VMware User Environment Manager

Last Modified: Feb 13, 2017 @ 8:41 am

Navigation

đź’ˇ = Recently Updated

Prerequisites

Before performing the procedures detailed on this page, make sure you’ve imported the UEM ADMX templates, created the GPOs for Horizon, and configured the Horizon GPOs for User Environment Manager.

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp  💡

Mandatory Profile

Mandatory Profile Creation instructions:

If you want to use User Environment Manager with a Mandatory Profile then follow these basic instructions to create the mandatory profile:

  1. The mandatory profile is stored in a sub-folder of a file share. Either identify an existing file share (e.g. UEMConfig) or create a new file share.
  2. Login to the Horizon 6 Agent machine as a template account. Do any desired customizations. Logoff.
  3. Make sure you are viewing hidden files and system files.
  4. Copy C:\Users\%username% to your fileshare and rename the folder to mandatory.v2 or something similar. It is important that .v2 (or .v3 or .v4 or .v5 or .v6 depending on the operating system version) is on the end of the path. (e.g. \\fs01\UEMConfig\mandatory.v6).
  5. Note: the mandatory profile must be a subfolder of the file share. You cannot share the mandatory profile directly.
  6. You can copy C:\Users\Default instead of copying a template user. If so, remove the hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  7. Rename \\fs01\UEMConfig\mandatory.v6\ntuser.dat to ntuser.man.
  8. Delete the NTUSER.DAT log files.
  9. Open the AppData folder and delete the Local and LocalLow folders.
  10. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  11. Open regedit.exe.
  12. Click HKEY_LOCAL_MACHINE to highlight it.
  13. Open the File menu and click Load Hive.
  14. Browse to the mandatory profile and open NTUSER.MAN in the Mandatory profile folder.
  15. Name it a or similar.
  16. Go to HKLM\a, right-click it and click Permissions.
  17. Add Authenticated Users and give it Full Control. Click OK.
  18. With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ for some suggestions.
  19. Also see How to create a Windows Server 2012 / Windows 8 Mandatory Profile for more profile cleanup.
  20. Highlight HKLM\a.
  21. Open the File menu and click Unload Hive.
  22. Create/Edit a GPO that applies to the Horizon 6 Agents and configure the following GPO settings:
    • Computer Configuration | Policies | Administrative Templates | System | User Profiles
      • Do not check for user ownership of Roaming Profile Folders = enabled
      • Set roaming profile path for all users logging onto this computer = \\fs01\UEMConfig\mandatory (Do not include the .v6 in this path)
    • Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles
      • Use mandatory profiles on the RD Session Host server = enabled
      • Set path for Remote Desktop Services Roaming User Profile = \\fs01\UEMConfig\mandatory (Do not include the .v6 in this path)

UEM Console Installation

  1. Browse to the extracted User Environment Manager 9.1 files and run VMware User Environment Manager 9.1 x64.msi.
  2. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  3. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  4. In the Destination Folder page, click Next.
  5. In the Choose Setup Type page, click Custom.
  6. In the Custom Setup page, change the selections so that only the console is selected and click Next.
  7. In the Ready to install VMware User Environment Manager page, click Install.
  8. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Configure User Environment Manager

Here is a summary of the major User Environment Manager functionality:

  • Personalization (aka import/export) – saves application and Windows settings to a file share. This is the roaming profiles functionality of User Environment Manager. You configure folders and registry keys that need to be saved. The import/export can happen at logon/logoff or during application launch/exit.
    • Pre-configure application settings – configures files and registry keys for specific applications so users don’t have to do it themselves. Some examples: disable splash screen, default folder save location, database server name, etc.
    • Selfsupport tool – users can use this tool to restore their application settings.
  • User Environment – configures Windows settings like drive mappings, Explorer settings, printer mappings, etc. This is similar to group policy but offers significantly more options for conditional filtering. User Environment Manager can configure any registry setting defined in an ADMX file.
    • User Environment Manager only supports user settings. Computer settings should be configured using group policy.
    • Best practice is to not mix User Environment Manager and user group policy. Pick one tool. If the same setting is configured in both locations then group policy will win.

Links:

To perform an initial configuration of User Environment Manager, do the following:

