VMware User Environment Manager 9.2.1

Last Modified: Oct 14, 2017 @ 10:06 am


This post applies to User Environment Manager versions including: 9.0, 9.1, and 9.2.1.

💡 = Recently Updated

Upgrade 💡

If you are performing a new installation, skip to the Installation Prerequisites section.

When upgrading an existing installation of User Environment Manager, upgrade the FlexEngine on the Horizon Agents first.

From UEM Upgrade 8.7 to 9.2.1 at VMware Communities: The newest FlexEngine (v9.2.1) can still interpret the INI files from v8.7. After your clients (FlexEngine) have been upgraded, you can upgrade the management console, which allows for new options, like elevated privileges and others, which (when enabled) can now be correctly interpreted by the upgraded clients (FlexEngine). After that, update the ADMX files.

Installation Prerequisites

Before performing the procedures detailed on this page, make sure you’ve imported the UEM ADMX templates, created the GPOs for Horizon, and configured the Horizon GPOs for User Environment Manager.

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Mandatory Profile

Mandatory Profile Creation instructions:

If you want to use User Environment Manager with a Mandatory Profile then follow these basic instructions to create the mandatory profile.

Note: these instructions no longer work in Windows 10 1703. See James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703) for updated instructions.

  1. The mandatory profile is stored in a sub-folder of a file share. Either identify an existing file share (e.g. UEMConfig) or create a new file share.
  2. Log in to the Horizon 6 Agent machine as a template account. Do any desired customizations. Log off.
  3. Make sure you are viewing hidden files and system files.
  4. Copy C:\Users\%username% to your fileshare and rename the folder to mandatory.v2 or something similar. It is important that .v2 (or .v3 or .v4 or .v5 or .v6 depending on the operating system version) is on the end of the path. (e.g. \\fs01\UEMConfig\mandatory.v6).
  5. Note: the mandatory profile must be a subfolder of the file share. You cannot share the mandatory profile directly.
  6. You can copy C:\Users\Default instead of copying a template user. If so, remove the hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  7. Rename \\fs01\UEMConfig\mandatory.v6\ntuser.dat to ntuser.man.
  8. Delete the NTUSER.DAT log files.
  9. Open the AppData folder and delete the Local and LocalLow folders.
  10. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  11. Open regedit.exe.
  12. Click HKEY_LOCAL_MACHINE to highlight it.
  13. Open the File menu and click Load Hive.
  14. Browse to the mandatory profile and open NTUSER.MAN in the Mandatory profile folder.
  15. Name it a or similar.
  16. Go to HKLM\a, right-click it and click Permissions.
  17. Add Authenticated Users and give it Full Control. Click OK.
  18. With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ for some suggestions.
  19. Also see How to create a Windows Server 2012 / Windows 8 Mandatory Profile for more profile cleanup.
  20. Highlight HKLM\a.
  21. Open the File menu and click Unload Hive.
  22. Create/Edit a GPO that applies to the Horizon 6 Agents and configure the following GPO settings:
    • Computer Configuration | Policies | Administrative Templates | System | User Profiles
      • Do not check for user ownership of Roaming Profile Folders = enabled
      • Set roaming profile path for all users logging onto this computer = \\fs01\UEMConfig\mandatory (Do not include the .v6 in this path)
    • Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles
      • Use mandatory profiles on the RD Session Host server = enabled
      • Set path for Remote Desktop Services Roaming User Profile = \\fs01\UEMConfig\mandatory (Do not include the .v6 in this path)
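
Steps 7-9 and 11-21 above can be scripted once the profile folder has been copied to the share (step 4). The following PowerShell is an added example, not part of the original post or of any VMware tooling; the function name `Convert-ToMandatoryProfile` and the `-KeepLocalLow` switch are made up for illustration, and it assumes an elevated session with write access to the share.

```powershell
#Requires -RunAsAdministrator
# Added example: scripts steps 7-9 and 11-21 for a profile folder already copied to the share.
# Convert-ToMandatoryProfile and -KeepLocalLow are illustrative names, not VMware or Microsoft tooling.

function Convert-ToMandatoryProfile {
    param(
        [string]$ProfilePath = '\\fs01\UEMConfig\mandatory.v6',  # example path used on this page
        [string]$MountName   = 'a',                              # temporary hive name under HKLM
        [switch]$KeepLocalLow                                    # step 10: keep Java settings
    )

    # Step 4: the folder name must carry the profile version suffix.
    if ((Split-Path -Leaf $ProfilePath) -notmatch '\.v[2-6]$') {
        throw "Folder name must end in .v2 through .v6: $ProfilePath"
    }

    # Step 7: ntuser.dat -> ntuser.man (-Force because the file is hidden).
    $dat = Join-Path $ProfilePath 'ntuser.dat'
    $man = Join-Path $ProfilePath 'ntuser.man'
    if (Test-Path -LiteralPath $dat) { Rename-Item -LiteralPath $dat -NewName 'ntuser.man' -Force }
    if (-not (Test-Path -LiteralPath $man)) { throw "No ntuser.dat or ntuser.man in $ProfilePath" }

    # Step 8: remove the NTUSER.DAT log and transaction files left beside the hive.
    Get-ChildItem -LiteralPath $ProfilePath -Force -File |
        Where-Object { $_.Name -like 'ntuser.dat*' } |
        Remove-Item -Force

    # Step 9: drop AppData\Local and, unless asked otherwise, AppData\LocalLow.
    # rd removes junctions inside these folders without following them.
    $drop = @('Local')
    if (-not $KeepLocalLow) { $drop += 'LocalLow' }
    foreach ($name in $drop) {
        $dir = Join-Path $ProfilePath "AppData\$name"
        if (Test-Path -LiteralPath $dir) { & cmd.exe /c rd /s /q $dir }
    }

    # Steps 11-15: load the hive under HKLM\<MountName>.
    & reg.exe load "HKLM\$MountName" $man | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $man" }

    $key = $null
    $granted = $false
    try {
        # Steps 16-17: give Authenticated Users (S-1-5-11) Full Control on the hive root,
        # inherited by subkeys, as the Permissions dialog does.
        $rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
            $MountName,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            $rights)
        $authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $authUsers, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl = $key.GetAccessControl()
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)

        # Read the ACL back so a silent failure does not end up in the published profile.
        $granted = @($key.GetAccessControl().GetAccessRules(
                $true, $false, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq 'S-1-5-11' -and
                           $_.RegistryRights -eq 'FullControl' }).Count -gt 0
    }
    finally {
        # Steps 20-21: release every handle, then unload, or the hive file stays locked.
        if ($key) { $key.Close() }
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }

    [pscustomobject]@{ Hive = $man; AuthenticatedUsersFullControl = $granted }
}

# Convert-ToMandatoryProfile -ProfilePath '\\fs01\UEMConfig\mandatory.v6' -KeepLocalLow
```

With `-KeepLocalLow`, the Java cache, tmp and logs folders from step 10 still have to be trimmed by hand, and the registry cleanup in steps 18-19 is not covered.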

UEM Console Installation

  1. Browse to the extracted User Environment Manager 9.2.1 files, and run VMware User Environment Manager 9.2.1 x64.msi.
  2. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  3. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  4. In the Destination Folder page, click Next.
  5. In the Choose Setup Type page, click Custom.
  6. In the Custom Setup page, change the selections so that only the console is selected, and click Next.
  7. In the Ready to install VMware User Environment Manager page, click Install.
  8. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Configure User Environment Manager

Here is a summary of the major User Environment Manager functionality:

  • Personalization (aka import/export user settings) – saves application and Windows settings to a file share. This is the roaming profiles functionality of User Environment Manager. You configure folders and registry keys that need to be saved. The import/export can happen at logon/logoff or during application launch/exit.
    • Pre-configure application settings – configures files and registry keys for specific applications so users don’t have to do it themselves. Some examples: disable splash screen, default folder save location, database server name, etc.
    • Selfsupport tool – users can use this tool to restore their application settings.
  • User Environment – configures Windows settings like drive mappings, Explorer settings, printer mappings, etc. This is similar to group policy but offers significantly more options for conditional filtering. User Environment Manager can configure any registry setting defined in an ADMX file.
    • User Environment Manager only supports user settings. Computer settings should be configured using group policy.
    • Best practice is to not mix User Environment Manager and user group policy. Pick one tool. If the same setting is configured in both locations then group policy will win.
  • Horizon Smart Policies – Use Horizon Conditions (e.g. client IP) to control device mappings (e.g. client printing) and PCoIP/Blast Bandwidth Profile.
  • Privilege Elevation (UEM 9.2 and newer) – allow apps to run as administrator even though user is not an administrator. Installers can also be elevated.

To perform an initial configuration of User Environment Manager, do the following:

  1. Launch the User Environment Manager Management Console from the Start Menu.
  2. Enter the path to the UEMConfig share, and click OK.
  3. These Settings checkboxes define what is displayed in the management console. Leave it set to the defaults, and click OK.
  4. In the Personalization ribbon, on the far right, click Easy Start.
  5. Select your version of Office, and click OK.
  6. Click OK when prompted that configuration items have been successfully installed.
  7. Review the pre-configured settings to make sure they are acceptable. For example, User Environment Manager might create a Wordpad shortcut (User Environment > Shortcuts) that says (created by VMware UEM).
  8. To roam the Start Menu in Windows 10 1703, see VMware 2150422 How to roam Windows 10 Start Menu layout.
    1. Go to Personalization, click a folder, click Create Config File, select Create a custom config file, and give it a name.
    2. On the Import/Export tab, paste these two lines:
      [IncludeRegistryTrees]
      HKCU\Software\Microsoft\Windows\CurrentVersion\CloudStore
    3. Save the UEM Config file.
  9. Go to User Environment > Policy Settings. If there is a setting to Remove Common Program Groups, then click Edit.

    1. Consider adding a condition so it doesn’t apply to administrators.

Horizon Smart Policies

  1. In UEM 9.0 and newer, go to User Environment > Horizon Smart Policies, and create a policy.
  2. The Settings tab for a Smart Policy has a Bandwidth profile option. In UEM 9.1 and newer, these apply to both PCoIP and Blast.
  3. UEM 9.1 and newer has an HTML Access file transfer setting.
  4. On the Conditions tab, you can use any of the available conditions, including the Horizon Client Property conditions. These Horizon-specific conditions are available in every policy. Note: UEM 9.2 has more conditions (e.g. Active Directory Site Name) than prior versions.

  5. You can also enter a Horizon Client Property condition that corresponds to the ViewClient_ registry keys. In the Property field, type in a property name (remove ViewClient_ from the property name). See VMware Blog Post Enhancing Your VMware Horizon 7 Implementation with Smart Policies. And the 28-page PDF Reviewer’s Guide for View in Horizon 7: Smart Policies, VMware Horizon 7.

  6. UEM 9.1 and newer has Endpoint Platform as a policy condition. Create a Policy, go to the Conditions tab, and select the Endpoint Platform condition.
  7. To reapply Horizon Policies when users reconnect to an existing session, go to User Environment > Triggered Tasks and click Create. Or you can edit one of the existing Triggered Tasks settings.
  8. Change the Trigger to Reconnect session.
  9. Change the Action to User Environment refresh. Select Horizon Smart Policies, and click Save.

Application Blocking and Elevation

  1. UEM 9.0 adds an Application Blocking feature. To enable it, go to User Environment > Application Blocking, and click the Global Configuration button.
  2. Check the box to Enable Application Blocking. Specify Conditions where, if true, then App Blocking is enabled. These are the same conditions available in other policies and settings. Click OK.
  3. Then you can create an Application Blocking setting to designate the folders that users can run executables from, or what file hashes are allowed.
  4. You can add folders that allow or block apps. Any executable in these paths will be allowed or blocked. By default, executables in Windows and Program Files (including x86) are allowed.
  5. UEM 9.1 and newer allows File Hashes in addition to File Paths. Set the Type to Hash-based, click Add, browse to an executable, UEM will compute the hash, and add it to the list.
  6. UEM 9.2 and newer supports Publisher-based allow. Set the Type to Publisher-based, click Add, browse to an executable, UEM will read the certificate, and add it to the list. Note: A challenge with hash-based and publisher-based rules is that the policy might have to be updated whenever the app is updated.
  7. UEM 9.2 adds a Privilege Elevation feature, which allows executables to run as administrator even if users are not administrators. To enable it, go to User Environment > Privilege Elevation, and click the Global Configuration button.
  8. Check the box to Enable Privilege Elevation. Specify Conditions where, if true, then Privilege Elevation is enabled. These are the same conditions available in other policies and settings.
  9. If you allow installers to be elevated and want each installer’s child processes elevated too, check the box. This checkbox only applies to installers. For elevated applications, elevation of child processes is enabled when creating a Privilege Elevation configuration setting.
  10. When an application is elevated, the user can be asked to allow it. This prompt is intended to inform the user that the application has more permissions than it should, and that the user should therefore be careful with this application. Click OK.
  11. Then you can create a Privilege Elevation setting to designate the applications that should be elevated. The applications can be specified by a path, a hash, or a publisher certificate. These are essentially the same options as Application Blocking.
  12. Path-based user-installed application lets you elevate installers. The other three options elevate applications, but not installers.
  13. The child processes checkbox applies to applications.
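
The note in step 6 about hash-based and publisher-based rules going stale after an application update can be checked mechanically. The following PowerShell is an added example, not from the original post and not part of UEM: it records a hash and Authenticode signer for each executable you have rules for, then reports after patching which rule type no longer matches. The function names, the CSV baseline and the choice of SHA-256 are assumptions; the page does not say which hash UEM stores, so the hash here is only used to detect change.

```powershell
# Added example: detect when hash-based or publisher-based rules need refreshing.
# Function names and the CSV baseline format are illustrative, not part of UEM.

function Get-AppRuleFingerprint {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $file = Get-Item -LiteralPath $p -ErrorAction Stop
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Path      = $file.FullName
            Version   = $file.VersionInfo.FileVersion
            # SHA-256 is an assumption used for change detection only.
            Sha256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            SigStatus = [string]$sig.Status
            Publisher = if ($cert) { $cert.Subject } else { '' }
        }
    }
}

function Compare-AppRuleFingerprint {
    param([Parameter(Mandatory)][string]$BaselineCsv)
    foreach ($old in Import-Csv -LiteralPath $BaselineCsv) {
        # An executable that was removed or moved invalidates every rule that names it.
        if (-not (Test-Path -LiteralPath $old.Path -PathType Leaf)) {
            [pscustomobject]@{
                Path = $old.Path; State = 'Missing'
                HashRuleStale = $true; PublisherRuleStale = [bool]$old.Publisher
                OldVersion = $old.Version; NewVersion = ''
            }
            continue
        }

        $new = Get-AppRuleFingerprint -Path $old.Path

        # Any byte change breaks a hash-based rule.
        $hashStale = $new.Sha256 -ne $old.Sha256

        # A publisher-based rule only needs attention if the file was signed at baseline
        # and the signer changed or the signature no longer validates.
        $pubStale = [bool]$old.Publisher -and
                    (($new.Publisher -ne $old.Publisher) -or ($new.SigStatus -ne 'Valid'))

        [pscustomobject]@{
            Path               = $old.Path
            State              = if ($hashStale) { 'Updated' } else { 'Unchanged' }
            HashRuleStale      = $hashStale
            PublisherRuleStale = $pubStale
            OldVersion         = $old.Version
            NewVersion         = $new.Version
        }
    }
}

# Constructed usage (the executable path is a placeholder):
# Get-AppRuleFingerprint -Path 'C:\Apps\Example\example.exe' |
#     Export-Csv -NoTypeInformation -LiteralPath .\uem-rules-baseline.csv
# Compare-AppRuleFingerprint -BaselineCsv .\uem-rules-baseline.csv |
#     Where-Object { $_.HashRuleStale -or $_.PublisherRuleStale }
```

Take the baseline when the rule is created in the console and run the comparison on the master image after each patch cycle, before users log on to it.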

Personalization and UEM Templates

VMware has provided a list of Personalization Templates to simplify your configuration.

  1. To save user settings at logoff and restore at logon, you must specify the settings to save.  Easy Start created a bunch of configurations on the Personalization tab.
  2. You can see what settings these save by clicking Manage, and then Expand.

  3. To save more settings, select a folder (or create a new folder), and then click Create Config File.
  4. A wizard appears. You can use one of the built-in Windows Common Setting or Application Templates. Or you can create your own. UEM 9.2 has more built-in templates than previous versions.


  5. The VMware community also uploads additional templates to VMware Communities.
  6. http://www.ivandemes.com/uemtemplates/ hosts a search engine for these templates. 💡
  7. In the UEM Console, on the Personalization tab, click the Configure button to locate your UEM Configuration file share.

  8. Extract the downloaded templates to the General\Applications folder in the UEM Config Share.

  9. The downloaded template should then show up in the Personalization tab under the Applications folder. If you don’t see it, click the Refresh Tree icon.

Additional UEM Configuration

User Environment Manager 8.7 and newer has a UEMResult feature that lets you see what settings were applied to the user. The .xml file is only updated at logoff. To enable for a particular user, go to the user’s Logs folder and create a folder named UEMResult. At logoff, UEM will put an .xml file in this folder. More information in Appendix G of the User Environment Manager Administrator Guide.

From VMware 2113514 Enabling debug logging for a single user in VMware User Environment Manager: To configure FlexEngine to log at debug level for a single user, create an empty FlexDebug.txt file in the same folder as the standard log file for this user. This triggers FlexEngine to switch to debug logging for this particular user.

UEM Application Profiler

This tool cannot be installed on a machine that has FlexEngine installed:

  1. .NET Framework 3.5 is required.
  2. In the User Environment Manager files, in the Optional Components folder, run VMware UEM Application Profiler 9.2.1 x64.msi.
  3. In the Welcome to the VMware User Environment Manager Application Profiler Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Custom Setup page, click Next.
  6. In the Ready to install VMware User Environment Manager Application Profiler page, click Install.
  7. In the Completed the VMware User Environment Manager Application Profiler Setup Wizard page, click Finish.

You may now use the tool to determine where applications store their settings and export a default application configuration that can be pushed out using User Environment Manager.

UEM Support Tool

vDelboy – VMware UEM Helpdesk Support Tool

Do the following to configure the environment for the support tool:

  1. In the User Environment Manager Console, click the star icon on the top left, and click Configure Helpdesk Support Tool.
  2. Click Add.
  3. In the Profile archive path field, enter the user folder share (the same one configured in User Environment Manager GPO). At the end of the path, enter \[UserFolder]\Archives.
  4. Check the other two boxes. The paths should be filled in automatically. Make sure they match what you configured in the User Environment Manager group policy object. Click OK.
  5. Click Save.
  6. VMware recommends creating a new GPO for the Support Tool. This GPO should apply only to the support personnel.

  7. On the Scope tab, change the filtering so it applies to UEM Support and UEM Admins. If this GPO applies to machines with group policy loopback processing enabled, then also add Domain Computers.
  8. Edit the GPO.
  9. Go to User Configuration | Policies | Administrative Templates | VMware UEM | Helpdesk Support Tool.
  10. Double-click the setting UEM configuration share.
  11. Enable the setting, and enter the path to the UEMConfig share. Click OK.
  12. Consider enabling the remaining GPO settings. Read the Explain text or refer to the documentation.

Do the following to install the support tool.

  1. .NET Framework 3.5 is required.
  2. Some support tool functions require the FlexEngine to be installed on the help desk machine.
  3. In the extracted User Environment Manager files is an Optional Components folder. From inside that folder run VMware UEM Helpdesk Support Tool 9.2.1 x64.msi.
  4. In the Welcome to the VMware UEM Helpdesk Support Tool Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to install VMware UEM Helpdesk Support Tool page, click Install.
  8. In the Completed the VMware UEM Helpdesk Support Tool Setup Wizard page, click Finish.

Once the Helpdesk Support Tool is installed, you can launch it from the Start Menu, search for users, and then perform operations on the archives.

49 thoughts on “VMware User Environment Manager 9.2.1”

  1. Carl, your articles are the best by far on the internet and truly follow real world scenarios. Thank you for having a great site and providing wonderful help to all professionals.

    I am about to deploy a new linked-clone 7.3 horizon deployment and am trying to understand which to use for profile management. In reading everything, manual profiles in UEM don’t persist at log off and if a user logs back on personal settings are not kept. What scenario would I use for linked-clones and have the user keep all individual changes when they log back in?

    Horizon (linked-clones) -> UEM – Mandatory profiles?
    – Roaming Profiles?

    Horizon (linked-clones) -> Persona M. – ?

    Just curious what is the best approach.

    Also, using AppVolumes for Office, Apps, Etc…

    Thank you in advance.

    1. UEM provides the greatest flexibility – you can specify what is saved, and by extension, what is not saved. But, you have to tweak the config as apps are updated or introduced. The saved configurations are stored on a per-app basis, thus allowing for settings to apply to multiple profile versions. The Personalization tab is where you configure what is saved at logoff.

      Persona generally only requires an initial configuration, but it saves everything. However, VMware seems to be deprecating Persona, so they recommend UEM.

      VMware is also deprecating Writable Volumes for user profiles.

  2. Hi carl !!
    I am setup roaming profiles and UEM, however when I set redirection desktop folder the customizations were lost, due UEM setting.

    is there some way to fix it ?

    Kind regards,

      1. Sure !!
        I did the setup mandatory profile on Windows 10 1607 and it is working pretty well. Every time that I made login i get the profile from mandatory.
        I setup UEM with folder redirection and GPOs to UEM, it is working too, perfectly !
        But, when I did login on VDI desktops ,the UEM setting have preference over mandatory profile setting, and the desktop shortcuts that I had on mandatory aren’t imported. If I disable redirection of desktop on UEM setting, the desktops setting from mandatory profile works.

        Sorry, for my english.
        Do you understand my issue ?

        1. Let me see whether I understand: you have desktop shortcuts configured as part of your mandatory profile, but you’re also redirecting the desktop folder? In that case, the shortcuts in the mandatory profile will indeed be ignored, as Windows is looking to the redirected location instead.

          1. Hi Wesley,

            Somehow the site didn’t give me the option to reply to your latest post, so I’m replying to myself instead 🙂

            There is no behavior to address: with folder redirection you’re telling Windows to ignore the original location, and look for files in the redirected location. That’s why the shortcuts you defined in your mandatory profile are “ignored” – you’re telling Windows to do that, as you’ve redirected the desktop folder.

            If you want to provide “admin-defined” desktop shortcuts to your users, why not use UEM for that? Much easier to manage (and modify) than baking them into the mandatory profile, and you also don’t run into this “conflict” with folder redirection.

  3. Hi Carl, lots of good info. I’ve been experimenting with ways to get Win10 1607 to take default apps and file extensions and trying to stop Edge from hijacking pdfs. There are different approaches, what do you suggest?

    thanks,

    James

  4. Hi Carl, Is there any way to base a condition on a specific AD Username? I can find AD Group, but it would be good to condition a certain action on a handful of AD users too, at least just for testing.

    1. Hi Barry, there’s no specific username condition, but you can use the environment variable condition, and check against the “username” env var.

  5. Hi Carl, Thanks for the great article. Could you please suggest how we can manage 2 different java versions (Java 6u45 and Java 8 u101) on one VDI using UEM. There are a few users who access web links; a few links require java 6u45 and a few links require java 8 u101. We’ve installed both versions on the VDI using app volume but they conflict. Only the latest java version is working. Could you please suggest us. Thank You!

    1. Since Layering Technologies don’t isolate apps, you’ll need a different tool to perform isolation. App-V is common.

  6. Trying to run a logoff script (simple .bat file) with UEM but can’t get it to work from network share. Any thoughts?

  7. We have set up Horizon 7.0.2 with UEM 9.1 and AppVolume Manager 2.11, however I have noticed that Smart Policy for USB disablement doesn’t work at initial login it does work at re-connect, can someone test this in their environment and advise the outcome?
    Cheers

  8. Hello Carl, First of all thank you for really helpful info.
    We have non persistent linked clones environment with Zero clients locally attached USB printers. We have to change define different printer settings for different users. Is it possible to manage this setting with UEM or use Persona roaming profiles ?

  9. Carl question. We are using Windows 10 with Instant Clones. We have some trouble getting some OS Settings out of WIndows 10 for users like Start Menu, Default Programs and other settings that seems to be saved in AppData\Local. Right now we are using Persona Management to also capture AppData\Local. That seems to have resolved our issues. Are you seeing other solutions to issues with Windows 10 specifically and capturing OS related User Settings that are not easily captured via UEM?

    Thanks
    Jesse

  10. Great article! I just finished migration from persona management to UEM, but I have some issues:
    In FlexEngine.log I see warning: “WARN Previous import not marked as successful — skipping export.”
    How fix this issue?

      1. Hi Iknife and PlumBob,

        Sorry, just found this site… If you’re migrating from Persona to UEM, you probably only run UEM at logoff? In that case you need to “force” the export at logoff by passing the additional “-F” argument (so, “…\FlexEngine.exe -s -F”).

  11. Question – I am rolling out a new non-persistent Windows 10 Deployment on Horizon 6.x. Followed the UEM and GPO info to a “T”. The problem I am having is that the Windows would take up to 10 Minutes at times to logon / provide a machine. The backend storage is very robust and all FLASH SAN.

    Why would the logons take so long to process??

      1. Hi Carl – thanks for the prompt response. No we are not using a mandatory profile. I don’t recall doing this for our Win7 deployment. None the less are you saying the mandatory profile is the ticket to quicker logon nirvana for Win 10 Non persistence?

          1. Thanks.. working through it now. However on the template user profile i copied over there is no NTUSER.DAT file. Yes I do have show hidden files ticked and protected operating system files checked. I do see them in the “default” user folder but not the template user. So with that said what would i load the hive with or simply bypass that section?

          2. Thanks again Carl. Looks like my template is borked. I appreciated your prompt responses on this topic.

          3. OK just an update. I essentially started from scratch with my Win 10 NON-persistent Horizon project with mandatory profile v5 created successfully.

            And login times are still slow. Has anyone else on here done non persistent Windows 10? If so how did you overcome your slow login times?

    1. The whole idea of exclusion is to prevent those folders from being saved in the roaming profile. However, redirection removes the folder from the roaming profile and thus there’s nothing to exclude. All data created by the apps is automatically saved in the redirected location.

      You can turn off redirection and then configure exclusions. Or you might have to use scripts to delete content from the redirected folder location.

  12. Hi Carl, Fantastic work by the way! I am trying to use UEM to configure predefined settings that set the default search engine in IE11 to be google rather than Bing. I see there is an IE Application Template. Do I amend this template? How do I configure the above setting?
    Thanks
    Sean

  13. Hi Carl, wonderful post through and through. I have a question as per UEM. I just would like to demonstrate the Application blocking capabilities. What is the minimum install required for this?

    I quote your statement above, “Before performing the procedures detailed on this page, make sure you’ve imported the UEM ADMX templates, created the GPOs for Horizon, and configured the Horizon GPOs for User Environment Manager.”
    Must i do all this to demonstrate Application blocking?
    Thanks for your response.

  14. I cannot make it work with 2012r2 TS, GPOs just
    Use mandatory profiles on the RD Session Host server = enabled
    Set path for Remote Desktop Services Roaming User Profile = \\fs01\UEMConfig\mandatory (Do not include the .v5 in this path)
    Does 2012r2 supports this config?

    1. The folder should be named .v2 or .v4, depending on if you’ve enabled the newer profile version by changing the registry key. But I think it will tell you in the Application Log what path it’s looking for.

  15. Is there a way to have multiple UEM Configuration Shares? We need a test and production share.

    It seems like I seen someone on a video and they had an option to chose from multiple UEM Configuration Shares.

    Thanks
    Sunshine Baines

    1. You can certainly use the console to edit multiple Config Shares. If you click the Star icon on the top left you can add and switch environments.

  16. I’m not able to get the window settings to export. I ran the easy start to do a proof of concept. I made some changes in the IE settings and Taskbar, but it is not exporting the settings at logoff. I do see settings exporting for notepad and wordpad, but I’m not able to get the window settings working. Any ideas?

    Thanks
    Sunshine
