Tags
applocker, Group Policies, Group Policy, imaging, profiles, Roaming Profiles, Surface, veeam, veean endpoint backup, Windows 10
— Update 2017-12-15 —
I think Roaming Profiles are now deprecated. I will be moving all my users to Local Profiles supplemented by User Experience Virtualisation (UE-V) over the next 12 months. See comments below.
—
I have recently been imaging Microsoft Surface 3 computers for use by staff in a school. All our staff have roaming profiles so that they have the same desktop on every device that they logon to. This makes it easier for them and reduces support costs.
- Unfortunately Windows 10 roaming profiles don’t work properly
The second time the user logs in they cannot launch Edge and some other packaged applications.
While it seems absolutely incredible that Microsoft would launch Windows 10 with this key feature broken they seem to have done so and this is a widely reported problem with no official solution (2016-02-10).
To reproduce the issue
- Download Microsoft Windows 10 Enterprise version 1115 (Threshold) from the Microsoft Volume Licensing Centre
- Create bootable installation media
- Optionally use Rufus to put the downloaded ISO onto a high quality USB stick using a GPT partitioning scheme.
- Unbox a new Microsoft Surface 3 computer (say)
- Connect power
- Boot to Bios (Volume Up + Power on Surface) and
- Disable Secure Boot
- Set boot order to (Network) > USB > SSD
- Exit
- The computer will boot to Windows on exit. Shutdown
- Boot to USB (Volume Down + Power on Surface)
- Install Microsoft Windows 10.
- If boot fails verify that you are using a GPT scheme on the USB stick (Admin Command Prompt > Diskpart > List Disk)
- If using a Surface you will need to have the Type Cover attached.
- If installation fails then verify you have used a high quality USB stick
- If installation fails due to being unable to write to C: and this was not a new computer then you may have a partition protected with Bitlocker. Remove Bitlocker protection either through the Windows 10 UI or by formatting the disk.
- When prompted to create a user during installation create one called User with a blank password
- Reboot – you should automatically login as User
- Verify that you are connected to a network
- If using a Surface you should use a genuine Microsoft USB Ethernet dongle
- Run Windows Update lots of times, rebooting as necessary until you have fully patched computer
- Note that since your are not joined to the domain you patch level will be non-standard. We are doing it this way to show that it Microsoft who is at fault not us.
- Optionally backup your computer
- I use the excellent Veeam Endpoint Backup. It is free and works very well.
- Verify that Edge launches
- Have a nice cup of tea because you have now built a clean Windows 10 Enterprise machine.
- Create a NEW user on the domain say RoamingUserTest – do not reuse an old user
- Join to the domain
- Logon as the NEW domain user with a roaming profile (say RoamingUserTest)
- Verify that Edge launches
- Logout
- Reboot
- Logon as the same user RoamingUserTest
- Verity that Edge does not launch – it should flash up for a second or two and then stop.
- We have now demonstrated the bug
The workaround – preparation
Fix known profile version issue
The first thing we need to do is fix known incompatibility issues in domains that have both Windows 10,8 and Windows 7 users before moving on to fixing our issue.
- Apply hotfix to computer to support both roaming profiles in a heterogeneous environment.
Create a WMI filter for group policies
REview your Applocker rule
- You must have one or more Applocker rules for packaged applications.
The workaround
The root cause seems to be that when a user logs out Windows 10 sets essential registry keys to read only. When they logon again these keys are in the wrong state and packaged applications including Edge cannot launch.
We will fix this with a logon script.
powershell-script-to-allow-roaming-logins.ps1
#!PowerShell. De pilo pendet.
# https://social.technet.microsoft.com/Forums/en-US/fd436515-6423-4015-9afe-d7e6034909ab/windows-10-threshold-2-edgesearch-issues-for-domain-joined-pcs
#(c) Christian Ullrich
# copied by James Bayley 2016/01/25
function MakeACE() {
# S-1-15-2-1 is WELL_KNOWN_SID_TYPE::WinBuiltinAnyPackageSid, "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES".
# The self-documenting NTAccount type results in an object that "cannot be translated".
$id = New-Object System.Security.Principal.SecurityIdentifier("S-1-15-2-1")
New-Object System.Security.AccessControl.RegistryAccessRule($id,
[System.Security.AccessControl.RegistryRights]::FullControl,
[System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow)
}
function GrantRequiredAccess($key) {
$acl = Get-Acl $key
$acl.AddAccessRule((MakeACE))
Set-Acl $key $acl
}
# All Windows 10, since Microsoft apparently managed to break build 10240 as well in December 2015, after having shipped 10586 broken from the start.
#New-EventLog –LogName Application –Source “LogonScript”
#Write-EventLog -LogName Application -Source LogonScript -EntryType Information -EventId 1 -Message "In LoginScript to fix roaming profiles"
if ([Environment]::OSVersion.Version.Major -eq 10) {
# Write-EventLog -LogName Application -Source LongScript -EntryType Information -EventId 1 -Message "Windows 10 detected"
GrantRequiredAccess "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe"
GrantRequiredAccess "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy"
}
You will see the this script can write to the Application Event Log for debugging purposes but I have commented it out on production.
