Today’s blog is going to cover some issues around customizing default user profiles when deploying Windows. There are a number of resources available on the CopyProfile topic
- 973289 How to customize the default local user profile for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
- The blog on the Deployment Guys website does a good job of describing the issues around the changes with this functionality.
I wanted to let add some additional points around this topic to help with your deployments:
- The Copy Profile button in control panel, system, advanced system settings, Advanced, User Profiles, Settings, is greyed out on accounts to address issues found in the Shell when using this legacy method from NT4 days to overwrite the Default user profile so although this process appeared to work there were issues in Windows that were traced back to this process. Although not blocked in previous operating systems it was considered unsupported and was one of the reasons SP2 was modified to copy the administrator account customizations automatically instead of using the manual method of overwriting the default user profile
- Microsoft-Windows-Shell-Setup\CopyProfile setting in unattend.xml is the only supported method for customizing default user
- With this change not all customizations persist even when using CopyProfile
- Since there are so many settings in the Shell we do not have a list of what persists and what is reset.
- In order to determine what will persist we recommend testing of your specific scenario and the settings you are configuring
- When a new user logs in many different components in Windows must execute some first run actions to prepare the user account. These first run actions can sometimes reset the customizations that were set prior to running sysprep
- For those settings that do not persist you can check group policy to see if there is setting to control it. The Group Policy Settings Reference is a good place to look. There are some also some specific group policies for Start Menu and TaskBar here
- If the CopyProfile process does not copy the setting then ultimately you must find some other method to configure the setting.
- Many of the settings that are lost are related to the Start Menu and the Taskbar
- At times Microsoft Customer Service and Support (CSS)is asked if there is a way to script changes to these but as this blog outlines there is limited programmatic access to them. Additional CSS does not help with authoring scripts.
- There are supported methods for adding additional icons using steps outlined in this blog but it is difficult to remove icons without some type of custom scripting
- The CopyProfile code copies the profile based on modified time.
- If you have multiple accounts on the computer it is possible that some account other than the one that was customized may be copied. So to ensure that the customizations are copied from the correct account we recommend that the computer only have the local administrator account and customizations be configured in this account
- You cannot use a domain account either because the CopyProfile process occurs later in the specialize phase and by then Sysprep has unjoined the machine from the domain and the profile is deleted
- To check to see if the CopyProfile worked and what account it copied you can review the Windows\Panther\UnattendGC\Setupact.log and search for CopyProfile
- For more information on this see the following KB article: http://support.microsoft.com/kb/2101557
- Use of CopyProfile in reference build
- When installing the OS initially do not specify CopyProfile=true in the autounattend.xml. Used during reference build can problems with themes, Aero, and other unknown issues
- It should only be specified in the answer file you supply to sysprep.exe when creating a custom image
- Use of CopyProfile with ConfigMgr
- Since ConfigMgr runs in the system context when building an image it is not possible to use it to copy customizations to default user
- One option is to use Microsoft Deployment Toolkit 2010 to build your reference image and then deploy that image with ConfigMgr
- Use of CopyProfile with Terminal Servers
- We would recommend using group policy to lock down or configure desktops vs using CopyProfile to configure user profiles.
How you use CopyProfile depends on how the image is created and how it is deployed. Some of the common scenarios are listed below
Manual build of image (not recommended)
If you are building the image manually you should follow these basic steps
- Install Windows. Note: Do not specify CopyProfile in unattend.xml
- Login as administrator. Note: Make sure other accounts do not exist
- Customize your settings
- Create c:\windows\system32\sysprep\unattend.xml that contains at minimum the entry for Microsoft-Windows-Shell-Setup\CopyProfile and set it to true. Sysprep by default looks for unattend.xml in the sysprep folder
- Run %windir%\system32\sysprep\sysprep.exe /generalize /oobe /shutdown
If you use ConfigMgr to deploy this image you do not need to do anything special in ConfigMgr to deploy it to get CopyProfile to work. So you do not need to modify any unattend settings in the task sequence
Use MDT 2010 to build the image and to deploy the image
Note: I would recommend that if you are using MDT 2010 to upgrade to MDT 2010 Update 1 because there have been a number of fixes in the sysprep and capture task sequence. You must always re-created your sysprep and capture task sequence after installing update 1 in order to get these fixes.
Because MDT runs setup.exe to apply an image (instead of just using imagex to apply it) the following outlines the steps required
- In MDT 2010 Update 1 create a task sequence "Deploy Windows" to install Windows
- In MDT 2010 Update 1 create a task sequence based on the Sysprep and Capture Task. For more information on this see this blog
- Boot the Lite Touch image and choose the "Deploy Windows" Task Sequence. If prompted by lite touch wizard say NO to prompt to capture image
- After Windows is installed and you login as administrator make the changes to the shell you desire. Note: Microsoft would generally recommend that changes to the profile be done via automated fashion and not manually. See http://blogs.technet.com/b/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx for more information.
- Map network drive to the MDT 2010 Update 1 DeploymentShare$.
- Run Scripts\Litetouch.wsf
- Run the Sysprep and capture task sequence. Note if you may run into issue with multiple connections you are likely still running MDT 2010. See this blog. This issue is resolved in MDT 2010 Update 1
- Import the captured image from DeploymentShare$\captures\image.wim.
- Create a task sequence "Deploy customized Windows image" to deploy the custom image you just imported
- In properties of the task sequence choose OS info tab
- Click edit unattend.xml
- Modify Microsoft-Windows-Shell-Setup under the Specialize phase and change CopyProfile to true
- Click File, exit, and save changes
- Boot lite touch image and choose the "Deploy customized Windows image" task sequence
- To test create a new user and login as the user. Look for the changes you made. Note not all changes are carried over in this process. If a setting is not carried over you must find alternative means to make the change. Use group policy, scripts, or other means
Note: If you use MDT 2010 to capture the image it does not capture the Windows\Panther folder so if you were to deploy it manually using imagex, WDS, or some other manner then CopyProfile would not execute. It would be better to manually capture the image using imagex if you are not going to deploy it with MDT
Use MDT 2010 to build the image and capture it then use ConfigMgr to deploy the image
- Follow steps 1-7 above to create and capture your image
- Create a CopyProfile.xml in Windows System Image Manger that contains at least the following
<?xml version="1.0" encoding="utf-8"?>
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="<a href="http://schemas.microsoft.com/WMIConfig/2002/State"">http://schemas.microsoft.com/WMIConfig/2002/State"</a> xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance"">http://www.w3.org/2001/XMLSchema-instance"</a>>
<cpi:offlineImage cpi:source="catalog:c:\flat\install_windows 7 enterprise.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
Note: I would not recommend copying/pasting the example since you need to account for different architectures.
- Create a package in ConfigMgr that contains the copyprofile.xml file created in Step 2.
- Import the image into ConfigMgr
- In the ConfigMgr console modify the “Use an unattended or sysprep answer file for custom installation” property in the Apply Operating system task. Specify the package created in Step 3 and the file created in Step 2.
If you use the ConfigMgr capture media to capture the image instead of MDT 2010 you should follow steps 2-5.
The benefit of specifying the unattend.xml in this manner is that the file is located outside the image and is easy to update or change.
Hopefully this helps to explain more around this issue and if a specific customization is not copied as part of the CopyProfile process I would encourage readers of this blog to post the exact setting that was lost. We would also need exact steps on how the setting was configured so we can evaluate the impact of this issue
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support