ProfileDisk Setup and Client Configuration — ProfileUnity

How does ProfileDisk get configured on client machines? What does LwL.ProfileUnity.Client.Startup.exe do?

ProfileDisk Setup and Client Configuration

This article explains how ProfileUnity configures ProfileDisk on client machines — covering the clientsettings.xml file generated by the Management Console, how LwL.ProfileUnity.Client.Startup.exe consumes it, and the resulting update to LwlLogonNotifier.exe.config. It also covers the full logon-time workflow, prerequisites, common deployment scenarios (non-persistent VDI, persistent desktop, secure/CAC environments), and a reference for the key clientsettings.xml fields.

For a general overview of ProfileDisk capabilities and configuration options in the Management Console, see ProfileDisk Full User Profile Delivery in the product documentation. For highly secured and CAC environments, see the dedicated CAC Authentication Best Practices guide.

📄 Contents

› How the Configuration Flow Works
› Prerequisites
› Step 1 — Configure ProfileDisk in the Management Console
› Step 2 — Deploy clientsettings.xml to the Network Share
› Step 3 — Run LwL.ProfileUnity.Client.Startup.exe
› What Gets Written to LwlLogonNotifier.exe.config
› Logon-Time Workflow
› CAC / Smart-Card Mode Setup
› Deployment Scenarios
› clientsettings.xml Field Reference
› Related Articles

How the Configuration Flow Works

ProfileDisk configuration follows a three-stage pipeline:

Management Console → clientsettings.xml. After you define a ProfileDisk group in the Console (Administration → ProfileDisk), the Console generates an encrypted clientsettings.xml file containing the broker connection, license server, FlexDisk service endpoint, disk mode, virtual disk path, size, and group-to-AD-group assignments.
clientsettings.xml → Deployment Share. You deploy this file to the NETLOGON share (or the custom path shown under Administration → ProfileUnity Tools → Deployment Path) so that machines can reach it at logon time or during image preparation.
LwL.ProfileUnity.Client.Startup.exe → LwlLogonNotifier.exe.config. The Startup executable reads clientsettings.xml, decrypts the relevant sections, and writes the ProfileDisk configuration into C:\Program Files\ProfileUnity\FlexApp\LwlLogonNotifier.exe.config. At user logon, the NP credential manager (mpnotify.exe) reads this config and launches LwlLogonNotifier.exe to mount the correct VHDX.

Why a two-file approach?
clientsettings.xml is stored on a network share and is readable by all machines. Its sensitive values (connection strings, license endpoint) are encrypted. LwlLogonNotifier.exe.config is a local machine file written during startup or image preparation, keeping the logon-time path fast and offline-tolerant.

Prerequisites

ProfileUnity Console and Client Tools must be on the same version. See the ProfileUnity Version Matrix for current build numbers.
A dedicated file share for ProfileDisk VHDX files is recommended. Grant the Domain Computers group Create / Read / Modify permissions on the share and the folder that will contain the per-user VHDX files.
Create an AD group to assign users to the ProfileDisk configuration group.
Secondary Logon service: ProfileDisk mounts the VHDX using an impersonation token by default. If the Secondary Logon service is disabled in your environment, add the registry value pdusecomputerperms = 1 (DWORD) under HKLM\Software\Liquidware Labs\ProfileUnity on the master image or via GPO before running the Startup executable. See How to enable ProfileDisk with Secondary Logon Disabled.
CAC / smart-card environments: Additional Kerberos delegation steps are required. See ProfileDisk not Mounting in Highly Secured Environments using CAC Authentication and the CAC Best Practices guide.
Server OS used as a desktop: VHD/VHDX mounting on Server editions requires the Hyper-V role or VHD-mount capability. See ProfileDisk does not mount on Server Operating Systems used as a desktop.

Step 1 — Configure ProfileDisk in the Management Console

In the Management Console, navigate to Administration → ProfileDisk.
Click Add ProfileDisk Group and configure:
- AD Group Assignment — the group whose members will receive this ProfileDisk.
- Storage Type — VHD or VHDX (VHDX recommended for Windows 8.1/Server 2012 R2 and later).
- Virtual Disk Path — UNC path with the %username% variable, e.g. \\server\ProfileDiskShare\ProfileDisk\%username%\%username%.vhdx.
- Disk Size — initial size in GB (expandable disks grow as needed up to this limit).
- Disk Format — Fixed or Expandable.
- Multi-Session — enable if users may log on to multiple machines simultaneously (e.g. RDS/Citrix).
Click Save Assignments, then Update.
Verify that Communication Type to Broker Messages is set to VHDX ProfileDisk. Click Update if you change it.

