Certain ADMX policies applied inconsistently

Version 1

    Verified Product Versions

    AppSense Environment Manager 10.0AppSense Environment Manager 8.6AppSense Environment Manager 8.5

    Introduction

    Some group policy settings are read very early during computer startup and user logon and therefore can be applied inconsistently.  Upon investigation, you will find that Environment Manager correctly sets the registry value relating to the policy but the Operating System reads the value before it has been set.

    Detail

    The following Client Side Extensions can be unreliable when set in Environment Manager as the timings cannot be guaranteed.

    • Offline files
    • Windows desktop search preference

    EXAMPLE: Using EM 8.6 and configure the ADMX “Remove Make Available Offline” at the Pre-Desktop trigger during logon.

    Upon checking the registry on the client after logging on, all seems well. The registry value NoMakeAvailableOffline has been correctly set to 1 but, the policy has not applied and users can still set files to be available offline in Explorer.

    Pre-EM 8.5 this was a fairly common issue. In EM 8.5 onwards a new logon trigger (called Pre-Session) was introduced that applies much earlier during the logon process and therefore sets the value before the Operating System checks the policy.

    You can confirm this by using Process Monitor to check the time the policy is set versus when the Operating System checks the registry key.

    18:26:55.1811314 EmUser.exe 2916 RegSetValue HKU\S-1-5-21-436374069-1958367476-839522115-25877\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOffline SUCCESS Type: REG_DWORD, Length: 4, Data: 1 0.0000055
    18:26:55.2964279 svchost.exe 584 RegQueryValue HKU\S-1-5-21-436374069-1958367476-839522115-25877\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOffline SUCCESS Type: REG_DWORD, Length: 4, Data: 1 0.0000016

    This behaviour is discussed briefly in the Policy Product guide, search for "Client Side Extensions".

    In order to get these type of policies to work with Environment Manager you will need to configure them to run under the Pre-Session trigger (8.5 onwards).