select a quota to apply to users of the share.

12. On the Confirmation page, select Create.

Required permissions for the file share hosting roaming user profiles

Step 4: Optionally create a GPO for Roaming User Profiles

If you do not already have a GPO created for Roaming User Profiles settings, use the following procedure to create an empty GPO for use with Roaming User Profiles. This GPO allows you to configure Roaming User Profiles settings (such as primary computer support, which is discussed separately), and can also be used to enable Roaming User Profiles on computers, as is typically done when deploying in virtualized desktop environments or with Remote Desktop Services.

Here’s how to create a GPO for Roaming User Profiles:

1. Open Server Manager on a computer with Group Policy Management installed.

2. From the Tools menu select Group Policy Management. Group Policy Management appears.

3. Right-click the domain or OU in which you want to setup Roaming User Profiles, then select Create a GPO in this domain, and Link it here.

4. In the New GPO dialog box, type a name for the GPO (for example, Roaming User Profile Settings), and then select OK.

5. Right-click the newly created GPO and then clear the Link Enabled checkbox. This prevents the GPO from being applied until you finish configuring it.

6. Select the GPO. In the Security Filtering section of the Scope tab, select Authenticated Users, and then select Remove to prevent the GPO from being applied to everyone.

7. In the Security Filtering section, select Add.

8. In the Select User, Computer, or Group dialog box, type the name of the security group you created in Step 1 (for example, Roaming User Profiles Users and Computers), and then select OK.

9. Select the Delegation tab, select Add, type Authenticated Users, select OK, and then select OK again to accept the default Read permissions.

   This step is necessary due to security changes made in MS16-072.

[!IMPORTANT]
Due to the security changes made in MS16-072A, you now must give the Authenticated Users group delegated Read permissions to the GPO — otherwise the GPO won’t get applied to users, or if it’s already applied, the GPO is removed, redirecting user profiles back to the local PC. For more info, see Deploying Group Policy Security Update MS16-072.

Step 5: Optionally set up Roaming User Profiles on user accounts

If you are deploying Roaming User Profiles to user accounts, use the following procedure to specify roaming user profiles for user accounts in Active Directory Domain Services. If you are deploying Roaming User Profiles to computers, as is typically done for Remote Desktop Services or virtualized desktop deployments, instead use the procedure documented in Step 6: Optionally set up Roaming User Profiles on computers.

[!NOTE]
If you set up Roaming User Profiles on user accounts by using Active Directory and on computers by using Group Policy, the computer-based policy setting takes precedence.

Here’s how to set up Roaming User Profiles on user accounts:

1. In Active Directory Administration Center, navigate to the Users container (or OU) in the appropriate domain.

2. Select all users to which you want to assign a roaming user profile, right-click the users and then select Properties.

3. In the Profile section, select the Profile path: checkbox and then enter the path to the file share where you want to store the user’s roaming user profile, followed by %username% (which is automatically replaced with the user name the first time the user signs in). For example:

   \fs1.corp.contoso.comUser Profiles$%username%

   To specify a mandatory roaming user profile, specify the path to the NTuser.man file that you created previously, for example, fs1.corp.contoso.comUser Profiles$default. For more information, see Create mandatory user profiles.

4. Select OK.

[!NOTE]
By default, deployment of all Windows® Runtime-based (Windows Store) apps is allowed when using Roaming User Profiles. However, when using a special profile, apps are not deployed by default. Special profiles are user profiles where changes are discarded after the user signs out:

To remove restrictions on app deployment for special profiles, enable the Allow deployment operations in special profiles policy setting (located in Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsApp Package Deployment). However, deployed apps in this scenario will leave some data stored on the computer, which could accumulate, for example, if there are hundreds of users of a single computer. To clean up apps, locate or develop a tool that uses the CleanupPackageForUserAsync API to clean up app packages for users who no longer have a profile on the computer.

For additional background information about Windows Store apps, see Manage Client Access to the Windows Store.

