I have been learning powershell this year so whenever I get a chance I try my best to use it. When this came up I looked at devcon.exe and said "let me figure out how to do this with powershell." :smileylaugh:
Little did i know I could have saved a whole day of trying.
I am going to use it instead. Thank you.

Let me know if you figure the powershell out. I will keep trying on my end as well. Never know when the lesson learned today may help a great deal tomorrow. I checked "Also elevate child processes" but that didn't seem to help.

Hi cbaptiste,

Well, I definitely learned a bit about both PowerShell and DevCon today

I hope the DevCon workaround does the trick for you now, and hopefully we get "WMI elevation" to work at some point in the future.

I am actually fighting with it. I can not get it to work the way i expect it

Executable: %SystemRoot%\system32\devcon.exe
Argument: Disable '*vmwvaudioin

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"DisableVMwareVirtualMic"="%SystemRoot%\\system32\\devcon.exe Disable '*vmwvaudioin"

I create a runonce registry key

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"DisableVMwareVirtualMic"="%SystemRoot%\\system32\\devcon.exe Disable '*vmwvaudioin"

Nada. Not sure what am i missing here. When i execute %SystemRoot%\\system32\\devcon.exe Disable '*vmwvaudioin from a command prompt in regular user context it says it disables the device but it actually does not.

Hi  cbaptiste,

Sorry to hear that.

When you log off, do you see something like

2019-08-30 15:24:45.369 [INFO ] Privilege elevation statistics:

2019-08-30 15:24:45.369 [INFO ]    Elevated C:\Windows\System32\devcon.exe 2 times (path-based)

in your log file?

Well i am not doing path-based i am doing argument-based because i don't want potential use of the tool for any other reasons but this use case so my log shows

2019-08-30 12:57:46.883 [INFO ] Privilege elevation statistics:

2019-08-30 12:57:46.883 [INFO ]    Elevated C:\Windows\System32\devcon.exe 1 time (argument-based).

Thanks for helping me with this by the way

Hi cbaptiste,

I just tried with the following argument-based privilege elevation config:

That seems to do the trick for me (I don't have that vmwvaudioin device to test with, unfortunately) :

Without elevation, I get

so it seem to make a difference.

Maybe we should just go back the basics first: does path-based elevation of regedit.exe work for you? If a non-admin user launches regedit.exe, can they create a key under HKLM\SOFTWARE?

I am going to give that a shot again. The device is installed with horizon view.

The only difference i see here is that when you are not using the elevated mode the message return says it can not find the device where as for me it return the message "disabled" regardless of the mode i am in. Obviously never one of them disable it.

Okay for my sanity sake. can you execute that line you have working and validate in device manager that the device is indeed disabled. Because I am receiving the disabled message as well except the device is not really disabled.

Hi cbaptiste,

I reinstalled the Horizon agent on my test VM to include the virtual audio devices, and I can confirm your findings that DevCon does not seem to be able to disable them, when elevated through UEM

We'll continue to look into this (both the PowerShell/WMI-based approach and DevCon.exe), but for now I don't have any suggestions, I'm afraid.

Okay. Well I am glad I am not crazy. In the meantime I scripted something in powershell to do the work. Seems to be working. Crossing my fingers.

I created a function that checked for active sessions on the VM. Since this is a non-persistent VM, there can only be one. I then take that username and check it again a domain group membership to see if the user is a member. If it returns true I disable the device. The script is running as System from task scheduler. Long weekend so I will not be able to thoroughly tested it until Tuesday but with the limited access I have it appears to be working. I have hope again lol

Hi cbaptiste,

That sounds like a viable workaround; glad to hear it! And apologies for making you have to find one...

I can not catch a break. I did the test on my persistent desktop which already have RSAT installed so it worked. When I applied the solution to the non persistent VMs The script did not work. Turns out ActiveDirectory Module is needed to check the user against the group membership.

Oh no! Could you maybe use the Group Membership condition in UEM to set a particular registry value (or create a particular file) that your scheduled task can then check for?

You would still need to find some location that your user can write to and that your scheduled task knows how to find (which might be a bit tricky given that it runs as SYSTEM.) Maybe a file in C:\ProgramData?

Uhmmm...I didn't think of that. Great suggestion. I am going to explore this option. I can have it create a key somewhere under HKCU during the logon process. I could then have the script read that key to determine if the user is a member or not.

Hi cbaptiste,

HKCU might be a bit tricky as you'll need to have your SYSTEM task read that from HKEY_USERS\<logged-on user's SID>\..., so you'd need to have some logic to get the user's SID.

That's why I suggested ProgramData

I was able to do it.
Here's the steps & Script

1. I created a UEM registry policy. The condition is if the user is a member of a group. If returns true, it then imports the registry.

2. I modified the existing script. The script search for the active user. Uses the active user username I to retrieve the user's SID. I mounted the HKU as a psdrive. I query the registry for the key created by UEM. If returns true, it execute the task to disable the device.

3. The script is triggered by task scheduler as SYSTEM when an event occurred. I used the source: Immidio Flex+ Event id: 267. I used that because that's when UEM done completing the sync. For certain the key will be there if it is supposed to be there. I came across an issue where the script would run before the key was created. That prevents it from running until UEM completes its tasks.

<#
.Synopsis
Disable a device when an event occurs.
.DESCRIPTION
This script queries the event log to determine who is the logon user. Returns the username, the user's SID and disables the VMware 
Virtual Microphone device if a registry key exists.
.NOTES   
Name: VirtualMicDisabled
Author: Carlhens Baptiste
Version: 2.0
DateUpdated: 2019-09-04
.PARAMETER computer
The hostname of the local or remote host
.PARAMETER domain
The domain netbios of the Active Directory user account exists in
.EXAMPLE
powershell.exe -ExecutionPolicy Bypass -File "C:\ProgramData\ImageConfig\VirtualMicDisabled.ps1"
#>
## Declaring variables 
$LogOnUser = ((Get-EventLog -LogName Application -Source "Immidio Flex+" -Message 'Processing asynchronous UEM actions finished for user*').UserName).Split("{\}")[1]
$LogOnUserSID = ([WMI] "Win32_UserAccount.Domain='$env:UserDomain',Name='$($LogOnUser.TrimEnd())'").SID
$ErrorActionPreference = 'SilentlyContinue'
## Record a powerShell session to a text file
Start-Transcript -path "$env:SystemRoot\Logs\ImagePrepLog.txt"
Write-Host "The active user account is $LogOnUser"
Write-Host "The user's SID is $LogOnUserSID"
## Create a drive for HKU if it is not already loaded since it is not by default
If (!(Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null
}
## Validate if the key exists, if true, disable the VMware Virtual Microphone device
If(Get-ItemPropertyValue "HKU:\$LogOnUserSID\Environment" -Name "EpicDragonUser" -ErrorAction Ignore)
{  
    Get-PnpDevice -FriendlyName "VMware Virtual Microphone" | Disable-PnpDevice -Confirm:$false
    Write-Host "Disabled VMware Virtual Microphone device"
} 
## Remove drive for HKU since it is no longer needed
Remove-PSDrive -Name HKU
## End the recording to text file
Stop-Transcript