Moluxtery
Contributor

Mandatory User Profile / Start Menu Tiles

Hi,

I am trying to set up a Windows 10 golden image with Windows 10 1803 using this guide: https://techzone.vmware.com/creating-optimized-windows-image-vmware-horizon-virtual-desktop and a mandatory profile. But I'm unable to save the Start menu (tiles) layout of a user with UEM 9.5, and after login I always get the same layout:

pastedImage_1.png

I use the following settings in UEM:

[IncludeRegistryTrees]

HKCU\Software\Microsoft\Windows\CurrentVersion\CloudStore

[IncludeIndividualRegistryValues]

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\EnableAutoTray

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries

[IncludeFolderTrees]

<LocalAppData>\Microsoft\Windows\Caches

<LocalAppData>\Microsoft\Windows\CloudStore

<LocalAppData>\Microsoft\Windows\Explorer

17 Replies
robsisk1972
Enthusiast

This is a known issue. I had the same issue and have a post on this site about it. Just search for my name. I ended up going back to 1709 because of it.

0 Kudos
pchapman
Hot Shot

I posted in the other thread as well, but I am seeing the same issue with 1803.  Wondering if anyone has a fix?  It works perfectly without the mandatory profile but as you all know you really need a mandatory profile for Windows 10 otherwise logon times are rough.

0 Kudos
Moluxtery
Contributor

Same behavior in my case. If I use mandatory profiles, an adjustment of the Start menu is not possible. Without mandatory profiles everything is fine. I hope the bug will be fixed next year when the next Windows 10 LTSB version is released.

0 Kudos
robsisk1972
Enthusiast

pchapman

"I posted in the other thread as well, but I am seeing the same issue with 1803." The issue is with 1803.

0 Kudos
VentziP
Enthusiast

I want to add that this is still an issue on Windows 1809 LTSC. It works fine if you don't use a mandatory profile.

Maybe the predefined settings are not capturing what is needed. I checked all locations under the Local App Data folders that are captured in UEM from the previous login, and they were restored correctly. What I noticed is that when I started pinning new tiles to the Start menu, nothing changed in these folders or the registry to indicate that something was added.

Does anyone know where exactly the Tiles are stored in the profile?

0 Kudos
EricNichols
Hot Shot

Has anyone looked in the .zip .reg file to see if the start layout is even being captured? Has anyone tried setting the following key to 1? What does the uem log report in debug mode?

Hive: HKEY_LOCAL_MACHINE
Key path: Software\Microsoft\Windows\CurrentVersion\Explorer
Value name: SpecialRoamingOverrideAllowed
Value type: REG_DWORD
Value data: 1 (or 0 to disable)
Base: Decimal

And then there's always my favorite, exclude this key from all configs where it might exist:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuInit

0 Kudos
VentziP
Enthusiast

I added the SpecialRoamingOverrideAllowed setting to the local machine registry, but it didn't make any difference. Here is what I see in the debug log.

pastedImage_3.png

I still think that the problem is with these 3 files in the CloudStore folder. They are still in use when UEM is attempting to capture them. I checked which service is potentially holding that folder, but I'm not sure if that is the correct one.

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService

0 Kudos
EricNichols
Hot Shot

You can use sysinternals handle tool to find which process has the .dat file open: Handle - Windows Sysinternals | Microsoft Docs

Then you can edit the permissions on that service using sdset to allow authenticated users or everyone to stop the service:  Sc sdset | Microsoft Docs

Then you can set a logoff Action before export to stop that service. I did something similar in 1607: Windows10StartLayout.ini instructions

0 Kudos
VentziP
Enthusiast

Eric,

I did use your approach in 1607 LTSB, but in 1809 LTSC I can't find the service that is holding these 3 files. This is what Handle/Process Explorer is showing:

pastedImage_0.png

Is there another way to find the process or approach to be able to capture these files?

0 Kudos
EricNichols
Hot Shot

Here is a list of things that need to be killed (in order) to free up locks on cloudstore.dat:

Explorer.exe

Searchui.exe

Shellexperiencehost.exe

WpnUserService_##### (sc stop WpnUserService_#####) I'm not sure what generates the random #### per each login.

OneSyncSvc_##### (required elevation) but the service can be disabled on the golden image (sc config OneSyncSvc start= disabled) or you could edit the sddl using sc sdset.

These might not all be running during logoff and there are likely others that will lock cloudstore.dat but it's something I guess. The real question is will killing this stuff with a pre export task allow UEM to get the cloudstore.dat ?

Using a powershell script something like this?:

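Stop-Process -Name "explorer" -Force   # -Name takes the process name without the .exe extension

Stop-Process -Name "searchui" -Force

Stop-Process -Name "shellexperiencehost" -Force

Get-Service WpnUserService_* | Stop-Service -Force   # wildcard matches the random per-login suffix

Get-Service OneSyncSvc_* | Stop-Service -Force   # requires elevation, as noted above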

Have any of you had a chance to try this? VentziP, pchapman, robinski, UEMdev, Pim_van_de_Vis, Moluxtery

0 Kudos
Pim_van_de_Vis
VMware Employee

Running a pre-export task with UEM could work, as long as you mark the task to run "Before profile archive export"

VMware Knowledge Base

0 Kudos
EricNichols
Hot Shot

For my environment (LTSC 1809) this was all that was needed as a pre export logoff task:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command get-service WpnUserService_* | Stop-Service -force

pchapman
Hot Shot

Thanks, I tried this and am having mixed success.

I did need to add some quotes to get it to run properly, as shown below:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "get-service WpnUserService_* | Stop-Service -force"

It works sometimes, but it seems that the start menu export happens too quickly after. Is there any way to put a pause in between? I tried the following command, but it seems that UEM does not wait for it to finish:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "get-service WpnUserService_* | Stop-Service -force" && ping localhost -n 5

MasonLivingston
Contributor

Hi

Insofar as scripting, it appears that this is maybe it

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "get-service WpnUserService_* | Stop-Service -force" ; timeout 5

It will sleep for 5 seconds after executing the PS cmdlets.

pchapman
Hot Shot

I'll have to try that but I think it will have the same result as my method of using the ping, it seems that UEM just shoots the command off and immediately moves on without waiting for it to finish.

0 Kudos
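
Added example, not posted by anyone in this thread: the service stop and the pause discussed above, done inside one PowerShell script that polls until the files under the CloudStore folder can be opened exclusively instead of sleeping for a fixed time. The script name (for instance a hypothetical Wait-CloudStoreUnlock.ps1 started with powershell.exe -File), the timeout and the poll interval are assumptions, and the thread does not establish whether UEM waits for the task's process to exit.

```powershell
# Added example, not from the thread. Meant to run as the logging-off user.
# Assumption: the locked files are those under the CloudStore folder
# (<LocalAppData>\Microsoft\Windows\CloudStore) named in the thread.
param(
    [int]$TimeoutSeconds   = 10,   # assumed upper bound for the wait
    [int]$PollMilliseconds = 250   # assumed poll interval
)

$cloudStore = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\CloudStore'

function Test-FileLocked {
    param([string]$Path)
    try {
        # FileShare 'None' fails while any other process still has the file open.
        $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $stream.Dispose()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

# Stop the per-user push notification service; the wildcard covers the random suffix.
Get-Service -Name 'WpnUserService_*' -ErrorAction SilentlyContinue |
    Where-Object Status -eq 'Running' |
    Stop-Service -Force -ErrorAction SilentlyContinue

# Poll until no file in the folder is locked, or the deadline passes.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    $locked = @(Get-ChildItem -Path $cloudStore -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-FileLocked $_.FullName })
    if ($locked.Count -eq 0) { break }
    Start-Sleep -Milliseconds $PollMilliseconds
} while ((Get-Date) -lt $deadline)

# Report what is still held so the task's outcome can be checked afterwards.
if ($locked.Count -gt 0) {
    $locked | ForEach-Object { Write-Warning "Still locked: $($_.FullName)" }
    exit 1
}
exit 0
```

A non-zero exit code means some other process still holds a file; the Handle tool mentioned earlier in the thread can identify it.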
DEMdev
VMware Employee

Hi pchapman,

Can you show how you defined that Logoff Task setting, and provide the log file at log level DEBUG?

0 Kudos