Step 6: Optionally set up Roaming User Profiles on computers

If you are deploying Roaming User Profiles to computers, as is typically done for Remote Desktop Services or virtualized desktop deployments, use the following procedure. If you are deploying Roaming User Profiles to user accounts, instead use the procedure described in Step 5: Optionally set up Roaming User Profiles on user accounts.

You can use Group Policy to apply Roaming User Profiles to computers running Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.

[!NOTE]
If you set up Roaming User Profiles on computers by using Group Policy and on user accounts by using Active Directory, the computer-based policy setting takes precedence.

Here’s how to set up Roaming User Profiles on computers:

1. Open Server Manager on a computer with Group Policy Management installed.

2. From the Tools menu, select Group Policy Management. Group Policy Management will appear.

3. In Group Policy Management, right-click the GPO you created in Step 3 (for example, Roaming User Profiles Settings), and then select Edit.

4. In the Group Policy Management Editor window, navigate to Computer Configuration, then Policies, then Administrative Templates, then System, and then User Profiles.

5. Right-click Set roaming profile path for all users logging onto this computer and then select Edit.

   [!TIP]
   A user’s home folder, if configured, is the default folder used by some programs such as Windows PowerShell. You can configure an alternative local or network location on a per-user basis by using the Home folder section of the user account properties in AD DS. To configure the home folder location for all users of a computer running Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012 in a virtual desktop environment, enable the Set user home folder policy setting, and then specify the file share and drive letter to map (or specify a local folder). Do not use environment variables or ellipses. The user’s alias is appended to the end of the path specified during user sign on.

6. In the Properties dialog box, select Enabled

7. In the Users logging onto this computer should use this roaming profile path box, enter the path to the file share where you want to store the user’s roaming user profile, followed by %username% (which is automatically replaced with the user name the first time the user signs in). For example:

   \fs1.corp.contoso.comUser Profiles$%username%

   To specify a mandatory roaming user profile, which is a preconfigured profile to which users cannot make permanent changes (changes are reset when the user signs out), specify the path to the NTuser.man file that you created previously, for example, \fs1.corp.contoso.comUser Profiles$default. For more information, see Creating a Mandatory User Profile.

8. Select OK.

Step 7: Optionally specify a Start layout for Windows 10 PCs

You can use Group Policy to apply a specific Start menu layout so that users see the same Start layout on all PCs. If users sign in to more than one PC and you want them to have a consistent Start layout across PCs, make sure that the GPO applies to all of their PCs.

To specify a Start layout, do the following:

1. Update your Windows 10 PCs to Windows 10 version 1607 (also known as the Anniversary Update) or newer, and install the March 14th, 2017 cumulative update (KB4013429) or newer.
2. Create a full or partial Start menu layout XML file. To do so, see Customize and export Start layout.
   • If you specify a full Start layout, a user can’t customize any part of the Start menu. If you specify a partial Start layout, users can customize everything but the locked groups of tiles you specify. However, with a partial Start layout, user customizations to the Start menu won’t roam to other PCs.
3. Use Group Policy to apply the customized Start layout to the GPO you created for Roaming User Profiles. To do so, see Use Group Policy to apply a customized Start layout in a domain.
4. Use Group Policy to set the following registry value on your Windows 10 PCs. To do so, see Configure a Registry Item.

1. (Optional) Enable first-time logon optimizations to make signing in faster for users. To do so, see Apply policies to improve sign-in time.
2. (Optional) Further decrease sign-in times by removing unnecessary apps from the Windows 10 base image you use to deploy client PCs. Windows Server 2019 and Windows Server 2016 don’t have any pre-provisioned apps, so you can skip this step on server images.

   • To remove apps, use the Remove-AppxProvisionedPackage cmdlet in Windows PowerShell to uninstall the following applications. If your PCs are already deployed you can script the removal of these apps using the Remove-AppxPackage.

