Dynamic Environment Manager Configuration

This chapter is one of a series that make up the VMware Workspace ONE and VMware Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of Workspace ONE and Horizon solutions. This chapter provides information about common configuration and deployment tasks for VMware Dynamic Environment Manager.

Creating SMB Shares

Dynamic Environment Manager utilizes two SMB shares. The configuration share contains policy configuration data and is updated by administrators. The profile archive share is used to store and persist customized user settings and log files.

See Infrastructure Requirements for detailed information about creating and configuring NTFS and share permissions for these shares.

Note: NTFS security permissions must be created properly to ensure users are able to automatically create folders on first use, and to limit a user’s access to only their own folder.

The following sections illustrate the NTFS and share permissions used in the reference architecture.

Permissions for the Configuration Share

The following figure shows the NTFS permissions used in this reference architecture.

Graphical user interface, text, application, email

Description automatically generated

Figure 1: NTFS File Permissions on the Configuration Share

The following figure shows the share permissions used in this reference architecture.

Figure 2: Share Permissions for the Configuration Share

Permissions for the Profile Archive Share

The following figure shows the NTFS permissions used in this reference architecture.

Figure 3: Full Control Is Limited to CREATOR OWNER, SYSTEM, and Dynamic Environment Manager Admins

The following figure shows the share permissions used in this reference architecture.

Figure 4: Share Permissions for the Profile Archive Share Are Granted to Everyone

Optional, computer-based VMware Horizon® Smart Policies are available to customize the Horizon user experience for settings stored in the HKLM registry hive. Implementing computer-based policies requires agent and management console configurations, in addition to additional share permissions. See Horizon Smart Policies for additional information.

Computer-based Horizon Smart Policy settings were configured for FlexEngine (that is, the Dynamic Environment Manager agent) on the instant-clone master image. Logging computer-based settings was configured for \\vmweuc.com\share\DEM_Profiles\ComputerLogs\%computername%.log

Graphical user interface, table

Description automatically generated with medium confidence

Figure 5: LogFileName Is Set to the Computer Name for Computer-Based Smart Policies

In this case, the computer account of the instant-clone VM will create a log file in the ComputerLogs folder with a unique computer name.

The following additional NTFS advanced permissions were configured on the ComputerLogs folder: For Domain Computers, the Create files / write data and Create folders / append data check boxes were selected.

Graphical user interface, text, application, email

Description automatically generated

Figure 6: Additional Computer-Based Permissions Using Domain Computers Group

Group Policy Settings

Dynamic Environment Manager provides a number of mandatory, optional, and advanced policy settings to optimize your deployment. The following instructions are excerpted from the Dynamic Environment Manager Administration Guide. Refer to this guide for more details on Group Policy settings.

Mandatory GPO Settings

  1. Copy the VMware DEM.admx and VMware DEM FlexEngine.admx ADMX template files (and their corresponding ADML files) from the download package to the ADMX location as described in the Managing Group Policy ADMX Files Step-by-Step Guide on the Microsoft Web site.
  2. Open the Group Policy Management Console and create a new GPO or select an existing GPO that is applied to the users for which you want to configure FlexEngine.
  3. Open the Group Policy Management Editor by right-clicking the selected GPO and clicking Edit. The FlexEngine ADMX template is available under User Configuration > Administrative Templates > VMware DEM > FlexEngine.
  4. Configure the appropriate Group Policy settings for Dynamic Environment Manager. At a minimum, the following must be set:
    1. Flex config files – Location of the Dynamic Environment Manager configuration share.
    2. Profile archives – Location of the Dynamic Environment Manager user profile archive share.
  5. Configure FlexEngine to run during the Windows login process so that Dynamic Environment Manager can get all the settings for the Windows device and apply some of them as soon as the user logs in. Use either of the following mechanisms:
    1. Configure FlexEngine to run as a Group Policy extension (recommended).
    2. Configure FlexEngine to run using a logon script.
  6. Define a logoff script to configure FlexEngine to export and store profile settings when the user logs off the operating system. The syntax of the logoff script is:

“C:\Program Files\VMware\Horizon Agents\Dynamic Environment Manager\FlexEngine.exe” -s

The Group Policy settings to use are listed in the following tables.

