DEMdev's Accepted Solutions

Hi Super6VCA, All that you need for UEM itself, is a GPO with UEM settings. That GPO should apply to all users that you'd like to manage with UEM (your Doctors OU sounds appropriate). UEM has no need for service accounts.
Hi Super6VCA, Are you using App Volumes as well? If so, maybe you're running into Printer Issues with VMware App Volumes (2150382)?
Hi lansti, Are the share and NTFS permissions on \\SERVER\HOMEFOLDER$ set up correctly? I found the following on the Autodesk site: Error 1325: filename is not a valid short file name | AutoCAD | Autodesk Knowledge Network, and in general there seem to be quite a few "MSI Error 1325" issues that have to do with permissions on redirected folders.
Hi deep184, Are you by any chance using an older version of the Management Console than the one that was used to create that config file (which I think would be UEM 9.2 or later)?
Hi burgerking68, The Config file is marked as mandatory -- skipping export message appears if predefined settings of type Fully Enforced are configured for that Flex config file: Could that be the reason in your case? If not, could you post the Flex config file here so we can take a look?
So, indeed, this is just Internet Explorer's Active Setup component messing with us. This ProcMon trace is from a logon after the user's profile was removed. The REGEDIT.EXE line is UEM restoring the previously exported setting. 13 seconds later, Active Setup kicks in and removes it again. If you create a new Flex config file, pick Use a Windows Common Setting in the wizard, and then select Active Setup, you prevent Active Setup from running again at subsequent logons. BTW, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData is captured by another Windows Common Setting: Internet Explorer – Personal Settings. Any reason why you're looking at that value in isolation?
Hi ITJef, Some of the user environment settings (like shortcuts) have an explicit Undo at logoff setting, and some of them are automatically undone at logoff (like the Policy Settings). However, for those undo actions to work (and basically, for UEM to run correctly in general), UEM needs to be run at logoff as well. Did you configure a logoff script to run FlexEngine.exe at logoff? Can you maybe provide a FlexEngine log file at log level DEBUG? Having said that, shortcuts by default do not have Undo at logoff set, so even if you have a logoff script configured, they won't automatically go away. For your test you could re-enable those shortcut settings, edit them to have Undo at logoff set (and make sure that Skip if shortcut already exists is not set), log on and log off again, and then the shortcuts should be gone. However, given that the Run command and the control panel are still hidden, I'd recommend to also take a look at the logoff script. Your understanding of conditions (or the lack of them) is correct: if no conditions are configured, the item applies. There is currently no way around that.
Hi Andreas, We can't distribute Google's ADMX template, but you can download it at https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip (and, just in case that download URL changes, the page that references it: Set Chrome policies for devices - Chrome for business and education Help)
Hi edreksler, Do you have silo support enabled or did you configure multiple environments? That's required for Import Config File to be enabled, as those are the locations you can import config files from. (See Import a Flex Configuration File From Another Location or Environment for more information).
Hi SummaCollege, These settings don't live in the registry or elsewhere in the user profile, at least not in a way that can be easily managed with UEM. What's been suggested on the forum and in some blog posts, is using some third-party tool that can save and restore sound settings to/from a file, and then use UEM to run that tool at logon and logoff, and also to persist and restore the tool's settings file. One such tool is http://www.nirsoft.net/utils/sound_volume_view.html, which supports /SaveProfile and /LoadProfile arguments. If you create a UEM logon task (be sure to keep it at the default After profile archive import setting) to run Your/Path/To/SoundVolumeView.exe /LoadProfile "%LOCALAPPDATA%\SoundProfile.spr", create a UEM logoff task (set to Before profile archive export) with ... /SaveProfile ..., and create a Flex config file with [IncludeFiles] <LocalAppData>\SoundProfile.spr, that should do the trick.
Hi iforbes, The Application Profiler can indeed capture and output HKLM references, but only if you configured it to do so by enabling the Support HKLM setting (which is disabled by default). This is mainly intended for application virtualization scenarios, where users sometimes do have permissions to the virtualized HKLM. At the moment, there is no real support for scenarios where you need to modify HKLM for user settings, other than granting users modify permissions to those HKLM registry locations. You might be able to leverage UEM's Privilege Elevation feature, but that typically needs some specific development on your side (as you probably don't want your users to run reg.exe or regedit.exe as admins...) We're looking at ways to improve on this for future versions of the product, but currently have no concrete plans or timelines.
Hi QCBenPetersen, Instead of using James Rankin's approach, might I suggest testing with UEM's certificate support for mandatory profiles setting (Configure Certificate Support for Mandatory Profiles Setting)? That should pretty much achieve the same thing, and has the advantage that it's built in to the product.
