<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ADMX Policy to Allow Registry to run silently no longer working in Dynamic Environment Manager</title>
    <link>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828451#M6651</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://communities.vmware.com/t5/user/viewprofilepage/user-id/146813"&gt;@GTO455&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;OK, so that explains why you're getting the "Policy prevents access to registry editing tools -- please disable this policy" error messages if that ADMX-based setting is configured.&lt;/P&gt;&lt;P&gt;If your users don't get the error even if the ADMX-based setting is configured, I assume their logs show that regedit.exe is being used instead of reg.exe?&lt;/P&gt;&lt;P&gt;Also, I guess you're an admin and your users aren't? That would affect the UAC-related impact on DEM, which causes it to decide whether to use regedit.exe or reg.exe.&lt;/P&gt;&lt;P&gt;Would it be an option to put a condition on that ADMX-based setting to make it only apply to (non-admin) users?&lt;/P&gt;</description>
    <pubDate>Mon, 08 Feb 2021 16:27:34 GMT</pubDate>
    <dc:creator>DEMdev</dc:creator>
    <dc:date>2021-02-08T16:27:34Z</dc:date>
    <item>
      <title>ADMX Policy to Allow Registry to run silently no longer working</title>
      <link>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2827969#M6639</link>
      <description>&lt;P&gt;We have had an ADMX policy set since we created our VDI environment to disable registry editing for users, but still allow it to run silently.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GTO455_0-1612560081007.png" style="width: 227px;"&gt;&lt;img src="https://communities.vmware.com/t5/image/serverpage/image-id/86626i3F43DC29E0CBFF52/image-dimensions/227x182/is-moderation-mode/true?v=v2" width="227" height="182" role="button" title="GTO455_0-1612560081007.png" alt="GTO455_0-1612560081007.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;It has been working fine until today when I logged into VDI and noticed that I could not see any history in Chrome or any bookmarks. It looks like it is happening for other apps too like MS Word.&lt;/P&gt;&lt;P&gt;Checking the DEM logs I found entries like this...&lt;/P&gt;&lt;P&gt;[INFO ] Importing profile archive 'Chrome.zip' (\\Server1\UEMProfiles$\User1\Archives\Applications\Chrome.zip)&lt;BR /&gt;[FATAL] Policy prevents access to registry editing tools -- please disable this policy&lt;BR /&gt;[FATAL] ImportRegistry::Import: Error creating command line&lt;BR /&gt;[FATAL] Error importing archive '\\Server1\UEMProfiles$\User1\Archives\Applications\Chrome.zip'&lt;/P&gt;&lt;P&gt;I verified it was the admx policy because I toggled the setting off and logged back into VDI and was able to see history for certain apps. And the errors in the DEM logs went away.&lt;/P&gt;&lt;P&gt;Has anyone else run into this? What was your approach to resolve it?&lt;/P&gt;&lt;P&gt;Environment info:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Horizon 7.10&lt;/LI&gt;&lt;LI&gt;DEM 9.9&lt;/LI&gt;&lt;LI&gt;Windows 10 1909 VDI&lt;/LI&gt;&lt;/UL&gt;</description>
      <pubDate>Fri, 05 Feb 2021 21:28:23 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2827969#M6639</guid>
      <dc:creator>GTO455</dc:creator>
      <dc:date>2021-02-05T21:28:23Z</dc:date>
    </item>
    <item>
      <title>Re: ADMX Policy to Allow Registry to run silently no longer working</title>
      <link>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828187#M6644</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://communities.vmware.com/t5/user/viewprofilepage/user-id/146813"&gt;@GTO455&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;To import registry settings, the DEM agent uses regedit.exe by default. Depending on UAC settings, regedit.exe can't be used, in which case DEM switches to using reg.exe.&lt;/P&gt;&lt;P&gt;Both executables are controlled by that particular Group Policy setting, but with an important difference: &lt;A href="https://docs.vmware.com/en/VMware-Dynamic-Environment-Manager/2009/com.vmware.dynamic.environment.manager-install-config/GUID-6425146B-C3E1-4281-9D62-B03A417892F4.html?hWord=N4IghgNiBcIE4FMDmA6BAPBIC+Q" target="_self"&gt;reg.exe is not allowed to run if the setting is enabled&lt;/A&gt;, even if the sub-setting allows running silently...&lt;/P&gt;&lt;P&gt;If this was working fine previously, I assume that DEM was previously using regedit.exe, and a recent UAC-related change made it switch to reg.exe.&lt;/P&gt;</description>
