Leveraging VMware UEM to reduce Microsoft GPO usage

Microsoft GPOs

We all know (well most reading this post) well enough about Microsoft Group Policy Objects (GPOs) and how they can help automate or control a desired action or state of a computer system. We also know that we have either created too many or come across customer environments that just have a huge excess of GPOs. Rightfully so, that excess might have been a necessary evil to get a printer or drive mapped, an application blocked, or even to tweak PCoIP settings for a VMware Horizon install. Well did you know that VMware’s User Environment Manager (UEM) can also handle a bunch of Group Policy tasks by accessing ADMX files within Active Directory also?



VMware User Environment Manager

VMware UEM

VMware User Environment Manager, or UEM as we most affectionately call it, is VMware’s end-user profile management solution that more or less can replace VMware Persona Management. UEM can offer personalization and dynamic policy configuration across any virtual, physical and cloud-based Windows desktop environment. VMware UEM is also a key component in JMP (pronounced Jump). JMP is the next-generation desktop and application delivery platform included with VMware Horizon Enterprise and leverages UEM, Instant Clones, and App Volumes.

UEM is mostly used for profile management of user settings such as appearance or compliance with corporate policy. It can also be used to reduce the number of Microsoft GPOs as it can access ADMX files within Active Directory. How you ask? Well, I am going to walk us through choosing a few things for UEM to handle vs. setting up yet another Microsoft GPO.

Getting Started

We will step the process of creating an ADMX policy to block the Control Panel from the end user. This walkthrough will assume that you already have UEM running in your Lab or Production environment. If you do not yet have UEM, please review these great guides from Chris HalsteadCarl Stalhood, and Dale Carter before moving on.

  1. First we will launch the UEM Management Console, and click the User Environment tab
  2. With “ADMX-based Settings” selected on the left, click Create
  3. Give the policy a name that makes sense; Remove Control Panel
  4. Once your policy has been named, click Select Categories
  5. Next we will check the box next to Control Panel
  6. Click OK to return back to the policy main screen
  7. Next click on Edit Policies…
  8. From here double click on the setting “Prohibit access to the Control Panel”
  9. Be sure to select “Enabled” and then click OK to save the change
  10. Notice your ADMX setting is now Enabled
  11. Close the window with the X
  12. At this point your policy is configured and can be reviewed from here before clicking Save to continue
  13. This brings you back to the UEM Management console where you can see your newly created ADMX policy

This policy will now apply to all Horizon 7 desktops that are using UEM. To limit usage of this policy, or any policy for that matter,  you could setup a Condition within the policy to only apply if a certain condition was met. Think about something like a Call Center user does not need Control Panel access vs. an IT user who may need Control Panel access. You could use a Condition that would apply to an Active Directory Security Group called “Call Center Users” for instance. When the UEM config is read it would only apply the Remove Control Panel policy if the end user was a member of the “Call Center Users” group.


As you can see from the steps in this post, it can be fairly simple to leverage UEM to do the same thing you may be doing with a Microsoft GPO. In my example we blocked the Control Panel from end users. You may consider removing a GPO that blocks applications, maps printers, or customizes an Office setting. Whatever that may be, User Environment Manager will be here to help.




Leave a Reply

Your email address will not be published. Required fields are marked *