Managing UE-V Settings Location Templates with Group Policy

As a follow up to the previous post on working with UE-V templates catalog, let’s look at what it takes to manage those custom templates using the Group Policy ADMX template provided by Microsoft.

After downloading and installing the UE-V ADMX template, we can open the Group Policy Management Console and see the available settings for the Settings Location Templates:

These are located under both Computer Configuration and User Configuration in the following path:

    Policies\Administrative Templates\Windows Components\Microsoft User Experience Virtualization\Applications

There are a couple things to note here.  First, there are three templates from the out-of-box set that don’t appear:

  • Desktop Settings
  • Theme Settings
  • Ease of Access Settings

While these three have a corresponding XML template just like the others, they are handled separately by Group Policy as agent configuration settings (“Roam Windows settings”):

By Enabling/Disabling and selecting the appropriate options, these settings can be managed by this GPO.

Second, we also see that the ADMX only includes the default out-of-box set of applications (IE 8/9/10, Office 2007/2010, Notepad, Wordpad, and Calculator).  With the Settings Template Catalog we can centrally manage the availability of custom location settings templates, but it would be great if we could also enable and disable them via Group Policy so that it’s not an “all or nothing” deal.

For this exercise, we’ll look to add the ability to manage the Adobe Reader X template available from the TechNet Gallery.  I’ve already downloaded the template, placed it in the Settings Template Catalog configured for the UE-V agent, initiated the scheduled task to sync the templates, and verified that it is enabled.

However, I have a group of users whose settings I do not want to have roaming from system to system, so I want to manage this exception with Group Policy. To do that, we need to edit the ADMX template (or create a new one). We could use the FullArmor ADMX Migrator to create/edit the ADMX template through the MMC interface, but since the template is straightforward XML we’ll just do it the old fashioned way in a text editor.

First, let’s find an example of one of the apps in the UserExperienceVirtualization.admx template…Internet Explorer 8.  The XML for the entry looks like this:

    <policy name="InternetExplorer8" class="Both" displayName="$(string.InternetExplorer8)" explainText="$(string.InternetExplorer8_Help)" key="Software\Policies\Microsoft\UEV\Agent\Configuration\Applications" valueName="MicrosoftInternetExplorer.Version8">
      <parentCategory ref="Applications" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>

The key and valueName values give us the registry key and value, respectively, that get set by Group Policy for the UE-V agent.  The valueName must be the Template ID of the settings location template (seen in the middle column of the above PowerShell output, in this case Adobe-Reader-AcroRd32-v-10-1).

There’s another important item here that needs to be addressed: the language resource file (.ADML).  This file contains the language specific information needed by the .ADMX template and is stored under the appropriate language subfolder (ex – C:\Windows\PolicyDefinitions\en-us). You can find more information on the ADMX file structure here.  If we don’t add a corresponding section in the language resource file, when we attempt to edit the GPO we’ll get an error:

Let’s look in the UserExperienceVirtualization.adml file for the corresponding Internet Explorer 8 section:

    <string id="InternetExplorer8">Internet Explorer 8</string>
    <string id="InternetExplorer8_Help">This policy setting configures the roaming of user settings for Internet Explorer 8.
    By default, the user settings of Internet Explorer 8 roam between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from roaming between computers.
    If you enable this policy setting, the Internet Explorer 8 user settings continue to roam.
    If you disable this policy setting, Internet Explorer 8 are excluded from the roaming settings.
    If you do not configure this policy setting, any defined values will be deleted.
    </string>

This gives us the corresponding text in the GPMC:

So, by copying and pasting the corresponding sections in the .ADMX and .ADML file, and replacing the Internet Explorer 8 references with Adobe Reader X references (including the correct Template ID), we can add Adobe Reader X as an option in the Group Policy Object.
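The result of that copy-and-replace, as an added example that is not from the original post. The policy name AdobeReaderX, the string ids and the display and help text are assumptions chosen here; only the registry key and the valueName (the Template ID Adobe-Reader-AcroRd32-v-10-1) come from the text above.

```xml
<!-- UserExperienceVirtualization.admx: add inside the existing <policies> element.
     The name "AdobeReaderX" and both string ids are assumed names for this example. -->
<policy name="AdobeReaderX" class="Both"
        displayName="$(string.AdobeReaderX)"
        explainText="$(string.AdobeReaderX_Help)"
        key="Software\Policies\Microsoft\UEV\Agent\Configuration\Applications"
        valueName="Adobe-Reader-AcroRd32-v-10-1">
  <!-- Same category and OS support as the Internet Explorer 8 entry it was copied from -->
  <parentCategory ref="Applications" />
  <supportedOn ref="windows:SUPPORTED_Windows7" />
  <!-- Enabled writes 1 (template keeps roaming), Disabled writes 0 (excluded from roaming) -->
  <enabledValue>
    <decimal value="1" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
</policy>

<!-- en-us\UserExperienceVirtualization.adml: add inside the existing <stringTable> element.
     The ids must match the $(string.…) references above; the wording is adapted from the IE 8 entry. -->
<string id="AdobeReaderX">Adobe Reader X</string>
<string id="AdobeReaderX_Help">This policy setting configures the roaming of user settings for Adobe Reader X.
By default, the user settings of Adobe Reader X roam between computers. Use the policy setting to prevent the user settings for Adobe Reader X from roaming between computers.
If you enable this policy setting, the Adobe Reader X user settings continue to roam.
If you disable this policy setting, the Adobe Reader X user settings are excluded from the roaming settings.
If you do not configure this policy setting, any defined values will be deleted.
</string>
```

Every `$(string.…)` reference in the .ADMX needs a matching id in the .ADML, and the valueName has to match the Template ID exactly, since that is the registry value Group Policy sets for the agent.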

With a quick edit of the GPO to disable the Adobe Reader X template, and a quick gpupdate command on the client, we can see the template is still available but is now disabled.

We can now enable or disable the location settings templates provided by our Settings Template Catalog as granularly as we like while both maintaining a single catalog and avoiding targeting scripts at certain machines or users.

A few things to note here:

1. While the additional configuration information resides within the GPO, it can only be accessed and modified on machines with the corresponding ADMX template.  This means that the customized .ADMX and .ADML files will need to be made available to anyone who will be managing those settings.

2. The Group Policy takes precedence over any locally defined agent settings, per the product documentation:

Order of precedence for UE-V settings

  1. User-targeted settings managed by Group Policy – These configuration settings are stored in the registry key by Group Policy under HKEY_CURRENT_USER\Software\Policies\Microsoft\Uev\Agent\Configuration.
  2. Computer-targeted settings managed by Group Policy – These configuration settings are stored in the registry key by Group Policy under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Uev\Agent\Configuration.
  3. Configuration settings defined by the current user using PowerShell or WMI – These configuration settings are stored by the UE-V agent under this registry location: HKEY_CURRENT_USER\Software\Microsoft\Uev\Agent\Configuration.
  4. Configuration settings defined for the computer using PowerShell or WMI. These configuration settings are stored by the UE-V agent under HKEY_LOCAL_MACHINE\Software\Microsoft\Uev\Agent\Configuration.

 
