VMware Dynamic Environment Manager (DEM) 2312

Last Modified: Jan 25, 2024 @ 7:14 am

Navigation

As of version 9.9, User Environment Manager (UEM) was renamed to Dynamic Environment Manager (DEM).

This post applies to all Dynamic Environment Manager (aka User Environment Manager) versions including DEM 2312 (10.12) ESB, DEM 2212 (10.8) ESB, DEM 2111 ESB (10.4), and DEM 9.9 (ESB).

💡 = Recently Updated

Change Log

Upgrade

If you are performing a new installation, skip to the Installation Prerequisites section.

When upgrading an existing installation of DEM or UEM, upgrade the FlexEngine on the Horizon Agents first.

The newest FlexEngine can still interpret the INI files from older DEM console. After your clients (FlexEngine) have been upgraded, you can upgrade the management console, which allow for new options, like elevated privileges and others, which (when enabled) can now be correctly interpreted by the upgraded clients (FlexEngine). After that update the ADMX files.

DEM 2203 and newer move FlexEngine licensing to the configuration share and DEM console. If you are upgrading existing FlexEngines, then the previous license will continue functioning. New FlexEngines need the new licensing configuration method.

Installation Prerequisites

Before performing the procedures detailed on this page, make sure you’ve created the DEM File Shares, imported the DEM GPO ADMX templates, created the GPOs for Horizon, and configured the Horizon GPOs for Dynamic Environment Manager.

VMware Tech Zone Antivirus Considerations in a VMware Horizon Environment: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

VMware Workspace Tech Zone has an excellent Quick-Start Tutorial for User Environment Manager. It’s around 130 printed pages.

Mandatory Profile

At user logon, DEM restores profile archives on top of a Windows profile, which is typically a local profile, or a mandatory profile.

If your Horizon Agent machines are single-user, non-persistent that reboot at logoff, then local profiles are essentially the same as mandatory.

If your Horizon Agent machines are multi-user machines (e.g. RDSH) that don’t reboot every day, then you might need a process to delete local profiles when the user logs off. Here are some options:

  • Schedule a delprof2.exe script that runs daily.
  • Configure mandatory profiles, which are automatically deleted a logoff.
  • A more advanced option is to add users to the local Guests group, which causes their profile to be deleted at logoff.

If you choose Mandatory profile, then here are some mandatory profile creation instructions:

DEM Console Installation

As of version 9.9, User Environment Manager (UEM) was renamed to Dynamic Environment Manager (DEM).

In Horizon 2006 (aka 8.0), DEM is available in all editions of Horizon. There are two editions of DEM, each with different downloads and different DEM capabilities.

  • Horizon 8 (2006+) Enterprise Edition and Horizon 7.13 Enterprise Edition are entitled to DEM Enterprise Edition, which has all features.
  • Horizon 8 (2006+) Standard Edition and Horizon 8 Advanced Edition are entitled to DEM Standard Edition, which is limited primarily to Personalization features. If you are using FSLogix Profile Containers, then you don’t need DEM Standard Edition.

DEM 2312 (10.12) is the latest release. DEM 2312 (10.12) is an Extended Support Branch (ESB). DEM 2212 (10.8) is an Extended Support Branch (ESB).

  1. Based on your entitlement, download either DEM 2312 (10.12) Enterprise Edition or DEM 2312 (10.12) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.

  2. If upgrading, don’t upgrade the DEM Console until all of your DEM Agents have been upgraded.
  3. On your administrator machine, run the downloaded VMware Dynamic Environment Manager 2312 10.12 x64.msi.
  4. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Choose Setup Type page, click Custom.
  8. In the Custom Setup page, change the selections so that only the console is selected and then click Next.
  9. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  10. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.

Configure Dynamic Environment Manager

Here is a summary of the major Dynamic Environment Manager functionality:

  • Personalization (aka import/export user settings) – saves application and Windows settings to a file share. This is the roaming profiles functionality of Dynamic Environment Manager. You configure folders and registry keys that need to be saved. The import/export can happen at logon/logoff or during application launch/exit.
    • Pre-configure application settings – configures files and registry keys for specific applications so users don’t have to do it themselves. Some examples: disable splash screen, default folder save location, database server name, etc.
    • Selfsupport tool – users can use this tool to restore their application settings.
    • DEM Standard Edition supports all Personalization features.
  • User Environment – configures Windows settings like drive mappings, Explorer settings, printer mappings, etc. This is similar to group policy but offers significantly more options for conditional filtering. Dynamic Environment Manager can configure any registry setting defined in an ADMX file.
    • DEM Standard Edition only has a limited set of User Environment settings (e.g., drive mappings). Most User Environment features require DEM Enterprise Edition.
    • Most settings in DEM are only for users, not computers. DEM 2006 (aka 10.0) and newer support ADMX templates for Computer Settings. In older DEM, use Group Policy to configure Computer Settings.
    • Best practice is to not mix Dynamic Environment Manager and user group policy. Pick one tool. If the same setting is configured in both locations then group policy will win.
    • UEM 9.6 and newer support Windows Server 2019 as an Operating System condition.
  • Horizon Smart Policies – Use Horizon Conditions (e.g., client IP) to control device mappings (e.g., client printing) and PCoIP/Blast Bandwidth Profile.
  • Privilege Elevation (UEM 9.2 and newer) – allow apps to run as administrator even though user is not an administrator. Installers can also be elevated.

Links:

Initial Configuration (Easy Start)

To perform an initial configuration of Dynamic Environment Manager, do the following:

  1. Launch the DEM Management Console from the Start Menu.
  2. Enter the path to the DEMConfig share and click OK.
  3. DEM Console 2306 and newer might ask you to join VMware Customer Experience Improvement Program (CEIP).
  4. These Settings checkboxes define what is displayed in the management console. Leave it set to the defaults and click OK. You can later click the Configure button from the ribbon to change these settings.

  5. In the Personalization ribbon, on the far right, click Easy Start.
  6. Select your version of Office and click OK. Office 2019 and Office 2016 are essentially the same.
  7. Click OK when prompted that configuration items have been successfully installed.
  8. Review the pre-configured settings to make sure they are acceptable. For example, on the ribbon named User Environment, under Shortcuts, Dynamic Environment Manager might create a Wordpad shortcut that says (created by VMware UEM). You can either Disable this item, or delete it.

