Highlighted
Hot Shot
Hot Shot

Allowing DEM to Apply Computer Environment Settings - "disabled via configuration"

I'm trying to leverage the new DEM Computer Smart Policies to apply the new "Idle time until disconnect" value on some VMs used in an Operating Room.

Annotation 2020-08-21 152222.jpg

For some reason, I cannot get it to work.

The EventLogs in the VM state: Event ID 24601 -- "Both Horizon Smart Policies computer settings and ADMX-based computer settings are disabled via configuration, so computer environment settings are disabled."

I have already manually applied the registry keys to allow Computer Policies, and recomposed the pool.

the ConfigFilePath attribute is pointing to the DEM Config share.  I'm wondering if there are Share Permission changes required for access by the computer object?!   Normal DEM accesses via the logged in user, and I'm assuming this is happening BEFORE user login, so maybe the Authenticated Computer needs read access?

The documentation does not mention permissions, so I was wondering if anyone has actually got this working.   I'd just add it, but it requires a Change Form, and having a Storage Team process the Change.

John

0 Kudos
4 Replies
Highlighted
VMware Employee
VMware Employee

Hi JohnTwilley,

The EventLogs in the VM state: Event ID 24601 -- "Both Horizon Smart Policies computer settings and ADMX-based computer settings are disabled via configuration, so computer environment settings are disabled."

Can you show what's configured under HKLM\SOFTWARE\VMware, Inc.\VMware UEM\Agent\Computer Configuration?

I'm wondering if there are Share Permission changes required for access by the computer object?!   Normal DEM accesses via the logged in user, and I'm assuming this is happening BEFORE user login, so maybe the Authenticated Computer needs read access?

Indeed, the note at the bottom of that configuration page you linked to, states "Computer accounts rather than user accounts access the file shares that host the configuration folder and the log file." and references the share configuration topics where the additional requirements for computer environment settings are described.

0 Kudos
Highlighted
Hot Shot
Hot Shot

Here are my settings.  I've added Domain Computer (Read) to the share, but still cannot get this to work properly.

Where would I find additional logging for the Computer policies?

Screenshot 2020-10-01 075752.jpg

I guess I'll add a couple more variables to capture the logs as found here:  FlexEngine Configuration for Computer Environment Settings (vmware.com)

I was kinda hoping that Computer Logging would be available via Group Policy, as it is for the User Flex Engine Logging...

0 Kudos
Highlighted
Hot Shot
Hot Shot

I added Debug Logging via the following Registry variables...but still no logging.

I don't really see much discussion in the forums about the new Computer-Based policies.

Is anyone using it yet?

My Event Log still states that DEM Computer Policies are "disabled via configuration".

Screenshot 2020-10-01 113029.jpg

I'm hoping that in the next release, there will be ADMX files to manage the Computer Policies for DEM...because this is a mess.

If I manually run the FlexEngine.exe -UemRefreshHorizonComputerPolicy

I still get EventID 24601 -- "Both Horizon Smart Policies computer settings and ADMX-based computer settings are disabled via configuration, so computer environment settings are disabled."

UPDATE:

The Online Guide states the following:

"To configure VMware Dynamic Environment Manager to apply computer environment settings, edit the Windows registry settings in the HKLM\SOFTWARE\VMware, Inc.\VMware UEM\Agent\​Computer Configuration key as necessary until they comply with the descriptions that follow."

UPDATE2:

Turns out it was some strange hidden character (or something) in my Group Policy that added the Computer Configuration key and values.

I deleted them and recreated them locally and it worked fine.   Very odd, as the Reg keys looked perfect.

0 Kudos
Highlighted
VMware Employee
VMware Employee

Hi JohnTwilley,

Turns out it was some strange hidden character (or something) in my Group Policy that added the Computer Configuration key and values.

I deleted them and recreated them locally and it worked fine.   Very odd, as the Reg keys looked perfect.

Happy to hear that you got things to work.

I'm hoping that in the next release, there will be ADMX files to manage the Computer Policies for DEM

Applying this configuration through AD computer policy will be too late, unfortunately. We are considering a two-step approach like we have for NoAD, where at least some of the configuration can come from an XML file on the config share.

0 Kudos