VMware DEM advanced settings and the missing ADMX
Dynamic Environment Manager is a component in the VMware Horizon stack that allows IT to deliver dynamic profiles, applications and user policies, and provides end users with personalized settings that follow them across devices and locations in real time. It can also create a persistent environment for users on a non-persistent Windows desktop or hosted application (RDS) platform.
Technically, the product consists of an agent running on the user's desktop and file shares for storing the configuration and the user settings; it depends on Microsoft Active Directory for role-based functions and for configuration through GPO. The ADMX that ships with the product contains everything needed for the basic configuration of the product.
There are, however, a lot of advanced settings that are not included in this default ADMX template. For these, you will have to visit https://kb.vmware.com/s/article/2145286 and use https://docs.vmware.com/en/VMware-Dynamic-Environment-Manager/2206/com.vmware.dynamic.environment.manager-install-config/GUID-B1A66BEB-A170-4A8A-8E7A-8A1500CFC8C6.html as a reference for all specific settings.
One example of such a setting is Remove local profile at logoff. This setting makes sure that the local profile is removed when the user logs off. For a non-persistent W10/W11 VDI environment this setting isn't useful, as the entire desktop is destroyed after logoff. For an RDS environment, however, it can be the key to a consistent user experience at logon, by making sure this process is always the same. Since an RDS server is not destroyed at logoff, a situation can occur where the local profile remains and is either reused, with all sorts of unforeseen consequences, or local profiles accumulate and fill up the C:\ drive of the RDS servers in the farm.
Importing the ADMX downloaded from the aforementioned KB will enable you to apply this advanced configuration setting. The file itself can be hard to spot: it is all the way at the bottom right of the KB page.
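The import step itself is not spelled out above, so here is an added example (my own script, not code from the blog post or from VMware) that copies the downloaded ADMX and its ADML language file into the domain's Group Policy Central Store, so the advanced settings appear in the Group Policy Management Editor. It assumes the KB download has been extracted to a folder you pass as $SourceFolder (the path below is a placeholder), that a Central Store already exists under SYSVOL, and that the package's file names are discovered rather than hard-coded, since the page does not list them.

```powershell
# Added example: publish the DEM advanced-settings ADMX/ADML to the Central Store.
# Not from the original post or from VMware; file names are discovered from the
# extracted download because the page does not name them.
param(
    [string]$SourceFolder = 'C:\Temp\DEM-AdvancedSettings',  # placeholder: extracted KB download
    [string]$Domain       = $env:USERDNSDOMAIN,              # assumption: run from a domain-joined admin host
    [string]$Language     = 'en-US'
)

# Standard Central Store location; adjust if your domain uses a different layout.
$centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path $centralStore)) {
    throw "Central Store not found at $centralStore; create it first or adjust the path."
}

$admxFiles = Get-ChildItem -Path $SourceFolder -Filter '*.admx' -File
if (-not $admxFiles) { throw "No .admx file found in $SourceFolder" }

# ADML files normally sit in a language subfolder; fall back to the root if not.
$admlFiles = Get-ChildItem -Path (Join-Path $SourceFolder $Language) -Filter '*.adml' -File -ErrorAction SilentlyContinue
if (-not $admlFiles) {
    $admlFiles = Get-ChildItem -Path $SourceFolder -Filter '*.adml' -File
}

foreach ($admx in $admxFiles) {
    $target = Join-Path $centralStore $admx.Name
    if (Test-Path $target) {
        # Keep the file we are about to replace so the change can be rolled back.
        Copy-Item -Path $target -Destination "$target.bak-$(Get-Date -Format yyyyMMddHHmm)"
    }
    Copy-Item -Path $admx.FullName -Destination $target -Force
    Write-Host "Copied $($admx.Name) to $centralStore"
}

$langFolder = Join-Path $centralStore $Language
New-Item -ItemType Directory -Path $langFolder -Force | Out-Null
foreach ($adml in $admlFiles) {
    Copy-Item -Path $adml.FullName -Destination (Join-Path $langFolder $adml.Name) -Force
    Write-Host "Copied $($adml.Name) to $langFolder"
}
```

The backup copy matters because the KB package may contain a newer version of an ADMX that is already in the Central Store; overwriting it silently changes what every GPO editor in the domain sees, so keep the previous file until the new settings have been verified.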
A reference of all Advanced Settings in the current build:
Allow processing ADMX-based settings, Application Blocking, Horizon Smart Policies and Privilege Elevation configuration during a session
Enable this setting to allow DEM to revert ADMX-based settings, application blocking, and Horizon Smart Policies and Privilege Elevation configuration if a DEM export is triggered during a session. By default, DEM reverts these settings only during logoff to prevent security issues.
Note: Changing the default behavior has a security impact, as it allows users to circumvent restrictions.
Symantec Endpoint Protection DirectFlex export fix
Enable this setting if DirectFlex exports are not being performed on clients where Symantec Endpoint Protection is running.
Compatibility fix for Sophos EndPoint Protection
Certain versions of Sophos Endpoint Protection can affect DEM functionality. Enable this setting to solve the issue.
Compatibility fix for VMware Horizon PCoIP smartcard redirection
Certain DEM functionality can prevent the PCoIP smartcard redirection feature of VMware Horizon Agent 7.1 or newer from functioning correctly. Enable this setting to solve the issue.
Enable this setting to disable DirectFlex. This setting can be used to migrate from VMware Persona Management to VMware Dynamic Environment Manager. For more information, see Migrate VMware Persona Management to VMware User Environment Manager (2118056).
There are two options for this setting:
Environment variable prefix
Enable this setting to configure another prefix than 'UEM' for the %UEMSessionID%, %UEMConfigShare% and %UEMScripts% environment variables.
Enable this setting to apply global exclusions across all Flex config files. Specify the absolute or relative path to your global excludes Flex config file here. If a relative path is specified, it is resolved against the General folder.
Enable this setting to run a custom command before or after the DEM agent performs a path-based import or path-based export.
Enable this setting to perform the specified number of retries when mapping and unmapping network printers. Make sure to map printers asynchronously to minimize the impact on login times.
Remove local profile at logoff
Enable this setting to let Windows remove a local profile at logoff.
Note: All settings and user data stored in the user profile are deleted.
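Whether Remove local profile at logoff is needed on an RDS farm depends on how many stale local profiles are actually piling up, which is the scenario described at the top of the post. The following is an added example (my own audit script, not code from the blog post or from VMware) that inventories local profiles on an RDS host: profiles that are not loaded in a session and have not been used for more than a threshold are flagged as stale, with their on-disk size and the free space left on the system drive. It assumes it runs elevated on the host; $MaxAgeDays is an arbitrary reporting threshold I chose, not a DEM setting.

```powershell
# Added example: report stale local profiles on an RDS host.
# Not from the original post or from VMware. Read-only: it reports, it does not delete.
param([int]$MaxAgeDays = 7)   # assumption: my own threshold, not a DEM value

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Win32_UserProfile lists every profile registered on the host, including
# profiles whose account no longer exists. Skip system/special profiles and
# anything currently loaded in a session.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded }

$report = foreach ($p in $profiles) {
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier($p.SID)).
                    Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Orphaned profile: the SID no longer resolves to an account.
        $name = "<unresolved SID $($p.SID)>"
    }

    $sizeMB = 0
    if (Test-Path -LiteralPath $p.LocalPath) {
        $sum = (Get-ChildItem -LiteralPath $p.LocalPath -Recurse -Force -File -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        $sizeMB = [math]::Round($sum / 1MB, 1)
    }

    [pscustomobject]@{
        User    = $name
        Path    = $p.LocalPath
        LastUse = $p.LastUseTime
        SizeMB  = $sizeMB
        Stale   = ($null -eq $p.LastUseTime) -or ($p.LastUseTime -lt $cutoff)
    }
}

$report | Sort-Object SizeMB -Descending | Format-Table -AutoSize

$stale   = @($report | Where-Object { $_.Stale })
$staleMB = ($stale | Measure-Object -Property SizeMB -Sum).Sum
$sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB  = [math]::Round($sysDisk.FreeSpace / 1GB, 1)

Write-Host ("Stale profiles: {0}; stale size: {1} MB; free on {2}: {3} GB" -f `
    $stale.Count, $staleMB, $env:SystemDrive, $freeGB)
```

Run it across the farm (for example through Invoke-Command against the RDS hosts) before and after enabling the setting: a farm where the stale count keeps growing between runs is the accumulation case from the introduction, while a host that shows unresolved SIDs is already carrying profiles of deleted accounts that no logoff will ever clean up. The recursive size calculation is the slow part on hosts with many profiles; drop it if you only need the count.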
DirectFlex compatibility fix for BeyondTrust and Avecto
In some scenarios, enabling DirectFlex could stop the privilege elevation functionality with certain versions of BeyondTrust PowerBroker and Avecto Privilege Management. Enable this setting to solve the issue.
Special Drive Mapping Logic
Enable this setting to activate a special drive mapping logic that can solve drive mapping issues if users can have multiple concurrent sessions on the same host.
Disable DEM Agent Features
Enable this setting to disable specific DEM agent features, either completely or only during login.
Validate .REG file
Enable this setting to log additional diagnostic information when the import of a .REG file fails.
Diagnostics: Enable verbose logging for ADMX-based settings, application blocking, Horizon Smart Policies and Privilege Elevation
Enabling this setting creates an additional log file in the same location as the FlexEngine log file. This additional log file will contain debug logging information for the DEM features ADMX-based Settings, Application Blocking, Horizon Smart Policies and Privilege Elevation.
Diagnostics: Collect performance log
Enable this setting to collect a binary performance log while DEM is performing a path-based import. This log can subsequently be viewed and analyzed in Windows Performance Monitor.
Diagnostics: Log CPU and I/O statistics
Enable this setting to log CPU and I/O statistics.
Diagnostics: Log CPU consumption
Enable this setting to log CPU consumption of other processes that were running while DEM performed a path-based import or export. CPU usage is logged for each process that consumed more CPU than the configured threshold (in milliseconds).
Diagnostics: Log slow calls
Enable this setting to configure how long certain calls can take (in milliseconds) before a warning is logged.
DFS namespace support for application blocking (requires DEM 2111 or later)
Paths configured for application blocking referencing a DFS namespace might not be processed correctly on some combinations of client OS and file server OS.
Enable this setting to have DEM also add the resolved target locations to the in-memory configuration.
Folder redirection (requires DEM 2111 or later)
By default, FlexEngine will undo folder redirection settings at logoff, and will let Windows initialize the target folder to enable folder name localization.
If original folder locations cannot be determined (often due to overzealous optimizations of the default Windows user profile), folder redirection will fail. If undo is not required (in non-persistent setups, for instance), it can be disabled.
Target folder initialization sometimes fails. If localization of folder names is not required, it can be disabled.
Multiple concurrent sessions (requires DEM 2111 or later)
If users can have multiple concurrent sessions on the same host, these sessions will share a single Windows user profile. This means that DEM's path-based import at logon should only take place for the first session, and the path-based export at logoff should only be performed when the user logs off from their last session.
This is the default behavior. Disabling this policy setting will result in path-based imports and exports for each session.
In Horizon environments, the default multi-session behavior is to apply Horizon Smart Policies in every session.
Only perform path-based export (requires DEM 2111 or later)
For certain migration scenarios, it can be helpful to have the DEM agent only perform path-based exports. If you need that behavior, enable this setting.
Override existing user policy settings (requires DEM 2111 or later)
By default, FlexEngine does not overwrite existing information in the policy registry locations. If you use VMware Dynamic Environment Manager ADMX-based user settings with Active Directory group policies and configure overlapping user policy settings, the Active Directory settings take effect. The same applies for policy settings that are part of a default user profile.
Enable this policy setting to allow ADMX-based user settings to override existing user policy configuration.
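Because the default is to leave existing policy values alone, an ADMX-based user setting that silently "does nothing" is usually one that collides with an AD GPO or with a value baked into the default profile. The following is an added example (my own check, not code from the blog post or from VMware) that takes a list of registry values you expect DEM to manage and reports which of them already exist in the user's policy locations at the time the check runs. The two sample entries in $DemManagedValues are constructed for illustration; replace them with the values from your own Flex config files. It assumes it runs in the affected user's session, before or instead of the DEM import, so that what it sees is what FlexEngine would find.

```powershell
# Added example: find user policy values that already exist and would therefore
# win over DEM ADMX-based user settings under the default (no override) behavior.
# Not from the original post or from VMware.

# Constructed sample list: full registry paths of values DEM is expected to set.
$DemManagedValues = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun',
    'HKCU:\Software\Policies\Microsoft\Windows\Explorer\DisableSearchBoxSuggestions'
)

function Test-ExistingUserPolicy {
    param([Parameter(Mandatory)][string[]]$ValuePaths)

    foreach ($vp in $ValuePaths) {
        # Split "HKCU:\...\Key\ValueName" into the key path and the value name.
        $key  = Split-Path -Path $vp -Parent
        $name = Split-Path -Path $vp -Leaf

        $existing = $null
        if (Test-Path -Path $key) {
            $existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            Key         = $key
            Value       = $name
            AlreadySet  = [bool]$existing
            CurrentData = if ($existing) { $existing.$name } else { $null }
        }
    }
}

# Entries with AlreadySet = True will keep their current data unless the
# "Override existing user policy settings" advanced setting is enabled.
Test-ExistingUserPolicy -ValuePaths $DemManagedValues | Format-Table -AutoSize

# Broader view: everything an AD GPO (or the default profile) has already placed
# under the two user policy hives, to spot overlaps the list above missed.
$policyRoots = 'HKCU:\Software\Policies', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
foreach ($root in $policyRoots) {
    if (Test-Path -Path $root) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $k = $_; $k.GetValueNames() | ForEach-Object { "$($k.Name)\$_" } }
    }
}
```

Rows with AlreadySet = True are the ones to investigate: either the GPO is the intended owner of that value and the DEM setting is redundant, or DEM should own it and the GPO needs to stop setting it. Enabling the override is the third option, but it reverses the precedence for every overlapping value at once, so it is worth knowing the full list first.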
Silo-specific Flex config files
Enter an additional, silo-specific path for Flex config files to be processed in addition to the general Flex config files path.
The silo-specific suffix is used as a subfolder of the configured profile archive path, to separate profile archives for silo-specific Flex config files from general ones.
If no silo-specific suffix is configured, the last component of the silo-specific Flex config files path is used.
OneDrive for Business Integration: Interactive authentication (requires DEM 2111 or later)
By default, OneDrive for Business integration uses Windows Integrated Authentication (ADFS). Enable this setting to use interactive authentication, and specify a domain hint.
Process environment variable settings before folder redirection (requires DEM 2203)
By default, DEM folder redirection settings are processed before DEM environment variable settings.
Enable this setting to process environment variables settings before DEM folder redirection settings.
Override previously hidden drive letters (requires DEM 2203)
By default, Hide Drives Settings are merged with any drive letters that were already hidden through other configuration.
Enable this setting to override the existing Hide Drives Settings.