Getty Images


How to address roaming profiles with GPOs

Organizations with virtual desktops should plan out their profile management strategy, and one key component is profile management. GPOs can help.

When organizations deploy a new virtual desktop environment, user profiles can improve the user experience significantly.

Unfortunately, it's easy for IT administrators -- especially newer admins -- to overlook user profile strategy. Understanding user profiles is an important aspect of virtual desktops, so IT administrators should learn how roaming profiles work and how to define user profile types.

Note: The following only applies to non-persistent virtual desktops, as persistent virtual desktops provide the customization retention that some profiles offer.

What is a user profile?

User profiles include the option to modify settings such as the start menu and taskbar appearance, background and colors within a virtual desktop. For example, a left-handed user would be frustrated if their virtual desktop presented a right-handed mouse. Being able to designate the left or right mouse setting is not only important for user productivity, but it may also be a legal requirement.

When users request a non-persistent virtual desktop, they generally just access the base operating system. The user profile strategy determines which settings the user can access and how the virtual desktop applies these settings.

3 user profile options

There are three types of basic user profiles.

  • Local. Temporary settings that the user makes on the virtual desktop but are not permanent are considered local profiles. The virtual desktop platform creates a local profile at logon based on a copy of the default profile. Users may become frustrated with local profiles because they require them to adjust the same settings at the start of each session. For example, left-handed mouse users will need to modify the left/right mouse setting at each logon. While local profiles are the default setting, they're often not optimal, and IT administrators should avoid them.
  • Mandatory. When the environment forces a profile upon users and users cannot permanently modify it, this is a mandatory profile. For example, a call center may deploy a mandatory profile for all agents that provides the corporate colors, streamlined presentation of application icons, and more. That left-handed user can modify the left/right mouse setting, but the virtual desktop will not write this into the mandatory profile. While these profiles are easy for IT admins to install and manage, mandatory profiles often frustrate users because they cannot customize the virtual desktops.
  • Roaming. This type of profile enables users to modify and customize settings. When the left-handed user changes the left/right mouse setting, the desktop writes it to the roaming user profile, and the virtual desktop saves it. Therefore, the left-handed mouse setting is in effect at the next virtual desktop session, and the user doesn't need to modify the setting again. From an administrative standpoint, roaming profiles have higher overhead and require more storage, but the UX is optimized and users are generally happier.

With both mandatory and roaming profiles, the user profile appends to the virtual desktop before the user accesses it. As a result, logon time may slightly increase while the environment writes profiles to the new image.

In addition to the basic user profile types, numerous third-party user profile management offerings are available, and Microsoft also offers the FSLogix profile management option. IT departments often deploy these platforms in conjunction with virtual desktops due to their advanced functionality and faster load times.

Why use roaming profiles for virtual desktops?

Of the three inherent user profile types, roaming profiles provide the best user experience because settings are personalized based on user modifications. Users typically only modify a few settings for their desired level of personalization, and this level of customization is important for usability, accessibility and productivity. 

Administratively, roaming profiles require more work effort -- mainly configuration and storage. Configuration is via the roaming profile's Group Policy Object (GPO). User profiles can become quite large, thus affecting storage requirements and load times.

Keep in mind there are two possible ways to configure roaming profiles: a roaming profile for all user sessions or a roaming profile that applies only to remote desktop sessions.

A roaming profile can become corrupted, in which case IT will need to restore the profile from storage. A known reason for profile corruption is when multiple OS versions are in use, and the environment applies the same roaming profile to both of them. For example, the user profile version with Windows 10 is v5, whereas Windows 10 versions 1607 and 1703 utilize v6. Distinct profile versions are often incompatible.

Organizations often implement roaming profiles in conjunction with folder redirection to centralize user data and reduce the roaming profile size. Folder redirection is generally recommended for most environments, and IT must enable it before roaming profiles.

How to deploy roaming profiles via Group Policy Objects

Once the IT department has determined that roaming profiles are the best option for the virtual desktop environment, setting them up within the roaming profiles GPO is a straightforward process.  Most commonly, IT only enables roaming profiles for virtual desktops because a centralized profile management platform provides the best experience for the user.

Keep in mind there are two possible ways to configure roaming profiles: a roaming profile for all user sessions or a roaming profile that applies only to remote desktop sessions. These instructions apply only to remote desktops. Also, if both a standard roaming profile and a remote desktop roaming profile are in place, the remote desktop roaming profile will apply itself to the remote sessions.

IT administrators should configure GPOs within Active Directory Group Policy Management. The organization unit where the virtual desktops reside should be the basis for the roaming profiles' GPO designation. IT should also assign the appropriate security group or groups. In addition, IT must designate a file share location with ample storage to house the roaming profiles.

IT administrators should enable roaming profiles for virtual desktops as a computer GPO. Specifically, they should configure this within this GPO: Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles. 

Then, choose Set path for Remote Desktop Services Roaming User Profile. Within the Profile path box, administrators should designate the storage location. In addition, IT should append %username% to provide a unique profile directory for each user (Figure 1).

The option to set a profile path within Active Directory's GPOs
Figure 1. The pathing for the user profile within Remote Desktop Services

Within many organizations, virtual desktop administrators may not have security clearance to configure roaming profile GPOs. Organizations should ensure that admins have a lab environment to thoroughly test roaming profile GPO settings before creating a change control order for production rollout.

Dig Deeper on Virtual and remote desktop strategies

Enterprise Desktop
Cloud Computing