What is the best practice UEM alternative for saving the following personalizations: Desktops, Favorites, Programs Menu, and Roaming AppData? I have used folder redirection in Citrix non-persistent and persistent XenDesktop environments with Citrix Profile Manager for years without issues.
Given that UEM discourages the use of folder redirection, how then do we persist (save) these folders while using Mandatory Profiles with Instant Clones on Windows 10 v1803?
We are using:
Thanks,
James
Hi JamesMartin8383,
The default Start Menu layout (tiles) can be created using the before mentioned article (read the Create a Default Start Menu Layout for All Users part) and make sure you import StartLayout.xml only once using UEM. I recommend using either a default local user profile or an optimized mandatory profile (assuming you are using non-persistent desktops).
The IncludeRegistryTrees, etc. can be done on the Personalization tab.
Assuming you already have the Windows Settings folder, right click this folder and click Create Config File
Select Use a Windows Common Setting and click Next
Select Windows 10 Start Menu - Windows 10 Version 1703 and higher (assuming you have Windows 10 v1703 or higher) and click Next
Give your config file a name, for instance Windows Settings - Start Menu and click Finish
You now have a new config file that contains the settings that you want to have saved for the users.
Because this is a built-in template you don't see the settings that are saved and restored for the user. If you want to see the settings click the Manage button and click Expand.
Click Yes
You will now see the settings that are saved and restored for the user.
You can use this content as a starting point and add additional registry keys, values, files, folders. For instance the ones I provided in my previous answer.
I hope this step-by-step helps you getting started.
Hi James,
UEM's folder redirection settings just configure Microsoft's folder redirection feature that's built into Windows. We have that warning in the Management Console based on the general consensus that it's typically not a great idea to redirect certain folders (AppData in particular.) If you've successfully redirected those folders in the past, without performance issues, you should be OK in continuing to do so.
Hello UEMDev,
Thank you very much for your reply. My goal is to implement a solution that will conform with UEM established best practices. Kindly educate me on what is the recommended procedure for ensuring data kept in Desktops, Favorites, Programs Menu, and Roaming AppData will persist in an instant clone Windows 10 environment without using Folder Redirection.
In a quest to find the answer to the aforementioned question, I have read all available online documentation, to no avail. UEMDev, you are my only hope in finding the answer to the question. Thank you very much in advance for your guidance.
--James
Here are some notes I put together from both the official documentation as well as some experience with customers in their implementations of Folder Redirection / Profile Mgmt.
Deployment Considerations:
1. https://techzone.vmware.com/resource/user-environment-manager-deployment-considerations-guide
- Do not select the Scale-Out File Server for application data option, because it is incompatible with User Environment Manager data, user profiles, redirected folders, and home drives
- have a separate shared folder for "Folder Redirection" which is not within the UEM_Profile (or) UEM_Config shares (have seen some customers redirected their users "folders" like the 'My Documents' 'Desktop' into the "UEM_Profile" share and later when testing or the need to just clear off the UEM_Profile for a user, end up deleting the user's data folders.)
- For profile folders that contain the application and Windows configurations, such as Application Data, use the User Environment Manager import and export functionality instead of folder redirection to strictly manage which "personalization settings" to store.
- Either export the data as a per-app setting using the "personalization settings" of the captured application, or create a generic "Windows Setting" or "Custom Settings" under the "personalization settings" and capture the ENTIRE <AppData> Folder and use Exclude states (to exclude Files/Folders/Registry values) - this however makes it a bit complicated at the beginning but is controlled if there are Mandatory Profiles in place.
- If you are using UEM in a physical environment, it's recommended to use standard GPO to redirect Folders instead of UEM, thereby enabling any additional options like user access to Offline Files, etc.
