Installing and Configuring VMware
Dynamic Environment Manager
VMware Dynamic Environment Manager 2306
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright
©
2023 VMware, Inc. All rights reserved. Copyright and trademark information.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 2
Contents
About Installing and Configuring VMware Dynamic Environment Manager 6
1 Introduction to VMware Dynamic Environment Manager 7
Application Configuration Management 8
User Environment Settings 8
Personalization of Application and Windows Settings 9
Migration of Application Settings 9
Dynamic Configuration of the Desktop 9
2 VMware Dynamic Environment Manager Scenario Considerations 11
Using VMware Dynamic Environment Manager with Mandatory Profiles 11
Using VMware Dynamic Environment Manager with Roaming Profiles 12
Using VMware Dynamic Environment Manager with Local Profiles 13
3
Installation and Deployment Prerequisites
15
VMware Dynamic Environment Manager Infrastructure and Terminology 15
Overview of the VMware Dynamic Environment Manager Deployment 17
Infrastructure Requirements 18
VMware Dynamic Environment Manager Configuration Share 19
Profile Archives Share 20
Software Requirements 21
Registry Access Requirements 22
Licensing Requirements 22
4 Installing VMware Dynamic Environment Manager 23
Overview of the VMware Dynamic Environment Manager Deployment 24
Install VMware Dynamic Environment Manager Manually 24
Unattended Installation of VMware Dynamic Environment Manager 26
Upgrade VMware Dynamic Environment Manager 27
Upgrade FlexEngine on all Windows Desktops and Terminal Servers 27
Upgrade the VMware Dynamic Environment Manager Management Console 28
Upgrade the ADMX Templates 29
Cleanup Actions after Upgrading Group Policy-based Installation 29
5 Configuring VMware Dynamic Environment Manager 30
Configuring the FlexEngine Group Policy Object 30
Create a VMware Dynamic Environment Manager Group Policy Object 31
Configure the VMware Dynamic Environment Manager Group Policy Object 32
VMware, Inc.
3
Open the VMware Dynamic Environment Manager Group Policy Object 34
Configure the Flex Configuration Files Setting 34
Configure Run FlexEngine at Logon and Logoff Setting 35
Configure FlexEngine Logging Setting 35
Configure Profile Archives Setting 36
Configure Profile Archive Backups Setting 36
Configure Application Blocking Logging to the Windows Event Log Setting 37
Configure Privilege Elevation Logging to the Windows Event Log Setting 37
Configure Certificate Support for Mandatory Profiles Setting 38
Configure DirectFlex - Advanced Settings 38
Configure FlexEngine Logging to the Windows Event Log Setting 38
Configure Paths Unavailable at Logon Setting 39
Configure Access to VMware DEM Self-Support for End Users 40
Configure Printer Mapping Timeout Setting 40
Configuring the VMware Dynamic Environment Manager Management Console 41
6
Installing and Configuring FlexEngine in NoAD Mode 43
Install FlexEngine in NoAD Mode 43
Configuring FlexEngine in NoAD Mode 44
Configuring Profile Archives Settings 45
Configuring FlexEngine Logging Settings 45
Configuring Profile Archive Backups Settings 46
Configuring Application Blocking Logging to the Windows Event Log Setting 46
Configuring Privilege Elevation Logging to the Windows Event Log Setting 46
Enable Certificate Support for Mandatory Profiles Setting 47
Configure DirectFlex – Advanced Settings 47
Configure FlexEngine Logging to the Windows Event Log Setting 47
Configure Paths Unavailable at Logon Setting 48
Prevent Access to VMware Dynamic Environment Manager Self-Support to End Users 49
Configuring Printer Mapping Timeout Setting 49
Disable the NoAD Mode for Certain Users 50
Remove Registry Settings for the NoAD Mode 50
Targeting NoAD Settings Based on Group Membership 50
Sample NoAD.xml File 51
7
Computer Environment Settings 52
Perform Installation with Computer Environment Settings Support 52
FlexEngine Configuration for Computer Environment Settings 53
Windows Configuration for Computer Environment Startup and Shutdown Tasks 55
8
Referencing Active Directory Attributes 57
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 4
About Installing and Configuring VMware
Dynamic Environment Manager
Installing and Configuring VMware Dynamic Environment Manager
provides information about
installing and configuring VMware Dynamic Environment Manager
â„¢
on Terminal Services or
Windows desktop environments.
Intended Audience
This information is intended for experienced Windows administrators who want to deploy
VMware Dynamic Environment Manager in their Terminal Services or Windows desktop
environments to provide dynamic management of desktop, user, and application settings.
VMware, Inc. 6
Introduction to VMware Dynamic
Environment Manager
1
VMware Dynamic Environment Manager provides end users with a personalized and dynamic
Windows desktop. Through VMware Dynamic Environment Manager, you can customize the
desktop by providing access to IT resources based on the role, device, and location of the user.
In this way, you can create a desktop that adapts to the specific needs of the user.
VMware Dynamic Environment Manager is available in Standard and Enterprise editions. DEM
Standard Edition assists VMware Horizon
®
Standard Edition and VMware Horizon
®
Advanced
Edition customers with user profile management. DEM Enterprise Edition is the full-featured
version of
VMware Dynamic Environment Manager. For a list of the specific options available in
DEM Standard Edition, see the
VMware Dynamic Environment Manager Administration Guide
.
VMware Dynamic Environment Manager is available in standalone mode and integration mode.
Use integration mode to integrate VMware Dynamic Environment Manager with VMware
Workspace ONE
®
UEM. Both modes use configuration files for personalization and application
configuration management of VMware Dynamic Environment Manager. In standalone mode,
the configuration files are stored in a configuration SMB share, which is a central share on
a file server. In integration mode, the configuration files are contained in a VMware Dynamic
Environment Manager config profile file. Using Workspace ONE UEM, you can target the VMware
Dynamic Environment Manager config profile file to specific smart groups to distribute the
VMware Dynamic Environment Manager configuration to Workspace ONE UEM endpoints.
VMware Dynamic Environment Manager manages user and Windows settings and dynamically
configures the desktop. For example, it can create drive and printer mappings, file type
associations, and shortcuts. VMware Dynamic Environment Manager can also manage and
provide shortcuts to applications such as ThinApp to users.
This chapter includes the following topics:
n Application Configuration Management
n User Environment Settings
n Personalization of Application and Windows Settings
n Migration of Application Settings
n Dynamic Configuration of the Desktop
VMware, Inc.
7
Application Configuration Management
With VMware Dynamic Environment Manager, you can configure the initial settings of an
application without having to rely on the defaults of the application. You can define the
application settings that the user can personalize and the settings that always remain unchanged
each time the user opens the application. In this way, you can combine policy-enforced settings
and user personalization.
You can also use VMware Dynamic Environment Manager to manage certain user environment
settings when an application starts. For example, you can configure drive and printer mappings,
apply custom settings for files and folders, and registry, and run custom tasks. You can also
define settings and configurations for all users to guarantee compliance and provide a consistent
environment.
You can use the VMware Dynamic Environment Manager Application Profiler to capture
predefined settings for an application. You can run the application on a reference system that
Application Profiler monitors and configure the settings that you want.
User Environment Settings
You can use VMware Dynamic Environment Manager to centrally manage user settings that users
require to perform their daily tasks. The settings are applied when a user logs in or starts a
certain application.
For example, a multinational corporation has end users from multiple countries. The company can
centrally manage the different display languages, wallpapers, keyboard configurations, and other
regional settings.
By using VMware Dynamic Environment Manager, you can manage the following settings:
n ADMX-based settings
n Application blocking
n Application shortcuts and file type associations
n Display language
n Drive and printer mappings
n Environment variables
n Files, folders, and registry settings
n Folder redirection
n Hide drives
n Horizon Smart Policies
n Logon and logoff tasks
n Privilege Elevation
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 8
n Triggered tasks
Personalization of Application and Windows Settings
VMware Dynamic Environment Manager is a profile management capability that enables users
to roam their personal desktop and application settings. Personalization separates user-specific
desktop and application settings from the Windows operating system. This way, the settings are
available across OS versions, devices, and application instances.
Personalization works independent from the Windows user profile management and facilitates
the management of virtualization technologies and application delivery mechanisms. VMware
Dynamic Environment Manager personalization integrates seamlessly with natively installed and
virtualized applications, providing a consistent user experience across Windows platforms that
are physical or virtual, local, or remote.
VMware Dynamic Environment Manager personalization lets users create their own personal
settings. For example, developers might want to configure Eclipse according to their own habits
and apply that configuration across multiple environments. Quality engineers might want to set
the bug tracking Web site as the home page of all browsers.
Migration of Application Settings
VMware Dynamic Environment Manager can transfer personal application settings of users from
one OS to another, for example from Windows 7 to Windows 10. This is default behavior of
VMware Dynamic Environment Manager, the only requirement is that the application must store
its configuration at the same registry and AppData locations in the user profile.
VMware Dynamic Environment Manager also provides an XML-based mechanism for settings
migration between application versions. In this way, you can avoid situations where personalized
data is lost during application upgrade, because it is stored at different location after the
upgrade.
The VMware Dynamic Environment Manager download package contains XML migration file
samples for migrating between different versions of Microsoft Office.
Dynamic Configuration of the Desktop
By using VMware Dynamic Environment Manager, you can provide dynamic adaptation of
the content and appearance of the end-user desktop by using conditions. VMware Dynamic
Environment Manager includes ready-to-use conditions that you can combine for the user,
location, and device characteristics.
For example, by using conditions you can provide access to a network printer that is based on
the current physical location of the user, or create an application shortcut on the desktop that is
based on the user's identity.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 9
You can re-evaluate conditions when users unlock their workstation or reconnect to a remote
session. You can manage conditions from the VMware Dynamic Environment Manager console
and apply them to all configurable items within VMware Dynamic Environment Manager.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 10
VMware Dynamic Environment
Manager Scenario Considerations
2
You can use VMware Dynamic Environment Manager to optimize the experience of Windows
users with all types of user profiles: mandatory, roaming, and local.
This chapter includes the following topics:
n Using VMware Dynamic Environment Manager with Mandatory Profiles
n Using VMware Dynamic Environment Manager with Roaming Profiles
n Using VMware Dynamic Environment Manager with Local Profiles
Using VMware Dynamic Environment Manager with
Mandatory Profiles
Mandatory profiles are mostly used in Terminal Services environments, although you can use
them with Windows desktops as well. With mandatory profiles, personalization changes of the
desktop are effective only during a Windows session. When the user logs out, all changes
are deleted. With VMware Dynamic Environment Manager, you can eliminate the need of
customizing mandatory profiles, manage the settings that are available for personalization, and
customize the user environment settings.
The following are the advantages and disadvantages of mandatory profiles:
Advantages
n Short login and logout times.
n Consistent user experience, no matter what the user changes.
n Minimal troubleshooting on user profiles.
Disadvantages
n None of the personalization changes made by users are saved.
n Creating a usable and customized mandatory profile requires a high level of skill.
n Scripting is often necessary to create shortcuts, drive mappings, and so on.
VMware, Inc.
11
When using VMware Dynamic Environment Manager with mandatory profiles, you can address
the disadvantages in the following ways:
n Select the settings that users are allowed to personalize within their environment. Settings
that you do not manage with VMware Dynamic Environment Manager are discarded when
the user logs out.
n Configure specific settings for applications or Windows settings by using the Predefined
Settings feature of VMware Dynamic Environment Manager. By using predefined settings,
you do not need to customize a mandatory profile. A mandatory profile that is based on the
Default User profile is sufficient.
n Customize the user environment by creating shortcuts, drive mappings, and so on.
Using VMware Dynamic Environment Manager with
Roaming Profiles
Roaming profiles are mostly used in a managed desktop environment. With roaming profiles,
all personalization changes that users make during a Windows session are stored in the central
roaming profile when users log out. When a user logs in to a Windows session, the roaming
profile is copied again from the central location. With
VMware Dynamic Environment Manager,
you can manage the size of roaming profiles, reduce login times, and achieve greater flexibility in
managing application and Windows settings for roaming profiles.
Avoid using roaming profiles with VMware Dynamic Environment Manager for a longer time.
Typically, VMware Dynamic Environment Manager only runs with roaming profiles when you
start migrating from the roaming profile to either local or mandatory profiles being managed
by VMware Dynamic Environment Manager. The VMware Dynamic Environment Manager best
practice is to use either local or mandatory profiles.
Advantages
n No specific administration necessary besides enabling the roaming profiles.
n Personalized settings roam with the user across different machines that are running the
same operating system.
Disadvantages
n Limited control over the settings that the users can change. Everything is saved by
default.
n Large roaming profiles might get corrupted and cause the individual roaming profile to
reset completely. As a result, users might spend a lot of time getting all personalized
settings back.
n Troubleshooting an application defect might cause the individual roaming profile to reset
completely because all application and Windows settings are stored in a single container.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 12
n Roaming profiles do not roam across different operating systems. This results in multiple
roaming profiles per user in a mixed environment, like desktops and Terminal Services.
n Potential for unnecessary growth of roaming profile, causing long login times.
n Application shortcuts and file type associations get retained in roaming profiles and
often cause confusion when users roam to devices where the applications might not be
installed.
