VMware Horizon Community
renevanduren
Contributor

UEM problem mapping network drives Windows 10

Hello,

We use UEM 9.1 and are migrating the desktops from Windows 7 to Windows 10.

With the Windows 7 desktops we had no problem with the UEM network drive mappings, but the Windows 10 desktops do not show the network mappings at startup.

On the Windows 10 desktops the log file shows that the mapping was successful but the drive letter does not appear.

We tried many different settings, and we also tried the setting "Special Drive Mapping Logic" (admx flexengine advanced settings), but there are no network drive mappings at the startup of Windows 10.

The standard flexengine refresh "C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe -uemrefresh" also makes no difference, but if we do

"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe -r" the network drives do appear.

Also when we lock the desktop and log in again the drives appear, because of the triggered task (User Environment refresh / Drive Mappings).

Why can we only get the drive mappings to appear with FlexEngine.exe -uemrefresh -r or the triggered task (User Environment refresh / Drive Mappings) and not at first login?

Thanks in advance.

1 Solution

Accepted Solutions
DEMdev
VMware Employee

Hi René,

Thank you for the log files. The (F) after the user name in [DEBUG]    User: GC\test-rene (F), Computer: ... indicates that we're dealing with a UAC-related split token issue, even though the user is not an admin.

I managed to reproduce the issue by making my non-admin user a member of the "Power Users" group, which causes the user to have a split token due to UAC. Is test-rene a member of "special" groups like account operators, backup operators, print operators, power users, etc, or does he have some special privileges?

Either way, this is a UAC-related scenario that we weren't previously aware of, so, umm, thanks for bringing it to our attention 🙂

Instead of disabling UAC (please don't do that!), I see the following workarounds/solutions:

  • Create a shortcut in the Startup folder to run FlexEngine.exe -UEMRefreshDrives.
  • Switch to NoAD configuration. The way the UEM agent runs during logon in NoAD mode does not suffer from this UAC split token issue w.r.t. drive mappings.

16 Replies
Sravan_k
Expert

Can you try typing the drive path in the address bar of Windows Explorer and see whether you can drive through it or not?

I think your network drives are hidden.

UEMdev, ijdemes: any thoughts on this issue?

Thank you,

Vkmr.

0 Kudos
renevanduren
Contributor

The mapped network drives are not there in Explorer and also not in a command prompt when we log in to Windows 10. And we cannot access them by typing in the drive letter. And also not with an elevated command prompt with net use.

Only after starting "FlexEngine.exe -r", or by locking the desktop and logging in again (because of the triggered task: User Environment refresh / Drive Mappings), the network drive mappings appear and are accessible in Explorer and command prompt.

Any thought is welcome on how we can resolve this.

Thanks.

0 Kudos
DEMdev
VMware Employee

Hi René,

Just to make sure: the users for which this issue occurs are local admins? Do you see the mapped drives when you run NET USE in an elevated command prompt? Are these drive mappings configured as asynchronous? If not, could you try and see whether that makes them appear correctly?

renevanduren
Contributor

It seems to make no difference if the user is local admin or not. In both cases there are no drive mappings, and within an elevated command prompt NET USE does not show any mapped network drives. Whether we select "Run asynchronously" or not also does not seem to make a difference. The drive mappings are not there.

Only when we lock the desktop and log in again, after a few seconds the drive mappings appear (because of the triggered task: User Environment refresh / Drive Mappings).

And also when we run "C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe -r" the mappings appear.

We will continue to search for a solution.

Any help is still welcome. Thanks.

0 Kudos
DEMdev
VMware Employee

Hi René,

Sorry, the async option is indeed irrelevant. I did some further tests which made me realize that – sorry to have wasted your time on that.

I'm very surprised to hear that this happens whether the user is a local admin or not. Which version of Windows 10 are you using? Can you provide a FlexEngine log file at log level DEBUG?

0 Kudos
renevanduren
Contributor

Hello,

I have added a Windows 10 and a Windows 7 log.

Windows 10 is ver1607 (build 14393.1358).

In the beginning of the log you can see some network drive mappings.

Since we enabled "Special drive mapping logic" we get the message: Special drive mapping logic is active for all users

and: Special drive mapping logic is enabled. Async drive mappings are not supported -- mapping synchronously

For the test we have enabled "Run Asynchronously"  for drive H and L.

Whether we have "Special drive mapping logic" enabled or not did not make a difference for us.

In Windows 10 the mapped drives do not appear at first login.

Thanks for your help.

0 Kudos
renevanduren
Contributor

Hello,

It looks like the problem has to do with the UEM setting: Run FlexEngine as Group Policy Extension in combination with having UAC enabled for Windows 10. When we disable UAC on one pc, on this pc the mapped network drives do appear at first login.

We are still looking for the best solution for the drive mapping problem.

0 Kudos
Sravan_k
Expert

If you are using firewalls to block unwanted traffic and a healthy image, you can disable UAC on the parent image [as a temp workaround until this issue gets fixed]

Thank you,

Vkmr.

0 Kudos
renevanduren
Contributor

Hello UEMdev and others,

I am also puzzled why we have the split token in Windows 10. The user account GC\test-rene is not local admin, nor is this account a member of one of the "special" groups. I did a test earlier where I made this account a member of the local admins group, but it did not make any difference with the drive mapping problem. The only thing is that we get (A/F) in the log instead of (F).

Well, it seems the drive mapping problem is Windows 10 UAC related.

And the command FlexEngine.exe -UEMRefreshDrives does seem to work for us to get the drive mappings!

We did not know about this option, but we will try this.

As we currently also sometimes have a problem with the printer mapping: [ERROR] Error 87 trying to map printer '\\srv-uniflow\Canon' ('Canon MFC.xml') for a workaround we will now try the UEM logon task: C:\Program Files\Immidio\Flex Profiles\Flexengine.exe -UEMRefreshDrives -UEMRefreshPrinters

Not sure if this last option also works, but could solve two problems at once for us.

I will let you know if this solved our problems for now.

DEMdev
VMware Employee

Hi René,

> I am also puzzled why we have the split token in Windows 10.

Not that it really matters, but what's the output of whoami /groups /priv?

> As we currently also sometimes have a problem with the printer mapping: [ERROR] Error 87 trying to map printer '\\srv-uniflow\Canon' ('Canon MFC.xml') for a workaround we will now try the UEM logon task: C:\Program Files\Immidio\Flex Profiles\Flexengine.exe -UEMRefreshDrives -UEMRefreshPrinters

Instead of using a UEM logon task, I would strongly recommend to go the "shortcut in the Startup folder" route. The UEM logon task would run with the same problematic token, and (less important) you'd end up with a FlexEngine-1.log log file, as the main log file would still be in use by the UEM agent.

As for the printer mapping problem: are the drivers for that printer available in the image, or are they installed dynamically? Having printer drivers in the base image is definitely a best practice, as it will speed up printer mappings and generally prevent printer mapping issues.

> Not sure if this last option also works, but could solve two problems at once for us.

If you mean that you're not sure whether -UEMRefreshPrinters is a valid command-line option: it is indeed (Additional FlexEngine Operations).

renevanduren
Contributor

Hello,

The output of whoami /groups /priv does not show any special groups membership.

But the Flexengine.exe -UEMRefreshDrives -UEMRefreshPrinters command does seem to work for us.

As you recommended I will remove the UEM logon task again, and I will try if it works by importing the below registry key:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Immidio\Flex Profiles\ImportMarkers]
"Pre"=dword:86928386

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Refresh"="C:\\Program Files\\Immidio\\Flex Profiles\\FlexEngine.exe -UEMRefreshDrives -UEMRefreshPrinters"

[HKEY_CURRENT_USER\Software\Immidio\Flex Profiles\ImportMarkers]
"Post"=dword:464c582b

I will be testing this today.

But for now this seems to work for us.

Thanks for your help.

0 Kudos
DEMdev
VMware Employee

> The output of whoami /groups /priv does not show any special groups membership.

Did it list any special privileges? (Again, not that it really matters, but just because I'm curious 🙂)

As for using Explorer's Run key to run your UEM refresh: I quickly tried that after you first posted your issue, but I encountered the same token-related issues. I did try with an admin user though, so you might have more luck.

(Also, I think you'll need an extra pair of quotes around the path to FlexEngine.exe in your .REG file.)

0 Kudos
renevanduren
Contributor

Here is the output of the privilege information:

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                           State
============================= ===================================== ========
SeShutdownPrivilege           Systeem afsluiten                     Disabled
SeChangeNotifyPrivilege       Controle op bladeren negeren          Enabled
SeUndockPrivilege             Computer uit basisstation verwijderen Disabled
SeIncreaseWorkingSetPrivilege Een proceswerkset vergroten           Disabled
SeTimeZonePrivilege           Tijdzone wijzigen                     Disabled

The import of the registry key works, and is executed successfully at login. It does not seem to need extra quotes.

2017-08-28 08:38:23.263 [INFO ] Importing UEM settings 'RefreshDrivesandPrinters.zip' (\\srv-*****-**\flex_configuration\general\FlexRepository\Settings\Reg\RefreshDrivesandPrinters.zip)

2017-08-28 08:38:23.278 [DEBUG] ImportRegistry::Import: Calling '"C:\Windows\REGEDIT.EXE" /S "C:\Users\FE017~1.ENG\AppData\Local\Temp\FLX24D0.tmp"' (RPAL: l=0 (F/E), r=0)

DEMdev
VMware Employee

Hi René,

Nothing out of the ordinary w.r.t. those privileges; really weird that your user gets a split token. But anyway...

As for the additional quotes to deal with the space in the path: that would indeed not cause any issues at the time the .REG file is imported, but possibly when Explorer performs its RunOnce launches. Just make sure your users can put a Program.exe in the root of your C: drive 🙂

0 Kudos
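
The quoting point raised in the reply above, as an added example that is not part of the original thread or of VMware's code: a Python check that reads a .reg file and reports, for each unquoted Run/RunOnce command, the earlier paths it could resolve to. It assumes Run entries are launched with the documented CreateProcess handling of an unquoted command line; `RefreshQuoted` is a constructed value added for comparison.

```python
import re

# The first value is the Run entry from the thread's .reg file; "RefreshQuoted"
# is a constructed variant with the executable path quoted, for comparison.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Refresh"="C:\\Program Files\\Immidio\\Flex Profiles\\FlexEngine.exe -UEMRefreshDrives -UEMRefreshPrinters"
"RefreshQuoted"="\"C:\\Program Files\\Immidio\\Flex Profiles\\FlexEngine.exe\" -UEMRefreshDrives -UEMRefreshPrinters"
'''

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # .reg string data escapes backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", text)

def run_entries(reg_text):
    """Yield (name, command) for string values under Run/RunOnce keys."""
    key = ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif RUN_KEY.search(key) and (m := STRING_VALUE.match(line)):
            yield unescape(m.group(1)), unescape(m.group(2))

def with_exe(path):
    # Assumption (CreateProcess behaviour): ".exe" is appended only when the
    # last path component has no extension of its own.
    return path if "." in path.rsplit("\\", 1)[-1] else path + ".exe"

def earlier_candidates(command):
    """Paths that would be tried before the intended .exe if unquoted."""
    exe = re.match(r"(.*?\.exe)(?=\s|$)", command, re.I)
    if command.startswith('"') or not exe:
        return []
    parts = exe.group(1).split(" ")
    # Each space in the path is a possible end of the program name.
    return [with_exe(" ".join(parts[:i])) for i in range(1, len(parts))]

def audit(reg_text):
    """Map each risky value name to the earlier paths it could resolve to."""
    return {name: paths for name, cmd in run_entries(reg_text)
            if (paths := earlier_candidates(cmd))}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE_REG).items():
        print(f"{name}: unquoted path, must not be user-creatable: {paths}")
```

Any path reported must not be creatable by standard users; quoting the executable path in the value removes the ambiguity.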
DEMdev
VMware Employee

UEM 9.3 has been released, with a fix for the issue where a drive mapping is not visible in File Explorer for local administrators or power users.