  9. Go to the ribbon name User Environment. On the left, expand Windows Settings and click Policy Settings. On the right, if there is a setting to Remove Common Program Groups, then click Edit.

    1. Consider adding a condition so it doesn’t apply to administrators.

DEM Licensing

DEM 2203 and newer moved FlexEngine Agent licensing to the DEM Configuration Share and DEM Console.

  1. Download the Production License File from the same place you downloaded DEM:  DEM 2312 (10.12) Enterprise Edition, or DEM 2312 (10.12) Standard Edition.
  2. In the DEM console, click the top-left star icon and then click License.
  3. Click Manage.
  4. Choose License File and then select the downloaded VMware-DEM-10.11.0-GA.lic file.
  5. Click OK.

DEM Console places the license info in the DEM Configuration Share file under \general\FlexRepository\AgentConfiguration.

Common Configurations

  1. DEM 2303 (10.9) and newer have a Search button to help you find configuration files.
  2. To roam the Start Menu in Windows 10 1703 and newer, see VMware 2150422 How to roam Windows 10 Start Menu layout.
    1. Go to the ribbon named Personalization, click a folder, and click Create Config File.
    2. Select Use a Windows Common Setting and click Next.
    3. Select Windows 10 Start Menu – Windows 10 Version 1703 and higher. This option is only available in newer versions of DEM. It should work with Windows Server 2019, but it doesn’t apply to Windows Server 2016, which is actually version 1607.
    4. Enter a file name. DEM will create a .zip file for each user with this name. Click Finish when done.
  3. You can run Triggered Tasks when a session is reconnected, workstation is unlocked, or on a schedule (DEM 2306 and newer). This is useful for re-evaluating Smart Policies, as detailed below.

    • DEM 2111 and newer have a Trigger named App Volumes logon-time apps delivered. This was renamed from the older All AppStacks Attached trigger. It was renamed because App Volumes 2111 supports on-demand apps.

    • DEM 2306 (10.10) and newer have a Schedule trigger.

    • You can pick one of the predefined Actions or choose Run custom command to run a script. Some scripts might need an additional configuration under Privilege Elevation.
  4. UEM 9.3 and newer have a setting to store Outlook OST file on App Volumes writable volumes. Go to the ribbon named User Environment. Right-click App Volumes and create a setting. Check the box next to Store Offline Outlook Data File (.ost) on writable volume. Configure other fields as desired. Note: this setting only applies to new Outlook profiles. More info in the YouTube video VMware User Environment Manager Outlook OST on App Volumes User Writable Volume Feature Walkthrough.

Links:

Horizon Smart Policies

Horizon Smart Policies let you control (e.g. disable) Horizon functionality for external users or other conditions.

  1. In UEM 9.0 and newer, go to User EnvironmentHorizon Smart Policies, and create a policy.
  2. DEM 9.11 has an expanded list of settings configurable using Horizon Smart Policies.
  3. DEM 2309 (10.11) and newer can control FIDO2 and Storage drive.
  4. DEM 2306 (10.10) and newer can control Browser Content Redirection.
  5. UEM 9.8 and newer have many Horizon Smart Policy Settings, including Drag and drop. See VMware User Environment Management 9.8 Feature Walk-Through at YouTube.
  6. On the Conditions tab, you can use any of the available conditions, including the Horizon Client Property conditions.

    • To detect external users, select Horizon Client Property > Client Location = External. UAG and Security Server set the session’s location to External.
  7. You can also enter a Horizon Client Property condition that corresponds to the ViewClient_ registry keys. In the Property field, type in a property name (remove ViewClient_ from the property name). See VMware Blog Post Enhancing Your VMware Horizon 7 Implementation with Smart Policies. And the 28-page PDF Reviewer’s Guide for View in Horizon 7: Smart Policies, VMware Horizon 7.

  8. There’s Endpoint Platform as a policy condition. Create a Policy, go to the Conditions tab, and select the Endpoint Platform condition.
  9. Some of the conditions have Matches Regex. For example, Endpoint name and Horizon Client Property > Pool name.

  10. To reapply Horizon Policies when users reconnect to an existing session, go to User Environment > Triggered Tasks, and click Create. Or you can edit one of the existing Triggered Tasks settings.

    1. Change the Trigger to Session Reconnected.
    2. Change the Action to User Environment refresh. Select Horizon Smart Policies and click Save.

Application Blocking

  1. UEM 9.0 adds an Application Blocking feature. To enable it, go to User Environment > Application Blocking, and click the Global Configuration button.
  2. Check the box to Enable Application Blocking. Specify Conditions where, if true, then App Blocking is enabled. These are the same conditions available in other policies and settings. Click OK.
  3. Then you can create an Application Blocking setting to designate the folders that users can run executables from, or what file hashes are allowed.
  4. You can add folders that allow or block apps. Any executable in these paths will be allowed or blocked. By default, executables in Windows and Program Files (including x86) are allowed.
  5. UEM 9.1 and newer allows File Hashes in addition to File Paths. Set the Type to Hash-based, click Add, browse to an executable, UEM will compute the hash, and add it to the list.
  6. UEM 9.2 and newer supports Publisher-based allow. Set the Type to Publisher-based, click Add, browse to an executable, UEM will read the certificate, and add it to the list. Note: A challenge with hash-bashed and publisher-based rules is that the policy might have to be updated whenever the app is updated.

