How To Implement Modern Profile Management

What’s up, everyone! 

Windows user profiles are important to the user experience. They hold together all of the bits and settings that our users love, so we need to implement the right solution for each scenario. 

Let’s say we are moving away from traditional roaming profiles to modern profile management. What does that journey look like? And does it really work? 

Let’s find out!

Prerequisites

I’ve created a local environment for this demo:

  • A Windows Server 2022 with AD DS
  • Two Windows 11 Enterprise VMs
  • Three demo users
  • Home folder and profile path configured for the demo users
  • A wallpaper configured
  • Azure AD Connect to sync the identities to Azure AD
For Enterprise State Roaming:
  • An Azure AD Premium (or EMS) license
  • Endpoints joined to Azure AD (or hybrid Azure AD joined)

Different Types Of Profile Management

I talked a bit about profile management in the intro. Just as a quick reminder, here’s a mindmap of the common profile management solutions we can use, with a short description of each:

Local User Profiles are created when the user logs into Windows for the first time. They are stored on the local hard drive of the endpoint.

Temporary User Profiles are used when Windows cannot load the user’s own profile, for example because it is corrupt or the file share holding a roaming profile is unreachable. Any changes the user makes are discarded at logoff.

Roaming User Profiles are stored on a file share. The profile is copied from the file share when the user logs in and copied back to the file server when the user logs off. The larger the profile, the longer this takes.

Mandatory User Profiles are used as a template with preconfigured settings. A new copy of the profile is created each time the user logs in. Customizations done by the users are not saved.

FSLogix is a great solution for remote computing environments such as Remote Desktop Services or Azure Virtual Desktop. It has a Profile Container which stores the user profile and an Office Container which stores Office data (such as the Outlook cache) to optimize the Office experience. It can also perform Application Masking and Java Version Control, but that’s for a different post 🙂

Modern Profile Management keeps a local profile on the endpoint while the parts of the user profile that matter most are stored in the cloud: Windows settings through Enterprise State Roaming, the user’s files through OneDrive for Business (Known Folder Move), browser data through Microsoft Edge sync and Office settings through the Office Roaming Features. This makes it a great solution for migrating away from other profile types, and for the Windows 365 Cloud PC, where local profiles are preferred.

Modern Profile Management

Let’s take a look at how we can configure each component and use it to migrate from a different profile management solution to a local profile for the Cloud PC with Modern Profile Management enabled. And of course, let’s test it out!

Enterprise State Roaming

We can synchronize the following Windows settings on Azure AD joined and hybrid Azure AD joined devices by enabling Enterprise State Roaming:

  • Keyboard: turn on toggle keys (off by default)
  • Date, Time, and Region: country/region
  • Date, Time, and Region: region format (locale)
  • Language: language profile
  • Language: list of keyboards
  • Mouse: Primary Mouse Button
  • Passwords: Web Credentials
  • Pen: Pen Handedness
  • Touchpad: Scrolling Direction
  • Wi-Fi: Wi-Fi profiles (only WPA)
If you have the correct licenses in your tenant (Azure AD Premium or EMS), you can turn the feature on in the Azure portal. Go to Azure AD, Devices, Enterprise State Roaming and set Users may sync settings and app data across devices to All (or Selected, for a pilot group).

The data is encrypted and sent over the internet to a Microsoft datacenter in a region that aligns with your Azure AD tenant.

You can view the sync status in Azure AD, Users, All Users. Select the user accounts, Devices, View devices syncing settings and app data.

We can configure which settings are synchronized with Azure. For Windows 10, go to Settings, Accounts, Sync your settings. For Windows 11, go to Settings, Accounts, Windows backup.

If you just configured Enterprise State Roaming, it’s possible that the controls are still greyed out. Reboot the endpoint and give it a couple of hours to apply the device policy. If nothing happens, check Event Viewer under Applications and Services Logs, Microsoft, Windows, SettingSync and follow the Microsoft troubleshooting guide. Here’s a screenshot where the controls are still greyed out.
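When the controls stay greyed out, it is almost always one of three things: the device isn’t actually Azure AD joined, the signed-in user has no Primary Refresh Token, or a local “Do not sync” policy is blocking settings sync. The following PowerShell is an added example written for this post (it is not part of the original article) that checks all three and pulls the recent SettingSync events the troubleshooting guide points at. It assumes you run it in an elevated session on the endpoint, signed in as the affected user; the log-name wildcard and the SettingSync policy key are the documented ones, but your environment may not have the debug log enabled.

```powershell
# Added example: triage why Enterprise State Roaming controls are greyed out.
# Run elevated, on the endpoint, as the user who cannot sync.

# 1. Device join state and PRT. ESR needs an Azure AD (or hybrid Azure AD)
#    joined device and a valid Primary Refresh Token for the signed-in user.
$dsreg = dsregcmd /status
$joinState = @{}
foreach ($line in $dsreg) {
    # dsregcmd prints lines such as "   AzureAdJoined : YES"
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt)\s*:\s*(\S+)') {
        $joinState[$Matches[1]] = $Matches[2]
    }
}
$joinState

if ($joinState['AzureAdJoined'] -ne 'YES') {
    Write-Warning 'Device is not Azure AD joined; ESR will not sync.'
}
if ($joinState['AzureAdPrt'] -ne 'YES') {
    Write-Warning 'No Azure AD PRT for this user; sign out and in again, or check the hybrid join.'
}

# 2. Local policy that disables settings sync. The "Do not sync" Group Policy
#    writes DisableSettingSync = 2 under this key; while it is set, the Settings
#    page stays greyed out no matter what the tenant allows.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
if (Test-Path $policyKey) {
    $pol = Get-ItemProperty $policyKey
    $pol | Format-List *
    if ($pol.DisableSettingSync -eq 2) {
        Write-Warning 'Settings sync is disabled by Group Policy (DisableSettingSync = 2).'
    }
}
else {
    'No SettingSync policy key present (sync is not blocked locally).'
}

# 3. Recent warnings/errors from the SettingSync logs
#    (Applications and Services Logs > Microsoft > Windows > SettingSync).
Get-WinEvent -ListLog 'Microsoft-Windows-SettingSync*' -ErrorAction SilentlyContinue |
    Where-Object RecordCount -gt 0 |
    ForEach-Object {
        Get-WinEvent -LogName $_.LogName -MaxEvents 20 -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

If the first two checks pass and the policy key is absent, the remaining suspect is simply time: the tenant-side toggle is delivered as device policy and can take a few hours to land, which is exactly the wait described above.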

OneDrive for Business (Known Folder Move)

One of the key things we need to sync is the Desktop, Documents and Pictures folders of the user profile. That’s where Known Folder Move comes in. You can configure Known Folder Move on your local client or use a Group Policy to configure the options on your endpoints. 

At this point I created a Central Store so that the policies are readily available for my endpoints. In a real-world scenario you might have the Central Store already set up, so you can just go ahead and copy the .admx and .adml files to the Central Store. You can find the latest OneDrive policy templates on an endpoint in the following location (BuildNumber is the version folder of the installed sync app):

x64 -> C:\Program Files\Microsoft OneDrive\BuildNumber\adm\OneDrive.admx & .adml

x86 -> C:\Program Files (x86)\Microsoft OneDrive\BuildNumber\adm\OneDrive.admx & .adml

The Central Store is available at \\dom.ain\sysvol\dom.ain\Policies\PolicyDefinitions\ (the .admx file goes in the root and the .adml file into the corresponding language subfolder, for example en-US).

Now it’s time to create the Group Policy object with the Known Folder Move settings:

If you want to speed up the process, launch an administrative prompt and run ‘gpupdate /force’, or reboot the endpoint and log in as the user. The OneDrive client will now try to connect, and you should see a blue cloud icon in the taskbar, like this:

You can then see the sync icons appear in File Explorer and on the desktop:
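The three steps above (copy the templates, create the policy, verify on the endpoint) can be driven from PowerShell on a pilot machine. The script below is an added example written for this post, not the author’s own, and it makes a few assumptions: the registry values under HKLM\SOFTWARE\Policies\Microsoft\OneDrive are the ones the OneDrive ADMX writes for “Silently sign in users to the OneDrive sync app with their Windows credentials”, “Silently move Windows known folders to OneDrive” and “Prevent users from redirecting their Windows known folders to their PC”; the tenant ID and Central Store path are placeholders you must replace; and you have write access to SYSVOL.

```powershell
# Added example: deploy the OneDrive ADMX, apply the Known Folder Move policy
# values on a pilot machine, and verify the redirection as the user.
param(
    [string]$TenantId     = '00000000-0000-0000-0000-000000000000',  # placeholder: your Azure AD tenant ID
    [string]$CentralStore = '\\dom.ain\SYSVOL\dom.ain\Policies\PolicyDefinitions',  # placeholder
    [string]$Language     = 'en-US'
)

# --- Step 1: copy the newest OneDrive ADMX/ADML from this endpoint to the Central Store.
$oneDriveRoots = 'C:\Program Files\Microsoft OneDrive', 'C:\Program Files (x86)\Microsoft OneDrive'
$admx = Get-ChildItem -Path $oneDriveRoots -Recurse -Filter 'OneDrive.admx' -ErrorAction SilentlyContinue |
        Sort-Object { $_.Directory.Parent.Name -as [version] } -Descending |   # BuildNumber folder above "adm"
        Select-Object -First 1
if (-not $admx) { throw 'OneDrive.admx not found; is the OneDrive sync app installed here?' }

# The .adml sits either next to the .admx or in a language subfolder, depending on the build.
$adml = Get-ChildItem -Path $admx.DirectoryName -Recurse -Filter 'OneDrive.adml' |
        Where-Object { $_.DirectoryName -eq $admx.DirectoryName -or $_.Directory.Name -eq $Language } |
        Select-Object -First 1
if (-not $adml) { throw "No OneDrive.adml found for $Language" }

Copy-Item $admx.FullName -Destination $CentralStore -Force
Copy-Item $adml.FullName -Destination (Join-Path $CentralStore $Language) -Force
"Copied $($admx.Name) and $($adml.Name) ($($admx.Directory.Parent.Name)) to $CentralStore"

# --- Step 2: the KFM policy values. These are what the GPO writes; setting them
#     locally on a pilot machine lets you test before touching the GPO.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty $policy -Name 'SilentAccountConfig'            -Value 1 -Type DWord     # sign in with Windows credentials
Set-ItemProperty $policy -Name 'KFMSilentOptIn'                 -Value $TenantId -Type String  # move Desktop/Documents/Pictures
Set-ItemProperty $policy -Name 'KFMSilentOptInWithNotification' -Value 1 -Type DWord     # notify the user after the move
Set-ItemProperty $policy -Name 'KFMBlockOptOut'                 -Value 1 -Type DWord     # users cannot redirect folders back

# --- Step 3: verify as the user, after sign-in, that the known folders now live in OneDrive.
function Test-KnownFolderMove {
    $oneDrive = $env:OneDriveCommercial   # set by the sync app once the business account is signed in
    if (-not $oneDrive) {
        Write-Warning 'OneDriveCommercial is not set; the business account has not signed in yet.'
        return
    }
    foreach ($folder in 'Desktop', 'MyDocuments', 'MyPictures') {
        $path = [Environment]::GetFolderPath($folder)
        [pscustomobject]@{
            Folder     = $folder
            Path       = $path
            Redirected = $path.StartsWith($oneDrive, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}
Test-KnownFolderMove | Format-Table -AutoSize
```

Step 3 is the check worth keeping around after the pilot: a user whose Desktop path still points at C:\Users\<name>\Desktop has not been moved yet, regardless of what the blue cloud icon suggests. In production leave Step 2 to the GPO and run only the verification.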

Microsoft Edge browser 

The Microsoft Edge browser is another part of the modern profile management solution. If our users log in to Microsoft Edge, we can synchronize the following profile data:

  • Favorites
  • Passwords
  • Form-fill data
  • History
  • Open tabs (Sessions)
  • Settings (Preferences)
  • Extensions

We can enable the synchronization by logging into Microsoft Edge. Just use the first-run option if you open Edge for the first time, or use the profiles button on the top right corner of the browser.

It makes sense to use a Group Policy object to configure the synchronization since you’re migrating to modern profile management. Let’s download the Microsoft Edge administrative templates first. Extract the templates and copy them to the Central Store as shown before.

Configure the policy Force synchronization of browser data and do not show the sync consent prompt and set it to Enabled.

Make sure the Group Policy object is applied and log in to your endpoint. Open the Microsoft Edge browser and give it a couple of seconds to sign in. Click the profile icon in the top right corner of the browser to see whether it signed in and is syncing successfully. Another way to check the status is to browse to edge://policy and confirm the policy has been applied.
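Because the Edge templates expose several sync-related policies, a forced sync can be silently cancelled by another setting in the same GPO or a second GPO. The PowerShell below is an added example for this post (not code from the original article) that writes the policy from the step above in its registry form on a pilot machine and then checks for the conflicts. It assumes the GPO “Force synchronization of browser data and do not show the sync consent prompt” corresponds to the ForceSync value, and that SyncDisabled, BrowserSignin and SyncTypesListDisabled are the Edge policies of the same names; the optional password exclusion is an example of the latter, not something the original post configures.

```powershell
# Added example: apply the Edge sync policy locally (pilot) and detect settings that undo it.
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Set-EdgeSyncPolicy {
    param([switch]$ExcludePasswords)
    New-Item -Path $edgePolicy -Force | Out-Null
    # "Force synchronization of browser data and do not show the sync consent prompt" = Enabled
    Set-ItemProperty $edgePolicy -Name 'ForceSync' -Value 1 -Type DWord
    if ($ExcludePasswords) {
        # Chromium-style list policies are stored as numbered string values under a subkey.
        # Excluding "passwords" keeps saved credentials from roaming through the browser.
        $list = Join-Path $edgePolicy 'SyncTypesListDisabled'
        New-Item -Path $list -Force | Out-Null
        Set-ItemProperty $list -Name '1' -Value 'passwords' -Type String
    }
}

function Test-EdgeSyncPolicy {
    if (-not (Test-Path $edgePolicy)) {
        Write-Warning 'No Edge policy key yet; the GPO has not applied (try gpupdate /force).'
        return
    }
    $p = Get-ItemProperty $edgePolicy
    $result = [ordered]@{
        ForceSync         = $p.ForceSync
        SyncDisabled      = $p.SyncDisabled
        BrowserSignin     = $p.BrowserSignin
        DisabledSyncTypes = @()
    }
    $list = Join-Path $edgePolicy 'SyncTypesListDisabled'
    if (Test-Path $list) {
        $result.DisabledSyncTypes = (Get-ItemProperty $list).PSObject.Properties |
            Where-Object Name -match '^\d+$' | ForEach-Object Value
    }
    if ($result.ForceSync -ne 1)     { Write-Warning 'ForceSync is not 1; users will still see the consent prompt.' }
    if ($result.SyncDisabled -eq 1)  { Write-Warning 'SyncDisabled = 1 overrides ForceSync; nothing will sync.' }
    if ($result.BrowserSignin -eq 0) { Write-Warning 'BrowserSignin = 0 blocks sign-in, so nothing can sync.' }
    [pscustomobject]$result
}

Set-EdgeSyncPolicy -ExcludePasswords   # pilot machine only; in production the GPO writes these values
Test-EdgeSyncPolicy
```

The same values are what edge://policy shows after the GPO applies, so the function doubles as a quick way to compare a working pilot machine with a misbehaving one.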

Office Roaming Features

And last but not least: the Microsoft Office roaming features. They are enabled by default in the Microsoft 365 Apps and sync the following settings to the cloud:

  • Most recently used files (all apps)
  • Most recently used locations (all apps)
  • Most recently used templates (all apps)
  • Custom dictionary
  • Office personalization
  • Word’s resume reading feature
  • PowerPoint’s last viewed slide feature
  • Mounted services
  • OneNote notebook name
  • Visio device settings
  • Outlook signature (delayed)
While enabled by default, you can check the Outlook signature setting in Outlook Options, General: make sure the box next to Store my Outlook settings in the cloud is ticked.

To test this feature I created a Word document and saved it to OneDrive. Both the physical machine and the Cloud PC show the document in the recent file list. Nice!

Another test is to enable week numbers in the calendar view. I changed the setting on the Cloud PC and it synced without a problem to the physical endpoint. 

And of course we have to test the Outlook signature roaming feature! So I created one in Outlook on the Cloud PC… and it did absolutely nothing. After a bit of searching I noticed that the feature was delayed until October 2022, so we’ll just have to wait a bit before this feature is released. 

Put It All Together

You can use all of the solutions described here, but moving to modern profile management doesn’t mean that you have to use all of them. Check each solution and decide whether you want to use it. Some might be a bit tricky if they don’t work at first, so don’t let it become a rabbit hole. 

Once your solutions are in place, make sure to test them with demo users or a pilot group before disabling the existing profile management solution. 