You can address many of the disadvantages of roaming profiles by using VMware Dynamic
Environment Manager.
n You can use the Profile Cleanup feature to clean up unimportant or obsolete parts of each
user profile at logout.
n Create a mandatory set of settings for business-critical applications by using the Predefined
Settings feature. You can also use Predefined Settings to disallow personalized settings for
certain applications.
n Decouple and segment personalized application and Windows settings from the roaming
profile by using the Import / Export and the Profile Cleanup features.
n Compress all settings that VMware Dynamic Environment Manager manages including files
and folders to provide shorter login times.
n Save all settings for roaming profiles in a central place that makes the settings available after
a total reset.
n Reset certain application or Windows settings without performing a complete reset of the
roaming user profile.
n Provide roaming for personalized application and Windows settings across different
operating systems for a consistent user experience.
n Provide different application and Windows settings depending on a user's business case by
using Condition Sets.
Using VMware Dynamic Environment Manager with Local
Profiles
With local profiles, personalized changes that users make during a Windows session are stored
on the local disk. When a user logs in to the same desktop again, the user environment is the
same as in the previous session of the user. When a user logs in to another desktop, none of the
settings are the same, as a new local profile is created and stored locally on that desktop.
Advantages
n No specific administration is needed.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 13
n No network storage is required.
Disadvantages
n Personalized settings are not roamed across different machines.
n Each desktop a user logs on to is polluted with a local profile for that specific user.
n If local disk failure or corruption occurs, all user settings are lost.
With VMware Dynamic Environment Manager, you can eliminate the disadvantages of local
profiles.
n Introduce roaming functionality for application and Windows settings that VMware Dynamic
Environment Manager manages.
n Create redundancy for application and Windows settings by managing these settings with
VMware Dynamic Environment Manager when local disk failure or corruption occurs.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 14
Installation and Deployment
Prerequisites
3
To install and deploy VMware Dynamic Environment Manager, your environment must meet
certain infrastructure, system, access, and licensing requirements. You must also get familiar with
the VMware Dynamic Environment Manager terminology.
This chapter includes the following topics:
n VMware Dynamic Environment Manager Infrastructure and Terminology
n Overview of the VMware Dynamic Environment Manager Deployment
n Infrastructure Requirements
n Software Requirements
n Registry Access Requirements
n Licensing Requirements
VMware Dynamic Environment Manager Infrastructure and
Terminology
To install and configure VMware Dynamic Environment Manager, become familiar with the
VMware Dynamic Environment Manager components and terminology.
Table 3-1.
VMware Dynamic Environment Manager Terminology
Component or Term Description
Management Console The VMware Dynamic Environment Manager Management Console that is the main
interface that you can use to manage user profiles.
Flex configuration file A configuration file where you define all application, Windows, and user environment
settings. You create and manage Flex configuration files using the Management
Console.
VMware Dynamic
Environment Manager
configuration share
For standalone mode.
The UNC path to the share where the Management Console configuration and the
configuration files are stored.
VMware Dynamic
Environment Manager config
profile file
For integration mode.
A container file with a .DEMConfig extension, where the Management Console
configuration and the
VMware Dynamic Environment Manager configuration files
are stored. Use Workspace ONE UEM to deploy this file to Workspace ONE UEM
endpoints.
VMware, Inc. 15
Table 3-1. VMware Dynamic Environment Manager Terminology (continued)
Component or Term Description
FlexEngine The VMware Dynamic Environment Manager client component that you must install
on each physical or virtual Windows device where you use VMware Dynamic
Environment Manager.
Profile archives Profile archives are ZIP files where FlexEngine stores the personalized settings of
users, based on the content of Flex configuration files. For each Flex configuration file
that you create, FlexEngine creates a profile archive for each user.
Profile archives path The path that FlexEngine uses to store the profile archives for individual users.
Profile archives backup path The path that FlexEngine uses to store backups of the profile archives.
General folder A folder that is named General, that the Management Console creates in the VMware
Dynamic Environment Manager configuration share. This folder is the location where
Flex configuration files are created, managed, and used from by FlexEngine.
VMware Dynamic Environment Manager Infrastructure
Besides the core VMware Dynamic Environment Manager components, you can use other
VMware Dynamic Environment Manager tools. The supported components and the way the
components communicate with one another depends on which VMware Dynamic Environment
Manager mode you are using: standalone mode or integration mode.
Figure 3-1. VMware Dynamic Environment Manager Standalone-Mode Infrastructure
Active Directory
GPO SMB SMB
SMBSMB
SMBSMB
Clients with
VMware Dynamic
Environment
Manager FlexEngine
VMware Dynamic
Environment
Manager
Helpdesk
Support Tool
RDSH or VDI
SyncTool
Laptops Desktops
VMware Dynamic
Environment Manager
Management Console
Central
configuration share
Network folder per user
VMware Dynamic
Environment Manager
Application Profiler
VMware Dynamic
Environment
Manager GPO
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 16
In standalone mode, you can deploy Application Profiler, SyncTool, and Helpdesk Support Tool.
All the VMware Dynamic Environment Manager components that you deploy communicate with
each other using the SMB protocol.
Figure 3-2. VMware Dynamic Environment Manager Integration-Mode Infrastructure
SMB
Clients with
VMware Dynamic
Environment
Manager FlexEngine
Persistent Dedicated VDI
Laptops Desktops
VMware Dynamic
Environment Manager
Management Console
VMware Dynamic Environment Manager
config in VMware Workspace ONE UEM
Network folder per user
VMware Dynamic
Environment Manager
Application Profiler
In integration mode, you can deploy
Application Profiler. Deploying SyncTool in integration
mode is an extremely uncommon use case. Helpdesk Support Tool is not currently supported
in integration mode. In this mode, communication between components is more limited. You use
VMware Dynamic Environment Manager to create the VMware Dynamic Environment Manager
config profile file. Thereafter, you use Workspace ONE UEM to distribute the VMware Dynamic
Environment Manager config profile file to Workspace ONE UEM endpoints.
Overview of the VMware Dynamic Environment Manager
Deployment
Prepare your environment to meet the VMware Dynamic Environment Manager infrastructure
requirements, and then install and configure the VMware Dynamic Environment Manager
components.
n Determine the mode that you want to deploy VMware Dynamic Environment Manager in,
standalone mode or integration mode. For standalone mode, create a VMware Dynamic
Environment Manager configuration share on a file server.
n Create a VMware Dynamic Environment Manager profile archives share.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 17
n Install FlexEngine on Windows desktops or Terminal Servers.
n Create the VMware Dynamic Environment Manager Group Policy by using the administrative
template that is provided in the VMware Dynamic Environment Manager package. If you have
installed FlexEngine in NoAD Mode, provide the agent configuration settings in the NoAD.xml
file.
n Install the Management Console on the administrator's machine.
n Perform initial configuration of the Management Console.
After you install and configure the VMware Dynamic Environment Manager components, you
can start managing personalization and application management settings by creating Flex
configuration files. You can use the VMware Dynamic Environment Manager Application Profiler
to capture application settings in Flex configuration files.
Note The VMware Dynamic Environment Manager MSI file has a digital signature, which the
Windows Installer infrastructure validates when the installation starts. The installation process
includes a certificate revocation check for which the system requires Internet access. If the
Internet connectivity is not sufficient, the installation continues, but only after several timeouts.
During the process, the installer seems to hang without providing any feedback.
Infrastructure Requirements
To deploy VMware Dynamic Environment Manager, your environment must meet certain
infrastructure requirements.
Requirement
Description
Active Directory Active Directory is required for Group Policy configuration
of FlexEngine. You configure FlexEngine by creating
an Active Directory Group Policy Object (GPO). See
Configure the VMware Dynamic Environment Manager
Group Policy Object. You can configure FlexEngine
without Group Policy, but it requires command-line
arguments. For more information, see Chapter 9
FlexEngine Command-Line Arguments.
VMware Dynamic Environment Manager configuration
share
For standalone mode.
A central share on a file server, which can be a replicated
share for multiple sites. In such a case, you can use
multiple Active Directory GPOs to configure the path to
the share for all client devices, based on the location.
This share uses the Server Message Block (SMB) protocol
for communication. For more information about the
configuration share requirements, see VMware Dynamic
Environment Manager Configuration Share.
Profile archives share You must consider a location to store the profile archive
ZIP files for the user settings and the profile backups. The
profile archives share also uses SMB. For details about the
profile archives share, see Profile Archives Share.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 18
VMware Dynamic Environment Manager Configuration Share
The VMware Dynamic Environment Manager configuration share is a central share on a file
server. It contains all the configuration files for personalization and application configuration
management of VMware Dynamic Environment Manager. FlexEngine reads configuration data
from the VMware Dynamic Environment Manager configuration share when a user logs in or logs
out of the environment, or when the user opens or closes applications that are configured with
DirectFlex.
Folder Structure
The VMware Dynamic Environment Manager configuration share has a predefined structure.
The first time when you start the Management Console, the General folder is created in the
configuration share. The General folder contains the Flex configuration files that you use to
define settings for personalization and application configuration management.
The General folder also contains the mandatory FlexRepository folder. The Management
Console creates the FlexRepository folder the first time you configure a user environment
setting, such as a printer mapping. The
FlexRepository folder contains all the configuration files
for the user environment settings, computer environment settings, and condition sets.
Requirements
Requirement
Description
Networking To optimize login times, ensure that the computer from
which the user logs in has a 1-Gbps connection to the
configuration share.
Storage Storage requirements might vary based on the specific
deployment. A general guideline is to have at least 200
kB per application with a starting minimum size of 1 GB.
Share permissions The Everyone group must have Change permissions
applied.
NTFS security permissions n Administrators must have Full Control permissions
applied to This folder, subfolders and files.
n End users must have Read & execute permissions
applied to This folder, subfolders and files.
Note If you want to use VMware Dynamic
Environment Manager computer environment settings,
remote computer accounts must also have Read &
execute permissions applied to This folder, subfolders
and files.
Caution For security reasons, ensure that NTFS
permissions for end users are configured as described,
and that end users do not have Write permissions.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 19
Profile Archives Share
The profile archives share stores the personal settings for users as FlexEngine creates a
subfolder for each user. The share contains VMware Dynamic Environment Manager profile
archives, which are ZIP files. FlexEngine reads personal user settings from the profile archives
share when a user logs in to the environment or launches a DirectFlex-enabled application.
FlexEngine writes the modified settings when the user logs out, or closes a DirectFlex-enabled
application.
In a typical deployment, profile archive backups and log files are stored on the same share, but
you can configure different locations in the FlexEngine GPO.
Use a share that is dedicated to the profile archives. A dedicated share improves performance,
simplifies configuring the VMware Dynamic Environment Manager SyncTool, and makes it easier
to configure permissions for the Helpdesk Support Tool.
Note Do not use the Home drive share. Using this share can cause synchronization conflicts
between Offline Files and the VMware Dynamic Environment Manager SyncTool, and allows
users to delete their profile archives.
Folder Structure
The profile archives share has a one-on-one relation to the naming and folder structure of the
VMware Dynamic Environment Manager configuration share and the Management Console.
Requirements
Requirement
Description
Networking requirements For best performance and to optimize login times, ensure
that the computer from which the end user logs in has a
1-Gbps connection to the profile archives share. If an end
user has limited bandwidth or has a laptop that is often
offline, use the SyncTool. This tool improves connectivity
to the profile archives share under these conditions.
Storage Storage requirements can vary based on the specific
deployment. A general guideline is to have at least 100
MB per user.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 20
Requirement Description
Share permissions The Everyone group must have Change permissions
applied.
Helpdesk staff using the optional Helpdesk Support Tool
must have Full Control permissions applied.
NTFS security permissions Setting the following NTFS security permissions on the
profile archives share creates a folder for each user on
first login and limits the user to their own folder.
n For VMware Dynamic Environment Manager
administrators and help desk: Full Control applied to
This folder, subfolders and files.
n For End users: Create folders / append data applied
to This folder only.
Note If you want to use VMware Dynamic
Environment Manager computer environment settings,
remote computer accounts must also have Create
folders / append data permissions applied to This
folder only.
n For Creator Owner: Full Control applied to Subfolders
and files only.
Software Requirements
The system on which you plan to install VMware Dynamic Environment Manager must meet
certain software requirements.
Supported Windows Versions
n Windows 7 Professional, Enterprise, and Ultimate x86 and x64 SP1
n Windows Server 2008 R2 Standard and Enterprise x64 SP1
n Windows Server 2012 Standard and Datacenter x64
n Windows 8.1 Professional and Enterprise x86 and x64 with Update
n Windows Server 2012 R2 Standard and Datacenter x64 with Update
n Windows 10 Professional and Enterprise x86 and x64
n Windows Server 2016 Standard and Datacenter x64
n Windows Server 2019 Standard and Datacenter x64
n Windows 11 Professional and Enterprise x64
n Windows Server 2022 Standard and Datacenter x64
See VMware Product Interoperability Matrix for more details about supported Windows 10
and Windows 11 versions.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 21
Supported Application Virtualization Products and Versions
n App-V 5.x
n ThinApp 5.2
Registry Access Requirements
Access to Regedit.exe or Reg.exe must not be disabled through Group Policy. FlexEngine
uses Regedit.exe to add user-specific settings to the registry. Depending on the User Account
Control (UAC) settings on Windows 7 or later, FlexEngine might use
Reg.exe.
VMware Dynamic Environment Manager might not work properly on some Windows versions if
access to Regedit.exe is disabled through Group Policy, unless the option Disable regedit
from running silently? is set to No. However, this setting is insufficient for Reg.exe. This
means that if Regedit.exe cannot run due to UAC, this policy must remain unset.
