VMware Workspace ONE Cloud-Based Reference Architecture

Component Design: User Environment Manager Architecture

VMware User Environment Manager™ provides profile management by capturing user settings for the operating system and applications. Unlike traditional application profile management solutions, User Environment Manager does not manage the entire profile. Instead it captures settings that the administrator specifies. This reduces login and logout time because less data needs to be loaded. The settings can be dynamically applied when a user launches an application, making the login process more asynchronous. User data is managed through folder redirection.

Figure: User Environment Manager

Note: VMware App Volumes AppStack applications are not currently supported on Microsoft Azure.

User Environment Manager is a Windows-based application that consists of the following components.


Table: User Environment Manager Components



Active Directory Group Policy

  • Mechanism for configuring User Environment Manager.
  • ADMX template files are provided with the product.

NoAD mode XML file

  • An alternative to using Active Directory Group Policy for configuring User Environment Manager. With NoAD mode, you do not need to create a GPO, write logon and logoff scripts, or configure Windows Group Policy settings.


IT configuration share

  • A central share (SMB) on a file server, which can be a replicated share (DFS-R) for multi-site scenarios, as long as the path to the share is the same for all client devices.
  • Is read-only to users.
  • If using DFS-R, it must be configured as hub and spoke. Multimaster replication is not supported.


Profile Archives share

  • File shares (SMB) to store the users’ profile archives and profile archive backups.
  • Is used for read and write by end users.
  • For best performance, place archives on a share near the computer where the User Environment Manager FlexEngine (desktop agent) runs.

UEM FlexEngine

  • The User Environment Manager Agent that resides on the virtual desktop or RDSH server VM being managed.

Application Profiler

  • Utility that creates a User Environment Manager Flex configuration file from an application by determining where the application stores configuration data in the registry and file system. User Environment Manager can manage settings for applications that have a valid Flex configuration file in the configuration share.

Helpdesk Support Tool

  • Allows support personnel to reset or restore user settings.
  • Enables administrators to open or edit profile archives.
  • Allows analysis of profile archive sizes.
  • Includes a log file viewer.


  • Optional self-service tool to allow users to manage and restore their configuration settings on an environment setting or application.

The following figure shows how these components interact.

Figure: User Environment Manager Logical Architecture

User Profile Strategy

A Windows user profile is made of multiple components, including profile folders, user data, and the user registry. See About User Profiles for more information about Windows user profiles.

There are a number of user profile types, such as local, roaming, and mandatory. User Environment Manager complements each user profile type, providing a consistent user experience as end users roam from device to device. User Environment Manager is best-suited to run long-term with local and mandatory profile types. See User Environment Manager Scenario Considerations in the VMware User Environment Manager documentation for more information and considerations when using roaming profiles.

Folder redirection can be used to abstract user data from the guest OS, and can be configured through GPO or using the User Environment Manager user environment settings.

Figure: User Environment Manager User Profile Strategy

Design decision: Mandatory profiles and folder redirection were used in this reference architecture. A mandatory user profile is a preconfigured roaming user profile that specifies settings for users. With mandatory user profiles, a user can modify their desktop during a session, but the changes are not saved when the user logs out. Because all settings are managed by User Environment Manager, there is no need to persist these settings on log-out.

To learn more, see the blog post VMware User Environment Manager, Part 2: Complementing Mandatory Profiles with VMware User Environment Manager.

We followed the process outlined in Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop to create the mandatory profile. Restrictions in the Microsoft Azure interface interfere with the creation of a mandatory profile on an Azure VM. Instead, we completed the process on a vSphere VM in the on-premises data center, and copied the mandatory profile to Azure.

Important: If you take this approach, use the same Windows build and profile version when building the mandatory profile as you will deploy in Horizon Cloud on Microsoft Azure. See the VMware Horizon Cloud Service on Microsoft Azure Release Notes in the VMware Horizon Cloud Service on Microsoft Azure documentation for a list of supported guest OS versions. For a list of associated profile versions, see Create Mandatory User Profiles.


User Environment Manager requires little infrastructure. AD GPOs are used to specify User Environment Manager settings, and SMB shares are used to host the configuration data and profile data. Administrators use the User Environment Manager Management Console to configure settings.

Figure: User Environment Manager Infrastructure

Design decision: Active Directory Group Policy was chosen over NoAD mode. This design choice provides the flexibility to apply different user environment configuration settings for different users. An ADMX template is provided to streamline configuration.

If you choose to use NoAD mode:

  • The FlexEngine agent must be installed in NoAD mode.
    Important: If you use the Import Image wizard from the Azure Marketplace with Horizon Cloud on Microsoft Azure, the FlexEngine agent will be automatically installed for use with GPOs. You will need to reinstall the agent in NoAD mode.
  • Be sure to configure your User Environment Manager configuration share before installing the FlexEngine agent. You must specify the path to the configuration share as part of the NoAD-mode installation process.