Privilege Elevation

  1. UEM 9.2 adds a Privilege Elevation feature, which allows executables to run as administrator even if users are not administrators. To enable it, go to User Environment > Privilege Elevation, and click the Global Configuration button.
  2. Check the box to Enable Privilege Elevation. Specify Conditions where, if true, then Privilege Elevation is enabled. These are the same conditions available in other policies and settings.
  3. If you allow installers to be elevated, elevate the installer’s child processes too, check the box. This checkbox only applies to installers. Child processes of elevated applications is enabled when creating a Privilege Elevation configuration setting.
  4. When an application is elevated, the user can be asked to allow it. This prompt is intended to inform the user that the application has more permissions than it should, and thus be careful with this application. Click OK.
  5. Then you can create a Privilege Elevation setting to designate the applications that should be elevated. The applications can be specified by a path, a hash, or a publisher certificate. These are essentially the same options as Application Blocking.
  6. Path-based user-installed application lets you elevate installers. The other three options elevate applications, but not installers.
  7. The child processes checkbox applies to applications.
  8. UEM 9.4 adds Argument-based elevated application, which lets you elevate specific scripts and/or Control Panel applets. For details, see the YouTube video VMware User Environment Manager 9.4 Argument Based Privilege Elevation Feature Walk-through.
  9. DEM Group Policy settings can be enabled to log both Application Blocking and Privilege Elevation to Event Viewer

Computer Settings

DEM Enterprise Edition 2006 and newer can deploy computer-based ADMX settings.

  • Domain Computers must have Read permission to the DEM Config file share.

DEM 2006 and newer Agents (FlexEngines) must be configured to enable computer settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at VMware Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. If you use group policy, then make sure the group policy applies to your master image. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at VMware Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at VMware Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2312-10.12-GA\VMware Dynamic Environment Manager Enterprise 2312 10.12 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

Do the following to enable Computer Environment settings in the DEM Console:

  1. In the DEM Management Console, at the right side of any ribbon, click Configure.
  2. At the bottom of the General tab, check the box next to Computer Environment.
  3. A new Computer Environment ribbon is added. DEM 2009 and newer have Startup Tasks and Shutdown Tasks.
  4. With ADMX-based Settings highlighted on the left, click Manage Templates in the ribbon.
  5. At the bottom of the window, click Add Folder.
  6. If you have PolicyDefinitions in your SYSVOL, then browse to that. Or you can point it to C:\Windows\PolicyDefinitions. Click OK.
  7. Click OK after import is successful. DEM copied the .admx files into the DEM Config share. You can run this again any time to update templates.
  8. With ADMX-based Settings selected on the left, click Create in the ribbon.
  9. At the bottom, click Select Categories.
  10. Select a category where your setting is located and click OK.
  11. At the top of the window click Edit Policies.
  12. Only the settings for your chosen categories are shown. Configure these settings the same way you would configure them in group policy. Then close the window.
  13. DEM shows the configured settings.
  14. On the Conditions tab, you can add conditions. Obviously the user-based conditions will not be available for computer-based settings.

Personalization and DEM Templates

VMware has provided a list of Personalization Templates to simplify your configuration.

  1. To save user settings at logoff and restore at logon, you must specify the settings to save.  Easy Start created a bunch of configurations on the Personalization ribbon. Note: DEM 9.11 adds a Find box to this ribbon.
  2. You can see what settings these save. On the tab named Import / Export, on the top right, click Manage, and then click Expand.

    1. Click Yes to expand it.

    2. After reviewing the config, click a different Personalization setting, and then click No to not save your changes.
  3. To save more profile settings at logoff, on the ribbon named Personalization, select a folder (or create a new folder), and then click Create Config File.
  4. A wizard appears. You can use one of the built-in Windows Common Setting or Application Templates. Or you can create your own.


    • DEM 9.10 and newer have a Windows Common Setting named Default applications – File type associations and protocols. For details, see Ivan de Mes at Managing File Type Associations (FTA) natively using Dynamic Environment Manager.

      • Also enable the GPO setting Do not show the ‘new application installed’ notification at Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer.
      • To avoid a delay in applying FTAs after login, VMware 83679 recommends setting HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Serialize\StartupDelayInMSec (DWORD) = 0.
    • UEM 9.4 and newer have a Windows Common Setting for Windows 10 Start Menu – Windows 10 1703 and higher
  5. In UEM 9.5 and newer, the DEM Console has a button in the ribbon to Download Config Templates. You will need a My VMware account to access it. See Ivan de Mes VMware UEM 9.5 introduces the VMware Marketplace for templates.
  6. The Browse button on top lets you choose where in the tree you want to save the new Config File.
  7. DEM 9.11 and newer have a Find box.
  8. For older versions of UEM, download a template, and import it.
    1. In the DEM Console, on the Personalization tab, click the Configure button to locate your DEM Configuration file share.

    2. Extract the downloaded templates to the General\Applications folder in the DEM Config Share.

    3. The downloaded template should then show up in the Personalization tab under the Applications folder. If you don’t see it, click the Refresh Tree icon.
  9. DirectFlex – to speed up logins, enable DirectFlex whenever possible. Instead of restoring the files during logon and thus delaying the login, DirectFlex restores the settings on-demand when the user launches the application. DirectFlex can be enabled on most application configurations. However, Windows settings (e.g. Start Menu) should be loaded during login rather than on-demand after login.

Additional DEM Configuration

User Environment Manager 8.7 and newer has a UEMResult feature that lets you see what settings were applied to the user. The .xml file is only updated at logoff. To enable for a particular user, go to the user’s Logs folder and create a folder named UEMResult. At logoff, DEM will put an .xml file in this folder. More information at VMware Docs.

From VMware 2113514 Enabling debug logging for a single user in VMware User Environment Manager: To configure FlexEngine to log at debug level for a single user, create an empty FlexDebug.txt file in the same folder as the standard log file for this user. This triggers FlexEngine to switch to debug logging for this particular user.

DEM Application Profiler

This tool cannot be installed on a machine that has FlexEngine (aka DEM Agent) installed:

  1. .NET Framework 3.5 is required.
  2. In the Dynamic Environment Manager files, in the Optional Components folder, run VMware DEM Application Profiler 10.6 x64.msi. DEM 2312 (10.12) includes version 10.6 of the Profiler.
  3. In the Welcome to the VMware DEM Application Profiler Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Custom Setup page, click Next.
  6. In the Ready to install VMware DEM Application Profiler page, click Install.
  7. In the Completed the VMware DEM Application Profiler Setup Wizard page, click Finish.

You may now use the tool to determine where applications store their settings and export a default application configuration that can be pushed out using Dynamic Environment Manager.