     • Microsoft.windowscommunicationsapps_8wekyb3d8bbwe
     • Microsoft.BingWeather_8wekyb3d8bbwe
     • Microsoft.DesktopAppInstaller_8wekyb3d8bbwe
     • Microsoft.Getstarted_8wekyb3d8bbwe
     • Microsoft.Windows.Photos_8wekyb3d8bbwe
     • Microsoft.WindowsCamera_8wekyb3d8bbwe
     • Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe
     • Microsoft.WindowsStore_8wekyb3d8bbwe
     • Microsoft.XboxApp_8wekyb3d8bbwe
     • Microsoft.XboxIdentityProvider_8wekyb3d8bbwe
     • Microsoft.ZuneMusic_8wekyb3d8bbwe

[!NOTE]
Uninstalling these apps decreases sign-in times, but you can leave them installed if your deployment needs any of them.

Step 8: Enable the Roaming User Profiles GPO

If you set up Roaming User Profiles on computers by using Group Policy, or if you customized other Roaming User Profiles settings by using Group Policy, the next step is to enable the GPO, permitting it to be applied to affected users.

[!TIP]
If you plan to implement primary computer support, do so now, before you enable the GPO. This prevents user data from being copied to non-primary computers before primary computer support is enabled. For the specific policy settings, see Deploy Primary Computers for Folder Redirection and Roaming User Profiles.

Here’s how to enable the Roaming User Profile GPO:

1. Open Group Policy Management.
2. Right-click the GPO that you created and then select Link Enabled. A checkbox appears next to the menu item.

Step 9: Test Roaming User Profiles

To test Roaming User Profiles, sign in to a computer with a user account configured for Roaming User Profiles, or sign in to a computer configured for Roaming User Profiles. Then confirm that the profile is redirected.

Here’s how to test Roaming User Profiles:

1. Sign in to a primary computer (if you enabled primary computer support) with a user account for which you have enabled Roaming User Profiles enabled. If you enabled Roaming User Profiles on specific computers, sign in to one of these computers.

2. If the user has previously signed in to the computer, open an elevated command prompt, and then type the following command to ensure that the latest Group Policy settings are applied to the client computer:

3. To confirm that the user profile is roaming, open Control Panel, select System and Security, select System, select Advanced System Settings, select Settings in the User Profiles section and then look for Roaming in the Type column.

Appendix A: Checklist for deploying Roaming User Profiles

Appendix B: Profile version reference information

Each profile has a profile version that corresponds roughly to the version of Windows on which the profile is used. For example, Windows 10, version 1703 and version 1607 both use the .V6 profile version. Microsoft creates a new profile version only when necessary to maintain compatibility, which is why not every version of Windows includes a new profile version.

The following table lists the location of Roaming User Profiles on various versions of Windows.

Appendix C: Working around reset Start menu layouts after upgrades

Here are some ways to work around Start menu layouts getting reset after an in-place upgrade:

• If only one user ever uses the device and the IT Admin uses a managed OS deployment strategy such as Configuration Manager they can do the following:

  1. Export the Start menu layout with Export-Startlayout before the upgrade

  2. Import the Start menu layout with Import-StartLayout after OOBE but before the user signs in

     [!NOTE]
     Importing a StartLayout modifies the Default User profile. All user profiles created after the import has occurred will get the imported Start-Layout.

• IT Admins can opt to manage Start’s Layout with Group Policy. Using Group Policy provides a centralized management solution to apply a standardized Start Layout to users. There are 2 modes to modes to using Group Policy for Start management. Full Lockdown and Partial Lockdown. The full lockdown scenario prevents the user from making any changes to Start’s layout. The partial lockdown scenario allows user to make changes to a specific area of Start. For more info, see Customize and export Start layout.

  [!NOTE]
  User made changes in the partial lockdown scenario will still be lost during upgrade.

• Let the Start layout reset occur and allow end users to reconfigure Start. A notification email or other notification can be sent to end users to expect their Start layouts to be reset after the OS upgrade to minimized impact.

Change history

The following table summarizes some of the most important changes to this topic.

More information

• Deploy Folder Redirection, Offline Files, and Roaming User Profiles
• Deploy Primary Computers for Folder Redirection and Roaming User Profiles
• Implementing User State Management
• Microsoft’s Support Statement Around Replicated User Profile Data
• Sideload Apps with DISM
• Troubleshooting packaging, deployment, and query of Windows Runtime-based apps