My Top 3 Favorite/Informative UEM Community Forum Discussions – July 2017
In this blog post I want to share my top 3 favorite/informative UEM Community Forum discussions of July 2017.
#3 – Browser plugins – How to deal with browser plugins in a VMware UEM environment.
#2 – Privilege elevation – How to automatically launch a privileged executable/application.
#1 – Missing Icon-Fonts on web browser in Windows 10 1607 – Excluding processes from Flexhook. Specifically the fontdrvhost.exe process in this case.
#3 – Browser plugins
Key takeaway: How to deal with browser plugins in a VMware UEM environment.
Forum user iforbes reported:
Hi. How can UEM be used to ensure browser plugins persist? I want to be able to launch IE, install a plugin, close IE, logoff, log back in and when I open the browser, the previously installed plugin is there. I thought the default IE UEM template that captures personal settings would do the trick, but it didn’t. Any ideas?
This is a “it depends” answer.
First, the default IE template in UEM does not save plugins itself, which you already found out. It does however save the settings that specify which plugins are enabled/disabled (HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings).
Second, it depends where the plugin is installed. Is this a plugin that installs in the user profile? If this is the case, you should really check up front if you want to save that plugin using UEM. If the plugin takes much space, you must ask your self if you want to save it using UEM, because it may impact user logon/logoff duration. If you choose to save the plugin using UEM, create a new Config File (INI) and specify the file/registry locations that need to be saved. You can use the UEM Application Profiler, Procmon or Regshot for that.
If the plugin is installed on computer level, make it part of the base image and use the registry or ADMX templates for enabling/disabling the plugin for specific users using conditions or condition sets. You can use the resources below for that. You can use ADMX-based Settings or Registry Settings from the User Environment tab in the UEM Management Console.
Disable Particular IE add-on via registry – Siva Mulpuru’s Blog –> can also be used for enabling
#2 – Privilege Elevation
Key takeaway: How to automatically launch a privileged executable/application.
Forum user deep184 reported:
I am attempting to to run a logon task that updates files in program files(x86).
I have created a powershell script to replace the file and converted the power shell script into a executable that I have listed to run with elevated permissions. It doesn’t seem to run. Could this be because it’s being process prior to elevations are being set? Also, is there a better method that could be used to update files in program files that regular user accounts do not have permissions for?
UEMdev his answer:
Elevating launches from UEM components is a bit of a chicken and egg situation… Does it work if you launch it via a shortcut in the StartUp folder, or via an entry in the RunOnce key?
Indeed, in the UEM Shortcut dialog, pick Programs folder as destination, and enter StartUp in the corresponding text field:
That way it’ll be Explorer launching your tool, instead of the UEM agent itself.
#1 – Missing Icon-Fonts on web browser in Windows 10 1607
Key takeaway: Excluding processes from Flexhook. Specifically the fontdrvhost.exe process in this case.
Forum user Phil reported:
I have an issue where certain website the icon-fonts are missing.
1. firewall is off
2. enabled protection mode is disabled
3. Font download is enabled
What is interseting is that if UEM GPO is disabled the icons appears normally; however, once the UEM GPO is applied the icons are missing. The GPO is simiple there are no logon scripts running, and the user’s profile folders are redirected to a SMB share.
I also created a new UEM GPO that points to another freshly created config file. I disbaled all the Config Files in the Personalization Tab and I still get the same experince where the icons are missing.
UEMdev his answer:
So, indeed, this is related to DirectFlex. Specifically, the fontdrvhost.exe process does not seem to like the fact that we inject our FlexHook*.dll (which we do as soon as DirectFlex is enabled — it does not matter for which Flex config file.)
So, DirectFlex blacklist to the rescue: adding fontdrvhost.exe to the blacklist seems to keep the webfonts working perfectly fine in my test setup. To configure this, create a Blacklist.xml file in …\General\FlexRepository\DirectFlex folder (which does not exist by default), with the following content:
<?xml version='1.0' encoding='utf-8'?> <userEnvironmentSettings> <setting type='blacklist' list='fontdrvhost.exe'/> </userEnvironmentSettings>
The attachment contains this XML file with the correct folder structure. If you already have this Blacklist.xml file, just update its list attribute by adding |fontdrvhost.exe at the end of the current value (note the ‘|‘ (pipe character), which acts as a separator).