      <pubDate>Sun, 07 Feb 2021 11:36:12 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828187#M6644</guid>
      <dc:creator>DEMdev</dc:creator>
      <dc:date>2021-02-07T11:36:12Z</dc:date>
    </item>
    <item>
      <title>Re: ADMX Policy to Allow Registry to run silently no longer working</title>
      <link>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828237#M6646</link>
      <description>&lt;P&gt;Hi DemDev,&lt;/P&gt;&lt;P&gt;For clarification, are you saying I should disable UAC in the image completely? Currently, UAC is set to default. I checked our previous image and it is set the same way. I also checked the registry on both images and&amp;nbsp;&lt;SPAN&gt;HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA is set to 1.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Also, if I elevate my privs to Admin while in a VDI session, I can run regedit.exe from a CMD prompt.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GTO455_0-1612718944305.png" style="width: 400px;"&gt;&lt;img src="https://communities.vmware.com/t5/image/serverpage/image-id/86643i2951B4E08F6D39AC/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="GTO455_0-1612718944305.png" alt="GTO455_0-1612718944305.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 07 Feb 2021 18:34:09 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828237#M6646</guid>
      <dc:creator>GTO455</dc:creator>
      <dc:date>2021-02-07T18:34:09Z</dc:date>
    </item>
    <item>
      <title>Re: ADMX Policy to Allow Registry to run silently no longer working</title>
      <link>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828284#M6648</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://communities.vmware.com/t5/user/viewprofilepage/user-id/146813"&gt;@GTO455&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;No, please do not disable UAC on my behalf! &lt;img class="lia-deferred-image lia-image-emoji" src="https://communities.vmware.com/html/@3CBC42A1E7848F607FD419D398107BF9/emoticons/1f642.png" alt=":slightly_smiling_face:" title=":slightly_smiling_face:" /&gt;&lt;/P&gt;&lt;P&gt;All I'm saying is that some UAC scenarios (I forget which) result in DEM not being able to launch regedit.exe. That's why we have the fallback to reg.exe, but unfortunately that is less configurable via Group Policy.&lt;/P&gt;&lt;P&gt;If you temporarily disable that regedit-related ADMX-based setting, do you see references to reg.exe in the DEM log file where previously (when things were still working correctly with that ADMX-based setting in place) you saw regedit.exe?&lt;/P&gt;</description>
      <pubDate>Sun, 07 Feb 2021 21:19:05 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828284#M6648</guid>
      <dc:creator>DEMdev</dc:creator>
      <dc:date>2021-02-07T21:19:05Z</dc:date>
    </item>
    <item>
      <title>Re: ADMX Policy to Allow Registry to run silently no longer working</title>
      <link>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828437#M6650</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If I disable the policy, I do see an entry in the logs for Chrome using reg.exe&lt;/P&gt;&lt;P&gt;2021-02-08 10:30:30.639 [INFO ] Importing profile archive 'Chrome.zip' (\\server1\UEMProfiles$\User1\Archives\Applications\Chrome.zip)&lt;BR /&gt;2021-02-08 10:30:30.645 [DEBUG] ImportRegistry::Import: Calling '"C:\Windows\System32\&lt;STRONG&gt;REG.EXE&lt;/STRONG&gt;" IMPORT "C:\Users\User1\AppData\Local\Temp\FLX5054.tmp"' (RPAL: l=1 (P), r=0)&lt;BR /&gt;2021-02-08 10:30:34.934 [DEBUG] Read 1097 entries from profile archive (size: 9232980; compressed: 3111493; took 4290 ms; largest file: 733772 bytes; slowest import took 7 ms; registry took 140 ms)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I checked logs of other users and found that these errors do not exist with the policy enabled, which is weird. However, I delete my profile consistently during image testing, so that may have something to do with it.&lt;/P&gt;</description>