Step 2 — Deploy clientsettings.xml to the Network Share

After saving the ProfileDisk group, the Console updates its internal clientsettings.xml. You must push this file to the deployment share so that clients can read it.

In the Management Console, go to Administration → ProfileUnity Tools.
Click Download or Deploy Client Settings. Confirm that the Deployment Path shown (typically \\domain\NETLOGON\ProfileUnity or a custom share) is correct.
Check Overwrite existing files and click Deploy.
Verify that clientsettings.xml is present in the deployment share and has been updated (check the file's last-modified timestamp).

Tip — also redeploy client tools after a Console upgrade
Whenever you upgrade the Console, redeploy both the client tools zip and clientsettings.xml from the same Administration page. Client tools and the Console must be on the same build. See the Version Matrix for compatibility rules.

The deployed clientsettings.xml uses an encrypted format for connection strings. The plaintext structure contains these logical sections (see Field Reference below for details):

<?xml version="1.0" encoding="utf-8"?>
<ProfileDiskConfig xmlns:xsi="..." xmlns:xsd="..." version="3.0">
  <MqConnectionString>[encrypted]</MqConnectionString>
  <LicenseServerConnectionString>[encrypted]</LicenseServerConnectionString>
  <FlexDiskConnectionString>[encrypted]</FlexDiskConnectionString>
  <DiskMode>VHD</DiskMode>
  <ProfileDiskConfigGroups>
    <ProfileDiskConfigGroup>
      <Assignments>
        <Assignment name="domain\AD-Group" sid="S-1-5-..." />
      </Assignments>
      <MultiSession>True</MultiSession>
      <VirtualDiskCompression>False</VirtualDiskCompression>
      <VirtualDiskFormat>Expandable</VirtualDiskFormat>
      <VirtualDiskPath>\\server\share\%username%\%username%_.vhdx</VirtualDiskPath>
      <VirtualDiskSizeInGb>20</VirtualDiskSizeInGb>
    </ProfileDiskConfigGroup>
  </ProfileDiskConfigGroups>
  <LicenseMode>NamedUser</LicenseMode>
</ProfileDiskConfig>

Step 3 — Run LwL.ProfileUnity.Client.Startup.exe

LwL.ProfileUnity.Client.Startup.exe is the bootstrap executable that reads clientsettings.xml from the deployment share and updates the local client configuration. It must run in the SYSTEM context (or with local admin rights) so it can write to C:\Program Files\ProfileUnity\FlexApp\.

How it locates clientsettings.xml

By default the executable looks in the same directory from which it is launched. When launched via GPO Computer Startup Script (the recommended method), the path is the UNC share path of the script itself, e.g.:

\\domain\NETLOGON\GPO-Name\LwL.ProfileUnity.Client.Startup.exe

You can override the path to clientsettings.xml with the registry value ClientSettingsPath (REG_SZ) under HKLM\Software\Liquidware Labs\ProfileUnity.

GPO Computer Startup Script (recommended)

The most reliable delivery mechanism is a Computer Configuration → Windows Settings → Scripts → Startup GPO, targeting the machines that will use ProfileDisk. The image in this article shows an example GPO with the script configured as:

Name:       \\domain\NETLOGON\GPO-Name\LwL.ProfileUnity.Client.Startup.exe
Parameters: (none required)

Script Order
If your GPO shows "Not configured" for Script order, the script still runs; Script order only matters when multiple startup scripts are configured in the same GPO and you need a specific sequence.

What the Startup executable does

Reads clientsettings.xml from the deployment share path.
Decrypts the connection strings (MQ broker, license server, FlexDisk service).
Evaluates the ProfileDiskConfigGroups assignments to determine which groups are configured.
Writes the resolved ProfileDisk configuration into C:\Program Files\ProfileUnity\FlexApp\LwlLogonNotifier.exe.config.
Verifies that the local client tools are current; if the version on the share is newer, it updates the local installation in-place (persistent desktops only — non-persistent images should be recomposed).

What Gets Written to LwlLogonNotifier.exe.config

After a successful run of the Startup executable, the ProfileDisk section of C:\Program Files\ProfileUnity\FlexApp\LwlLogonNotifier.exe.config is populated with the decrypted endpoint addresses and the disk configuration for each assigned group. To verify the update was applied:

Open C:\Program Files\ProfileUnity\FlexApp\LwlLogonNotifier.exe.config in a text editor.
Confirm that the ProfileDiskConfig section contains the correct VirtualDiskPath for your environment.
Confirm that the connection strings are present (they remain encrypted in this file).

