• Learning the Basics of VMware Horizon 7.12 – Part 13 -Dynamic Environment Manager Prep Work

    June 17, 2020

    Blog, VMware

    VMware Dynamic Environment Manager (DEM) is a multiple purpose product. DEM can manage profiles and policies across virtual, physical, and cloud-based Windows desktops. DEM can also handle mappings such as drives, networks, and printers. DEM can also dynamically apply end-user policies and personalization based on a wide variety of conditions.

    In this article and the two following articles, we only scratch the surface of the capabilities of DEM. We will only look at saving application settings.

    In this article, we do the environment preparation work for DEM. In the following two articles, we will install DEM, configure the DEM Management console, configure the DEM Helpdesk Support Tool, and finally test everything with our users and the Instant Clone desktops and published applications.

    Configuration Share

    Create a file share for the DEM configuration share. I named mine DEMConfig.

    For the Share permissions, Everyone must have Change, as shown in Figure 1.

    Figure 1
    Figure 1

    The VMwHelpDesk security group needs Read access on the Share, as shown in Figure 2. and NTFS permissions.

    Figure 2
    Figure 2

    I also disable Caching, as shown in Figure 3.

    Figure 2
    Figure 2

    Now on to NTFS Permissions.

    As shown in Figure 4, the DEMAdmins security group must have Full Control permissions applied to This folder, subfolders, and files.

    As shown in Figure 5, the DEMUsers security group must have Read & execute permissions applied to This folder, subfolders, and files.

    As shown in Figure 6, the Domain Computers security group must also have Read & execute permissions applied to This folder, subfolders, and files.

    As shown in Figure 7, the VMwHelpDesk security group needs Read & execute permissions applied to This folder, subfolders, and files.

    Figure 4
    Figure 4
    Figure 5
    Figure 5
    Figure 6
    Figure 6
    Figure 7
    Figure 7

    Profile Share

    Create a file share for DEM profiles share. I named mine DEMProfiles.

    For the Share permissions, Everyone must have Change, as shown in Figure 8.

    Figure 8
    Figure 8

    VMwHelpDesk needs Change permissions, as shown in Figure 9.

    Figure 9
    Figure 9

    I also disable Caching, as shown in Figure 10.

    Figure 10
    Figure 10

    Now on to NTFS Permissions.

    As shown in Figures 11 and 12, DEMAdmins and VMwHelpDesk must have Full Control permissions applied to This folder, subfolders, and files.

    As shown in Figure 13, DEMUsers must have Create folders / append data applied to This folder only.

    As shown in Figure 14, Domain Computers must have Create folders / append data applied to This folder only.

    As shown in Figure 15, Creator Owner must have Full Control applied to Subfolders and files only.

    Figure 11
    Figure 11
    Figure 12
    Figure 12
    Figure 13
    Figure 13
    Figure 14
    Figure 14
    Figure 15
    Figure 15

    Access to Regedit.exe or Reg.exe must not be disabled through Group Policy.

    Make sure User Configuration/Policies/Administrative Templates/System/Prevent access to registry editing tools is either Not Configured or Disabled, as shown in Figure 16.

    Figure 16
    Figure 16

    The FlexEngine uses Regedit.exe to add user-specific settings to the registry. Depending on the User Account Control (UAC) settings on Windows 7 or later, FlexEngine might use Reg.exe.

    Note: What is FlexEngine? It is an Agent component, which is installed on the virtual or physical machines that you want to manage.

    Registry Access Requirements

    Group Policy Setup

    In the extracted file for DEM is folder Administrative Templates (ADMX), as shown in Figure 17.

    Figure 17
    Figure 17

    Copy the DEM ADMX/ADML files, shown in Figure 17, to the correct location. The location of this folder might vary, but often the location is C:\Windows\PolicyDefinitions. If you use the central store for administrative templates, you should instead copy the files to the Sysvol share on the primary domain controller, in the following location: \\<PDCName>\SYSVOL\<DomainName>\Policies\PolicyDefinitions

    I use the Group Policy Central Store in my lab, as shown in Figure 18.

    Figure 18
    Figure 18

    In the Group Policy Management Console (GPMC), create a GPO at the location where your Horizon machine accounts are located, as shown in Figures 19 and 20.

    Figure 19
    Figure 19
    Figure 20
    Figure 20

    VMware requires that the policy setting Always wait for the network at computer startup and logon is enabled and a logoff script.

    In the new GPO, configure the following settings, as shown in Figure 21:

    Computer Configuration:

    • Policies/Administrative Templates/System/Logon/Always wait for the network at computer startup and logon: Enabled

    User Configuration:

    • Policies/Administrative Templates/VMware DEM/FlexEngine
      • Flex config files: Enabled, replace <YOUR CONFIGURATION SHARE> with the DEM Config share. i.e., \\LabFS\DEMConfig
      • FlexEngine logging: Enabled, replace <YOUR PROFILE ARCHIVES SHARE> with the DEM Profile share. i.e., \\LabFS\DEMProfiles
      • Profile archive backups: Enabled, replace <YOUR PROFILE ARCHIVES SHARE> with the DEM Profile share. i.e., \\LabFS\DEMProfiles
      • Profile archives: Enabled, replace <YOUR PROFILE ARCHIVES SHARE> with the DEM Profile share. i.e., \\LabFS\DEMProfiles
      • Run FlexEngine as Group Policy Extension: Enabled
    • Windows Settings/Scripts/Logoff: Add, Script Name: C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe, Script Parameters: -s
    Figure 21
    Figure 21

    Because we are applying User settings to a Computer, link the Loopback GPO to the location where your Horizon machine accounts are located, as shown in Figure 22.

    Figure 22
    Figure 22

    Up next: Dynamic Environment Manager Installation and Configuration







    About Carl Webster

    Webster is a Sr. Infrastructure Consultant for Conversant Group and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.

    View all posts by Carl Webster

    No comments yet.

    Leave a Reply