Automate Mandatory Profile for Windows 10 v1607

Published by Richard on

Below are the steps to automate the creation of a mandatory profile for Windows 10 version 1607 (Long Term Servicing Channel release). The following steps are based on an automated sequence for Ivanti Workspace Control. This tool makes use of variables in modules to create re-usable modules. All steps can be performed manually but there are some additional steps required to postphone actions for a few seconds if you automate this process.

1. Determine the profile version

This step needs to be done since each version of Windows 10 will have it’s own profile version. Ref: https://support.microsoft.com/en-us/help/3056198/roaming-user-profiles-versioning-in-windows-10-and-windows-server

For Windows 10 1607 the version number is V6. Store this version number in a variable for later use:
$MandatoryProfileName = Mandatory.V6

2. Copy the Default User Profile to a Mandatory profile

Copy C:\Users\Default C:\Users\$MandatoryProfileName

3. Unhide the Mandatory profile folder

attrib.exe -H “C:\Users\$MandatoryProfileName”

4. Remove unnecessary folders and junction points from the Mandatory profile

Delete the following files or folders:
C:\Users\$MandatoryProfileName\AppData\Local\Application Data\Application Data
C:\Users\$MandatoryProfileName\Local Settings\Application Data\Application Data
C:\Users\$MandatoryProfileName\Application Data
C:\Users\$MandatoryProfileName\Cookies
C:\Users\$MandatoryProfileName\Local Settings
C:\Users\$MandatoryProfileName\My Documents
C:\Users\$MandatoryProfileName\NetHood
C:\Users\$MandatoryProfileName\PrintHood
C:\Users\$MandatoryProfileName\Recent
C:\Users\$MandatoryProfileName\SendTo
C:\Users\$MandatoryProfileName\Start Menu
C:\Users\$MandatoryProfileName\Templates

5. Load Default User NTUSER.DAT into “HKEY_USERS\Temp” registry Hive

REG LOAD “HKEY_USERS\Temp” “C:\Users\$MandatoryProfileName\NTUSER.DAT”

6. Set “Full Control” permissions for “Authenticated Users” (powershell script)

New-PSDrive HKU Registry HKEY_USERS
$acl = Get-Acl HKU:\Temp
$inherit = [system.security.accesscontrol.InheritanceFlags]”ContainerInherit, ObjectInherit”
$propagation = [system.security.accesscontrol.PropagationFlags]”None”
$AuthenticatedUsersGroup = System.Security.Principal.SecurityIdentifier
$permission = $AuthenticatedUsersGroup,”FullControl”,$inherit,$propagation,”Allow”
$rule = New-Object System.Security.AccessControl.RegistryAccessRule $permission
$acl.SetAccessRule($rule)
$acl | Set-Acl HKU:\Temp

7. Set Dutch Language Localization using an XML for lockscreen, systemaccounts and new user accounts (https://msdn.microsoft.com/en-us/goglobal/bb964650)

xml contents:

<!-- user list -->
<gs:UserList>
    <gs:User UserID="Current" CopySettingsToDefaultUserAcct="true" CopySettingsToSystemAcct="true"/>
</gs:UserList>

<!-- GeoID -->
<gs:LocationPreferences>
    <gs:GeoID Value="176"/>
</gs:LocationPreferences>

<!-- UI Language Preferences -->
<gs:MUILanguagePreferences>
    <gs:MUILanguage Value="nl-NL"/>
</gs:MUILanguagePreferences>

<!-- system locale -->
<gs:SystemLocale Name="nl-NL"/>

<!-- input preferences -->
<gs:InputPreferences>
    <gs:InputLanguageID Action="add" ID="0413:00020409" Default="true"/>
    <gs:InputLanguageID Action="remove" ID="0409:00000409"/>
</gs:InputPreferences>

<!-- user locale -->
<gs:UserLocale>
    <gs:Locale Name="nl-NL" SetAsCurrent="true" ResetAllSettings="true"/>
</gs:UserLocale>

</gs:GlobalizationServices>

Apply the XML using the following command:
control.exe intl.cpl,, /”f:filename.xml”