If users are not allowed to run Regedit.exe silently, an error message might appear when they
log in. An error message is also written to the FlexEngine log file.
Licensing Requirements
VMware Dynamic Environment Manager FlexEngine licensing requirements vary depending on
the details of your deployment scenario.
If you are using VMware Dynamic Environment Manager on VMware Horizon, no license is
required. In all other scenarios, FlexEngine requires a valid license at runtime.
Starting with VMware Dynamic Environment Manager version 2203, you will no longer be
prompted to select a license file during installation. The Management Console provides an option
to configure a license after the installation is complete. For more information, see
Managing the
License
in the
VMware Dynamic Environment Manager Administration Guide
at VMware Docs.
Note For existing deployments that have a valid license file, VMware Dynamic Environment
Manager will continue to work as expected after an upgrade to version 2203. When you want to
update the license file, you must use the Management Console.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 22
Installing VMware Dynamic
Environment Manager
4
You must install VMware Dynamic Environment Manager on your environment to manage
personalization and application configuration settings. The VMware Dynamic Environment
Manager MSI consists of several installation features that you can install on your environment.
Table 4-1. VMware Dynamic Environment Manager Installation Features
Installation Feature Description
VMware DEM FlexEngine Client component that you must install on each desktop or Terminal Server that you want
to manage by using VMware Dynamic Environment Manager.
If you are deploying FlexEngine to physical machines, you can use any software
deployment tool to perform batch deployment or use Active Directory Group Policy
software deployment.
If you deploy FlexEngine in a VDI or RDSH environment, such as VMware Horizon, you
can manually install FlexEngine in the template or parent virtual machines and then
deploy pools and farms of VMware Horizon desktops and RDSH servers based on these
templates.
Important When you are deploying FlexEngine in virtual machines used in VMware
Horizon
®
Cloud Service
â„¢
, some differences apply, such as installation paths and
other specifics related to use in the Horizon Cloud environment. For details about
deploying FlexEngine when using a Horizon Cloud environment, see the administration
documentation that is appropriate for your Horizon Cloud deployment mode. Horizon
Cloud documentation is available from the Horizon Cloud documentation landing page.
VMware DEM
Management Console
Administration console that you can install on any desktop or Terminal Server where you
want to manage VMware Dynamic Environment Manager.
Application Migration Optional. You can install Application Migration on desktops or Terminal Servers if you
want to migrate application settings across application versions. This feature depends on
FlexEngine and cannot work standalone.
Self-Support Optional. You can install the Self-Support tool on desktops or Terminal Servers where
you want users to support their application settings by themselves, without administrator
intervention. This feature depends on FlexEngine and cannot work standalone.
This chapter includes the following topics:
n Overview of the VMware Dynamic Environment Manager Deployment
n Install VMware Dynamic Environment Manager Manually
n Unattended Installation of VMware Dynamic Environment Manager
n Upgrade VMware Dynamic Environment Manager
VMware, Inc.
23
Overview of the VMware Dynamic Environment Manager
Deployment
Prepare your environment to meet the VMware Dynamic Environment Manager infrastructure
requirements, and then install and configure the VMware Dynamic Environment Manager
components.
n Determine the mode that you want to deploy VMware Dynamic Environment Manager in,
standalone mode or integration mode. For standalone mode, create a VMware Dynamic
Environment Manager configuration share on a file server.
n Create a VMware Dynamic Environment Manager profile archives share.
n Install FlexEngine on Windows desktops or Terminal Servers.
n Create the VMware Dynamic Environment Manager Group Policy by using the administrative
template that is provided in the VMware Dynamic Environment Manager package. If you have
installed FlexEngine in NoAD Mode, provide the agent configuration settings in the NoAD.xml
file.
n Install the Management Console on the administrator's machine.
n Perform initial configuration of the Management Console.
After you install and configure the VMware Dynamic Environment Manager components, you
can start managing personalization and application management settings by creating Flex
configuration files. You can use the VMware Dynamic Environment Manager Application Profiler
to capture application settings in Flex configuration files.
Note The VMware Dynamic Environment Manager MSI file has a digital signature, which the
Windows Installer infrastructure validates when the installation starts. The installation process
includes a certificate revocation check for which the system requires Internet access. If the
Internet connectivity is not sufficient, the installation continues, but only after several timeouts.
During the process, the installer seems to hang without providing any feedback.
Install VMware Dynamic Environment Manager Manually
You install VMware Dynamic Environment Manager by launching a setup wizard that guides you
through the installation.
Prerequisites
n Verify that you have administrative privileges on the account where you will run the MSI file.
n Download and extract the MSI file package for your operating system.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 24
Procedure
1 Run the MSI that corresponds to your OS architecture and DEM
edition
(Standard or
Enterprise), and click Next.
Option Description
x86 VMware Dynamic Environment Manager edition 2306 10.10
x86.msi
x64 VMware Dynamic Environment Manager edition 2306 10.10
x64.msi
2 Read and accept the End User License Agreement and click Next.
3 Select the destination folder where you want to install the application and click Next.
As a best practice, install VMware Dynamic Environment Manager in the default folder.
4 Select an installation option for VMware Dynamic Environment Manager.
Option Description
Typical Install the VMware Dynamic Environment Manager FlexEngine, Application
Migration, and Self-Support tool.
Custom Manually select components to install.
Complete Install VMware Dynamic Environment Manager FlexEngine, Application
Migration, Self-Support tool, and Management Console.
5 Click Install, and after the installation is complete, click Finish.
What to do next
n Create the VMware Dynamic Environment Manager Group Policy by using the administrative
template that is provided in the VMware Dynamic Environment Manager package. See
Configuring the FlexEngine Group Policy Object.
n Configure the Management Console. See Configuring the VMware Dynamic Environment
Manager Management Console.
n Configure the license. Use the License menu option in the Management Console to
configure a license after you have installed VMware Dynamic Environment Manager. For
more information, see
Managing the License
in the
VMware Dynamic Environment Manager
Administration Guide
at VMware Docs.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 25
Unattended Installation of VMware Dynamic Environment
Manager
The VMware Dynamic Environment Manager MSI supports unattended installations by using MSI
properties to specify installation parameters. To perform an unattended installation, run the
misiexec utility from the command line with the following properties.
Property Description
INSTALLDIR
The absolute path to the installation directory.
The default value is %ProgramFiles%\Immidio\Flex Profiles.
ADDLOCAL
The features that you want to install. The default values are FlexEngine, FlexMigrate,
and
FlexProfilesSelfSupport.
The following values are supported:
n ALL.
n FlexEngine. Installs FlexEngine.
n FlexMigrate. Installs Application Migration and FlexEngine.
n FlexProfilesSelfSupport. Installs the Self-Support tool and FlexEngine.
n FlexManagementConsole. Installs the Management Console.
To install multiple features, separate the values with commas, without any spaces. For
example, to select FlexMigrate and FlexProfilesSelfSupport:
ADDLOCAL="FlexMigrate,FlexProfilesSelfSupport"
Note The property values are case-sensitive.
COMPENVCONFIGFILEPA
TH
The path to enable computer environment settings support as described in Perform
Installation with Computer Environment Settings Support.
INTEGRATION_ENABLED
Installs FlexEngine in Workspace ONE UEM integration mode.
The following is an example of a custom unattended installation command:
msiexec.exe /i "VMware Dynamic Environment Manager Enterprise 2306 10.10 x64.msi" /qn
INSTALLDIR="D:\Apps\VMware DEM" ADDLOCAL="FlexProfilesSelfSupport" /l* InstallDEM.log
For DEM Standard Edition, replace Enterprise with Standard in the preceding command.
The following is an example of a typical unattended installation that installs FlexEngine,
Application Migration, and Self-Support in the default installation directory:
msiexec.exe /i "VMware Dynamic Environment Manager Enterprise 2306 10.10 x64.msi" /qn /l*
InstallDEM.log
For the DEM Standard edition, replace Enterprise with Standard in the preceding command.
The following is an example of a typical unattended integration-mode installation that installs
FlexEngine.
msiexec.exe /i "VMware Dynamic Environment Manager Enterprise 2306 10.10 x64.msi" /qn
INTEGRATION_ENABLED=1
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 26
Upgrade VMware Dynamic Environment Manager
You can upgrade to the latest version of VMware Dynamic Environment Manager from earlier
versions of the product, such as from Immidio Flex+ 8.x or VMware User Environment Manager
versions.
Important If you choose to switch between VMware Dynamic Environment Manager editions,
DEM Standard Edition and DEM Enterprise Edition, within the same release, you must manually
uninstall the current edition and perform a fresh install of the other edition.
To upgrade VMware Dynamic Environment Manager, you must upgrade FlexEngine, the
Management Console, and the ADMX templates in the given order.
Upgrade FlexEngine on all Windows Desktops and Terminal Servers
To upgrade VMware Dynamic Environment Manager, you must first upgrade FlexEngine on all
Windows desktops and Terminal Servers.
Important If you choose to switch between VMware Dynamic Environment Manager editions,
DEM Standard Edition and DEM Enterprise Edition, within the same release, you must manually
uninstall the current edition and perform a fresh install of the other edition.
Procedure
1 As an administrator, run the MSI file that corresponds to your OS architecture and DEM
edition
(Standard or Enterprise).
Option
Description
x86 VMware Dynamic Environment Manager edition 2306 10.10
x86.msi
x64 VMware Dynamic Environment Manager edition 2306 10.10
x64.msi
2 Read and accept the End User License Agreement and click Next.
3 Select only FlexEngine and its subfeatures to upgrade and click Next.
4 Click Upgrade.
Note When upgrading to VMware Dynamic Environment Manager 2203 and later, a
previously provided license file remains valid. Any future updates to the license must be
performed using the Management Console. For more information, see
Managing Licenses
in
the
VMware Dynamic Environment Manager Administration Guide
at VMware Docs.
5 Select the destination folder where you want to install the application and click Next.
Install VMware Dynamic Environment Manager in the default folder.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 27
What to do next
Upgrade the VMware Dynamic Environment Manager Management Console.
Upgrade the VMware Dynamic Environment Manager Management
Console
After you upgrade FlexEngine, you must upgrade the Management Console on the Windows
desktop or Terminal Server it is installed on.
Important If you choose to switch between VMware Dynamic Environment Manager editions,
DEM Standard Edition and DEM Enterprise Edition, within the same release, you must manually
uninstall the current edition and perform a fresh install of the other edition.
Prerequisites
Upgrade FlexEngine.
Procedure
1 As an administrator, run the MSI file that corresponds to your OS architecture and DEM
edition
(Standard or Enterprise).
Option
Description
x86 VMware Dynamic Environment Manager edition 2306 10.10
x86.msi
x64 VMware Dynamic Environment Manager edition 2306 10.10
x64.msi
2 Read and accept the End User License Agreement and click Next.
3 Select the destination folder where VMware Dynamic Environment Manager is installed and
click Next.
4 Select only the Management Console feature to upgrade and click Next.
5 Click Upgrade.
6 Select all Flex configuration files that contain Application Templates or Windows Common
Settings to have them automatically updated to the new definitions. If an updated template is
available, you are prompted for your approval of the update.
What to do next
Upgrade the ADMX Templates.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 28
Upgrade the ADMX Templates
Install the ADMX templates from the VMware Dynamic Environment Manager download package
to complete the upgrade process.
Important If you choose to switch between VMware Dynamic Environment Manager editions,
DEM Standard Edition and DEM Enterprise Edition, within the same release, you must manually
uninstall the current edition and perform a fresh install of the other edition.
Prerequisites
n Upgrade FlexEngine.
n Upgrade the Management Console.
Procedure
1 Remove the previous ADMX templates from the Central Store on the Windows domain
controller.
2 Open the VMware Dynamic Environment Manager download package.
3 Copy the new ADMX templates from the download package to the Central Store on the
Windows domain controller.
Results
You successfully upgraded VMware Dynamic Environment Manager.
Cleanup Actions after Upgrading Group Policy-based Installation
You can perform cleanup actions after upgrading a Group Policy-based installation from VMware
Dynamic Environment Manager 2106 or older versions.
Note The cleanup actions are applicable only for Group Policy-based setups. NoAD mode
deployments do not require any cleanup.
n Any logon and logoff scripts used to launch FlexEngine.exe can be removed.
n The existing logon and logoff scripts are skipped (with a message in the logs).
n The following Windows Group Policy settings are no longer required for VMware Dynamic
Environment Manager.
n User Policy setting - Run logon scripts synchronously
n Windows Computer Policy setting - Always wait for the network at computer startup and
logon
n There is no impact on the functionality of Dynamic Environment Manager if you do not clean
up these settings immediately.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 29
Configuring VMware Dynamic
Environment Manager
5
After you install VMware Dynamic Environment Manager on Windows desktops or Terminal
Services, you must configure FlexEngine and the Management Console.
To have VMware Dynamic Environment Manager running correctly, you must configure
FlexEngine.
n Create and configure an Active Directory GPO for VMware Dynamic Environment Manager.
You must configure Group Policies to enable FlexEngine to run when the users log on to and
log off from their Windows machines, and set up the locations of configuration and profile
archives shares. The remaining
VMware Dynamic Environment Manager Group Policies are
optional.
n If you do not use a GPO to configure FlexEngine, you can use the NoAD mode. See Chapter 6
Installing and Configuring FlexEngine in NoAD Mode.
