Advanced Configuration Settings
Logon sub-triggers
Environment Manager provides three logon sub-triggers. They let you configure each action to run at its most appropriate point in the user logon process, which helps keep logon times short:
- Pre-Session - Actions take effect before terminal services is notified of the logon. Registry, Group Policy and Environment actions are compatible with this sub-trigger.
- Pre-Desktop - Actions take effect when the user logs on to the system but before the desktop shell has started.
- Desktop Created - Actions take effect after the desktop shell and Explorer have started. To improve efficiency and logon times, any non-critical Logon actions should be added to this trigger, for example, mapping drives and printers.
Early releases of Environment Manager (v8.4 SP4 and earlier) included a single logon trigger only, and although not widely recommended, it remains supported if required.
From the Manage ribbon, select Advanced Settings > Configuration Settings.
Clear the Enable logon sub-triggers checkbox.
For the setting to take effect on managed endpoints, the Environment Manager Agent must be restarted.
When applying an upgrade to an early configuration, you will be prompted to upgrade to the sub-triggers model - or to keep the single logon trigger.
The screenshots below show an early configuration before and after logon sub-triggers upgrade.
Configuration with single logon trigger before upgrade:
After enabling Logon sub-triggers:
- Logon Condition 1 has been moved from the Logon Environment tab to a new Pre-Trigger node beneath the Pre-Session trigger
- Nodes 1, 2, 3 and 4 have been moved from the Logon node to the Pre-Desktop trigger
- The Desktop Created sub-trigger has been added
For layered configurations, each layer must be upgraded individually or in bulk using the BatchConfigTool before being added back to the upgraded base configuration.
If a configuration already includes nodes converted from triggers, they will revert to sub-triggers when enabled.
The Pre-Session sub-trigger is only compatible with Registry, Group Policy and Environment actions. When a node is converted back to the Pre-Session trigger, non-compatible actions are removed.
When you disable sub-triggers, a node structure is automatically created to replicate the sub-triggers.
The option to use the single logon trigger is included to enable backwards compatibility. Functionality reverts to that of the 8.4 SP4 release, and all changes to this feature made subsequently are excluded.
Configuration with single logon trigger after upgrade:
After disabling sub-triggers:
- Nodes 1, 2, 3 and 4 have been moved from the Pre-Desktop sub-trigger to being direct child nodes of the Logon trigger.
- Any nodes, actions and conditions in the Pre-Session and Desktop Created sub-triggers are moved to newly created nodes of the same name.
- Any actions which are moved to the newly created DesktopCreated node run before the desktop is displayed to users.
When switching from sub-triggers to the single Logon node, we recommend that you review the actions in the Pre-Session node for Environment actions which would be better placed in the Logon trigger Environment tab.
See Trigger Environment.
Change the logon sub-trigger setting
- On the Manage ribbon, select Advanced Settings.
- Select the Configuration Settings tab.
- Select the Enable logon sub-triggers option as required.
For the setting to take effect on managed endpoints, the Environment Manager Agent must be restarted.
Mid-session config changes
This setting allows you to determine when configuration changes are delivered to users.
From the Manage ribbon, select Advanced Settings > Configuration Settings.
Select the Mid-session config changes option as required:
- Immediately - Changes are implemented as soon as the configuration is pushed out to endpoints. Unapply (or revert) actions are also executed immediately.
- At logon - When the updated configuration is deployed, changes are implemented the next time a user logs on, before the User Logon triggers are fired. Unapply actions work as normal - executed at logoff.
- At startup - When the updated configuration is deployed, changes are implemented the next time the endpoint is started, before the Computer Startup trigger is fired. Unapply actions work as normal - executed at the next restart.
The default setting is At logon.
Note: to preserve the original behavior, the Immediately setting is applied to configurations upgraded from v8.4 SP4.
If using cache roaming with mid-session configuration changes you will need to set the PreventUnapplyOnConfigChange registry key on all endpoints. Refer to Cache Roaming for further information.
Many policy actions within a configuration have a revert method applied. This reverts (or unapplies) the action when the session closes. For example, an action that creates a set of shortcuts at user logon is unapplied when the configuration is removed at logoff.
When the mid-session config change setting is enabled and the changes are set to implement immediately, unapply actions will be triggered as the current configuration is removed. This can result in the loss of mapped drives, shortcuts, file type associations etc. as the create actions are reverted.
Note that any edit to your current configuration applied mid-session will result in the triggering of unapply actions.
Example:
In the case of an action to create a set of shortcuts on the endpoint, unless the Apply Permanently option is selected for the shortcut action, the shortcuts will be removed at logoff. Equally, they will be reverted when the current configuration is removed as a mid-session change is applied.
Although the revert action is commonly associated with the mapping of printers, drives and shortcuts, it applies to a wide range of actions. Note, however, that the revert action does not apply to mounted VHD connections when a mid-session change is applied. Here, the VHD connection is preserved until user logoff. See Cache Roaming for virtual sessions - additional information.
Network Events
This setting controls when the Network Connected and Network Disconnected events are handled.
From the Manage ribbon, select Advanced Settings > Configuration Settings.
Select or clear the Network events checkbox as required:
- Enabled - The Network Connected and Network Disconnected triggers fire when each network adapter establishes or disconnects a connection, regardless of whether a connection to the same network already exists.
- Disabled - The Network Connected trigger fires when the first network adapter establishes a connection to the network. The Network Disconnected trigger fires when the last network adapter disconnects a connection to the network. Each trigger will fire only once for each network.
The default setting is Enabled.
Note: to preserve the original behavior, the setting is disabled in configurations upgraded from earlier versions of Environment Manager.
For the setting to take effect on managed endpoints, the Environment Manager Agent must be restarted.
To control the number of network events, we recommend conditions are applied to restrict actions based upon network connection attributes.
Folder Copy Actions
This setting determines whether folder copy actions that are interrupted at logoff are resumed at next user logon.
From the Manage ribbon, select Advanced Settings > Configuration Settings.
Select or clear the Folder copy actions checkbox as required:
- Enabled - Folder copy actions that are running at logoff are resumed at the next user logon.
- Disabled - Folder copy actions that are running at logoff are not resumed at the next user logon.
Undo Action Sequencing
To view this setting, you may need to increase the size of the Advanced Settings dialog.
The setting allows you to define whether user actions on Logoff, Session Disconnect and Network Disconnect triggers are executed before undo (revert or unapply) actions.
Undo actions are added by the console to reverse the effect of certain user actions at logoff. For example, mapping printers is the undo action when ‘unmap at logoff’ is set.
The following options are available:
- Enabled - The agent executes any user actions on the trigger before any undo actions.
- Disabled - Actions execute in parallel.
To maintain legacy behavior the default setting is Disabled.
Custom Settings
Configure additional settings which will be applied on managed endpoints when an Environment Manager configuration is deployed. Settings such as the default node timeout can be configured in the console, removing the need to manually set the appropriate registry keys (see also Node Management).
If a Custom Setting is added, it will be created on endpoints or override any existing setting. Custom Settings can be configured to apply the default value for that setting or to use the value you assign it; both will override existing settings.
If a Custom Setting is not added, that setting will not exist unless it is already configured on the endpoint, in which case that value is used.
When upgrading a configuration, a setting which already exists on an endpoint will be overwritten by the value of the corresponding Custom Setting.
Manage Custom Settings
- Select the Policy Configuration navigation button.
- From the Manage ribbon, select Advanced Settings. The Advanced Configuration Settings dialog opens. Select the Custom Settings tab.
- Click Add. The Custom Settings dialog opens.
- Select the setting(s) you want to configure and click OK. Multiple settings can be selected using the Ctrl and Shift keys or all settings can be added by pressing Ctrl + A. The selected settings are added to the Configure Custom Settings dialog.
Settings which are added will be configured on endpoints. Any settings which already exist on an endpoint are used.
- Set the values as required. All settings are initially set to Use Default; deselect the option to update a setting's value. Updated settings are displayed in bold. If Use Default is selected for a setting, the corresponding key is removed from the registry, as it is not required for the default behavior to apply.
- Click OK.
The settings are applied when the configuration is applied to managed endpoints.
Printer Mapping
Setting | Default | Description |
---|---|---|
PrinterErrorCodes | | List of error codes separated by a comma. |
AddPrinterSequential | False | Map printer actions can be performed concurrently or sequentially. Updating this setting to True removes issues created when the AddPrinterConnection API call is hit concurrently. |
Certificates
Setting | Default | Description |
---|---|---|
SpoofProfileForWholeSession | False | Windows mandatory profiles have a limitation restricting users from installing and exporting private keys. PFX certificate types contain embedded private keys and cannot be installed when the profile is set to mandatory. This setting changes the session so Windows thinks a roaming profile is being used, allowing users to install PFX certificates with private keys. |
Policy Engine
Setting | Default | Description |
---|---|---|
RegexTimeout | 2000 | Set a timeout limit in milliseconds for invalid regexes which may otherwise evaluate for a long time. |
NodeTimeout | 30000 | Set a time, in milliseconds, which determines the default timeout for all nodes. This timeout controls the delay after which any children of that node are run. |
TriggerTimeout | Infinite | Set the length of time a trigger is given to complete its processing. If the value is not present, the timeout will wait forever. |
ShutdownBailTimeout | Infinite | Timeout value in milliseconds for actions still running at logoff or shutdown. This applies to all running actions regardless of which trigger originally instigated them. This should only be used for long-running threads at logoff or shutdown. |
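The effect of a regex timeout such as RegexTimeout can be seen with the .NET regex engine, which accepts a per-match timeout. This is an added example, not Environment Manager code; the page does not state which regex engine the agent uses, and the function name, parameters and sample patterns are constructed for illustration.

```powershell
# Added example: bound a regex evaluation with a match timeout (.NET regex engine).
# Test-PatternWithTimeout is a hypothetical helper; 2000 ms mirrors the RegexTimeout default.
function Test-PatternWithTimeout {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string]$InputText,
        [int]$TimeoutMs = 2000
    )
    $options = [System.Text.RegularExpressions.RegexOptions]::None
    $timeout = [timespan]::FromMilliseconds($TimeoutMs)
    $outcome = 'Completed'
    $matched = $false
    $clock   = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $regex   = [regex]::new($Pattern, $options, $timeout)
        $matched = $regex.IsMatch($InputText)
    }
    catch [System.Text.RegularExpressions.RegexMatchTimeoutException] {
        $outcome = 'TimedOut'        # evaluation abandoned; treated as "no match"
    }
    catch [System.ArgumentException] {
        $outcome = 'InvalidPattern'  # the pattern itself failed to parse
    }
    $clock.Stop()
    [pscustomobject]@{
        Pattern   = $Pattern
        Outcome   = $outcome
        Matched   = $matched
        ElapsedMs = $clock.ElapsedMilliseconds
    }
}

# Constructed inputs: a linear-time pattern, a pattern with nested quantifiers
# that can backtrack heavily on a near-miss input, and a malformed pattern.
$nearMiss = ('a' * 40) + '!'
$cases = @(
    @{ Pattern = '^a+$';    InputText = ('a' * 40) }
    @{ Pattern = '^(a+)+$'; InputText = $nearMiss }
    @{ Pattern = '^(a+$';   InputText = $nearMiss }
)
$cases | ForEach-Object {
    $case = $_
    Test-PatternWithTimeout @case -TimeoutMs 2000
} | Format-Table -AutoSize
```

The Outcome and ElapsedMs columns show whether a pattern finished, was cut off at the limit, or never compiled, which is the distinction to check before raising or lowering the timeout.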
Default Timeout Settings
Default timeouts are set for triggers, nodes, conditions and logon actions. If a timeout limit is exceeded, the configuration element still runs to completion but is considered a fail and therefore child nodes do not run.
Active Directory
Setting | Default | Description |
---|---|---|
UseAlternativeUserGroupTest | False | Specifies that when checking user group membership, it should be dynamic and use the OID_LDAP_MATCHING_RULE_IN_CHAIN filter. If set to true, user group conditions use a more efficient method of lookup which can also reflect group changes during a session. This only works if the Active Directory server is later than Server 2003 R2. |
ADUserGroupMembershipTimeout | 120 | When the UseAlternativeUserGroupTest setting is used, you can specify a timeout value in seconds for the OID_LDAP_MATCHING_RULE_IN_CHAIN query before the request to the personalization server and for policy user group OU Membership conditions. |
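A nested group membership check with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) and a client-side timeout can be written as follows. This is an added example, not Environment Manager code; the function names and distinguished names are constructed, and it assumes a domain-joined Windows host for the actual query.

```powershell
# Added example; function names are hypothetical and the DN at the end is constructed.
$InChainOid = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP search filter (RFC 4515).
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, so the escapes added afterwards are not escaped again.
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $escaped.Replace([string][char]0, '\00')
}

function Get-InChainFilter {
    # Matches an object that is a direct or nested member of the group.
    param([Parameter(Mandatory)][string]$GroupDn)
    '(memberOf:{0}:={1})' -f $InChainOid, (ConvertTo-LdapFilterValue $GroupDn)
}

function Test-NestedGroupMembership {
    # Base-scoped search on the user object: one result means the user is in the chain.
    # Assumes $UserDn needs no extra ADsPath escaping (for example, it contains no '/').
    param(
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][string]$GroupDn,
        [int]$TimeoutSeconds = 120   # mirrors the ADUserGroupMembershipTimeout default
    )
    $searcher = [System.DirectoryServices.DirectorySearcher]::new()
    try {
        $searcher.SearchRoot    = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$UserDn")
        $searcher.SearchScope   = [System.DirectoryServices.SearchScope]::Base
        $searcher.Filter        = Get-InChainFilter -GroupDn $GroupDn
        $searcher.ClientTimeout = [timespan]::FromSeconds($TimeoutSeconds)
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        return $null -ne $searcher.FindOne()
    }
    finally {
        $searcher.Dispose()
    }
}

# Offline part: build the filter for a constructed group DN containing parentheses.
Get-InChainFilter -GroupDn 'CN=Finance (EU),OU=Groups,DC=example,DC=test'
```

Escaping the group DN before it is placed in the filter keeps characters such as parentheses in a group name from altering the filter's structure.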
System
Setting | Default | Description |
---|---|---|
LegacyAppInit | False | Set this value to True to use AppInit_DLLs value for injecting Environment Manager components into processes during startup. If set to false, DLLs are loaded by a kernel driver. |
EnableNestedComputerGroupQueries | False | Allow the client to query Active Directory for nested computer groups. This setting can affect the performance of the client. |
Shell
Setting | Default | Description |
---|---|---|
CreateSpecialPaths | False | When set to true, the folder exists check is performed on CSIDs. |
End Point Merging
Setting | Default | Description |
---|---|---|
BaseConfigMergeBehavior | Remerge | Controls whether new base configurations override end point layers or are merged with them. Remerge - When a new configuration.aemp is deployed to endpoints, a merge with the existing configurations in the MergeConfigs directory is triggered. The new Merged_Configuration.aemp becomes the live configuration. Replace - When the new configuration.aemp is deployed to endpoints, it replaces the Merged_Configuration.aemp as the live configuration. |
Custom Scripts
Setting | Default | Description |
---|---|---|
PowerShellLoadUserProfile | False | This setting allows the PowerShell User Profiles to load when PowerShell Custom actions and conditions execute. When set to False, PowerShell is hosted by Environment Manager and is no longer used natively. If the PowerShellRunInHost engineering key is set to on, it overrides any setting you have in PowerShellLoadUserProfile and PowerShell will always be hosted by Environment Manager. |
Override XenDesktop Session Connect Triggers
Setting | Default | Description |
---|---|---|
OverrideIcaSessionConnectTriggers | False | When this setting is enabled and set to True, XenDesktop environments execute the Session Lock/Unlock triggers when a user disconnects/reconnects from their session. This applies to XenDesktop versions 7.6 - 7.8 inclusive. This setting has no effect if users are running XenDesktop 7.9 or later because these versions execute the Disconnect/Reconnect triggers anyway. |
Desktop Refreshes
Setting | Default | Description |
---|---|---|
ExcludedRefreshRegistryKeys | N/A | Exclude named registry keys from being parsed during the desktop refresh setting check. |
Custom Setting and Engineering Key Interaction
Setting | PowerShellRunInHost=0 | PowerShellRunInHost=1 |
---|---|---|
PowerShellLoadUserProfile=0 | Hosted | Hosted |
PowerShellLoadUserProfile=1 | Native | Hosted |