As I wrote in my last post, UEM is a game changer in how we can create great VDI solutions.
Having worked a lot with VMware’s User Environment Manager (UEM) within the last month, I saw many errors made and occurring during the installation phase.
Even though the installation is quite straightforward, some minor mistakes can happen from time to time. I am going to summarize which symptoms might occur, how to check and gather further information, and what has most likely caused the malfunction.
At the moment the post focuses on the Active Directory Group Policy based installation & configuration within UEM. The newest version 9.1 also allows us to do it in a non-AD way. If there is demand, I can add a section for that topic as well.
I am not going to cover the basic installation steps. Chris Halstead did a great job on that topic (and for all the things he worked on [flings, blogs, etc.]).
Please use that one for the basic installation tasks and come back to this post if you need to troubleshoot further ;-) With the following list you can fix 98% of the problems that might occur during the UEM installation ;-).
The log-file within UEM is pretty valuable. Make sure to configure it initially when setting up UEM. A log-level value of info is enough for daily usage.
To increase the log level for a specific use case or a specific user, just add a file called flexdebug.txt (make sure file extensions are shown, so the name is exactly flexdebug.txt) to the folder where your log files are created.
After a logoff and logon the log file includes debug data as well.
[Active Directory based installation / configuration]
UEM seems not to work. After the login of a UEM user, no folders for the user are created on the profile-archive share.
Potential root causes:
During log-on the UEM FlexEngine service starts via group-policy extension and imports the relevant user profile or archive from the defined file-share. Normally during log-off UEM exports the settings back to the file-share (except when DirectFlex is used).
If not a single user folder is created after a logon, one of the following configuration items might be responsible.
- GPO with the UEM relevant settings not applied to the user.
- Incorrect permission on the user profile share.
- Incorrect Config & User profile share location defined within the Group Policies
- UEM Agent not running correctly
- Access to regedit.exe is prohibited
How to verify:
GPO with the UEM relevant settings not applied to the user:
Log in as an affected user and run cmd. In cmd, type gpresult /R and verify that the GPO that includes the UEM configuration is being applied.
Fix: Make sure that the GPO with the UEM configuration is applied to the specific users UEM should apply to.
Incorrect permission on the user profile share:
Being restrictive with the permissions is really important, but it can lead to some problems as well. Please verify that you can access the profile share and create a folder on it.
If the logged-in user cannot manually create a folder on the profile share, UEM will not be able to create this folder either.
Fix: Check and fix your NTFS and file share permissions:
Example name: \\server\UEMProfileData
Share permissions:
- UEM Administrators – Change
- UEM Users – Change
NTFS permissions:
- UEM Administrators – Full Control, apply to: “This Folder, Subfolder and Files”
- UEM Users – Read / Execute, Create Folders / Append Data, apply to: “This Folder Only”
- Creator Owner – Full Control, apply to: “Subfolders and Files Only”
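One way to check the NTFS ACL on the profile share against the layout above, as an added example (not from the original post or from VMware). The share path and the DOMAIN\... group names are placeholders; run it with an account that may read the ACL.

```powershell
# Added example: audit the profile share's NTFS ACL against the layout above.
# $SharePath and the DOMAIN\... group names are placeholders, not values from the post.
$SharePath = '\\server\UEMProfileData'
$Fsr       = [System.Security.AccessControl.FileSystemRights]
$Expected  = @(
    @{ Id = 'DOMAIN\UEM Administrators'; Rights = 'FullControl'              # This Folder, Subfolder and Files
       Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }
    @{ Id = 'DOMAIN\UEM Users'; Rights = 'ReadAndExecute, CreateDirectories' # This Folder Only
       Inherit = 'None'; Propagate = 'None' }                                # (CreateDirectories = Append Data bit)
    @{ Id = 'CREATOR OWNER'; Rights = 'FullControl'                          # Subfolders and Files Only
       Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'InheritOnly' }
)

function Get-NormalizedRights($Ace) {
    # Ignore the Synchronize bit and treat a raw GENERIC_ALL mask as FullControl.
    $mask = [int]$Ace.FileSystemRights
    if ($mask -band 0x10000000) { return [int]$Fsr::FullControl }
    return ($mask -bor [int]$Fsr::Synchronize)
}

function Test-UemShareAcl([string]$Path, [object[]]$Rules) {
    $allow = @((Get-Acl -LiteralPath $Path).Access |
               Where-Object { $_.AccessControlType -eq 'Allow' })
    foreach ($rule in $Rules) {
        $want = [int]($rule.Rights -as $Fsr) -bor [int]$Fsr::Synchronize
        $hit  = $allow | Where-Object {
            $_.IdentityReference.Value -eq $rule.Id -and
            (Get-NormalizedRights $_) -eq $want -and
            $_.InheritanceFlags -eq $rule.Inherit -and
            $_.PropagationFlags -eq $rule.Propagate
        }
        $status = if ($hit) { 'OK' } else { 'Missing or different' }
        [pscustomobject]@{ Identity = $rule.Id; Status = $status }
    }
    # Any other inheritable Allow entry reaches into the per-user folders: list it for review.
    $known = $Rules | ForEach-Object { $_.Id }
    $allow | Where-Object { $_.IdentityReference.Value -notin $known -and
                            $_.InheritanceFlags -ne 'None' } |
        ForEach-Object {
            [pscustomobject]@{ Identity = $_.IdentityReference.Value
                               Status   = "Review: $($_.FileSystemRights)" }
        }
}

Test-UemShareAcl -Path $SharePath -Rules $Expected | Format-Table -AutoSize
```

A "Missing or different" row for UEM Users with inheritable rights is the case to look at first, because it means users can reach each other's profile folders.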
Incorrect Config & User profile share location defined within the Group Policies:
If permissions are right and the UEM GPO gets applied, make sure that the correct data has been configured with the Group Policies.
Make sure the FlexEngine of UEM runs as a Group Policy Extension.
For the config file share make sure the path ends with \General. Copy and paste your paths into Windows Explorer to ensure that the specified location is valid and reachable via network based file access.
Do the same verification for the User Profile Share. (Leave the %username% section out)
Fix: Enter the correct path settings ;-) (copy and paste is your friend).
UEM Agent not running correctly:
If the UEM Agent is not running (even though all the above mentioned settings are correct) an issue might have happened during the installation. Verify it via services.msc and check for the VMware UEM Service status.
Started –> :)
Stopped –> :(
Fix: In case the service is stopped, the best way to deal with it is to uninstall and reinstall the UEM Agent.
Access to regedit.exe is prohibited:
How to verify:
Try to run regedit.exe as the user.
Check the log-files of UEM and search for the FATAL messages.
The log-file mentions: [FATAL] Policy prevents access to registry editing tools.
In case you have configured Application blocking for regedit.exe you will find the following message:
[FATAL] Error importing
UEM and the FlexEngine use regedit.exe to inject information into the registry. If access to the registry is not possible from a specific user account, the whole mechanism will fail. Make sure to allow execution of regedit (via Group Policy and UEM’s Application blocking feature) and make sure regedit.exe is not configured as a blocked application within UEM.
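The verification steps above collected into one script, as an added example (not from the original post or from VMware). The GPO name, share paths and log file location are placeholders, and the gpresult parsing assumes English output.

```powershell
# Added example: run as the affected user inside the desktop session.
# The four values below are placeholders, not values from the post.
$GpoName      = 'UEM Configuration'
$ConfigShare  = '\\server\UEMConfig\General'      # must end with \General
$ProfileShare = '\\server\UEMProfileData'         # without the %username% part
$LogFile      = "\\server\UEMProfileData\${env:USERNAME}\Logs\FlexEngine.log"

function Test-GpoApplied([string]$Name) {
    # Count the GPO only if it is listed under "Applied Group Policy Objects",
    # not in the section of GPOs that were filtered out.
    $inApplied = $false
    foreach ($line in (gpresult /R /SCOPE USER)) {
        if ($line -match 'Applied Group Policy Objects') { $inApplied = $true; continue }
        if ($line -match 'were not applied')             { $inApplied = $false }
        if ($inApplied -and $line.Trim() -eq $Name)      { return $true }
    }
    return $false
}

function Test-FolderCreate([string]$Root) {
    # Same test as creating a folder by hand on the profile share.
    $probe = Join-Path $Root ('uemprobe_' + [guid]::NewGuid().ToString('N'))
    try {
        New-Item -Path $probe -ItemType Directory -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        return $true
    } catch { return $false }
}

# "Prevent access to registry editing tools" sets DisableRegistryTools for the user.
$policy  = Get-ItemProperty -ErrorAction SilentlyContinue `
             -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$service = Get-Service -DisplayName 'VMware UEM*' -ErrorAction SilentlyContinue
$fatal   = @(if (Test-Path -LiteralPath $LogFile) {
                 Select-String -LiteralPath $LogFile -Pattern '[FATAL]' -SimpleMatch
             })

[pscustomobject]@{
    GpoApplied         = Test-GpoApplied $GpoName
    ConfigShareReached = Test-Path -LiteralPath $ConfigShare
    ProfileShareWrite  = Test-FolderCreate $ProfileShare
    UemService         = if ($service) { "$($service.Status)" } else { 'not found' }
    RegeditBlocked     = [bool]$policy.DisableRegistryTools
    FatalLogLines      = @($fatal | ForEach-Object { $_.Line })
} | Format-List
```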
When creating the GPO for UEM, the ADMX templates have been imported (e.g. by transferring them to the PolicyDefinitions folder), but the UEM settings do not show up when configuring the GPO and an error message appears.
Make sure to also transfer the language files (en-US) into your domain controller location.
UEM seems not to work. No profile data is stored when logging into a stateless/floating desktop. User folders are created on the profile shares, but they contain no data for the various Windows settings or applications.
Potential root causes:
During logoff the flexengine.exe file must be called with the -s parameter. If that is not the case, all non-FlexEngine application data will not be exported at logoff. Since the user folder and the log files were created, it is not related to a permission problem.
In a functional environment you can see within the log file [must be configured via GPO; log level info or higher] that an export takes place.
If that is not the case and you cannot find any export information, check the logoff script definitions in your GPO:
Script Name: C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe
Script Parameters: -s
After installation and configuration of UEM a user cannot log in to the desktop anymore. After login an automatic logoff occurs.
Potential root causes:
A GPO setting has been configured that defines how the desktop reacts if the paths are unavailable at logon.
Make sure that you have checked the settings mentioned earlier and that the ‘Always wait for the network at computer startup and logon’ setting is enabled.
I hope this short guide helps you to improve your UEM implementation and gives you some tips and tricks about what you should take care of in the future.