If you don't already have this like to create MANDATORY Profiles which works well with Folder Redirection (both via UEM or standard GPO)
- https://techzone.vmware.com/creating-optimized-windows-image-vmware-horizon-virtual-desktop
Hello Sujayg15,
Thank you very much for your response. Those links are very helpful. Just to make sure I understand, kindly permit me to summarize as follows:
In our Instant Clone environment with Mandatory Profiles and Windows 10 1803:
1) FOLDER REDIRECTION FOR DESKTOPS, FAVORITES, AND PROGRAMS MENU
It is OK to enable Folder Redirection for Desktops, Favorites, and the Programs Menu so long as the shared folders are stored in a completely distinct and separate folder hierarchy used for UEM (Profile/Archive share and the config share). Example for user JSmith:
2) APPDATA
AppData should never be Folder Redirectted. Instead, capture the ENTIRE AppData ROAMING folder and exclude sections as needed. As for AppData LOCAL, capture only those required by the application.
Do I understand correctly?
Thanks again for the guidance
James
Hi JamesMartin8383,
I do not recommend redirecting the ProgramsMenu. Instead create the shortcuts in de ProgramsMenu using UEM.
For favorites, I have seen both redirection and roaming going well, but it depends on your situation/environment. Thoroughly test this.
For AppData, I recommend not redirecting this. I also recommend using the whitelist approach, instead of the blacklist approach. Only specify what you want to have saved for the users by creating UEM config files. It gives you a better control than blacklisting. For instance, when a new application is added and it saves a lot of data to AppData that you don't want and you are using blacklisting, then the profile may become bloated. Using per app whitelisting also gives you the option to specifically remove or reset profile settings without removing the complete profile.
Basically: what ijdemes says , but let me be a bit more blunt about whitelist vs blacklist: Do not capture <AppData> in its entirety.*
It's perfectly fine to do that for a quick experiment to see if a setting you want to capture lives in that folder, but in a production deployment you really must use specific, targeted configuration files that only capture the locations that need capturing. Creating such a "catch all" config file goes completely against UEM best practices, and will generally result in horrible logon times.
* The same applies for <UserProfile>, <LocalAppData>, HKCU, ... – basically, any location that is "too high up" in the folder or registry hierarchy
Yeah, exactly what UEMdev says :smileysilly:
Thank you both ijdemes and UEMDev for your guidance. Everything you both recommended makes sense.
Follow-up question: How do I implement the following?
"I do not recommend redirecting the ProgramsMenu. Instead create the shortcuts in de ProgramsMenu using UEM."
Do I use the procedure outlined here (for Start Menu)?
Managing Windows 10 with VMware User Environment Manager
Thanks, James
Hi JamesMartin8383,
No problem.
Regarding the start menu, it depends on what you want to achieve. There are two parts of the start menu that you may want to manage. Shortcuts and Tiles.
I recommend to always create the shortcuts dynamically using the Shortcuts option in the User Environment tab. So no roaming of the start menu. The start menu is built during logon (or after, e.g. refresh, reconnect) based on conditions that you configured for your shortcuts. If you change conditions, the start menu adapts to those changes.
Tiles is a different story. You can configure tiles to be default for all users and let them change the default afterwards, but you can also configure tiles to be mandatory. If you want to have the users being able save Tile changes (including Tile Groups) the configuring depends on the Win10 version you are using. For v1803 and up an example of a config file to save the tiles can be found here:
I believe the blog post you mentioned (the tiles/start menu part) is mainly for earlier versions of Win10 (e.g. v1607).
I hope this info helps you. If you need additional help or info, just drop a line in this forum.
Hello idjemes,
Thank you very much for your guidance on Start Menu Shortcuts and Start Menu Tiles.
I found Start Menu Shortcuts under the User Environment Tab as you described; however, I could not locate the place to implement Start Menu Tiles. Your solution, based on a series of IncludeRegistryTrees, IncludeIndividualRegistryValues, and IncludeFolderTrees makes sense; however, I could not find the mechanism of implementing this on UEM. Would it be under User Environment --> ADMX-based Settings --> Create ADMX-based setting definition?
Would I logon with a mandatory profile, make the appropriate global customizations to Start Menu Tiles (i.e. Setup the tiles exactly as I want them as an initial starting point for the majority of users to further customize on their own). Trigger a logoff which would then capture the aforementioned registry entries?