DEM Support Tool

vDelboy – VMware UEM Helpdesk Support Tool

Do the following to configure the environment for the support tool:

  1. In the Dynamic Environment Manager Console, click the star icon on the top left, and click Configure Helpdesk Support Tool.
  2. Click Add.
  3. In the Profile archive path field, enter the user folder share (the same one configured in Dynamic Environment Manager GPO). At the end of the path, enter \[UserFolder]\Archives.
  4. Check the other two boxes. The paths should be filled in automatically. Make sure they match what you configured in the Dynamic Environment Manager group policy object. Click OK.
  5. Click Save.
  6. VMware recommends creating a new GPO for the Support Tool. This GPO should apply only to the support personnel.

  7. On the Scope tab, change the filtering so it applies to DEM Support and DEM Admins. If this GPO applies to machines with group policy loopback processing enabled, then also add Domain Computers.
  8. Edit the GPO.
  9. Go to User Configuration | Policies | Administrative Templates | VMware UEM | Helpdesk Support Tool.
  10. Double-click the setting DEM configuration share.
  11. Enable the setting, and enter the path to the DEMConfig share. Click OK.
  12. Consider enabling the remaining GPO settings. Read the Explain text or refer to the documentation.

Do the following to install the support tool.

  1. .NET Framework 3.5 is required.
  2. Some support tool functions require the FlexEngine (aka DEM Agent) to be installed on the help desk machine.
  3. In the extracted Dynamic Environment Manager files is an Optional Components folder. From inside that folder run VMware DEM Helpdesk Support Tool 2111 10.4 x64.msi. This tool was not updated for the DEM 2312 (10.12) release.
  4. In the Welcome to the VMware DEM Helpdesk Support Tool Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to install VMware DEM Helpdesk Support Tool page, click Install.
  8. In the Completed the VMware DEM Helpdesk Support Tool Setup Wizard page, click Finish.

Once the Helpdesk Support Tool is installed, you can launch it from the Start Menu, search for users, and then perform operations on the archives.

Related Pages

284 thoughts on “VMware Dynamic Environment Manager (DEM) 2312”

    1. If you create a FlexDebug.txt file in the user’s log location then you should see what DEM is doing, including time stamps. I normally see slowness when expanding Personalization .zip files and enumerating AD groups.

  1. In the vmware docs, when specifying the permissions for the config & profile share: If you want to use VMware Dynamic Environment Manager computer environment settings, remote computer accounts must also have Read & execute permissions applied to This folder, subfolders and files
    Im a little bit confused by this. Does this imply the machines on which the users work? What remote machines are they referring to?

    Regards,

    Tim

    1. “Computer environment settings” is a new setting in DEM 9.10 and newer. It allows DEM Agents to apply settings as the computer (independent of the user), which means that DEM client machines must have access to the share. One easy option is to add “Domain Computers” to the permissions.

      1. Thanks for your quick response, in our case the machines where users are working on are all VDIs, so computer environment settings are already applied with the image itself. We are thinking about using DEM so that everytime we release a new VDI image, the users wont have to re-adjust all their settings etc. Am I correct that we would not need the “computer environment permissions” for that?

        Regards,

        Tim

        1. DEM definitely replaces Persona, but I usually recommend FSLogix for profiles.

          DEM can replace user GPOs, but not machine GPOs. You use a GPO to enable DEM.

  2. Carl,

    I think that your guides are very beneficial. Some people need spoon fed everything. These are just real solid baseline guides. Thank you for all your work it has help me tons.

  3. probably the most confusing and jacked up article I have ever read. you are all over the place with no consistency or logic in your writing. This was absolutely useless!!

    1. I consider this DEM article to be supplemental to the main group policy article https://www.carlstalhood.com/horizon-group-policy-and-profiles/. Otherwise I’d be duplicating content, which might cause more confusion. Initial DEM setup is mostly about the group policies.

      Once DEM is implemented, there is no one DEM configuration that will meet the needs of every environment. The best I can do is provide a tour of the features.

  4. Hi Carl, View Desktop configured with DEM for user profiles and Workspace App with SSO enumerating CVAD resources. Have some applications that add shortcuts on user desktop, UEM creates duplicate icons on the desktop every time user logs in. Can we exclude a particular desktop folder if shortcuts are created under that? Or any recommendations.

    1. Are you redirecting Desktop folder to a UNC path?

      Which Personalization Setting is saving your Desktop? You can certainly configure exclusions.

      1. Hello Carl,

        We are using Folder Redirection (under User Environment). Is there any way to Exclude certain folders created on the desktop from being synch’d? Is there any way to use ‘User Personalization’ to save Desktop?

        1. If you’re using Folder Redirection to redirect the Desktop, then there’s no need to save the Desktop since it’s already located on a file share. If you want to exclude a folder, you could write a logoff script to delete the folder at logoff.

  5. First of all, excellent guide Carl.

    I’ve got a couple of questions that I hope you can help me.

    1. Folder redirection. It appears that when this is set, for example the Desktop folder on Windows 10, only the Desktop folders under This PC and Quick Access will redirect? Pretty much any folder that can have its ‘Location’ properties amended.

    If a user decides to browse to their profile to the local C drive on a persistent VM, C:\Users\Username\Desktop and saves a file, this will not redirect to the share upon log off. Is this correct? I am seeing this behavior.

    To avoid users losing or misplacing data, is the method to overcome this to create a configuration in Personalization and export the files upon log off?

    How have you managed this?

    2. Windows Search of redirected folders, the files do not come up when using the Search function next to the Start menu, although searching within the redirected folders brings up results. Is there a way to get this to work?

    Thanks.

  6. Hi Carl

    Thanks again for the great post. I have a question about Horizon Cloud on Azure. imagine you are building a farm of 3 RDS Servers (Windows 2019) and you have file server to store your redirected folders etc. What would you do for roaming profiles? Windows Profile Disks or DEM? I ‘m just very confused about it 🙁

    much appreciated in advance.

    Cheers,
    Omid

  7. Hi Carl,

    We implemented silos in our DEM environement (9.8).
    We do have issues with helpdesk tool.
    It is not able to display user archives that are locates under silos. The archives undee general are displayed.

