VMware User Environment Manager and Sysinternals BGinfo

If you want to use VMware User Environment Manager in combination with BGinfo, follow these three steps to allow users to choose their own wallpaper, while still allowing the BGinfo information to appear on the wallpaper.

Step 1: Capture the BGinfo wallpaper

Step 2: Start BGinfo at login to add the info to the wallpaper

Step 3: Undo the BGinfo at logoff to prevent ‘ghosting’ of old information.

These three steps are explained in detail in this article:

Step 1.

BGinfo changes the wallpaper (adds the BGinfo information/text) and stores the wallpaper in a different location: %LocalAppData%\Temp\BGInfo.bmp

Therefore the default UEM template to capture the wallpaper no longer works successfully. First, we have to fix this by adding the following two lines to the UEM Wallpaper config file:

[IncludeFiles]
<LocalAppData>\Temp\BGInfo.bmp

The UEM config file for the Wallpaper then looks like picture 1:

Picture 1. UEM Config File to capture the Wallpaper

Step 2.

Automatically start BGinfo at login to write the correct information to the wallpaper.

We want to call BGinfo with the following parameters to silently start BGinfo at login:

"C:\Program Files\BGInfo\Bginfo.exe" "%ProgramFiles%\BGInfo\bginfo.bgi" /timer:0 /silent /nolicprompt

To accomplish this, create a shortcut in the ‘Start Menu – Startup’ folder to call BGinfo. This can be accomplished very simply with UEM. See picture 2 for an example configuration of this shortcut.

Step 3.

Undo the BGinfo at logoff to remove the BGinfo information from the wallpaper. This is to prevent ‘ghosting’ of old information.

To do this, we first have to create a ‘BGundo.bgi’ file that is empty, so that BGinfo replaces the text on the wallpaper with an empty configuration, effectively removing all text from the wallpaper.

To create this file, start BGinfo, remove all information and type only a space. You must type a space, otherwise you cannot save the .bgi file. Save this empty BGinfo configuration to a file called BGundo.bgi.

We want to call BGinfo with the following parameters to silently run BGinfo at logoff:

"C:\Program Files\BGInfo\Bginfo.exe" "%ProgramFiles%\BGInfo\bgundo.bgi" /timer:0 /silent /nolicprompt

This can be accomplished very simply by creating a Logoff task with UEM. Make sure to change the logoff task to run ‘Before profile archive export’.

See picture 3 for an example configuration of this logoff task.

Picture 3. UEM Logoff task

Picture 2: UEM Startup shortcut

VMware EUC Win10 Compatibility Components

Updated: 1/4/2019

Legend:
S      Supported
SAC    Semi-Annual Channel
SF     Supported Fresh Install Only
BD     Broad Deployment
S-KB   Supported, reference KB
NS     Not Supported

Windows 10 OS Version (table columns, left to right):
1607 LTSB (Ent)
1607 CBB (Ent, Pro)
1703 CBB, Semi-Annual Channel (broad deployment) (Ent, Pro, Edu)
1709 Semi-Annual Channel (broad deployment) (Ent, Pro, Edu)
1803 Full support
1809 Full support

Component                     1607 LTSB  1607 CBB  1703  1709  1803  1809

Horizon 7
Horizon Agent 7               NS         NS        NS    NS    NS    NS
Horizon Agent 7.0.1           NS         NS        NS    NS    NS    NS
Horizon Agent 7.0.2           SF         SF        NS    NS    NS    NS
Horizon Agent 7.0.3           S          S         NS    NS    NS    NS
Horizon Agent 7.1             S          S         S     NS    NS    NS
Horizon Agent 7.2             S          S         S     S-KB  NS    NS
Horizon Agent 7.3.2           S          S         S     S-KB  S     NS
Horizon Agent 7.4             S          S         S     S-KB  S     NS
Horizon Agent 7.5             S          NS        S     S     S     NS
Horizon Agent 7.5.1           S          NS        S     S     S     NS
Horizon Agent 7.6             S          NS        S     S     S     S
Horizon Agent 7.7             S          NS        S     S     S     S

App Volumes
App Volumes 2.12              S          S         NS    NS    NS    NS
App Volumes 2.13              S          S         S     NS    NS    NS
App Volumes 2.14              S          S         S     S     S     NS
App Volumes 2.15              S          S         S     S     S     S

User Environment Manager
User Environment Manager 9.2  S          S         S     NS    NS    NS
User Environment Manager 9.3  S          S         S     S     NS    NS
User Environment Manager 9.4  S          S         S     S     S     NS
User Environment Manager 9.5  S          S         S     S     S     NS
User Environment Manager 9.6  S          S         S     S     S     S


UEM Supported Version with Windows 10
https://kb.vmware.com/s/article/57386

Horizon Supported Version with Windows 10
https://kb.vmware.com/s/article/2149393

App Volumes Release Notes generally have Windows 10 support information
https://docs.vmware.com/en/VMware-App-Volumes/2.14/rn/VMware-App-Volumes-214-Release-Notes.html

Interop Matrix (VMware components)
https://www.vmware.com/resources/compatibility/sim/interop_matrix.php#interop&133=&131=

Special thanks to Steven Hajny (https://www.linkedin.com/in/stevenzhajny/) for gathering this information

Horizon Install Order and Silent Installs

This blog post covers the correct order for installing and uninstalling Horizon agents, silent installs and uninstalls, and enabling FIPS.

 

VMware Horizon Install Sequence Order 

Installation of the various user experience, environment and VDI agents can cause unexpected issues or fail completely if done in the incorrect order.
If you need to upgrade the Horizon View Agent, you will need to reverse this process, working from the bottom up.

 

1. Hypervisor Tools

2. VDI Agent

3. VMware vRealize Operations Manager Agent

  • If you have a View 5.0 or 5.1 environment, you must manually install the desktop agent on your desktops. The vROPs Agent is included with the Horizon View agent 5.2 or later.

4. VMware vRealize Log Insight Agent

  • If Log Insight is not deployed in the environment, skip this step.

5. VMware User Environment Manager (UEM) Agent (formerly Immidio Flex+)

  • If VMware UEM is not deployed in the environment, skip this step.

6. VMware App Volumes Agent

  • If VMware App Volumes is not deployed in the environment, skip this step.

 

Horizon View, Silent Install Instructions:

https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-virtual-desktops/GUID-3096DA8B-034B-435B-877E-5D2B18672A95.html#GUID-3096DA8B-034B-435B-877E-5D2B18672A95

https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-virtual-desktops/GUID-61090F90-186F-4932-BB0F-06902F0908B5.html#GUID-61090F90-186F-4932-BB0F-06902F0908B5

https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-virtual-desktops/GUID-1FD90D4D-0C7C-4E9E-B12D-974ABF15E398.html#GUID-1FD90D4D-0C7C-4E9E-B12D-974ABF15E398

https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-virtual-desktops/GUID-0B32D33F-152F-45EC-AC2C-F523D9432426.html

 

Paul Grevink has a good blog that walks through the View Agent components:

https://paulgrevink.wordpress.com/2016/07/16/view-agent-what-is-installed/

 

1.     In the View desktop, go to Start > Run, type regedit, and click OK. The Registry Editor window opens.

2.     Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

3.     Find the value that corresponds to the version of View Agent software that is installed. For example:

View 4.5 – {6F862EF7-F25E-4B3B-8345-FA005F12F668}
View 4.6 – {EFF57BA4-5BF2-403E-84BC-3469F9DAAACD}
View 5.0 – {5DD04237-3DCD-4735-BF8F-3BEEC0F61A6E}
View 5.1 – {CDA7820C-4849-4E55-A7B1-38E175B5F61C}
View 5.2 – {58D47F5C-618E-11E2-8D25-74C36188709B}
View 5.3 – {E3AD16CE-E5D6-4844-98FF-75E96EF7377F}
View 6.0 – {1230DF2B-7BA0-4AAD-80EA-527A3C3614D4}
View 6.1 – {A2E9FEAC-6D18-4890-9428-A6F53D600E01}

4.     To silently uninstall the View Agent, go to Start > Run, type cmd, and click OK.

5. In the command prompt that opens, run this command:

MsiExec.exe /X {AGENT_VALUE} /forcerestart /qn

 

Where the AGENT_VALUE is the value noted in Step 3.
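
The GUID list above stops at View 6.1, so for any other agent version the product code has to be read from the Uninstall key. The following PowerShell is an added example, not part of the original post or of VMware's documentation: it looks the code up and builds the same MsiExec command. The function names and the DisplayName wildcard are assumptions; adjust the wildcard to the name shown in Programs and Features.

```powershell
# Added example (not from the original post): find the installed agent's MSI
# product code under the Uninstall key and build the silent-uninstall command.

function Get-AgentProductCode {
    [CmdletBinding()]
    param(
        # Assumption: wildcard for the agent's DisplayName value.
        [string]$NamePattern = 'VMware*Agent*'
    )

    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        # 32-bit installers on 64-bit Windows register under this key instead.
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $guidKey = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            # MSI products are registered under their {GUID} product code;
            # skip entries that use a free-form key name.
            if ($key.PSChildName -notmatch $guidKey) { continue }

            $displayName = $key.GetValue('DisplayName')
            if ($displayName -like $NamePattern) {
                [pscustomobject]@{
                    DisplayName    = $displayName
                    DisplayVersion = $key.GetValue('DisplayVersion')
                    ProductCode    = $key.PSChildName
                }
            }
        }
    }
}

function Uninstall-AgentSilently {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$NamePattern = 'VMware*Agent*')

    $found = @(Get-AgentProductCode -NamePattern $NamePattern)
    if ($found.Count -ne 1) {
        # Refuse to guess: zero or several matches means the pattern must be narrowed.
        $names = ($found | ForEach-Object { $_.DisplayName }) -join '; '
        throw "Expected exactly one matching product, found $($found.Count): $names"
    }

    # Same switches as the command in step 5 above.
    $arguments = "/X $($found[0].ProductCode) /forcerestart /qn"
    if ($PSCmdlet.ShouldProcess($found[0].DisplayName, "MsiExec.exe $arguments")) {
        $proc = Start-Process -FilePath 'MsiExec.exe' -ArgumentList $arguments -Wait -PassThru
        # 0 = success, 1641 = success and restart initiated, 3010 = restart required.
        if ($proc.ExitCode -notin 0, 1641, 3010) {
            throw "MsiExec exited with code $($proc.ExitCode)."
        }
    }
}

# List the candidates first, then preview the exact command without running it:
Get-AgentProductCode | Format-Table -AutoSize
# Uninstall-AgentSilently -NamePattern 'VMware*Agent*' -WhatIf
```

Run it from an elevated PowerShell session. With the default wildcard, a desktop that also has the Log Insight or App Volumes agent installed returns several matches and the uninstall function stops instead of picking one.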

 

VMware Horizon View, Silent Uninstall Instructions:

https://kb.vmware.com/s/article/2064845

 

VMware vRealize Log Insight Manager, Silent Install Instructions:

https://docs.vmware.com/en/vRealize-Log-Insight/4.5/com.vmware.log-insight.agent.admin.doc/GUID-8E1DF3DB-3D91-4F2E-A66F-EB754F074297.html

  1. Log in to the Windows machine on which to install or update the vRealize Log Insight Windows agent.
  2. Open a Command Prompt window.
  3. Change to the directory where you have the vRealize Log Insight Windows agent .msi file.
  4. Run the following command to install or update with default values. Replace Version-Build_Number with your version and build number.

The /quiet option runs the command silently, and the /lxv option creates a log file in the current directory.

Drive:\path-to-msi_file>VMware-Log-Insight-Agent-Version-Build_Number.msi /quiet /lxv* li_install.log

 

(Optional): Specify a user service account for the vRealize Log Insight Windows agent service to run under.

Drive:\path-to-msi_file>VMware-Log-Insight-Agent-*.msi SERVICEACCOUNT=domain\user SERVICEPASSWORD=user_password

 

VMware User Environment Manager, Silent Install Instructions:

https://docs.vmware.com/en/VMware-User-Environment-Manager/9.2/com.vmware.user.environment.manager-install-config/GUID-2105963C-C101-4934-9433-85519910827E.html

 

Syntax:

msiexec.exe /i "VMware User Environment Manager 9.2 x64.msi" /qn INSTALLDIR="C:\Program Files\Immidio" ADDLOCAL="FlexProfilesSelfSupport" LICENSEFILE="\\filesrv1\share\VMware UEM.lic" /l* InstallUEM.log

Examples:

msiexec.exe /i "VMware User Environment Manager 9.2 x64.msi" /qn INSTALLDIR="D:\Apps\VMware UEM" ADDLOCAL="FlexProfilesSelfSupport" LICENSEFILE="\\filesrv1\share\VMware UEM.lic" /l* InstallUEM.log

msiexec.exe /i "VMware User Environment Manager 9.2 x64.msi" /qn INSTALLDIR="D:\Apps\VMware UEM" ADDLOCAL="FlexProfilesSelfSupport" LICENSEFILE="\\filesrv1\share\VMware UEM.lic" /l* InstallUEM.log\Flex Profiles\FlexEngine.exe

 

VMware App Volumes, Silent Install Instructions:

https://docs.vmware.com/en/VMware-App-Volumes/2.12.1/com.vmware.appvolumes.user.doc/GUID-03F11B40-2D24-4CCD-ABC5-4E875928FB35.html

 

Syntax:

msiexec.exe /i "App Volumes Agent.msi" /qn MANAGER_ADDR=<Manager_FQDN/IP> MANAGER_PORT=<port>

Example:

msiexec.exe /i "App Volumes Agent.msi" /qn MANAGER_ADDR=appvm.vmbucket.com MANAGER_PORT=443

 

VMware App Volumes, Silent Upgrade Instructions:

https://docs.vmware.com/en/VMware-App-Volumes/2.13/com.vmware.appvolumes.install.doc/GUID-013F8935-6BFA-4837-9F49-78404E6C056D.html

  1. Open a Windows command prompt on your machine.
  2. Type the following command to upgrade the agent:

msiexec.exe /i "App Volumes Agent.msi" /qn REINSTALLMODE=vomus REINSTALL=ALL

 

Disabling EnforceSSLCertificateValidation with REGKEY

You can disable SSL certificate validation after you have installed the App Volumes agent. To do this, modify the registry manually or create your own .reg file to import. You will need to disable EnforceSSLCertificateValidation if you have FIPS enabled in your environment.

Registry location, set value to ‘00000000’ to disable:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svservice\Parameters]
"EnforceSSLCertificateValidation"=dword:00000000

 

Registry file import command: regedit.exe /s path of .reg file

 

Example of importing a registry file:

 

reg import c:\location\regfile.reg

 

 

FIPS mode is rarely needed unless your organization has a hard security requirement. Please keep in mind that enabling FIPS mode can break a lot of things if it is not set up properly. You can enable or disable the FIPS setting via a registry setting, GPO, or Local Policy. To check whether FIPS is enabled or disabled in the registry, follow these steps:

  1. Press Windows Key+R to open the Run dialog.
  2. Type “regedit” into the Run dialog box (without the quotes) and press Enter.
  3. Navigate to “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\”.
  4. Look at the “Enabled” value in the right pane.
  5. If it’s set to “0”, FIPS mode is disabled. If it’s set to “1”, FIPS mode is enabled.
  6. To change the setting, double-click the “Enabled” value and set it to either “0” or “1”.
  7. Restart the computer.

FIPS mode needs to be enabled on the Windows servers and on the golden image.

For more information on FIPS mode, visit https://docs.vmware.com/en/VMware-Horizon-7/7.0/com.vmware.horizon-view.installation.doc/GUID-8A3ACF3D-05C5-4216-BD79-A53A72EE1D91.html
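
Because the post ties disabling EnforceSSLCertificateValidation to FIPS being enabled, it is worth checking both values together on each image. The following read-only PowerShell is an added example, not part of the original post or of VMware's tooling; the function names and the wording of the findings are assumptions, and the registry paths are the two given above.

```powershell
# Added example (not from the original post). Read-only: reports the App Volumes
# agent's EnforceSSLCertificateValidation value next to the Windows FIPS policy.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # the key or the value does not exist
    }
}

function Get-AgentCertValidationState {
    # Both paths are the ones quoted in the post.
    $svPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\svservice\Parameters'
    $fipsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

    $enforce = Get-RegistryValueOrNull -Path $svPath -Name 'EnforceSSLCertificateValidation'
    $fips    = Get-RegistryValueOrNull -Path $fipsPath -Name 'Enabled'
    $fipsEnabled = ($fips -eq 1)

    $finding = if ($null -eq $enforce) {
        'EnforceSSLCertificateValidation is not set; the agent default applies.'
    } elseif ($enforce -ne 0) {
        'Certificate validation is enforced.'
    } elseif ($fipsEnabled) {
        'Certificate validation is disabled on a FIPS-enabled machine (the case the post describes).'
    } else {
        'Certificate validation is disabled but FIPS is not enabled; the reason given in the post does not apply, review this machine.'
    }

    [pscustomobject]@{
        ComputerName                    = $env:COMPUTERNAME
        EnforceSSLCertificateValidation = $enforce
        FipsEnabled                     = $fipsEnabled
        Finding                         = $finding
    }
}

Get-AgentCertValidationState | Format-List
```

The last branch is the one to act on: an agent that skips certificate validation without the FIPS requirement is usually left over from troubleshooting or from a copied .reg file.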

UEM Migrations

Persona Management to UEM, Preparation

Figure 1. UEM Preparation Overview

 

Follow the UEM Easy Start Guide to set up UEM. In short, installation of UEM is done through the following actions:

  • Install the FlexEngine on all machines
  • Create two file shares. One share will store the UEM configuration files. The other share will store application customizations per user profile.
  • Configure the UEM GPO and link it to all users.
  • Create UEM Config Files for all applications that are used in the environment. Read the ‘Application Profiler – Admin Guide’ to learn the easiest way to create Config Files.
    • Application profiling should be done for only those applications your organization needs to manage or enforce. If no configuration file is created for an application, the application will run as normal, but any personalization done to the application will not be saved once the user logs off.

 

Note: It is critical that UEM is fully configured and applications are profiled prior to Migration. We have had customers who did not profile their applications such as Internet Explorer, which might have saved passwords etc. If you go through the migration process and disable Persona Management, any settings from Internet Explorer that were previously customized will be lost.

 

Persona Management to UEM, Migration

Figure 2. Persona to UEM Migration Overview

 

The following are high-level steps that need to be executed for a successful migration:

 

  1. Disable DirectFlex using the unique GPO obtained from VMware support. DirectFlex needs to be disabled only during the migration, in order to save all application settings at log off. Use the ‘VMware UEM FlexEngine Advanced DirectFlex Settings.admx’ template to configure DirectFlex to be disabled and to process DirectFlex Config Files at logon and log off.
  2. Configure folder redirection for users’ data (My Documents, Pictures, etc.)
  3. Create the Desktop redirect configuration through the UEM Management console (only if applicable)
  4. Have users log in and log off at least once. This allows UEM to pick up current registry settings from Persona Management.
  5. Disable Persona Management by changing the View pools to point at a different OU or by removing the linked Persona Management GPO in the OU.
  6. Enable DirectFlex

 

PM, Disable DirectFlex

Only during the migration, DirectFlex needs to be disabled in order to save all application settings at log off. Use the ‘VMware UEM FlexEngine Advanced DirectFlex Settings.admx’ template to configure DirectFlex as disabled and to process DirectFlex Config Files at logon and log off. Figure 3 gives an example of this policy that should be disabled. To disable this policy, you need to select ‘Enabled’.

 

Note: Contact VMware support at https://www.vmware.com/support/contacts/ to obtain the “VMware UEM FlexEngine Advanced DirectFlex Settings.admx” template. Don’t be confused by the imported policy of ‘DirectFlex – advanced settings’ (shown in Figure 3) which stems from the ‘VMware UEM FlexEngine.admx’ template.

 

Figure 3. Not the correct policy as mentioned above.

 

The correct policy is shown in Figure 4. Set it to ‘Enabled’ and select ‘Disable DirectFlex and process DirectFlex config files during logon and logoff’ from the drop-down to partially disable DirectFlex:

 

Figure 4. Advanced policy setting to disable DirectFlex.

PM, Configure folder redirection

 

Figure 5. Editing UEM Policy for Redirection Figure 6. Folders for redirect

 

Move the Persona Management GPO Folder Redirection settings to a Folder Redirection GPO using the standard Windows policy settings as shown in Figure 5 and Figure 6. That way the PM GPO can be removed completely. So, verify your user profile naming format.

 

Figure 7. User accounts example

 

If your naming format ends with “.V2”, you need to account for this extra “.V2” after %username% when setting the SMB paths for the UEM GPO. To do this, create a new GPO or use the existing UEM GPO that contains Folder Redirection settings for all folders that are currently redirected with ProfileUnity.

Note: Just the folders that contain User Data (Documents, Desktop, Downloads, Music, Pictures and Videos) should be redirected. All the other folders (like AppData) should NOT be redirected, because Flex+ manages those folders.

 

 

Figure 8 shows an example of folder redirection for the My Documents folder using the PM GPO. In this example, the My Documents folder is redirected to \\dfs1\persona$\%username%.V2\Documents. (\\server\share\%username%.V2\Documents).

Figure 8. Folder redirection path Figure 9. Folder redirection properties

 

You will want to uncheck the “Grant the user exclusive” option. The problem is that by default, the Grant the user exclusive rights to My Documents check box is selected, with the following consequence (quote from the Technet library article about folder redirection):

If you select this check box, the user and the local system have full control over the folder, and no one else, not even the administrator, has any rights to it. If you clear this check box, no changes are made to the permissions on the folder. Whatever permissions are in effect by default remain in effect.

Source: https://technet.microsoft.com/en-us/library/cc781907.aspx

 

  • Do not select the ‘Move the content of Documents to the new location’ (Figure 9)
  • Repeat these steps for all folders that contain Personal Data (Documents, Desktop, Downloads, Music, Pictures and Videos).

 

Note: In some cases we have observed that folders in the Folder Redirection GPO should be specified in this exact format per share: \\servername\share\%username%.V2, excluding the share name such as \Documents or \Desktop.

After selecting ‘OK’, if you have chosen not to apply the redirection policy to older platforms such as Windows 2000, XP, 2003, you will be presented with the following dialog box (Figure 10):

 

Figure 10. Folder redirection properties warning

Select ‘Yes’ to continue.

 

Note: After you select ‘OK’ on the dialog box if you re-open the properties of a folder you will see a similar screen as in Figure 11:

 

Figure 11. Folder redirection confirmation

 

Check that the yellow highlighted section matches the naming format you were looking for.

 

PM, Desktop redirected (only if applicable)

If the Desktop folder is redirected and UEM is configured to start through the Group Policy Extension (GPE), a timing issue might occur, because the UEM GPE runs before the Folder Redirection GPE.

The following scenario could happen: UEM creates a shortcut on the Desktop, which is not yet redirected, so it’s created in C:\Users\%username%\Desktop. After that, Folder Redirection redirects the Desktop to \\server\share\%username%.V2\Desktop and the user does not see the created shortcut.

To solve this timing issue, UEM should remember and restore the redirected folder location of the Desktop. Create a Config File within UEM to do this. The steps are as follows:

 

Figure 12. Create Config Figure 13. Custom Config Figure 14. Config Name

 

  1. Select ‘Create Config File’
  2. Select ‘Create a custom config file’
  3. Name this Config File ‘Desktop Folder Redirection settings’

 

Figure 15. Insert registry settings Figure 16. Save Config

4. Copy the following two lines to the Import/Export section of the Config File:

[IncludeIndividualRegistryValues]
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop

5. Select ‘Save Config File’

 

Run PM and UEM side-by-side to migrate the user profile

Run Persona Management and UEM side by side during a specific period to allow all users to log in/log off at least once. To do this, make sure you have both the UEM and Persona Management GPOs linked to the same OU that your View Pools will be pointing to.

Figure 17. GPOs linked to same OU Figure 18. Horizon View Pool pointing to shared OU

Once both GPOs are in place, log in and log off with a test user to make sure the settings are migrated successfully. After all the Persona Management profiles are successfully migrated to UEM, continue with section 3.1 and disable Persona Management.

 

Disable Persona Management

 

This last step involves disabling Persona Management by changing the Persona Management GPO. Change the ‘Manage user persona’ policy setting to Disabled.

Figure 19. Disable Persona Management Policy

 

Enable DirectFlex again; this speeds up the login time. To do this, change the ‘Disable DirectFlex’ policy setting to Disabled. See Figure 19.

 

Optional: If users have a User Profile Path configured on their Active Directory user account, remove that path when switching to UEM. This applies both to the User Profile Path and to the Remote Desktop Services User Profile Path. UEM provides users with one profile that can roam between any Windows version.

 

ProfileUnity to UEM, Preparation

Figure 20. UEM Preparation Overview

 

Follow the UEM Easy Start Guide to set up UEM. In short, installation of UEM is done through the following actions:

  • Install the FlexEngine on all machines
  • Create two file shares. One share will store the UEM configuration files. The other share will store application customizations per user profile.
  • Configure the UEM GPO and link it to all users.
  • Create UEM Config Files for all applications that are used in the environment. Read the ‘Application Profiler – Admin Guide’ to learn the easiest way to create Config Files.
    • Application profiling should be done for only those applications your organization needs to manage or enforce. If no configuration file is created for an application, the application will run as normal, but any personalization done to the application will not be saved once the user logs off.

 

Note: It is critical that UEM is fully configured and applications are profiled prior to Migration. We have had customers who did not profile their applications such as Internet Explorer, which might have saved passwords etc. If you go through the migration process and disable ProfileUnity, any settings from Internet Explorer that were previously customized will be lost.

 

ProfileUnity to UEM, Migration

Figure 21. ProfileUnity to UEM Migration Overview

 

The following are high-level steps that need to be executed for a successful ProfileUnity migration:

 

  1. Get the ProfileUnity Configuration report and review it for information that will be needed to configure UEM
  2. Disable DirectFlex using the unique GPO obtained from VMware support. DirectFlex needs to be disabled only during the migration, in order to save all application settings at log off. Use the ‘VMware UEM FlexEngine Advanced DirectFlex Settings.admx’ template to configure DirectFlex to be disabled and to process DirectFlex Config Files at logon and log off.
  3. Configure folder redirection for user data
  4. Configure folder redirection for the user’s desktop (optional)
  5. Have users log in and log off at least once. This allows UEM to pick up current registry settings from ProfileUnity
  6. Remove the .INI file from the ProfileUnity Client Files Directory
    1. This is normally in \\domain\netlogon\ProfileUnity Directory
    2. The client may have put this file in a different location.
    3. By removing this file you will stop ProfileUnity from running for clients.
  7. Enable DirectFlex
  8. Configure printer, drive mappings and any other functions that ProfileUnity may have been performing. This may require the creation of other GPOs for users or machines to inject registry settings.

 

ProfileUnity Configuration Report

ProfileUnity uses “Filters” to determine what function needs to be applied to what user. These filters can be complex but must be reviewed to determine any special use cases for delivery of functions. An example would be the PCoIP remote machine IP being used for printer mappings.

It is recommended to get the ProfileUnity Configuration PDF from the client prior to any SOW being written. The PDF holds the complete configuration of ProfileUnity. This can be used to determine everything that ProfileUnity is doing for the client. Drive Mapping, Folder Redirection, Printer Mapping and all functions are shown in this PDF.

A full understanding of what ProfileUnity is doing for the client is required before transitioning to VMware UEM. ProfileUnity has the ability to move certain parts of the profile between OSes and different profile types, such as Windows XP (v1 Profile) to Windows 8.1 (v2.1 Profile). ProfileUnity Filters may be in use to detect these OSes and save different parts of the Persona to different locations. To export the ProfileUnity Configuration PDF you will need to load the ProfileUnity Management Console (Web Interface) and select the magnifying glass icon.

Figure 22. ProfileUnity Management Console

Figure 23. Download ProfileUnity PDF/Configuration file

 

Figure 24. Example ProfileUnity Configuration Page

Notice the icons with RED numbers. These are the features that are active for your client. Modules that use Elevation: Privilege Elevation, Application Restrictions, Portability (If needed for HKLM), User Defined Scripts, Application Launcher, Registry. FlexApp is the Application Packaging Technology. Examine what advanced features have been configured and make note of them. Configured mapped printers or drive mappings will need to be set up again in UEM once your migration is completed.

 

ProU, Disable DirectFlex

Only during the migration, DirectFlex needs to be disabled in order to save all application settings at log off. Use the ‘VMware UEM FlexEngine Advanced DirectFlex Settings.admx’ template to configure DirectFlex as disabled and to process DirectFlex Config Files at logon and log off. Figure 25 gives an example of this policy that should be disabled. To disable this policy, you need to select ‘Enabled’.

 

Note: Contact VMware support at https://www.vmware.com/support/contacts/ to obtain the “VMware UEM FlexEngine Advanced DirectFlex Settings.admx” template. Don’t be confused by the imported policy of ‘DirectFlex – advanced settings’ (shown in Figure 25) which stems from the ‘VMware UEM FlexEngine.admx’ template.

 

Figure 25. Not the correct policy as mentioned above.

 

The correct policy is shown in Figure 26. Set it to ‘Enabled’ to disable DirectFlex:

 

Figure 26. Advanced policy setting to disable DirectFlex.

Run ProfileUnity and UEM side-by-side to migrate the user profile

Run ProfileUnity and UEM side by side during a specific period to allow all users to log in/log off at least once. To do this make sure you have the UEM GPO linked where your View Pools will be pointing to. Additionally, the ProfileUnity service should be running and the .INI should be in-place.

 

Figure 27. UEM GPO linked Figure 28. Horizon View Pool pointing to shared OU

 

Once the UEM GPO is in place, log in and log off with a test user to make sure the settings are migrated successfully. After all the ProfileUnity profiles are successfully migrated to UEM, continue with the next section and disable ProfileUnity.

 

ProfileUnity, Configure folder redirection

 

Figure 29. Editing UEM Policy for Redirection Figure 30. Folders for redirect

 

ProfileUnity handles folder redirection. Review the ProU PDF to see what folders have been redirected. There will be no “.v2” with ProfileUnity. That applies only if they were using roaming profiles or maybe View Persona Manager.

ProfileUnity can handle AppData and AppData Local in several ways.

  • Folder Redirection to a UNC Path
  • Folder Redirection to a Drive that is mapped to a UNC Path – Helps with Compatibility of App
  • Portability – ZIP/Unzip technology

Configure the Folder Redirection GPO using the standard Windows policy settings as shown in Figure 29 and Figure 30. To do this, create a new GPO or use the existing UEM GPO that contains Folder Redirection settings for all folders that are currently redirected with ProfileUnity.

 

Note: Just the folders that contain User Data (Documents, Desktop, Downloads, Music, Pictures and Videos) should be redirected. All the other folders (like AppData) should NOT be redirected, because UEM manages those folders.

 

In section 4.1, we covered exporting the ProfileUnity Configuration Report. In this step you should use this report to find the SMB file location where user data is being stored.

Figure 31. ProfileUnity Config folder redirection (Inside the PDF Report)

Figure 32 shows an example of folder redirection for the My Documents folder using ProfileUnity. In this example, the My Documents folder is redirected to \\srv\share1\%username%\My Documents.

 

Figure 32. Folder redirection path Figure 33. Folder redirection properties

 

You will want to uncheck the “Grant the user exclusive” option. The problem is that by default, the Grant the user exclusive rights to My Documents check box is selected, with the following consequence (quote from the Technet library article about folder redirection):

If you select this check box, the user and the local system have full control over the folder, and no one else, not even the administrator, has any rights to it. If you clear this check box, no changes are made to the permissions on the folder. Whatever permissions are in effect by default remain in effect.

Source: https://technet.microsoft.com/en-us/library/cc781907.aspx

  • Do not select the ‘Move the content of Documents to the new location’ (Figure 33)
  • Repeat these steps for all folders that contain user data (Documents, Desktop, Downloads, Music, Pictures and Videos).

Note: In some cases, profile redirection is done via GPO and not ProfileUnity, so a review of the GPO may be necessary.

After selecting ‘OK’, if you have chosen not to apply the redirection policy to older platforms such as Windows 2000, XP, 2003, you will be presented with the following dialog box (Figure 34):

 

Figure 34. Folder redirection properties warning

Select ‘Yes’ to continue.

 

Note: After you select ‘OK’ on the dialog box if you re-open the properties of a folder you will see a similar image as shown in Figure 35:

 

Figure 35. Folder redirection confirmation

 

Check that the yellow highlighted section matches the naming format you were looking for.

 

ProU, Desktop redirected (only if applicable)

If the Desktop folder is redirected and UEM is configured to start through the Group Policy Extension (GPE), a timing issue might occur, because the UEM GPE runs before the Folder Redirection GPE.

The following scenario could happen: UEM creates a shortcut on the Desktop, which is not yet redirected, so it’s created in C:\Users\%username%\Desktop. After that, Folder Redirection redirects the Desktop to \\srv\share1\%username%\Desktop and the user does not see the created shortcut.

To solve this timing issue, UEM should remember and restore the redirected folder location of the Desktop. Create a Config File within UEM to do this. The steps are as follows:

 

Figure 36. Create Config Figure 37. Custom Config Figure 38. Config Name

 

  1. Select ‘Create Config File’

  2. Select ‘Create a custom config file’

  3. Name this Config File ‘Desktop Folder Redirection settings’

 

Figure 39. Insert registry settings Figure 40. Save Config

 

4. Copy the following two lines to the Import/Export section of the Config File:

[IncludeIndividualRegistryValues]
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop

5. Select ‘Save Config File’

 

Disable ProfileUnity

This last step involves disabling/removing ProfileUnity.

Step 1. If applicable, remove ProfileUnity from the master image or physical system:

Option A.

  • Run uninstall.vbs from the netlogon\profileunity folder
  • If this does not work, run CMD elevated (Administrator) and run this command:
    • c:\windows\system32\wscript.exe \\server\netlogon\uninstall.vbs

Option B.

  • Remove the ProfileUnity files on the desktop:
  • Replace userinit.exe in the registry:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • Replace: C:\Program Files\ProfileUnity\userinit.exe
    • With: C:\Windows\System32\userinit.exe

Note: Please verify that userinit.exe is still in C:\Windows\System32 and hasn’t been removed.

Delete the ProfileUnity folder – C:\Program Files\ProfileUnity

Step 2. Delete the GPO

Step 3. Delete the ProfileUnity folder (usually in the netlogon share)

Step 4. Restart
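
The Userinit value edited in Option B names the program Winlogon starts at every logon, so it is worth confirming before the restart in Step 4 that it names only the Windows binary and that the file is present. The following read-only PowerShell is an added example, not part of the original post or of ProfileUnity's tooling; the function name and the shape of the result object are assumptions.

```powershell
# Added example (not from the original post). Read-only: checks that the Winlogon
# Userinit value contains only the system userinit.exe and that the file exists.

function Test-UserinitValue {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = Join-Path $env:SystemRoot 'System32\userinit.exe'

    $raw = (Get-ItemProperty -LiteralPath $winlogon -Name 'Userinit' -ErrorAction Stop).Userinit

    # The value is a comma-separated list of programs. The Windows default ends
    # with a trailing comma, so empty entries are dropped.
    $entries = @(
        "$raw" -split ',' |
            ForEach-Object { $_.Trim().Trim('"') } |
            Where-Object { $_ }
    )

    $checked = @(foreach ($entry in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        [pscustomobject]@{
            Entry      = $entry
            IsSystem   = ($path -eq $expected)   # -eq ignores case for strings
            FileExists = (Test-Path -LiteralPath $path -PathType Leaf)
        }
    })

    # Anything other than the full system path is reported, including a leftover
    # C:\Program Files\ProfileUnity\userinit.exe entry.
    $unexpected     = @($checked | Where-Object { -not $_.IsSystem } | ForEach-Object { $_.Entry })
    $expectedExists = Test-Path -LiteralPath $expected -PathType Leaf

    [pscustomobject]@{
        RawValue          = $raw
        ExpectedPath      = $expected
        ExpectedExists    = $expectedExists
        UnexpectedEntries = $unexpected
        Compliant         = ($checked.Count -ge 1) -and ($unexpected.Count -eq 0) -and $expectedExists
    }
}

Test-UserinitValue | Format-List
```

If Compliant is False, fix the value or restore the file before restarting: a Userinit entry that points at a deleted ProfileUnity folder leaves users unable to reach a desktop after logon.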

 

ProU, Extra Configurations

The last step is to re-create any custom printer/drive mappings that ProfileUnity was managing. In some cases, you may have an enforced policy with ProfileUnity to elevate privileges. These special use cases can be discovered in the exported PDF report. For example, an elevation use case means an application such as QuickBooks only runs as a local admin. Another example is an application that needed adjustments to the registry values under HKLM.

Migrating UEM Shares

In some cases it may be necessary to migrate shares created for UEM. In this post I’ve provided the steps for doing so.

Moving the UEM Config share:

Note: Only to be performed outside Production/Office hours, preferably during the customer’s maintenance window:

  1. Copy the current UEM Config folder to the new server.
  2. Stop sharing the ‘UEM Config share’ on the old server and share it on the new server using the same name.
  3. Install the UEM Management Console on new server and point it to the newly created share.
  4. Edit group policy template in Active Directory to point ‘Flex config files’ policy setting to the new server location of the UEM Config share.

Note: The above procedure maintains your current name of the UEM Config share.

 Moving the UEM Profile Archive share:

  1. Copy the current UEM Archive share to the new server.
  2. Stop sharing the ‘UEM Archive share’ on the old server and share it on the new server using the same name.
  3. Edit group policy template in Active Directory to point to the new server location of the UEM Profile Archive share for the following policy settings:
  • Profile archives
  • Profile archive backups
  • FlexEngine logging