This chapter includes the following topics:
n Configuring the FlexEngine Group Policy Object
n Create a VMware Dynamic Environment Manager Group Policy Object
n Configure the VMware Dynamic Environment Manager Group Policy Object
n Configuring the VMware Dynamic Environment Manager Management Console
Configuring the FlexEngine Group Policy Object
You configure FlexEngine by creating an Active Directory Group Policy Object (GPO). You use
the VMware Dynamic Environment Manager administrative templates that are provided in the
download package.
If you want to provide different FlexEngine configurations, you can use multiple GPOs. For
example, you can manage multiple VMware Dynamic Environment Manager environments such
as test and production.
GPO Mandatory Settings
After you deploy FlexEngine to the client devices, you must configure FlexEngine to run during
the Windows logon and logoff processes.
VMware, Inc.
30
FlexEngine runs during Windows logon to get all the settings for the client device and apply them
as soon as the user logs in. During Windows logoff, FlexEngine runs to save all the settings for
the client device to the profile archives share. To run FlexEngine, enable the Run FlexEngine
at logon and logoff Group Policy setting. See Configure Run FlexEngine at Logon and Logoff
Setting.
You must also configure the path to the configuration share and the profile archives share in the
GPO. See Configure the Flex Configuration Files Setting and Configure Profile Archives Setting.
GPO Optional Settings
The two most common optional GPO settings for VMware Dynamic Environment Manager are as
follows:
n Use the Profile Archives Backups setting to configure the location and number of backups.
Users can restore their settings from a backup using the Self-Support Tool or help desk
personnel can do this by using the Helpdesk Support tool.
n Use the FlexEngine Logging setting to configure the location and filename of the log file, the
level of log detail, and the maximum file size. The log file helps with troubleshooting.
For more information on all FlexEngine GPO settings, see Configure the VMware Dynamic
Environment Manager Group Policy Object for details.
Create a VMware Dynamic Environment Manager Group
Policy Object
To configure FlexEngine, you must create a GPO for VMware Dynamic Environment Manager by
using the administrative templates that are provided in the download package.
You can create a new GPO for VMware Dynamic Environment Manager or use an existing one
that is applied to the users for which you want to configure FlexEngine.
Procedure
1 Copy the VMware Dynamic Environment Manager ADMX files and their corresponding
ADML files from the download package to the correct PolicyDefinitions folder on your
Windows Domain Controller.
The VMware Dynamic Environment Manager ADMX files are located in the Administrative
Templates (ADMX) folder in the download package, and their corresponding ADML files
are located in the Administrative Templates (ADMX)\en-US folder. For more information
about the location of the PolicyDefinitions folder, go to the Microsoft Web site.
2 Open the Group Policy Management Console.
3 Create a new GPO.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 31
What to do next
n Configure the appropriate VMware Dynamic Environment Manager Group Policy settings. See
Configure the VMware Dynamic Environment Manager Group Policy Object.
n Configure FlexEngine to run during logout by configuring a logoff script. See Configure Run
FlexEngine at Logon and Logoff Setting.
Configure the VMware Dynamic Environment Manager
Group Policy Object
After you create a VMware Dynamic Environment Manager GPO, you must configure its
settings. These settings are required to configure the location of the VMware Dynamic
Environment Manager configuration and profile archives shares, and configure FlexEngine to
start automatically during login.
Prerequisites
You must at least configure the following settings:
n Flex configuration files.
n Profile archives.
n Run FlexEngine at logon and logoff.
The rest of the VMware Dynamic Environment Manager GPO settings are optional and enabling
them depends on your infrastructure and requirements.
Procedure
1 Open the VMware Dynamic Environment Manager Group Policy Object
To configure VMware Dynamic Environment Manager, you must edit the settings of the
VMware Dynamic Environment Manager GPO that you created. Open the settings of
the GPO from the Group Policy Management Editor. The VMware Dynamic Environment
Manager GPO configures FlexEngine with the correct VMware Dynamic Environment
Manager share locations and is therefore a required step.
2 Configure the Flex Configuration Files Setting
You configure the location of the central share that stores the Flex configuration files in
the Flex config files setting. Flex configuration files contain VMware Dynamic Environment
Manager data that FlexEngine uses to read and store user settings. FlexEngine runs with the
user's credentials, and processes each Flex configuration file for which the user has NTFS
read access.
3 Configure Run FlexEngine at Logon and Logoff Setting
Run the FlexEngine when a user logs on to apply the settings and set up the environment,
and save the settings at logoff.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 32
4 Configure FlexEngine Logging Setting
You can configure the location and file name of the FlexEngine log file, the level of logging
detail, and the maximum size of the log file.
5 Configure Profile Archives Setting
Configure the location of the profile archives share from where FlexEngine reads and stores
user profile archives and other settings that are related to the profile archives.
6 Configure Profile Archive Backups Setting
Use the Profile Archive Backups setting to configure the location where FlexEngine stores
the backups of profile archives.
7 Configure Application Blocking Logging to the Windows Event Log Setting
You can enable Application blocking logging to the Windows event log to have the details
on blocked application launches logged to the Windows event log.
8 Configure Privilege Elevation Logging to the Windows Event Log Setting
You can configure VMware Dynamic Environment Manager to log the details of elevated
application launches and, if desired, de-elevated child processes.
9 Configure Certificate Support for Mandatory Profiles Setting
You can enable the use of personal certificates in a mandatory profile. In addition to
enabling this support, you also must create a Flex configuration file with the Personal
Certificates Windows Common Setting.
10 Configure DirectFlex - Advanced Settings
You can configure advanced DirectFlex settings for more fine-grained control over
DirectFlex export settings and visual feedback.
11 Configure FlexEngine Logging to the Windows Event Log Setting
Use FlexEngine logging to the Windows Event Log to configure the events that FlexEngine
logs to the Windows event log. When this setting is enabled, FlexEngine logs informational
messages to the event log indicating the start and finish of path-based import and export
actions.
12 Configure Paths Unavailable at Logon Setting
You can configure Paths Unavailable at Logon to determine the behavior if the Flex
configuration files path or profile archives path is unavailable at login.
13 Configure Access to VMware DEM Self-Support for End Users
You can control whether users have access to VMware Dynamic Environment Manager
Self-Support.
14 Configure Printer Mapping Timeout Setting
You can configure the time that FlexEngine must wait to complete the printer mapping
process, and select an action to either terminate the mapping or continue in the background
(optionally at a lower priority) when the mapping times out.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 33
Open the VMware Dynamic Environment Manager Group Policy
Object
To configure VMware Dynamic Environment Manager, you must edit the settings of the VMware
Dynamic Environment Manager GPO that you created. Open the settings of the GPO from the
Group Policy Management Editor. The VMware Dynamic Environment Manager GPO configures
FlexEngine with the correct VMware Dynamic Environment Manager share locations and is
therefore a required step.
Prerequisites
Create a GPO for FlexEngine. See Create a VMware Dynamic Environment Manager Group Policy
Object.
Procedure
1 Open the Group Policy Management console.
2 Right-click the VMware Dynamic Environment Manager GPO that you created and select Edit.
The Group Policy Management Editor opens.
3 To access the VMware Dynamic Environment Manager administrative templates, navigate to
User configuration > Policies > Administrative Templates > VMware DEM > FlexEngine.
What to do next
Configure the following FlexEngine mandatory settings:
n Flex configuration files.
n Profile archives.
n Run FlexEngine at Logon and Logoff. See Configure Run FlexEngine at Logon and Logoff
Setting.
Configure the Flex Configuration Files Setting
You configure the location of the central share that stores the Flex configuration files in the Flex
config files setting. Flex configuration files contain VMware Dynamic Environment Manager data
that FlexEngine uses to read and store user settings. FlexEngine runs with the user's credentials,
and processes each Flex configuration file for which the user has NTFS read access.
Procedure
1 In the Group Policy Management Editor, double-click the Flex config files setting.
2 Select Enabled.
3 In the Central location of Flex config files text box, enter the location of the central
configuration share.
Use a UNC path for this setting. Typically, this path points to the General folder created by
the Management Console in the VMware Dynamic Environment Manager configuration share.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 34
For example: \\Filesrv\DemConfig$\General
4 Select Process folder recursively to also enable processing Flex configuration files that are
located in subfolders of the specified path.
Configure Run FlexEngine at Logon and Logoff Setting
Run the FlexEngine when a user logs on to apply the settings and set up the environment, and
save the settings at logoff.
Procedure
1 In the Group Policy Management Editor, double-click the Run FlexEngine at Logon and
Logoff setting.
2 Select Enabled.
Configure FlexEngine Logging Setting
You can configure the location and file name of the FlexEngine log file, the level of logging detail,
and the maximum size of the log file.
Procedure
1 In the Group Policy Management Editor, double-click the FlexEngine Logging setting.
2 Select Enabled.
3 Enter the settings for FlexEngine logging.
Option
Description
Path and name of log file Enter a location that is unique for each user, for example:
\\Filesrv\DemUsers$\%username%\Logs\FlexEngine.log
If you enter a subdirectory that does not exist, FlexEngine automatically
creates it when a user logs in.
Log level Set the amount of detail that is logged. Do not use Debug or Info in
production environments, because the amount of logging information might
slow down the logon and logoff process.
Maximum log file size in kB Set the maximum size of the log file. If you set a maximum log file size, the
log file is created again after that size is reached. If you set the maximum
size to 0, the log file expands indefinitely.
Log total size of profile archive and
profile archive backups folders
FlexEngine logs the number of profile archives and profile archives backups,
and their file sizes at the end of a path-based export.
Note You should avoid using Debug log level in production, but it is extremely helpful when
troubleshooting issues.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 35
Configure Profile Archives Setting
Configure the location of the profile archives share from where FlexEngine reads and stores user
profile archives and other settings that are related to the profile archives.
Procedure
1 In the Group Policy Management Editor, double-click the Profile Archives setting.
2 Select Enabled.
3 Configure the settings for storing the profile archives.
Option Description
Location for storing user profile
archives
Enter the location of the profile archives share. Use a location that is unique
for each user, for example:
\\Filesrv\DemUsers$\%username%\Archives
Hide profile archives folder Mark the specified profile archives folder as hidden after FlexEngine
performs a path-based export.
Compress profile archives Enable ZIP compression for the user profile archives.
Retain file modification dates Restore last modified dates when FlexEngine imports profile archives. This
setting is required if you want to use the Do not export files older than ...
days function.
Configure Profile Archive Backups Setting
Use the Profile Archive Backups setting to configure the location where FlexEngine stores the
backups of profile archives.
Procedure
1 In the Group Policy Management Editor, double-click the Profile Archive Backups setting.
2 Select Enabled.
3 Enter the settings for storing profile archives backups.
Option
Description
Location for storing user profile
archive backups
Provide a unique location to store the profile archives backups for every
user. For example:
\\Filesrv\DemUsers$\%username%\Backups
If you enter a subdirectory that does not exist, FlexEngine automatically
creates a subdirectory when a user creates a backup for the first time.
Hide backup folder Mark the specified profile archives backup folder as hidden after a path-
based export.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 36
Option Description
Number of backups per profile
archive
Specify the number of backups you want to create for each profile archive
for each user.
Note You can override this setting in the Flex configuration files by setting
a different value on the Backups tab in the Management Console.
Create single backup per day Treat the number of backups as the number of days for which to keep
backups. This prevents DirectFlex from overwriting backups from the
previous day or older days.
Configure Application Blocking Logging to the Windows Event Log
Setting
You can enable Application blocking logging to the Windows event log to have the details on
blocked application launches logged to the Windows event log.
Procedure
1 In the Group Policy Management Editor, double-click Application blocking logging to the
Windows event log.
2 Select Enabled.
Configure Privilege Elevation Logging to the Windows Event Log
Setting
You can configure VMware Dynamic Environment Manager to log the details of elevated
application launches and, if desired, de-elevated child processes.
The default behavior of this setting is to log the details of the following events to the Windows
event log.
n An application privilege is elevated.
n An elevated application launches a de-elevated child process.
Procedure
1 In the Group Policy Management Editor, double-click Privilege elevation logging to the
Windows event log.
2 Select Enabled.
3 (Optional) If you do not want VMware Dynamic Environment Manager to log de-elevated
child processes, deselect Log de-elevated application launches.
4 Click OK.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 37
Configure Certificate Support for Mandatory Profiles Setting
You can enable the use of personal certificates in a mandatory profile. In addition to enabling this
support, you also must create a Flex configuration file with the Personal Certificates Windows
Common Setting.
Note Do not enable this setting when you are using roaming or local profiles.
Procedure
1 In the Group Policy Management Editor, double-click Certificate Support for Mandatory
Profiles.
2 Select Enabled.
Configure DirectFlex - Advanced Settings
You can configure advanced DirectFlex settings for more fine-grained control over DirectFlex
export settings and visual feedback.
Procedure
1 In the Group Policy Management Editor, double-click DirectFlex - Advanced Settings.
2 Select Enabled.
3 Configure DirectFlex - Advanced Settings settings.
Option
Description
Only export at logoff By default, DirectFlex exports profile information when an application is
closed. When you enable this setting, the export action runs when the user
logs out.
Note This setting can be overridden through the DirectFlex settings in the
Management Console.
Show DirectFlex notifications Enable this option to display a message in the notification area when
DirectFlex performs an import or export.