    Did you encountered such kind of behavior ?

    Regards

  8. Should this be installed on an exclusive server or can it be installed on the connection server (or some other shared resource)?

    1. It’s just a console. When you launch the console, you point the console to a file share. Thus the only server component is the file share. The console can be installed anywhere.

    2. UEM does not require any database or dependencies, you can install in any operating system like win7,win8,win10,win 2008R2,win2012 R2

  9. Hi Carl

    login time very less in RDSH Server but in Windows 10 Login time is too much with same uem settings.

  10. Hi Carl,
    thank you for a great articles, we learned alot from your posts.
    I need to ask you about the Outlook profile with instant clone . how can we let the user get his outlook profile when he log-in. apart from app-volume writeable volumes methode . any other proceedures to get this done with local exchange

    1. The Outlook profile is in the user’s registry and it should be captured by one of UEM’s built-in Personalization templates.

      Or are you asking about the .ost file? In that case, FSLogix is an alternative to Writable Volumes. Microsoft intends to release FSLogix for free.

  11. Hi,

    What a great document. Thank you very much!

    We are considering using UEM on an RDSH farm for a largish management environment, which will eventually be migrated to a Horizon VDI solution.

    The main reason for this was to help create consistent environment for users and to manage folder redirection to protect against long log in times.

    I notice that you say you usually use group policy to manage folder redirection and I was wondering why you state this because I though that this was one of the main uses for UEM and managing the experience. We need to sync appdata as the users use tools like putty, SQL Management Studio, Winscp which often store their connection strings in appdata.

    Thanks in advance

    1. Folder Redirection and UEM Personalization are two different things. Normally your profile is located under C:\Users on any machine you’re logged in. When Folder Redirection, some of the folders under C:\Users\%username% are instead redirected to a file share, which means the redirected folders don’t need to be synced at logon and logoff. For the files under C:\Users\%username% that are not redirected, UEM Personalization backs up the files to a file share, and then restores that flies at next logon.

      1. Yes that’s my understanding too. I have previously used VMware persona management to do the redirection and it helped a great deal. I think I read that this is due to be EoL, will UEM replace this functionality? We needed to use persona management to help reduce log in times due to some large files in the C:\Users\%username%\appdata folder and PM allowed some of these to be synced after login and helped to reduce this login time (this was several years ago so I may be mistaken as to the exact reason)

  12. Hi Carl,
    We are on Horizon 7 with instant clones and UEM. We are trying to hook up our VDI to TV through HDMI. When we tried doing that we didnt get any audio from the TV. Is there a way to accomplish that ? Thanks.

  13. Hi Carl,

    I have requirement to add the safe sender list in outlook for all the users. How do I create predefined settings for specific settings like safe sender list and import to users. The challenge is that, if I export my configuration of outlook and import to users as predefined settings, then they would get my outlook profiles, would be messed up outlook.

  14. Hi Carl,
    Thanks for this amazing post. I am having issue with desktop pools in which when any virtual desktop gets locked automatically or manually (ctrl + L) and then log off, when user tries to connect to any desktop pool in horizon client again(without signing out from client) it shows administrator account and user has to switch user first and have to enter username and password again. I looked everywhere but couldn’t find a solution. Have you ever came across this issue. ? Thanks.

      1. Hi Carl, Thanks for your reply. Its actually neither of the two. To reproduce this issue below are the steps:
        1. Login to the horizon client
        2. Login into a desktop through any desktop pool
        3. lock the desktop manually or let it lock by itself
        4. Unlock the desktop
        5. Logoff from the desktop and don’t logout of Horizon client
        6. Login into any desktop pool again
        7. It shows desktopname\administrator account
        8. To login back user has to click on “switch user” then click on “other user” and enter his username and password again.

        I looked everywhere but couldn’t find a solution for this. I checked in other environments and everyone seems to have this problem. Not sure if you ever came across this but I think you should be able to reproduce it by following above steps.

        1. Hi Psy, Is your Horizon Thin Client is running Windows? If so, Is it log on as Administrator on the thin. You have to understand that SSO will trigger tu unlock loclly to remote session. Please give it a try by adding you Windows Thin Client part of you domain, and logon to that session inside the thin. Then post your result. We use many 10 zig devices here, and recursive unlock work 100% even behing F5 Load balancers.

  15. Hi Carl,

    Thanks for the update, we are planning to copy the ADMX template to AD, is there any impact to the existing UEM setup and existing group policy in AD, we wan to implement or copy ADMX in sysvol folder,

    kindly let us know impact and issue,

    Thanks in advance
    Regards

    Renu

    1. ADMX files define the available settings, not the configured settings. Updating ADMX files gives you new available settings but doesn’t affect the settings already configured.

      1. Hi Carl,
        We are currently having UEM 9.5 configured for our desktop pools and RDS Apps. Now we are planning to upgrade to DEM 9.10 so I am not sure how to replace existing UEM ADMX Files with DEM ADMX files after installing DEM agent in Master image. I noticed that the ADMX files for UEM and DEM have different names so if we copy new DEM Files to Policy Definitions it wont really be replacing UEM ADMXs. Can you please provide steps to replace UEM ADMXs with DEM ADMXs without affecting existing desktop pools. Thanks.

        1. Paste the new files. Delete the old files. Doing anything with the ADMX files won’t affect the settings already configured in your GPOs. After you swap the files, you’ll see your existing settings under DEM instead of UEM.

  16. Hi Carl,

    We are planning to upgrade DaaS 17.2 to 18.3 version, we are bit confused about UEM console upgrade,
    1. Can we upgrade UEM from 9.2 to 9.4 directly(inplace upgrade)
    2. can we install UEM 9.4 as new installation on different server and point the UEM_config, UEM_archive and home folder,

    Please help understand make the decisions

    Thanks in advance

    Regards

    Renu

    1. The general guidance is to in-place upgrade the UEM Agents first. Then you can upgrade your management consoles, which unlocks new features

      They’re just files and you can certainly point your UEM Agents to a new location for those files.

