— Update 2017-12-15 —

I think Roaming Profiles are now deprecated. I will be moving all my users to Local Profiles supplemented by User Experience Virtualisation (UE-V) over the next 12 months. See comments below.

—

I have recently been imaging Microsoft Surface 3 computers for use by staff in a school. All our staff have roaming profiles so that they have the same desktop on every device that they logon to. This makes it easier for them and reduces support costs.

• Unfortunately Windows 10 roaming profiles don’t work properly

The second time the user logs in they cannot launch Edge and some other packaged applications.

While it seems absolutely incredible that Microsoft would launch Windows 10 with this key feature broken they seem to have done so and this is a widely reported problem with no official solution (2016-02-10).

To reproduce the issue

1. Download Microsoft Windows 10 Enterprise version 1115 (Threshold) from the Microsoft Volume Licensing Centre
2. Create bootable installation media
   • Optionally use Rufus to put the downloaded ISO onto a high quality USB stick using a GPT partitioning scheme.
3. Unbox a new Microsoft Surface 3 computer (say)
4. Connect power
5. Boot to Bios (Volume Up + Power on Surface) and
   1. Disable Secure Boot
   2. Set boot order to (Network) > USB > SSD
   3. Exit
6. The computer will boot to Windows on exit. Shutdown
7. Boot to USB (Volume Down + Power on Surface)
8. Install Microsoft Windows 10.
   • If boot fails verify that you are using a GPT scheme on the USB stick (Admin Command Prompt > Diskpart > List Disk)
   • If using a Surface you will need to have the Type Cover attached.
   • If installation fails then verify you have used a high quality USB stick
   • If installation fails due to being unable to write to C: and this was not a new computer then you may have a partition protected with Bitlocker. Remove Bitlocker protection either through the Windows 10 UI or by formatting the disk.
9. When prompted to create a user during installation create one called User with a blank password
10. Reboot – you should automatically login as User
11. Verify that you are connected to a network
    • If using a Surface you should use a genuine Microsoft USB Ethernet dongle
12. Run Windows Update lots of times, rebooting as necessary until you have fully patched computer
    • Note that since your are not joined to the domain you patch level will be non-standard. We are doing it this way to show that it Microsoft who is at fault not us.
13. Optionally backup your computer
    • I use the excellent Veeam Endpoint Backup. It is free and works very well.
14. Verify that Edge launches
15. Have a nice cup of tea because you have now built a clean Windows 10 Enterprise machine.
16. Create a NEW user on the domain say RoamingUserTest – do not reuse an old user
17. Join to the domain
18. Logon as the NEW domain user with a roaming profile (say RoamingUserTest)
19. Verify that Edge launches
20. Logout
21. Reboot
22. Logon as the same user RoamingUserTest
23. Verity that Edge does not launch – it should flash up for a second or two and then stop.
24. We have now demonstrated the bug

The workaround – preparation

Fix known profile version issue

The first thing we need to do is fix known incompatibility issues in domains that have both Windows 10,8 and Windows 7 users before moving on to fixing our issue.

• Apply hotfix to computer to support both roaming profiles in a heterogeneous environment.

Create a WMI filter for group policies

• Target group policies to Windows 10

REview your Applocker rule

• You must have one or more Applocker rules for packaged applications.

The workaround

The root cause seems to be that when a user logs out Windows 10 sets essential registry keys to read only. When they logon again these keys are in the wrong state and packaged applications including Edge cannot launch.

We will fix this with a logon script.

powershell-script-to-allow-roaming-logins.ps1

#!PowerShell. De pilo pendet.

# https://social.technet.microsoft.com/Forums/en-US/fd436515-6423-4015-9afe-d7e6034909ab/windows-10-threshold-2-edgesearch-issues-for-domain-joined-pcs
#(c) Christian Ullrich
# copied by James Bayley 2016/01/25

function MakeACE() {

# S-1-15-2-1 is WELL_KNOWN_SID_TYPE::WinBuiltinAnyPackageSid, "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES".
# The self-documenting NTAccount type results in an object that "cannot be translated".
$id = New-Object System.Security.Principal.SecurityIdentifier("S-1-15-2-1")
New-Object System.Security.AccessControl.RegistryAccessRule($id,
[System.Security.AccessControl.RegistryRights]::FullControl,
[System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow)

}

function GrantRequiredAccess($key) {

$acl = Get-Acl $key
$acl.AddAccessRule((MakeACE))
Set-Acl $key $acl

}

# All Windows 10, since Microsoft apparently managed to break build 10240 as well in December 2015, after having shipped 10586 broken from the start.
#New-EventLog –LogName Application –Source “LogonScript”
#Write-EventLog -LogName Application -Source LogonScript -EntryType Information -EventId 1 -Message "In LoginScript to fix roaming profiles"
if ([Environment]::OSVersion.Version.Major -eq 10) {
# Write-EventLog -LogName Application -Source LongScript -EntryType Information -EventId 1 -Message "Windows 10 detected"
GrantRequiredAccess "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe"
GrantRequiredAccess "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy"

}

You will see the this script can write to the Application Event Log for debugging purposes but I have commented it out on production.

Create a group policy to apply this as a logon script

Create a group policy for your domain users called “User-Windows10RoamingProfileFix”. This will be targeted to Windows 10 computers using the WMI filter we created in an earlier step.

The actual group policy is created by Edit > User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) > PowerShell Scripts > Edit Script as shown below.

The actual script location will depend on your existing configuration.

Test for resolution

1. Create a NEW domain user say “RoamingUserTest1”
2. Login to the computer as .\user (local admin, blank password)
3. At the administrative command prompt type

    gpupdate /force 

4. Logout and reboot
5. Login to the computer as RoamingUserTest1
6. Verify that Edge launches
7. Logout
8. Login to the computer as RoamingUserTest1 again
9. Verify that Edge launches – We have fixed the issue

What if it fails?

The first thing to do is verify that your group policy is being applied. Logon as RoamingUserTest1 and open an Administrative Command Prompt.

gpresult /r /user roamingusertest1

Look in the USER SETTING to verify that the User-Windows10RoamingProfileFix is being applied. If you have uncommented the debugging statements you may also wish to look in the Application event log to verify that the script is running.

If the script is running then Edge is not running for other reasons. Check your Applocker settings.

It is possible that either your Windows user profile or your Windows build is now corrupt.

• retest with a NEW domain user
• restore the clean build from the backup you made above.

And finally

You now have a working domain joined laptop but remember that this has taken its updates from Windows Update before you joined it to the domain. If you use SCCM for your updates you may wish to do a clean build, join it to domain and install the SCCM client. You can then manage updates through SCCM.

Acknowledgements

This is a difficult solution and I relied on the contributions of many authors, thanks must go to my own colleagues and to Christian Ullrich and Ben Hastings72 who contributed so generously to the thread on the Microsoft Community forums.