✓ Quick verification after image prep or GPO startup
Run the Startup executable once on the master image (or wait for the first GPO-driven machine reboot), then open LwlLogonNotifier.exe.config and search for VirtualDiskPath. If the path matches what you configured in the Console, the client is correctly configured and ready for logon.

Logon-Time Workflow

Once LwlLogonNotifier.exe.config is in place, the following sequence occurs automatically each time a member of the assigned AD group logs on interactively. All executables below reside in C:\Program Files\ProfileUnity\FlexApp\.

1 — mpnotify.exe — NP notification & group check

Reads LwlLogonNotifier.exe.config · checks AD group · builds notifier command line

lwl_cred_mgr_*.txt

↓

Member of assigned AD group?

No →

Skip

Yes

↓

2 — LwlLogonNotifier.exe — VHDX attach

Resolves %username% in VHD path · calls vhd.exe · writes registry on success

LwlLogonNotifier.log

↓

3 — vhd.exe — low-level VHDX attach

Opens VHDX read/write · attaches as \\?\PhysicalDriveN · exits RC=0

vhd.log

↓

4 — mpnotify.exe — mount point, cap import & reparse

Locates disk by volume label · creates C:\ProfileDiskMounts\<user> · imports userprofile.cap · sets reparse via Container Service (HTTP 200)

C:\Users\<user>

→ C:\ProfileDiskMounts\<user>\<user>

C:\Users\ProfileDisk\<user>

→ C:\ProfileDiskMounts\<user>\<user> (legacy)

lwl_cred_mgr_*.txt

↓

5 — lwl_profile_mgr.exe — profile setup & registry export

Sets Chrome/Edge policy paths · creates AppV target dir · exports 12 ProfileList values → userprofile.cap on VHDX

lwl_profile_mgr_*.txt

↓

Windows loads profile from VHDX via reparse point

userprofile.cap re-imported by mpnotify at next logon (step 4)

mpnotify.exe — NP notification and group membership check. (logged in lwl_cred_mgr_*.txt) Windows calls the ProfileUnity Network Provider via mpnotify.exe immediately after the user authenticates. It confirms the logon is interactive (station name Winsta0, Authentication Type: MSV1_0:Interactive or KERBEROS:Interactive) — programmatic logons detected via station name SvcCtl are silently skipped. It then:
- Reads LwlLogonNotifier.exe.config and loads all configured AD group assignments.
- Obtains the user's token, resolves the user's SID and group list (up to 14+ groups checked), and confirms the user is a member of the assigned AD group.
- Resolves the configured VHD path (%username% substitution) and constructs the LwlLogonNotifier.exe command line:
```
"LwlLogonNotifier.exe" -u <username> -s <SID> -v <VHDPath> -q <size> -c <compression> -f <format>
```
- Launches LwlLogonNotifier.exe in the user's security context and waits for it to exit.
LwlLogonNotifier.exe — VHDX attach. Resolves %username% in the virtual disk path, checks whether the VHDX exists on the share, and calls vhd.exe to attach it:
```
"vhd.exe" /p \\server\share\<username>\ProfileDisk\<username>.vhdx /attachonly /log C:\Windows\Temp\ProfileUnity
```
On success, records the resolved VHDX path and attach time (ms) in the registry at HKLM\Software\Liquidware Labs\ProfileDisk\<UserSID> (ProfileVhdPath, ProfileAttachTimeMs), then exits with code 0. The LwlLogonNotifier.log file is written to C:\Windows\Temp\ProfileUnity\.
vhd.exe — low-level VHD attach. Opens the VHDX file with read/write access and attaches it as a loopback disk (\\?\PhysicalDriveN). Logs to C:\Windows\Temp\ProfileUnity\ as vhd.log.
mpnotify.exe — disk location, cap import, mount point, and reparse. (logged in lwl_cred_mgr_*.txt) After LwlLogonNotifier.exe exits (code 0), mpnotify resumes and:
1. Locates the attached disk by volume label (e.g. <username>-pd) via \\?\PhysicalDriveN / \\?\Volume{guid}\.
2. Creates the mount point at C:\ProfileDiskMounts\<username> and grants the user full control to the volume.
3. Imports userprofile.cap from the VHDX (C:\ProfileDiskMounts\<username>\<username>\userprofile.cap), restoring all 12 ProfileList registry values including ProfileImagePath = C:\Users\<username>.
4. Sends the reparse point operations to the Container Service (local Kestrel HTTP endpoint); each returns HTTP 200 on success:
  - C:\Users\<username> → C:\ProfileDiskMounts\<username>\<username>
  - C:\Users\ProfileDisk\<username> → C:\ProfileDiskMounts\<username>\<username> (legacy path compatibility)
5. Builds the lwl_profile_mgr.exe command line and writes it to the registry as ExportCommand under HKLM\SOFTWARE\Liquidware Labs\ProfileDisk\<UserSID>:
```
"lwl_profile_mgr.exe" /profilepath C:\ProfileDiskMounts\<username>\<username>
```
Windows then follows the reparse point and loads the user profile from the VHDX, transparently treating it as C:\Users\<username>.
lwl_profile_mgr.exe — profile path setup and registry export. Called by mpnotify.exe at logon using the ExportCommand written in the previous step. It performs two roles:
- App and path fixup. Applies Chrome and Edge user data directory policy keys pointing into the mounted VHDX (C:\ProfileDiskMounts\<username>\<username>\AppData\Local\...) and creates the AppV target path on the disk.
- Registry export. Exports the current ProfileList registry key (all 12 values including ProfileImagePath) to C:\ProfileDiskMounts\<username>\<username>\userprofile.cap on the VHDX. This cap file is what mpnotify imports at the start of the next logon (step 4c above) to restore the correct profile registry state before Windows loads the profile. Finally, it restores the default profile path registry value to %SystemDrive%\Users.