  17. Carl – What are your thoughts on the NoAD mode configuration of UEM? It seems to simplify things by doing away with the GPOs, but I don’t see many people talking about it.

    1. My peers have done it several times, especially in complicated AD environments. If the UEM GPO settings were available per-machine instead of per-user then it would be less of a problem.

      1. Hey Carl, do you (or your peers) often encounter such complicated AD environments where user policy is tricky to configure, but machine policy would help out if that were available?

        Would it help if you could configure the UEM agent through machine policy, even if you would be required to still configure a single setting (“Run FlexEngine as a Group Policy client-side extension”) via user policy? Or would the latter make the former pointless?

        No guarantees either way – just seeing if I can use your response as a feature request 🙂

    2. I’m not aware of any issues with NoAD. The only functional gap compared to GPO-based configuration, is that all UEM agents that use a particular UEM configuration share will get the same “policy”. With GPO-based configuration, you can define multiple GPO’s, so that agents in OU1 create 5 backups, and agents in OU2 10, for instance. With NoAD, all agents get their settings from a single NoAD.xml file, so that granular configuration is (currently…) not possible.

  18. Is there some logic in UEM Helpdesk Support Tool that hides certain profile archives? I have a working system, I recently created a new Personalisation Config (built-in ODBC) and also a custom one (for HKCU\SOFTWARE\VB and VBA Program Settings) – both these appear to function OK, I can see them on disk, but neither of them appear in the Helpdesk Support Tool. All others do. Deleting user’s UEM profile folder doesn’t impact issue.

    1. Hi Nathan,

      At a high level, the Helpdesk Support Tool works like this: it scans the configuration share for .INI files (i.e. Personalization config files), scans the profile archive folder and profile archive backups folder of the selected user for archives and backups corresponding with those .INI files, and displays the config files for which there’s an archive or a backup in the list.

      I’m not aware of any issues with this. Do you see any other archives or backups in the Helpdesk Support Tool?

      1. Now I understand the problem: multiple environments vs Helpdesk Support Tool.

        I have 3 UEM environments, with different configurations. HST’s config file is configured with all 3 environments, but will only look at one config (I’ll call it ‘main’). Hence, if my 2nd or 3rd environments have configuration items that are not present in the main environments, then HST won’t display the archives for those configuration items, as they are not present in Main config. How silly.

        My fix will be to have separate HST configs per environment, and launch HST with -FlexConfig to switch to my 2nd or 3rd environment as required.

    1. Every AppStack is slow? Or just one of them? VMware Communities has many threads on AppStack performance.

  19. Dear Carl,

    first of all: Happy New Year! 🎆 I hope that still counts on January 10th 😉 My best wishes to you!

    I found something interesting within UEM and logging of information and I was wondering if you could help me figuring out where the problem is: What difference is there between a user account in a OU and the same user in a group instead in the same OU?

    Please let me specify:
    I created a OU called ‘Horizon’. Within that OU I had a bunch of users that existed only for testing and they all worked fine in terms of logging information according to the level specified in the GPO “FlexEngine logging”.

    But when I wanted to extend my test and involve some of the colleagues that originally have been placed in other OUs I created a new Group in this Horizon OU and added those users (so to speak) indirectly to that group.

    Now these users can log on but the UEM policies are not applied and also no logging information is written, their user folder is not even created in the UEM user config share 😐

    Is there a way to straighten this behaviour? I was expecting this would work regardless of the users being directly in that OU or indirectly by putting them in a group but as it seems I have been mistaken. Where is the error?

    Thanks in advance for your helpful advice!
    Best regards!

    1. GPOs apply to users or machines. GPOs do not apply to user groups.

      The easy method of handling this is to enable Group Policy Loopback Processing so that these settings apply to machines and any user that logs into those machines. You can optionally filter the GPO so it only applies to the one user group by configuring the Security Filtering section on the first tab of the GPO.

      1. Hey Carl!

        Thank you very much, that helped a lot.
        Together with the loopback processing enabled and the two RDS hosts added as computer accounts in the scope filter I was able to get things going — great stuff!
        Have a great day ahead 🙂

  20. Carl – question about printer mappings – with a single environment printer mappings are taking increasing longer to achieve after logon – as we have more printer mappings with each dept we migrate in this is taking longer. we have multiple large campuses and some people migrate between and others do not. if we create separate environments for each campus then the printer mapping list is divided and would process faster – but- we then have to keep track of where each user goes and add/change memberships in AD – If we have multiple environments – 1 for each campus can we point end point devices to the correct environment automatically ?-So If a user goes from A to B the environment is automatically selected by IP or device name at logon? That way printer mappings could be split without having to go through 600 – 700 lines every time.

  21. Hi Carl, thanks so much for the write up. We are working on a VDI enviorment. Currently we are using 7.5 instant clone with non persistent disks. The issue we are running into is. We want to install Microsoft visaul studio on the “gold”image and be able to save the users settings(ie connection strings) on any instant clone dekstop they connect to. Is that a case where App Volume install is needed or is that something that can be done from the UEM? I am a bit confused of what would be the best direction to go. Thank you for any insight !

  22. Hi Carl, in regards to folder redirection, are you using the setting in the UEM console or the folder redirection option in group policy?

    1. I prefer Microsoft GPO. It’s well understood. It can move files from the old location to the new location.

  23. Hey Carl,
    I have an issue with 7.2 horizon. Seems very intermittently I find that the Volatile Environment variables are not getting written to the registry. I would like to utilize UEM to perhaps refresh the variables or at least prompt me and let me know the VM is no Set properly with the variables.( our app need the device name not the vm name) I cant reproduce the error but it happens randomly. Do you know of a way to use UEM to set the refresh env variables option if a scan finds the Variables(specifically ViewClient_Machine_Name). I have written a vb script to detect this issue . I would run the vbs at logon but would rather be able to run a refresh when detected.
    Hoping that this is clear.
    Cheers
    Ron

    1. Hey Ron,

      Just to make sure I understand correctly: the ViewClient_ values are sometimes missing in HKCU\Volatile Environment?

