Navigation
As of version 9.9, User Environment Manager (UEM) was renamed to Dynamic Environment Manager (DEM).
This post applies to all Dynamic Environment Manager (aka User Environment Manager) versions including DEM 2312 (10.12) ESB, DEM 2212 (10.8) ESB, DEM 2111 ESB (10.4), and DEM 9.9 (ESB).
- Change Log
- Upgrade
- Installation Prerequisites
- Local Profile
- DEM Console Installation
- Configure Dynamic Environment Manager
- Personalization and DEM Templates
- Additional DEM Configuration
- DEM Application Profiler
- DEM Support Tool
💡 = Recently Updated
Change Log
- 2024 Jul 28 – updated install instructions for DEM 2406 (aka 10.13)
- 2023 Oct 28 – Horizon Smart Policies – DEM 2309 adds FIDO2 and Storage Drive
- 2023 Apr 1 – Search button in DEM Console 2303
- 2022 Apr 11 – added Licensing section for 2203 and newer.
- 2021 June 18 – added info from Omnissa 83679 Dynamic Environment Manage(DEM) User File Type Association(FTA) Delay in Applying after Login.
Upgrade
If you are performing a new installation, skip to the Installation Prerequisites section.
When upgrading an existing installation of DEM or UEM, upgrade the FlexEngine on the Horizon Agents first.
The newest FlexEngine can still interpret the INI files from older DEM console. After your clients (FlexEngine) have been upgraded, you can upgrade the management console, which allow for new options, like elevated privileges and others, which (when enabled) can now be correctly interpreted by the upgraded clients (FlexEngine). After that update the ADMX files.
DEM 2203 and newer move FlexEngine licensing to the configuration share and DEM console. If you are upgrading existing FlexEngines, then the previous license will continue functioning. New FlexEngines need the new licensing configuration method.
Installation Prerequisites
Before performing the procedures detailed on this page, make sure you’ve created the DEM File Shares, imported the DEM GPO ADMX templates, created the GPOs for Horizon, and configured the Horizon GPOs for Dynamic Environment Manager.
Omnissa Tech Zone Antivirus Considerations in a Horizon Environment: exclusions for Horizon, App Volumes, User Environment Manager, ThinApp
Omnissa Workspace Tech Zone has an excellent Quick-Start Tutorial for Dynamic Environment Manager. It’s around 130 printed pages.
Local Profile
At user logon, DEM restores profile archives on top of a Windows profile, which is typically a local profile.
If your Horizon Agent machines are single-user, non-persistent that reboot at logoff, then local profiles are deleted at logoff.
If your Horizon Agent machines are multi-user machines (e.g. RDSH) that don’t reboot every day, then you might need a process to delete local profiles when the user logs off. Here are some options:
- Schedule a delprof2.exe script that runs daily.
- A more advanced option is to add users to the local Guests group, which causes their profile to be deleted at logoff.
DEM Console Installation
In Horizon 2006 (aka 8.0), DEM is available in all editions of Horizon. There are two editions of DEM, each with different downloads and different DEM capabilities.
- Horizon 8 (2006+) Enterprise Edition and Horizon 7.13 Enterprise Edition are entitled to DEM Enterprise Edition, which has all features.
- Horizon 8 (2006+) Standard Edition and Horizon 8 Advanced Edition are entitled to DEM Standard Edition, which is limited primarily to Personalization features. If you are using FSLogix Profile Containers, then you don’t need DEM Standard Edition.
DEM 2406 (10.13) is the latest release. DEM 2312 (10.12) is an Extended Support Branch (ESB). DEM 2312 (10.12) is an Extended Support Branch (ESB).
- Based on your entitlement, download either DEM 2406 (10.13) Enterprise Edition or DEM 2406 (10.13) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.
- If upgrading, don’t upgrade the DEM Console until all of your DEM Agents have been upgraded.
- On your administrator machine, run the downloaded VMware Dynamic Environment Manager 2406 10.13 x64.msi.
- In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, check the box next to I accept and click Next.
- In the Destination Folder page, click Next.
- In the Choose Setup Type page, click Custom.
- In the Custom Setup page, change the selections so that only the console is selected and then click Next.
- In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
- In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
Configure Dynamic Environment Manager
Here is a summary of the major Dynamic Environment Manager functionality:
- Personalization (aka import/export user settings) – saves application and Windows settings to a file share. This is the roaming profiles functionality of Dynamic Environment Manager. You configure folders and registry keys that need to be saved. The import/export can happen at logon/logoff or during application launch/exit.
- Pre-configure application settings – configures files and registry keys for specific applications so users don’t have to do it themselves. Some examples: disable splash screen, default folder save location, database server name, etc.
- Self–support tool – users can use this tool to restore their application settings.
- DEM Standard Edition supports all Personalization features.
- User Environment – configures Windows settings like drive mappings, Explorer settings, printer mappings, etc. This is similar to group policy but offers significantly more options for conditional filtering. Dynamic Environment Manager can configure any registry setting defined in an ADMX file.
- DEM Standard Edition only has a limited set of User Environment settings (e.g., drive mappings). Most User Environment features require DEM Enterprise Edition.
- Most settings in DEM are only for users, not computers. DEM 2006 (aka 10.0) and newer support ADMX templates for Computer Settings. In older DEM, use Group Policy to configure Computer Settings.
- Best practice is to not mix Dynamic Environment Manager and user group policy. Pick one tool. If the same setting is configured in both locations then group policy will win.
- UEM 9.6 and newer support Windows Server 2019 as an Operating System condition.
- Horizon Smart Policies – Use Horizon Conditions (e.g., client IP) to control device mappings (e.g., client printing) and PCoIP/Blast Bandwidth Profile.
- Privilege Elevation (UEM 9.2 and newer) – allow apps to run as administrator even though user is not an administrator. Installers can also be elevated.
Links:
- Dynamic Environment Manager (DEM) documentation can be found at Omnissa Docs.
- VMware has posted several User Environment Manager videos at YouTube.
- Fabian Lenz Let’s troubleshoot User Environment Manager (#UEM) 9.X: How to avoid errors during the installation
Initial Configuration (Easy Start)
To perform an initial configuration of Dynamic Environment Manager, do the following:
- Launch the DEM Management Console from the Start Menu.
- Enter the path to the DEMConfig share and click OK.
- DEM Console 2306 and newer might ask you to join Omnissa Customer Experience Improvement Program (CEIP).
- In the ribbon, click Configure. These Settings checkboxes define what is displayed in the management console. Leave it set to the defaults and click OK.
- In the Personalization ribbon, on the far right, click Easy Start.
- Select your version of Office and click OK. Office 2019 and Office 2016 are essentially the same.
- Click OK when prompted that configuration items have been successfully installed.
- Review the pre-configured settings to make sure they are acceptable. For example, on the ribbon named User Environment, under Shortcuts, Dynamic Environment Manager might create a Wordpad shortcut that says (created by VMware UEM). You can either Disable this item or delete it.
- Go to the ribbon name User Environment. On the left, expand Windows Settings and click Policy Settings. On the right, if there is a setting to Remove Common Program Groups, then click Edit.
- Consider adding a condition so it doesn’t apply to administrators.
- Consider adding a condition so it doesn’t apply to administrators.
DEM Licensing
DEM 2203 and newer moved FlexEngine Agent licensing to the DEM Configuration Share and DEM Console.
- Download the Production License File from the same place you downloaded DEM: DEM 2312 (10.12) Enterprise Edition, or DEM 2312 (10.12) Standard Edition.
