Policy CSP - ADMX_UserProfiles

Tip

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
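The two payload encodings described in this tip, as an added example that is not part of the original page: a Python sketch that builds the SyncML Replace command for a device-scoped policy and confirms that the XML-encoded and CDATA forms parse to the same payload string. The `<enabled/>`/`<disabled/>` payloads and the `<Type>text/plain</Type>` element follow the convention described in Understanding ADMX-backed policies rather than text on this page. The helper names are hypothetical, and it is an assumption of the example that DontForceUnloadHive, LeaveAppMgmtData and ProfileErrorAction take no additional data elements.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"s": "SYNCML:SYNCML1.2"}
# OMA-URI prefix of the device-scoped policies documented on this page.
BASE = "./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/"
# Assumption: these policies carry no <data> elements, only the state marker.
SIMPLE_POLICIES = {"DontForceUnloadHive", "LeaveAppMgmtData", "ProfileErrorAction"}


def build_syncml(policy, enabled, use_cdata=False, cmd_id=1):
    """Return a SyncML Replace command that enables or disables `policy`."""
    if policy not in SIMPLE_POLICIES:
        raise ValueError(f"{policy!r} may need <data> elements; not handled here")
    payload = "<enabled/>" if enabled else "<disabled/>"
    # Either wrap the payload in CDATA or XML-encode it; never both.
    data = f"<![CDATA[{payload}]]>" if use_cdata else escape(payload)
    return f"""<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>{cmd_id}</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>{BASE}{policy}</LocURI>
        </Target>
        <Data>{data}</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>"""


def decode(syncml):
    """Parse a command with a standard XML parser; return (LocURI, Format, payload)."""
    item = ET.fromstring(syncml).find("s:SyncBody/s:Replace/s:Item", NS)
    return (
        item.findtext("s:Target/s:LocURI", namespaces=NS),
        item.findtext("s:Meta/s:Format", namespaces=NS),
        item.findtext("s:Data", namespaces=NS),
    )


if __name__ == "__main__":
    encoded = build_syncml("ProfileErrorAction", enabled=True)
    cdata = build_syncml("ProfileErrorAction", enabled=True, use_cdata=True)
    print(encoded)
    # Both encodings reach the XML parser as the same payload string.
    print(decode(encoded) == decode(cdata))
```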

CleanupProfiles

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS:
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/CleanupProfiles

This policy setting allows an administrator to automatically delete user profiles on system restart that haven't been used within a specified number of days.

Note

One day is interpreted as 24 hours after a specific user profile was accessed.

  • If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that haven't been used within the specified number of days.

  • If you disable or don't configure this policy setting, User Profile Service won't automatically delete any profiles on the next system restart.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name CleanupProfiles
Friendly Name Delete user profiles older than a specified number of days on system restart
Location Computer Configuration
Path System > User Profiles
Registry Key Name Software\Policies\Microsoft\Windows\System
ADMX File Name UserProfiles.admx

DontForceUnloadHive

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS:
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/DontForceUnloadHive

This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys.

Note

This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It isn't recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile.

  • If you enable this policy setting, Windows won't forcefully unload the user's registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed.

  • If you disable or don't configure this policy setting, Windows will always unload the user's registry at logoff, even if there are open handles to the per-user registry keys at user logoff.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DontForceUnloadHive
Friendly Name Do not forcefully unload the users registry at user logoff
Location Computer Configuration
Path System > User Profiles
Registry Key Name Software\Policies\Microsoft\Windows\System
Registry Value Name DisableForceUnload
ADMX File Name UserProfiles.admx

LeaveAppMgmtData

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS:
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LeaveAppMgmtData

This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion.

By default, Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they'll need to reinstall all apps published via policy at logon, increasing logon time. You can use this policy setting to change this behavior.

  • If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine.

  • If you disable or don't configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted.

Note

If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name LeaveAppMgmtData
Friendly Name Leave Windows Installer and Group Policy Software Installation Data
Location Computer Configuration
Path System > User Profiles
Registry Key Name Software\Policies\Microsoft\Windows\System
Registry Value Name LeaveAppMgmtData
ADMX File Name UserProfiles.admx

LimitSize

Scope: ❌ Device, ✅ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS:
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LimitSize

This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles.

  • If you disable this policy setting or don't configure it, the system doesn't limit the size of user profiles.

  • If you enable this policy setting, you can:

      • Set a maximum permitted user profile size.

      • Determine whether the registry files are included in the calculation of the profile size.

      • Determine whether users are notified when the profile exceeds the permitted maximum size.

      • Specify a customized message notifying users of the oversized profile.

      • Determine how often the customized message is displayed.

Note

In operating systems earlier than Microsoft Windows Vista, Windows won't allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows won't block users from logging off. Instead, if the user has a roaming user profile, Windows won't synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name LimitSize
Friendly Name Limit profile size
Location User Configuration
Path System > User Profiles
Registry Key Name Software\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value Name EnableProfileQuota
ADMX File Name UserProfiles.admx

ProfileErrorAction

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS:
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/ProfileErrorAction

This policy setting will automatically log off a user when Windows can't load their profile.

If Windows can't access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile.

  • If you enable this policy setting, Windows won't log on a user with a temporary profile. Windows logs the user off if their profile can't be loaded.

  • If you disable this policy setting or don't configure it, Windows logs on the user with a temporary profile when Windows can't load their user profile.

Also, see the "Delete cached copies of roaming profiles" policy setting.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ProfileErrorAction
Friendly Name Do not log users on with temporary profiles
Location Computer Configuration
Path System > User Profiles
Registry Key Name Software\Policies\Microsoft\Windows\System
Registry Value Name ProfileErrorAction
ADMX File Name UserProfiles.admx

SlowLinkTimeOut

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS:
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/SlowLinkTimeOut

This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed.

To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network's latency and connection speed are determined.

This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load.

  • If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow.

  • If you disable or don't configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or takes 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.

Important

If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name SlowLinkTimeOut
Friendly Name Control slow network connection timeout for user profiles
Location Computer Configuration
Path System > User Profiles
Registry Key Name Software\Policies\Microsoft\Windows\System
ADMX File Name UserProfiles.admx

USER_HOME

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS:
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/USER_HOME

This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session.

  • If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name.

To use this policy setting, in the Location list, choose the location for the home folder. If you choose "On the network," enter the path to a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose "On the local computer," enter a local path (for example, C:\HomeFolder) in the Path box.

Don't specify environment variables or ellipses in the path. Also, don't specify a placeholder for the user name because the user name will be appended at logon.

Note

The Drive letter box is ignored if you choose "On the local computer" from the Location list. If you choose "On the local computer" and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter.

  • If you disable or don't configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account.

If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the "Set user home folder" policy setting has no effect.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name USER_HOME
Friendly Name Set user home folder
Location Computer Configuration
Path System > User Profiles
Registry Key Name Software\Policies\Microsoft\Windows\System
ADMX File Name UserProfiles.admx

UserInfoAccessAction

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS:
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/UserInfoAccessAction

This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information.

  • If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options:

"Always on" - users won't be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition, apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS.

"Always off" - users won't be able to change this setting and the user's name and account picture won't be shared with apps (not desktop apps). In addition, apps (not desktop apps) that have the enterprise authentication capability won't be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources.

  • If you don't configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name UserInfoAccessAction
Friendly Name User management of sharing user name, account picture, and domain information with apps (not desktop apps)
Location Computer Configuration
Path System > User Profiles
Registry Key Name Software\Policies\Microsoft\Windows\System
Registry Value Name AllowUserInfoAccess
ADMX File Name UserProfiles.admx
