VMware Horizon Community
amarsden
Contributor

Hk Local Machine - is there really no way ? (plus questions about logon task)

Hi

I'm trying to set up Oracle ODBC drivers which seem to HAVE to have components in HKLM - I accept that normally this can't be done (Cannot capture or insert values in the HKEY_LOCAL_MACHINE registry hive in UEM (2146182) | VMware KB is quite clear on that)

However, even running a "reg import  "\\server\filename.reg"" doesn't work

So a few questions;

  1. Is this not working because nothing in UEM can touch HKLM?
  2. Is it not running because the location cannot be found, despite me putting the reg file in a pretty relaxed share location?
  3. Is it not working because logon tasks are run with the user rights and our normal users can't run such commands?
  4. If 3 - is there any way to get logon (and logoff) commands to run with elevated rights?

Cheers


ACM

VDIMega
Enthusiast

I'm using UEM to modify HKLM.  Just be mindful that the user needs to have write permissions to the HKLM tree you're trying to modify.

For example, Bloomberg Professional installs in a way that gives local users write permission to its HKLM registry tree.  I use UEM to create a predefined registry setting to influence how Bloomberg stores user settings:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Bloomberg L.P.\User Info]

"Use HKCU"=dword:00000001

amarsden
Contributor

Thanks - I think that answers the question as our normal users can't write to HKLM - poop!

VDIMega
Enthusiast

You can modify the registry settings of an HKLM tree, just be sure that you're not over-permissioning and causing a security exposure.

For example with Adobe Reader DC, I use UEM to put in a value in HKLM to disable auto-updating:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown]

However, [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Adobe] is not writable by default, so we had to change the permissions in the parent VM to allow the user to write there.

What would not have been good is if we modified [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies] because that would allow users to override any GPO policies settings.
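
An added example, not part of any post in this thread: a PowerShell audit to run in the parent VM that reports which of the HKLM keys named in this thread grant write access to broad non-admin groups. The function name `Get-WeakRegistryAce` and the choice of groups to check are assumptions made for illustration.

```powershell
# Added example: list HKLM keys where broad, non-admin groups hold write access.
# Key paths are those named in this thread; adjust for your own image.
$keys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Policies',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Adobe',
    'HKLM:\SOFTWARE\Wow6432Node\Bloomberg L.P.\User Info',
    'HKLM:\SOFTWARE\ODBC',
    'HKLM:\SOFTWARE\Wow6432Node\ODBC'
)

# Well-known SIDs of broad groups (assumed audit scope; extend as needed).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Specific rights that change values, subkeys or the ACL itself, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that appear
# on inherit-only entries.
$specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x50000000

function Get-WeakRegistryAce {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        $acl = Get-Acl -LiteralPath $p
        # Ask for SIDs rather than names so localized group names still match.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            if ($r.AccessControlType -ne 'Allow' -or -not $broadSids.ContainsKey($sid)) { continue }
            if (([int]$r.RegistryRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $p
                Principal = $broadSids[$sid]
                Rights    = $r.RegistryRights
                Inherited = $r.IsInherited
            }
        }
    }
}

Get-WeakRegistryAce -Path $keys | Format-Table -AutoSize -Wrap
```

A row for a parent key such as `Policies` with `Inherited = False` is the over-permissioning case; the script only checks the listed groups, so write access granted to other principals (a domain group, for instance) is not reported.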

amarsden
Contributor

Ta - this is just me being lazy as I wanted to distribute ODBC DSNs purely via UEM - but it looks like I may have to put them in a stack - lots of users use databases specific to stacks, but without actually having the application stack.


Cheers


ACM

VDIMega
Enthusiast

I tried doing registry changes via appstacks and the only way I found worked involved having the hidden appstack batch files import the regedits.  I didn't like this because it was cumbersome to update the regedits.

But you're saying that your Oracle app doesn't accept ODBC connections in HKCU?  If it did, you could just have UEM import them into HKCU instead easily.  I would not change the permissions on HKLM\Software\ODBC or HKLM\Software\Wow6432Node\ODBC.

Can you share the registry edit in HKLM that you need to make?

amarsden
Contributor

In HKCU ODBC works, as long as the driver is in the base image.  In this case the Driver and Oracle Home are on a network location and not in the base image, which means I need to add the relevant driver settings as well - which seem to only work in HKLM.  Going home now!

iforbes
Hot Shot

Hi. Could you outline in more detail how you accomplish this? I also have Bloomberg and would like to do the exact same thing via UEM.

Thanks

iforbes
Hot Shot

Could I not just create "Use HKCU"=dword:00000001 in the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Bloomberg L.P.\User Info of the VDI "Golden" image? Is there even a need to have UEM create that key? This of course assumes I'm installing Bloomberg locally on the image, and not delivered via App Volumes.

DEMdev
VMware Employee

Hi iforbes,

If Bloomberg does indeed grant non-admin users modify permissions on its HKLM key (as VDIMega stated in Re: Hk Local Machine - is there really no way ? (plus questions about logon task)), you could use UEM to set that Use HKCU value, but if you can make the change in your golden image, you indeed do not need UEM for that.

iforbes
Hot Shot

Thanks UEMdev,

I think this has answered my other questions around HKLM and UEM. I know UEM is strictly a user profile capture solution and only supports the HKCU hive. It sounds like if we are able to allow users permissions to specific registry keys, then UEM can actually read and write to HKLM?

Lastly, when I use Application Profiler to capture an app config. I notice many HKLM references. Why does UEM even bother capturing any HKLM references if it can't do anything with them anyways?
