Policy CSP - ADMX_UserProfiles
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>
. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
CleanupProfiles
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/CleanupProfiles
This policy setting allows an administrator to automatically delete user profiles on system restart that haven't been used within a specified number of days.
Note
One day is interpreted as 24 hours after a specific user profile was accessed.
If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that haven't been used within the specified number of days.
If you disable or don't configure this policy setting, User Profile Service won't automatically delete any profiles on the next system restart.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | CleanupProfiles |
Friendly Name | Delete user profiles older than a specified number of days on system restart |
Location | Computer Configuration |
Path | System > User Profiles |
Registry Key Name | Software\Policies\Microsoft\Windows\System |
ADMX File Name | UserProfiles.admx |
DontForceUnloadHive
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/DontForceUnloadHive
This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys.
Note
This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It isn't recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile.
If you enable this policy setting, Windows won't forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed.
If you disable or don't configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | DontForceUnloadHive |
Friendly Name | Do not forcefully unload the users registry at user logoff |
Location | Computer Configuration |
Path | System > User Profiles |
Registry Key Name | Software\Policies\Microsoft\Windows\System |
Registry Value Name | DisableForceUnload |
ADMX File Name | UserProfiles.admx |
LeaveAppMgmtData
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LeaveAppMgmtData
This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion.
By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they'll need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine.
If you disable or don't configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted.
Note
If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | LeaveAppMgmtData |
Friendly Name | Leave Windows Installer and Group Policy Software Installation Data |
Location | Computer Configuration |
Path | System > User Profiles |
Registry Key Name | Software\Policies\Microsoft\Windows\System |
Registry Value Name | LeaveAppMgmtData |
ADMX File Name | UserProfiles.admx |
LimitSize
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LimitSize
This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles.
If you disable this policy setting or don't configure it, the system doesn't limit the size of user profiles.
If you enable this policy setting, you can:
Set a maximum permitted user profile size.
Determine whether the registry files are included in the calculation of the profile size.
Determine whether users are notified when the profile exceeds the permitted maximum size.
Specify a customized message notifying users of the oversized profile.
Determine how often the customized message is displayed.
Note
In operating systems earlier than Microsoft Windows Vista, Windows won't allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows won't block users from logging off. Instead, if the user has a roaming user profile, Windows won't synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | LimitSize |
Friendly Name | Limit profile size |
Location | User Configuration |
Path | System > User Profiles |
Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
Registry Value Name | EnableProfileQuota |
ADMX File Name | UserProfiles.admx |
ProfileErrorAction
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/ProfileErrorAction
This policy setting will automatically log off a user when Windows can't load their profile.
If Windows can't access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from loggin on the user with a temporary profile.
If you enable this policy setting, Windows won't log on a user with a temporary profile. Windows logs the user off if their profile can't be loaded.
If you disable this policy setting or don't configure it, Windows logs on the user with a temporary profile when Windows can't load their user profile.
Also, see the "Delete cached copies of roaming profiles" policy setting.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | ProfileErrorAction |
Friendly Name | Do not log users on with temporary profiles |
Location | Computer Configuration |
Path | System > User Profiles |
Registry Key Name | Software\Policies\Microsoft\Windows\System |
Registry Value Name | ProfileErrorAction |
ADMX File Name | UserProfiles.admx |
SlowLinkTimeOut
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/SlowLinkTimeOut
This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed.
To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transfered. From that connection and data transfer, the network's latency and connection speed are determined.
This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load.
If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow.
If you disable or don't configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.
Important
If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | SlowLinkTimeOut |
Friendly Name | Control slow network connection timeout for user profiles |
Location | Computer Configuration |
Path | System > User Profiles |
Registry Key Name | Software\Policies\Microsoft\Windows\System |
ADMX File Name | UserProfiles.admx |
USER_HOME
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/USER_HOME
This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session.
- If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name.
To use this policy setting, in the Location list, choose the location for the home folder. If you choose "On the network," enter the path to a file share in the Path box (for example, \ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose "On the local computer," enter a local path (for example, C:\HomeFolder) in the Path box.
Don't specify environment variables or ellipses in the path. Also, don't specify a placeholder for the user name because the user name will be appended at logon.
Note
The Drive letter box is ignored if you choose "On the local computer" from the Location list. If you choose "On the local computer" and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter.
- If you disable or don't configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account.
If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the "Set user home folder" policy setting has no effect.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | USER_HOME |
Friendly Name | Set user home folder |
Location | Computer Configuration |
Path | System > User Profiles |
Registry Key Name | Software\Policies\Microsoft\Windows\System |
ADMX File Name | UserProfiles.admx |
UserInfoAccessAction
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/UserInfoAccessAction
This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information.
- If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options:
"Always on" - users won't be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS.
"Always off" - users won't be able to change this setting and the user's name and account picture won't be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability won't be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources.
- If you don't configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | UserInfoAccessAction |
Friendly Name | User management of sharing user name, account picture, and domain information with apps (not desktop apps) |
Location | Computer Configuration |
Path | System > User Profiles |
Registry Key Name | Software\Policies\Microsoft\Windows\System |
Registry Value Name | AllowUserInfoAccess |
ADMX File Name | UserProfiles.admx |