How to create a mandatory user profile for Windows 10

After consulting Microsoft’s documentation and multiple top Google results, this is my approach.

1. Prerequisites

  1. Clean Windows 10 installation [1]
  2. Install latest Windows Updates
  3. Install Google Chrome for all users [3]
  4. Disable BitLocker to be able to run sysprep:
     manage-bde -off %SYSTEMDRIVE%

2. Remove default Windows 10 apps

Uninstalling these apps will decrease sign-in time. If your deployment needs any of these apps, you can leave them installed. [1]

# Remove default apps.
# Copyright (C) 2017 Profects B.V.
# Author: Bart van Kleef <[email protected]>
# Usage: PS C:\> Remove-Default-Apps.ps1

# List of apps we want to keep installed.
# Get list of apps by `Get-AppxPackage -AllUsers | Select-Object -ExpandProperty Name -Unique`.
$desiredApps = @(
    # Package names to keep go here, one quoted string per line, comma-separated.
    # With an empty list, every removable app is removed.
)

# Register app if it's listed in desiredApps.
ForEach ($app in $desiredApps) {
    $localPackagePaths = Get-ChildItem -Path "$env:PROGRAMFILES\WindowsApps" -Filter "$app*" -Directory -Recurse | Select-Object -ExpandProperty FullName
    ForEach ($packagePath in $localPackagePaths) {
        # Get all manifests for this package.
        $manifestPaths = Get-ChildItem -Path "$packagePath" -Filter "AppxManifest.xml" -File -Recurse | Select-Object -ExpandProperty FullName
        ForEach ($manifestPath in $manifestPaths) {
            Write-Host "Registering $manifestPath for current user."
            Try {
                Add-AppxPackage -Register "$manifestPath" -DisableDevelopmentMode -ErrorAction Stop
            } Catch {
                If ($_.Exception.Message -Match "0x80073D06") {
                    Write-Host "Unable to register $manifestPath for current user. Newer version is already installed."
                } Else {
                    # Print the actual error text, not the literal ".Exception.Message".
                    Write-Host $_.Exception.Message
                }
            }
        }
    }
}

# List of apps which are currently installed.
$installedApps = Get-AppxPackage -AllUsers | Where IsFramework -EQ $False | Select-Object -ExpandProperty Name -Unique

ForEach ($app in $installedApps) {
    # Remove all apps except the ones listed in $desiredApps.
    If ($desiredApps -NotContains $app) {
        # Get app packages from all user accounts.
        $userPackages = Get-AppxPackage -AllUsers -Name $app | Select-Object -ExpandProperty PackageFullName
        ForEach ($package in $userPackages) {
            Write-Host "Removing $package for current user."
            Try {
                Remove-AppxPackage -Package $package -ErrorAction Stop
            } Catch {
                If ($_.Exception.Message -Match "0x80070032") {
                    Write-Host "Unable to remove $package for current user. This app is a part of Windows."
                } ElseIf ($_.Exception.Message -Match "0x80073CF1") {
                    Write-Host "Is not installed for current user."
                } Else {
                    Write-Host $_.Exception.Message
                }
            }
        }

        # Get app packages from a current Windows image.
        $imagePackages = Get-AppxProvisionedPackage -Online | Where DisplayName -EQ $app | Select-Object -ExpandProperty PackageName
        ForEach ($package in $imagePackages) {
            Write-Host "Removing $package for all new users."
            Remove-AppxProvisionedPackage -Online -PackageName $package | Out-Null
        }
    }
}

$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content"
$registryKey = "DisableWindowsConsumerFeatures"
$registryValue = "1"

# Prevent "Suggested Applications" from showing up.
If (-Not (Test-Path $registryPath)) {
    Write-Host "Creating $registryPath."
    New-Item -Path $registryPath -ItemType RegistryKey -Force | Out-Null
}
Write-Host "Setting $registryPath\$registryKey to $registryValue."
Set-ItemProperty -Path $registryPath -Name $registryKey -Value $registryValue -Type DWord -Force

3. Configure the computer settings

3.1 Sound [5]

  1. Click the Start button in the lower left, type sound and select Sound from the results to open the Sound settings
  2. In the Sound dialog, open Sounds and choose Notification in the program events.
  3. Set Sound Scheme to No Sounds

3.2 File Explorer

Open File Explorer.

3.2.1 Folder Options

Click on the View tab to expand the window ribbon. Click on the Options applet at the very end of the ribbon to open up Folder Options.

  1. Set Open File Explorer to to This PC [2]
  2. Uncheck Hide extensions for known file types [2]

3.2.2 Autoplay

  1. Open AutoPlay by clicking the Start button, and then clicking Control Panel. In the search box, type autoplay, and then click AutoPlay.
  2. In the list next to the device or type of media, click the new action you want to use.

3.3 Default apps

  1. Click on the Start Menu. It’s the Windows logo in the bottom left of your screen.
  2. Click on Settings.
  3. Click on System.
  4. Click on Default apps.
    • Email: Outlook 2016
    • Maps: Maps
    • Music Player: VLC media player
    • Photo viewer: Photo Gallery
    • Video player: VLC media player
    • Web browser: Google Chrome [3]

3.4 Start Menu

  1. Turn off Occasionally show suggestions in Start

4. Run sysprep

%WINDIR%\System32\Sysprep\Sysprep.exe /oobe /generalize /reboot /Unattend:D:\Unattend.xml

5. Permissions

5.1 NTFS

  • Read & execute: Calvijn College\Domain Users [9]

5.2 Registry

  • Read: Calvijn College\Domain Users [9]
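
One way to check the NTFS permission from 5.1 once the profile is in place, as an added example that is not part of the original post: it lists every allow ACE that gives a principal outside an allow-list write-type rights on the profile folder, so Domain Users holding more than Read & execute shows up. The share path, the allow-list and the account names (as shown on English-language Windows) are assumptions.

```powershell
# Added example, not from the original post: audit NTFS ACLs on the mandatory profile.
# The share path and the allow-list below are assumptions; adjust them to your environment.
param(
    [string]$ProfilePath = '\\fileserver\profiles$\Mandatory.V6',   # hypothetical share
    [string[]]$AllowedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

# Specific rights that allow changing the profile's content, permissions or owner.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights are stored raw in some ACEs: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$genericMask = 0x40000000 -bor 0x10000000

function Get-UnexpectedWriteAce {
    param([string]$Path, [string[]]$Allowed, [switch]$ExplicitOnly)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ExplicitOnly -and $ace.IsInherited) { continue }
        if ($Allowed -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band ($writeMask -bor $genericMask)) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check every ACE on the root, then only explicit (non-inherited) ACEs below it,
# so one inherited grant is reported once instead of once per file.
$findings = @(Get-UnexpectedWriteAce -Path $ProfilePath -Allowed $AllowedWriters)
Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += @(Get-UnexpectedWriteAce -Path $_.FullName -Allowed $AllowedWriters -ExplicitOnly)
    }

if ($findings.Count -eq 0) {
    Write-Host "No unexpected write access on $ProfilePath."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A CREATOR OWNER entry is reported too unless it is added to the allow-list, which is a useful prompt to decide whether it should be there at all.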

6. Afterwards

Delete Mandatory.V6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.

  1. Administrative Tools
  2. System Tools
    • Command Prompt
    • Control Panel
    • Run
  3. Windows PowerShell
  4. OneDrive