The Case of Missing UE-V Templates

Tuesday, 03 September 2019 12:20

The Case of Missing UE-V Templates

Written by Anton Romanyuk

font size decrease font size increase font size
Print
Email
1 comment

Rate this item

(0 votes)

My customers often deal with unexpected Windows behavior and this case is no different. This particular one is especially interesting because it is common in infrastructures that use the "User Environment Virtualization" (UE-V) extension. UE-V provides capture of user-customized Windows and application settings as well as storage on a centrally managed network file share. This case opened when a customer mentioned during an on-site engagement that they experienced issues that in some cases personalized settings of logged-on users did not apply to their work session.

I knew from past experience that Windows registers UE-V settings template location via a scheduled task which enables UE-V to synchronize application settings between client computers. In this case, the fact that stood out was that the scheduled task did not run properly on systems on which the problem had occurred. Normally, the task would execute a PowerShell script which will then proceed to enumerate the Inbox UE-V Templates and register those and then disable the scheduled task (as it needs to run only once on a machine). Following a brief investigation, we determined that the task runs through only if the logged-on user has administrative permissions (which in an Enterprise environment usually spells trouble as it significantly increases the risk of lateral escalation (Pass-the-Hash (PtH))).

Now that the problem was understood, we needed a way to work around the issue. I was aware of two possible workarounds:

Run the C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1 script during OS deployment.
Configure the "Settings template catalog path" group policy setting (it controls the "Template Auto Update" scheduled task which is configured to run as SYSTEM.)

This led me to the recommendation to deploy the second workaround as it would fix the issue for the existing install base. The customer configured the "Settings template catalog path" group policy setting to point to "C:\ProgramData\Microsoft\UEV\InboxTemplates" and selected the checkbox to replace the default Microsoft templates that are installed with the UE-V service, verified the suggestion and confirmed that the issue was solved.

I believe that this issue is fixed in Windows 10, version 19H2. However, I did not have time or need to verify this (yet).

Read 3102 times Last modified on Tuesday, 03 September 2019 12:37

Published in Windows 10

Anton Romanyuk

Latest from Anton Romanyuk

More in this category: « The Case of Corrupted Store Apps

Comments (1)
Add yours

F.Lemay

about 2 weeks ago
#213

This comment was minimized by the moderator on the site

Having the same issue with the "auto-register inbox template". It doesn't run in the context of none-admin users' the "Register-UEVTemplate" commands requires admin right.

I don't understand your solution in #2. The "Template Auto Update" Scheduled Task is already there as soon as I Enable the "Enable-UEV" Policy, even if I leave the "Settings template catalog path" Computer Policy set to "Not Configured". But that task doesn't seem to Register the Inbox Template?

So I tried anyway - I enabled that policy ("Settings template catalog path"). But it requires a path? So I tried using %ProgramData%\Microsoft\UEV\InboxTemplates (where the templates are) but that didn't make a difference; It's still not registering the templates.

F.Lemay

There are no comments posted here yet

Leave your comments

Posting comment as a guest.

Name (Required)

Website

Background

0 Characters

Attachments (0 / 3)

Share Your Location