- In the DEM console, click the top-left star icon and then click License.
- Click Manage.
- Choose License File and then select the downloaded VMware-DEM-10.13.0-GA.lic file.
- Click OK.
DEM Console places the license info in the DEM Configuration Share file under \general\FlexRepository\AgentConfiguration.
Common Configurations
- DEM 2303 (10.9) and newer have a Search button to help you find configuration files.
- To roam the Start Menu in Windows 10 1703 and newer:
- Go to the ribbon named Personalization, click a folder, and click Create Config File.
- Select Use a Windows Common Setting and click Next.
- Select Windows 10 Start Menu – Windows 10 Version 1703 and higher. This option is only available in newer versions of DEM. It should work with Windows Server 2019, but it doesn’t apply to Windows Server 2016, which is actually version 1607.
- Enter a file name. DEM will create a .zip file for each user with this name. Click Finish when done.
- Go to the ribbon named Personalization, click a folder, and click Create Config File.
- You can run Triggered Tasks when a session is reconnected, workstation is unlocked, or on a schedule (DEM 2306 and newer). This is useful for re-evaluating Smart Policies, as detailed below.
- DEM 2111 and newer have a Trigger named App Volumes logon-time apps delivered. This was renamed from the older All AppStacks Attached trigger. It was renamed because App Volumes 2111 supports on-demand apps.
- DEM 2306 (10.10) and newer have a Schedule trigger.
- You can pick one of the predefined Actions or choose Run custom command to run a script. Some scripts might need an additional configuration under Privilege Elevation.
- DEM 2111 and newer have a Trigger named App Volumes logon-time apps delivered. This was renamed from the older All AppStacks Attached trigger. It was renamed because App Volumes 2111 supports on-demand apps.
- UEM 9.3 and newer have a setting to store Outlook OST file on App Volumes writable volumes. Go to the ribbon named User Environment. Right-click App Volumes and create a setting. Check the box next to Store Offline Outlook Data File (.ost) on writable volume. Configure other fields as desired. Note: this setting only applies to new Outlook profiles. More info in the YouTube video VMware User Environment Manager Outlook OST on App Volumes User Writable Volume Feature Walkthrough.
Links:
- Nigel Hickey Leveraging VMware UEM to reduce Microsoft GPO usage: Configure ADMX settings in UEM.
Horizon Smart Policies
Horizon Smart Policies let you control (e.g. disable) Horizon functionality for external users or other conditions.
- In UEM 9.0 and newer, go to User Environment > Horizon Smart Policies, and create a policy.
- DEM 9.11 has an expanded list of settings configurable using Horizon Smart Policies.
- DEM 2309 (10.11) and newer can control FIDO2 and Storage drive.
- DEM 2306 (10.10) and newer can control Browser Content Redirection.
- UEM 9.8 and newer have many Horizon Smart Policy Settings, including Drag and drop. See VMware User Environment Management 9.8 Feature Walk-Through at YouTube.
- On the Conditions tab, you can use any of the available conditions, including the Horizon Client Property conditions.
- To detect external users, select Horizon Client Property > Client Location = External. UAG and Security Server set the session’s location to External.
- To detect external users, select Horizon Client Property > Client Location = External. UAG and Security Server set the session’s location to External.
- You can also enter a Horizon Client Property condition that corresponds to the ViewClient_ registry keys. In the Property field, type in a property name (remove ViewClient_ from the property name). See VMware Blog Post Enhancing Your VMware Horizon 7 Implementation with Smart Policies.
- There’s Endpoint Platform as a policy condition. Create a Policy, go to the Conditions tab, and select the Endpoint Platform condition.
- Some of the conditions have Matches Regex. For example, Endpoint name and Horizon Client Property > Pool name.
- To reapply Horizon Policies when users reconnect to an existing session, go to User Environment > Triggered Tasks, and click Create. Or you can edit one of the existing Triggered Tasks settings.
- Change the Trigger to Session Reconnected.
- Change the Action to User Environment refresh. Select Horizon Smart Policies and click Save.
Application Blocking
- UEM 9.0 adds an Application Blocking feature. To enable it, go to User Environment > Application Blocking, and click the Global Configuration button.
- Check the box to Enable Application Blocking. Specify Conditions where, if true, then App Blocking is enabled. These are the same conditions available in other policies and settings. Click OK.
- Then you can create an Application Blocking setting to designate the folders that users can run executables from, or what file hashes are allowed.
- You can add folders that allow or block apps. Any executable in these paths will be allowed or blocked. By default, executables in Windows and Program Files (including x86) are allowed.
- UEM 9.1 and newer allows File Hashes in addition to File Paths. Set the Type to Hash-based, click Add, browse to an executable, UEM will compute the hash, and add it to the list.
- UEM 9.2 and newer supports Publisher-based allow. Set the Type to Publisher-based, click Add, browse to an executable, UEM will read the certificate, and add it to the list. Note: A challenge with hash-bashed and publisher-based rules is that the policy might have to be updated whenever the app is updated.
Privilege Elevation
- UEM 9.2 adds a Privilege Elevation feature, which allows executables to run as administrator even if users are not administrators. To enable it, go to User Environment > Privilege Elevation, and click the Global Configuration button.
- Check the box to Enable Privilege Elevation. Specify Conditions where, if true, then Privilege Elevation is enabled. These are the same conditions available in other policies and settings.
- If you allow installers to be elevated, elevate the installer’s child processes too, check the box. This checkbox only applies to installers. Child processes of elevated applications is enabled when creating a Privilege Elevation configuration setting.
- When an application is elevated, the user can be asked to allow it. This prompt is intended to inform the user that the application has more permissions than it should, and thus be careful with this application. Click OK.
- Then you can create a Privilege Elevation setting to designate the applications that should be elevated. The applications can be specified by a path, a hash, or a publisher certificate. These are essentially the same options as Application Blocking.
- Path-based user-installed application lets you elevate installers. The other three options elevate applications, but not installers.
- The child processes checkbox applies to applications.
- UEM 9.4 adds Argument-based elevated application, which lets you elevate specific scripts and/or Control Panel applets. For details, see the YouTube video VMware User Environment Manager 9.4 Argument Based Privilege Elevation Feature Walk-through.
- DEM Group Policy settings can be enabled to log both Application Blocking and Privilege Elevation to Event Viewer
Computer Settings
DEM Enterprise Edition 2006 and newer can deploy computer-based ADMX settings.
- Domain Computers must have Read permission to the DEM Config file share.
DEM 2006 and newer Agents (FlexEngines) must be configured to enable computer settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs.
- Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. If you use group policy, then make sure the group policy applies to your master image. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at Omnissa Docs.
- Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2406-10.13-GA\VMware Dynamic Environment Manager Enterprise 2406 10.13 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general
Do the following to enable Computer Environment settings in the DEM Console:
- In the DEM Management Console, at the right side of any ribbon, click Configure.
- At the bottom of the General tab, check the box next to Computer Environment.
- A new Computer Environment ribbon is added. DEM 2009 and newer have Startup Tasks and Shutdown Tasks.
- With ADMX-based Settings highlighted on the left, click Manage Templates in the ribbon.
- At the bottom of the window, click Add Folder.
- If you have PolicyDefinitions in your SYSVOL, then browse to that. Or you can point it to C:\Windows\PolicyDefinitions. Click OK.
- Click OK after import is successful. DEM copied the .admx files into the DEM Config share. You can run this again any time to update templates.
- With ADMX-based Settings selected on the left, click Create in the ribbon.
- At the bottom, click Select Categories.
- Select a category where your setting is located and click OK.