Table 1: Dynamic Environment Manager GPO Settings for User Configuration > Policies > Administrative Templates > VMware UEM > FlexEngine



Flex config files


(Enter Dynamic Environment Manager configuration share)

Profile archives


(Location of the Dynamic Environment Manager user profile archive share)

Run FlexEngine as Group Policy Extension


Table 2: Dynamic Environment Manager GPO Settings for User Configuration > Policies > Windows Settings > Scripts




Script Name: C:\Program Files\VMware\Horizon Agents\Dynamic Environment Manager\FlexEngine.exe

Script Parameters: -s

Note: If you are using Horizon Cloud Service on Microsoft Azure and you use the Import Image wizard to import from the Azure Marketplace, the FlexEngine agent is automatically installed when the image is created, but the installation directory may differ from a standard installation. See Create a Base Virtual Machine Automatically from the Microsoft Azure Marketplace and Pair it with Horizon Cloud for the installation path and additional information. 

Optional GPO Settings

Dynamic Environment Manager has several optional GPO settings. Although not required, the following optional settings are recommended.

  • Use the Profile Archive Backups Group Policy setting to configure the location and number of backups to create. Users can restore a profile archive using either the Self-Support tool or the Helpdesk Support Tool. Keeping several backup copies increases the likelihood of successfully restoring to a known good working state. For additional information, see:
  • Use the FlexEngine Logging Group Policy setting to configure the location and filename of the FlexEngine log file, the level of log detail, and the maximum size of the log file.
  • For test environments or troubleshooting purposes, you can select the Debug log level to produce verbose log files. For production deployments, consider using a log level other than Debug or Info to prevent delayed logon times and excessive log growth.
  • Note: Debug logging can be enabled for an individual user without changing the log level for all users. This is useful for troubleshooting individual user issues. See the VMware Knowledge Base article Enabling debug logging for a single user in VMware User Environment Manager (2113514).

The Group Policy settings to use are listed in the following table.

Table 3: Dynamic Environment Manager GPO Settings for User Configuration > Policies > Administrative Templates > VMware DEM > FlexEngine



Profile archive backups


Location: \\server\ProfileArchiveShare\%username%\Backups

Number of backups: 5

FlexEngine Logging


Location: \\server\ProfileArchiveShare\%username%\Logs\FlexEngine.log

Log level: Warn

Horizon Smart Policies

Horizon Smart Policies represent an integration between Dynamic Environment Manager and Horizon. Although a number of ADMX templates are available to configure Horizon, Dynamic Environment Manager provides you the ability to fine tune the Horizon user experience by combining policy settings with conditions, while removing the dependency on GPOs. See Create a Horizon Smart Policy in Dynamic Environment Manager to learn more.

Many of the Horizon Smart Policy settings can be used to optimize the VMware Blast Extreme display protocol.

Figure 7: User-Based (on Left) and Computer-Based (on Right) Horizon Smart Policy Settings

The Dynamic Environment Manager Enhanced Horizon Smart Policies feature walk-through provides an overview of both user- and computer-based Horizon Smart Policy options.

See the VMware Blast Extreme Optimization Guide for guidance on tuning Blast Extreme for your use cases and network conditions.

The following tables contain some simple sample Horizon Smart Policies, which are defined in the Dynamic Environment Manager Management Console. Adapt them to suit the use case and environment.

Table 4: Horizon Smart Policies – External

Policy settings

USB redirection: Deny

Printing: Deny

Clipboard: Deny

Blast Extreme Switch encoder: Enable


Horizon Client property Client location is equal to External

Table 5: Horizon Smart Policies – Internal

Policy settings

USB redirection: Enable

Printing: Enable

Clipboard: Enable

Client drive redirection: Enable

Blast Extreme Switch encoder: Enable


Horizon Client property Client location is equal to Internal

Table 6: Horizon Smart Policies – ZContractor

Policy settings

USB redirection: Deny

Printing: Enable

Clipboard: Deny

Client drive redirection: Deny

Blast Extreme Switcher Encoder: Enable


Horizon Client property Client location is equal to Internal


User is a member of an Active Directory group Contractor

You should also configure a triggered task to ensure that Smart Policies are reevaluated every time a user reconnects to a session, so the user gets the appropriate policy applied. See Configure Triggered Tasks for more information.

