Restore: Fresh Client Build
A new Windows installation is deployed via SCCM, MDT, Intune Autopilot, or manual setup. The user's previous application profiles need to be restored after software installation completes. This is the most common restore scenario and serves as the reference pattern for all others.
Restore Sequence Overview
| Phase | Action | Context | When |
|---|---|---|---|
| 1 | Deploy Windows, join domain, install software | SCCM / MDT / Intune | During provisioning |
| 2 | Import machine-level settings | SYSTEM (task sequence step) | After software install, before first user logon |
| 3 | First user logon — apps run first-launch setup | User session | At logon |
| 4 | Import user-level settings | User (logon script or manual batch) | After first-launch routines complete |
The order matters. Machine settings must be in place before the user logs in. User settings must wait until after applications have initialized their defaults. See Handling First-Launch Overwrites for the reasoning behind the delay.
Phase 2 — Machine Import
Run as part of the SCCM/MDT task sequence, after all software is installed:
:: SCCM Task Sequence step — runs as SYSTEM
AppProfileSafe.CLI.exe --import ^
--manifestFile "\\server\backups\%OLD_COMPUTERNAME%\Machine\Manifest.xml" ^
--apps "Firefox-Machine,Office-Machine,Citrix-Machine" ^
--mappingFile "\\server\mappings\%USERDOMAIN%.xml" ^
--unc-credential-store --silentMode --noRestorePointNotes:
--noRestorePoint— Restore points are meaningless on a fresh image. Skip them to save time.--mappingFile— Required if the new machine has a different hostname, drive layout, or directory structure than the source. See What Is a Mapping File?.%OLD_COMPUTERNAME%— You need to know the previous machine name to locate the backup. Pass this as a task sequence variable or derive it from a CMDB/AD lookup.
Phase 4 — User Import
The user-level import must run in the user's session so that %APPDATA%, %LOCALAPPDATA%, and HKCU resolve correctly. It must also wait until first-launch routines have finished.
Option A — Delayed logon script (recommended):
@echo off
:: restore-user-profile.cmd
:: Deploy via GPO logon script or Scheduled Task (at logon, as user)
set MARKER=%LOCALAPPDATA%\AppProfileSafe\restore-done.flag
:: Skip if already restored
if exist "%MARKER%" exit /b 0
:: Wait for first-launch routines (2 minutes)
echo Waiting for applications to initialize...
timeout /t 120 /nobreak > nul
:: Run import
AppProfileSafe.CLI.exe --import ^
--manifestFile "\\server\backups\%OLD_COMPUTERNAME%\%USERNAME%\Manifest.xml" ^
--apps "Firefox-User,Office-User,Chrome-User" ^
--mappingFile "\\server\mappings\%USERDOMAIN%.xml" ^
--unc-credential-store --silentMode --ignoreRestorePointLimit
:: Mark as done
if %ERRORLEVEL% EQU 0 (
mkdir "%LOCALAPPDATA%\AppProfileSafe" 2>nul
echo Restored on %DATE% %TIME% > "%MARKER%"
)
echo Done. Please restart your applications to apply restored settings.
pauseOption B — Desktop shortcut (user self-service):
Place the batch file on the user's desktop with instructions: "After all applications have started at least once, double-click this to restore your settings." This gives the user full control over timing and avoids first-launch conflicts entirely.
See Deployment Methods for User Import for a full comparison of delivery mechanisms.
Providing the Old Machine Name
The restore scripts need to know the previous machine name (%OLD_COMPUTERNAME%) to locate the backup on the share. Common approaches:
| Method | How |
|---|---|
| Task sequence variable | Set OldComputerName as a SCCM/MDT variable before the import step. |
| Environment variable | Set a persistent environment variable during provisioning: setx OLD_COMPUTERNAME WS-PC042 /M |
| Lookup file | Place a text file on the share that maps new machine names to old machine names. |
| User input | For self-service scripts, prompt the user: set /p OLD_COMPUTERNAME=Enter your old machine name: |
| AD attribute | Store the old name in a custom AD attribute and query it via PowerShell during the task sequence. |
When No Mapping Is Needed
A mapping file is only necessary when paths differ between source and target. Common cases where no mapping is needed:
- Same username on source and target
- Same drive letters (C: on both)
- App definitions use only environment variables (not absolute paths)
When in doubt, run a DryRun first to see which paths would be affected.
See Also
- Handling First-Launch Overwrites — Why the delay before user import is critical
- Deployment Methods for User Import — All delivery options compared
- Split Jobs by Permission Scope — Setting up the export jobs that feed this restore
- Import via CLI — Full CLI import reference
- What Is a Mapping File? — Path transformation for cross-machine restores
- System Restore Points — When to use
--noRestorePoint