Windows AppVM from Windows TemplateVM can't access the User Profile

Hello!

Context: So I’ve followed this tutorial (“How to install Windows qubes in Qubes OS | Qubes OS”) on how to create a HVM Windows VM and opted to follow the Windows Template tutorial too. I opted to not install the QWT because of the security warnings. I installed a version of Windows 11 and used a valid key to license it.

I’m having an issue when starting an AppVM that uses the created Windows Template VM as its template. As per the tutorial, I’ve moved the “C:/Users/” folder to the private storage “Q:”, in the Windows Template, using the .exe provided by the tutorial. The process seems to have been successful, but the AppVM cannot log in to Windows. When starting the VM, the usual Windows login page appears (I’ve set no password and a local user) and it automatically tries to enter Windows normally (as I’ve set no password). This is then interrupted with the following text: “The User Profile Service service failed the sign-in. \n User profile cannot be loaded” and it locks me out again, preventing me from even reaching the desktop page.
I can use Windows normally in the TemplateVM, but cannot in any VM created using it. I think there’s something wrong with the way the private storage volume “Q:” is set to the AppVM, but I don’t really know how to troubleshoot it.
I’ve been searching online for something close to this problem in the Qubes OS forum, but haven’t found anything yet. Do you know what could’ve happened?

Thanks.

I have now checked this with a new Windows 11 template. After performing the directory relocation, drive Q: has, as is to be expected, a directory Q:\Users\, and in this directory, a public directory and a directory for the current user’s file, e.g. Q:\Users\USERNAME\.

But the current user has no access to this latter directory, and so no access to the user profile stored there! For the template, this does not seem to matter, because a copy of the profile can still be found in C:\Users\USERNAME\, but for any AppVM based on that template, this is fatal.

This situation can be changed by clicking on Q:\Users\USERNAME\ in the explorer. Then, a pop-up is shown asking if access should be granted, using administrator privileges for this operation. If this is done, the directory and its contents can be accessed. Any AppVM created after shutting down the template should be working.

I would be interested if this sequence of actions works for you, too. In this case, I’ll amend the documentation.

The error will not occur if the user disk is called Q: and is empty. So a reliable way to use the relocate_dir.exe utility is to format the user disk and give it the drive letter Q: before booting, using the Windows disk manager.
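
A read-only way to confirm the access problem described in this thread, before and after granting access in Explorer, is to compare each profile's SID with the ACL on its relocated folder. This is an added example, not part of any post or of the Qubes documentation. It assumes an elevated PowerShell session in the template and that the folder under Q:\Users keeps the leaf name of the profile's registered path.

```powershell
# Added example (not from the thread). Read-only: it changes no permissions.
# Run in an elevated PowerShell inside the Windows template.
$root        = 'Q:\Users'   # relocated profile root named in the thread
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$sidType     = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -Path $profileList | ForEach-Object {
    $sid = $_.PSChildName
    # Keep local and domain user accounts; skip SYSTEM and service profiles.
    if ($sid -notlike 'S-1-5-21-*') { return }

    # Assumption: the folder under Q:\Users keeps the leaf name of ProfileImagePath.
    $imagePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    $dir       = Join-Path $root (Split-Path $imagePath -Leaf)

    $row = [ordered]@{
        Sid = $sid; Directory = $dir; Exists = $false
        Owner = $null; UserHasFullControl = $false
    }
    if (Test-Path -LiteralPath $dir) {
        $row.Exists = $true
        try {
            $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
            $row.Owner = $acl.Owner
            # Only rules naming the user's own SID are checked; access through
            # group membership is not evaluated.
            $row.UserHasFullControl = [bool]($acl.GetAccessRules($true, $true, $sidType) |
                Where-Object {
                    $_.IdentityReference.Value -eq $sid -and
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band $fullControl) -eq $fullControl
                })
        } catch {
            $row.Owner = "unreadable: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
} | Format-Table -AutoSize
```

A row with `Exists` true and `UserHasFullControl` false matches the situation described above, where the profile folder on Q: is present but its own user has no access to it.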