Table 7: Triggered Task – Horizon Smart Policies




Reconnect Session


Use Environment refresh


Horizon Policies

Additional Configuration

Dynamic Environment Manager provides options to manage many aspects of the user environment. The following configurations were made for this reference architecture.

  • Configure folder redirection to abstract user data to SMB shares. Use the Dynamic Environment Manager user environment settings described in the following table.

Table 8: Folder Redirection – User Environment Policies

Policy Settings

Remote path: User’s Home drive share using the %username% variable. Example:  \\vmweuc.com\share\Users\%username%

Folders to redirect: Documents
Note: Depending on your needs, you might also want to select Downloads, Music, Pictures, and Videos. Be aware that selecting these folders places a larger load on your file servers, requiring additional disk space and higher performance requirements.



  • Configure application blocking to prevent users from running cmd.exe. See Configure Application Blocking to enable and configure the application-blocking rules.
  • Configure Dynamic Environment settings to map the H: drive to the user’s home drive and to map location-based printers. See Using the User Environment Tab for more information.
  • As was described earlier in this chapter, in Group Policy Settings, to configure FlexEngine, you create a GPO in Active Directory. To configure the GPO, use the administrative templates that are provided with Dynamic Environment Manager.

You can use multiple GPOs if you need to provide different FlexEngine configurations, for example, to manage multiple environments for multiple users. An example of different GPOs is shown in the following figure.

Figure 8: Example of Dynamic Environment Manager GPOs

Important: Command-line arguments can override all FlexEngine settings configured through a GPO. FlexEngine command-line arguments have a higher priority than GPO settings. See FlexEngine Command-Line Arguments for additional information.


High Availability with Windows Failover Clustering

Because Dynamic Environment Manager leverages the existing infrastructure, you do not need to take many measures to make a highly available solution.

For an example Dynamic Environment Manager configuration with Microsoft DFS, see the Multi-site Design section in Dynamic Environment Manager Architecture.

You can also use Windows failover clustering for high availability of the Dynamic Environment Manager file shares. A failover cluster is a group of independent computers that provide continuous availability for applications and services. If one computer fails, another computer continues to provide the service, and users experience minimum downtime. For more information, see the Microsoft article, Failover Cluster Step-by-Step Guide: Configuring a Two-Node File Server Failover Cluster.

Select an Option for a Clustered File Server

Figure 9: Select an Option for a Clustered File Server

Important: When Using Windows Server 2012, select File Server for general use. Do not select the Scale-Out File Server for application data option, because it is incompatible with Dynamic Environment Manager data, user profiles, redirected folders, and home drives.

You can combine DFS and clustering for better scalability and high availability. For more information, see the Microsoft blog post, Deploying DFS Replication on a Windows Failover Cluster – Part III.

Folder Redirection

Folder redirection, which is described in the Microsoft topic Folder Redirection and Roaming User Profiles, has been available for many versions of Windows. This technology enables certain folders in a user profile, which contain user data and user configuration data, to be redirected to a network share. Users and applications interact with the folders as if they were local to the guest OS, though the content resides on a remote share.

For the purposes of this section, the following definitions are used:

  • User data – Content created by an end user (examples: document, graphic, or presentation) and saved to one of the predefined Windows profile folders (examples: Documents, Pictures, or Desktop).
  • User configuration data – Windows and application configuration settings that control the look and behavior of Windows and applications. As users customize their desktop environment, configuration data is stored in the registry (HKCU) or in configuration files (examples: INI or XML files stored in the AppData folder).

Folder redirection has been used for years with physical and virtual PCs for two key reasons:

  • End users are free to roam from device to device in their organization, and still have access to user content data and user configuration data.
  • Redirecting data to network shares makes it considerably easier for IT to back up and restore data as needed.

Folder Redirection with Dynamic Environment Manager

Dynamic Environment Manager is designed to manage user configuration data, while relying on complementary technology such as folder redirection to persist user data.

Which folder you choose to redirect will vary. Dynamic Environment Manager environment settings can be used to configure folder redirection. This method provides some guidance on recommended folders to redirect. The Desktop folder requires special consideration. Users may choose to save user data, desktop shortcuts, and more to this location, though it is not an ideal candidate for redirection.

