Hi, I have some issues regarding very slow import of personal settings from UEM.
UEM Management 9.2.0.701
Horizon Client 4.5.0
Mandatory profile
I see that some of the import are very slow, it takes like 5-6 minutes to import these settings.
It "stops" on "Personal Sertificates.zip" and "Internet Explorer.zip"
When these files are Zipped, they are 6655kb(cert) and 5100kb(ie).
When i unzip these files, they are 7,24mb(cert) and 49,2mb(ie).
My Configfiles looks like this:
Personal Certificates:
[IncludeRegistryTrees]
HKCU\Software\Microsoft\Cryptography
HKCU\Software\Microsoft\Identities
HKCU\Software\Microsoft\SystemCertificates
HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS
[ExcludeRegistryTrees]
HKCU\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
[IncludeFolderTrees]
<AppData>\Microsoft\CLR Security Config
<AppData>\Microsoft\Credentials
<AppData>\Microsoft\CryptnetUrlCache
<AppData>\Microsoft\Crypto
<AppData>\Microsoft\Protect
<AppData>\Microsoft\SystemCertificates
<LocalAppData>\Microsoft\Credentials
Internet Explorer:
[IncludeRegistryTrees]
HKCU\Software\Microsoft\IdentityCRL
HKCU\Software\Microsoft\Internet Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
[IncludeFolderTrees]
<Favorites>
<LocalAppData>\Microsoft\Windows\WebCache
[ExcludeFiles]
<Favorites>\desktop.ini
<Favorites>\links\desktop.ini
Why does UEM import these files sooo frustrating slow?
Users get restless and complain a lot...
How does your settings look like, and if you have any changes, why do you have them?
How do you guys experience logons for your users?
BR
Stian
Just to make sure, I meant a "Windows" logon script, not a UEM logon task. There's actually a logon script configured in your Horizon Agent All Users GPO:
Just remove that, and your logons should be at least twice as fast 🙂
As for folder redirection, I don't see anything in the two GPOs you attached, but there's definitely a few more folders redirected than the ones you configured through UEM. Is there maybe another GPO in play as well, or could this have been "tattooed" into the mandatory profile? If you hive in the registry file from your mandatory profile, or log on without UEM installed or configured, what do you see in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer User Shell Folders?
Mapping the home drive through user settings in AD is perfectly fine. There's nothing wrong with folder redirection per se either (although, again, redirecting AppData will probably not result in a nice experience for your users).
Most important note regarding folder redirection in combination with UEM is that you should not manage files residing in redirected locations with UEM: it's not necessary (as those files are already no longer local to the profile, i.e. they reside on the network, "safe" in non-persistent scenarios), and it will slow down things considerably (as UEM will persist such settings by reading files from the redirected folders (on the network) and storing the resulting profile archive zip file (also on the network), and will restore them by reading from the UEM profile archive zip file (on the network), and then saving them to the redirected folder location (also on the network)...)
Hi lansti,
Can you provide a FlexEngine log file (at log level DEBUG) that covers a full logon/logoff cycle, so includes information from both the path-based import and the path-based export? That should give us some more information to go on in troubleshooting your performance issue.
Are you using folder redirection for AppData and Favorites?
Hi lansti,
You are indeed redirecting a number of profile folders:
2017-10-13 19:19:48.593 [DEBUG] Redirected folders: AppData, Desktop, Favorites, Personal, ProgramsMenu, StartMenu, StartupMenu
Some of these are redirected through UEM, but I guess folder redirection for the other folders is configured through standard Group Policy? Either way, how exactly the folders have been redirected is not very important.
What is important, is that AppData and Favorites are redirected, but you're also using UEM to manage settings in those folders. That's not necessary, as those files already live on the network – there is no need for UEM to persist and restore them. Doing so means that there's a lot of additional (slow...) network traffic (both at logon and at logoff), which I'm sure is the main explanation for your performance issues.
Another thing I noticed, is that you're running UEM both as a Group Policy client-side extension:
2017-10-13 19:13:21.665 [INFO ] Starting FlexEngine v9.2.0.701 [IFP#00e15d53-T5>>]
2017-10-13 19:13:21.666 [INFO ] Running as Group Policy client-side extension
2017-10-13 19:13:21.666 [DEBUG] Performing path-based import
[...]
2017-10-13 19:14:05.033 [INFO ] Done (43392 ms) [<<IFP#00e15d53-T5]
And shortly after that, again from (most probably) a logon script:
2017-10-13 19:14:24.530 [INFO ] Starting FlexEngine v9.2.0.701 [IFP#02bd874f-8a0ae>>]
2017-10-13 19:14:24.533 [DEBUG] Running as child of process #4912
2017-10-13 19:14:24.533 [DEBUG] Performing path-based import
[...]
2017-10-13 19:19:06.489 [INFO ] Done (282047 ms) [<<IFP#02bd874f-8a0ae]
That second invocation is not necessary, and removing that should already massively improve the performance, given that it took nearly 5 minutes to finish...
Thank you for you time and feedback, but i do not understand where we run as GPO and logonscript.
I have added our GPO's.
In UEM i have the following Folder redirection:
We do not have any logonscriot running with these kind of settings, the only logontasks we have are some regimports in UEM...
All users are moved to a new OU directory that do not inherit anything from OUs above...
UsersAccounrs in AD has a homefolder mapped like this:
So, is it these mappings in AD and UEM that causing our issues?
What is the best practice here for H:\ and folder redir?