      UEM won’t be able to fix that, as those values are set by the Horizon agent. It will also be hard to use UEM to detect that they’re missing, as they don’t exist yet at that location when UEM runs at logon… You could of course use UEM to put a shortcut to your detection VBS in the startup folder, but that’s about it, I’m afraid.

      1. Yes i was hoping for miracles.. I too didnt think UEM could this.. it is strange.. that the vm would launch and the Env variables are not there. this puts our App in the hole because we really need the device name. Would you know of a way to evoke the agent to write the values at all.. Vmware has not been much help yet on this issue. and I cant get logs being that the machine is destroyed before we even know about the issue.. it’s a pickle..

        1. Sorry, I don’t know much about the Horizon agent. When the values are missing from the Volatile Environment key, are they available at the subkey of HKLM\Software\VMware, Inc.\VMware VDM\SessionData that corresponds with the session ID? Just curious.
          As for getting logs: maybe that’s where your detection script can come in? Grab the logs when it detects that the ViewClient_ values are missing?

  24. Carl, Can UEM capable of making entire profile roam including everything %UserName% like perona?

    1. Configuring UEM to store different app settings in different archives gives you benefits. For example, you can reset one archive without affecting others. Most archives will work on multiple OS versions.

      Otherwise, I wonder if you can add a setting to capture everything under AppData\Roaming, AppData\Local and everything under HCKU\Software. Make sure you add exclusions similar to the ones I have listed in my Citrix Profile Management article.

  25. Carl, thank you again for such an amazing write up.

    I have a few questions in regards to UEM:

    – Can the new administrative templates that came with 9.3 still work with UEM management console 9.0?

    – Can a new 9.3 management console utilize the same shares that 9.0 was using?

    That way I can have my 2 environments coexist as I migrate users to a new platform without having to recompose all my 9.0 UEM users.

    1. https://docs.vmware.com/en/VMware-User-Environment-Manager/9.2/com.vmware.user.environment.manager-install-config/GUID-FE6EBDC8-0F0E-499F-8492-471A01594AC4.html Shows the order in which the components need to be upgraded. FlexEngine (agent) first.

      Upgrading the console will sometimes result in upgraded definitions, which might not work in older FlexEngine.

      ADMX templates are last. Technically they only contain the “available” settings, but not the “actual” settings. The “actual” settings are configured in Group Policy. If those don’t change, then updating the templates probably won’t have any effect.

      1. Carl, thanks again for all the great information.

        Great question and great response.

        We are in a similar situation. We are slowly migrating our users to Windows 10 v1709, and found that we need to upgrade to UEM 9.3 for comparability with Windows 10. We found that the latest Flex Engine works with UEM Manager 9.0. Would it be safe to run this mixed versions until the W10 migration is complete? We are trying to avoid upgrading the Console and being forced to recompose thousands of end users.

        Thoughts?

        1. Hi Ivan,

          Your scenario is perfectly supported – it’s exactly why the steps to upgrade UEM are the way they are. New versions of FlexEngine (the UEM agent) are compatible with config files created with earlier versions of the Management Console, so you can indeed run FlexEngine 9.3 with Management Console 9.0.

          Once all your users have been migrated you can upgrade the Management Console and start using the new functionality.

  26. Carl, your articles are the best by far on the internet and truly follow real world scenarios. Thank you for having a great site and providing wonderful help to all professionals.

    I am about to deploy a new linked-clone 7.3 horizon deployment and am trying to understand which ti use for profile management. In reading everything, manual profiles in UEM don’t persist at log off and if a user logs back on personal settings are not kept. What scenario would I use for linked-clones and have the user keep all individual changes when they log back in?

    Horizon (linked-clones) -> UEM – Mandatory profiles?
    – Roaming Profiles?

    Horizon (linked-clones) -> Persona M. – ?

    Just curious what is the best approach.

    Also, using AppVolumes for Office, Apps, Etc…

    Thank you in advance.

    1. UEM provides the greatest flexibility – you can specify what is saved, and by extension, what is not saved. But, you have to tweak the config as apps are updated or introduced. The saved configurations are stored on a per-app basis, thus allowing for settings to apply to multiple profile versions. The Personalization tab is where you configure what is saved at logoff.

      Persona generally only requires an initial configuration, but it saves everything. However, VMware seems to be deprecating Persona, so they recommend UEM.

      VMware is also deprecating Writable Volumes for user profiles.

          1. did you try this? Doesn’t work for me. As I understand this is how I should add it to config file
            “[Include Folder Trees] ”
            “[Include Registry Trees] “

          2. Have you tried this, doesn’t work for me. I added config
            “[Include Folder Trees] ”
            “[Include Registry Trees] “

  27. Hi carl !!
    I am setup roaming profiles and UEM, however when I set redirection desktop folder the customizations were lost, due UEM setting.

    is there some way to fix it ?

    Kinde regards,

      1. Sure !!
        I did the setup mandatory profile on Windows 10 1607 and it is working pretty well. Every time that I made login i get the profile from mandatory.
        I setup UEM with folder redirection and GPOs to UEM, it is working too, perfectly !
        But, when I did login on VDI desktops ,the UEM setting have preference over mandatory profile setting, and the desktop shortcuts that I had on mandatory aren’t imported. If I disable redirection of desktop on UEM setting, the desktops setting from mandatory profile works.

        Sorry, for my english.
        Do you understand my issue ?

        1. Let me see whether I understand: you have desktop shortcuts configured as part of your mandatory profile, but you’re also redirecting the desktop folder? In that case, the shortcuts in the mandatory profile will indeed be ignored, as Windows is looking to the redirected location instead.

          1. Hi Wesley,

            Somehow the site didn’t give me the option to reply to your latest post, so I’m replying to myself instead 🙂

            There is no behavior te address: with folder redirection you’re telling Windows to ignore the original location, and look for files in the redirected location. That’s why the shortcuts you defined in your mandatory profile are “ignored” – you’re telling Windows to do that, as you’ve redirected the desktop folder.

            If you want to provide “admin-defined” desktop shortcuts to your users, why not use UEM for that? Much easier to manage (and modify) than baking them into the mandatory profile, and you also don’t run into this “conflict” with folder redirection.