Best practice is to redirect profile folders that contain user data to the user’s home directory so that the content is always available and easy to back up.

Unlike a roaming profile solution, which copies user data from the network to the guest and back with each Windows session, folder redirection simply redirects file access to the network share. In comparison, folder redirection can dramatically improve login and logout times, and reduce the likelihood of data corruption.

Configuring Folder Redirection in Dynamic Environment Manager

You can configure folder redirection in the Dynamic Environment Manager Management Console, as shown in the following figure.

Figure 10: Folder Redirection Configuration

Using Dynamic Environment Manager to configure folder redirection offers several advantages:

  • Consolidation of folder redirection settings in a common management interface used for various other user environment settings
  • Flexibility to make changes to folder redirection without having to undergo GPO change control processes
  • Ability to combine folder redirection configurations with the conditions that Dynamic Environment Manager provides

You can alternatively configure folder redirection through standard group policies available in Active Directory. Using the GPO option provides some additional functionality not available when using Dynamic Environment Manager to configure folder redirection.

  • GPO offers the option to move existing user data to the redirected folder.
  • GPO can also enable offline files, which makes the redirected folders available offline. This option is mainly used for roaming laptops.

When users roam across physical or virtual desktops or RDSH servers, we recommend redirecting only profile folders that contain user data, such as the Documents and Pictures folders, to the user’s home directory.

For performance reasons, we do not recommend redirecting folders like AppData and the Programs menu. Instead, for profile folders that contain application and Windows configurations, such as AppData, we recommend creating Flex configuration files and using the Dynamic Environment Manager import and export functionality to manage which personalization settings to store. The following figure shows the import/export configuration for Adobe Acrobat Reader.

Adobe Acrobat Reader Config File Import/Export Section

Figure 11: Adobe Acrobat Reader Configuration File Import/Export Section

Additional benefits of managing profile settings with Dynamic Environment Manager include:

  • Reduced network storage because the folders and files have stricter management and compression
  • Cross-platform usage for settings
  • Fewer open file handles to the file servers


Multiple Environments

Creating and managing multiple Dynamic Environment Manager environments is easy. You can use multiple environments to:

  • Support separation of administrative duties across departments
  • Manage test, development, and production environments independently
  • Support multi-tenant environments

See Managing Multiple Environments for more information.

Using Group Policy to Configure the Management Console

You create multiple environments by creating multiple Dynamic Environment Manager configuration shares and managing them from a central installation of the Management Console. With the Management Console, you can switch between environments and export and import settings between different environments. You can configure the Management Console manually or using a GPO.

Dynamic Environment Manager provides ADMX templates to configure the Management Console. You can configure one or more environments (configuration shares) in the GPO and link the GPO to the appropriate group of users.

When the GPO is used, a user cannot change the Management Console environment settings manually. The settings are mandatory to prevent users from adding other environments. See Configuring Environments Through Group Policy for more information.

If environments are configured using Group Policy, you can also lock down access to the Management Console by using the policy setting Lock down access to VMware DEM Management Console (defined in the Management Console ADMX template). You can lock down the Management Console entirely or choose which Management Console features users can access. See Lock Down Access to the Management Console for more information.

Exporting Settings Between Environments

It is easy to transfer changes from one environment to another. The export feature prevents users from manual-copy errors in the production environment and prevents copy errors when transferring changes from the test environment to production. With this feature, Dynamic Environment Manager supports a tiered change model, which is often seen in organizations that use ITIL-based processes.

To export a setting from one environment to another, right-click the Flex configuration file or setting in the Dynamic Environment Manager Management Console and select Export. You can also select multiple Dynamic Environment Manager settings and export them at the same time.

You can configure Dynamic Environment Manager settings and then send them to another department by using the Management Console export function. When only one configuration share is configured, the export function sends settings to a file. You can then send the exported file using any transport mechanism, such as USB removable media or FTP. If more than one configuration share is configured, you can export Flex configuration files to another share, such as, to a test environment.

If you have access to the Application Profiler, you can also save the output of the Application Profiler in this configuration share.

Centrally Managed Dynamic Environment Manager Environments

The following figure shows an example of two users with separate Dynamic Environment Manager environments, managed centrally with the Dynamic Environment Manager management tools.

Figure 12: Two Dynamic Environment Manager Environments Managed Centrally

A central IT department can manage multiple Dynamic Environment Manager environments. This example assumes that the Dynamic Environment Manager clients for the two users are in different Active Directory domains, and IT uses two GPOs (one in each domain) to configure the clients. Each domain has its own Dynamic Environment Manager configuration and profile shares. IT manages each environment centrally and can create new printer mappings, reset profiles, and so on.

Tiered Dynamic Environment Manager Environments

Dynamic Environment Manager supports a tiered model with development, test, acceptance, and production environments. The following figure illustrates tiered Dynamic Environment Manager environments. Changes are made in the central development environment and then are copied to the department’s acceptance environments. Environment-specific administrators can use their own installed Dynamic Environment Manager management tools to test and accept changes and move them to production.

Figure 13: Tiered Dynamic Environment Manager Environments

This example requires both environments A and B to install their own Dynamic Environment Manager, so each environment can be managed separately. The tiered approach with development, acceptance, and production environments allows users to test the configuration in different environments before moving those changes to production. This setup does not require multiple Active Directory domains.

The setup of FlexEngine and file shares is the same as a regular setup, but additional GPOs are used to link computers to the correct environment. For example, you can create a GPO called Acceptance, and link a set of computers to this GPO. Use these computers to test changes before copying them to the production environment. Using multiple GPOs allows you to separate computers and link them to the correct Dynamic Environment Manager environment.

Functionality is not limited to the use cases depicted in the figures shown in this section and the previous section. For instance, you could also combine the two use cases or design your own approach.

Decentralized IT Infrastructure with Multiple Locations

In a decentralized infrastructure with physical Windows clients dispersed across different locations connected through WAN links, the Dynamic Environment Manager configuration share can be replicated to file servers at multiple locations.

If the locations are connected with a LAN, you can also use a central Dynamic Environment Manager configuration share. As with all infrastructure changes and products, the solution depends on your specific scenario. The only way to determine the best solution for the best performance is to test thoroughly.

In general, it is best to use your existing replication methods. If you have SAN or NAS storage that provides a replication solution for high availability and disaster recovery, use that. The replication method can be either file-based or block-based replication. If you already use Windows Server Failover Clustering (WSFC) or DFS, use that. You can also use scripts to create an infrastructure that supports Dynamic Environment Manager.

You can configure the different clients to connect to the right Dynamic Environment Manager environment by using multiple Active Directory GPOs.


With its few infrastructure dependencies and verbose, human readable logging capabilities, Dynamic Environment Manager is relatively easy to troubleshoot. The following resources will help you quickly resolve common issues.

For more information, also see the following useful VMware Knowledge Base articles:

Summary and Additional Resources

Now that you have come to the end of this configuration chapter on Dynamic Environment Manager, you can return to the landing page and use the tabs, search, or scroll to select your next chapter in one of the following sections:

  • Overview chapters provide understanding of business drivers, use cases, and service definitions.
  • Architecture chapters give design guidance on the products you are interested in including in your platform, including Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon Cloud Service, Horizon, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
  • Integration chapters cover the integration of products, components, and services you need to create the platform capable of delivering the services that you want to deliver to your users.
  • Configuration chapters provide reference for specific tasks as you build your platform, such as installation, deployment, and configuration processes for Workspace ONE, Horizon Cloud Service, Horizon, App Volumes, Dynamic Environment Management, and more.

Additional Resources

For more information about VMware Dynamic Environment Manager, you can explore the following resources:


The following updates were made to this guide:


Description of Changes


  • Added this Summary and Additional Resources section to list changelog, authors, and contributors within each design chapter.

Author and Contributors

This chapter was written by:

  • Josh Spencer, Senior Product Line Manager, End User Computing, VMware.
  • Graeme Gordon, Senior Staff End-User-Computing (EUC) Architect in End-User-Computing Technical Marketing, VMware.
  • Pim van de Vis, Lead Solution Engineer in End-User Computing, VMware.


Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Associated Content

home-carousel-icon From the action bar MORE button.

Filter Tags

Horizon Dynamic Environment Manager Document Reference Architecture Advanced Deploy Windows Delivery