Log file locations
All ProfileUnity client logs are written to C:\Windows\Temp\ProfileUnity\. Key log files:

lwl_cred_mgr_*.txt — NP credential manager log; one file per logon event. The host process is mpnotify.exe for interactive logons and lsass.exe for programmatic/service logons (both write to this same log name).
LwlLogonNotifier.log — VHDX attach/detach log (LwlLogonNotifier.exe)
vhd.log — low-level VHD attach log (vhd.exe)
lwl_profile_mgr_*.txt — profile registry export/import log (lwl_profile_mgr.exe)
msiexec_monitor*.log — Container Service application virtualization log

CAC / Smart-Card Mode Setup

In environments that require CAC (Common Access Card) or smart-card authentication, the standard ProfileDisk logon flow breaks at step 1 because mpnotify.exe cannot obtain a usable Kerberos token from the smart-card logon to impersonate the user when accessing the VHDX file share. Two resolution options are available; Option 1 (computer account) is recommended.

⚠ Required for all CAC environments — apply before first logon
Regardless of which option you choose, the SmartCardLogonNotify registry value must be present on every client machine before users log on. Without it, the Network Provider is not notified of smart-card logon events and ProfileDisk will not mount.

Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Value: SmartCardLogonNotify — DWORD — 1

Deploy via GPO Registry preference or bake into the master image. A reboot is required after the value is set.

Option 1 — Computer account for VHDX access (recommended)

This option uses the machine account (DOMAIN\ComputerName$) rather than the user's token to mount the VHDX, avoiding Kerberos delegation entirely.

Move ProfileDisk storage outside the user profile share. The VHDX path must reside in a dedicated share separate from user home directories. Update the VirtualDiskPath in the Management Console to point to the new share, then redeploy clientsettings.xml.

Before (avoid): \\server\share\%username%\ProfileDisk\%username%.vhdx
After (CAC): \\server\ProfileDiskShare\ProfileDisk\%username%\%username%.vhdx

The VHDX share must be separate from the share used for user home directories or roaming profiles — the computer account needs access to it independently of the user's credentials.
Grant Domain Computers access to the VHDX share. Give the Domain Computers group Create / Read / Modify permissions on the share and the folder that will contain the VHDX files.
Enable ProfileDisk System Mount/Unmount via GPO ADMX. In the ProfileUnity Computer GPO, navigate to:
Computer Configuration → Administrative Templates → Classic Administrative Templates → Liquidware Labs → ProfileUnity
Under both the 32-bit and 64-bit sections, set ProfileDisk System Mount Unmount to Enabled.
Set the SmartCardLogonNotify registry value as described in the callout above, then reboot.

Option 2 — AD service account for VHDX access

Note: This option requires the Secondary Logon service to be running. If Secondary Logon is disabled in your environment, use Option 1.

Create a dedicated service account in Active Directory with at least Read/Write permissions on the ProfileDisk VHDX share. Consider a share that contains only ProfileDisks (same guidance as Option 1). If the account password expires, the credential file must be regenerated — consider maintaining two accounts for rotation.
Generate the credential file. In the Management Console, hover over your username (top right) → Administration → scroll to ProfileUnity Tools. Enter the service account credentials and click Download or Deploy Service Configuration. Place the resulting LwL.ProfileUnity.Client.Service.exe.creds file in the same share/NETLOGON folder as the ProfileUnity client tools.
Ensure Startup.exe runs on boot from that same path. The creds file must be present alongside it. For Horizon Instant Clones, re-run on the master image after any creds update.
Enable ProfileDisk VHD CAC support via GPO ADMX. In the ProfileUnity Computer GPO, navigate to:
Computer Configuration → Administrative Templates → Classic Administrative Templates → Liquidware Labs → ProfileUnity
Under both the 32-bit and 64-bit sections, set ProfileDisk VHD CAC to Enabled.
Set the SmartCardLogonNotify registry value as described in the callout above, then reboot.