8. Apply Registry settings, modify as needed! These are based on our best practices:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\]

[HKEY_LOCAL_MACHINE\]

[HKEY_USERS\]

[HKEY_USERS\Temp]

[HKEY_USERS\Temp\Control Panel]

[HKEY_USERS\Temp\Control Panel\Desktop]
"ScreenSaverIsSecure"="0"
"UserPreferencesMask"="9012038010000000"
"DragFullWindows"="0"
"FontSmoothing"="2"
"FontSmoothingType"=dword:00000002
"WaitToKillAppTimeout"="20000"
"HungAppTimeout"="20000"
"AutoEndTasks"="1"

[HKEY_USERS\Temp\Control Panel\Desktop\WindowMetrics]
"MinAnimate"="0"

[HKEY_USERS\Temp\Software]

[HKEY_USERS\Temp\Software\Classes]

[HKEY_USERS\Temp\Software\Classes\AppX43hnxtbyyps62jhe9sqpdzxn1790zetc]
"NoOpenWith"=""

[HKEY_USERS\Temp\Software\Classes\AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9]
"NoOpenWith"=""

[HKEY_USERS\Temp\Software\Classes\AppX6eg8h5sxqq90pv53845wmnbewywdqq5h]
"NoOpenWith"=""

[HKEY_USERS\Temp\Software\Classes\AppX9rkaq77s0jzh1tyccadx9ghba15r6t3h]
"NoOpenWith"=""

[HKEY_USERS\Temp\Software\Classes\AppXcc58vyzkbjbs4ky0mxrmxf8278rk9b3t]
"NoOpenWith"=""

[HKEY_USERS\Temp\Software\Classes\AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723]
"NoOpenWith"=""

[HKEY_USERS\Temp\Software\Classes\AppXde74bfzw9j31bzhcvsrxsyjnhhbq66cs]
"NoOpenWith"=""

[HKEY_USERS\Temp\Software\Classes\AppXk0g4vb8gvt7b93tg50ybcy892pge6jmt]
"NoOpenWith"=""

[HKEY_USERS\Temp\Software\Classes\AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs]
"NoOpenWith"=""

[HKEY_USERS\Temp\Software\Classes\AppXvhc4p7vz4b485xfp46hhk3fq3grkdgjg]
"NoOpenWith"=""

[HKEY_USERS\Temp\Software\Microsoft]

[HKEY_USERS\Temp\Software\Microsoft\Active Setup]

[HKEY_USERS\Temp\Software\Microsoft\Active Setup\Installed Components]

[HKEY_USERS\Temp\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="Themes Setup"
"ComponentID"="Theme Component"
"Enabled"=dword:00000001
"IsInstalled"=dword:00000001
"Locale"="EN"
"LocalizedName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6D,00,52,00,\
  6F,00,6F,00,74,00,25,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,\
  00,5C,00,74,00,68,00,65,00,6D,00,65,00,75,00,69,00,2E,00,64,00,6C,00,6C,00,\
  2C,00,2D,00,32,00,36,00,38,00,32,00,00,00
"ShellComponent"="themeui.dll"
"StubPath"="/UserInstall"
"Version"="1,1,1,9"

[HKEY_USERS\Temp\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
@="Microsoft Windows"
"CloneUser"=dword:00000001
"ComponentID"="MailNews"
"Dontask"=dword:00000002
"Enabled"=dword:00000000
"IsInstalled"=dword:00000001
"Locale"="*"
"StubPath"=hex(2):22,00,25,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,46,00,\
  69,00,6C,00,65,00,73,00,25,00,5C,00,57,00,69,00,6E,00,64,00,6F,00,77,00,73,\
  00,20,00,4D,00,61,00,69,00,6C,00,5C,00,57,00,69,00,6E,00,4D,00,61,00,69,00,\
  6C,00,2E,00,65,00,78,00,65,00,22,00,20,00,4F,00,43,00,49,00,6E,00,73,00,74,\
  00,61,00,6C,00,6C,00,55,00,73,00,65,00,72,00,43,00,6F,00,6E,00,66,00,69,00,\
  67,00,4F,00,45,00,00,00
"Version"="10,0,14393,0"