- At the top of the window click Edit Policies.
- Only the settings for your chosen categories are shown. Configure these settings the same way you would configure them in group policy. Then close the window.
- DEM shows the configured settings.
- On the Conditions tab, you can add conditions. Obviously the user-based conditions will not be available for computer-based settings.
Personalization and DEM Templates
Omnissa has provided a list of Personalization Templates to simplify your configuration.
- To save user settings at logoff and restore at logon, you must specify the settings to save. Easy Start created a bunch of configurations on the Personalization ribbon. Note: DEM 9.11 adds a Search box to this ribbon.
- You can see what settings these save. On the tab named Import / Export, on the top right, click Manage, and then click Expand.
- Click Yes to expand it.
- After reviewing the config, click a different Personalization setting, and then click No to not save your changes.
- Click Yes to expand it.
- To save more profile settings at logoff, on the ribbon named Personalization, select a folder (or create a new folder), and then click Create Config File.
- A wizard appears. You can use one of the built-in Windows Common Setting or Application Templates. Or you can create your own.
- DEM 9.10 and newer have a Windows Common Setting named Default applications – File type associations and protocols. For details, see Ivan de Mes at Managing File Type Associations (FTA) natively using Dynamic Environment Manager.
- Also enable the GPO setting Do not show the ‘new application installed’ notification at Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer.
- To avoid a delay in applying FTAs after login, Omnissa 83679 recommends setting HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Serialize\StartupDelayInMSec (DWORD) = 0.
- Also enable the GPO setting Do not show the ‘new application installed’ notification at Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer.
- UEM 9.4 and newer have a Windows Common Setting for Windows 10 Start Menu – Windows 10 1703 and higher
- DEM 9.10 and newer have a Windows Common Setting named Default applications – File type associations and protocols. For details, see Ivan de Mes at Managing File Type Associations (FTA) natively using Dynamic Environment Manager.
- Download a template and import it.
- In the DEM Console, on the Personalization tab, click the Configure button to locate your DEM Configuration file share.
- Extract the downloaded templates to the General\Applications folder in the DEM Config Share.
- The downloaded template should then show up in the Personalization tab under the Applications folder. If you don’t see it, click the Refresh Tree icon.
- In the DEM Console, on the Personalization tab, click the Configure button to locate your DEM Configuration file share.
- DirectFlex – to speed up logins, enable DirectFlex whenever possible. Instead of restoring the files during logon and thus delaying the login, DirectFlex restores the settings on-demand when the user launches the application. DirectFlex can be enabled on most application configurations. However, Windows settings (e.g. Start Menu) should be loaded during login rather than on-demand after login.
Additional DEM Configuration
- VMware Blog Post VMware User Environment Manager, Part 2: Complementing Mandatory Profiles with VMware User Environment Manager details the following:
- Personalization Settings (what settings are roamed)
- Predefined App Settings
- User Environment Settings (shortcuts, drive mappings, and so on)
- Active Directory Attribute References – DEM 2009 and newer support Active Directory Attribute References like %{AD$extensionAttribute8}%\%username%\Archives.
- ViewClient Property References – DEM 2009 and newer support ViewClient Property References in the %{ViewClient_propertyName}% format.
- File Type Associations – Ivan de Mes Export/Import File Type Associations (FTA) successfully using UEM uses GetUserFTA.exe and SetUserFTA.exe to backup and save file type associations at logoff and logon.
- Start Menu – Customize Windows 10 Start Menu Layout via UEM and App Volumes.
- Predefined settings – Fabian Lenz has a series of articles on Predefined settings in UEM:
- Predefined settings (Basic concepts) explains the four types of Predefined Settings.
- Predefined settings – Deep how-to (Internet Explorer) explains how to use Application Profiler, or a regular user DEM profile archive, to create Predefined Settings.
- Predefined settings – Dynamic Placeholder explains how to use environment variables in Predefined Settings.
- Predefined settings (Basic concepts) explains the four types of Predefined Settings.
- ThinApp – To integrate ThinApp with UEM, configure DEM to save the application’s setting (e.g. AppData, HKCU registry key). You can use Application Profiler to identify these settings locations. Then configure ThinApp with Merged Isolation Mode for those locations. Also enable DirectFlex.
- Run Once – Omnissa 2146336 Run Once option behave differently in combination with a Local User Profile: The Run Once option for DEM configurations, such as shortcuts, has no effect when a Local User Profile is used. As a result, the UEM configuration runs at each login. To work around, set the
RunOnceSpecial
attribute in DEM XML configuration files.
User Environment Manager 8.7 and newer has a UEMResult feature that lets you see what settings were applied to the user. The .xml file is only updated at logoff. To enable for a particular user, go to the user’s Logs folder and create a folder named UEMResult. At logoff, DEM will put an .xml file in this folder. More information at Omnissa Docs.
From Omnissa 2113514 Enabling debug logging for a single user in VMware Dynamic Environment Manager: To configure FlexEngine to log at debug level for a single user, create an empty FlexDebug.txt file in the same folder as the standard log file for this user. This triggers FlexEngine to switch to debug logging for this particular user.
DEM Application Profiler
This tool cannot be installed on a machine that has FlexEngine (aka DEM Agent) installed:
- .NET Framework 3.5 is required.
- In the Dynamic Environment Manager files, in the Optional Components folder, run VMware DEM Application Profiler 10.6 x64.msi. DEM 2406 (10.13) includes version 10.6 of the Profiler.
- In the Welcome to the VMware DEM Application Profiler Setup Wizard page, click Next.
- In the End-User License Agreement page, check the box next to I accept the terms and click Next.
- In the Custom Setup page, click Next.
- In the Ready to install VMware DEM Application Profiler page, click Install.
- In the Completed the VMware DEM Application Profiler Setup Wizard page, click Finish.
You may now use the tool to determine where applications store their settings and export a default application configuration that can be pushed out using Dynamic Environment Manager.
- See Omnissa Docs for details.
- vDelboy VMware User Environment Manager Application Profiler has an overview of the process.
- VMware Blog Profiling Applications with VMware User Environment Manager details how to use Application Profiler to determine where Chrome settings are stored and upload that configuration to Dynamic Environment Manager.
DEM Support Tool
vDelboy – VMware UEM Helpdesk Support Tool
Do the following to configure the environment for the support tool:
- In the Dynamic Environment Manager Console, click the star icon on the top left, and click Configure Helpdesk Support Tool.
- Click Add.
- In the Profile archive path field, enter the user folder share (the same one configured in Dynamic Environment Manager GPO). At the end of the path, enter \[UserFolder]\Archives.
- Check the other two boxes. The paths should be filled in automatically. Make sure they match what you configured in the Dynamic Environment Manager group policy object. Click OK.
- Click Save.
- Omnissa recommends creating a new GPO for the Support Tool. This GPO should apply only to the support personnel.
- On the Scope tab, change the filtering so it applies to DEM Support and DEM Admins. If this GPO applies to machines with group policy loopback processing enabled, then also add Domain Computers.
- Edit the GPO.
- Go to User Configuration | Policies | Administrative Templates | VMware DEM | Helpdesk Support Tool.
- Double-click the setting DEM configuration share.
- Enable the setting, and enter the path to the DEMConfig share. Click OK.
- Consider enabling the remaining GPO settings. Read the Explain text or refer to the documentation.
Do the following to install the support tool.
- .NET Framework 3.5 is required.
- Some support tool functions require the FlexEngine (aka DEM Agent) to be installed on the help desk machine.