Hi Natestack, These settings seem to be saved under the HKCU\Software\Microsoft\Office\version\application\Security\ProtectedView registry key (where version is 14.0, 16.0, etc., and application is Word, Excel, etc.) Note that I only did a quick registry check. Testing whether this actually works is left as an exercise to the reader. If it does indeed work, you could apply this configuration with UEM as a predefined setting in Personalization, or via Registry Settings on the User Environment tab.
Just to make sure, I meant a "Windows" logon script, not a UEM logon task. There's actually a logon script configured in your Horizon Agent All Users GPO: Just remove that, and your logons should be at least twice as fast. As for folder redirection, I don't see anything in the two GPOs you attached, but there's definitely a few more folders redirected than the ones you configured through UEM. Is there maybe another GPO in play as well, or could this have been "tattooed" into the mandatory profile? If you hive in the registry file from your mandatory profile, or log on without UEM installed or configured, what do you see in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders? Mapping the home drive through user settings in AD is perfectly fine. There's nothing wrong with folder redirection per se either (although, again, redirecting AppData will probably not result in a nice experience for your users). Most important note regarding folder redirection in combination with UEM is that you should not manage files residing in redirected locations with UEM: it's not necessary (as those files are already no longer local to the profile, i.e. they reside on the network, "safe" in non-persistent scenarios), and it will slow down things considerably (as UEM will persist such settings by reading files from the redirected folders (on the network) and storing the resulting profile archive zip file (also on the network), and will restore them by reading from the UEM profile archive zip file (on the network), and then saving them to the redirected folder location (also on the network)...)
Hi SanderK0, That blacklist is in place to prevent UEM admins from removing too much by mistake, but it can indeed be overridden: just append \[FORCE DELETE], so in your case: <Desktop>\[FORCE DELETE].
Hi scoop, I assume you're using local profiles? UEM's "run once" logic for local profiles doesn't really match with non-persistent scenarios like the one you describe. The Local User Profiles File and Folders RunOnce Issue thread describes how you can fix this by manually adding the runOnceSpecial="1" attribute. This changes UEM's behavior from checking whether the action has already been performed on this particular machine, to checking whether it has already been performed on any machine. We'll consider a more structural (and less manual...) fix, but can't say anything yet about a time line for that.
Hi warana, Most certainly! On the Personalization ribbon tab, click Create Config File, pick Use a Windows Common Setting in the wizard, and click Next. In step 2 of the wizard, select the Mouse option: Click Next again, pick a suitable file name (Mouse, for instance :-), and click Finish. Voilà!
Hi Jan_v_K, It looks like only shortcuts created in one logon logoff cycle are removed. Is that normal behaviour? Yes, the undo actions are only performed for items created during that session – the undo "bookkeeping" information isn't maintained across sessions, so we can't remove those shortcuts the next time around. In this case it's probably best not to use the Skip if shortcut already exists setting, so future updates to your shortcut definitions will correctly be applied.
Hi b34ny, Is this on Windows 10 v1703? There is a known issue with our DLL injection in certain dllhost.exe processes, and you can use the DirectFlex blacklist feature to address this. To configure this, create a Blacklist.xml file in the ...\General\FlexRepository\DirectFlex folder (which does not exist by default), with the following content:

<?xml version='1.0' encoding='utf-8'?>
<userEnvironmentSettings>
    <setting type='blacklist' list='dllhost.exe'/>
</userEnvironmentSettings>

If you already have this Blacklist.xml file, just update its list attribute by adding |dllhost.exe at the end of the current value (note the '|' (pipe character), which acts as a separator). The next release of UEM will address this issue.
Hi René, Thank you for the log files. The (F) after the user name in [DEBUG]    User: GC\test-rene (F), Computer: ... indicates that we're dealing with a UAC-related split token issue, even though the user is not an admin. I managed to reproduce the issue by making my non-admin user a member of the "Power Users" group, which causes the user to have a split token due to UAC. Is test-rene a member of "special" groups like account operators, backup operators, print operators, power users, etc., or does he have some special privileges? Either way, this is a UAC-related scenario that we weren't previously aware of, so, umm, thanks for bringing it to our attention. Instead of disabling UAC (please don't do that!), I see the following workarounds/solutions:
- Create a shortcut in the Startup folder to run FlexEngine.exe -UEMRefreshDrives.
- Switch to NoAD configuration. The way the UEM agent runs during logon in NoAD mode does not suffer from this UAC split token issue w.r.t. drive mappings.