Deployment Methods for User Import

User-level imports must run in the user's session so that HKCU and environment variables resolve correctly. This page compares delivery mechanisms and provides a reusable marker file pattern to prevent duplicate imports.

Method Comparison

Method	Pros	Cons
GPO Logon Script	Automatic, centrally managed, no user interaction needed.	Runs early in logon — may conflict with first-launch routines. Add timeout delay. Runs on every logon unless guarded by a marker file.
Scheduled Task (at logon, as user)	Configurable delay built into the task trigger. Runs elevated if configured. Deployable via GPO Preferences.	Must be created on each target machine (via GPO Preferences, SCCM, or Intune).
Desktop batch file (self-service)	User controls timing. No first-launch conflicts. Simple to deploy and understand.	Requires user action — user may forget or ignore it.
Intune Remediation Script	Cloud-managed. Runs in user context. Built-in detection/remediation pattern.	Intune-specific. Detection script must check for the marker file. Timing not guaranteed.
SCCM Application (user-targeted)	Full deployment lifecycle. Retry on failure. Reporting and compliance tracking.	More complex setup. May run early unless application dependencies are configured.

Recommended: Scheduled Task with Delay

Create a Scheduled Task via GPO Preferences that triggers at logon with a 2-minute delay:

Setting	Value
Trigger	At log on of any user
Delay task for	2 minutes
Run with highest privileges	Yes (if HKLM writes are needed)
Action	AppProfileSafe.CLI.exe with import parameters
Stop if running longer than	30 minutes

This combines the automation of a logon script with a configurable delay and the ability to run elevated.

Marker File Pattern

To prevent the import from running on every logon, check for a marker file before executing:

@echo off
:: restore-user-profile.cmd
:: Prevents duplicate imports by checking for a marker file.

set MARKER=%LOCALAPPDATA%\AppProfileSafe\restore-done.flag

:: Skip if already restored
if exist "%MARKER%" (
    exit /b 0
)

:: Optional: wait for first-launch routines
timeout /t 120 /nobreak > nul

:: Run import
AppProfileSafe.CLI.exe --import ^
  --manifestFile "\\server\backups\%COMPUTERNAME%\%USERNAME%\Manifest.xml" ^
  --apps "Firefox-User,Office-User,Chrome-User" ^
  --unc-credential-store --silentMode --ignoreRestorePointLimit

:: Create marker on success
if %ERRORLEVEL% EQU 0 (
    mkdir "%LOCALAPPDATA%\AppProfileSafe" 2>nul
    echo Restored on %DATE% %TIME% > "%MARKER%"
    echo Profile restore completed successfully.
) else (
    echo Profile restore failed with exit code %ERRORLEVEL%.
    echo Check the application log for details.
    eventcreate /T ERROR /ID 1002 /L Application /SO "AppProfileSafe" ^
      /D "User profile restore failed with exit code %ERRORLEVEL%"
)

exit /b %ERRORLEVEL%

Marker File Locations

Location	When to use
%LOCALAPPDATA%\AppProfileSafe\restore-done.flag	User-level import. Per-user, per-machine. Survives reboots. Deleted on profile reset (enabling re-import after reset).
%ProgramData%\AppProfileSafe\machine-restore-done.flag	Machine-level import. Shared across all users. Persists across profile resets.

To force a re-import (e.g. after a new backup), delete the marker file and run the script again — or log off and back on if using a logon-triggered method.

Self-Service Batch File

For scenarios where the user should control timing, place this on their desktop:

@echo off
:: Restore My Settings.cmd — double-click to restore application settings

echo ============================================
echo   AppProfileSafe — Restore User Settings
echo ============================================
echo.
echo This will restore your application settings from the latest backup.
echo Please close Firefox, Chrome, Outlook, and Teams before continuing.
echo.
pause

AppProfileSafe.CLI.exe --import ^
  --manifestFile "\\server\backups\%COMPUTERNAME%\%USERNAME%\Manifest.xml" ^
  --apps "Firefox-User,Office-User,Chrome-User" ^
  --unc-credential-store --ignoreRestorePointLimit

if %ERRORLEVEL% EQU 0 (
    echo.
    echo Settings restored successfully.
    echo Please restart your applications.
    mkdir "%LOCALAPPDATA%\AppProfileSafe" 2>nul
    echo Restored on %DATE% %TIME% > "%LOCALAPPDATA%\AppProfileSafe\restore-done.flag"
) else (
    echo.
    echo Restore failed with error code %ERRORLEVEL%.
    echo Please contact IT support.
)

echo.
pause

Note: This script does not use --silentMode so the user can see progress in the console window.

Intune Remediation Script

For Intune-managed devices, create a remediation with:

Detection script (PowerShell):

# Detection: check if restore has already been done
$marker = "$env:LOCALAPPDATA\AppProfileSafe\restore-done.flag"
if (Test-Path $marker) {
    Write-Output "Profile already restored."
    exit 0   # Compliant — no action needed
} else {
    Write-Output "Profile not yet restored."
    exit 1   # Non-compliant — run remediation
}

Remediation script (PowerShell):

# Remediation: wait and restore
Start-Sleep -Seconds 120

$exitCode = Start-Process -FilePath "AppProfileSafe.CLI.exe" -ArgumentList @(
    "--import",
    "--manifestFile", "\\server\backups\$env:COMPUTERNAME\$env:USERNAME\Manifest.xml",
    "--apps", "Firefox-User,Office-User,Chrome-User",
    "--unc-credential-store", "--silentMode", "--ignoreRestorePointLimit"
) -Wait -PassThru | Select-Object -ExpandProperty ExitCode

if ($exitCode -eq 0) {
    New-Item -Path "$env:LOCALAPPDATA\AppProfileSafe" -ItemType Directory -Force | Out-Null
    "Restored on $(Get-Date)" | Out-File "$env:LOCALAPPDATA\AppProfileSafe\restore-done.flag"
}

exit $exitCode

See Also

• Handling First-Launch Overwrites — Why the delay before import is necessary
• Restore: Fresh Client Build — Full restore sequence
• Silent Mode Behavior — How --silentMode affects output
• Exit Codes — Interpreting CLI return values in scripts
• Import via CLI — Full CLI import reference