- In the extracted Dynamic Environment Manager files is an Optional Components folder. From inside that folder run VMware DEM Helpdesk Support Tool 2111 10.4 x64.msi. This tool was not updated for the DEM 2406 (10.13) release.
- In the Welcome to the VMware DEM Helpdesk Support Tool Setup Wizard page, click Next.
- In the End-User License Agreement page, check the box next to I accept the terms and click Next.
- In the Destination Folder page, click Next.
- In the Ready to install VMware DEM Helpdesk Support Tool page, click Install.
- In the Completed the VMware DEM Helpdesk Support Tool Setup Wizard page, click Finish.
Once the Helpdesk Support Tool is installed, you can launch it from the Start Menu, search for users, and then perform operations on the archives.
Related Pages
- Back to Omnissa Horizon 8
Hi,
In Horizon 7, we have used Linked Clones with Floating Assignment, and Persona Management to keep the users’ settings (like favorites in Firefox, Chrome, desktop files, taskbar settings, application settings, autostart settings and so on).
Is it even possible to do this in Horizon 8 Standard, using Instant Clones and DEM? i have poked around a bit in the DEM (Standard) Management Console, but don’t understand how to configure it to resemble the Persona Managemant settings we use in Horizon 7.
I recommend FSLogix instead of DEM Profiles.
Thanks!
..or is maybe FSLogix better for our needs (to resemble the Persona Management-settings capabilities)?
Hello Carl,
If I use DEM’s Silo Support option, is there any special configuration I need to do to use the Helpdesk Support Tool?
I’m asking because I’ve got everything set up as described, but when I start the application I can search for my users, I can see the logs for those users, but I can’t see the zip files. I thought it might be a rights issue, but here too, if I go with Windows Explorer to the same path, I see all the zip files.
Thanks in advance for your reply.
Hi Cal,
Ever since I upgraded DEM from 2009 to 2312, my User Environment options have shrinked. I am referring to where you can add Horizon Smart Policies and drive mappings. I currently only have drive mappings, folder redirection, login tasks, logoff tasks, and printer mappings. I am missing a critical piece to configure Smart Policies and I do not see it. Any help is appreciated.
Did you install DEM Standard Edition instead of DEM Enterprise Edition?
Hey Carl,
We have an app pool for our Help Desk and trying to find a way to make it so they can run admin apps (ADUC, LAPS, Print Management, etc.) using their admin accounts. They come in using non-admin accounts externally, and we have these apps available, but trying to figure out a way so they can basically do a “run as” and enter the admin creds. Tried VM Support and they didn’t have a way. Could you think of something that would work?
Publish a desktop? Does publishing Explorer help? Explorer can point to the Start Menu folder.
Hi Carl,
We have built out the Horizon 8 environment and just making some final tweaks before we deploy into production. Shared drive and printer mappings are done through GPO. One of the challenges we are facing is that we have one-off users who map network drives or shared network drives. In our tests, manually mapped drives and shares are not persistent and go away once the user logs off. Is there a way to prevent this prom happening?
Are roaming profiles configured? I recommend FSLogix.
Good afternoon Carl,
We have a customer using Horizon non-persistent RDSH sessions integrated with DEM and AppVols.
We are trying to achieve persistency in Teams/OneDrive credentials across RDSH sessions using DEM, but nothing seems to work.
VMware support is trying to help us for months with no success as when a user logs to a different RDSH server from time to time it asks again for credencials or returns an error.
I attach the best Teams DEM config that we have tested applied for a set of users:
[IncludeFolderTrees]
\Teams
\Microsoft\Teams
[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\
On the other hand, we have tested FSLogix Apps with DEM agent removed but we are not able to retain user credentials. I attach redirections.xml:
AppData\Roaming\Microsoft\Teams\media-stack
AppData\Local\Microsoft\Teams\meeting-addin\Cache
AppData
LocalAppData
A colleague of mine have read that the problem could not be within DEM or FSLogix but in Teams/OneDrive themselves, as Microsoft has changed the way that credentials are saved.
Can someone put some light in this weird behaviour?
Thank you.
Useful info:
Windows Server 2022 21H2
DEM 2209
AppVols 2303
Horizon 2303
FSLogix Apps 2.9.8612.60056 (Latest version)
Teams 1.6.0.22378
Try this – https://communities.vmware.com/t5/Dynamic-Environment-Manager/DEM-template-for-Office-365-is-insufficient/m-p/2905802/highlight/true#M7618
Hi Carl good morning,
We have added the two registry keys mentioned in the communities but we’re still having users being asked for credentials:
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
“DisableADALatopWAMOverride”=dword:00000001
“DisableAADWAM”=dword:00000001
Is it possible that the problem resides in the Teams application itself and not in DEM or FSLogix?
VMware Support does not seem to know what’s going on, they are telling us to add or remove lines in the [IncludeFolderTrees] but they don’t have a clue.
Anything that pops out of mind?
Thank you.
Hi Carl – I have a brand new Horizon 8 instant clone environment that uses FSLogix for profile containment. I’ve added DEM solely to handle a logon task to target a specific group of users to have the VMWare Printer Redirection Service turned on when they log in. They are WFH users and we want them to be able to print to their home printers. Everyone else who works in the office has physical printers in their office locations pushed via GPO. After setting up DEM and installing the agent, the log on script isn’t working and some very basic test stuff like adding the README.txt file aren’t working. Additionally, all users are now getting the error message with the following title: “VMware Dynamic Environment Manager” Error message states: “Archive argument is missing” I’m at a loss; I can’t find anything using Google Fu on how to correct this issue. I had this working in a test pool several months ago without issue. Nothing has changed that I’m aware of.
Did you configure the GPO to specify the path to the DEM Profiles file share? DEM group policy settings are in the User half so make sure group policy loopback processing is enabled.
Hi Carl – We’ve recently implemented Horizon Next Gen(V2) on Azure, and We are planning to configure DEM, User Writable, Profile Redirection, and Roaming Profiles for Horizon Next Gen Windows 11 floating machines. The requirement is to set up these profiles on an Azure file share instead of a Windows server. Could you please provide guidance or any relevant documentation on the steps to configure DEM, User Writable, Profile Redirection, and Roaming Profiles on an Azure file share? Your assistance is greatly appreciated.
I assume all you need is to join Azure Files to your domain. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable
We are setting up the same.
Follow https://learn.microsoft.com/en-us/azure/virtual-desktop/fslogix-profile-container-configure-azure-files-active-directory?tabs=adds if you are using FSLogix (or want to setup the file share for other profile types).
I don’t think Writable is supported on Next-Gen, but App Volumes is.
For DEM what we are trying is to create another Environment on our on-prem DEM console and point to the Azure file share.
Hi Carl, I have configured folder redirection for appdata via DEM, however, the folder “Local”, “LocalLow”, and “Roaming” is not there. Any idea?
What do you see in the user’s DEM log?
AppData usually only redirects the Roaming folder. Note that redirecting AppData usually incurs performance problems.
So far not found any error from the log.
Does it have any specific path or symbols that need to be input?
https://kb.vmware.com/s/article/2113514
Hi Carl
thank you for your excellent article.
Recently, I implemented Horizon and DEM based on the 2303 version. we need to protect our VDI desktops according to DLP policies. so by DEM, I created a policy that blocks “Drag and drop, client drive, clipboard, USB, Web and Chrome file transfer”. everything that I wanted to block is blocked but on the horizon client side, Drive & folder sharing, “Global sharing” is not working according to policy so it is nice, BUT on the “Exclusive sharing” Tab, the user can share local storage drives.