Notification delay in seconds If the DirectFlex import or export takes less time than the configured delay,
no message appears. Configure this setting to only display messages when
the access to the profile archives path is slow. If the delay is set to 0,
messages are shown immediately.
Hide DirectFlex exit notification Enable this option to only show a message when DirectFlex is performing an
import.
Configure FlexEngine Logging to the Windows Event Log Setting
Use FlexEngine logging to the Windows Event Log to configure the events that FlexEngine logs
to the Windows event log. When this setting is enabled, FlexEngine logs informational messages
to the event log indicating the start and finish of path-based import and export actions.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 38
Procedure
1 In the Group Policy Management Editor, double-click the FlexEngine logging to the Windows
Event Log setting.
2 Select Enabled.
3 (Optional) Configure settings for additional settings.
Option Description
Asynchronous user environment
actions
DirectFlex refresh
User environment refresh
Enable these options to instruct FlexEngine to log start and finish events for
these features.
Warn if size of single profile archive
exceeds this size in kB
If you set a size other than 0, FlexEngine logs an event whenever a profile
archive that is exported is larger than the specified size in kB. This behavior
applies both to DirectFlex exports and path-based exports.
Warn if size of profile archive folder
exceeds this size in kB
If you set a size other than 0, FlexEngine logs an event whenever the
total size of profile archives in the profile archives folder is larger than the
specified size in kB. This size check only takes place after a path-based
export.
Include profile archive backup folder
when determining folder size
When set, the size of profile archive backups in the backup folder is included
when computing the size of the profile archives folder.
Configure Paths Unavailable at Logon Setting
You can configure Paths Unavailable at Logon to determine the behavior if the Flex
configuration files path or profile archives path is unavailable at login.
Procedure
1 In the Group Policy Management Editor, double-click the Paths Unavailable at Logon setting.
2 Select Enabled.
3 Configure the Paths Unavailable at Logon options.
Option
Description
If Flex config files path is not
available
Select one of the following options when the Flex configuration files path is
not available at login.
n Skip import. Allows the user to log in. The user profile archives are not
imported and the user environment settings are not applied.
n Logoff. Automatically logs off the user.
If profile archive path is not available Select one of the following options when the profile archives path is not
available at login.
n Skip import. Allows the user to log in. The user profile archives are not
imported and the user environment settings are not applied.
n Apply user environment settings. Applies the user environment settings.
The user profile archives are not imported.
n Logoff. Automatically logs off the user.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 39
Option Description
Optional message to display Use this setting to display a message in case the path is missing. You can
configure this setting separately for the Flex configuration files path, if Skip
import is selected, and for the profile archives path, if Skip import or Apply
user environment settings is selected.
Timeout after which to dismiss
message
Use this setting to configure how long the message remains displayed. The
user can dismiss the message manually at any time.
Note If the Flex configuration files path is not available, the user is immediately logged out
by default. If the profile archives path is not available, only the user environment settings are
applied by default and no user profile archives are imported.
Configure Access to VMware DEM Self-Support for End Users
You can control whether users have access to VMware Dynamic Environment Manager Self-
Support.
Procedure
1 In the Group Policy Management Editor, double-click Prevent access to VMware DEM Self-
Support.
2 Select Enabled.
Configure Printer Mapping Timeout Setting
You can configure the time that FlexEngine must wait to complete the printer mapping process,
and select an action to either terminate the mapping or continue in the background (optionally at
a lower priority) when the mapping times out.
Procedure
1 In the Group Policy Management Editor, double-click Printer mapping timeout.
2 Select Enabled.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 40
3 Configure the settings for printer mapping.
Option Description
Timeout in seconds Configure the time (in seconds) that FlexEngine must wait to complete the
printer mapping process.
If printer mapping is not completing
in configured timeout
Select the action that FlexEngine must take when printer mapping does not
complete within the configured timeout.
n Continue in background. Continue to run the printer mapping in the
background without changing the process priority
n Continue in background at a reduced priority. Reduce the priority of the
printer mapping process, so there is less impact on the CPU
n Terminate. Terminate the printer mapping process
Note You can override this setting for individual printer mappings in the Management
Console.
Configuring the VMware Dynamic Environment Manager
Management Console
After you install and configure VMware Dynamic Environment Manager, you can start the
VMware Dynamic Environment Manager Management Console. The Management Console
requires initial configuration and you can also configure which features you want to manage
through the console.
Fresh Installation
If you install VMware Dynamic Environment Manager as a fresh installation, when you open the
Management Console the first time, you are prompted to select which mode the Management
Console opens in going forward, integration mode or standalone mode.
Whichever mode you select, the Management Console subsequently opens in that mode, unless
you change the mode, such as by selecting Configure > Integration in the Management Console.
Initial Standalone-Mode Configuration
When you use the Management Console in standalone mode for the first time, you must specify
the location of the configuration share. With the configuration share set, you can start using the
Management Console in standalone mode.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 41
Management Console searches for the Immidio Flex Profiles Configuration.xml
configuration file at the specified location. If the file exists, this central file is read and used
as configuration for the Management Console. Otherwise, a new configuration file, with default
values, and a General folder is created.
Note Management Console configuration is stored in the central configuration share. Any
changes that you make to the configuration affect all Management Console installations that
are configured to use this share.
Further Configuration
You can control which features you want to manage through the Management Console by
configuring the Management Console settings. You can display the settings by clicking Configure
in the Management Console.
n Personalization Features. Each check box in the Personalization Features section
corresponds to a Personalization-related tab available in the Management Console, except
the Silo support check box. Silo support lets you use Management Console to manage both
General configuration files and silo-specific ones. When enabled, a Silos folder is created in
the VMware Dynamic Environment Manager configuration share. Within the Silos folder, you
can create subfolders for each silo, and within these subfolders you can create and manage
silo-specific Flex configuration files.
n Additional Features. Each checked item in the Additional Features section appears as a
top-level tab in the Management Console. The Management Console does not display the
Computer Environment and Application Migration tabs by default. Select the corresponding
check boxes if you want one or both of these items to appear as top-level tabs.
n App-V. The App-V tab contains settings for application virtualization support. For more
information, see the
VMware Dynamic Environment Manager Administration Guide
.
n Configuration Changelog. You can view a log of changes to personalization or user
environment settings files. See information about the configuration changelog in the
VMware
Dynamic Environment Manager Administration Guide
.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 42
Installing and Configuring
FlexEngine in NoAD Mode
6
NoAD mode is an alternative to configuring the client component, FlexEngine, with Active
Directory Group Policy. You do not need to create a GPO or configure Windows Group Policy
settings.
In NoAD mode, FlexEngine ignores all VMware Dynamic Environment Manager GPO settings. If
settings from a previous GPO-based deployment are encountered, no actions are performed and
a message is logged to the FlexEngine log file.
This chapter includes the following topics:
n Install FlexEngine in NoAD Mode
n Configuring FlexEngine in NoAD Mode
Install FlexEngine in NoAD Mode
You install the client component, FlexEngine, in NoAD mode by performing an unattended
installation through a command-line interface.
At the same time, you can choose to enable computer environment settings using the
COMPENVCONFIGFILEPATH property, as described in Perform Installation with Computer
Environment Settings Support.
VMware, Inc.
43
Procedure
u To install FlexEngine in NoAD mode, perform the appropriate procedure depending on which
mode you run VMware Dynamic Environment Manager in, standalone mode or integration
mode.
Option Description
Standalone Mode Specify the path to the General folder in the VMware Dynamic Environment
Manager configuration share through the NOADCONFIGFILEPATH MSI
property at the time of installation, as illustrated in the following example.
For DEM Standard Edition, replace Enterprise with Standard.
msiexec.exe /i "VMware Dynamic Environment Manager
Enterprise 2306 10.10 x64.msi" /qn /l* InstallDEM.log
NOADCONFIGFILEPATH=\\Filesrv\DemConfig$\General
Integration Mode Set the INTEGRATION_ENABLED MSI property at the time of installation, as
illustrated in the following example.
msiexec.exe /i "VMware Dynamic Environment Manager
Enterprise 2306 10.10 x64.msi" /qn INTEGRATION_ENABLED=1
Later, in the VMware Dynamic Environment Manager Management Console,
import the NoAD.xml file by selecting the main menu icon, , and Import
NoAD.xml. This file is contained in the VMware Dynamic Environment
Manager config profile file. When FlexEngine runs, it picks up the NoAD.xml
file from the VMware Dynamic Environment Manager config profile file.
Results
This command inserts the basic NoAD configuration in the HKLM registry hive and enables the
NoAD mode.
Note To disable the NoAD mode, uninstall VMware Dynamic Environment Manager, and reinstall
without the NOADCONFIGFILEPATH or INTEGRATION_ENABLED MSI properties.
Configuring FlexEngine in NoAD Mode
You can provide the settings for configuring FlexEngine in NoAD mode by creating an XML file
and making the file available on the central configuration share. When a user logs in, FlexEngine
reads the settings from the XML file and applies them to the registry.
The XML file that you create on the central configuration share is called NoAD.xml and must
reside in the …\General\FlexRepository\NoAD subfolder.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 44
The NoAD.xml is a UTF-8-encoded XML file with an explicit UTF-8 BOM. You can create this
file by using Notepad and selecting the UTF-8 encoding when saving. The file must have the
following basic structure:
<?xml version="1.0" encoding="utf-8"?>
<userEnvironmentSettings>
<setting type="noAD" additionalSetting="…" otherSetting="…" … />
</userEnvironmentSettings>
Configuring Profile Archives Settings
You must configure the location of the profile archives share from where the FlexEngine reads
and stores user profile archives and can configure other settings related to profile archives.
Setting Value
ProfileArchivePath A mandatory setting. Set the location of the profile archives share. Use a location
that is unique for each user. For example:
\\Filesrv\DemUsers$\%username%\Archives
HideProfileArchiveFolder To enable this setting, set the value to 1. This setting marks the specified profile
archives folder hidden after FlexEngine performs a path-based export.
RestoreLastModified To enable this setting, set the value to 1. If enabled, FlexEngine restores last
modified dates when it imports profile archives. This setting is required if you want
to use the Do not export files older than ... days option.
CompressArchives By default, profile archives are compressed.
Set this value to 0 to disable compression.
Configuring FlexEngine Logging Settings
You can configure the location and filename of the FlexEngine log file, the level of logging details,
and the maximum size of the log file.
Setting
Value
LogFileName Set a location that is unique for each user, for example:
\\Filesrv\DemUsers$\%username%\Logs\FlexEngine.log
If you enter a subdirectory that does not exist, FlexEngine creates it when a user
logs in.
LogLevel Configure the amount of details to log by setting this property to one of the
following values:
n 0 (DEBUG)
n
1 (INFO)
n 2 (WARN)
n 3 (ERROR)
n 4 (FATAL)
Note Do not use 0 (DEBUG) or 1 (INFO) in production environments, because the
amount of logging information might slow down the logon and logoff process.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 45
Setting Value
MaximumLogFileSize Set the maximum size of the log file in kB. If you set a maximum log file size, the log
file is created again after that size limit is reached. If you set the maximum size to 0,
the log file expands indefinitely.
LogProfileArchiveFolderSize To enable this setting, set the value to 1. If enabled, FlexEngine logs the number
of profile archives and profile archives backups, and their sizes, at the end of a
path-based export.
Configuring Profile Archive Backups Settings
Use this setting to configure the location where FlexEngine stores the backups of profile
archives.
Setting Value
BackupPath Set a unique location to store the profile archives backups for every user. For
example:
\\Filesrv\DemUsers$\%username%\Backups
If you enter a subdirectory that does not exist, FlexEngine creates a subdirectory
when a user creates a backup for the first time.
HideBackupFolder To enable this setting, set the value to 1. Marks the specified profile archives backup
folder as hidden after a path-based export.
BackupCount Set the number of backups that you want to create for each profile archive for each
user.
Note You can override this setting in the Flex configuration files by setting a
different value on the Backups tab in the Management Console.
BackupDaily To enable this setting, set the value to 1. Treats the number of backups as
the number of days for which to retain backups. This prevents DirectFlex from
overwriting backups from the previous day or recent days.
Configuring Application Blocking Logging to the Windows Event Log
Setting
As an option, you can enable this setting to log the details of the blocked application launches to
the Windows event log.
Setting
Value
AppBlockingEventLog To enable this setting, set the value to 1.
Configuring Privilege Elevation Logging to the Windows Event Log
Setting
You can configure VMware Dynamic Environment Manager to log the details of elevated
application launches and, if desired, de-elevated child processes.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 46
The default behavior of the PrivilegeElevationEventLog setting is to log the details of the
following events to the Windows event log.
n An application privilege is elevated.
n An elevated application launches a de-elevated child process.
Setting Value
PrivilegeElevationEventLog To enable this setting, set the value to 1.
DeElevationEventLog If the value of the PrivilegeElevationEventLog setting is 1 but you do not want
VMware Dynamic Environment Manager to log de-elevated child processes, too, set
this value to 0.
Enable Certificate Support for Mandatory Profiles Setting
As an option, you can enable the use of personal certificates in a mandatory profile.
Setting Value
CertificateSupport To enable this setting, set the value to 1.
Note Do not enable this setting when you are using roaming or local profiles.
Configure DirectFlex – Advanced Settings
As an option, you can configure advanced DirectFlex settings for fine-grained control over
DirectFlex export settings and visual feedback.
