Windows 365 Frontline Shared provides profile persistence through User Experience Sync. This is a fully managed profile solution and is not based on FSLogix. In this article, the focus is on a temporary profile issue you might encounter when you enable User Experience Sync in your provisioning policy.
If you are not yet familiar with User Experience Sync and how it works, I have covered the basics in a previous blog post.
The “Temporary User Experience” Error
You are getting started with Windows 365 Frontline Shared and, after creating your first provisioning policy, you suddenly run into the following error when trying to connect to your pool of Cloud PCs.
Alongside this error, you are also presented with a “We can’t sign in to your account” message. The first error is related to User Experience Sync, while the second indicates that Windows is unable to map the user profile folder to the account. If you are familiar with other VDI solutions, you have likely seen this behavior before. If not, you are very lucky. 🙂
This means that no profile preferences can be saved to the profile folder located under “C:\Users”. The user can still sign in and perform their regular work, but anything normally stored in the profile folder, or by extension in “%AppData%”, will not be available. Any changes made during the session will be lost once the user signs out.
The Troubleshooting Process
Looking at the error message it boils down to one issue:
| Your user storage was not attached and you are using a temporary profile. None of your previous settings are available and changes made to your applications or settings during this session will not be saved. |
It indicates that the profile is not attached. However, when you open Disk Management using LAPS or a configured local admin account, you can see that the profile disk is in fact attached successfully. However, there is no volume label associated with it.
When you check Intune and look at the User Storage tab in the Windows 365 provisioning policy, you can see that Intune also confirms that the user storage is attached.
Looking for Clues in Event Viewer
The next step is to start looking for clues in the event viewer. When opening the Administrative Events view, we can easily find some related logs to the user storage in the Task Category “cldprof” and “User Profile Service“.
The first log I find is the one associated to the missing volume label. We noticed earlier that it was missing, the next error The second error (PrepareDiskAsync:[IOException] Media write is protected) is about missing write access to the profile.
And the last two errors are both related to the mapping of a temporary profile: “Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time the user logs in.” and “Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.”
The Solution
This “media write is protected” error typically points to a BitLocker policy. In my case it was the “Deny write access to fixed drives not protected by BitLocker.” setting which was applied to “All Windows” devices.
Windows 365 already applies data encryption, but it does not support BitLocker as this is meant for physical disks. So it’s safe to exclude our Windows 365 Cloud PCs from any BitLocker policy.
During my tests, I set this policy to Not Configured. However, because it applies to all Windows devices, it is better to use a filter that excludes Cloud PCs from any BitLocker related policy. After this change User Experience Sync started working again, and the volume label was again applied successfully.
Leave a Reply