So, How can I Block this type of drive sharing?
Thanks
We are facing issue with windows login time (20-30 mins) for few users in instant clones. Any suggestions? Only DEM is configured.
Have you setup exclusions with your AV software? Don’t have the link off hand but you can find it easily.
Here the problem is only for 2-4 users and other 300 users don’t have any issue. Issue only for few users. Could you please suggest what need to be check in this situation? Thank you!
Create FlexDebug.txt in the user’s log directory and then examine the user’s log after the user logs in. https://kb.vmware.com/s/article/2113514
Why is it that after installing Dynamic Environment Manager, in the management interface, open any tab, and the interface “does not show buttons”
Are you saying that the ribbon is not showing anything?
Did you install the Enterprise version of DEM?
One of the (very old) known issues mentioned in the release notes is that on some Asian versions of Windows operating systems, button text cannot be displayed.
Does it work if you launch the Management Console with the “/NoScale” command-line argument?
We are seeing DEM taking forever to load on a users profile, it was fine but now random people get stuck waiting for DEM and can take 4 hours for it to log in. I have seen this in the logs of a user where it fails. Do you know what this means and what the problem would be?
Error 1788 looking up group domain\group name – falling back to group’s SID
It hangs for a minute on each one of these and when you have about 400 to check through you can see why its taking 4 hours to log in.
However, some users log in and it goes straight through and finds the groups no problem.
Hi Graham,
For most common Windows error codes we try to log a friendly message, but I hadn’t come across 1788 before. That’s “The trust relationship between the primary domain and the trusted domain failed.”, which should give you an indication how to troubleshoot.
I’ll add a friendly message for this error code in a future release – thank you for pointing this out.
Carl,
I am new to using DEM (we are still implementing). I use network locations rather than Mapped Drives. I have been trying to get these to sync but I am having no luck and need to redefine them at each logon. Do you have any suggestions on how to do this? I want the network locations to show up in Folder Explorer under My PC
Are you creating shortcuts in %AppData%\Microsoft\Windows\Network Shortcuts? Or are you running a script to create them?
I have a script that I manually run. It ends up creating short cuts in %AppData%\Microsoft\Windows\Network Shortcuts. These do not sync. I have also opened a session and just copied the shortcuts into the %AppData%\Microsoft\Windows\Network Shortcuts locations and I get the Network Locations to show up. They again do not sync, so they are not there when I reconnect. I want to also let you know that I am not an IT professional if any of this sounds like an amateur, it is with good reason.
Your DEM has Personalization settings configured? Do any of your Personalization configurations include %AppData%\Microsoft\Windows\Network Shortcuts?
Yes, I have Personalization settings configured.
I have a configuration that I was using as a test that has [IncludeFolderTrees] \Microsoft\Windows\Network Shortcuts in Import/Export, but that does not seem to do anything. I have also tried to include %AppData%\Microsoft\Windows\Network Shortcuts in Folder Redirection. That did not work either.
Try <AppData>\Microsoft\Windows\Network Shortcuts
You can also try flexdebug.txt https://kb.vmware.com/s/article/2113514 to log the configuration file applying.
Sorry, I did have [IncludeFolderTrees] \Microsoft\Windows\Network Shortcuts. I will try the FlexDubug.txt
Hi Carl. Thank you for this detailed configuration. Is there a way to get SSO working for internal sites, or sites like O365 using DEM? I’m always getting prompted with login when I try to get to share point and other sites that work fine with my work laptop.
Is Seamless SSO enabled in your Azure AD Connect? Or are your machines Azure AD Hybrid Join? https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
Unfortunately, we do not have Seamless SSO enabled.
We have enabled Seamless SSO and tested to confirm it works on myapps.Microsoft.com, and it works, but I’m still prompted every where else.
Hi Carl! Thanks a lot for your work in this!
I have the following question: How can I hide the local profile folders when I’m using Folder Redirection?
When I click on the “favourite” shortcut of “documents” it shows me the correct redirected profile I made with DEM. But when I go to C:/users/user01 it shows me all the profile folder and they are local (not redirected to the File server) So when a user put any information there, it’s lost. How can I hide those folders?
Thanks!
Maybe a login script to delete those folders.
Ok! I will try that! Thanks a lot
Hi Carl,
We are using DEM on MS terminal servers (Vm’s)
Currently we are using 10.1 (2009) without any problems on the W2016 vm’s
When we upgrade to 10.2 (2103) al is working fine
When we upgrade to 10.3 (2116) al is working fine
When we upgrade to 10.4 (2111) at logoff nothing is saved to the VMware-UEM folder
When we upgrade to 10.5 (2203) at logoff nothing is saved to the VMware-UEM folder
When we remove 10.4/10.5 and install 10.1/10.2/10.3 all is working fine
(same problem occurs when running the command manual)
At debugging there is only 1 rule in the log:
2022-07-14 12:30:12.433 [DEBUG] Skipping legacy path-based export
How is your DEM logoff script configured?
Same like it was in 10.1
GPO -> logoff ->FlexEngine.exe -s
Hi MikeT,
I got the same issue like you described. Old version 2106 works fine.
Seems like Flexengine.exe -s is not supported anymore.
I could see this issue in the moment only on our instant clone pool.
Here’s a thread – https://communities.vmware.com/t5/Dynamic-Environment-Manager/DEM-2111-Intermittently-fails-to-load-profiles/td-p/2901023
So if Flexengine.exe -s is not supported anymore what to use at logoff?
{DEM 2206 (aka 10.6) has the same issues}
Support Request is openen, but the response is very slow
Look here –> https://docs.vmware.com/en/VMware-Dynamic-Environment-Manager/2206/dynamic-environment-manager2206-install-config.pdf
–> Any logon and logoff scripts used to launch FlexEngine.exe can be removed.
–> Run FlexEngine at logon and logoff Group Policy
This is new. You don’t need a separate logoff script anymore. But this shouldn’t be an issue when still exist.
I opened also a ticket at vmware why it doesn’t work on our pool. I have a remote session on Thursday.
Hello Eric,
Where you able to solve the case with het support of VMWare?
Im sending them a lot of information all the time (logs, eventlog, procmon) but still did not find any solution
Tested the 10.6 wit the same error results
Hi MikeT,
yes I could fix it (without VMware). It was my fault. I had a logoff task (in DEM) which never finished because I cleaned up to much in my golden image 🙁 . So after disable this DEM task everything works like before the upgrade.
I didn’t change my GPO settings but I inserted the newer DEM GPO bundle to my domain.
If you like we can get in touch.
Hi Eric,
I think we did all that.
We never used a script only GPO login/logoff.
Would like to get in touch. (but how)
Found the solution together with the VMWare team.
In the past Drive shares (in GPO) where working: Z:\VMWare-UEM
After 10.4 (2111) release this is not working anymore.
Now using UNC-paths is mandatory: \\Server\User\VMWare-UEM
Hey Carl!
Maybe you know this from the top of your head: isn’t a bookmark from Microsoft Edge browser synchronized automatically along with the profile data?
I have a couple of servers users can connect to (5 in total). If you store a new bookmark, log off, log on again to a different server that bookmark does not exist, only if you come back to the server previously connected to …
In an earlier reply (https://www.carlstalhood.com/vmware-user-environment-manager/comment-page-2/#comment-14388) you mentioned community provided solutions (= templates). Sorry to ask to bluntly, but where do I find these or how are these implemented? I just realized after more than two years of working with a basic DEM setup I’ve never done this before. Thank you very much for the blog!