[HKEY_USERS\Temp\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
@="Microsoft Windows Media Player"
"ComponentID"="Microsoft Windows Media Player"
"DontAsk"=dword:00000002
"Enabled"=dword:00000001
"IsInstalled"=dword:00000001
"Locale"="EN"
"LocalizedName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6D,00,52,00,\
  6F,00,6F,00,74,00,25,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,\
  00,5C,00,77,00,6D,00,70,00,6C,00,6F,00,63,00,2E,00,64,00,6C,00,6C,00,2C,00,\
  2D,00,31,00,32,00,38,00,00,00
"StubPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6D,00,52,00,6F,00,6F,00,\
  74,00,25,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,75,\
  00,6E,00,72,00,65,00,67,00,6D,00,70,00,32,00,2E,00,65,00,78,00,65,00,20,00,\
  2F,00,46,00,69,00,72,00,73,00,74,00,4C,00,6F,00,67,00,6F,00,6E,00,00,00
"Version"="12,0,10011,16384"

[HKEY_USERS\Temp\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"ComponentID"="IE4_SHELLID"
"Enabled"=dword:00000001
"IsInstalled"=dword:00000001
"Locale"="en"
"LocalizedName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6D,00,52,00,\
  6F,00,6F,00,74,00,25,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,\
  00,5C,00,73,00,68,00,65,00,6C,00,6C,00,33,00,32,00,2E,00,64,00,6C,00,6C,00,\
  2C,00,2D,00,33,00,32,00,39,00,36,00,39,00,00,00
"ShellComponent"="shell32.dll"
"StubPath"="U"
"Version"="10,0,14393,2665"

[HKEY_USERS\Temp\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Web Platform Customizations"
"ComponentID"="BASEIE40_W2K"
"Dontask"=dword:00000002
"Enabled"=dword:00000001
"IsInstalled"=dword:00000001
"Locale"="*"
"LocalizedName"="@C:\\Windows\\System32\\ie4uinit.exe,-2000"
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"
"Version"="11,2608,14393,0"

[HKEY_USERS\Temp\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"ComponentID"="DOTNETFRAMEWORKS"
"DontAsk"=dword:00000002
"Enabled"=dword:00000000
"IsInstalled"=dword:00000001
"StubPath"="C:\\Windows\\System32\\Rundll32.exe C:\\Windows\\System32\\mscories.dll,Install"

[HKEY_USERS\Temp\Software\Microsoft\Windows]

[HKEY_USERS\Temp\Software\Microsoft\Windows\CurrentVersion]

[HKEY_USERS\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer]

[HKEY_USERS\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"TaskbarAnimations"="0"
"ListviewAlphaSelect"="0"
"ListviewShadow"=""

[HKEY_USERS\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects]
"VisualFXSetting"="2"

[HKEY_USERS\Temp\Software\Microsoft\Windows\DWM]
"EnableAeroPeek"="0"
"AlwaysHibernateThumbnails"="0"

[HKEY_USERS\Temp\Software\Microsoft\Windows NT]

[HKEY_USERS\Temp\Software\Microsoft\Windows NT\CurrentVersion]

[HKEY_USERS\Temp\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"LegacyDefaultPrinterMode"=dword:00000001

[HKEY_USERS\Temp\Software\Wow6432Node]

[HKEY_USERS\Temp\Software\Wow6432Node\Microsoft]

[HKEY_USERS\Temp\Software\Wow6432Node\Microsoft\Active Setup]

[HKEY_USERS\Temp\Software\Wow6432Node\Microsoft\Active Setup\Installed Components]