Symptom if SmartCardLogonNotify is missing
The lwl_cred_mgr_*.txt log will show:

"Failed to create process like user: <profileunity.svc@domain>. Error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it."

This error also appears when the Secondary Logon service is disabled (Option 2 only). If you see it with Option 1, confirm the GPO ADMX setting is applied and the machine has rebooted after the SmartCardLogonNotify value was set.

For full details see the CAC Authentication Best Practices guide and KB: ProfileDisk not mounting in highly secured environments using CAC authentication.

Deployment Scenarios

Environment	Recommended Method	Notes
Non-persistent VDI (gold image)	Run `LwL.ProfileUnity.Client.Startup.exe` during image preparation, then seal and recompose.	The updated `LwlLogonNotifier.exe.config` is baked into the image. After a Console upgrade, update the image with new client tools and re-run the Startup executable before recomposing.
Persistent desktops	GPO Computer Startup Script pointing to `\\NETLOGON\GPO-Name\LwL.ProfileUnity.Client.Startup.exe`.	The Startup executable handles in-place client-tool updates and refreshes `LwlLogonNotifier.exe.config` on each reboot. No reimage required after a Console upgrade.
RDS / Citrix (multi-session)	GPO Computer Startup Script on the session host; enable Multi-Session in the ProfileDisk group.	Each session host runs the Startup executable at boot. The multi-session flag allows the same VHDX to be opened concurrently from multiple sessions.
Secondary Logon disabled	Add `pdusecomputerperms` = `1` (DWORD) to `HKLM\Software\Liquidware Labs\ProfileUnity` before running the Startup executable.	Switches the mount mechanism from impersonation to machine-account permissions. See KB: Secondary Logon Disabled.
CAC / smart-card	Follow the CAC Best Practices guide for Kerberos constrained delegation setup in addition to the standard steps.	See also KB: ProfileDisk not mounting in highly secured environments.
Server OS as desktop	Ensure the Hyper-V role (or equivalent VHD-mount capability) is installed.	See KB: ProfileDisk does not mount on Server OS used as a desktop.

clientsettings.xml Field Reference

The table below describes each element in clientsettings.xml. The connection string values are AES-encrypted by the Console and cannot be edited manually; all other values are plaintext and reflect what was configured in the Management Console.

Element	Description
`MqConnectionString`	Encrypted connection string for the ProfileUnity broker message queue (RabbitMQ). Used by the client to communicate mount/unmount events back to the server.
`LicenseServerConnectionString`	Encrypted connection string for the ProfileUnity License Service. The client checks out a seat at logon.
`FlexDiskConnectionString`	Encrypted connection string for the FlexDisk Service (handles VHDX creation and management operations).
`DiskMode`	Disk format used for new ProfileDisk VHDs. Valid values: `VHD`, `VHDX`. VHDX is recommended for all current Windows versions.
`LicenseMode`	Licensing model: `NamedUser` or `ConcurrentUser`, matching the purchased license type.
`ProfileDiskConfigGroup`	Container for a single ProfileDisk group definition. Multiple groups may be present for different AD groups or disk locations.
`Assignments / Assignment`	The AD group (`name` = DOMAIN\Group, `sid` = group SID) whose members receive this ProfileDisk configuration.
`MultiSession`	`True` allows the VHDX to be mounted concurrently across multiple sessions (required for RDS/Citrix). `False` is safer for single-session VDI and physical desktops.
`VirtualDiskCompression`	Whether NTFS compression is applied to the VHDX file itself. Generally `False`; enabling compression can impact performance.
`VirtualDiskFormat`	`Expandable` (thin-provisioned, grows up to `VirtualDiskSizeInGb`) or `Fixed` (full size allocated at creation).
`VirtualDiskPath`	UNC path to the per-user VHDX file. Supports `%username%` expansion. Example: `\\server\share\ProfileDisk\%username%\%username%_.vhdx`
`VirtualDiskSizeInGb`	Maximum size of the VHDX in gigabytes. For expandable disks this is the ceiling, not the initial allocation.

Product	Liquidware ProfileUnity with FlexApp
Applies To	ProfileUnity 6.8.6 and later
Updated	June 2026