Here’s a thread for DEM with Edge – https://communities.vmware.com/t5/Dynamic-Environment-Manager/Edge-Chromium-template/td-p/2230674
Great – I will look into it, thank you very much!
Hi Carl!
Not that it would be super interesting, but as this is really a very basic task I created both a log on and a log off task and file copied the “bookmarks” file from Edge to the user share and back – so it’s being synced automatically when logging on or off. This was the nicer approach (for me) as it absolutely doesn’t create any overhead.
In case anyone is interested the file location is this: %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks
Carl, I followed the instructions from VMware and the only hangup I have with Edge Chromium is getting Extensions to install. Is there something else that needs to be done to allow this?
Did you follow this guide? https://www.avanite.com/blog/roaming-edge-chromium
Yes, I went back and tried these instructions once again with the same output. When trying to manually install extensions, I get the error “Could not install package: ‘COULD_NOT_GET_TEMP_DIRECTORY'”
Try running procmon which reproducing the problem to see what is missing.
Are you using profile disks, like FSLogix? By default, %temp% should be located on the C: drive instead of inside the profile disk.
What does %temp% resolve to?
I have an application called chrome that is rolled out to all users through DEM.
I want to make changes to chrome to exclude some file paths.
How do i create a condition that only roll it out to me?
Personalization items have a Conditions tab.
You might have to delete your existing Chrome .zip file so a new file is created with your new exclusions.
If i want to make changes to chrome, there must be a better way rather than deleting the existing chrome.zip file and creating a new chrome.zip and rolling that out to production.
What happens if the new chrome.zip breaks production.How would you roll back to the chrome.zip that worked before?
what is the best way of testing new changes?
You can probably rename it and then rename it back to restore it.
If you are adding exclusions, then I’m not sure how that affects existing profiles that never had the exclusion. If DEM recreates the entire .zip file at logoff, then the new exclusions might apply at next logoff.
Hey Carl,
thanks for all the efforts and time put into your blogs here.
VMware Horizon Cloud on Azure
DEM 2111
Simple ADMX Template to set Desktop Wallpaper
Things are working well, but there are a handful of DEM policies that are not applying.
Flex Engine Log states: ADMX-based settings were not (fully) processed successfully
This leads me to the situation where enterprise User-Based GPOs are already being run using a particular ADMX template.
My DEM policy
is trying to set Desktop wallpaper as well but based on particular environment variables. Well, the Conditions are working great, but the Wallpaper is not applied most likely due to a conflict with an existing enterprise User GPO using this same ADMX Template.
I tried setting loopback to “replace” instead of “Merge” but didn’t seem to help.
Not sure if I have options, or if I need to try to Re-architect the existing AD enterprise GPOs (which may be difficult).
Any Way that DEM can overwrite, or take precedence over existing ADMX GPOs in my VDI environment?
The DEM 2111 and newer has an Advanced Setting “Override existing user policy settings”. https://docs.vmware.com/en/VMware-Dynamic-Environment-Manager/2203/com.vmware.dynamic.environment.manager-install-config/GUID-B1A66BEB-A170-4A8A-8E7A-8A1500CFC8C6.html
Wow… Thank you so much for the reply. I can’t believe I did not come across this setting already. I am glad I don’t have to look at any current state active directory re-architecture. Really appreciate the time and quick answer
Hi Kevin,
As of 2111, DEM has an advanced “Override existing user policy settings” configuration setting that does exactly what you’re looking for.
Great thank you very much for the info much appreciated
Hi Carl, thanks for this blog, enjoyed it for years
have you ever seen it where DEM is missing certain things, such as i cant find my ‘import templates button ‘ in this new instance i installed
https://ibb.co/brsvv9D
I just want to add in some onedrive admx files
I think they removed that feature from the latest release. You might be about to go to VMware Communities and search for a DEM configuration file.
Hi Paul, the screenshot you showed is for the Standard Edition, which only supports a subset of the features. ADMX-based settings are only available in the Enterprise Edition.
Great thank you
quick and possibly dumb question. Where is the DEM install taking place? the connection server, fileshare server, or the golden image
The DEM Agent goes on the gold image.
DEM Agents get their configs from a group policy and a file share.
The DEM Console can be installed on any administrator machine. The DEM console creates configuration files in the file share. There’s no DEM Server.
Hi Carl, i’ve got issues with the Logon Tasks in the User Environment in 2111. I’m able to create a subdirectory on the systemdrive under certain conditions, but not to start a browser application. Is this because it’s not possible to start any “interactive” application within a Logon Task, or am i missing certain settings? If it is not possible to start an application with the Logon Task, are there any alternatives?
Hi Carl,
With DEM 2106, you were able to execute the logoff script while the user was still logged in. This was a seamless way to troubleshoot strange issues with settings not persisting, etc. The previous script was “C:\program files\immidio\flex profiles\flexengine.exe” -s. In 2111, I can not figure out how to invoke this logoff script to be sure DEM writes to archives properly. Have you run into this?
Thanks
Hi Carl,
thank you for all your valuable work.
There seems to be a configuration option in DEM 2111 where DEM settings configured using ADMX actually overwrite Group Policy configuration. Based on
https://docs.vmware.com/en/VMware-Dynamic-Environment-Manager/2111/com.vmware.dynamic.environment.manager-install-config/GUID-9843478C-9B1D-42DA-9966-0EF79D7109D1.html
we could create reg key AllowAdmxOverride and set it to “1”.
Did you have a chance to experiment with that?
i can’t figure out if that can be set by individual DEM setting, or is it global setting where either DEM or AD always “wins” .
Do you have any thoughts?
thank you
Hi Goran,
That is a configuration setting for the DEM agent, and takes effect globally.
HI Carl
Can we use DEM to backup Drive as full disk, Is this possabile , or can we did it on App volume, we are in new vdi enviroment and we need to Backup D Drive for all client and we have both app DEM and App voulume?
Can you write logoff/logon scripts to backup and restore?
Another option is to give every user a persistent desktop.
App Volumes Writable Volumes will save changes to C: drive.
Hi carl, can we gave DEM plus Persistent disk both for users? is it possible
Persistent disk is gone from Horizon 8.
There are other disk-type profiles like FSLogix Profile Container, VMware App Volumes Writable Volumes, etc. Liquidware has Profile Disk. But these save C: drive, not D: drive.
May i know how to configure profile container
FSLogix? Here’s a guide – https://www.deyda.net/index.php/en/2019/11/05/fslogix-container-office-profile-in-citrix-environments/
Thank you carl, but can you guide me how to to that please? if there is a link or something i can follow
Hello Carl,I have a query with regards to DEM and FS logix . Actually both solutions are working in my setup . Fs logix is used as profile container where endusrs files, docs and applicaton setting are contained and DEM is for application Personalization and other features. So can i manage profile container through DEM so that i can discard FS logix in my environment.
You usually do DEM Personalization, or FSLogix Profiles, but not both. Pick one or the other. I personally think FSLogix has faster logins and less maintenance than DEM Personalization.
Hi, thanks for the article… always useful stuff.
I’m facing an issue in RunOnce … I configured a logon task which I need it to run once only… I added RunOnceSpecial after RunOnce but still every time the user logs in it runs 🙁
can you advise
Thanks for the document. Request you to help me with document for setting up “Roaming Profile’s” in DEM VMwae Horizon View.
I recommend FSLogix instead of DEM Personalization since FSLogix is faster login and easier to configure. Otherwise, you configure DEM Profiles on the Personalization tab.