[HKEY_USERS\Temp\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
@="Microsoft Windows"
"CloneUser"=dword:00000001
"ComponentID"="MailNews"
"Dontask"=dword:00000002
"Enabled"=dword:00000000
"IsInstalled"=dword:00000001
"Locale"="*"
"StubPath"=hex(2):22,00,25,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,46,00,\
  69,00,6C,00,65,00,73,00,25,00,5C,00,57,00,69,00,6E,00,64,00,6F,00,77,00,73,\
  00,20,00,4D,00,61,00,69,00,6C,00,5C,00,57,00,69,00,6E,00,4D,00,61,00,69,00,\
  6C,00,2E,00,65,00,78,00,65,00,22,00,20,00,4F,00,43,00,49,00,6E,00,73,00,74,\
  00,61,00,6C,00,6C,00,55,00,73,00,65,00,72,00,43,00,6F,00,6E,00,66,00,69,00,\
  67,00,4F,00,45,00,00,00
"Version"="10,0,14393,0"

[HKEY_USERS\Temp\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
@="Microsoft Windows Media Player"
"ComponentID"="Microsoft Windows Media Player"
"DontAsk"=dword:00000002
"Enabled"=dword:00000001
"IsInstalled"=dword:00000001
"Locale"="EN"
"LocalizedName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6D,00,52,00,\
  6F,00,6F,00,74,00,25,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,\
  00,5C,00,77,00,6D,00,70,00,6C,00,6F,00,63,00,2E,00,64,00,6C,00,6C,00,2C,00,\
  2D,00,31,00,32,00,38,00,00,00
"StubPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6D,00,52,00,6F,00,6F,00,\
  74,00,25,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,75,\
  00,6E,00,72,00,65,00,67,00,6D,00,70,00,32,00,2E,00,65,00,78,00,65,00,20,00,\
  2F,00,46,00,69,00,72,00,73,00,74,00,4C,00,6F,00,67,00,6F,00,6E,00,00,00
"Version"="12,0,10011,16384"

[HKEY_USERS\Temp\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"ComponentID"="DOTNETFRAMEWORKS"
"DontAsk"=dword:00000002
"Enabled"=dword:00000000
"IsInstalled"=dword:00000001
"StubPath"="C:\\Windows\\SysWOW64\\Rundll32.exe C:\\Windows\\SysWOW64\\mscories.dll,Install"

[HKEY_USERS\Temp\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}]
@="Adobe Reader User Settings"
"IsInstalled"=dword:00000001
"ComponentID"="Adobe Acrobat Reader 2017 MUI"
"StubPath"="\"C:\\WINDOWS\\SysWOW64\\Rundll32.exe\" \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader 2017\\Esl\\AiodLite.dll\",CreateReaderUserSettings"
"Version"="1,2019,1,24"

9. Apply Language Pack Settings (the settings below are based on Dutch, with the inclusion of NL, US, French and German

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\]

[HKEY_LOCAL_MACHINE\]

[HKEY_LOCAL_MACHINE\SYSTEM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\Settings]
"PreferredUILanguages"="nl-NL"

[HKEY_USERS\]

[HKEY_USERS\TEMP]

[HKEY_USERS\TEMP\Control Panel]

[HKEY_USERS\TEMP\Control Panel\Desktop]
"PreferredUILanguages"=hex(7):6E,00,6C,00,2D,00,4E,00,4C,00,00,00,00,00

[HKEY_USERS\TEMP\Control Panel\International]
"Locale"="00000413"
"LocaleName"="nl-NL"
"s1159"=""
"s2359"=""
"sCountry"="Netherlands"
"sCurrency"="€"
"sDate"="-"
"sDecimal"=","
"sGrouping"="3;0"
"sLanguage"="NLD"
"sList"=";"
"sLongDate"="dddd d MMMM yyyy"
"sMonDecimalSep"=","
"sMonGrouping"="3;0"
"sMonThousandSep"="."
"sNativeDigits"="0123456789"
"sNegativeSign"="-"
"sPositiveSign"=""
"sShortDate"="d-M-yyyy"
"sThousand"="."
"sTime"=":"
"sTimeFormat"="HH:mm:ss"
"sShortTime"="HH:mm"
"sYearMonth"="MMMM yyyy"
"iCalendarType"="1"
"iCountry"="31"
"iCurrDigits"="2"
"iCurrency"="2"
"iDate"="1"
"iDigits"="2"
"NumShape"="1"
"iFirstDayOfWeek"="0"
"iFirstWeekOfYear"="2"
"iLZero"="1"
"iMeasure"="0"
"iNegCurr"="12"
"iNegNumber"="1"
"iPaperSize"="9"
"iTime"="1"
"iTimePrefix"="0"
"iTLZero"="1"

[HKEY_USERS\TEMP\Control Panel\International\??????]