      <pubDate>Mon, 08 Feb 2021 15:38:21 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828437#M6650</guid>
      <dc:creator>GTO455</dc:creator>
      <dc:date>2021-02-08T15:38:21Z</dc:date>
    </item>
    <item>
      <title>Re: ADMX Policy to Allow Registry to run silently no longer working</title>
      <link>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828451#M6651</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://communities.vmware.com/t5/user/viewprofilepage/user-id/146813"&gt;@GTO455&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;OK, so that explains why you're getting the "Policy prevents access to registry editing tools -- please disable this policy" error messages if that ADMX-based setting is configured.&lt;/P&gt;&lt;P&gt;If your users don't get the error even if the ADMX-based setting is configured, I assume their logs show that regedit.exe is being used instead of reg.exe?&lt;/P&gt;&lt;P&gt;Also, I guess you're an admin and your users aren't? That would affect the UAC-related impact on DEM, which causes it to decide whether to use regedit.exe or reg.exe.&lt;/P&gt;&lt;P&gt;Would it be an option to put a condition on that ADMX-based setting to make it only apply to (non-admin) users?&lt;/P&gt;</description>
      <pubDate>Mon, 08 Feb 2021 16:27:34 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828451#M6651</guid>
      <dc:creator>DEMdev</dc:creator>
      <dc:date>2021-02-08T16:27:34Z</dc:date>
    </item>
    <item>
      <title>Re: ADMX Policy to Allow Registry to run silently no longer working</title>
      <link>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828463#M6652</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://communities.vmware.com/t5/user/viewprofilepage/user-id/3228914"&gt;@DEMdev&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am not an admin in my environment (unless I elevate to admin) and neither are my users. And I am not elevating in this case.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As a test, I completely deleted my profile and logged in, basically as a new user. ADMX policy to prevent editing the registry is enabled and allowing registry tools to run silently is enabled.&lt;/P&gt;&lt;P&gt;I turned debugging on and I found in the log that regedit is in use successfully;&lt;/P&gt;&lt;P&gt;2021-02-08 11:58:52.603 [DEBUG] ImportRegistry::Import: Calling '"C:\Windows\REGEDIT.EXE" /S "C:\Users\User1\AppData\Local\Temp\FLX5AD4.tmp"' (RPAL: l=0 (F/E), r=1)&lt;BR /&gt;2021-02-08 11:58:52.654 [DEBUG] Read 1 entry from profile archive (size: 700; compressed: 288; took 58 ms)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;However, further down the log, I see that I am still getting the error when launching Chrome&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2021-02-08 12:00:47.018 [DEBUG] Found 'FlexDebug.txt' - changed log level to DEBUG&lt;BR /&gt;2021-02-08 12:00:47.018 [INFO ] Performing DirectFlex import for config file '\\Server1\UEMShare$\general\Applications\Chrome.ini' [IFP#ffc5e26c-49b0663&amp;gt;&amp;gt;]&lt;BR /&gt;2021-02-08 12:00:47.019 [DEBUG] User: Domain\User1 (A/L), Computer: VDI-059, OS: x64-win10 (Version 1909, BuildNumber 18363.1316, SuiteMask 100, ProductType 1/4, Lang 0409, IE 11.1198.18362.0, VMware VDM 7.10.0, App Volumes 2.18.0.25, DEM 9.9.0.905, ProcInfo 1/2/4/4, UTC-05:00S), PTS: 11012/11540/1C&lt;BR /&gt;2021-02-08 12:00:47.019 [DEBUG] Using profile archive '\\Server1\UEMProfiles$\User1\Archives\Applications\Chrome.zip'&lt;BR /&gt;2021-02-08 12:00:47.019 [DEBUG] Triggered by 'C:\Program Files\Google\Chrome\Application\chrome.exe'&lt;BR /&gt;2021-02-08 12:00:47.038 [INFO ] Importing profile archive 'Chrome.zip' (\\Server1\UEMProfiles$\User1\Archives\Applications\Chrome.zip)&lt;BR /&gt;2021-02-08 12:00:47.043 [FATAL] Policy prevents access to registry editing tools -- please disable this policy&lt;BR /&gt;2021-02-08 12:00:47.043 [FATAL] ImportRegistry::Import: Error creating command line&lt;BR /&gt;2021-02-08 12:00:47.044 [FATAL] Error importing archive '\\Server1\UEMProfiles$\User1\Archives\Applications\Chrome.zip'&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 08 Feb 2021 17:27:15 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828463#M6652</guid>