Hey Carl,
Would you agree that if you are using the FSLogix Profile piece (aside form just the Office piece) that it pretty much negates the need for the “personalization” tab in DEM (Unless some old app writes outside the profile and needs a custom setting)? As the FSLogix Profile keeps everything (unless you also use the office container separately to separate the Profile/Office bits) there is no need for the basics that the Personalization tab offers.
You can then compliment the FSLogix profile with the User Environment tab to provide customizations to the user’s profile.
As always, great blog and info!
Correct.
Hi Carl, we’re looking at the option of using DEM (standard) in our environment. Am I missing something or are the “triggered tasks”, “files and folders” (and other) options not there? It has some default settings (e.g. desktop shortcuts and a locked screen triggered tasks) that I wanted to remove but can’t find the option for them.
For example, I can only see “Drive Mappings”, “Folder Redirection”, “Logon Tasks”, “Logoff Tasks” and “Printer Mappings” in the User Environment menu – which is listed as the options available to standard users here: https://docs.vmware.com/en/VMware-Dynamic-Environment-Manager/2103/com.vmware.dynamic.environment.manager-adminguide/GUID-E6C0325B-5DC8-4CAB-955B-8CD1BD52537F.html but how do I go about removing the default options put there by DEM?
I’m probably missing something really obvious but if you know that would be great.
Thanks.
Check the file share. They are just .xml files that you can delete from the general\FlexRepository.
Hi Carl
Can I upgrade from UEM 9.6 to DEM 2103?
I followed the sequence to first upgrade the Engine followed by Console, after that the Engine won’t run at all.
I reverted back to snapshot and also, when I run the install wizard the second time to upgrade the Console it won’t give me an option to upgrade, what I get is ‘change’ , ‘repair’ and ‘remove’, I selected ‘change’ and enable to install the Console after which I rebooted and on the login to that machine I don’t see the Engine starting up.
Any ideas what to do here please?
Hi Carl, We are struck while doing the initial stage of config share to the UEM console, can you guide us what was the issue we followed all as per above for DEM,
I am getting error saving configuration file message,.
Does your account have Modify permission to the share and NTFS permissions on the folder?
Hi Carl – can I upgrade from UEM 9.6.0 to DEM 2103? or has to be staged upgrade?
is this the order:-
1. Flex Engine
2. Management Console
3. and update ADMX templates
also, would that work with Horizon 7.7
The interoperability matrix says it should work – https://interopmatrix.vmware.com
Yes, that seems to be the correct upgrade sequence.
Thank you
How to upgrade UEM 9.8 to DEM 2103?
Upgrade all DEM Agents first. Aftwareds, upgrade your DEM Console and DEM Group Policy admx files.
Hi Carl,
I’m using DEM 2103 and Horizon 7.12. I’m having an issue with a triggered task at session reconnect where the “Horizon Client Property – Client Location = External” is set and a batch file should be ran.
It looks like this condition is not picked up until later in the reconnect. If my initial logon location was “Internal” and I disconnect and reconnect to my session from “External” the triggered task does not run.
Do you know of a condition that will pickup the gateway location change at reconnect and run the triggered task?
Thanks for your time.
I saw a similar problem at a customer but I can’t remember how it was fixed. Do you have a Triggered Task to do a User Environment Refresh?
I have a triggered task to refresh smart policies, but no other options are configured in that task. The other one I’m trying to run is a custom command at reconnect.
I guess that the only thing the support tool for dem are doing is delete the files under the userprofile that are created for the that user?
Correct?
For a specific application, yes.
does the FTA configuration let the user choose what the default application be or does the admin assign which application to use? Cause maybe for broswers the user prefer to use firefox instead of chrome.
DEM can save the user’s FTA preference.
If you use SetDefaultBrowser.exe or SetUserFTA.exe, then the administrator is specifying the FTA.
Thank you for the reply. So I don’t need to do this configuration to let the user pick their defaults? I was looking into that setuserfta because they were never saved when the default browser was changed by the user.
And I noticed the dem doesn’t save all the roaming for Microsoft. The folder redirection saved a few things in the appdata\roaming\Microsoft folder but not everything in the folder? Is there something extra thing I have to do in dem to redirect the entire folder? Cause it seem to redirect all other folders in roaming directory.
Hey Carl, Wondering if you have any recommendations when deploying Horizon View with DEM Shares on Nutanix HCI. Any experience with Nutanix Files or DSFR on Nutanix for the share? trying to figure out what would work best in a new deployment as we build it out.
Nutanix Files has a Distributed Share feature to spread the file activity across multiple file controllers.
My preference for roaming profiles is Microsoft FSLogix and Nutanix Files handles FSLogix very well.
Hello Carl. Can you help me? I enable parameter “Show UEM logon and logoff progress information” in GPO, but when I log on as client, I don’t see any progress information. Maybe you know why?
See https://communities.vmware.com/t5/Dynamic-Environment-Manager/Show-UEM-logon-and-logoff-progress-information-with-NoAD-mode/td-p/1781432
The default templates (Office, Adobe Acrobat, Notepad, etc…) are working without issues but when I try to use config templates downloaded from VMware (Firefox, Chrome, etc…) they are not working at all.
What could be the issue? Have I to make any extra configuration with these dowloaded templates?
Thank you!
Hello,
Thank you for your great work, very useful !
I have a question about DEM, in particular the “Import/export” part in “Personalization”
A path like…
[IncludeFolderTrees]
\AppData\LocalLow\Sun\Java\Deployment
…doesn’t work !
i need to roam some data from the LocalLow folder and subfolder.
but after logoff, this mentionned data isn’t roamed in the same path than the original path ! but it’s present in the archive folder !
The common windows settings like:
“Taskbar” or “Start menu” in the “import/export” works very well, i find roaming data in the userprofile.
In the FlexEngine.log everythings seems to be ok, apparently no error.
Import status flag indicates success, so performing export
2021-01-07 12:07:15.563 [DEBUG] Clearing import status flag for next import
2021-01-07 12:07:15.586 [INFO ] Exporting profile using config file ‘EDV-roamAppdata.INI’ (\\LesRP.ch\vdi\UEM-config-EDV\general\EDV-roamAppdata.INI)
2021-01-07 12:07:15.589 [INFO ] Exporting file information
2021-01-07 12:07:15.589 [DEBUG] ExportFiles: Recursively processing folder ‘\AppData\LocalLow\Sun\Java\Deployment’
2021-01-07 12:07:33.771 [DEBUG] ExportFiles: Processing file ‘\AppData\LocalLow\Sun\Java\Deployment\deployment.properties’
2021-01-07 12:07:33.771 [INFO ] Exported file information successfully
I open a case to Vmware, but no idea for this moment
Any idea
Thank you
Daniel
Try adding <UserProfile> before the folder paths.
Hello,
Yes i already tried, but doesn’t work
Sorry in my first post i write “\AppData\LocalLow\Sun\Java\Deployment” it’s a mistake
but i meant…
[IncludeFolderTrees]
\AppData\LocalLow\Sun\Java\Deployment
[IncludeFiles]
\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
These two paths doesn’t work !
and for example, below these paths works !
[IncludeFolderTrees]
\Microsoft\Internet Explorer\Quick Launch
ok strange !
disapear in our exchange in these posts !
I think WordPress treats the < and > as HTML tags. You can change the < to
& lt;
(without the space) to preserve them.Sorry Carl,
When i write you, the begining of the path (Userprofile) disappear in my reply
Hi Carl,
I have configured a DFS-N share for DEM Profile and Config files (Mesh Topology). I am not using DFS-R, since it only be used for the configuration share, and – if used – must be configured in hub and spoke topology.