[HKEY_USERS\TEMP\Control Panel\International\Geo]
"Nation"="176"

[HKEY_USERS\TEMP\Control Panel\International\User Profile]
"Languages"=hex(7):6E,00,6C,00,2D,00,4E,00,4C,00,00,00,65,00,6E,00,2D,00,55,00,\
  53,00,00,00,64,00,65,00,2D,00,44,00,45,00,00,00,66,00,72,00,2D,00,46,00,52,\
  00,00,00,00,00
"ShowAutoCorrection"=dword:00000001
"ShowTextPrediction"=dword:00000001
"ShowCasing"=dword:00000001
"ShowShiftLock"=dword:00000001

[HKEY_USERS\TEMP\Control Panel\International\User Profile\de-DE]
"CachedLanguageName"="@Winlangdb.dll,-1092"
"0407:00000407"=dword:00000001

[HKEY_USERS\TEMP\Control Panel\International\User Profile\en-US]
"0409:00000409"=dword:00000001
"CachedLanguageName"="@Winlangdb.dll,-1121"

[HKEY_USERS\TEMP\Control Panel\International\User Profile\fr-FR]
"CachedLanguageName"="@Winlangdb.dll,-1165"
"040C:0000080C"=dword:00000001

[HKEY_USERS\TEMP\Control Panel\International\User Profile\nl-NL]
"CachedLanguageName"="@Winlangdb.dll,-1545"
"0413:00020409"=dword:00000001

[HKEY_USERS\TEMP\Control Panel\International\User Profile System Backup]
"Languages"=hex(7):65,00,6E,00,2D,00,55,00,53,00,00,00,00,00
"ShowAutoCorrection"=dword:00000001
"ShowTextPrediction"=dword:00000001
"ShowCasing"=dword:00000001
"ShowShiftLock"=dword:00000001

[HKEY_USERS\TEMP\Control Panel\International\User Profile System Backup\en-US]
"0409:00000409"=dword:00000001

[HKEY_USERS\TEMP\Control Panel\Keyboard]
"InitialKeyboardIndicators"="2"

[-HKEY_USERS\TEMP\Keyboard Layout]
@=-

10. Unload Default User NTUSER.DAT into “HKEY_USERS\Temp” registry Hive

REG UNLOAD “HKEY_USERS\Temp”

11. Rename NTUSER.DAT to NTUSER.MAN

Ren C:\Users\$MandatoryProfileName\NTUSER.DAT C:\Users\$MandatoryProfileName\NTUSER.MAN

12. Set Users Rights on mandatory profile folder in C:\Users

$acl = Get-Acl C:\Users\$MandatoryProfileName
$inherit = [system.security.accesscontrol.InheritanceFlags]”ContainerInherit, ObjectInherit”
$propagation = [system.security.accesscontrol.PropagationFlags]”None”
$UsersGroup = New-Object System.Security.Principal.SecurityIdentifier(“S-1-5-32-545”)
$permission = $UsersGroup,”Read”,$inherit,$propagation,”Allow”
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($rule)
$acl | Set-Acl C:\Users\$MandatoryProfileName

13. Remove LOG files

Del C:\Users\$MandatoryProfileName\ntuser.dat.LOG1
Del C:\Users\$MandatoryProfileName\ntuser.dat.LOG2


2 Comments

Graham · August 13, 2019 at 14:27

Hi, where / how are you applying the XML file in step 7?

    Richard · August 20, 2019 at 13:54

    Hi Graham,

    I’ve edited the post, the command to apply the XML was stated in the last line:
    control.exe intl.cpl,, /f:”filename.xml”

Comments are closed.