Create a group policy to apply this as a logon script
Create a group policy for your domain users called “User-Windows10RoamingProfileFix”. This will be targeted to Windows 10 computers using the WMI filter we created in an earlier step.
The actual group policy is created by Edit > User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) > PowerShell Scripts > Edit Script as shown below.
The actual script location will depend on your existing configuration.
Test for resolution
- Create a NEW domain user say “RoamingUserTest1”
- Login to the computer as .\user (local admin, blank password)
- At the administrative command prompt type
gpupdate /force
- Logout and reboot
- Login to the computer as RoamingUserTest1
- Verify that Edge launches
- Logout
- Login to the computer as RoamingUserTest1 again
- Verify that Edge launches – We have fixed the issue
What if it fails?
The first thing to do is verify that your group policy is being applied. Logon as RoamingUserTest1 and open an Administrative Command Prompt.
gpresult /r /user roamingusertest1
Look in the USER SETTING to verify that the User-Windows10RoamingProfileFix is being applied. If you have uncommented the debugging statements you may also wish to look in the Application event log to verify that the script is running.
If the script is running then Edge is not running for other reasons. Check your Applocker settings.
It is possible that either your Windows user profile or your Windows build is now corrupt.
- retest with a NEW domain user
- restore the clean build from the backup you made above.
And finally
You now have a working domain joined laptop but remember that this has taken its updates from Windows Update before you joined it to the domain. If you use SCCM for your updates you may wish to do a clean build, join it to domain and install the SCCM client. You can then manage updates through SCCM.
Acknowledgements
This is a difficult solution and I relied on the contributions of many authors, thanks must go to my own colleagues and to Christian Ullrich and Ben Hastings72 who contributed so generously to the thread on the Microsoft Community forums.
Dr James Bayley 
Any reason not to include every key in Storage in case others fail? This fix does work for Edge (as long as the Applocker section is also done) but IE still fails afterwards. Trouble is last time I tried the script with windows_ie_ac_001 as a package the script failed. I think because that key is not created until after you first use IE11. So my thought would be to enable the script for Storage as a whole rather than just for individual packages, but I’m not completely sure how to do that.
I am sorry that I don’t know enough about registry permission to comment. You may wish to check for the presence of the key and create it if it is missing. My Powershell is limit to Google, cut, paste.
After having changed these permissions, Edge would run but crash immediately when using the address bar. Got it fixed by applying the same permissions fix for “ALL APPLICATION PACKAGES” on “Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children”.
Hello Dr. Bayley,
Just saw your article while surfing through in search for help in setting up the Group Policy for the Roaming profiles.
I have setup the Roaming Profiles security group, necessary folders in the share, and the GPO for this (Folder Redirection and “Set roaming profile path for all users logging into this computer”). So far, the folder redirection portion works, but the Roaming profile for the test user is not working for some reason.
Any word of advise you could give on something that I may have missed?
Thank you!
Nethaj, My original post was one year ago and since then Windows 10 1607 has been released together with multiple patches. The guidance in this article may no longer be applicable. I can only give general advice.
The most important is to ensure that you are using the most recent version of Windows 10 (1607) and that it is fully patched. Do a clean build on a virtual machine and then test with a new user as described above and test WITHOUT the fix first. this will determine whether in production you are suffering from this issue or a different one.
I have asked my team to do this to verify whether it is still required and I will update this post afterwards.
James
Pingback: Windows 10 roaming profiles cause Edge and other packaged applications to fail loading | Creative People IT Days
Hello, would this script also work for Windows 10 1709?? If not could you fix this??
This is a very good question. I am now testing 1709. However the most important thing to know is that Roaming Profiles are dead. Microsoft has (IMHO) stopped developing them and that functionality will be provided by User Experience Virtualisation (UE-V). I have 500 users, in the last three months, six users have had “profile hell” that crashed every machine they touched. This was fixed by moving from Roaming to Local Profiles. I will migrate the rest of my users this year. I may write a longer blog post on it later next year as the project develops.
thanks, yes we should also look to migrate to UE-V, the faster the better now that MS stoppeddeveloping roaming profiles.
I’ve recently discovered your blog, lots to read, did you ever move over to UE-V? I’m in the same boat, I come from a roaming profile background and can get to work but with a big caveat. I have to sacrifice a lot of built-in apps that run as APPX like calculator, sticky notes etc. I can deploy alternatives but as with roaming profiles there is always an issue of bloat which can quickly cause many issues.
I have inherited a new network and have full control over which direction I go in. Currently deploying 20H2 with local profiles and it runs lovely though as we use Chrome for our browser (used with Google Classroom and the rest of the Workspace apps) I would like something that would allow my users to at least get something close to roaming profiles and allow them to “roam” without the bloat following them.
Once this lockdown 3 ends I’ll try and find time to look in to UE-V and see how well it works, I’m just wondering if you moved or if anyone else has and how they find it?
thanks.
I have left educational IT but my strategic advice is that desktop computing is a zombie. It will stay alive for the next 10 years but don’t waste time feeding it. We only run desktop computers to give us a browser and access to the cloud. Hardware works, software works but users are still the weak point. Move your attention up the value chain and train users. I would take away all desktop applications until the user had passed a very hard test set by me (or a Microsoft Qualification). The time I save I would spend on training. Train, train train. It is the future.