Setting
Value
OnlyExportAtLogoff To enable this setting, set the value to 1. By default, DirectFlex exports profile
information when an application is closed. When you enable this setting, the export
action runs when the user logs out.
Note This setting can be overridden through the DirectFlex settings in the
Management Console.
DirectFlexNotification To enable this setting, set the value to 1. When enabled, a message is displayed in
the notification area when DirectFlex performs an import or export.
DirectFlexNotificationDelay Set the number of seconds to delay. If the DirectFlex import or export takes less
time than the configured delay, no message appears. Configure this setting to
display messages only when the access to the profile archives path is slow. If the
delay is set to 0, messages are shown immediately.
DirectFlexHideExitNotificati
on
To enable this setting, set the value to 1. Enable this option to show a message only
when DirectFlex is performing an import.
Configure FlexEngine Logging to the Windows Event Log Setting
As an option, you can use FlexEngine logging to the Windows event log to configure the
events FlexEngine logs to the Windows event log. When this setting is enabled, FlexEngine logs
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 47
informational messages to the event log indicating the beginning and end of the path-based
import and export actions.
Setting Value
EventLog To enable this setting, set the value to 1. If enabled, FlexEngine logs events for
path-based import and export actions.
EventLogAsync To enable this setting, set the value to 1. If enabled, FlexEngine also logs events for
asynchronous VMware Dynamic Environment Manager actions.
EventLogDirectFlexRefresh To enable this setting, set the value to 1. If enabled, FlexEngine also logs events for
DirectFlex refresh actions.
EventLogUEMRefresh To enable this setting, set the value to 1. If enabled, FlexEngine also logs events for
user environment refresh actions.
EventLogMaxFileSize Set to profile archive file size in kB. If you set a size other than 0, FlexEngine logs an
event when a profile archive that is exported is larger than the specified size in kB.
This applies both to DirectFlex exports and path-based exports.
EventLogMaxFolderSize Set to profile archive folder size in kB. If you set a size other than 0, FlexEngine
logs an event whenever the total size of profile archives in the profile archives
folder is larger than the specified size in kB. This size check only takes place after a
path-based export.
EventLogIncludeBackupFolder To enable this setting, set the value to 1. When set, the size of profile archives
backups in the backup folder is taken into account when computing the size of the
profile archives folder.
Note EventLog must be set to 1 for any of the other settings to take effect.
Configure Paths Unavailable at Logon Setting
As an option, you can configure this setting to determine the behavior if the Flex configuration
path or profile archives path is unavailable at login.
Setting
Value
ConfigPathMissingAction Set to one of the following values when the Flex configuration files path is not
available at login.
n 0 (Skip import). Allows the user to log in. The user profile archives are not
imported and the user environment settings are not applied.
n
1000 (Logoff)
. Automatically logs out the user.
ConfigPathMissingMessage Set a message to display. Use this setting to display a message in case the Flex
configuration path is missing and ConfigPathMissingAction is set to 0 (Skip
import) .
ConfigPathMissingMessageTimeout Set a timeout in seconds. Use this setting to configure how long the message
remains displayed. The user can close the message manually at any time.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 48
Setting Value
ArchivePathMissingAction Set to one of the following values when the profile archives path is not
available at logon:
n 0 (Skip import). Allows the user to log in. The user profile archives are not
imported and the user environment settings are not applied.
n
1 (Apply user environment settings)
. Applies the user environment
settings. The user profile archives are not imported.
n or 1000 (Logoff). Automatically logs off the user.
ArchivePathMissingMessage Set a message to display. Use this setting to display a message in case the
profile archives path is missing and ArchivePathMissingAction is set to 1
(Apply user environment settings).
ArchivePathMissingMessageTimeout Set a timeout in seconds. Use this setting to configure how long the message
remains displayed. The user can close the message manually at any time.
Note If the Flex configuration files path is not available, the user is immediately logged off by
default. If the profile archives path is not available, only the user environment settings are applied
by default and no user profile archives are imported.
Prevent Access to VMware Dynamic Environment Manager Self-
Support to End Users
As an option, you can control user access to VMware Dynamic Environment Manager Self-
Support.
Setting
Value
SelfSupportDisallowed To enable this setting, set the value to 1.
Configuring Printer Mapping Timeout Setting
You can configure the time that FlexEngine must wait to complete the printer mapping process,
and select an action to either terminate the mapping or continue in the background (optionally at
a lower priority) when the mapping times out.
Setting
Value
PrinterMappingTimeout Configure the time (in seconds) that FlexEngine must wait
for the printer mapping to complete.
PrinterMappingTimeoutAction Configure the timeout action by setting this property to
one of the following values.
n 1 Continue to run the printer mapping in the
background without changing the process priority
n
2
Reduce the priority of the printer mapping process,
so there is less impact on the CPU
n 3 Terminate the printer mapping process
Note You can override this setting for individual printer mappings in the Management Console.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 49
Disable the NoAD Mode for Certain Users
As an option, you can use the following additional settings to control the NoAD mode.
Setting Value
DisableForAdmin Set this value to 1 to disable all VMware Dynamic Environment Manager functionality
for local administrators.
DisableForGroupMembers Set this value to a comma-separated list of groups in Domain\GroupName format.
All VMware Dynamic Environment Manager functionality is disabled for members of
those groups.
Remove Registry Settings for the NoAD Mode
Settings in the NoAD.xml file overwrite existing registry settings. As an option, you can remove a
registry setting by specifying an attribute value of -/- in the XML attribute.
Targeting NoAD Settings Based on Group Membership
Use this advanced feature when you want to target specific NoAD configuration to users based
on Windows security group membership.
DEM agent uses the configuration settings from the …\General\FlexRepository\NoAD\NoAD.xml
file. Starting with VMware Dynamic Environment Manager 2206, administrators can configure
the DEM agent using NoAD settings from multiple configuration files and target these files to
users based on Windows security group membership. All the settings from NoAD.xml are first
applied to all the users. If the multiple configuration feature is enabled, other configuration files
are processed subsequently.
Procedure
1 Create one or more configuration files in the …\General\FlexRepository\NoAD folder and save
with the same format as NoAD.xml.
2 Open the standard NoAD configuration file and set the value for MultipleConfig as 1. The
DEM agent processes the other
*.xml files in the …\General\FlexRepository\NoAD folder and
reads them one by one in alphabetical order.
3 Ensure that each additional configuration file(s) you created contains an IfMemberOf attribute
(case-sensitive name), and set to a comma-separated list of group names. If the user is a
member of any of those groups, the configuration file is processed as a NoAD configuration
file for that user.
Example
As an example, assume that you have the standard NoAD.xml file containing ... <setting
type='noAD' MultipleConfig="1" BackupCount="3" ... with other DEM agent configuration
settings.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 50
There are two more configuration files:
n HR.xml containing ... <setting type='noAD' IfMemberOf='Human Resources'
BackupCount="5" ...
n
Remote.xml containing ... <setting type='noAD' IfMemberOf='Remote Employees'
BackupCount="1" ...
When a user logs on, the settings from NoAD.xml are processed first. As MultipleConfig is
enabled, the other two files are processed in an alphabetical order.
n If an HR employee logs on, the number of backups is set to 5.
n If a Remote employee logs on, the number of backups is set to 1.
n If the user logging on is a member of both the Human Resources group and the Remote
Employees group, the number of backups is set to 1, because the settings overwrite.
n If the user logging on is not a member of either of these two groups, the number of backups
remains at 3, as configured in NoAD.xml.
Sample NoAD.xml File
The following sample NoAD.xml file configures the profile archive path, a log file at the INFO
level, allows users to log in if the Flex configuration files path or the profile archive path is not
accessible, and enables certain Windows event logging options.
<?xml version="1.0" encoding="utf-8"?>
<userEnvironmentSettings>
<setting type="noAD"
ProfileArchivePath="\\Filesrv\DemUsers$\%username%\Archives"
LogFileName="\\Filesrv\DemUsers$\%username%\Logs\FlexEngine.log"
LogLevel="1"
ConfigPathMissingAction="0"
ArchivePathMissingAction="1"
AppBlockingEventLog="1"
EventLog="1"
EventLogAsync="1"
EventLogDirectFlexRefresh="1"
EventLogUEMRefresh="1"
/>
</userEnvironmentSettings>
Note This sample configuration file is available in the download package's Agent
Configuration Examples\FlexRepository\NoAD folder.
For integration-mode scenarios, the download package also contains a sample configuration file
for use with Workspace ONE UEM. The main difference with the standalone-mode sample is that
the profile archive path and the log file configuration settings use local paths instead of paths on
a file share.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 51
Computer Environment Settings
7
To enable VMware Dynamic Environment Manager to apply computer environment settings while
end-user computers start up and shut down, configure the required agent settings and local
Group Policy settings.
This chapter includes the following topics:
n Perform Installation with Computer Environment Settings Support
n FlexEngine Configuration for Computer Environment Settings
n Windows Configuration for Computer Environment Startup and Shutdown Tasks
Perform Installation with Computer Environment Settings
Support
You can install VMware Dynamic Environment Manager with computer environment settings
support by using the COMPENVCONFIGFILEPATH installer property. You also have the option of
configuring computer environment settings by installing VMware Dynamic Environment Manager
without the COMPENVCONFIGFILEPATH property, but then configuring the registry settings.
Note Computer accounts rather than user accounts access the file shares that host the
configuration folder and the log file. See VMware Dynamic Environment Manager Configuration
Share and Profile Archives Share for information about Share permissions and NTFS security
permissions.
Procedure
u To install FlexEngine with computer environment settings support, specify the path to the
General folder in the VMware Dynamic Environment Manager configuration share through the
COMPENVCONFIGFILEPATH MSI property at the time of installation.
For DEM Standard Edition, replace Enterprise with Standard.
msiexec.exe /i "VMware Dynamic Environment Manager Enterprise 2306 10.10 x64.msi" /qn /l*
InstallDEM.log COMPENVCONFIGFILEPATH=\\Filesrv\DemConfig$\General
VMware, Inc.
52
u You can also specify the COMPENVMAXCONFIGFILEPATHWAIT MSI property to configure the
amount of time in seconds to wait for the config file path to become available at startup. If
the timeout expires, no computer settings are processed. The default timeout is 30 seconds.
Configuring this setting to 0 disables the retry altogether. In this case, no computer settings
are processed if the path is not immediately available at startup.
msiexec.exe /i "VMware Dynamic Environment Manager Enterprise 2306 10.10
x64.msi" /qn /l* InstallDEM.log COMPENVCONFIGFILEPATH=\\Filesrv\DemConfig$\General
COMPENVMAXCONFIGFILEPATHWAIT=120
u As an alternative to using the COMPENVCONFIGFILEPATH MSI property, you can install
VMware Dynamic Environment Manager without the MSI property and manually configure
the following Windows registry settings in the HKLM\SOFTWARE\VMware, Inc.\VMware
UEM\Agent\Computer Configuration key. If the key does not exist, create it.
n Set Enabled (REG_DWORD) to 1
n Set ConfigFilePath (REG_EXPAND_SZ) to the location of the configuration folder
Use a UNC path. Typically, the path points to the General folder, which the Management
Console creates in the VMware Dynamic Environment Manager configuration share.
FlexEngine Configuration for Computer Environment
Settings
Depending on how you installed and configured VMware Dynamic Environment Manager, you
can configure computer environment settings using an XML-based approach or a registry-based
approach.
XML-Based Configuration
If you installed VMware Dynamic Environment Manager with the COMPENVCONFIGFILEPATH
property, you can configure the settings in the table that follows as XML attributes in the
FlexRepository\AgentConfiguration\Computer.xml file.
A sample configuration file is available in the download package's Agent Configuration
Examples\FlexRepository\AgentConfiguration folder.
This file is a UTF-8-encoded XML file with an explicit UTF-8 BOM. You can create this file by using
Notepad and selecting the UTF-8 encoding when saving. The file must have the following basic
structure:
<?xml version="1.0" encoding="utf-8"?>
<agentConfiguration>
<setting type="compEnv"
setting="..."
otherSetting="..."
/>
</agentConfiguration>
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 53
Registry-based Configuration
If you chose to perform the configuration using the registry-based approach, the table that
follows lists additional registry values that you can configure in the HKLM\SOFTWARE\VMware,
Inc.\VMware UEM\Agent\Computer Configuration key.
Configuration Settings
Setting Name Registry Value Type Default Notes
LogFileName REG_EXPAND_SZ Location of the log file,
specified as a fully qualified
UNC path, including the
filename.
LogLevel REG_DWORD 2 Log level. 0–4 for DEBUG,
INFO, WARN, ERROR,
FATAL, respectively.
Defaults to WARN, if a log
filename is configured.
AdmxLogging REG_DWORD 0 If a log filename
is configured, controls
verbose logging to
a separate LogFileName-
ADMX.log file. To enable,
set this value to 1.
MaximumLogFileSize REG_DWORD 0 Specifies the maximum size
of the log file in kB.
Defaults to 0, indicating no
maximum size.
MaxConfigFilePathWait REG_DWORD 30 The amount of time in
seconds to wait for the
config file path to become
available at startup. If
the timeout expires, no
computer settings are
processed. Configuring this
setting to
0 deactivates
the retry altogether. In this
case, no computer settings
are processed if the path
is not immediately available
at startup.