  1. Launch the User Environment Manager Management Console from the Start Menu.
  2. Enter the path to the UEMConfig share and click OK.
  3. These Settings checkboxes define what is displayed in the management console. Leave it set to the defaults and click OK.
  4. In the Personalization ribbon, on the far right, click Easy Start.
  5. Select your version of Office and click OK.
  6. Click OK when prompted that configuration items have been successfully installed.
  7. Review the pre-configured settings to make sure they are acceptable. For example, User Environment Manager might create a Wordpad shortcut (User Environment > Shortcuts) that says (created by VMware UEM).
  8. Go to User Environment > Policy Settings. If there is a setting to Remove Common Program Groups, then click Edit.
  9. Consider adding a condition so it doesn’t apply to administrators.
  10. UEM 9.1 adds Endpoint Platform as a new condition.
  11. UEM 9.0 adds User Environment > Horizon Policies. UEM 9.1 renames them to Horizon Smart Policies.
  12. UEM 9.0 has a PCoIP profile. UEM 9.1 renames it to Bandwidth profile since it works with both PCoIP and Blast.
  13. HTML Access file transfer is new in UEM 9.1.
  14. On the Conditions tab, you can use any of the available conditions, including the Horizon Client Property conditions.
  15. You can also enter a Horizon Client Property condition that corresponds to the ViewClient_ registry keys (leave ViewClient_ off of the property name). See VMware Blog Post Enhancing Your VMware Horizon 7 Implementation with Smart Policies. And the 28-page PDF Reviewer’s Guide for View in Horizon 7: Smart Policies, VMware Horizon 7.  đź’ˇ

  16. To reapply Horizon Policies when users reconnect to an existing session, go to User Environment > Triggered Tasks and click Create. Or you can edit one of the existing Triggered Tasks settings.
  17. Change the Trigger to Reconnect session.
  18. Change the Action to User Environment refresh. Select Horizon Smart Policies, and click Save.
  19. UEM 9.0 adds an Application Blocking feature. You first have to go to User Environment > Application Blocking and click the Global Configuration button.
  20. Check the box to Enable Application Blocking. Specify Conditions where, if true, then App Blocking is enabled. Click OK.
  21. Then you can create an Application Blocking setting to designate the folders that users can run executables from. By default, Windows and Program Files (including x86) are allowed.
  22. New in UEM 9.1 is the ability to add File Hashes in addition to File Paths.

Additional UEM Configuration

User Environment Manager 8.7 and newer has a new UEMResult feature that lets you see what settings were applied to the user. The .xml file is only updated at logoff. To enable for a particular user, go to the user’s Logs folder and create a folder named UEMResult. At logoff, UEM will put an .xml file in this folder. More information in Appendix G of the User Environment Manager Administrator Guide.

UEM Templates

VMware has provided a list of Personalization Templates to simplify your configuration.

  1. Download the Templates from VMware Communities.
  2. In the UEM Console, on the Personalization tab, click the Configure button to locate your UEM Configuration file share.

  3. Extract the downloaded templates to the General\Applications folder in the UEM Config Share.

  4. The downloaded template should then show up in the Personalization tab under the Applications folder. If you don’t see it, click the Refresh Tree icon.
  5. The templates contain preconfigured Import/Export configurations.

Desktop Redirection

If the Desktop folder is redirected then VMware recommends configuring User Environment Manager to preserve the folder redirection location. Otherwise there could be a timing issue.

  1. On the Personalization tab, click Create Config File.
  2. Select Create a custom config file and click Next.
  3. Give the Config file a name and click Finish.
  4. On the Import/Export tab, configure the registry key as shown below. You can also copy the text from VMware 2118056 Migrate VMware Persona Management to VMware User Environment Manager.

 

UEM Application Profiler

This tool cannot be installed on a machine that has FlexEngine installed:

  1. .NET Framework 3.5 is required.
  2. In the User Environment Manager files, in the Optional Components folder, run VMware UEM Application Profiler 9.1 x64.msi.
  3. In the Welcome to the VMware User Environment Manager Application Profiler Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Custom Setup page, click Next.
  6. In the Ready to install VMware User Environment Manager Application Profiler page, click Install.
  7. In the Completed the VMware User Environment Manager Application Profiler Setup Wizard page, click Finish.

You may now use the tool to determine where applications store their settings and export a default application configuration that can be pushed out using User Environment Manager.

UEM Support Tool

vDelboy – VMware UEM Helpdesk Support Tool

Do the following to configure the environment for the support tool:

  1. In the User Environment Manager Console, click the star icon on the top left and click Configure Helpdesk Support Tool.
  2. Click Add.
  3. In the Profile archive path field, enter the user folder share (the same one configured in User Environment Manager GPO). At the end of the path, enter \[UserFolder]\Archives.
  4. Check the other two boxes. The paths should be filled in automatically. Make sure they match what you configured in the User Environment Manager GPO. Click OK.
  5. Click Save.
  6. VMware recommends creating a new GPO for the Support Tool. This GPO should apply only to the support personnel.

  7. On the Scope tab, change the filtering so it applies to UEM Support and UEM Admins. If this applies to machines with loopback processing enabled then also add Domain Computers.
  8. Edit the GPO.
  9. Go to User Configuration | Policies | Administrative Templates | VMware UEM | Helpdesk Support Tool.
  10. Double-click the setting UEM configuration share.
  11. Enable the setting and enter the path to the UEMConfig share. Click OK.
  12. Consider enabling the remaining GPO settings. Read the Explain text or refer to the documentation.

Do the following to install the support tool.