      <dc:creator>GTO455</dc:creator>
      <dc:date>2021-02-08T17:27:15Z</dc:date>
    </item>
    <item>
      <title>Re: ADMX Policy to Allow Registry to run silently no longer working</title>
      <link>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828640#M6659</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://communities.vmware.com/t5/user/viewprofilepage/user-id/146813"&gt;@GTO455&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;gt; &lt;EM&gt;I am not an admin in my environment (unless I elevate to admin) and neither are my users. And I am not elevating in this case.&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;That "&lt;STRONG&gt;A/L&lt;/STRONG&gt;" in "2021-02-08 12:00:47.019 [DEBUG] User: Domain\User1 (&lt;STRONG&gt;A/L&lt;/STRONG&gt;), ..." indicates that the user is an &lt;STRONG&gt;A&lt;/STRONG&gt;dmin with a &lt;STRONG&gt;L&lt;/STRONG&gt;imited token (i.e. the non-elevated admin UAC scenario.) That's exactly what DEM checks for in its decision to use reg.exe instead of regedit.exe.&lt;/P&gt;&lt;P&gt;The log fragment you pasted was for a DirectFlex run. Does a path-based import at logon also show "A/L" in that "User: ..." line?&lt;/P&gt;</description>
      <pubDate>Tue, 09 Feb 2021 12:20:36 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828640#M6659</guid>
      <dc:creator>DEMdev</dc:creator>
      <dc:date>2021-02-09T12:20:36Z</dc:date>
    </item>
    <item>
      <title>Re: ADMX Policy to Allow Registry to run silently no longer working</title>
      <link>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828661#M6660</link>
      <description>&lt;P&gt;&lt;a href="https://communities.vmware.com/t5/user/viewprofilepage/user-id/3228914"&gt;@DEMdev&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;OK, I found the issue, rather, YOU found the issue.&lt;/P&gt;&lt;P&gt;At some point in the past I must have added my normal user account into a group that has admin rights on the desktop for testing. Once I removed my user account from the Admins group, everything works as expected. Apologies for making you go in circles!&lt;/P&gt;&lt;P&gt;It was a beneficial exercise for me though. I picked up from another thread your trick for adding the flexdebug.txt file to the user's profile to turn on debug mode. Very useful tip!&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 09 Feb 2021 13:54:19 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828661#M6660</guid>
      <dc:creator>GTO455</dc:creator>
      <dc:date>2021-02-09T13:54:19Z</dc:date>
    </item>
    <item>
      <title>Re: ADMX Policy to Allow Registry to run silently no longer working</title>
      <link>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828666#M6662</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://communities.vmware.com/t5/user/viewprofilepage/user-id/146813"&gt;@GTO455&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Happy to hear you tracked it down, with learning about FlexDebug.txt as a nice benefit &lt;img class="lia-deferred-image lia-image-emoji" src="https://communities.vmware.com/html/@3CBC42A1E7848F607FD419D398107BF9/emoticons/1f642.png" alt=":slightly_smiling_face:" title=":slightly_smiling_face:" /&gt;&lt;/P&gt;&lt;P&gt;It's always a bit of a tricky combination to figure out, what with UAC affecting our choice of reg(edit), and that policy setting being interpreted differently between the two tools.&amp;nbsp;At some point in the (far...) future I'd like to drop our dependency on reg(edit), but that's a non-trivial amount of work...&lt;/P&gt;</description>
      <pubDate>Tue, 09 Feb 2021 14:26:57 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Dynamic-Environment-Manager/ADMX-Policy-to-Allow-Registry-to-run-silently-no-longer-working/m-p/2828666#M6662</guid>
      <dc:creator>DEMdev</dc:creator>
      <dc:date>2021-02-09T14:26:57Z</dc:date>
    </item>
  </channel>
</rss>

