Highlighted
Enthusiast
Enthusiast

AppVolume/Stack with different sets of HKLM GPO settings

Hi.

I'm working in an environment where users will get one appstack where most of our default applications will be published.

But, since our users are located in different locations/sites, they need to get some HKLM settings for some applications to point to different Databases etc.

Since UEM is for the user environment, settings in HKLM will not change, and then i created a GPO that will deploy depending on where the user are located and what kind of database it needs to connect to. But my problem is that the GPO runs during logon before the appstack is mounted, and therefore the HKLM registry setting recorded in the appstack will overwrite the GPO settings, and user have to wait for x minutes before the client will get the GPO settings written back.

How do you guys deploy HKLM settings for a non-presistent VDI where different users need different registry values for the same keys, and i'm not able to record this in an appstack.

0 Kudos
12 Replies
Highlighted
Virtuoso
Virtuoso

We don't have that issue to be honest but my guess is you have a few options. It would still require you to do a check on where the user is located.

You can use the .bat files on the appstack itself to trigger specific actions after the appstack is attached. Make sure to use the .bat file that is being executed by the system account, otherwise you could end up with a permission denied.

Are you using writables? Your other option could be to attach this specific appstack to the computer accounts but this only works if you are NOT using writables, this way the appstack is already attached before the user logs in and then the policy can be applied to the appstack.

And my last option would be to silently run gpupdate /force as a logon process. This way the appstack is attached and the policy is forced..

Depending on your wishes one of these should do the trick.

0 Kudos
Highlighted
Enthusiast
Enthusiast

Can you make use of the Registry section in UEM?

pastedImage_1.png

Create different sets of registry keys and apply them conditionally?

Horizon Client 5.4.3 Appvol Manager 2.18 Appvol Client 2.18.6 UEM 9.10
0 Kudos
Highlighted
Enthusiast
Enthusiast

As far as i know, this is for HKCU and not HKLM... since regular users are not allowed to do changes in the HKLM settings in registry, and then it will not work.

Please correct me if i'm wrong.

0 Kudos
Highlighted
Enthusiast
Enthusiast

Thanks, we'lll use writabels late on in our windows 10 environment, when we get the UIA without profile to work.

But i have considered to run the GPUPDATE without /force(if you use /force, you need to log off and on again, and this is effective when you have user settings that need a refresh, gpupdate alone will effect HKLM)

But since we also struggelig with a bit long logontime that i need to work out, i'm not sure how gpupdate will effect this as we speak, therefore i want to use GPO for HKLM and UEM for HKCU.

But i'll give it a try and see how it works.

UEM is a great way to manage our users, and i wish that UEM also will be able to manage lokal machine settings depending on its conditions. So we'll be able to have all settings stored in one place. even though i do not that going to happen since UEM is a USER ENVIRONMENT MANANGER.

Thanks.

0 Kudos
Highlighted
Virtuoso
Virtuoso

Yes, AFAIK UEM can only set HKCU settings, if you create the regkey it will only select that.

Regarding the logontime, we have been struggling very hard to get this down for our students which have stateless desktops.

We found out that you should remove as much modern apps as possible (check using get-appxprovisonedpackage -online) and using UEM you could also collect the activesetup information. We found out that logon times are about 5 seconds less with only adding the following lines. This zip file is only about 1KB large so it won't cost you a large amount of storage.

[IncludeRegistryTrees]

HKCU\Software\Microsoft\Active Setup\Installed Components

HKCU\Software\Wow6432Node\Microsoft\Active Setup\Installed Components

0 Kudos
Highlighted
Enthusiast
Enthusiast

Okei, i have figured out that our IE webcache is generating a long logontime. In UEM Personalization/INternet Explorer i have these settings:

[IncludeFolderTrees]

<Cookies>

<Favorites>

<LocalAppData>\Microsoft\Windows\WebCache

And the webcache.dat its about 26mb, and generate 15-20 seconds longer logontime, but as far as i have figured out, i need this DAT file because users credentials and history are stored here. If i remove this setting, users have to input username and password for every sites they want IE to remember...

Thats my bottleneck as we speak, but i'll have a closer look at you suggestions as well.

0 Kudos
Highlighted
Virtuoso
Virtuoso

Can't you do the following? When looking at my file it is also 42MB large so that might not be of use.

To be honest I don't know how to get that one out..

[IncludeFiles]

<LocalAppData>\Microsoft\Windows\WebCache\*.dat

0 Kudos
Highlighted
Enthusiast
Enthusiast

AS you can see from my log file, it takes almost 10 seconds:

2018-11-28 13:24:31.920 [INFO ] Importing profile archive 'Internet Explorer user.zip' (\\server\uem-profiles\user\Archives\Windows Settings\Internet Explorer user.zip)

2018-11-28 13:24:40.720 [DEBUG] Read 148 entries from profile archive (size: 43858; compressed: 23700; took 8796 ms; largest file: 3677 bytes; slowest import took 8 ms)

I have also tried just to export and import the webcache.dat file, when i exclude that file, it takes under a second to import...

0 Kudos
Highlighted
Enthusiast
Enthusiast

Where is that log file that you are referring to?  I'm troubleshooting slow logon time as well but cannot see as many details in my log file as you have?

0 Kudos
Highlighted
Enthusiast
Enthusiast

They are loacted where you said where your UEM-userprofiles will be stored. they are located into the user-folder.

My GPO is called: "Horizon Agent All Users" and are applied to users.

User Config/Administrative Templates/VMWare UEM/FlexEngine

Make sure to change your loglevel to DEBUG, then it will write more details to the log.

0 Kudos
Highlighted
Virtuoso
Virtuoso

If you only want to check with 1 user you could also create a file in the log folder of that specific user. The logfile name should be FlexDebug.txt and it can be empty. UEM just checks for existence of this file and if exists goes into debug logging mode.

Highlighted
Enthusiast
Enthusiast

Thank you I will try that

0 Kudos