  28. Hi Carl, lot’s of good info. I’ve been experimenting with ways to get Win10 1607 to take default apps and file extensions and trying to stop Edge from hijacking pdfs. There are different approaches, what do you suggest?

    thanks,

    James

  29. Hi Carl, Is there any way to base a condition on a specific AD Username? I can find AD Group, but it would be good to condition a certain action on a handful of AD users too, at least just for testing.

    1. Hi Barry, there’s no specific username condition, but you can use the environment variable condition, and check against the “username” env var.

  30. Hi Carl, Thanks for great artical. Could you please suggest how we can manage 2 different java versions (Java 6u45 and Java 8 u101) on one VDI using UEM. There are fews users how access web links few links required java 6u45 and few links required java 8 u101. We’ve installed both the version on VDI using app volume but it’s getting conflict. Only java latest version is working. Could you please suggest us. Thank You!

    1. Since Layering Technologies don’t isolate apps, you’ll need a different tool to perform isolation. App-V is common.

  31. Trying to run a logoff script (simple .bat file) with UEM but can’t get it to work from network share. Any thoughts?

  32. We have set up Horizon 7.0.2 with UEM 9.1 and AppVolume Manager 2.11, however I have noticed that Smart Policy for USB disablement doesn’t work at initial login it does work at re-connect, can someone test this in their environment and advise the outcome?
    Cheers

  33. Hello Carl, Firs of all thank you for really helpful info.
    We have non persistent linked clones environment with Zero clients locally attached USB printers. We have to change define different printer settings for different users. Is it possible to manage this setting with UEM or use Persona roaming profiles ?

  34. Carl question. We are using Windows 10 with Instant Clones. We have some trouble getting some OS Settings out of WIndows 10 for users like Start Menu, Default Programs and other settings that seems to be saved in AppData\Local. Right now we are using Persona Management to also capture AppData\Local. That seems to have resolved our issues. Are you seeing other solutions to issues with Windows 10 specifically and capturing OS related User Settings that are not easily captured via UEM?

    Thanks
    Jesse

  35. Great article! I just finished migration from persona management to UEM, but I have some issues:
    In FlexEngine.log I see warning: “WARN Previous import not marked as successful — skipping export.”
    How fix this issue?

      1. Hi Iknife and PlumBob,

        Sorry, just found this site… If you’re migrating from Persona to UEM, you probably only run UEM at logoff? In that case you need to “force” the export at logoff by passing the additional “-F” argument (so, “…\FlexEngine.exe -s -F”).

  36. Question – I am rolling out a new non persistant Windows 10 Deployment oN horiz 6.x . Followed the UEM and GPO info to a “T”. The problem I am having is that the Windows would take up to 10 Minutes at times to logon / provide a machine. The backend storage is very robust and all FLASH SAN.

    Why would the logons take so long to process??

      1. Hi Carl – thanks for the prompt response. No we are not using a mandatory profile. I don’t recall doing this for our Win7 deployment. None the less are you saying the mandatory profile is the ticket to quicker logon nirvana for Win 10 Non persistence?

          1. Thanks.. working through it now. However on the template user profile i copied over there is no NTUSER.DAT file. Yes I do have show hidden files ticked and protected operating system files checked. I do see them in the “default” user folder but not the template user. So with that said what would i load the hive with or simply bypass that section?

          2. Thanks again Carl. Looks like my template is borked. I appreciated your prompt responses on this topic.

          3. OK just an update. I essentially started from scratch with my Win 10 NON-persistent Horizon project with mandatory profile v5 created successfully.

            And login times are still slow. Has anyone else on here have done non persistent Windows 10? If so how did you over come your slow login times?

    1. The whole idea of exclusion is to prevent those folders from being saved in the roaming profile. However, redirection removes the folder from the roaming profile and thus there’s nothing to exclude. All data created by the apps is automatically saved in the redirected location.

      You can turn off redirection and then configure exclusions. Or you might have to use scripts to delete content from the redirected folder location.

      1. I’m trying to exclude outlook from appdata but it doesn’t work. I tried include folder first and then exclude first but still outlook folder is created. With Citrix is just add exclusion but here I cannot make it work.
        [IncludeFolderTrees]
        \Microsoft
        [ExcludeFolderTrees]
        \Local\Microsoft\Outlook

        Any idea how to make it work?

  37. Hi Carl, Fantastic work by the way! I am trying to use UEM to configure predefined settings that set the default search engine in IE11 to be google rather than Bing. I see there is an IE Application Template. Do I amend this template? How do I configure the above setting?
    Thanks
    Sean

  38. Hi Carl, wonderful post through and through. I have a question as per UEM. I just would like to demonstrate the Application blocking capabilities. What is the minimum install required for this?

    I quote your statement above, “Before performing the procedures detailed on this page, make sure you’ve imported the UEM ADMX templates, created the GPOs for Horizon, and configured the Horizon GPOs for User Environment Manager.”
    Must i do all this to demonstrate Application blocking?
    Thanks for your response.

  39. I cannot make it work with 2012r2 TS, GPOs just
    Use mandatory profiles on the RD Session Host server = enabled
    Set path for Remote Desktop Services Roaming User Profile = \\fs01\UEMConfig\mandatory (Do not include the .v5 in this path)
    Does 2012r2 supports this config?

    1. The folder should be named .v2 or .v4, depending on if you’ve enabled the newer profile version by changing the registry key. But I think it will tell you in the Application Log what path it’s looking for.

  40. Is there a way to have multiple UEM Configuration Shares? We need a test and production share.

    It seems like I seen someone on a video and they had an option to chose from multiple UEM Configuration Shares.

    Thanks
    Sunshine Baines

    1. You can certainly use the console to edit multiple Config Shares. If you click the Star icon on the top left you can add and switch environments.

  41. I’m not able to get the window settings to export. I ran the easy start to do a proof of concept. I made some changes in the IE settings and Taskbar, but it is not exporting the settings at logoff. I do see settings exporting for notepad and wordpad, but I’m not able to get the window settings working. Any ideas?

    Thanks
    Sunshine

Leave a Reply to liu Cancel reply

Your email address will not be published. Required fields are marked *