VMware Horizon Community
simpss
Enthusiast

Idle Session Timeout using ADMX-based settings

Seen a similar question in the forum and I have also tried a few other settings with no luck yet. 
We are trying to configure idle session timeouts for our external user group. 

I have disabled the Horizon Global Settings for idle session timeout.
Internally we would utilize the Imprivata SSO policies to disconnect idle users based on the computer SSO policies.

When a user that had a previous session internally disconnects, and now connects to that session at home (externally), ADMX-based settings get refreshed and a policy is applied for idle session timeout to be set to 15 minutes.

I can see the regkey get set on the user, however I can't get the policy to actually run until the user disconnects and reconnects again.

I see the same issue when I first connect from home (Externally) and then reconnect to my session internally (the external idle session timeout is still in play).

Because the regkey is under HKCU\SOFTWARE\Policies I can't use a config file with pre-defined settings unfortunately.

Thanks to anyone who can provide some input.

Running Horizon 7.12 and DEM 9.11

burgerking68
Enthusiast

Hi, maybe this Computer Policy (GPO) will help you? (German version):

burgerking68_0-1615274990205.png

 

 

VMWare 8.4, DEM 2106

DEMdev
VMware Employee

Hi @simpss,

It's often the case that changes to configuration settings aren't picked up dynamically, but only at certain points in time. I can imagine that a session idle timeout setting will be read before logon and reconnect, so that a change after reconnect won't be picked up until the next disconnect/reconnect. ProcMon might shed some more light on this timing.

As for "Because the regkey is under HKCU\SOFTWARE\Policies I can't use a config file with pre-defined settings unfortunately.": an ADMX-based setting should have the same effect as such a predefined setting – what exactly would you like to do here?

simpss
Enthusiast

Hi @DEMdev,

It seems to be the case for such. For testing purposes I have two ADMX based settings configured. 

Internal - The idle session timeout is set to 1 minute

External - The Idle session timeout is set to 5 minutes

1. I logon internally (new logon, not reconnect), and after 1 minute I get a session idle message - which works as planned.

2. I reconnect to my session externally and have a triggered task to refresh ADMX based settings at reconnect.

3. I can see the ADMX settings get refreshed and the MaxIdleTime key under "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" gets changed to 5 minutes.

4. Even though the regkey is changed and the ADMX-based settings were refreshed, I still receive the 1 minute idle session.

5. If I disconnect and reconnect to that session again, the new settings start to work.

 

"As for "Because the regkey is under HKCU\SOFTWARE\Policies I can't use a config file with pre-defined settings unfortunately.": an ADMX-based setting should have the same effect as such a predefined setting – what exactly would you like to do here? "

I noticed in another thread, you mentioned creating a config file and having pre-defined settings with a triggered task at reconnect. With the Config File and pre-defined settings, I don't see the regkey get created at all. 

 

Our end goal is to attempt to configure different idle session timeouts for external users and internal users. But we have users that would start their day externally and come in the office later in the day and vice versa.

 

simpss
Enthusiast

Thanks @burgerking68.
I can't use the computer policy in this scenario because it's an RDSH published apps environment.

DEMdev
VMware Employee

Hi @simpss,

Yeah, I'm afraid that that MaxIdleTime setting is read early during session setup (at logon and reconnect), and DEM's refresh only gets to run later. Not much later, but too late.
(Thank you for clarifying the predefined settings bit. Even if that were able to import settings into the Policies key, it would not help as it would be too late as well.)

It's a bit (well, a lot...) of a hack, but maybe you can run tsdiscon.exe at reconnect for internal/external (and vice versa) switches, to force the "disconnect and reconnect to that session again" so the new MaxIdleTime will be picked up?

simpss
Enthusiast

@DEMdev 

Appreciate the assistance...

Only problem I see with this would be if user was internal and decided to login from another workstation (IP Address change) which would trigger the reconnection task to run when it technically wasn't required.

No way I can get around that possibility right? 

DEMdev
VMware Employee

Hi @simpss,

I suppose you currently have a few ADMX-based settings that configure different idle timeouts, using conditions to target internal/external connections, and then perform an ADMX-based settings refresh using a triggered task at reconnect?

If that's a correct assumption, the following would do the trick:

  • Change the triggered task from User Environment refresh to Run custom command to run a script.
  • Within that script:
    1. Read the current value of HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services@MaxIdleTime
    2. Run FlexEngine.exe -UEMRefreshADMX
    3. Read the value of MaxIdleTime again; if it has changed from step #1, run tsdiscon.exe

It's important that this is robust as you don't want to be disconnecting sessions that shouldn't be disconnected :), but I think the above should work.

simpss
Enthusiast

@DEMdev ,

That is correct, exactly how I have things set up.

I will try your suggestion to see if this will work. 

Thanks again!

DEMdev
VMware Employee
Accepted Solution

Hi @simpss,

Something like this might serve as a starting point:

 

```bat
@ECHO OFF
SETLOCAL
SETLOCAL ENABLEEXTENSIONS

REM Policy value that holds the idle session timeout
SET Key=HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
SET Value=MaxIdleTime

REM Remember the value as it is before the refresh
CALL :SetEnvVarFromRegistry RegValue.Before "%Key%" "%Value%"

ECHO.
ECHO Pretending to perform an ADMX-based settings refresh here
PAUSE

REM Read the value again after the refresh
CALL :SetEnvVarFromRegistry RegValue.After "%Key%" "%Value%"

REM Disconnect only when the timeout actually changed
IF NOT [%RegValue.Before%]==[%RegValue.After%] ECHO Pretending to run "%WINDIR%\System32\tsdiscon.exe"

GOTO :EOF

REM Sets the variable named in %1 to the data of value %3 under key %2
REM (the variable is left empty when the key or value does not exist)
:SetEnvVarFromRegistry
SET %~1=
SET TEMPFILE="%TEMP%\EnvVarFromRegistry-%RANDOM%-%RANDOM%.tmp"
"%WINDIR%\System32\REG.exe" QUERY "%~2" /v "%~3" >%TEMPFILE% 2>NUL
IF NOT ERRORLEVEL 1 FOR /F "usebackq skip=2 tokens=2,*" %%A IN (%TEMPFILE%) DO SET %~1=%%B
DEL 2>NUL %TEMPFILE%
GOTO :EOF
```

 

 

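The three-step procedure from the thread (read MaxIdleTime, run FlexEngine.exe -UEMRefreshADMX, read again and run tsdiscon.exe only on a change), with the placeholders of the batch starting point filled in and a fail-safe path, as an added PowerShell example that is not code from any post in this thread. The FlexEngine.exe location, the log file name and the treatment of a non-zero exit code as a failed refresh are assumptions to verify in your environment.

```powershell
# Added example: run as the custom command of the DEM triggered task at reconnect.
$ErrorActionPreference = 'Stop'   # any unexpected error ends the script before tsdiscon

$KeyPath   = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'MaxIdleTime'
# Assumption: default DEM agent install path; adjust to where FlexEngine.exe lives.
$FlexEngine = Join-Path $env:ProgramFiles 'Immidio\Flex Profiles\FlexEngine.exe'
# Hypothetical log location, so every disconnect decision can be audited later.
$LogFile = Join-Path $env:TEMP 'IdleTimeoutRefresh.log'

function Get-MaxIdleTime {
    # Returns the DWORD policy value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

# Step 1: value in effect before the refresh.
$before = Get-MaxIdleTime

if (-not (Test-Path -LiteralPath $FlexEngine)) {
    Write-Log "FlexEngine.exe not found at $FlexEngine; session left untouched."
    exit 1
}

# Step 2: refresh ADMX-based settings and wait until the process has exited.
$proc = Start-Process -FilePath $FlexEngine -ArgumentList '-UEMRefreshADMX' `
                      -Wait -PassThru -WindowStyle Hidden
if ($proc.ExitCode -ne 0) {
    # Assumption: non-zero means the refresh failed, so do not disconnect.
    Write-Log "Refresh exited with code $($proc.ExitCode); session left untouched."
    exit 1
}

# Step 3: disconnect only when the policy value really changed. An internal
# workstation-to-workstation reconnect leaves it unchanged and is not disturbed.
$after = Get-MaxIdleTime
Write-Log "MaxIdleTime before=$before after=$after"

if ($before -ne $after) {
    Write-Log 'Value changed; disconnecting so the new timeout is picked up.'
    & "$env:WINDIR\System32\tsdiscon.exe"
}
```

Every failure path exits without calling tsdiscon.exe, so a broken refresh never disconnects a session.
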
simpss
Enthusiast

Hi @DEMdev ,

I think I may have this working with another solution. Can you tell me if any of the -UEMrefresh triggers would refresh files and folders at reconnect? Or is this only done at logon?

Thanks again!

DEMdev
VMware Employee

Hi @simpss,

Sorry, Files and Folders settings are not refreshable. Depending on what you're trying to do here you might be able to individually import one (or a few) via "manual" FlexEngine.exe invocations, though...

simpss
Enthusiast

@DEMdev,

I'm trying to remove a .ini file from %appdata% location based on a location condition 

 

DEMdev
VMware Employee

Hi @simpss,

Maybe I misunderstood (as I'm not sure how a Files and Folders setting would allow you to remove a file), but an alternative to refreshing files and folders at reconnect to get one of those settings to apply would be the following:

  • Create a new Personalization config file, and disable it through the context menu (so we're in full control over when it will get processed.)
  • On the Predefined Settings tab, add a new setting of type Fully Enforced Settings, and Create... its contents or Install... them from the Files and Folders setting you mentioned.
    Put the required location condition on the predefined setting.
  • Repeat, in case you want to apply different predefined settings for different locations, etc.
  • Running FlexEngine.exe -i "%UEMConfigShare%\relative\path\to\that\config\file.ini" -r dummy.zip (manually or as a custom command in a triggered task) will process this config file, meaning that the conditions on the predefined settings will be evaluated, and the matching predefined settings file will be imported.
    The -r argument is mandatory, but can point to a non-existing file. You can also add -f path\to\other\log.file to log to another log file than the default, to keep things neat and tidy.

If I did misunderstand, and you're not looking to import settings but run a task, tweak the above as follows:

  • Instead of configuring any Predefined Settings, enable DirectFlex for dummy.exe. This allows you to add User Environment Settings to the config file.
  • Add a Pre-import Task, configure the command to your liking, and add the required location condition.
  • Repeat, in case you want to run different tasks for different locations, etc.
  • Launch the same command as above, but add -u to enable processing of user environment settings for file-based operations.

If I still misunderstood, please elaborate 🙂

cbaptiste
Hot Shot

I ran into a similar issue with screensavers. We did not want a screensaver on our virtual desktops; however, we need to have it enabled for remote users so we can implement the screensaver timeout policy to lock the desktop. After months of scratching our heads, it was evidently clear that was not possible for roaming sessions. The reason it was not doable is simply because the setting applies only during logon. Even though the policy changes if the user originally connected internally, disconnects, and reconnects from home, it would not take effect. Security team simply had to write an exception for that and accept it as is.