Key Design Considerations

When designing an infrastructure for User Environment Manager, use the following guidelines:

  • Use DFS-R or file-server clustering to provide HA to configuration and user shares.
  • Use loopback processing when applying the GPO settings to computer objects.

Multi-site Design

User Environment Manager data consists of the following types. This data is typically stored on separate shares and can be treated differently for availability: 

  • IT configuration data – IT-defined settings that give predefined configuration for the user environment or applications
  • Profile archive (user settings and configuration data) – The individual end user’s customization or configuration settings

It is possible to have multiple sets of shares to divide the user population into groups. This can provide separation, distribute load, and give more options for recovery. By creating multiple User Environment Manager configuration shares, you create multiple environments. You can use a central installation of the Management Console to switch between these environments and export and import settings between environments. You can also use User Environment Manager group policies to target policy settings to specific groups of users, such as users within a particular Active Directory OU.

To meet the requirements of having User Environment Manager IT configuration data and user settings data available across two sites, this design uses Distributed File System Namespace (DFS-N) for mapping the file shares. 

Although we used DFS-N, you are not required to use DFS-N. Many different types of storage replication and common namespaces can be used. The same design rules apply.

IT Configuration Share 

For IT configuration file shares, DFS-N is fully supported.

Note: The configuration share should allow users only to read and not to write or make any changes. Only administrators should be able to make changes to the content of the share.

Figure: IT Configuration Share – Supported DFS Topology

Profile Archive Shares 

For user settings file shares, DFS-N is fully supported.

Figure: Profile Archive Shares – Supported DFS Topology

Switching to another file server in the event of an outage requires a few simple manual steps:

  1. Manually disable the active DFS-N folder target.
  2. Enable the passive DFS-N folder target.
  3. Remove the read-only option on the target.

Figure: Profile Archive Shares – Failover State

The User Environment Manager Management Console can be installed on as many computers as desired. If the Management Console is not available after a disaster, you can install it on a new management server or on an administrator’s workstation and point that installation to the User Environment Manager configuration share.


You can install and configure User Environment Manager in a few easy steps:

  1. Create SMB file shares for configuration data and user data.
  2. Import ADMX templates for User Environment Manager.
  3. Create Group Policy settings for User Environment Manager.
  4. Install the FlexEngine agent on the virtual desktop or RDSH server VMs to be managed.
    • If you manually create a master VM, install the FlexEngine agent according to the VMware User Environment Manager documentation.
    • The FlexEngine agent is automatically installed when the image is created using the Import Image wizard to import from the Azure Marketplace.
      The installation directory defaults to C:\Program Files\VMware\Horizon Agents\User Environment Manager.
  5. Install the User Environment Manager Management Console and point to the configuration share.

Refer to Installing and Configuring User Environment Manager in the VMware User Environment Manager documentation for detailed installation procedures. Also see the Quick-Start Tutorial for User Environment Manager. We used User Environment Manager 9.4.

Next Steps

After installing User Environment Manager, perform the following tasks to verify functionality:

  • Install the User Environment Manager Agent (FlexEngine agent) on one or more virtual desktop or RDSH server VMs to be managed.
  • Set a few customizations (for example, desktop shortcuts for VLC, Notepad++).
  • Use the Management Console to download and use configuration templates for one or more applications. Configuration templates are preconfigured Flex configuration files that are designed to facilitate the initial implementation of popular applications.

    The configuration templates are starter templates that you must test in your environment and possibly modify to suit the needs of your organization. See Download Configuration Templates in the VMware User Environment Manager Administration Guide.
  • (Optional) Use the Easy Start feature when performing a proof of concept. Easy Start is not recommended for production implementations.

    Important: If the FlexEngine agent was automatically installed in your Windows desktop image as part of the Horizon Cloud on Microsoft Azure Import Image wizard, any desktop shortcut that references FlexEngine.exe will need to be modified to reflect the correct executable path.
  • Log in to the virtual desktop or RDSH-published application and verify that User Environment Manager has made the requested changes.
  • Check the user log to verify that User Environment Manager is working, or troubleshoot if it is not working as expected. The logs folder is in the SMB share specified for user data.
  • Familiarize yourself with Horizon Smart Policies and Horizon Client Property conditions. See Using Smart Policies in Configuring Remote Desktop Features in Horizon 7 for requirements, settings, and configuration details.

    Important: Take note of the following nuances when using Smart Policies with Horizon Cloud Service with Microsoft Azure as opposed to Horizon 7.
    • The Horizon Client Property Pool Name applies to pools in Horizon 7, but in Horizon Cloud, this property applies to a similar construct called an Assignment.
    • The Horizon Client Property Launch Tags is applicable only to Horizon 7. Horizon Cloud Service on Microsoft Azure does not support the Launch Tags property.