In a virtual desktop infrastructure, managing user profiles is one of the biggest challenges. These profiles may get corrupted or contain incorrect settings, which requires the complete removal of the profile and reconfiguration of the user environment. This may require a lot of time and effort, resulting in decreased productivity and an inconsistent user experience.
Dynamic Environment Manager provides various features that help organizations to solve the challenges encountered with user profiles. Let us look at how Dynamic Environment Manager can help address the limitations of the following user profiles:
Mandatory profiles are the most commonly used profiles in terminal services environments. Personalization changes to these profiles are only in effect during a Windows session.
There are two types of mandatory profiles you can use within Windows: a mandatory profile based on the “Default User” profile without any customizations or a customized mandatory profile which already contains the application settings and Windows-specific settings you desire for your environment. Both of these need to be created by an administrator before users can use them.
The advantages of using mandatory profiles are:
- Short logon/logoff times.
- Consistent user experience, no matter what a user changes.
- Minimal troubleshooting on user profiles.
The disadvantages of using mandatory profiles are:
- Personalization changes made by users are not saved.
- Creating a usable and customized mandatory profile requires a high skill level.
- Scripting is often necessary to create shortcuts, drive mappings, etc. relevant to the user.
Roaming profiles are frequently used in a managed desktop environment. Any personalization changes made by users during a Windows session are stored in the central roaming profile when the user logs out.
Roaming profiles have several advantages:
- They do not require administration.
- They only need to be enabled.
- Personalized settings roam with the user across different VMs running the same OS.
Roaming profiles have several limitations:
- Limited control over the settings that users can change.
- Large roaming profiles can get corrupted, which leads to the total reset of the relevant roaming profile.
- Troubleshooting an application error might also result in the total reset of the roaming profile.
- Roaming is not possible across different operating systems.
- Application shortcuts and file type associations are part of roaming profiles. If the user roams to devices where the application is not installed, it can cause some confusion.
Local profiles are commonly used in a loosely managed desktop environment. All personalization changes made by users during a Windows session are stored on the local disk.
The advantages of using local profiles are:
- No specific administration is necessary.
- No storage is required on the network.
The disadvantages of using local profiles are the same as with a roaming profile but also:
- No personalized settings will be roamed across different machines.
- Each desktop a user logs on to will be polluted with a local profile for that specific user.
- If local disk failure or corruption occurs, all user settings are lost.
Folder redirection is built-in Windows functionality that allows administrators to redirect certain folders to a central location outside the traditional profile. Folder redirection is available for a set of folders which can either store user data, like My Documents, or store application and Windows configuration, like Application Data. When a folder redirection is applied, the folders are typically redirected to the user’s home directories.
For profile folders that contain the application and Windows configuration, like Application Data, it is recommended not to use folder redirection, but to use the “Import / Export” functionality within Dynamic Environment Manager to strictly manage what personalization settings will be stored.
Folder redirection can be configured through standard group policies available in the AD. If you redirect profile folders that contain the application and Windows configurations, use VMware Dynamic Environment Manager only for managing registry information from the user profiles.
Recommendations and Best Practices
When designing user profiles for production deployments, the following best practices should be considered.
- Don’t use Roaming Profiles. Instead, use Local Profiles for desktops and laptops and use Mandatory Profiles for the Terminal Servers and VDI desktops. Use Dynamic Environment Manager for Windows and Applications settings and use Folder Redirection for your personal data (documents, pictures, etc.).
- Redirect profile folders that contain actual user data, like My Documents and My Pictures, to the user’s home directories. The Desktop location is always open for debate because it stores both personal data, like documents, and profile data, like shortcuts.
- For profile folders that contain the application and Windows configurations, such as Application Data, use the User Environment Manager import and export functionality instead of folder redirection to manage which personalization settings to store.
- Use a dedicated share to store user profile archives instead of the existing home drive.
- To ensure that the Group Policy client-side extension runs during each login, enable the Always wait for the network at computer startup and logon computer Group Policy setting. Apply this Group Policy to an OU in Active Directory where all the Windows clients are located.
VMware Dynamic Environment Manager Installation
Prepare your environment to meet the VMware Dynamic Environment Manager infrastructure requirements.
There are several physical components in VMware Dynamic Environment Manager design.
- Active Directory Servers – AD servers will be used to configure the User Environment Manager GPOs. (ADMX template files are provided with the product.)
- Config File Share – DEM stores its configuration in a Windows-based file share. This share has minimal storage requirements but must be accessible to all clients and any individuals who use the DEM management console. (This can be a replicated share for multiple sites. In such a case, you can use multiple Active Directory GPOs to configure the path to the share for all client devices based on the location.)
The share and underlying folder require the following permissions to be configured:
Share permissions:
- UEM administrators (UEM_Admins)—change
- UEM users (UEM_Users)—read
NTFS permissions on the underlying folder:
- UEM administrators (UEM_Admins)—full control
- UEM users (UEM_Users)—read and execute
- Profile Archive Share – This will be configured on an existing File server and will host the individual user setting files for User Environment Manager.
The share and underlying folder require the following permissions to be configured:
Share permissions:
- UEM administrators (UEM_Admins)—change
- UEM users (UEM_Users)—change
NTFS permissions on the underlying folder:
- UEM administrators (UEM_Admins)—full control; apply to This folder, subfolders, and files
- UEM users (UEM_Users)—read and execute and Create folders/append data; apply to This folder only
- Creator-owner (default Windows security principal)—full control; apply to Subfolders and files only
Both shares can be replicated shares if each share’s path is the same for all client devices. Distributed file system (DFS) namespaces are supported.
Besides these requirements, you must also consider where to store user profile archives and profile archive backups. You must use a location that is unique for each user. From a security point of view, you must ensure that non-administrators do not have write permissions on the VMware Dynamic Environment Manager configuration share.
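One way to check the NTFS permissions listed above, including the requirement that non-administrators have no write permissions on the configuration share (an added example, not part of the original page or of VMware's tooling; the UNC paths and the EXAMPLE domain are placeholders, the group names are the ones used on this page):

```powershell
# Added example, not VMware code. UNC paths and the EXAMPLE domain are
# placeholders; UEM_Admins and UEM_Users are the group names used on this page.
$ConfigShare  = '\\fs01.example.local\DEMConfig'
$ArchiveShare = '\\fs01.example.local\DEMProfiles'
$AdminIds     = 'EXAMPLE\UEM_Admins', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
$UserGroup    = 'EXAMPLE\UEM_Users'

# Rights that allow creating, changing or deleting content, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that Get-Acl
# can report for inherit-only ACEs.
$writeNames = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteBits  = [int][System.Security.AccessControl.FileSystemRights]$writeNames -bor 0x50000000

# What UEM_Users may hold on the archive root: read and execute plus
# "Create folders/append data" (AppendData), and nothing more.
$UserAllowed = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, AppendData, Synchronize'

function Get-AllowAce {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object { $_.AccessControlType -eq 'Allow' }
}

# Configuration share: only administrators may hold any write right.
function Test-ConfigShareAcl {
    param([string]$Path, [string[]]$Admins)
    Get-AllowAce -Path $Path | Where-Object {
        $Admins -notcontains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $WriteBits) -ne 0
    }
}

# Profile archive share: the users' ACE must stay within $UserAllowed and
# apply to "This folder only" (no inheritance flags).
function Test-ArchiveShareAcl {
    param([string]$Path, [string]$Users)
    Get-AllowAce -Path $Path | Where-Object {
        $_.IdentityReference.Value -eq $Users -and (
            ([int]$_.FileSystemRights -band (-bnot $UserAllowed)) -ne 0 -or
            $_.InheritanceFlags -ne 'None'
        )
    }
}

foreach ($ace in Test-ConfigShareAcl -Path $ConfigShare -Admins $AdminIds) {
    Write-Warning ('{0}: {1} holds {2}' -f $ConfigShare, $ace.IdentityReference, $ace.FileSystemRights)
}
foreach ($ace in Test-ArchiveShareAcl -Path $ArchiveShare -Users $UserGroup) {
    Write-Warning ('{0}: {1} holds {2}, inheritance {3}' -f $ArchiveShare, $ace.IdentityReference, $ace.FileSystemRights, $ace.InheritanceFlags)
}
```

Get-Acl reads only the NTFS permissions; the share-level permissions have to be checked on the file server itself, for example with Get-SmbShareAccess.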
Supported Windows Versions
- Windows 7 Professional, Enterprise, and Ultimate x86 and x64 SP1
- Windows Server 2008 R2 Standard and Enterprise x64 SP1
- Windows Server 2012 Standard and Datacenter x64
- Windows 8.1 Professional and Enterprise x86 and x64 with Update
- Windows Server 2012 R2 Standard and Datacenter x64 with Update
- Windows 10 Version 1903 (May 2019 Update) Professional and Enterprise x86 and x64
- Windows Server 2016 Standard and Datacenter x64
- Windows Server 2019 Standard and Datacenter x64
Supported Application Virtualization Products and Versions
- App-V 4.6 Service Pack 3
- App-V 5.0 Service Pack 3
- App-V 5.1
- ThinApp 5.2
FlexEngine requires a valid license file. To switch from an evaluation license file to a production license file, reinstallation of any VMware Dynamic Environment Manager component is not required. You must only replace the old license file with the new license file, retaining both license filename and location in the file system.
Access to Regedit.exe or Reg.exe must not be disabled through Group Policy. FlexEngine uses Regedit.exe to add user-specific settings to the registry. Depending on the User Account Control (UAC) settings on Windows 7 or later, FlexEngine might use Reg.exe.
DEM Management Console Installation
Install the Dynamic Environment Manager Management Console on any supported Windows desktop or server that you want to use for managing Dynamic Environment Manager.
- Download and extract the Dynamic Environment Manager installer file.
- Double-click the installer file to start the wizard, and follow the prompts.
- In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
- Check the box next to I accept the terms and click Next.
- Select the Destination Folder location and click Next.
- Click the Custom setup type.
- Confirm Console is selected and click Next.
- Browse to a license file and click Next.
- Click Install.
- Click Finish.
DEM Management Console Initial Configuration
- Enter the path to the DEM configuration share and click OK.
- Select or deselect any options desired and click OK. This completes the initial configuration of the Dynamic Environment Manager management console.
- Click the Easy Start icon in the ribbon.
- Select the Office versions you are using and click OK.
- Click OK to complete Easy Start configuration.
- The DEM management console is ready to be used to customize the DEM installation.
DEM group policy settings
After you install VMware Dynamic Environment Manager, you must configure GPOs. Configure FlexEngine by creating a GPO in the AD Group Policy with the Dynamic Environment Manager ADMX templates provided in the VMware Dynamic Environment Manager download package.
Copy the Dynamic Environment Manager ADMX files and their corresponding ADML files from the download package to the following locations on your Active Directory servers:
- Copy the .admx files to the following location:
- C:\Windows\SYSVOL\sysvol\domainname\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions (if PolicyDefinitions doesn’t exist in SYSVOL)
- Copy the .adml files to the following location:
- C:\Windows\SYSVOL\sysvol\domainname\Policies\PolicyDefinitions\en-US (if it exists), or C:\Windows\PolicyDefinitions\en-US (if PolicyDefinitions doesn’t exist in SYSVOL)
The following steps will provide instructions on the configuration of the user AD GPOs needed to enable DEM:
- You can create a GPO or select an existing GPO.
- Log in as a user who has privileges to create and edit GPOs in the AD domain, and open the AD Group Policy Management Console (GPMC).
- Browse to an OU with the computer object that contains your virtual desktops.
- Create a GPO and link it to the newly created or existing OU.
After adding VMware Dynamic Environment Manager administrative templates, you can configure all VMware Dynamic Environment Manager settings through the GPO:
Navigate to User Configuration > Policies > Administrative Templates > VMware DEM > FlexEngine.
Configuring the Flex Configuration Files
This setting is used to configure the central location of the Dynamic Environment Manager Flex Configuration files for use by Dynamic Environment Manager FlexEngine.
- Enable the policy. This is a mandatory setting to enable FlexEngine.
- Enable the Process folder recursively option.
Use a UNC path for this setting. Typically, this path points to the General folder created by the Management Console in the VMware Dynamic Environment Manager configuration share.
Configuring the Profile Archives Policy
Configure the profile archives share from where FlexEngine reads and stores user profile archives and other settings related to the profile archives.
Configuring the Profile Archives Backup Policy
Use the Profile Archive Backups setting to configure the location where FlexEngine stores the backups of profile archives.
Running FlexEngine as a Group Policy Extension
FlexEngine runs automatically during login as a Group Policy client-side extension. When FlexEngine runs as a Group Policy extension, the settings that VMware Dynamic Environment Manager manages are applied earlier during the logon phase than when FlexEngine runs from a logon script. This extends the range of settings that VMware Dynamic Environment Manager can manage to include, for example, the Windows Multilanguage User Interface or slideshow backgrounds.
As a best practice, the following GPO Computer Configuration\Policies\Administrative Templates\System\Logon\Always Wait for the network at computer startup and logon should also be configured.
- Enable the Always wait for the network at computer startup and logon Computer Group Policy setting to ensure that the FlexEngine Group Policy client-side extension runs during each logon. Apply this setting to an OU in Active Directory where all the Windows clients are located.
Configuring FlexEngine Logging
Configure the location and file name of the FlexEngine log file, the level of logging detail, and the maximum size of the log file.
Configuring FlexEngine to Run from Logon and Logoff Scripts
For VMware Dynamic Environment Manager to run correctly, FlexEngine must run during the logon and logoff process.
The FlexEngine Group Policy client-side extension runs only during the login process. The FlexEngine log out command is configured through a Group Policy log-out script. This method ensures that the user’s profile is exported and stored.
The best practice is to use the User Configuration\Windows Settings\Scripts for this purpose.
The FlexEngine logout command that must run during the logout process is:
"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -s