EM Logoff actions not working with mandatory profile

Version 1

    Verified Product Versions

    AppSense Environment Manager 8.4AppSense Environment Manager 8.2AppSense Environment Manager 8.1AppSense Environment Manager 8.3

    Introduction

    Non-administrators using an incorrectly configured mandatory profile may see the following symptoms:
     
    • Actions in Logoff triggers and actions with flow control to run at logoff are not run.
    • Personalised applications that are open when logoff is initiated do not have their settings saved to the Personalisation Server.
    • Session Data, Desktop Settings and Certificates / Credentials are not saved to the Personalization server.
     

    Detail

    Environment Manager logoff actions are initiated by a script, EmExit.bat, which is called from a local group policy.  This is inserted into 'HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff\0\0' if not already present.  The process can fail if the user does not have appropriate access rights to the HKCU registry hive within the mandatory profile (ntuser.man), which leads to logoff actions not being triggered and leading to the symptoms above.

    This issue is most likely to occur with mandatory profiles where permissions on the registry hives have not been configured to allow the logged on user full control.

    Please check the below to amend/correct the registry permissions for your mandatory profile. (We recommend taking a backup before making any changes)
    NOTE: The mandatory profile will be unavailable while loaded in regedit.

    1. As a user with Administrative rights, open regedit and click HKEY_USERS
    2. File > Load Hive and find the appropriate ntuser.man
    3. Give it an arbitrary name - This is only used temporarily during editing
    4. Right click the name you chose and select permissions
    5. Click advanced > Add...
    6. Add a group which will encompass all users of the mandatory profile if not already present.
    7. Grant full control to this group
    8. Click Advanced
    9. Tick Replace all child permissions...."
    10. Ok > Yes > Ok
    11. Finally, highlight the loaded hive and click unload from the file menu. Failure to unload will cause the mandatory profile to be unavailable.