Managing Microsoft Windows profiles is one of those subjects that is really close to my heart, simply because it is an underestimated issue that affects virtual desktops in a big way. In this paper we will cover what a profile is, the different types of profiles, profile management solutions and best practices. Along with this I will explain how we handle profiles, which I believe will give you a fresh perspective on profiles as a whole, and I hope you will find it useful.
What is a profile?
A Windows profile stores a copy of the user's personal desktop and application settings. It consists of a copy of the user's registry hive, application data settings, personal files and junk, in fact loads of junk. Over 90% of the data stored in a user's profile is made up of unnecessary temporary junk like Temporary Internet Files.
The Windows profile ensures that the user's personal settings are retained at logoff and re-applied at the next logon. Without a Windows profile you would need to set up all your applications at each logon, and you would lose any files saved in your profile as well as any bookmarks, saved passwords in IE etc. Basically, without Windows profiles life would be much harder for your user base.
With just that basic information we can get a little insight into some of the problems we can experience.
What is the problem?
If you are reading this article on a personal laptop you are probably wondering what all the fuss is about. You log on each time, all your settings are retained and you have nothing to worry about, right? Now imagine you buy a new laptop and you want to transfer all your settings from your old laptop to your new one; how do you do it? The textbook answer is to use Microsoft Roaming Profiles, which store your settings on a network share so that when you log on to your new laptop all your settings come across. Simple, yes? Now imagine that your old laptop runs Windows XP and your new laptop is Windows 10: will your old XP settings work on your new Windows 10 laptop? The answer is no. Then imagine you still wanted to use your Windows XP machine; what would happen if you tried applying a Windows 10 profile to an XP machine? To complicate things even further, what if you needed to be logged on to both laptops at the same time and wanted your profiles synchronised? Given that Roaming Profiles work on a last-out-wins basis, whereby the last machine to log off writes its settings to the network share, you will lose changes. And what happens if you log off both machines at the same time? Then there is the 32-bit\64-bit OS consideration, because the registry structures differ. These are all things we need to consider on any virtual desktop project, because this scenario is real and in my world it is in fact the norm.
In the virtual desktop world there is no such thing as one size fits all, so we have to build numerous systems to cover the different user needs. Typically that will include hosted desktops on Windows Server 2008 R2\2012 R2, published applications running on various Windows Server platforms, VDI desktops which could be XP\7\8.1 & 10, and local (non-VDI) desktops which can also be any flavour of Windows, and you can be logged on to all of these at the same time.
Now you can see the challenges we face, and why in almost all the Citrix solutions I am asked to look at there are profile problems. I have seen so much suffering because of poorly implemented solutions, with some companies experiencing hundreds of corrupt profiles a day and their poor helpdesks overloaded because the problems were not understood. Who do you think gets the blame? Citrix..
To understand how we overcome these issues you first need to understand the basics:
What are the types of profiles?
There are five types of Windows profile, each with its merits and limitations:
- Local
- Roaming
- Mandatory
- Roaming Mandatory
- Hybrid
A Microsoft Local Profile is one where your profile is stored on the local hard drive of the machine you use. That is, it is unique to that machine, and if you log on to another machine you will have a separate profile for each machine. There is no synchronisation, and any settings or files saved in each profile are private to that machine.
This may sound pointless to you, and in the corporate world it is, but for local laptops and workstations it is a (partially) acceptable solution because it is quick: there is no need to copy your profile at the point of logon. However, it is very unlikely that any of your files and settings are being backed up, hence it is very rarely used.
A Microsoft Roaming Profile is where you take your Windows profile and store it on a network share rather than on the local machine (though it can be cached locally). This has the advantage of allowing you to log on to different machines and retain your settings. But, and there is a big BUT here, Roaming Profiles only really work if you only ever log on to machines that were built identically on the same operating system, and you only ever log on to one machine at a time; otherwise you will have problems.
Out of the box a Roaming Profile can get very big pretty quickly, and in the hosted desktop world running Citrix and RDSH you will want to delete the locally cached profiles at logoff, otherwise you will run out of disk space and can hit the limits of the system registry. Imagine you are providing hosted desktops to, say, 500 users and have built a pool of load-balanced servers to service them. Each server may take between 30 and 50 user sessions, and while users are logged on their Roaming Profile is cached on the server they connected to. When they log off, their locally cached profile needs to be deleted, otherwise you will eventually end up with all 500 users' profiles cached on each server and will most likely run out of disk space. Now imagine you are providing desktops to, say, 2,000. To add more complexity, locally cached profile settings take precedence over the settings stored on the network share, which also causes problems with lost settings and an inconsistent experience. You have to delete profiles at logoff!
So here is your first problem with Roaming Profiles: they are slow, because the whole profile has to be loaded every time you log on, and they get slower and slower the longer you use them because they bloat; it is not unusual for them to grow to over 1GB in size.
The second problem with Roaming Profiles is that they assume you will only ever be logged on to one machine at a time. Settings are saved at logoff and overwrite whatever was there before, so if you are logged on to more than one machine you will lose settings, because whatever you saved in one session will be overwritten by the last logoff.
Another problem with Roaming Profiles is that they are specific to the operating system they were created on. So, for example, you cannot use a 32-bit Windows 7 profile on a Windows Server 2008 R2 session host, so you will have to have separate profiles, which will just confuse your users; they are not going to understand these limitations.
Another common problem I see is what I call the double logoff jeopardy. This is where two or more sessions try to log off at the same time and both try to write their profile to the same network share simultaneously; the end result in most cases is a corrupt profile which needs to be restored or deleted. You might think this is rare, but it isn't. If you are an organisation of any size you will typically have a large number of applications to manage, and the chances of getting them all working nicely together on one image are slim, so you silo applications out to separate servers, whether for load or compatibility reasons; most sites have application silos. In this situation you will be logged on more than once: [one] your virtual desktop and [two] one or more published applications. What's going to happen when you log off? The dreaded double logoff jeopardy.
There are a few things you can do to a Roaming Profile to improve matters, like limiting its size or redirecting elements to improve logon times, but these do not resolve the other issues I mention.
Please, I cannot stress this enough: if you are using Citrix, DO NOT use Roaming Profiles; they were not designed to be used like this. Your users won't be happy, your help desk will be stressed dealing with these issues and Citrix will get the blame. There are solutions…
A Mandatory Profile is where you turn a profile into a read-only profile where nothing is saved at logoff. What is the point, you might ask? Well, loads. I am actually a huge fan of Mandatory Profiles because you can do a lot with them, and because they are read-only they are impossible to corrupt and won't bloat like Roaming Profiles, so logons are consistent.
What you can do with a Mandatory Profile is set up a profile exactly how you want it, including background colours, Start Menu items, background image, proxy settings, pretty much anything, then flip it to read-only by renaming the file called NTUSER.DAT to NTUSER.MAN. Windows detects that it is now a Mandatory Profile and does not save anything at logoff. It's great for kiosks or an Internet Café, but beyond this they are useless, or are they?…
A Roaming Mandatory Profile is similar to a Roaming Profile, but instead of providing each user with a personal network location for their profile data, everyone uses just the one: a read-only Mandatory Profile. This profile will be stripped of all junk and can be as small as 256KB. The permissions are modified so that all users have read-only access and any personalisation is removed; the best way to do this is simply to copy the Default User profile from a clean Windows build. You then set a machine Group Policy to use this mandatory profile, which takes precedence over any other profile setting.
The question now is how we make this usable, because if it is read-only how do I save my settings? The answer to most of this is redirection. I am not talking about the limited redirection settings you get with Microsoft Group Policy, no no no, I am talking about the almost unlimited granular settings you can redirect by manipulating the user registry settings. The Mandatory Profile is simply one file called NTUSER.MAN; this file can be loaded into regedit, where you will see it is simply the HKCU registry tree, and from there we can manipulate pretty much any personal setting including My Documents, Desktop, Start Menu, Application Data, Cookies, History, you name it, I can redirect it (well, almost). The only thing I cannot redirect is personal registry changes, which leads me nicely on to my next subject..
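The three steps just described (copy a clean profile, hard-code redirection into its HKCU tree, then rename NTUSER.DAT to NTUSER.MAN and lock it down for everyone) can be scripted. The following PowerShell is an added example written for this article and is not ThinTech's or TPMM's code. It assumes the copied profile sits in C:\MandatoryProfile, that users get a home drive from machine policy (so %HOMEDRIVE%%HOMEPATH% is valid at logon), and that it runs elevated on a build machine; the temporary hive name TPMM_Temp is also an assumption.

```powershell
# Added example, not code from the article or from TPMM: turn a copied profile
# folder into a (roaming) mandatory profile with folder redirection hard-coded
# into its registry hive. Assumptions: profile copied to C:\MandatoryProfile,
# home drive mapped by machine policy, script run elevated.

$ProfileRoot = 'C:\MandatoryProfile'          # assumption: copy of a clean Default profile
$HiveFile    = Join-Path $ProfileRoot 'NTUSER.DAT'
$MountName   = 'TPMM_Temp'                     # assumption: temporary name for the loaded hive

# 1. Load the user hive so it can be edited as a registry tree (the article
#    describes doing this by hand in regedit).
& reg.exe load "HKU\$MountName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile" }

try {
    # 2. Redirect shell folders using environment variables rather than fixed
    #    paths, so the same hive works on any OS or bitness. Application Data
    #    is deliberately left alone, per the golden rules later in the article.
    $Usf = "Registry::HKEY_USERS\$MountName\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    $Redirects = @{
        'Personal'  = '%HOMEDRIVE%%HOMEPATH%\Documents'   # My Documents
        'Desktop'   = '%HOMEDRIVE%%HOMEPATH%\Desktop'
        'Favorites' = '%HOMEDRIVE%%HOMEPATH%\Favorites'
    }
    foreach ($name in $Redirects.Keys) {
        # REG_EXPAND_SZ so the shell expands the variables at logon
        Set-ItemProperty -Path $Usf -Name $name -Value $Redirects[$name] -Type ExpandString
    }
}
finally {
    # 3. Always unload, otherwise the hive file stays locked and the rename fails.
    [GC]::Collect()
    & reg.exe unload "HKU\$MountName" | Out-Null
}

# 4. Flip the profile to mandatory: Windows treats NTUSER.MAN as read-only
#    and discards any changes at logoff.
Rename-Item -Path $HiveFile -NewName 'NTUSER.MAN'

# 5. Roaming mandatory: every user reads the same folder and nobody can write to it.
$acl  = Get-Acl -Path $ProfileRoot
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'Authenticated Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.SetAccessRule($rule)
Set-Acl -Path $ProfileRoot -AclObject $acl
```

Two things worth checking before you point the machine policy at the result: the hive must be unloaded before the rename (step 3 is in a finally block for that reason), and on Windows Vista and later the share folder needs the version suffix (.V2 for Vista, 7 and 2008 R2) or the profile will be ignored, which is the OS-specific limitation the article mentions for roaming profiles.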
A Hybrid Profile is where some form of temporary profile is used, like a Mandatory or temporary local profile, and all user personalisation is stored somewhere else, like a network share or SQL database; settings are generally recorded at logoff and replayed at logon through various means.
Most hybrid solutions are commercial products like AppSense or Liquidware Labs, but there are some free solutions out there like Citrix Profile Manager (CPM), Microsoft UE-V and TPMM.
Each has its merits, but the daddy of all profile management solutions is, without a shadow of doubt, AppSense. AppSense is the most sophisticated profile management solution on the market: virtual registry keys, all data stored in a SQL database with the ability to roll back individual application settings, and support for various flavours of Office. It is very clever. The only downsides to AppSense are that it is expensive and it can be complicated.
Citrix Profile Manager is also very good and simple to use, but the things I like about it are also its downfall. CPM is really a Citrix-only solution, and we come across many sites that have a hybrid fat client\laptop, Office 365 and Citrix user base. Also, the fact that it records most user settings means it will bloat in the long run just like Roaming Profiles.
If you can't afford AppSense and you want to extend profile management beyond Citrix then I have a solution for you, and it is free. It is called TPMM; it is something we have developed in house and we have tens of thousands of happy end users on it.
What is TPMM?
TPMM is our methodology for managing profiles; it is not actually a product. TPMM stands for ThinTech Profile Management Methodology, and it is really simple to use once you understand it.
The components that make up TPMM are standard Microsoft tools, an INI file, a logon\logoff script and a bit of know-how.
TPMM works on a very simple model: we only record the settings we tell it to record, meaning it is a managed profile solution that does not degrade, because we never record any junk. It has taken us years to perfect this process and we have now managed to get down to a 256K profile for logon, with recorded settings also measured in kilobytes. Any redirection is hard-coded directly into the mandatory profile for an almost instant logon.
TPMM is also completely agnostic to the operating system, because we only ever use system variables when recording settings, meaning we can take settings from a Windows XP machine and replay them on, say, a Windows Server 2008 R2 hosted desktop, and vice versa. This comes in really handy when we do desktop migrations for virtual desktop projects. I personally worked on a project at a large legal firm where we migrated from Windows XP to Windows 7 virtual desktops and the remit was a pain-free migration. We used TPMM to capture the users' settings and then replayed them at first logon without a single change to their profiles. They were able to mass roll out Windows 7 with hardly any input from IT; success in my eyes.
Here are the steps to set up TPMM:
- Contact me for a copy of TPMM.EXE and the INI
- Create a machine GPO that sets the user's home drive
- Create a mandatory profile by copying the default profile (contact me if you need more help doing this)
- Modify the Mandatory Profile to redirect these settings to the user's home drive:
  - Personal (My Documents)
- Modify the HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppSetup registry key to add the logon script that calls TPMM.EXE (again, contact me for an example)
- Create a user GPO with a logoff script that records the user settings (contact me for an example script)
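To make the "only record what the INI tells it to" model concrete, here is an added illustration of what the logon and logoff scripts in the last two steps could look like. It is not TPMM's own code and the real INI format is not published here; the [Keys] section layout, the C:\TPMM\Settings.ini location and the TPMM folder under the home drive are all assumptions made for this example. The same script serves both steps: the logon hook runs it with -Mode Restore and the logoff GPO script with -Mode Save.

```powershell
# Added illustration of the TPMM model, not TPMM's own code: record only the
# registry keys named in an INI file at logoff and replay them at the next logon.
# Assumed: INI at C:\TPMM\Settings.ini, settings stored under the home drive,
# INI laid out like the constructed sample in the comment below.
param(
    [ValidateSet('Save', 'Restore')]
    [string]$Mode = 'Restore'
)

$IniPath = 'C:\TPMM\Settings.ini'                          # assumption
$Store   = Join-Path "$env:HOMEDRIVE$env:HOMEPATH" 'TPMM'  # assumption: home drive set by GPO

# Constructed sample Settings.ini (only what is listed here is ever recorded):
#   [Keys]
#   OfficeCommon=HKCU\Software\Microsoft\Office\Common
#   ExplorerAdvanced=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
#   ; lines starting with ; are comments

function Read-IniKeys {
    # Returns a name -> registry path table built from the [Keys] section.
    param([string]$Path)
    $keys = [ordered]@{}
    $section = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Keys' -and $line -match '^([^=]+)=(.+)$') {
            $keys[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $keys
}

$keys = Read-IniKeys -Path $IniPath
New-Item -ItemType Directory -Path $Store -Force | Out-Null

foreach ($name in $keys.Keys) {
    $file = Join-Path $Store "$name.reg"
    $key  = $keys[$name]
    switch ($Mode) {
        'Save' {
            # Export just this key; nothing else in HKCU is captured, so the
            # store cannot bloat with junk the way a roaming profile does.
            $psPath = 'Registry::' + ($key -replace '^HKCU', 'HKEY_CURRENT_USER')
            if (Test-Path -Path $psPath) {
                & reg.exe export $key $file /y | Out-Null
            }
        }
        'Restore' {
            # Replay on whatever OS the user has landed on; an HKCU export is
            # addressed to the current user, not to the machine it came from.
            if (Test-Path -LiteralPath $file) {
                & reg.exe import $file | Out-Null
            }
        }
    }
}
```

The portability the article describes only holds if the recorded values themselves avoid machine-specific paths, which is why the mandatory profile's redirections use variables such as %HOMEDRIVE%%HOMEPATH% rather than C:\Users\name; a key whose values embed absolute local paths will replay, but will point at the wrong place on a different OS.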
If you do the above you will have one of the fastest logon processes you have ever seen, and I hope you will find it useful. But bear in mind to stick to the best practices listed below:
Here are a few golden rules that I have learnt over the years:
- Always delete cached profiles
- Do not redirect Application Data; certain applications will fail
- Make sure that any redirection targets a file server on the same subnet as the Citrix servers; you do not want to be redirecting via a gateway
- Avoid redirecting to UNC paths; where possible use mapped drive letters, which are much faster
- Budget 7.2 IOPS for the concurrent usage on the DFS share that profiles are being redirected to (usually the home drive).
- Trick the system into thinking you are using either a Roaming or a Local profile, otherwise items like saved IE passwords and personal SSL certificates cannot be saved.
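The first golden rule (and the "you have to delete profiles at logoff" point made in the Roaming Profiles section) is the one most often left to chance, so here is an added example of enforcing it and checking that it actually happened. The script is written for this article and is not part of TPMM; DeleteRoamingCache is the registry value behind the "Delete cached copies of roaming profiles" policy, and the check uses the Win32_UserProfile class to list profiles still registered on the host. Run it elevated on a Citrix or RDSH server.

```powershell
# Added example, not from the article: enforce "always delete cached profiles"
# on a session host and report cached profiles that survived logoff.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Enable-DeleteCachedProfiles {
    # 1 = remove the locally cached copy of a roaming profile when the user logs off
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'DeleteRoamingCache' -Value 1 -Type DWord
}

function Get-LeftoverProfiles {
    # Profiles registered on this host that are neither built-in accounts nor
    # currently loaded. With the rule enforced this list should be empty apart
    # from local admin profiles you expect to see.
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and -not $_.Loaded } |
        ForEach-Object {
            $bytes = (Get-ChildItem -LiteralPath $_.LocalPath -Recurse -File -Force -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{
                LocalPath   = $_.LocalPath
                LastUseTime = $_.LastUseTime
                SizeMB      = [math]::Round($bytes / 1MB, 1)
            }
        }
}

Enable-DeleteCachedProfiles
$leftover = Get-LeftoverProfiles
if ($leftover) {
    Write-Warning "Cached profiles still present on $env:COMPUTERNAME (look for failed logoffs):"
    $leftover | Format-Table -AutoSize
} else {
    Write-Output "No leftover cached profiles on $env:COMPUTERNAME"
}
```

The policy only acts on profiles Windows considers roaming, which includes a mandatory profile loaded from a share; a profile that was created locally has to be removed another way (for instance by piping the matching Win32_UserProfile object to Remove-CimInstance), so treat a non-empty report as something to investigate rather than silently clean up.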
Hot off the Press…
We have just released version 4 of TPMM, where there is "no profile". We have devised a solution that negates the need for any profile at all and replaces the logon script with our own custom-written StubPath that calls TPMM.EXE. This means we can do away with the Mandatory Profile and provide a single solution that works across any desktop on any operating system, which means for the first time we can synchronise profile settings between a fat client PC and a virtual desktop or published application.
If you are having profile problems let me know, because right now we are giving TPMM away for free, so you have nothing to lose. Contact me if this is of interest to you.
The Future and Beyond
We are excited about TPMM because it was created out of necessity and has been a really useful tool for us; our customers love it too, because the speed of logon really improves the user's Citrix experience. We may look to develop TPMM into a commercial product or continue to give it away free, seeing it as another value-add that ThinTech can bring to the table because we are specialists in our field. What do you think?
Here is what we are working on for version 5 of TPMM, watch this space:
- We are looking to integrate TPMM with Microsoft SQL Server, which means we could support instant profile rollback at a granular level
- We are working on a GUI front end to make management even simpler
- Office version migrations to copy settings from earlier versions of Office
- Windows 10 profiles including Microsoft Edge
Despite this being quite a wordy document there is so much more to be said about profiles. Please, I encourage you to ask questions; I am here to answer any query you may have.