Manage User Experience Virtualization on the Modern Desktop

in Microsoft
Manage User Experience Virtualization on the Modern Desktop

Use Microsoft User Experience Virtualization on Azure AD-joined Windows desktops to roam user’s Windows and applications preferences between devices.

Since this article was written, Microsoft has enabled Proactive Remediations and the Settings Catalog in Endpoint Manager. This means that a scheduled task is no longer required, and User Experience Virtualization can be configured directly via policy. For an update approach to this implementation, see the new scripts here: User Experience Virtualization scripts.

On the modern Windows 10/11 desktop with Office 365 and Azure AD Premium, application preferences are roamed by two components - the Microsoft 365 desktop applications roam settings when used with Office 365 and when enabled, Enterprise State Roaming synchronises specific settings.

Before you ask - yes, User Experience Virtualization is still a thing. UE-V is a component of Windows 10 Enterprise that can roam a user’s application preferences across desktops. UE-V works by defining user profile locations specific to an application and importing and exporting those settings into and out of the profile at login / logout or application launch / close.

Why

User-driven device provisioning via Windows Autopilot can make a Windows PC ready for the user in about an hour. This includes their applications, and preferences I’ve covered above.

When a user signs into a new PC, their key Windows and Office settings will sync, but not preferences for any application that Enterprise State Roaming does not manage.

Application preferences not roamed to a newly provisioned PC is likely to be a disruptive experience. User Experience Virtualization can be configured to roam those application settings on an Azure AD-joined PC using the right synchronisation tool.

Consider a common example such as Google Chrome. Chrome implements its own sync mechanism via Google accounts, but this often means that users will sign into Chrome with their personal Google accounts. Chrome and ChromeOS can be managed via Chrome Enterprise where it is possible to use Azure AD as the IdP source. The browser can then be managed across your PC estate; however, this requires Google Workspace licensing. If Google isn’t a strategic play, then UE-V can capture Chrome settings and ensure a consistent experience across managed Windows devices.

I highly recommend that you migrate from Google Chrome to Microsoft Edge. Edge supports signing into the browser with a Microsoft 365 account, enabling the you to better secure corporate credentials, while roaming the end-user’s preferences between devices.

How

Azure AD-join and Windows Autopilot enable a consistent provisioning experience for Windows PCs regardless of location, but unlike a traditional domain-joined PC, you lose management features including Group Policy. UE-V would typically be enabled with Group Policy and a file share, but our target PCs are often not used within the corporate network, so synchronising application preferences between PCs requires another mechanism. Additionally we need to re-think enabling UE-V on the end-point and delivering UE-V templates to those devices.

OneDrive for Business as a Sync Mechanism

Most organisations we see deploying Windows 10 in a modern management context with Microsoft Intune are also Office 365 customers. This naturally makes OneDrive for Business available as a sync mechanism and it’s a solution that Microsoft even mentions in the UE-V documentation. Any enterprise file and sync solution could be used including Citrix ShareFile or Dropbox.

Managing UE-V with Microsoft Intune

To manage UE-V on Windows PCs via Microsoft Intune, we need to implement a few things:

  1. Windows 10/11 Enterprise - UE-V is only a feature of Windows 10/11 Enterprise devices. This might be implemented by Intune via the Upgrade Windows 10 Edition configuration profile or via a Microsoft 365 / Windows 10/11 Enterprise E3/E5 license
  2. UE-V settings templates - these define the profile locations for application preferences to roam
  3. A public HTTPS location to host UE-V templates. In my test configuration, I’ve used an Azure Storage Account so that I can use the List Containers API to query the storage for the templates to download. This location will only host XML files that clients will download, but uploads should be controlled and validated
  4. Intune proactive remediations to download the UE-V templates on managed clients
  5. A Settings Catalog configuration profile to configure the UE-V client

To this end, I’ve written a script to enable UE-V on managed PCs and setup a second script that runs as a scheduled task to download the UE-V templates.

Deploy UE-V via Intune

Proactive Remediations

Proactive remediations is used to detect the status of the UE-V service on the client and ensure the require UE-V settings templates are downloaded.

  • Detect-Uev.ps1 - a Proactive remediation script to detect the status of the UE-V client including the UE-V service and the settings catalog XML files
  • Invoke-Uev.ps1 - a Proactive remediation script that enables the UE-V client, and downloads a set of UE-V settings templates from an Azure storage account

The scripts will determine whether the UE-V settings templates located in C:\ProgramData\Microsoft\UEV\CustomTemplates match those stored on the specified Azure storage account. If they don’t match, Invoke-Uev.ps1 will ensure they do.

Import these scripts and assign to your target devices. The status of the clients will then be reported in the Endpoint Manager admin center:

Intune proactive remediation status

Settings Catalog Configuration Profile

The UE-V client can be configured using a Settings Catalog configuration profile. UserExperienceVirtualization-Profile.json is an export of a configured profile in my own tenant that you can import into your own tenant for testing.

