Logoff actions fail to run when "Disable command prompt script processing" GPO is enabled

Version 1

    Verified Product Versions

    AppSense Environment Manager 8.4AppSense Environment Manager 8.2AppSense Environment Manager 8.1AppSense Environment Manager 8.3

    Introduction

    When using Environment Manager 8.1 or later, you find that no Logoff actions are applied, and Desktop Settings / Session Data / Windows Settings Groups are not syncd at logoff.

    Monitoring a user logoff, you observe that EmUserLogoff.exe (the process that handles all logoff actions) is never launched.

    Detail

    In Environment Manager 8.1 through to 8.4, EmUserLogoff.exe is launched via EMExit.bat, which is configured to run at logoff.

    If the 'Prevent access to the Command Prompt' Group Policy is enabled (User Configuration\Administrative Templates\System\DisableCMD), with the 'Disable the command prompt script processing' option, EmExit.bat is blocked and logoff actions are not applied.

    NOTE: By default, this will not affect Environment Manager 8.5 onwards, however, if the new "Logon Sub-triggers" are disabled within the configuration, this reverts the logoff mechanism to use this legacy method, which will expose this issue.