To optimize login speed on shared, domain-joined Windows devices with AppData-heavy applications, while ensuring minimal impact on user experience in an on-premises environment managed via Group Policy and MDT, here are tailored recommendations addressing your questions. These solutions aim to reduce profile copying overhead, leverage shared configurations, and align with Microsoft’s best practices for shared computer environments.
1. Configuring %AppData% to Avoid Per-User Copying
Objective: Prevent %AppData% from being copied from C:\Users\Default for each new user login and point it to a shared location.
Recommended Approach: Use Folder Redirection or symbolic links (junctions) to redirect %AppData% (or specific subfolders) to a shared, centralized location. This avoids duplicating large AppData content for each user profile, reducing login times.
- Folder Redirection via Group Policy:
- Configure Group Policy to redirect the AppData (Roaming) folder to a network share (e.g., \\Server\Share\AppData\%username%).
- Path: User Configuration > Policies > Administrative Templates > System > Folder Redirection.
- Benefits:
- Reduces local profile size, as AppData is stored on a network share.
- Only user-specific data is copied during login, not the entire AppData structure.
- Works well in domain-joined environments and is fully supported by Microsoft.
- Considerations:
- Requires a reliable, low-latency network to avoid delays when accessing redirected folders.
- Ensure the network share has appropriate permissions (e.g., user-specific subfolders).
- Test with a small group to measure login performance, as network latency can impact access to redirected AppData.
- Steps:
- Open Group Policy Management Console (GPMC).
- Create or edit a GPO linked to the OU containing your shared PCs.
- Navigate to User Configuration > Policies > Windows Settings > Folder Redirection > AppData/Roaming.
- Set to “Redirect to the following location” and specify the network path.
- Apply security filtering to target student and teacher accounts.
- Symbolic Links (Junctions):
- Create a junction to redirect %AppData% (or specific application subfolders) to a shared local or network location (e.g., C:\AppData\Shared or \\Server\SharedAppData).
- Example:
- Move application data to C:\AppData\Shared\<AppName>.
- Create a junction: mklink /J "C:\Users\%username%\AppData\Roaming\<AppName>" "C:\AppData\Shared\<AppName>".
- Use Group Policy or a script to apply junctions during image deployment or login.
- Benefits:
- Avoids copying large AppData content for each user.
- Works locally, reducing network dependency compared to Folder Redirection.
- Compatible with your current workaround of relocating AppData to C:\AppData.
- Considerations:
- Junctions are supported but require careful management to avoid breaking application functionality.
- Ensure applications are compatible with shared data locations, as some may expect exclusive access to AppData.
- Test thoroughly, as misconfigured junctions can cause application errors.
- Use with Unified Write Filter (UWF) carefully, as UWF may reset junctions unless they are configured in the protected image.
- Why Not Avoid Copying Entirely?
- Windows requires a user profile to be created during first login, which includes copying default profile data from C:\Users\Default. Completely bypassing this is not supported, but redirecting AppData minimizes the data copied.
- Your current workaround of moving AppData to C:\AppData and updating registry keys is a form of customization that works but is not Microsoft’s recommended approach due to potential application compatibility issues and maintenance complexity.
2. Does Shared PC Mode Help in This Scenario?
Overview: Shared PC mode is a Windows feature designed to optimize devices for shared use (e.g., schools, libraries) by enabling maintenance-free configurations, automatic profile deletion, and simplified account management. It can be configured via Group Policy or MDT provisioning packages.
Relevance to Your Scenario:
- Benefits:
- Automatic Profile Deletion: Shared PC mode can delete user profiles at sign-out or based on inactivity/disk space thresholds, reducing disk usage and preventing profile bloat. This is particularly useful for your environment with 3,000 shared PCs and transient student logins.
- Guest Account Support: Allows guest logins without persistent profiles, which could reduce AppData copying for temporary users.
- Maintenance Periods: Optimizes system maintenance (e.g., updates) during idle times, ensuring devices remain performant.
- OneDrive Sync Option: The EnableSharedPCModeWithOneDriveSync policy allows selective OneDrive synchronization, which could offload some AppData storage to the cloud if applicable.
- Limitations:
- Shared PC mode does not directly prevent %AppData% from being copied during profile creation. You would still need Folder Redirection or junctions to manage AppData-heavy applications.
- It’s primarily designed for lightweight, non-persistent profiles and may not fully address the needs of applications with large, complex AppData structures.
- Some applications may not function correctly if profiles are deleted too aggressively, especially if they rely on cached AppData between sessions.
- Recommendation:
- Enable Shared PC Mode to complement your strategy, particularly for profile cleanup and guest account support.
- Use the EnableSharedPCMode policy (or EnableSharedPCModeWithOneDriveSync if OneDrive is used) via Group Policy:
- Path: Computer Configuration > Administrative Templates > System > Shared PC.
- Settings: Enable account deletion at sign-out or based on inactivity (e.g., 7 days) to manage disk space.
- Combine with Folder Redirection or junctions to handle AppData specifically.
- Test Shared PC mode in a pilot group, as it may require tweaking to align with your application requirements and UWF usage.
3. Microsoft’s Recommended Solution for AppData-Heavy Applications in Shared Environments
Microsoft’s guidance for shared computer environments with AppData-heavy applications focuses on minimizing local profile size, optimizing Group Policy processing, and ensuring application compatibility. Key recommendations include:
- Profile Management:
- Use Roaming Profiles Sparingly: Traditional roaming profiles are not recommended for AppData-heavy applications due to slow login times caused by synchronous profile loading. Instead, use Folder Redirection for specific folders (e.g., AppData) to offload data to a network share.
- Local Profiles with Cleanup: Configure Shared PC mode or Group Policy to delete local profiles after a set period (e.g., Computer Configuration > Administrative Templates > System > User Profiles > Delete User Profiles Older Than X Days). This aligns with your use of UWF to reset changes.
- FSLogix Profile Containers (if feasible): While FSLogix is typically used in virtual desktop environments, it can be adapted for physical shared PCs. FSLogix stores user profiles in VHD/VHDX containers on a network share, reducing local profile overhead and improving login times. However, this requires additional infrastructure (file server) and licensing, which may not align with your on-premises, non-Intune setup.
- Application Optimization:
- Relocate AppData Storage: Work with application vendors to configure applications to store data outside %AppData% (e.g., C:\ProgramData or a network share) whenever possible. This reduces per-user profile size.
- Exclude Unnecessary AppData Subfolders: Use Group Policy to exclude specific AppData subfolders from roaming profiles (e.g., User Configuration > Administrative Templates > System > User Profiles > Exclude directories in roaming profile). This minimizes data copied during login.
- Pre-Stage Application Data: Pre-install application data in a shared location (e.g., C:\AppData\Shared) and use junctions or registry tweaks to point applications to this location. This aligns with your current workaround but should be formalized with scripting or Group Policy.
- Group Policy Optimization:
- Disable Fast Logon Optimization (if needed): Fast Logon Optimization (enabled by default) allows asynchronous Group Policy application, which can speed up logins but may delay settings like Folder Redirection. If login times remain slow, disable it via Computer Configuration > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon. Be aware this may increase login times slightly but ensures policies apply reliably.
- Optimize GPO Processing: Minimize the number of GPOs applied to shared PCs. Use Replace mode for loopback processing to reduce processing overhead. Audit GPOs with Resultant Set of Policy (RSoP) to identify bottlenecks.
- Tune Slow Link Detection: Adjust slow link detection thresholds to ensure Group Policies apply correctly over your network. Set Computer Configuration > Administrative Templates > System > Group Policy > Configure Group Policy slow link detection to a higher threshold (e.g., 10 Mbps) or disable it if network performance is reliable.
- Network and Storage:
- Shared PC Mode: As noted, Shared PC mode is Microsoft’s recommended feature for shared devices in educational or multi-user environments. It optimizes profile management and system maintenance but requires integration with Folder Redirection or junctions for AppData-heavy applications.
4. Symbolic Links (Junctions) as a Workaround
Current Use: You’re exploring junctions to redirect AppData to a shared location, which is a viable approach.
Microsoft’s Stance:
- Junctions are fully supported in NTFS and can redirect AppData subfolders to a shared location (local or network).
- Microsoft recommends using junctions cautiously, as applications may behave unpredictably if they expect exclusive access to AppData or if junction targets are unavailable (e.g., network share offline).
Best Practices for Junctions:
- Scope Junctions to Specific Applications: Instead of redirecting the entire %AppData% folder, target specific application subfolders (e.g., AppData\Roaming\<AppName>). This reduces complexity and minimizes compatibility issues.
- Automate Creation: Use a PowerShell script or Group Policy startup script to create junctions during system boot or image deployment. Example:
    # Junction location inside the user's profile (PowerShell does not expand %username%)
    $source = "C:\Users\$env:USERNAME\AppData\Roaming\<AppName>"
    # Shared folder the junction points to
    $target = "C:\AppData\Shared\<AppName>"
    New-Item -ItemType Junction -Path $source -Target $target
- Integrate with UWF: Ensure junctions are part of the protected image or recreated after UWF resets. Exclude the shared AppData location (C:\AppData\Shared) from UWF protection to persist application data.
- Test Application Compatibility: Some applications may require registry changes or configuration files to recognize redirected AppData. Validate with each application vendor.
- Monitor Performance: Junctions to local paths (e.g., C:\AppData\Shared) are faster than network paths but may still incur I/O overhead if many users access the same location simultaneously.
Comparison to Folder Redirection:
- Junctions are more flexible for local storage and don’t require network shares, making them suitable for your UWF-based setup.
- Folder Redirection is Microsoft’s preferred method for network-based AppData management due to its native integration with Group Policy and better application compatibility.
5. Integrated Solution for Your Environment
Based on your setup (3,000 domain-joined PCs, on-premises, Group Policy/MDT, UWF, AppData-heavy apps), here’s a comprehensive strategy:
- Enable Shared PC Mode:
- Use Group Policy to enable EnableSharedPCMode with account deletion at sign-out or after 7 days of inactivity.
- Configure via Computer Configuration > Administrative Templates > System > Shared PC.
- Benefits: Cleans up profiles, supports guest accounts, and aligns with UWF resets.
- Implement Folder Redirection for AppData:
- Redirect AppData\Roaming to a network share (e.g., \\Server\AppData\%username%) for applications that support it.
- Use Group Policy to apply redirection selectively to student and teacher OUs.
- Fallback to junctions for applications that require local storage.
- Use Junctions for Local AppData:
- For applications incompatible with network redirection, create junctions to C:\AppData\Shared\<AppName>.
- Script junction creation in your MDT task sequence or via Group Policy startup scripts.
- Exclude C:\AppData\Shared from UWF to persist shared data.
- Optimize Group Policy:
- Audit GPOs with RSoP to eliminate redundant or slow policies.
- Use Replace mode for loopback processing.
- Disable Fast Logon Optimization if login delays persist.
- Adjust slow link detection to match your network performance.
- Refine UWF Configuration:
- Ensure UWF excludes critical paths (e.g., C:\AppData\Shared, junction targets) to avoid resetting shared application data.
- Test UWF with Shared PC mode to confirm profile deletion and system resets work harmoniously.
- Application Tuning:
- Collaborate with application vendors to relocate data to C:\ProgramData or a shared location where possible.
- Exclude unnecessary AppData subfolders from profile copying via Group Policy.
- Pilot and Monitor:
- Deploy to a small group of PCs (e.g., one lab) to measure login times and application performance.
- Use tools like Windows Performance Analyzer or Event Viewer (Group Policy Operational Logs) to identify bottlenecks.
- Adjust based on feedback from students and teachers.
6. Addressing Your Current Workaround
Your approach of moving AppData to C:\AppData, updating registry keys, and using UWF is functional but has risks:
- Registry Complexity: Manually updating registry keys for AppData paths is error-prone and may break applications during updates.
- Application Compatibility: Some applications may not support non-standard AppData locations without vendor approval.
- UWF Overhead: Resetting all changes may conflict with applications requiring persistent cached data.
Improvements:
- Replace manual registry edits with junctions or Folder Redirection for better maintainability.
- Document all applications and their AppData requirements to ensure compatibility with shared locations.
- Use Shared PC mode to automate profile cleanup, reducing reliance on UWF for profile management.
7. Why This Approach Works
- Scalability: Folder Redirection and Shared PC mode are designed for large-scale environments like yours (3,000+ PCs).
- Microsoft Support: These solutions align with Microsoft’s recommendations for shared devices and domain-joined environments.
- Flexibility: Junctions provide a fallback for applications that don’t support network redirection, preserving your UWF-based reset strategy.
- Performance: Reducing profile size and optimizing GPO processing directly addresses login delays caused by AppData copying.
8. Additional Notes
- Avoid Roaming Profiles: Given your AppData size (>20GB), roaming profiles would significantly slow logins due to synchronous loading.
- Consider OneDrive (Optional): If your organization uses OneDrive, explore EnableSharedPCModeWithOneDriveSync to offload some AppData to the cloud. However, this requires internet connectivity and may not suit all applications.
- Network Considerations: If using Folder Redirection or network-based junctions, ensure your network infrastructure (e.g., domain controllers, file servers) is optimized for low latency.
- Documentation: Maintain detailed documentation of all GPOs, junctions, and UWF exclusions to simplify troubleshooting and future updates.
9. Next Steps
- Pilot Test:
- Select 10-20 PCs in a lab environment.
- Apply Shared PC mode, Folder Redirection for AppData, and junctions for specific applications.
- Measure login times using Event Viewer or performance monitoring tools.
- Engage Vendors:
- Contact application vendors to confirm compatibility with redirected AppData or shared storage locations.
- Request guidance on minimizing AppData usage.
- Refine MDT Image:
- Update your Windows image to include pre-configured junctions and Shared PC settings.
- Test the image with UWF enabled to ensure resets don’t disrupt application functionality.
- Monitor and Scale:
- Use Group Policy Operational Logs and user feedback to fine-tune settings.
- Roll out to additional PCs once the pilot is successful.
By combining Shared PC mode, Folder Redirection, junctions, and Group Policy optimizations, you can significantly reduce login times while maintaining a robust, scalable solution for your shared PC environment. If you need specific scripts or GPO configurations, let me know, and I can provide examples tailored to your setup.
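An added example (not part of the original answer) of the automated junction creation described in section 4, written as a per-user logon script. The function name New-AppDataJunction, the ExampleApp names and the status strings are hypothetical. It covers local targets only, since NTFS junctions cannot resolve to a UNC path, and it refuses to replace an existing real folder.

```powershell
# Added example: idempotent per-application junction creation for a logon script.
# $SharedRoot default follows the page's C:\AppData\Shared; app names are constructed.
function New-AppDataJunction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AppName,
        [string]$SharedRoot  = 'C:\AppData\Shared',
        [string]$RoamingRoot = $env:APPDATA   # signed-in user's AppData\Roaming
    )
    $link   = Join-Path $RoamingRoot $AppName
    $target = Join-Path $SharedRoot  $AppName

    # NTFS junctions resolve only to local volumes; refuse UNC targets up front.
    if ($target -like '\\*') {
        return "SKIP  ${AppName}: junction target must be a local path"
    }
    # A missing target would leave a dangling junction and a broken application.
    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        return "SKIP  ${AppName}: target $target does not exist"
    }
    $existing = Get-Item -LiteralPath $link -Force -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.LinkType -eq 'Junction') {
            # .Target is a collection in Windows PowerShell 5.1, a string in PowerShell 7.
            $current = "$(@($existing.Target)[0])"
            if ($current.TrimEnd('\') -ieq $target.TrimEnd('\')) {
                return "OK    ${AppName}: junction already in place"
            }
            return "WARN  ${AppName}: junction points to $current, expected $target"
        }
        # A real folder here holds per-user data; never delete or overwrite it silently.
        return "WARN  ${AppName}: $link is a real folder, left untouched"
    }
    if ($PSCmdlet.ShouldProcess($link, "Create junction to $target")) {
        New-Item -ItemType Junction -Path $link -Target $target -ErrorAction Stop | Out-Null
        return "MADE  ${AppName}: $link -> $target"
    }
}

# Constructed application list; replace with the folders your applications use.
'ExampleAppA', 'ExampleAppB' | ForEach-Object { New-AppDataJunction -AppName $_ }
```

Run it with -WhatIf during the pilot to see which junctions would be created; the WARN lines identify profiles where a junction points somewhere unexpected or where per-user data already exists.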