I have a strange issue here. I have a Group Policy that contains several desktop shortcuts that is linked to my users OU and security filtered to a specific group of users. I am using GP to do this because these shortcuts have to be applied to physical devices as well.
The issue is, the policy will NOT apply if my UEM policy is applied. If the UEM policy is NOT applied, the shortcuts gpo works. It is almost like the user policies are being "filtered out" by UEM.
I hope this made sense. Thanks. Really frustrated here.
EDIT: I should also note that the user policies I am referring to work 100% on physical devices where no UEM policy is being applied.
Message was edited by: Patrick Castafero
Do you have loopback policy processing enabled on the UEM policy?
If this has been set to replace, other user policies will not be applied.
Hi Oneboss302,
UEM's only relation to Group Policy is that it gets its own configuration settings from a GPO, and that the Group Policy Client service hosts the UEM agent at logon – UEM has no way to influence other Group Policy activities.
If the UEM policy is in effect, does GPResult show that both GPOs are applied? Are you maybe redirecting the desktop folder using UEM?
Thanks for the reply.
I am indeed redirecting the desktop via UEM. It was my understanding that the GPO that is adding the shortcuts to the user's desktop would simply add them via the redirection. Is that not the case with UEM?
On my Windows 7 environment I am not using UEM and using Folder Redirection via GPO. This seems to work properly and add the icons to the user's redirected desktop there.
It was my understanding that the GPO that is adding the shortcuts to the user's desktop would simply add them via the redirection. Is that not the case with UEM?
I suppose that depends on how and when those shortcuts are created. As a test, can you check whether those shortcuts end up in the non-directed C:\Users\username\Desktop folder?
On my Windows 7 environment I am not using UEM and using Folder Redirection via GPO. This seems to work properly and add the icons to the user's redirected desktop there.
It may or may not be relevant (depending on the timing of the shortcut creation), but one difference between UEM's folder redirection and the "Microsoft GPO" way, is that UEM does not copy or move any existing data. So, if those shortcuts were created before the folder redirection kicked in, and you configured Microsoft folder redirection to move existing folder content, that might explain why you'd see your shortcuts in the redirected folder in that case.
Never thought to check the C:\Users\username\Desktop folder. Very good point. I am in the middle of rebuilding the master image and will test that when it's complete. Thank you for adding that. I will update with results.
I have re-provisioned the pool from a new master image and am having the same results. The GPO that is applied to the user group is not applying to the linked clone machines. I was able to get them to apply if I linked the GPO (all user settings) to the OU that contains the machines.
I have noted that I removed "Authenticated users" from the security filtering and replaced it with a Security group. I did add Authenticated users to the delegation with Read access.
The GPO that is applied to the user group is not applying to the linked clone machines.
What does GPResult show?
It does not show the 2 GPOs being applied at all.
I'm afraid that's outside my scope of expertise... I know enough about Group Policy to configure it for my own UEM-related testing, but I have no experience in troubleshooting Group Policy issues...
You're logging on to a linked clone from your newly provisioned pool, with a user that's in an OU that your UEM GPO is linked to, but GPResult does not show that GPO as having been applied at all? Is there anything policy-related in the event log? DNS issues? Is the clock on the VM set to the correct date and time?
Do you have loopback policy processing enabled on the UEM policy?
If this has been set to replace, other user policies will not be applied.
I think this is very important, not to get off topic, I had our security team applying hardening policies that broke everything. Making sure the loopback policy was in place solved a lot of my problems, since that prevented the user policies from being applied. I now instead place those settings directly into the parent image for our desktops.
Well, the Loopback was the issue. The document that I was following to create the UEM GPO has it listed as "REPLACE". Changing the setting to MERGE seems to have fixed it.
Much appreciate all the assistance.
The differences between the two are:
https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy
Replace is optimal with UEM in most cases because the GPOs are based off what machine you are logging into, which for UEM in most cases I think are non persistent desktops. I have a strict policy in our environment to not have any GPOs applied to virtual desktop users because they affect login times. If these are physical machines then it may not apply as much.
Do you happen to know if this was a VMware document?
If so, we need to change this.
Thanks
I don't think it's spelled out which one to use in the latest VMware documentation, I've been enjoying the new techzone documents, and the one for UEM doesn't actually say which one to use either
Quick-Start Tutorial for User Environment Manager | VMware
it just says enable loopback processing, not which one to use. The admin guide only says
Through its integration into group policy, User Environment Manager allows separate configuration settings for application silos. You can do this by using the appropriate VMware User Environment Manager administrative template settings, and combining them with the Microsoft Loopback processing of Group Policy solution.
but never talks about merge vs replace either.
Hi,
sjesse, I don't get how replace is optimal. I have my UEM policy which is only linked to the OU where my instant clones are set to merge because the configuration for the FlexEngine stuff is under User Configuration. So if I set it to replace surely those settings would be ignored and therefore UEM would not function?
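
The Merge versus Replace behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model of which GPOs contribute User Configuration settings under each loopback mode. The GPO names, setting keys and values are constructed, and security filtering, WMI filters and link order within an OU are not modeled.

```python
# Added illustration: simplified model of Group Policy loopback processing.
# GPO names, setting keys and values are constructed for this thread's scenario.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    user_settings: dict = field(default_factory=dict)  # User Configuration half


def user_gpo_order(user_ou_gpos, computer_ou_gpos, loopback=None):
    """GPOs whose User Configuration is processed, lowest precedence first."""
    if loopback is None:          # normal processing: follow the user object
        return list(user_ou_gpos)
    if loopback == "replace":     # user's own GPO list is never gathered
        return list(computer_ou_gpos)
    if loopback == "merge":       # user's list first, computer's list wins ties
        return list(user_ou_gpos) + list(computer_ou_gpos)
    raise ValueError(f"unknown loopback mode: {loopback!r}")


def effective_user_settings(user_ou_gpos, computer_ou_gpos, loopback=None):
    """Apply User Configuration in order; a later GPO overwrites an earlier one."""
    settings = {}
    for gpo in user_gpo_order(user_ou_gpos, computer_ou_gpos, loopback):
        settings.update(gpo.user_settings)
    return settings


# Linked to the users OU (constructed contents).
SHORTCUTS = GPO("Desktop Shortcuts",
                {"shortcut.intranet": "create", "wallpaper": "corp.jpg"})
# Linked to the virtual desktop OU; FlexEngine settings sit under User Configuration.
UEM = GPO("UEM Config", {"flexengine.enabled": True, "wallpaper": "vdi.jpg"})

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        names = [g.name for g in user_gpo_order([SHORTCUTS], [UEM], mode)]
        print(f"loopback={mode!s:8} GPOs={names}")
        print("   ", effective_user_settings([SHORTCUTS], [UEM], mode))
```

In this model, Replace drops the shortcuts GPO while the User Configuration settings of the GPO linked to the desktop OU still apply; Merge keeps both, with the desktop OU's GPO winning the conflicting `wallpaper` value.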