Print this page
Tuesday, 03 September 2019 12:20

The Case of Missing UE-V Templates

Written by
Rate this item
(0 votes)


My customers often deal with unexpected Windows behavior and this case is no different. This particular one is especially interesting because it is common in infrastructures that use the "User Environment Virtualization" (UE-V) extension. UE-V provides capture of user-customized Windows and application settings as well as storage on a centrally managed network file share. This case opened when a customer mentioned during an on-site engagement that they experienced issues that in some cases personalized settings of logged-on users did not apply to their work session.

I knew from past experience that Windows registers UE-V settings template location via a scheduled task which enables UE-V to synchronize application settings between client computers. In this case, the fact that stood out was that the scheduled task did not run properly on systems on which the problem had occurred. Normally, the task would execute a PowerShell script which will then proceed to enumerate the Inbox UE-V Templates and register those and then disable the scheduled task (as it needs to run only once on a machine). Following a brief investigation, we determined that the task runs through only if the logged-on user has administrative permissions (which in an Enterprise environment usually spells trouble as it significantly increases the risk of lateral escalation (Pass-the-Hash (PtH))).

Now that the problem was understood, we needed a way to work around the issue. I was aware of two possible workarounds:

  1. Run the C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1 script during OS deployment.
  2. Configure the "Settings template catalog path" group policy setting (it controls the "Template Auto Update" scheduled task which is configured to run as SYSTEM.)

This led me to the recommendation to deploy the second workaround as it would fix the issue for the existing install base. The customer configured the "Settings template catalog path" group policy setting to point to "C:\ProgramData\Microsoft\UEV\InboxTemplates" and selected the checkbox to replace the default Microsoft templates that are installed with the UE-V service, verified the suggestion and confirmed that the issue was solved.

I believe that this issue is fixed in Windows 10, version 19H2. However, I did not have time or need to verify this (yet).

Read 20696 times Last modified on Tuesday, 03 September 2019 12:37