cbaptiste's Posts

Hey guys, I am trying to use argument-based Privilege Elevation but I cannot get it to work. I don't see why. A little help please.

Executable: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
Argument: -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File "\\isilon1.corp.nychhc.org\uemshare$\general\FlexRepository\Scripts\Disable_VMware_Virtual_Mic.ps1"

For now I am creating a shortcut in start menu startup to execute it. The plan is to execute it as a RunOnce through regedit.

Target: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
Argument: -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File "\\isilon1.corp.nychhc.org\uemshare$\general\FlexRepository\Scripts\Disable_VMware_Virtual_Mic.ps1"
Start in: %SystemRoot%\system32\WindowsPowerShell\v1.0\

One-liner script:
$Device = Get-PnpDevice -FriendlyName "VMware Virtual Microphone" | Disable-PnpDevice -Confirm:$false

What am I doing wrong?
Now what am I supposed to do with my production shares? That is why I dislike using product names in anything I do.
Assuming you are referring to IE Favorites, you can go to User Environment Manager > Files and Folders > Create > Give a name and description > Select the Create button and Windows will open with multiple folders > Select Favorites > Stores your favorites shortcuts and click Save.
You can customize the layout the way you wish it to look. Use the Export-StartLayout command in PowerShell to export it and use the -Path to tell it where to save it.

Example: Export-StartLayout -Path <path><file name>.xml

Create a GPO either in AD or local to the computer to specify the start menu for all users.

To configure Start Layout policy settings in Local Group Policy Editor:
On the test computer, press the Windows key, type gpedit, and then select Edit group policy (Control panel).
Go to User Configuration or Computer Configuration > Administrative Templates > Start Menu and Taskbar.
Start Layout > Enabled > Start Layout File > Type the path to the exported layout.

All the details are here: Manage Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs

You don't really need to follow the steps on that article anymore. In UEM, Select > Create Config File > Use a Windows Common Setting > Windows 10 Start Menu - Windows 10 Version 1703 and higher

Suggestion: Name it "Windows 1803 Start Menu" or whatever the version of Windows 10 it is. I noticed using multiple versions of Windows 10 with the same UEM profile breaks the start menu since Microsoft, in each version, has changed things in the start menu that aren't compatible with other versions of Windows 10. You will need to set a condition so that UEM knows to only apply this specific start menu with this specific version.

Condition Tab > Registry Value > HKLM \ SOFTWARE\Microsoft\Windows NT\CurrentVersion \ ReleaseId is equal to 1803

Hope that helps.
See this thread. Might give you some insight on your issue. Office 365 Yellow Exclaimation "Sorry, we can't get to your account right now."
To fix your issue, the following should work. After working with Microsoft and doing tons of research.

Add an exclusion:
Personalization > Microsoft Office 2016 > Shared Office
[ExcludeRegistryTrees]
HKCU\Software\Microsoft\Office\16.0\Common\Identity

Remove both Personalization > Windows Settings > Personal Certificates & IE Passwords.

Why do you need to remove both personal certificates and IE passwords? Because they both roam credentials in credential manager and Microsoft recommends not to do that as Office stores credentials in credential manager and apparently that credential is tied to the computer but not necessarily the user. Also they do not recommend roaming the license token folder.

[IncludeFolderTrees]
<AppData>\Microsoft\Protect
<LocalAppData>\Microsoft\Vault

P.S. You will need to remove these files from existing uemprofiles. Deleted the following zip files:
Personalization > Microsoft Office 2016 > Shared Office.zip
Personalization > Windows Settings > Personal Certificates.zip
Personalization > Windows Settings > IE Passwords
I would say all. The reason is that applications normally store users' settings in the registry or %AppData% and in this case the FSLogix volumes will store the whole user's profile so there really isn't any need to use personalization for any apps.
Give it a try and report your findings. I plan on giving it a spin soon. Just been reading mostly and Microsoft seems to have high hopes. I have a few colleagues at what used to be AppSense and they said the way FSLogix works with the filter drivers to integrate with the OS, even they couldn't replicate it so well. I must say AppSense is a pretty great suite with a great and smart team behind it. I value their opinion.
I have been busy dealing with some issues at work. Did you ever get this resolved? I believe the SSLHash registry would revert if it cannot find the certificate in the store. Also import the certificate as importable. Yes, that would be done on your golden image or perhaps your clones. Not sure if that is something that requires a reboot. I would do it on the parent image.
Here are my thoughts on how to deploy this solution side by side with UEM.

Note: This is untested. I merely have been doing research on FSLogix and applying my knowledge on how things work in UEM to see how to deploy both of them on the same VM. Take everything I say with a grain of salt.

Personalization
- It looks like to get both UEM and FSLogix to behave well together you will have to configure DirectFlex to only export at logoff all items under "Personalization" just to back up user configurations in case of the vhd disk corruption. Or simply disable all the items. You wouldn't want a user to start completely from scratch in case of a disk corruption. However, in theory you should be backing up these vhd disks as part of your solution. One could argue why not just restore the vhd from backup and voila. User is back to working in minutes. Picking up exactly where he/she left off.
- Importing Personalization items at logon could cause some serious issues as the data already exists on the mounted disk and both UEM and FSLogix may end up importing the same data at the same time.

User Environment
- I would still use UEM for ADMX-based settings deployments.
- I would disable OST policy from UEM "App Volumes".
- I would still utilize the following: Drive mappings, Environment Variables, File Type Associations, Horizon Smart Policies, Logon Tasks, Log off Tasks, Printer Mappings, Privilege Elevation, Triggered Tasks.
- I am sort of undecided about Application Blocking considering FSLogix has a similar module called "App Masking" that seems to be doing the same thing but better. I do not need to block an application if I am already masking it for those who are not entitled to it. I am a little conflicted but I do however still find some good use cases for Application Blocking. Especially for an environment like where I currently work. We block applications like mstsc.exe to prevent users from remoting to another workstation and potentially copying and pasting PHI documents. I don't believe I should/can mask an application like mstsc.
- I would use Registry Settings with a condition if key value doesn't already exist.
- I would use shortcut with a condition if folder exists and also check "Skip if shortcut already exists."
- I never used the Windows Settings feature. It is the legacy way of doing things.

Condition Set
- I would still use condition sets.
The way to do it is to leverage UAGs for the use cases. Personally, I would enforce 2FA for all external users. UAG does support multiple different types of auth including RADIUS. The caveat is you need to decide whether you wish to split your connection brokers between, in your case, internal users and external or keep them the same. Personally I always keep them the same. I have yet to find a use case where I couldn't use the same connection servers for both. However, I believe as best practice, mostly unwritten, VMware would suggest segregating the brokers between internal and external within the same pod. The downside of using the same brokers for both internal and external use means you can no longer enable tunneling on the connection brokers. The gain is less management overhead.
Did you also validate the pool is added to the global entitlement as well? I am asking because I am sure to do the upgrade you had to remove the pool from the global entitlement at some point.
That's interesting. I know of that key but since I stopped using mandatory profile I removed the GPO. I came across a new problem now with the start menu. I moved forward with my 1803 deployment. Login time is under 15 seconds with 3vCPU and 6GB of RAM. Fully deployed in production now. Will soon be running on 20,000 VDIs. I started working on my second environment which is supposed to go on 1809. Different environment, different pool, different parent image, different apps. But the same UEM. Now my start menu is broken when I use it with both 1803 and 1809. I wished it was only missing the tiles. It is missing program folders, Windows Accessories, etc. Missing everything.
Personally, first things first. I would drop Persona Management and migrate to User Environment Manager. Secondly, adopt FSLogix, which I am pretty sure is free for your organization. Third, get rid of full clones unless the users are okay with starting from scratch every year or so. Here's my reasoning:

1) Because agents must be installed in a certain order, it makes it extremely hard to upgrade VMware environments as you will have to revisit each desktop, uninstall, and re-install the agents. That's really not ideal. We have in our organization a full clones environment that was built 6 years ago give or take and it is still running on the same vCenter and the same Horizon View version. We have been migrating them to a newer environment but we certainly cannot upgrade. I have spoken to multiple colleagues at VMware and none of them have ever suggested going with full clones.

2) Microsoft's crazy upgrade cycle. With each version sometimes things are completely incompatible to the point where they break. Example: In 1703, 1803, 1809 the start menu and appx are completely different. I am running two VDI environments simultaneously. One on 1803 and the other on 1809. I just found that the UEM start menu persistence stops working for both as soon as I deployed 1809. Now I need to figure out what to do about it since my 1803 environment is already full-blown production and 1809 is scheduled to go into production in 2 weeks.

3) FSLogix allows you to use instant clones and persists your end users' data as if they were on a full clone. Their VHD drives map at logon. The users can install their apps as well. So you can upgrade your instant clones as you wish and it would not make a difference since the user's data lives on a separate drive than the operating system.
Sounds like a firewall port issue to me. Make sure 8443 and 22443 are open between the brokers, the VM VLAN(s) and your access points on the DMZ. Also make sure to follow this KB for your HTML access to work properly: VMware Knowledge Base, as well as Allow HTML Access Through a Load Balancer, and Allow HTML Access Through a Gateway. Hope that helps. If any of these steps are missed, your connections will fail.
What is the path of the key you need to delete? Go in the application, under Import / Export, exclude the key. Now even if the user selects it to autorun at startup, UEM will not import/export the key.

[ExcludeIndividualRegistryKeys]
HKCU\<path to key>
The farm would not care if a connection server is down unless you use restrictions and tied an application to a specific connection server. The most that would happen is your users losing connections. Next time a user attempts to reconnect, the load balancer will detect the broker is failing monitoring and will send the traffic to an active broker which if in the same Pod will have the user's existing session and reconnect the user to it.
I used to deal with a similar issue a couple of years back and was able to resolve it by setting these keys at user logon using UEM. Also give that a try and see what happens. The key name is self-explanatory.

[HKEY_CURRENT_USER\Control Panel\Desktop]
"AutoEndTasks"="1"
Yes you can manage user personalization on your instant clones, linked clones, full clones and even physical desktops with User Environment Manager.
Request a wildcard cert from your internal CA. You cannot use the Blast certificate in your screenshot for that purpose. You are not following the KB, hence why you are having issues.

Change the Certificate on the virtual machine to satisfy SSL validation
Using a wildcard certificate is likely to be the most practical. If you are connecting to a virtual machine with Hostname, using a wildcard certificate should match. For example: Hostname vm1.vm.company.com using a wildcard certificate *.vm.company.com or *.company.com should match.

This is also a very important step as well, as the View Agent by default connects using IP address.

Update the View Agent ADM Template Settings for the Agent VMs
Enable the Connect using DNS Name GPO configuration setting.
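
Added example (not part of the original post, and not VMware or Microsoft code): a PowerShell check of which hostnames a wildcard certificate name covers, using the names from the post above. `Test-CertNameMatch` is a hypothetical helper that applies the RFC 6125 rule that `*` stands in for exactly one left-most label, so `*.company.com` covers `vm.company.com` but not `vm1.vm.company.com`, and an IP address never matches a DNS name.

```powershell
# Added example, not code from the post, VMware or Microsoft.
# Test-CertNameMatch is a hypothetical helper name.
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$CertName
    )

    # An IP address never matches a DNS name entry, wildcard or not.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($HostName, [ref]$ip)) { return $false }

    $hostLabels = $HostName.TrimEnd('.').ToLowerInvariant().Split('.')
    $certLabels = $CertName.TrimEnd('.').ToLowerInvariant().Split('.')

    # '*' replaces exactly one label, so both names need the same label count.
    if ($hostLabels.Count -ne $certLabels.Count) { return $false }

    for ($i = 0; $i -lt $certLabels.Count; $i++) {
        if ($certLabels[$i] -eq '*') {
            # Accept '*' only as the whole left-most label, above at least
            # two more labels (so '*.com' is refused).
            if ($i -ne 0 -or $certLabels.Count -lt 3) { return $false }
            if ($hostLabels[$i].Length -eq 0) { return $false }
        }
        elseif ($certLabels[$i] -cne $hostLabels[$i]) {
            # Partial wildcards such as 'vm*' are compared literally here.
            return $false
        }
    }
    return $true
}

# Constructed test names, taken from the example in the post above.
$cases = @(
    @{ Name = 'vm1.vm.company.com'; Cert = '*.vm.company.com' },
    @{ Name = 'vm1.vm.company.com'; Cert = '*.company.com' },
    @{ Name = 'vm.company.com';     Cert = '*.company.com' },
    @{ Name = '10.0.0.5';           Cert = '*.company.com' }
)
foreach ($c in $cases) {
    [pscustomobject]@{
        HostName = $c.Name
        CertName = $c.Cert
        Match    = Test-CertNameMatch -HostName $c.Name -CertName $c.Cert
    }
}
```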