Over a week ago VMware released Dynamic Environment Manager (DEM) version 2006, which now follows the same versioning format as VMware Horizon and App Volumes.
One of the things that got me really excited in this release is the added feature to manage ADMX-based computer settings. This means that any setting in an ADMX file, which reflects a registry key, can now be managed by DEM!
This new feature got me thinking: can we expect to manage regular HKLM settings anytime soon?
I contacted Pim van de Vis, who used to work for Immidio and is now employed by VMware, on Twitter and asked him the very same question.
As expected, he could neither confirm nor deny it, but he did provide a workaround using the new Elevated Logon Task introduced in version 2006.
Preparing the environment
Before we can configure an elevated logon task we need to make sure we meet the following criteria:
- Running DEM version 2006, both agent and management console
- Have Privilege Elevation enabled
To enable privilege elevation, select it on the left side and click Global Configuration on the top.
Tick the checkbox next to Enable Privilege Elevation and click OK. Feel free to configure any conditions on the Conditions tab if you like.
Creating the elevated task
Now that the preparations are done, we can move on to creating the elevated task itself. Start by selecting Privilege Elevation on the left and click the Create button.
Fill in a name for the task you’re creating and select Elevated Task from the dropdown menu. Now click Add and define the task you want to create in the new window. In this example I used this:
Executable: | C:\Windows\System32\cmd.exe |
Arguments: | /c REG ADD "HKLM\SOFTWARE\VMware, Inc.\VMware UEM\InstallData" /v BlogDemo /t REG_DWORD /d 1 /f |
I’m using CMD.exe to add a simple registry key, but in case you’d want to import a .REG file you could use reg import. The /c in the arguments line is used to let cmd.exe accept my string of arguments and close afterwards.
Click OK in all open windows and let’s continue to the final part.
Making sure it runs
The last thing we need to do is make sure the task runs, as this is something we haven’t taken care of yet. In this example we’ll start it as a Logon Task. Select this on the left side and click Create.
Fill in a name for the task and tick the checkbox next to Elevated task and select the task we created earlier from the dropdown menu.
Keep Run task set to After profile archive import if you have configured your GPO for DEM to Run FlexEngine as Group Policy Extension, since you’ll need this in order to tick the checkbox next to Run asynchronously, as stated in the documentation.
If you haven’t done so you’ll see the following message in the FlexEngine.log file:
When running as Group Policy client-side extension, logon tasks must be configured as 'async' to launch an elevated task -- skipping (task_name.xml')
Now it’s time to click Save and start testing!
Confirming it works
This part should be easy: we just log in to a VDI desktop and check the registry. And bingo, the key we created is present and contains the data we specified!
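A check for this step, written as an added example (not from the original post or from VMware): it reads the BlogDemo value from the 64-bit HKLM view, confirms its type and data, and, when given a log path, searches for the two FlexEngine messages quoted on this page. The `-FlexEngineLog` parameter and the function name `Test-ElevatedTaskValue` are assumptions for illustration, as is the premise that the task wrote to the 64-bit registry view; the log location depends on your DEM GPO.

```powershell
param(
    # Assumption: full path to FlexEngine.log; its location is set in your DEM GPO.
    [string]$FlexEngineLog = ''
)

# Key, value name and data taken from the REG ADD arguments in this post.
$subKey    = 'SOFTWARE\VMware, Inc.\VMware UEM\InstallData'
$valueName = 'BlogDemo'
$expected  = 1

function Test-ElevatedTaskValue {
    param([string]$SubKey, [string]$Name, [int]$Expected)

    # Open the 64-bit view explicitly so a 32-bit PowerShell host is not
    # silently redirected to Wow6432Node and reports a false "missing".
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $hklm.OpenSubKey($SubKey)   # opened read-only
        if ($null -eq $key) { return "MISSING KEY: HKLM\$SubKey" }
        try {
            $data = $key.GetValue($Name, $null)
            if ($null -eq $data) { return "MISSING VALUE: $Name" }
            $kind = $key.GetValueKind($Name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                return "WRONG TYPE: $Name is $kind, expected DWord"
            }
            if ($data -ne $Expected) {
                return "WRONG DATA: $Name = $data, expected $Expected"
            }
            return "OK: $Name = $data (REG_DWORD)"
        } finally { $key.Close() }
    } finally { $hklm.Close() }
}

Test-ElevatedTaskValue -SubKey $subKey -Name $valueName -Expected $expected

# When the value is missing, look for the two log messages quoted on this page.
if ($FlexEngineLog -and (Test-Path -LiteralPath $FlexEngineLog)) {
    $patterns = @(
        "must be configured as 'async' to launch an elevated task",
        'Invalid settings for privilege elevation'
    )
    Select-String -LiteralPath $FlexEngineLog -Pattern $patterns -SimpleMatch |
        ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
}
```

Run it in the user session after logon; reading HKLM does not require elevation.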
Conclusion
Now I’m not suggesting anyone starts creating all their registry keys using this method, unless you’ve got ready-to-go .REG files and we’re not talking about dozens of them.
But if you only have a handful of registry keys to set, require the options DEM gives you using conditions and condition sets or just prefer a single pane of glass for all settings, this might be your way to go.
A nice feature, but I would rather have a browse to registry hive/key like in Ivanti Workspace Control instead of first making an export and then doing an import or, worse, using command lines with cmd.exe to get something done. They really should focus on lowering the TCO.
I followed the steps in the article to do a simple registry ADD as described above, but the registry is not updated and I see this in the FlexEngine sync log: "[ERROR] Invalid settings for privilege elevation"
I’m not sure how to troubleshoot this.
That’s not good!
Just to verify, if you test the action manually does it work? Like in my example I add a registry key, which I tested manually first.
Second, what level is your logging set to? In case it isn’t set to debug yet, could you change it so we might get some more information from the logging?
Feel free to contact me through Twitter or Linkedin if you prefer to communicate that way.
Hi Jasper..
It’s working great, but we have UNC enabled in our organization, and when the registry is applied the UNC window is shown and the user must manually apply the registry settings.
Is there something I can do to bypass this?
Thanks
Hi! I’ll have to check in my lab and see if I can reproduce the same. I’m assuming you mean UAC? If so, what level do you have it configured?