You cannot use this
setting for XML-based
configuration.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 54
Setting Name Registry Value Type Default Notes
RefreshInterval REG_DWORD 0 If configured, computer
environment settings are
refreshed starting from
when they are applied at
computer startup. By
default, computer
environment settings are
refreshed until a user logs
in. If
ContinueRefreshAfterLogo
n is set to 1, the settings
continue to be refreshed
after a user logs in.
The configured interval
specifies the amount of
time to wait in seconds
between those refresh
events.
RefreshIntervalOffset REG_DWORD 0 If interval-based refresh
is enabled, this setting
specifies an optional
random component to
the interval length. The
effective interval is equal to
RefreshInterval + Random
(1...RefreshIntervalOffset)
seconds.
ContinueRefreshAfterLogo
n
REG_DWORD 0 If set to 1 and interval-
based refresh is enabled,
computer environment
settings continue to refresh
after a user logs on.
AllowAdmxOverride REG_DWORD 0 If set to 1, ADMX-based
computer settings override
existing computer registry
policy configuration.
Note Computer accounts rather than user accounts access the file shares that host the
configuration folder and the log file. See VMware Dynamic Environment Manager Configuration
Share and Profile Archives Share for information about Share permissions and NTFS security
permissions.
Windows Configuration for Computer Environment Startup
and Shutdown Tasks
You can use VMware Dynamic Environment Manager to configure startup and shutdown tasks,
which allows end-user machines to run other tasks during startup and shutdown. Before
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 55
you configure VMware Dynamic Environment Manager, you must perform certain Windows
configurations.
If you want to use startup and shutdown tasks, use the Windows Local Group Policy Editor
to navigate to the appropriate node and configure the required settings as described in the
following table.
Important The following settings must be configured in local Group Policy.
Node Setting
Local Computer Policy > Computer Configuration >
Administrative Templates > System > Scripts
Disable the Run startup scripts asynchronously policy
setting.
Local Computer Policy > Computer Configuration >
Windows Settings > Scripts (Startup/Shutdown)
Configure the Startup and Shutdown scripts by specifying
the following property values.
Option Setting
Script Name Enter C:\Program
Files\Immidio\Flex
Profiles\FlexEngine.ex
e for both scripts.
Script Parameters n Enter -StartupTasks
for the Startup script.
n Enter -ShutdownTasks
for the Shutdown script.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 56
Referencing Active Directory
Attributes
8
You can use Active Directory attributes in a specified reference format to configure many
VMware Dynamic Environment Manager settings.
Specifically, the following settings can use Active Directory attributes in the %{AD$attributeName}
% reference format:
n FlexEngine Group Policy configuration settings
n Settings in NoAD.xml
n FlexEngine configuration settings for computer environment settings
For example, if the Active Directory "department" attribute is populated for all users, the location
for profile archive backups could be configured as \\Filesrv\DemUsers$\%{AD$department}%\
%username%\Backups. The result is that profile archive backups are organized by department
name.
The AD prefix means that the Active Directory user attribute with the specified name is looked up.
Use ADc to look up computer attributes.
Note Configuration settings for computer environment settings are always interpreted in
computer context, so AD and ADc mean the same thing in that case.
VMware, Inc.
57
FlexEngine Command-Line
Arguments
9
FlexEngine supports the following command-line arguments to refresh settings or launch
elevated tasks.
Tip The example path to FlexEngine.exe is based on the default installation directory. The
default directory does not apply in the following cases.
n You selected a different directory when you installed VMware Dynamic Environment
Manager.
n VMware Dynamic Environment Manager was installed as part of another installation.
For example, if you used the Horizon Cloud Import Image workflow or the Horizon Agent
Installer to install VMware Dynamic Environment Manager for a virtual machine located in
Microsoft Azure, the installation path is different. For details, see Creating Desktop Images for
a Horizon Cloud Pod in Microsoft Azure.
If VMware Dynamic Environment Manager is installed in a non-default directory, adjust the path
accordingly.
-DirectFlexRefresh
DirectFlex configuration is processed during logon. If you add Flex configuration files with
DirectFlex enabled, or modify DirectFlex-related settings of existing files while a user is logged
on, these changes are not automatically picked up during the session.
This behavior might not be a problem, but you can force an update by running the following
command in the user's session:
"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -DirectFlexRefresh
-UemRefresh
User environment settings are applied at logon, while computer environment settings are applied
at boot. For certain types of settings, you can perform a refresh while the user is logged in.
VMware, Inc.
58
Table 9-1. Refresh Operations
Operation Description
-UemRefresh
Refresh the VMware Dynamic Environment Manager file type
associations, shortcuts, and printer mappings.
-UemRefreshFtas
Refresh the VMware Dynamic Environment Manager file type
associations.
-UemRefreshShortcuts
Refresh the VMware Dynamic Environment Manager shortcuts.
-UemRefreshPrinters
Refresh the VMware Dynamic Environment Manager printer
mappings.
-UemRefreshADMX
Refresh the VMware Dynamic Environment Manager ADMX-based
user settings.
-UemRefreshADMXComputerPolicy
Refresh the VMware Dynamic Environment Manager ADMX-based
computer settings.
-UemRefreshDrives
Refresh the VMware Dynamic Environment Manager drive mappings.
-UemRefreshEnvVars
Refresh the VMware Dynamic Environment Manager environment
variables.
-UemRefreshApplicationBlocking
Refresh the VMware Dynamic Environment Manager application
blocking settings.
-UemRefreshHorizonPolicy
Refresh the VMware Dynamic Environment Manager Horizon Smart
Policies for user environment settings.
Note You can refresh Horizon Smart Policies at any time. However,
the Horizon remote desktop experience components determine if the
changes take effect at that time.
-UemRefreshHorizonComputerPolicy
Refresh the VMware Dynamic Environment Manager Horizon Smart
Policies for computer environment settings.
Note You can refresh Horizon Smart Policies at any time. However,
the Horizon remote desktop experience components determine if the
changes actually take effect at that time.
-UemRefreshTriggeredTasks
Refresh the VMware Dynamic Environment Manager triggered tasks.
-UemRefreshPrivilegeElevation
Refresh the VMware Dynamic Environment Manager privilege
elevation settings.
-LaunchTask
With privilege elevation, you can define elevated tasks. You can launch elevated tasks with a
command such as the following.
"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -LaunchTask "name-of-task"
For more information about elevated tasks, see the
VMware Dynamic Environment Manager
Administration Guide
.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 59
-ApplyNoADSettings
If NoAD mode is enabled, the settings defined in the NoAD.xml config file are applied to the
registry when a user logs on. If there are network or timing related issues that are preventing the
FlexEngine from applying NoAD.xml settings, you can use the -ApplyNoADSettings command to
apply NoAD.xml settings on demand.
"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -ApplyNoADSettings
Note All actions are performed in the context of the user running this command. If you are
targeting NoAD settings based on group membership, the group membership of the user running
this command is evaluated. For more information about user group membership, see
Targeting
NoAD Settings Based on Group Membership
in the
Installing and Configuring VMware Dynamic
Environment Manager
documentation at VMware Docs.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 60
Dynamic Environment Manager
FlexEngine Advanced Settings in
NoAD Mode
10
Use these advanced FlexEngine settings to configure VMware Dynamic Environment Manager in
specific scenarios.
Caution These advanced configuration settings must be used only by experienced Windows
administrators when a specific functionality is required.
Setting XML Attribute Description
Symantec Endpoint Protection
DirectFlex export fix
DirectFlexExportFallback="1" Set the value to 1
DirectFlex compatibility fix for
BeyondTrust and Avecto
DirectFlexRenewHook="0" Set the value to 0
Allow processing ADMX-based
settings, application blocking,
privilege elevation and Horizon
Smart Policies configuration during a
session
AllowAdmxInSession="1" Set the value to 1
Remove local profile at logoff RemoveLocalProfileAtLogoff="1"
SkipRemoveLocalProfileAtLogoffFor
GroupsOfUsers="User GroupNames"
SkipRemoveLocalProfileAtLogoffFor
GroupsOfDevices="Device
GroupNames"
SkipRemoveLocalProfileAtLogoffFor
AdminGroup="1"
Note All settings and user data
stored in the user profile are deleted.
Set the value of
RemoveLocalProfileAtLogoff to 1.
To skip removal of local profile at
logoff for certain users or devices,
specify a comma-separated list of
group names.
For example,
SkipRemoveLocalProfileAtLogoffFor
GroupsOfUsers="UserGroup1,
UserGroup2"SkipRemoveLocalProfile
AtLogoffForGroupsOfDevices="Devic
eGroup1, DeviceGroup2"
Set the value of
SkipRemoveLocalProfileAtLogoffFor
AdminGroup to 1 if you do not want to
remove local profile at logoff for the
members of the local administrators
group.
VMware, Inc. 61
Setting XML Attribute Description
Prevent export for failed import SkipExportForFailedImport="1" Set the value to 1
Disable DirectFlex - option 1 DisableDirectFlex="1" n Set the value to 1 to Disable
DirectFlex
n Set the value to
2
to Disable
DirectFlex and process DirectFlex
config files during logon and
logoff
Printer mapping - number of retries
when mapping
MapPrinterRetryCount="20" Set the value to any number (default
20) (decimal)
Printer mapping - number of retries
when unmapping
UnmapPrinterRetryCount="20" Set the value to any number (default
20) (decimal)
Special Drive Mapping Logic SpecialDriveMappingLogic="2" Set the value to 2
Disable DEM agent features - Disable
during logon only
UEMActionDriveMappingDuringLogon=
"0"
Set the value to 0
Disable DEM agent features - Disable
during logon only
UEMActionFileTypeAssociationDurin
gLogon="0"
Set the value to 0
Disable DEM agent features - Disable
during logon only
UEMActionPrinterMappingDuringLogo
n="0"
Set the value to 0
Disable DEM agent features - Disable
during logon only
UEMActionShortCutDuringLogon="0" Set the value to 0
Disable DEM agent features - Disable
completely
UEMActionPrivilegeElevation="0" Set the value to 0
Disable DEM agent features - Disable
completely
UemActionAdmx="0" Set the value to 0
Disable DEM agent features - Disable
completely
UEMActionApplicationBlocking="0" Set the value to 0
Disable DEM agent features - Disable
completely
UEMActionDriveMapping="0" Set the value to 0
Disable DEM agent features - Disable
completely
UEMActionEnvVar="0" Set the value to 0
Disable DEM agent features - Disable
completely
UEMActionFileTypeAssociation="0" Set the value to 0
Disable DEM agent features - Disable
completely
UEMActionFolderRedirection="0" Set the value to 0
Disable DEM agent features - Disable
completely
UEMActionHorizonPolicy="0" Set the value to 0
Disable DEM agent features - Disable
completely
UEMActionImport="0" Set the value to 0
Disable DEM agent features - Disable
completely
UEMActionPrinterMapping="0" Set the value to 0
Disable DEM agent features - Disable
completely
UEMActionShortcut="0" Set the value to 0
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 62
Setting XML Attribute Description
Disable DEM agent features - Disable
completely
UEMActionTask="0" Set the value to 0
Disable DEM agent features - Disable
completely
UemActionHideDrive="0" Set the value to 0
Disable DEM agent features - Disable
completely
UemActionPolicy="0" Set the value to 0
Disable DEM agent features - Disable
completely
UemActionTriggeredTask="0" Set the value to 0
Disable DEM agent features - Disable
completely
UemActionMigrate="0" Set the value to 0
Environment Variable prefix EnvVarPrefix="anyvalue" Set to anyvalue
Validate .REG file ValidateRegFile="1" Set the value to 1
Compatibility fix for Sophos EndPoint
Protection
DirectFlexFollowJMPHook="1" Set the value to 1
Compatibility fix for VMware Horizon
smartcard redirection
DirectFlexHookLoadLibrary="0" Set the value to 0
Global excludes GlobalExcludesConfigFile="filenam
e.INI"
Use this setting to apply global
exclusions across all Flex config files.
Specify the absolute or relative path
to your global excludes Flex config
file here. If a relative path is specified,
it is resolved against the
General
folder.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 63
Setting XML Attribute Description
Diagnostics: Collect performance log PerformanceLogFilename="perflog.b
lg"
PerformanceCounter1="..."
PerformanceCounter2="..."
...
PerformanceCounter10="..."
Enable this setting to collect a
binary performance log while DEM is
performing a path-based import. This
log can be subsequently viewed and
analyzed in Windows Performance
Monitor.
If only the performance log
filename is configured, the following
performance counters are collected.
n \Processor(_Total)\%
Processor Time
n \System\Context
Switches/sec
n \System\Processor Queue
Length
n \PhysicalDisk(_Total)\Avg.
Disk Queue Length
n \PhysicalDisk(_Total)\Disk
Reads/sec
n \PhysicalDisk(_Total)\Disk
Writes/sec
n \PhysicalDisk(_Total)\Avg.
Disk sec/Transfer
n \Memory\% Committed Bytes
In Use
n \Memory\Page Faults/sec
If performance counters are
configured, only the configured
counters are collected.