  1. .NET Framework 3.5 is required.
  2. Some support tool functions require the FlexEngine to be installed on the help desk machine.
  3. In the extracted User Environment Manager files is an Optional Components folder. From inside that folder run VMware UEM Helpdesk Support Tool 9.1 x64.msi.
  4. In the Welcome to the VMware UEM Helpdesk Support Tool Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to install VMware UEM Helpdesk Support Tool page, click Install.
  8. In the Completed the VMware UEM Helpdesk Support Tool Setup Wizard page, click Finish.

Once the Helpdesk Support Tool is installed you can launch it from the Start Menu, search for users, and then perform operations on the archives.

Related Pages

32 thoughts on “VMware User Environment Manager”

  1. We have set up Horizon 7.0.2 with UEM 9.1 and AppVolume Manager 2.11, however I have noticed that Smart Policy for USB disablement doesn’t work at initial login it does work at re-connect, can someone test this in their environment and advise the outcome?
    Cheers

  2. Hello Carl, Firs of all thank you for really helpful info.
    We have non persistent linked clones environment with Zero clients locally attached USB printers. We have to change define different printer settings for different users. Is it possible to manage this setting with UEM or use Persona roaming profiles ?

  3. Carl question. We are using Windows 10 with Instant Clones. We have some trouble getting some OS Settings out of WIndows 10 for users like Start Menu, Default Programs and other settings that seems to be saved in AppData\Local. Right now we are using Persona Management to also capture AppData\Local. That seems to have resolved our issues. Are you seeing other solutions to issues with Windows 10 specifically and capturing OS related User Settings that are not easily captured via UEM?

    Thanks
    Jesse

  4. Great article! I just finished migration from persona management to UEM, but I have some issues:
    In FlexEngine.log I see warning: “WARN Previous import not marked as successful — skipping export.”
    How fix this issue?

  5. Question – I am rolling out a new non persistant Windows 10 Deployment oN horiz 6.x . Followed the UEM and GPO info to a “T”. The problem I am having is that the Windows would take up to 10 Minutes at times to logon / provide a machine. The backend storage is very robust and all FLASH SAN.

    Why would the logons take so long to process??

      1. Hi Carl – thanks for the prompt response. No we are not using a mandatory profile. I don’t recall doing this for our Win7 deployment. None the less are you saying the mandatory profile is the ticket to quicker logon nirvana for Win 10 Non persistence?

          1. Thanks.. working through it now. However on the template user profile i copied over there is no NTUSER.DAT file. Yes I do have show hidden files ticked and protected operating system files checked. I do see them in the “default” user folder but not the template user. So with that said what would i load the hive with or simply bypass that section?

          2. Thanks again Carl. Looks like my template is borked. I appreciated your prompt responses on this topic.

          3. OK just an update. I essentially started from scratch with my Win 10 NON-persistent Horizon project with mandatory profile v5 created successfully.

            And login times are still slow. Has anyone else on here have done non persistent Windows 10? If so how did you over come your slow login times?

    1. The whole idea of exclusion is to prevent those folders from being saved in the roaming profile. However, redirection removes the folder from the roaming profile and thus there’s nothing to exclude. All data created by the apps is automatically saved in the redirected location.

      You can turn off redirection and then configure exclusions. Or you might have to use scripts to delete content from the redirected folder location.

  6. Hi Carl, Fantastic work by the way! I am trying to use UEM to configure predefined settings that set the default search engine in IE11 to be google rather than Bing. I see there is an IE Application Template. Do I amend this template? How do I configure the above setting?
    Thanks
    Sean

  7. Hi Carl, wonderful post through and through. I have a question as per UEM. I just would like to demonstrate the Application blocking capabilities. What is the minimum install required for this?

    I quote your statement above, “Before performing the procedures detailed on this page, make sure you’ve imported the UEM ADMX templates, created the GPOs for Horizon, and configured the Horizon GPOs for User Environment Manager.”
    Must i do all this to demonstrate Application blocking?
    Thanks for your response.

  8. I cannot make it work with 2012r2 TS, GPOs just
    Use mandatory profiles on the RD Session Host server = enabled
    Set path for Remote Desktop Services Roaming User Profile = \\fs01\UEMConfig\mandatory (Do not include the .v5 in this path)
    Does 2012r2 supports this config?

    1. The folder should be named .v2 or .v4, depending on if you’ve enabled the newer profile version by changing the registry key. But I think it will tell you in the Application Log what path it’s looking for.

  9. Is there a way to have multiple UEM Configuration Shares? We need a test and production share.

    It seems like I seen someone on a video and they had an option to chose from multiple UEM Configuration Shares.

    Thanks
    Sunshine Baines

    1. You can certainly use the console to edit multiple Config Shares. If you click the Star icon on the top left you can add and switch environments.

  10. I’m not able to get the window settings to export. I ran the easy start to do a proof of concept. I made some changes in the IE settings and Taskbar, but it is not exporting the settings at logoff. I do see settings exporting for notepad and wordpad, but I’m not able to get the window settings working. Any ideas?

    Thanks
    Sunshine

Leave a Reply