Thank you once again,
James
Hi JamesMartin8383,
The default Start Menu layout (tiles) can be created using the before mentioned article (read the Create a Default Start Menu Layout for All Users part) and make sure you import StartLayout.xml only once using UEM. I recommend using either a default local user profile or an optimized mandatory profile (assuming you are using non-persistent desktops).
The IncludeRegistryTrees, etc. can be done on the Personalization tab.
Assuming you already have the Windows Settings folder, right click this folder and click Create Config File
Select Use a Windows Common Setting and click Next
Select Windows 10 Start Menu - Windows 10 Version 1703 and higher (assuming you have Windows 10 v1703 or higher) and click Next
Give your config file a name, for instance Windows Settings - Start Menu and click Finish
You now have a new config file that contains the settings that you want to have saved for the users.
Because this is a built-in template you don't see the settings that are saved and restored for the user. If you want to see the settings click the Manage button and click Expand.
Click Yes
You will now see the settings that are saved and restored for the user.
You can use this content as a starting point and add additional registry keys, values, files, folders. For instance the ones I provided in my previous answer.
I hope this step-by-step helps you getting started.
Hello Ivan,
Thank you very much for taking the time to document in great detail, your response. I now understand and am ready to implement.
Very grateful,
James
No problem. You're welcome.
Hi. I have the same problem. All the best practices say about not using folder re-direction, but then how do you persist users App Data changes on non-persistent desktops.
I have users that pin icons to task bar, pin document to excel, all of which is stored in Roaming App Data. They log off, the desktop gets destroyed, they log back on and all those changes they made have gone.
I have seen the posts about creating a default layout which is fine to start with but then when users want to make individual changes from that, where are they stored?
I have also seen the IncludeRegistryFolders section but again where are they being included from to load back to the individual users when they log back in. It is all very unclear and sounds like you are better off going back to using roaming profiles where you know the changes write to an area both ways.
Please help and explain more.
What is the best way to Redirect the desktop without using Folder Redirection under the User Environment tab? I understand that can degrade filesystem and/or network performance. I have noticed it seems to length my login time.
I have users that place things on their Horizon desktop and expect them to be there from one session to the next. We use non-persistent desktops so without redirecting the desktop, they will not be there.
Hi @RachelW,
I'd say that redirecting the desktop shouldn't be too much of a problem unless your infrastructure is really under-specced. The only alternative would be to create a personalization config file in DEM to recursively capture <Desktop>, but that will probably have more logon and logoff impact.
I'm surprised to hear that you have "noticed it seems to length my login time." If you enable folder redirection for the desktop in DEM, it might take a little bit of time for Windows to apply that configuration (as part of DEM's logon activity), but that shouldn't take too long.
What exactly is the impact, and what do you see in the log?
Hi @DEMdev ,
Here is a break down of my log file and the items I see with a length of time processing them:
1) 5 sec - Desktop Redirection
2) 4 sec - Documents Folder Redirection
3) 8 sec - Google Chrome Roaming Profile
4) 1 sec - Excel.zip 2016
5) 2 sec - Outlook.zip 2016
6) 1 sec - Office Shared Settings.zip
7) 1 sec - Word.zip 2016
😎 1 sec - Windows Default Applications.zip
9) 4 sec - IE - Personal Settings.zip
10) 1 sec - Taskbar.zip
11) 2 sec Windows Explorer.zip
Total time to process UEM/DEM: 33 seconds-ish (start = 13:08.12, end 13:08.45
We would really like to get the UEM/DEM process down to like HALF that amount of time. Current login times to get to a desktop (Windows 10) is over 1 minute.
Hi @RachelW,
For folder redirection, DEM just asks Windows where that folder is currently located (so we can revert that change at logoff), ensures the redirected location exists, and then tells Windows the new location of that particular profile folder.
Behind the scenes, Windows just performs some simple I/O operations for these actions. If that takes 4-5 seconds, I suspect there's some anti-virus or other security-related software getting in the way (on the local system, the file server, or both.)