{"id":5369,"date":"2013-08-05T12:00:26","date_gmt":"2013-08-05T10:00:26","guid":{"rendered":"https:\/\/ingmarverheij.com\/?p=5369"},"modified":"2014-01-10T14:16:49","modified_gmt":"2014-01-10T13:16:49","slug":"hybrid-local-profile-with-res-workspace-manager","status":"publish","type":"post","link":"https:\/\/ingmarverheij.com\/en\/hybrid-local-profile-with-res-workspace-manager\/","title":{"rendered":"Hybrid local profile with RES Workspace Manager"},"content":{"rendered":"<p>In a virtual desktop environment the profile solution provided by Microsoft, the roaming profile, is not sufficient. With the \u201c<a href=\"https:\/\/blog.ressoftware.com\/index.php\/tag\/zero-profile\/\" target=\"_blank\">Zero Profile<\/a> Technology\u201d <a href=\"https:\/\/www.ressoftware.com\/product\/res-workspace-manager\" target=\"_blank\">RES Workspace Manager<\/a> has a feature that captures user settings and injects them whenever needed, offering a more flexible solution than the roaming profile. More importantly, only the required settings are captured, which prevents profile bloat and corruption.<\/p>\n<p>Of course <a href=\"https:\/\/www.ressoftware.com\/\" target=\"_blank\">RES Software<\/a> can\u2019t replace the Windows profile, so you end up with a hybrid solution, also referred to as a \u201chybrid profile\u201d. Theoretically you can use any flavor of the Microsoft profile solutions (local, roaming or mandatory) and add the RES feature on top. 
A commonly used hybrid solution is a mandatory profile + RES Workspace Manager, but as Wilco van Bragt mentioned in his article about alternatives for the mandatory profile (<a href=\"https:\/\/www.virtualization.vanbragt.net\/index.php?option=com_content&amp;view=article&amp;id=1382:the-alternatives-for-mandatory-profiles&amp;catid=26:articles&amp;Itemid=477\" target=\"_blank\">link<\/a>) this has its drawbacks.<\/p>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Event-13-CertificateServicesClient-CertEnroll.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-width: 0px; margin: 0px 0px 0px 5px; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: right; display: inline; background-image: none;\" title=\"Event 13, CertificateServicesClient-CertEnroll\" alt=\"Certificate enrollment for failed to enroll for a VUserAuthentication certificate with request ID N\/A from Issuing 1 CA (The profile for the user is a temporary profile. 0x80090024 (-2146893788)).\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Event-13-CertificateServicesClient-CertEnroll_thumb.png\" width=\"119\" height=\"84\" align=\"right\" border=\"0\" \/><\/a>One of the biggest \u201cchallenges\u201d with mandatory profiles, or roaming profiles where <a href=\"https:\/\/support.microsoft.com\/kb\/274152\" target=\"_blank\">cached copies are deleted<\/a>, is the use of <strong>certificates<\/strong>, especially if you use <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc947849(v=ws.10).aspx\" target=\"_blank\">auto-enrollment of certificates<\/a>. As the event in the screenshot shows, enrollment fails with 0x80090024 (NTE_TEMPORARY_PROFILE) because the key store refuses to write a user key into a profile that will not persist. What we\u2019re looking for in a profile are the following characteristics:<\/p>\n<ul>\n<li><strong>Works with certificates<\/strong> \u2013 as described above<\/li>\n<li><strong>Removed after logoff <\/strong>\u2013 to prevent the computer from filling up with <em>garbage<\/em><\/li>\n<li><strong>Stateless <\/strong>\u2013 or non-persistent. 
In other words, it does not store changes made by the user. Each time a user starts a session it should start from exactly the same settings; the profile solution (RES Workspace Manager) then injects the user\u2019s settings on top.<\/li>\n<\/ul>\n<p>As Wilco describes in his article the <strong>local profile <\/strong>is the best candidate for a hybrid profile. But the local profile has one drawback: it persists on the computer.<\/p>\n<p><!--more--><\/p>\n<h1>Enforce Local Profiles<\/h1>\n<p>On your RES Workspace Manager (WM) agents (your Windows desktop machines or <a href=\"https:\/\/ingmarverheij.com\/virtual-desktop-word-bingo-xendesktop-7\/\" target=\"_blank\">Hosted Shared \/ Private Desktops<\/a>) you want to enforce the use of local profiles. This matters especially in a mixed environment where roaming profiles are in use: a roaming profile path can be configured at several levels (on the user account or through Group Policy), and enforcing local profiles on the agent prevents any of them from being loaded.<\/p>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Computer-Configuration-Policies-Administrative-Templates-System-User-Profiles-Only-all.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-width: 0px; margin: 0px 0px 0px 5px; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: right; display: inline; background-image: none;\" title=\"Computer Configuration - Policies - Administrative Templates - System - User Profiles - Only allow local profiles\" alt=\"Computer Configuration - Policies - Administrative Templates - System - User Profiles - Only allow local profiles\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Computer-Configuration-Policies-Administrative-Templates-System-User-Profiles-Only-all1.png\" width=\"119\" height=\"76\" align=\"right\" border=\"0\" \/><\/a>The computer policy <strong>Only allow local user profiles<\/strong> prevents users who are configured with a roaming profile from receiving it; they get a local profile on the agent instead. 
The policy setting is in the <strong>Computer Configuration\\Administrative Templates\\System\\User Profiles<\/strong> node.<\/p>\n<h1><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Only-allow-local-user-profiles.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-width: 0px; margin: 0px auto; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: none; display: block; background-image: none;\" title=\"Only allow local user profiles\" alt=\"Only allow local user profiles\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Only-allow-local-user-profiles_thumb.png\" width=\"154\" height=\"142\" border=\"0\" \/><\/a><\/h1>\n<p>&nbsp;<\/p>\n<h1>Remove at logoff<\/h1>\n<h4>Guest profile<\/h4>\n<p>To prevent the agent from filling up with profiles, and to ensure a user always gets a clean profile, the profile needs to be removed when the user logs off. Windows has no built-in functionality to remove a local profile at logoff, as it has for a roaming profile (the policy that deletes cached copies of roaming profiles), except for <a href=\"https:\/\/support.microsoft.com\/kb\/300489\/en-us\" target=\"_blank\">guest users<\/a>. If you make Windows believe that the user\u2019s profile is a guest profile it will treat it accordingly and <a href=\"https:\/\/support.microsoft.com\/kb\/165398\" target=\"_blank\">remove the profile<\/a> at logoff.<\/p>\n<h4>ProfileList<\/h4>\n<p>Windows registers each profile in the registry key <strong>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList<\/strong>. For each user a subkey is created, named after the user\u2019s unique <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Security_Identifier\" target=\"_blank\">security identifier<\/a><\/strong> (SID). 
Besides recording where the profile is located (ProfileImagePath) and what the user\u2019s security identifier is (Sid), the subkey stores the state of the profile in the <strong><a href=\"https:\/\/networkadminkb.com\/KB\/a39\/how-to-determine-the-type-of-user-profile-loaded.aspx\" target=\"_blank\">State value<\/a><\/strong>. As the name implies, this is a dynamic value that changes over the life of the profile (unlike the Sid).<\/p>\n<p>State is a bit mask of PROFILE_* flags rather than a single enumerated value, so several bits can be set at once. For instance a mandatory profile has <strong>0x1<\/strong> (PROFILE_MANDATORY) set, a profile that could not be loaded has <strong>0x800<\/strong> (PROFILE_TEMP_ASSIGNED, temporary profile loaded) set, and a guest profile is marked by <strong>0x80<\/strong> (PROFILE_GUEST_USER, or 128 decimal).<\/p>\n<p>&nbsp;<\/p>\n<h4>Change state value<\/h4>\n<p>The only reason we want to change the State value is to trick Windows into believing it is a guest profile at logoff, so that it removes the profile. The best moment to change the value is therefore <a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Logoff-command-properties.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-width: 0px; margin: 0px 0px 0px 5px; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: right; display: inline; background-image: none;\" title=\"Logoff command - properties\" alt=\"Logoff command - properties\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Logoff-command-properties_thumb.png\" width=\"154\" height=\"127\" align=\"right\" border=\"0\" \/><\/a>during logoff.<\/p>\n<p>With RES Workspace Manager you can create a command that runs at logoff. 
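<\/p>\n<p>To see what the logoff command changes, and to verify afterwards that it had the intended effect, list the entries in <strong>ProfileList<\/strong> and decode their State bits. The PowerShell below is an added example for this article, not code from the original post or from RES; the flag names and bit values are the documented PROFILE_* constants of the State value. It only reads HKLM, which a standard user may do, so it can also run as a second logoff command next to the script that sets 0x80.<\/p>

```powershell
# Added example (not from the original post or from RES): list the profiles registered in
# ProfileList and decode the State bit mask, so the effect of the logoff command can be
# checked. The flag names and bit values are the documented PROFILE_* constants of State.
$ProfileStateFlags = [ordered]@{
    0x0001 = 'PROFILE_MANDATORY'        # mandatory profile
    0x0002 = 'PROFILE_USE_CACHE'        # update the locally cached profile
    0x0004 = 'PROFILE_NEW_LOCAL'        # new local profile
    0x0008 = 'PROFILE_NEW_CENTRAL'      # new central (roaming) profile
    0x0010 = 'PROFILE_UPDATE_CENTRAL'   # update the central profile
    0x0020 = 'PROFILE_DELETE_CACHE'     # delete the cached copy at logoff
    0x0040 = 'PROFILE_UPGRADE'          # profile is being upgraded
    0x0080 = 'PROFILE_GUEST_USER'       # guest profile: removed at logoff
    0x0100 = 'PROFILE_ADMIN_USER'       # administrator profile
    0x0200 = 'DEFAULT_NET_READY'        # default network profile is available
    0x0400 = 'PROFILE_SLOW_LINK'        # slow link detected
    0x0800 = 'PROFILE_TEMP_ASSIGNED'    # temporary profile loaded
}

function ConvertTo-ProfileStateFlags {
    # Translate a State DWORD into the names of the bits that are set.
    param([Parameter(Mandatory)][int]$State)
    $known = 0
    $names = @(foreach ($bit in $ProfileStateFlags.Keys) {
        $known = $known -bor $bit
        if ($State -band $bit) { $ProfileStateFlags[$bit] }
    })
    # Report bits that are not in the table instead of silently dropping them.
    $unknown = $State -band (-bnot $known)
    if ($unknown -ne 0) { $names += ('UNKNOWN_0x{0:X}' -f $unknown) }
    if ($names.Count -eq 0) { $names = @('(none)') }
    return $names
}

function Get-ProfileListEntry {
    # One object per ProfileList subkey; -Sid limits the output to a single account.
    param([string]$Sid)
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $root | ForEach-Object {
        if ($Sid -and $_.PSChildName -ne $Sid) { return }   # skip other accounts
        $p      = Get-ItemProperty -Path $_.PSPath
        $state  = [int]$p.State                              # a missing value counts as 0
        $path   = [string]$p.ProfileImagePath
        $exists = if ($path) { Test-Path -LiteralPath $path } else { $false }
        [pscustomobject]@{
            Sid              = $_.PSChildName
            ProfileImagePath = $path
            State            = '0x{0:X}' -f $state
            Flags            = (ConvertTo-ProfileStateFlags -State $state) -join ', '
            FolderExists     = $exists
        }
    }
}

# Inside the session, e.g. from a RES logoff command that runs after the 0x80 script:
# the current user should now show Flags = PROFILE_GUEST_USER.
$me = ([Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
Get-ProfileListEntry -Sid $me | Format-List

# From an administrative session after the user has logged off: the SID should be gone
# from the list and no stale profile folder should be left behind under C:\Users.
Get-ProfileListEntry | Format-Table -AutoSize
```

<p>Because the logoff script overwrites the whole DWORD with 0x80 rather than setting a single bit, the output for the current user should show exactly PROFILE_GUEST_USER; any other flags in the list mean the command did not run, or something rewrote the value after it.<\/p>\n<p>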
Changing the value can be done with a batch or PowerShell script. PowerShell starts slower and the script has to be permitted by the <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/ee176961.aspx\" target=\"_blank\">ExecutionPolicy<\/a>, either by lowering the policy or by starting powershell.exe with <strong>-ExecutionPolicy Bypass<\/strong> for this command only. Add <strong>-NoProfile<\/strong> as well, so that no user-writable PowerShell profile script is executed along with the command; this matters once the command runs with Dynamic Privileges (see Permissions below).<\/p>\n<h5><span style=\"text-decoration: underline;\">Batch<\/span><\/h5>\n<p><strong>Command line<\/strong>: %script% <br clear=\"all\" \/><strong>Script extension<\/strong>: cmd <br clear=\"all\" \/><strong>Script<\/strong>:<\/p>\n<pre>REM Name        : SimulateGuestUser.cmd\r\nREM Author      : Ingmar Verheij - www.ingmarverheij.com\r\nREM Version     : 1.0, 03-08-2013\r\nREM               1.1, 10-01-2014 (removed first 12 characters from SID instead of 7)\r\nREM Description : Tricks Windows into believing the user's profile is a guest profile by\r\nREM               changing the state to 0x80 (PROFILE_GUEST_USER)\r\n\r\n@ECHO OFF\r\nREM Expand variables at execution time rather than at parse time\r\nSETLOCAL EnableDelayedExpansion\r\n\r\nREM Determine the user SID: the last line of the LIST output is the SID line,\r\nREM token 2 (everything after the colon) is the SID with leading spaces\r\nFOR \/F \"skip=5 tokens=2 delims=:\" %%i IN ('WHOAMI \/USER \/FO LIST') DO SET SID=%%i\r\n\r\nREM Remove leading spaces. WHOAMI pads the label to the width of the localized\r\nREM \"User Name\" label, so the number of spaces differs per language; trim them\r\nREM instead of cutting a fixed number of characters\r\nFOR \/F \"tokens=* delims= \" %%i IN (\"!SID!\") DO SET SID=%%i\r\n\r\nREM Set the state of the current user's profile to PROFILE_GUEST_USER (0x80)\r\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\%SID%\" \/v State \/t REG_DWORD \/d 0x80 \/f<\/pre>\n<p>&nbsp;<\/p>\n<h5><span style=\"text-decoration: underline;\">PowerShell<\/span><\/h5>\n<p><strong>Command line<\/strong>: %systemroot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File %script%<\/p>\n<p><br clear=\"all\" \/><strong>Script extension<\/strong>: ps1<\/p>\n<p><br clear=\"all\" \/><strong>Script<\/strong>:<\/p>\n<pre lang=\"powershell\"># Name        : SimulateGuestUser.ps1\r\n# Author      : Ingmar Verheij - www.ingmarverheij.com\r\n# Version     : 1.0, 03-08-2013\r\n# Description : Tricks Windows into believing the user's profile is a guest profile by\r\n#               changing the state to 0x80\r\n\r\n# Set the state of the current user's profile to 
PROFILE_GUEST_USER (0x80)\r\n$Sid = ([Security.Principal.WindowsIdentity]::GetCurrent()).User.Value\r\nSet-ItemProperty -Path (\"HKLM:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\{0}\" -f $Sid) -Name State -Type DWord -Value 0x80<\/pre>\n<p>&nbsp;<\/p>\n<h4>Permissions<\/h4>\n<p>By default only administrators can change the values in <strong>ProfileList\\%SID%<\/strong>; a normal user can\u2019t. This can be mitigated in (at least) two ways:<\/p>\n<ol>\n<li>Run the task with Dynamic Privileges;<\/li>\n<li>Grant permissions to users to change values.<\/li>\n<\/ol>\n<p>The first option, running the task with Dynamic Privileges, is the most secure method as it\u2019s the most granular. No additional permissions are granted and the users can\u2019t change any value in the registry themselves; instead a token is injected at runtime to grant the required permissions to that one command. For this feature you require the <strong>Security &amp; Performance module<\/strong>, which is part of the gold edition and <em>can<\/em> be part of the silver edition.<\/p>\n<p>To limit the risk of granting permissions to users you should minimize the granted permissions as much as possible. By only granting <strong>Authenticated Users<\/strong> (instead of Everyone) you ensure that users are authenticated, excluding guest users. The only permissions required to write a value are <strong>Set Value<\/strong> and <strong>Create Subkey<\/strong> (the two key-specific rights in KEY_WRITE, 0x20006). Keep in mind that the permission is set on the ProfileList key and inherited by every SID subkey, so any authenticated user can then also write values, including ProfileImagePath, in other users\u2019 entries; that is the trade-off the Dynamic Privileges option avoids. 
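<\/p>\n<p>The following PowerShell is an added example for this article (not code from the original post or from RES) that applies the same minimal ACE the Group Policy screenshots below configure, and then reads the ACL back to check that nothing wider than Set Value and Create Subkey was granted to Authenticated Users. It assumes it is run elevated on the agent; the SID of Authenticated Users is resolved from the well-known SID type, so it does not depend on the display language.<\/p>

```powershell
# Added example (not from the original post or from RES): grant Authenticated Users only
# Set Value + Create Subkey on ProfileList, the same ACE the Group Policy screenshots
# configure, and verify that no broader right was granted. Run once per agent, elevated.
$KeyPath   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$Principal = New-Object System.Security.Principal.SecurityIdentifier(
                 [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
$Rights    = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey

function Grant-ProfileListWrite {
    # Add the minimal ACE. ContainerInherit makes it apply to the <SID> subkeys, which is
    # what the logoff script needs; it also means every user can write to every entry.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
               $KeyPath,
               [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
               [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    try {
        $acl  = $key.GetAccessControl()
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                    $Principal, $Rights,
                    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                    [System.Security.AccessControl.PropagationFlags]::None,
                    [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)
    }
    finally { $key.Close() }
}

function Test-ProfileListWrite {
    # Return the ACEs for Authenticated Users on the key. Minimal is False when an ACE
    # carries anything beyond Set Value + Create Subkey (e.g. Full Control or Delete).
    $acl = Get-Acl -Path "HKLM:\$KeyPath"
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -ne $Principal) { continue }
        [pscustomobject]@{
            Rights   = $ace.RegistryRights
            Type     = $ace.AccessControlType
            Inherits = $ace.InheritanceFlags
            Minimal  = ((([int]$ace.RegistryRights) -band (-bnot ([int]$Rights))) -eq 0)
        }
    }
}

Grant-ProfileListWrite
Test-ProfileListWrite | Format-Table -AutoSize
```

<p>If Test-ProfileListWrite reports Minimal = False for any entry, an earlier change granted more than the two rights; remove that ACE rather than stacking a narrower one on top, since the effective rights are the union of all Allow ACEs.<\/p>\n<p>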
One way to achieve this is via a group policy object:<\/p>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Grant-permissions-to-users-to-change-values.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-width: 0px; margin: 0px auto; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: none; display: block; background-image: none;\" title=\"Grant permissions to users to change values\" alt=\"Grant permissions to users to change values\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Grant-permissions-to-users-to-change-values_thumb.png\" width=\"254\" height=\"74\" border=\"0\" \/><\/a><\/p>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Group-Policy-Management-Editor.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-width: 0px; margin: 0px 5px 0px 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;\" title=\"Group Policy Management Editor\" alt=\"Group Policy Management Editor\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Group-Policy-Management-Editor_thumb.png\" width=\"229\" height=\"104\" border=\"0\" \/><\/a><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/MACHINE-SOFTWARE-Microsoft-Windows-NT-CurrentVersion-ProfileList.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-width: 0px; margin: 0px 5px 0px 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;\" title=\"MACHINE-SOFTWARE-Microsoft-Windows NT-CurrentVersion-ProfileList\" alt=\"MACHINE-SOFTWARE-Microsoft-Windows NT-CurrentVersion-ProfileList\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/MACHINE-SOFTWARE-Microsoft-Windows-NT-CurrentVersion-ProfileList_thumb.png\" width=\"109\" height=\"104\" border=\"0\" \/><\/a><a 
href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Security-for-MACHINE-SOFTWARE-Microsoft-Windows-NT-CurrentVersion-ProfileList.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-width: 0px; margin: 0px 5px 0px 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;\" title=\"Security for MACHINE-SOFTWARE-Microsoft-Windows NT-CurrentVersion-ProfileList\" alt=\"Security for MACHINE-SOFTWARE-Microsoft-Windows NT-CurrentVersion-ProfileList\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Security-for-MACHINE-SOFTWARE-Microsoft-Windows-NT-CurrentVersion-ProfileList_thumb.png\" width=\"87\" height=\"104\" border=\"0\" \/><\/a><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Permission-Entry-for-MACHINE-SOFTWARE-Microsoft-Windows-NT-CurrentVersion-ProfileList.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-width: 0px; margin: 0px 5px 0px 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;\" title=\"Permission Entry for MACHINE-SOFTWARE-Microsoft-Windows NT-CurrentVersion-ProfileList\" alt=\"Permission Entry for MACHINE-SOFTWARE-Microsoft-Windows NT-CurrentVersion-ProfileList\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/08\/Permission-Entry-for-MACHINE-SOFTWARE-Microsoft-Windows-NT-CurrentVersion-ProfileList_thumb.png\" width=\"82\" height=\"104\" border=\"0\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h1>Default profile<\/h1>\n<p>When a new user logs in and no profile exists the default profile is copied. 
During this phase the user is granted permissions on his own profile folder, unlike a mandatory profile, which is shared by all users and therefore accessible to all of them.<\/p>\n<p>With the <a href=\"https:\/\/virtualengine.co.uk\/vet\/puu\/\" target=\"_blank\">Profile Update Utility<\/a> (PuU), which is part of the Virtual Engine Toolkit (VET), you can easily open NTUSER.DAT (the user\u2019s registry hive) and, for instance, enable Aero. Note that this file is hidden.<\/p>\n<p><strong><em>Be VERY careful when changing the default profile! All users rely on the default profile, including administrative accounts that have no profile on the agent! Breaking the default profile can potentially block access to the machine!<\/em><\/strong><\/p>\n<p>You can use software like Microsoft DFSR to replicate the folder between a number of agents, or use (startup) scripts to pull the profile from a shared location.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a virtual desktop environment the profile solution provided by Microsoft, the roaming profile, is not sufficient. With the \u201cZero Profile Technology\u201d RES Workspace Manager has a feature that captures user settings and injects them whenever needed, offering a more flexible solution than the roaming profile. 
More importantly only the required settings are captured and [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[290],"tags":[581,582,115,39,580,372],"class_list":["post-5369","post","type-post","status-publish","format-standard","hentry","category-workspace-management","tag-certificates","tag-certificateservicesclient","tag-profile","tag-res","tag-user","tag-workspace-manager"],"_links":{"self":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/5369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/comments?post=5369"}],"version-history":[{"count":9,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/5369\/revisions"}],"predecessor-version":[{"id":6403,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/5369\/revisions\/6403"}],"wp:attachment":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/media?parent=5369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/categories?post=5369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/tags?post=5369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}