LFC
Enthusiast
Enthusiast

Mandatory Profile Behavior

Jump to solution

Hello

I have an interesting 'issue' relating to Mandatory profiles in conjunction with UEM

We have created a mandatory profile for Windows 10 1803, and set the path to be used via Group Policy. Without the UEM agent on the desktop, when users login they load the Mandatory profile, and when you look in the User Profiles applet, the user is listed as having a profile of type 'Mandatory'. The mandatory profile works fine.

When I install the UEM Agent and point at the config share, the user logs on, but the profile is now of type 'roaming'. Its as if the Mandatory profile has been duplicated (as if it where the DEFAULT profile). Everything still work fine, but my customer wants an explanation. All I can think of is that this is by design so that the profile becomes writable to allow UEM to wrap around the imported AppData and registry etc.

Does anyone know (Pim?) is this by design? and if this behaviour is documented anywhere?

Thanks
Sean

1 Solution

Accepted Solutions
LFC
Enthusiast
Enthusiast

Hi Arnaud

Please accept my aploogies for misunderstanding what you meant.
I have disabled the Certificate Support for Mandatory Profiles  in the UEM Group ploicy and now my userprofile is showing as a Mandatory.


Thank you very much for your assistance in resolving this.

Regards,
Sean

View solution in original post

9 Replies
DEMdev
VMware Employee
VMware Employee

Hi LFC,

UEM won't do this just by itself, but this is the behaviour you'd get if you enable the Certificate Support for Mandatory Profiles policy setting. Is that setting enabled in your customer's environment?

LFC
Enthusiast
Enthusiast

Hi Arnout

That's a great start as I think this is possibly set as on. Can you tell me what will we lose by disabling this?


We do not use S4B, so I'm wondering if there is any downside


Regards
Sean

0 Kudos
LFC
Enthusiast
Enthusiast

Hi Arnoud

I have just tried disabling the Personal Certificates policy and I am still gettig my user profile marked as Roaming


Regards,
Sean

0 Kudos
DEMdev
VMware Employee
VMware Employee

I have just tried disabling the Personal Certificates policy and I am still gettig my user profile marked as Roaming

Can you provide a UEM log file at log level DEBUG, that covers a full session from logon till logoff? Are these persistent or non-persistent VMs? Does UEM run correctly at logoff? (That's when we flip the profile state back to mandatory in case certificate support is enabled.)

And, from your other post:

Can you tell me what will we lose by disabling this?

In a mandatory profile, Windows pretty much disallows anything to do with the creation of certificates. If you don't use anything that requires certs, there's no need to enable certificate support.

0 Kudos
LFC
Enthusiast
Enthusiast

Hi Arnaud

I have e-mailed you a zip bundle.

One logon has the Personal Certificates enabled, whilst the second is with it disabled. Looking at both log files, it seems to think Mandatory profile support for certificates is enable on both

Regards,
Sean

0 Kudos
LFC
Enthusiast
Enthusiast

Just to add, these are Linked Clone desktops, with the pool set to refresh at logoff

Regards,S
Sean

0 Kudos
DEMdev
VMware Employee
VMware Employee

Hi Sean,

This is about the Certificate Support for Mandatory Profiles setting that you configure through Group Policy, not about the Personal Certificates Windows Common Setting in the UEM Management Console.

Both log files indicate that that Group Policy setting is in effect:

[DEBUG]    Certificate support for mandatory profiles is enabled

[...]

[INFO ] Modifying profile state (certificate support)

Disabling the '\\server\share\general\Windows Settings\Personal Certificates.INI' file (as you did in the No Personal Cert case) is irrelevant for this.

Once you disable the Group Policy setting, you'll see the correct profile state in Windows.

LFC
Enthusiast
Enthusiast

Hi Arnaud

Please accept my aploogies for misunderstanding what you meant.
I have disabled the Certificate Support for Mandatory Profiles  in the UEM Group ploicy and now my userprofile is showing as a Mandatory.


Thank you very much for your assistance in resolving this.

Regards,
Sean

DEMdev
VMware Employee
VMware Employee

Hi Sean,

No worries, happy to hear it's resolved. I do feel bad though about you having marked your own response as the Correct Answer – that cost me 10 points Smiley WinkSmiley Wink