Windows 10: Issue locking down Windows 10 Pro via Mandatory Network Profile & GPO

I've been trying to lock down some network Windows 10 Pro machines via Mandatory Network Profile & GPO. When I apply StartMenu and Taskbar restrictions, force the gpupdate/restart and log in to the machines I'm getting a Critical Error on the Start button. I disable the policy, force the gpupdate/restart and log in the error is gone. Can't seem to narrow down which GPO or combination of GPOs is breaking it. Any suggestions?

:)

 

Mandatory Profile with Window 10 Pro

Has anyone successfully got mandatory profiles working with Windows 10 (currently running Win10 Pro 1511). My Start Menu and Search option does not work with Mandatory profile.

Please help me on this issue. It's really an urgent.

 

Mandatory Profile (.v5)


Hi
Has anyone successfully got mandatory profiles working with Windows 10 (currently running Win10 Enterprise 1511).

Essentially, I have it 99% of the way there, but whilst the start bar is clickable (which it previously wasn't), it now shows a blank start menu - ignoring either the Mandatory Profile Start Menu, or the XML Start Menu imported via Group Policy.

My steps are based on having a dedicated "mandatory" local account to do all user customisations before copying it up to the netlogon share rather than using the default profile - which works fine but has none of our app customizations built in - unless I start look at importing reg keys etc;

So here are my steps;

Login to the gold image machine as .\mandatory
1. Open Regedit
2. Right Click on HKCU and give the following full permissions – logging in as a domain admin first
a. Everyone
b. All Application Pools
c. Authenticated Users
4. Close Regedit
This is essentially instead of doing it via loading the hive - which seems to really help the start menu (I think)

5. Reboot the machine
6. Login as domain administrator – run Windows Enabler
7. Copy the profile to \\%domaincontroller%\netlogon\profiles\.v5 with everyone as permissions
8. Change a user to use that as their profile
9. Reboot the computer (giving AD enough time to replicate)
10. Login as that user
11. Start Menu is clickable and edge works on the task bar

However!.

It does not pull in the start menu xml that we have configured, nor the start menu contained within the mandatory profile, but the start menu is fully clickable!

I think other ways I have read on mandatory profiles about loading the hive from another machine didn't work because the DeviceAccess registry key seems to be permanantley locked even if I give everyone full permission - if I do it locally and then export the full mandatory profile it works.

In anticipation

John Paul

 

Windows 10 GPO Printer Add issues

A total shot in the dark since this is a very specific issue to our environment, but here it goes...

A little background on this issue, my school district is moving to windows 10. We partially deployed Windows 10 LTSB to some of the labs in the district. We are seeing sporadic issues with our Group Policies deploying printers. We have below 50% success rate with printers actually installing on the Windows 10 client machines.

Thinking it was an issue with LTSB, we downloaded and installed Windows 10 Education version 1709 on a test VM and joined it to the domain. I then applied GPO’s from 4 different servers. 3 Physical Server 2012 R2 servers and the original problem Server 2012 R2 VM Server.

What I found was the same inconsistency after rebooting the Win 10 Edu Test VM. I am getting the same Event 513. See below:





I am 100% sure the naming is right because I can manually add the same printer using the \\SERVER\FerLib path. All printers that fail to add have the Event 513. I am also going to post this on other forums.

We are only seeing this on student accounts which are domain guest accounts, meaning their profiles are non-permanent. We do not have the option to turn them into regular users per district policy. If you need more info that I omitted please let me know. We are getting desperate.

Thanks!