BR
Stian
Just to make sure, I meant a "Windows" logon script, not a UEM logon task. There's actually a logon script configured in your Horizon Agent All Users GPO:
Just remove that, and your logons should be at least twice as fast 🙂
As for folder redirection, I don't see anything in the two GPOs you attached, but there's definitely a few more folders redirected than the ones you configured through UEM. Is there maybe another GPO in play as well, or could this have been "tattooed" into the mandatory profile? If you hive in the registry file from your mandatory profile, or log on without UEM installed or configured, what do you see in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer User Shell Folders?
Mapping the home drive through user settings in AD is perfectly fine. There's nothing wrong with folder redirection per se either (although, again, redirecting AppData will probably not result in a nice experience for your users).
Most important note regarding folder redirection in combination with UEM is that you should not manage files residing in redirected locations with UEM: it's not necessary (as those files are already no longer local to the profile, i.e. they reside on the network, "safe" in non-persistent scenarios), and it will slow down things considerably (as UEM will persist such settings by reading files from the redirected folders (on the network) and storing the resulting profile archive zip file (also on the network), and will restore them by reading from the UEM profile archive zip file (on the network), and then saving them to the redirected folder location (also on the network)...)
Hi, i have tried to remove what you told me - the logon script in GPO. It was a very fast logon...
But as i thought, i think I need that logonscript, because we are using UEM to deploy shortcuts to startmeny, drive mappings, and setting from different applications with and without predefined settings.
EDIT: And yes, i found another GPO, on the USERS ou... with appdata, desktop, documents, favorites and startmenu redir... they are now removed, since they was ment to be on our main desktops before we moved users to Horizon...
EDIT2: I added USER SHELL FOLDERS with and without UEM.
I uninstalled UEM, and loged on as my testuser...
To start with the screenshots: those are looking good. Glad to hear you found that other GPO that was redirecting some of the other folders.
You don't need to run UEM from a logon script, as you have it already configured to run as a Group Policy client-side extension.
Can you provide a new UEM log file, so we can double check that everything is happening correctly?
Hi, and againg, thank you so much for taking your time with this. ,
Just been testing over again, without this logonscript...
But now, my user-config Archive is empty, i tested with a test user where i deletet the user profile upfront.
I'll do more testing now, and i'll give you an update later on.
Thanks.
Hi lansti,
Just to make sure: you only removed the logon script, but left the logoff script in place, right?
Also, your logon is still pretty slow, most probably caused by importing (lots of) favorites while having the Favorites folder redirected.
2017-10-16 21:49:08.235 [INFO ] Importing profile archive 'Internet Explorer.zip' (\\hznuem\uem-profiles\bet\Archives\Windows Settings\Internet Explorer.zip)
2017-10-16 21:49:08.256 [DEBUG] ImportRegistry::Import: Calling '"C:\Windows\REGEDIT.EXE" /S "C:\Users\bet\AppData\Local\Temp\FLX5B1.tmp"' (RPAL: l=0 (D/E), r=0)
2017-10-16 21:49:44.024 [DEBUG] Read 309 entries from profile archive (size: 41669410; compressed: 2925389)
Importing that single Internet Explorer user profile archive required nearly 36 seconds, of the total 39 seconds that the full path-based import took:
2017-10-16 21:49:46.117 [INFO ] Done (39107 ms) [<<IFP#01c9da0c-T5]
As long as you keep the folder redirection for <Favorites> in place, you don't need to manage the favorites with UEM itself. If you select the Internet Explorer config file in the Windows Settings tree node, and click on the Manage button you see an option to Expand the settings.
If you click Expand, the built-in template is expanded to its underlying settings, and you can see the exact locations that are managed by this config file. Since you have the Favorites folder redirected, you don't need the <Favorites> lines, so you can remove them or comment them out as I've done here:
(I've also commented out the [ExcludeFiles] header as it no longer contains any effective settings, but that's not really necessary.)
Hi UEMdev,
Yes, the logoff script is in place:
I have notised that IE used several seconds to import, but i couldn't understand why it will take 30-40 seconds to import a few MB...
But how does user settings now get stored and where? I do not redirect APPDATA.... and since my archives are empty?
I can see that my Outlook has enabled Direct Flex, and creates a file in my archive for my testuser. But i am prompted for password on every logon.
I have not been able to test everything yet, but will my predefined settings for some applications also run and be imported?
I am taking a VmWare "Horizon 7, Install, Configure and Manage" this week, hope i get a better understanding of UEM in the end of this course...
BR
lansti
Hi lansti,
Can you provide another UEM log file, covering a full session, from logon to logoff?
Hi lansti,
The log file you sent only contains a path-based import (at logon), and a few DirectFlex imports and exports (at application launch and exit).
It does not contain information about the path-based export, which takes place at logoff. If that path-based export does not happen, that would explain why setting for certain applications are not saved.
Did the user actually log off, or just disconnect from a session? Can you export the contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts while logged in to a session and post them here (or privately to me, in case you don't want to have to scrub server names etc)?
Hi lansti,
Thank you for the new logs. However, there are no logoff actions to be seen, so the registry export mentioned previously would be helpful in figuring out why that is the case.
Hi UEMdev
I sent you the registry settings on PM right after i postet the new logs yesterday...you didn't het it?
Hi UEMdev...
I might found a kind of a BUG i GPO...
When you told me to remove the longon script in GPO, i did so, but when i had a look now, it also removed the LOGOFF setting.
When i looked into the settings, this logoff policy was gone:
But as you can see, it is actually there...
WHen i removed the logoff setting in the properties, and added it again:
Then i can see it there, and when my users was testing, UEM was exporting stuff into their profiles...
Next step is to let user credentials be stored into UEM, so they do not get promptet for Outlook credentials everytime they logs on... and other credentials they want the system to remember by clicking "remember me" option...
Hi lansti,
Great, that would indeed explain the behavior you're seeing. Thanks for the update.