Diagnostics: Log CPU and I/O
statistics at logon and logoff
LogProcessStatsAtLogonAndLogoff="
1"
Set the value to 1 to log CPU and I/O
statistics at logon and logoff
Diagnostics: Log CPU and I/O
statistics for registry import
LogProcessStatsForRegistryImport=
"1"
Set the value to 1 to log CPU and I/O
statistics for registry import
Diagnostics: Log CPU consumption CpuConsumptionLimit="threshold" Enable this setting to log CPU
consumption of other processes that
were running while DEM performed
a path-based import or export. CPU
usage is logged for each process
that consumed more CPU than the
configured threshold (in milliseconds)
Diagnostics: Log slow calls CallTimeLimit="threshold" Enable this setting to configure
how long certain calls can take (in
milliseconds) before a warning is
logged
Diagnostics: Enable verbose logging
for ADMX-based settings, application
blocking, privilege elevation and
Horizon Smart Policies
AdmxLogging="1" Set the value to 1
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 64
Setting XML Attribute Description
DFS namespace support for
application blocking (requires DEM
2111 or later)
ApplicationBlockingSupportDFSPath
="1"
Set the value to 1
Disable undo at logoff (requires DEM
2111 or later)
FolderRedirectionUndo="0" Set the value to 0
Folder redirection - Disable folder
name localization (requires DEM 2111
or later)
FolderRedirectionLocalization="0" Set the value to 0
Multiple concurrent sessions -
Perform single import and export
MultiSession="0" Set the value to 0
Multiple concurrent sessions - Apply
Horizon Smart Policies in every
session
HorizonSmartPoliciesMultiSession=
"0"
Set the value to 0
Only perform path-based export
(requires DEM 2111 or later)
ExportOnly="1" Set the value to 1
Override existing user policy registry
settings (requires DEM 2111 or later)
AllowAdmxOverride="1" Set the value to 1
Silo-specific Flex config files SiloIniFilePath="path" Specify the absolute path with silo-
specific configuration files
Silo-specific suffix SiloSuffix="suffix" Specify silo suffix to use. It defaults
to last component of silo-specific Flex
config files path
Process environment variable
settings before folder redirection
(requires DEM 2203 or later)
ProcessEnvVarBeforeFolderRedirect
ion="1"
Set the value to 1 to process DEM
environment variables settings before
folder redirection settings
Override previously hidden drive
letters (requires DEM 2203 or later)
OverrideHideDrives="1" Set the value to 1 to override the
existing Hide Drives Settings.
Custom Commands
Custom command to run before path-
based import
PreExecutionCommand="command" Specify the command to run
Custom command to run after path-
based import (requires DEM 2111 or
later)
PostLogonCommand="command" Specify the command to run
Custom command to run before path-
based export (requires DEM 2111 or
later)
PreLogoffCommand="command" Specify the command to run
Custom command to run after path-
based export (requires DEM 2111 or
later)
PostLogoffCommand="command" Specify the command to run
Expand environment variables in
custom command settings (requires
DEM 2203 or later)
ExpandCustomCommands="1" Set the value to 1
Custom commands as SYSTEM
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 65
Setting XML Attribute Description
Custom command to run before path-
based import (requires DEM 2303 or
later)
PreLogonCommandAsSystem="command" Specify the command to run.
This command is executed
before its PreExecutionCommand user
counterpart.
Custom command to run after path-
based import (requires DEM 2303 or
later)
PostLogonCommandAsSystem="command
"
Specify the command to run. This
command is executed after its
PostLogonCommand user counterpart.
Custom command to run before path-
based export (requires DEM 2303 or
later)
PreLogoffCommandAsSystem="command
"
Specify the command to run. This
command is executed before its
PreLogoffCommand user counterpart.
Custom command to run after path-
based export (requires DEM 2303 or
later)
PostLogoffCommandAsSystem="comman
d"
Specify the command to run. This
command is executed after its
PostLogoffCommand user counterpart.
Expand environment variables in
custom command settings ran as
SYSTEM (requires DEM 2303 or later)
ExpandCustomCommandsAsSystem="1" Set the value to 1
Use built-in registry parser (requires
DEM 2206 or later)
EnableRegParser="1"
Caution This is a Tech
Preview feature in VMware Dynamic
Environment Manager 2206 and later.
The Tech Preview feature(s) are not
supported by VMware for production
use. VMware strongly recommends
you to enable these features only
when you want to test in a lab or a
UAT environment.
Set the value to 1 to use the
built-in registry parser instead of
regedit.exe or reg.exe to import
registry settings.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 66
Setting XML Attribute Description
License location (requires DEM 2206
or later)
LicenseLocation="path to
FlexEngine.lic"
Set the value to the fully-qualified
absolute path of the license file, to
override the default location where
the DEM agent expects to find its
license.
For example,
LicenseLocation="C:\Users\test\De
sktop\License.xml"
By default, the DEM agent finds its
license in the
General\FlexRepository\AgentConfi
guration\License.xml file on the
config share.
Disable import and export (requires
DEM 2209 or later)
DisableImportExportForGroupsOfUse
rs="UserGroupNames"
DisableImportExportForGroupsOfDev
ices="DeviceGroupNames"
Specify a comma-separated list of
group names to disable import and
export for certain users or devices.
For example,
DisableImportExportForGroupsOfUse
rs="UserGroup1,UserGroup2"
DisableImportExportForGroupsOfDev
ices="DeviceGroup1,DeviceGroup2,D
eviceGroup3"
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 67
Dynamic Environment Manager
FlexEngine Group Policy Object
Advanced Configuration Settings
11
Use these advanced FlexEngine settings to configure VMware Dynamic Environment Manager in
specific scenarios.
These settings can be configured using the Advanced Settings ADMX template attached to the
Knowledge Base Article KB 2145286. Use the ADMX template corresponding to the product you
have installed.
Caution These advanced configuration settings must be used only by experienced Windows
administrators when a specific functionality is required.
Setting
Description
Allow processing
ADMX-based
settings,
Application
Blocking, Horizon
Smart Policies and
Privilege Elevation
configuration
during a session
Enable this setting to allow DEM to revert ADMX-based settings, application blocking, and
Horizon Smart Policies and Privilege Elevation configuration if a DEM export is triggered during a
session. By default, DEM reverts these settings only during logoff to prevent security issues.
Note Changing the default behavior has a security impact, as it allows users to circumvent
restrictions.
Symantec Endpoint
Protection
DirectFlex export
fix
Enable this setting if DirectFlex exports are not being performed on clients where Symantec
Endpoint Protection is running.
Compatibility fix for
Sophos EndPoint
Protection
Certain versions of Sophos Endpoint Protection can affect DEM functionality. Enable this setting
to solve the issue.
Compatibility fix for
VMware Horizon
PCoIP smartcard
redirection
Certain DEM functionality can prevent the PCoIP smartcard redirection feature of VMware
Horizon Agent 7.1 or newer from functioning correctly. Enable this setting to solve the issue.
VMware, Inc. 68
Setting Description
Disable DirectFlex Enable this setting to disable the DirectFlex. This setting can be used to migrate VMware
Persona Management to VMware Dynamic Environment Manager. For more information, see
Migrate VMware Persona Management to VMware User Environment Manager (2118056).
There are two options for this setting:
n Disable DirectFlex Imports and exports for DirectFlex-enabled applications are not
performed.
n Disable DirectFlex and process DirectFlex config files during logon and logoff Import
and export for DirectFlex-enabled applications are performed during logon and logoff,
respectively.
Environment
variable prefix
Enable this setting to configure another prefix than 'UEM' for the
%UEMSessionID%
,
%UEMConfigShare%
and
%UEMScripts%
environment variables.
Global excludes Enable this settings to apply global exclusions across all Flex config files. Specify the absolute
or relative path to your global excludes Flex config file here. If a relative path is specified, it is
resolved against the General folder.
Custom commands Enable this setting to run a custom command before or after the DEM agent performs a path-
based import or path-based export.
Custom commands
as SYSTEM
Enable this setting to run a custom command in SYSTEM context before or after the DEM agent
performs a path-based import or path-based export.
Printer mapping Enable this setting to perform the specified number of retries when mapping and unmapping
network printers. Ensure to map printers asynchronously to minimize the impact on login times.
Remove local
profile at logoff
Note All settings and user data stored in the user profile are deleted.
Enable this setting to let Windows remove a local profile at logoff.
To skip removal of local profile at logoff for certain users or devices, specify a comma-separated
list of group names.
For example,
Do not apply if user is a member of: UserGroup1,UserGroup2
Do not apply if device is a member of: DeviceGroup1,DeviceGroup2,DeviceGroup3
To skip removal of local profile at logoff for members of the local administrators group, enable
Do not apply to members of the local administrators group.
DirectFlex
compatibility fix for
BeyondTrust and
Avecto
In some scenarios, enabling DirectFlex could stop the privilege elevation functionality with
certain versions of BeyondTrust PowerBroker and Avecto Privilege Management. Enable this
setting to solve the issue.
Special Drive
Mapping Logic
Enable this setting to activate a special drive mapping logic that can solve drive mapping issues
if users can have multiple concurrent sessions on the same host.
Disable DEM Agent
Features
Enable this setting to disable specific DEM agent features, either completely or only during login.
Validate .REG file Enable this setting to log additional diagnostic information when import of .REG file fails.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 69
Setting Description
Diagnostics: Enable
verbose logging
for ADMX-based
settings, application
blocking, Horizon
Smart Policies and
Privilege Elevation
Enabling this setting creates an additional log file in the same location as the FlexEngine log file.
This additional log file will contain debug logging information for the DEM features ADMX-based
Settings, Application Blocking, Horizon Smart Policies and Privilege Elevation.
Diagnostics: Collect
performance log
Enable this setting to collect a binary performance log while DEM is performing a path-based
import. This log can subsequently be viewed and analyzed in Windows Performance Monitor.
Diagnostics: Log
CPU and I/O
statistics
Enable this setting to log CPU and I/O statistics.
Diagnostics: Log
CPU consumption
Enable this setting to log CPU consumption of other processes that were running while DEM
performed a path-based import or export. CPU usage is logged for each process that consumed
more CPU than the configured threshold (in milliseconds).
Diagnostics: Log
slow calls
Enable this setting to configure how long certain calls can take (in milliseconds) before a warning
is logged.
DFS namespace
support for
application blocking
(requires DEM 2111
or later)
Paths configured for application blocking referencing a DFS namespace might not be processed
correctly on some combinations of client OS and file server OS.
Enable this setting to have DEM also add the resolved target locations to the in-memory
configuration.
Folder redirection
(requires DEM 2111
or later)
By default, FlexEngine will undo folder redirection settings at logoff, and will let Windows
initialize the target folder to enable folder name localization.
If original folder locations cannot be determined (often due to overzealous optimizations of the
default Windows user profile), folder redirection will fail. If undo is not required (in non-persistent
setups, for instance), it can be disabled.
Target folder initialization sometimes fails. If localization of folder names is not required, it can be
disabled.
Multiple concurrent
sessions (requires
DEM 2111 or later)
If users can have multiple concurrent sessions on the same host, these sessions will share a
single Windows user profile. This means that DEM's path-based import at logon should only take
place for the first session, and the path-based export at logoff should only be performed when
the user logs off from their last session.
This is the default behavior. Disabling this policy setting will result in path-based imports and
exports for each session.
In Horizon environments, the default multi-session behavior is to apply Horizon Smart Policies in
every session.
Only perform path-
based export
(requires DEM 2111
or later)
For certain migration scenarios, it can be helpful to have the DEM agent only perform path-
based exports. If you need that behavior, enable this setting.
Override existing
user policy settings
(requires DEM 2111
or later)
By default, FlexEngine does not overwrite existing information in the policy registry locations.
If you use VMware Dynamic Environment Manager ADMX-based user settings with Active
Directory group policies and configure overlapping user policy settings, the Active Directory
settings take effect. The same applies for policy settings that are part of a default user profile.
Enable this policy setting to allow ADMX-based user settings to override existing user policy
configuration.
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 70
Setting Description
Silo-specific Flex
config files
Enter an additional, silo-specific path for Flex config files to be processed in addition to the
general Flex config files path.
The silo-specific suffix is used as a subfolder of the configured profile archive path, to separate
profile archives for silo-specific Flex config files from general ones.
If no silo-specific suffix is configured, the last component of the silo-specific Flex config files path
is used.
Process
environment
variable settings
before folder
redirection
(requires DEM 2203
or later)
By default, DEM folder redirection settings are processed before DEM environment variable
settings.
Enable this setting to process environment variables settings before DEM folder redirection
settings.
Override previously
hidden drive letters
(requires DEM 2203
or later)
By default, Hide Drives Settings are merged with any drive letters that were already hidden
through other configuration.
Enable this setting to override the existing Hide Drives Settings.
Use built-in registry
parser (requires
DEM 2206 or later)
Caution This is a Tech Preview feature in VMware Dynamic Environment Manager 2206 and
later. The Tech Preview feature(s) are not supported by VMware for production use. VMware
strongly recommends you to enable these features only when you want to test in a lab or a UAT
environment.
Use the built-in registry parser instead of regedit.exe or reg.exe to import registry settings.
License location
(requires DEM 2206
or later)
By default, the DEM agent finds its license in the
General\FlexRepository\AgentConfiguration\License.xml file on the config share.
Enable this setting to specify a different location, as the fully-qualified absolute path of the
license file.
For example, the license file location can be similar to
C:\Users\test1\Desktop\License.xml
.
Disable import and
export (requires
DEM 2209 or later)
Enable this setting to disable the import and export functionality for certain users or devices,
specified by a comma-separated list of group names.
For example,
Disable import and export if user is a member of: UserGroup1,UserGroup2
Disable import and export if device is a member of: DeviceGroup1,DeviceGroup2,DeviceGroup3
Installing and Configuring VMware Dynamic Environment Manager
VMware, Inc. 71