The storage for DFS-N is being replicated using the storage array at the backend on hourly basis (NetApp). I have two Windows files servers one at each site.
Do you think I am missing anything? thanks for all the help
Do you have two active sites? Or is this just for DR?
For DEM Config, you can simply robocopy the files between file servers in each site.
For DEM profiles, I prefer to pin users to specific sites and have their data only in that one site. If that site dies, then have a VM backup/restore method to restore that site’s file servers in a different site. No DFS needed.
I have two active sites behind GLSB with a plan to deploy one DFS-N server per site. Storage is being replicated in the backend (NetApp) between the sites.
Are you doing “home sites”, which is recommended? If so, then configure the Horizon Agent machines in each site to use a file server in the local site. Then backup/replicate/restore the individual file servers instead of using DFS Replication.
Wow, the plan was to have configurations done on one site replicated to the other site as active/Active.
In this case, it looks like we have to go the HUB and Spoke model, but am new to this so still try to figure things out, and confused as DFS-R is not supported in certain DEM configurations.
For DEM configurations, just use robocopy to copy them to a file server in each site. This lets you avoid DFS Replication.
For DEM user settings, it’s important that you never allow the files to be updateable on two file servers at the same time and expect them to merge the settings. Only one file server should be writable. An easy way to ensure this is to only have one file server and rely on VM backup/replication/restore instead of DFS merge replication.
After going through techzone, it appears that I need to setup a hub and spoke (Centralized configuration share) DFS.
Then have the namespace link to only one active server. failover will be manual in case of an outage
https://techzone.vmware.com/resource/dynamic-environment-manager-architecture#configuration-share
Hi Carl,
how can we prevent that DEM is working on Administrator account? In the NO-AD Mode you can configure it in the .xml file. Is there a way to do it in GPO mode?
You could put conditions on all items.
Or try FlexDisable.txt. https://kb.vmware.com/s/article/2138928
Or just target your DEM GPO in such a way that it does not apply to admins? In my understanding (but I’m a developer and not an IT pro 🙂 that’s pretty common, no?
I keep forgetting that DEM Settings are in the user-half of the GPO. 🙂
Hi Carl,
We are using VMware Horizon 7.12 and DEM 9.11 with dedicated linked clones. We also have Microsoft FSLogix. We are seeing a strange issue where DEM does not apply any settings after a desktop is restarted. It does not create any logs as well. After a login, if we logoff from the desktop (not a reboot), it start working from the next logon onwards (it also starts creating logs). Again if we reboot, it worn’t work just after the reboot until we logoff again.
This is the exact issue mentioned in the comments of the thread Let’s troubleshoot User Environment Manager (#UEM) 9.X: How to avoid errors during the installation – vLenzker by TJ Derrick. He resolved it by setting the GPO “System\Logon\Wait for network” but we have installed DEM in NoAD mode, so I don’t this this setting will make any difference.
Any thoughts on why this strange behaviour?
Hi Carl,
Thank you for your great article !
I have a little problem with DEM 2006, in the DEM console i can’t see the “ADMX-based setings” feature in the USER ENVIRONNEMENT tab
Any idea
Thank you
Daniel
Which edition of DEM?
Hi Carl!
Great Job!
Is it possible that only the enterprise edition had this featuers?
We got the the Sandard Editon and dont have the ADMX-based settings, also the Flex Config Path Option is called “VMWare DEM Agent Configuration” ?
Is that the difference between standard and advanced?
regards
https://docs.vmware.com/en/VMware-Dynamic-Environment-Manager/2103/com.vmware.dynamic.environment.manager-adminguide/GUID-E6C0325B-5DC8-4CAB-955B-8CD1BD52537F.html. lists the features in Standard Edition. I don’t see ADMX in the list.
I suspect they created a new .admx template for Standard Edition, which gave them a chance to rename the setting.
Hi Carl,
Vmware techzone article removed the mandatory profile recommendation that they had earlier so do you have any recommendation on how profiles should be configured now ? Also, since we started using local profiles login times became went from 40 seconds to 3 minutes when login through horizon client but the weird part is when I tried to login using vsphere client it was still around 40 seconds. Not sure why such a huge difference. I couldn’t find anything like that on online blogs so I am wondering if you ever encountered something like this. Thanks.
My preference is FSLogix for Profiles. Assuming you have the disk space for it.
Thanks Carl. Do you have any ideas about why would horizon client take longer time than vsphere client ?
First time login seems to always takes a few minutes. Your faster login might be because the profile was already created on the machine and it didn’t revert (go away) at reboot.
We are about to deploy DEM in our second data center. How can we sync DEM between both sites?
They’re just files. You can copy the folders/files to the other data center, share it, and point DEM console to the new path.
In DEM Console, click the star icon to configure environments and switch environments. Many screens have an Import button where you can import a config from a different environment.
Hi Carl
thanks for the post ,
I run into situation in our VDI environment , where user save settings on Office 2016 application , part of the setting are saved on the DEM-USER share appdata folder and some of them are saved on the local hard drive of the VDI machine (therefor erased upon logout since it an instant clone pool)
where in the DEM manager can it be fixed
Did you add Office to the Personalization tab in DEM Console?
Hi Carl,
I am new to DEM. I using VDI environment. I log into my VDI and map my network printer. But when I log out and log back in the printer disappeared. I have to remap the printer again everytime. I am using Horizon 7.12.
In DEM > Personalization ribbon, did you add a configuration file that saves Network Printers? If you Create a Config File, select Windows Common Setting, and Printers is an option.
Hi Carl,
Great articles, we have recently implemented Horizon 7 in our environment, most things seem to be working fine but I find that users appdata or profile for Chrome and Outlook does not save after users log out and log back in. It keeps on resetting the profile data (i.e. Outlook and Chrome would need to run initial setup / welcome page and never saves anything including bookmarks created each time you log back in). Is there a way to fix this in DEM or fslogix will need to be setup?
Thanks!
DEM requires per-app configurations of what to save at logout. It takes time to configure it, test it and fix it. There are templates in the VMware Communities for common applications.
If you think it’s configured correctly, then enable debug logging using the FlexDebug.txt file to see if DEM is properly saving and restoring the .zip files.
FSLogix is “set and forget” since it captures the entire profile. There’s no need to configure it for each application like you do in DEM. However, FSLogix has difficulty with concurrent access to a single profile.
Hi Carl,
We are trying to implement office 365 on windows 10 1909 with DEM. Can you help us with the sample DEM configuration by which we can activate Office 365 and also able to persist outlook profile. Thanks.
DEM Personalization has built-in templates for Office. Have you tried them?
Otherwise, I usually prefer FSLogix for roaming profiles. You can do full Profile Container, or just the Office Container. See https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#fslogix
Thanks Carl, But is it the recommended way to provision Office 365 to Horizon instant clones ?We are trying to install office 365 base components on the master image and appstack Viso and Project so we can assign them only to the users who need them. Thanks.
I usually put all Office components on the base image to avoid licensing issues. You can use NTFS permissions to control access. Or FSLogix App Masking can hide applications.
Hi Carl,I have a legacy application which requires details of VDI client session hostname to function.The application requires an ini file updated in VDI session with vdi client host machine hostname every-time I switch host machines. For example if open vdi session on “thinclient01”, C:\app.ini is updated with {hostname = thinclient01}, if I move to another office on “thinclient99”, c:\app.ini is updated with {hostname=thinclient99}. The user does not logout. Can this be archieved using DEM.
DEM has Triggered Tasks where you can run a script at reconnect.