Settings Catalog Device Configuration Profile

This profile includes several key settings to ensure the UE-V agent is configured to match the script and store user settings in OneDrive:

  • Configure Sync Method - Enabled
  • Sync Method: (Device) - External
  • Enable UE-V - Enabled
  • Settings storage path - %OneDriveCommercial%
  • Settings template catalog path (Device) - %ProgramData%\Microsoft\UEV\CustomTemplates

Review the following documentation on UE-V to understand how the client could be configured in your environment - Settings and data roaming FAQ and Set-UevConfiguration.

SettingValueNotes
ComputerTrueApplies the settings to all users on the computer.
DisableSyncProviderPingTrueDisables the synchronization provider from pinging the network. Not needed for OneDrive.
DisableSyncUnlistedWindows8AppsTrueDisables the synchronization of unlisted Windows Store apps. Assuming ESR is used
EnableDontSyncWindows8AppSettingsTrueUE-V does not synchronize Windows Store app settings. Assuming ESR is used
EnableSettingsImportNotifyTrueIf the settings import takes longer than the amount of time that you specify for the SettingsImportNotifyDelayInSecond parameter, UE-V notifies the user
EnableSyncTrueUE-V synchronizes the settings that are defined in the settings location templates that you have enabled
EnableWaitForSyncOnApplicationStartTrueEnsures that application settings are synced locally and imported before starting the app
SettingsStoragePath%OneDriveCommercial%Specifies the path of the location where UE-V stores the user settings
SyncMethodExternalTells UE-V that OneDrive will manage sync
WaitForSyncTimeoutInMilliseconds2000This is the default wait timeout value. Test various network scenarios before increasing

Results

With %OneDrive% or %OneDriveCommercial% as the target UE-V Settings Storage Path, the user’s OneDrive sync folder will host a SettingsPackages folder that contains application settings.

UE-V Settings Packages folder in OneDrive

With OneDrive Files On Demand, settings packages will download as applications are launched. The folder can be set to always offline with the attrib command.

Continuous Deployment to Azure Blob Storage

As a location for storing scripts and UE-V templates, Azure Blob storage enables us to create a continuous deployment solution for new UE-V templates. As these settings templates are added, modified, or removed, automatic validation of the template, upload to blob storage, then reflection of these changes on clients will ensure the entire end-to-end process can be automated.

I’m using an Azure Pipeline with a connection to the scripts and templates stored on GitHub (the code could also be stored in Azure DevOps). The project uses service connections to GitHub to retrieve the code and templates, and to the Azure subscription for rights to the target storage account.

The pipeline performs two tasks:

  1. Validate the UE-V settings templates against the template schema. This ensures that clients only receive valid templates
  2. Upload the UE-V settings templates to the target Azure storage account using the Azure File Copy task, only if the settings templates pass validation

Here’s the pipeline which includes a trigger to run any time the settings templates are updated:

trigger:
  branches:
    include:
    - main
  paths:
    include:
    - Uev/templates/*
    - Uev/tests/*
    - Uev/Publish-Templates.yml

jobs:
- job: push_templates
  pool:
    vmImage: windows-latest
  steps:
  - checkout: self
    persistCredentials: true

  - task: PowerShell@2
    displayName: "Install Pester"
    inputs:
      targetType: 'inline'
      script: |
        Install-Module -Name "Pester" -Force -Confirm:$False
      verbosePreference: 'SilentlyContinue'
      pwsh: true
      workingDirectory: '$(Build.SourcesDirectory)'

  - task: PowerShell@2
    displayName: "Validate templates against UE-V schema"
    inputs:
      targetType: 'inline'
      script: |
        Import-Module -Name "Pester" -Force
        $Config = [PesterConfiguration]::Default
        $Config.Run.Path = '$(Build.SourcesDirectory)\Uev\tests'
        $Config.Run.PassThru = $True
        $Config.CodeCoverage.Enabled = $False
        $Config.TestResult.Enabled = $True
        $Config.TestResult.OutputFormat = "NUnitXml"
        $Config.TestResult.OutputPath = ".\TestResults.xml"
        Invoke-Pester -Configuration $Config
      verbosePreference: 'SilentlyContinue'
      pwsh: true
      workingDirectory: '$(Build.SourcesDirectory)\Uev\tests'

  - task: AzureFileCopy@4
    displayName: "Push templates to storage account"
    inputs:
      sourcePath: '$(Build.SourcesDirectory)\Uev\templates\*.xml'
      azureSubscription: 'Visual Studio Enterprise Subscription(63e8f660-f6a4-4ac5-ad4e-623268509f20)'
      destination: 'AzureBlob'
      storage: 'stpydeviceause'
      containerName: 'uev'
      additionalArgumentsForBlobCopy: '--log-level=INFO'

The pipeline execution relies on a few components:

  • UE-V settings templates - storing these in a git repository allows you to track changes and use branches to test the templates before pushing to production
  • Template tests via Pester - this approach is used to validate the templates against the schema and save the test output for reporting purposes
  • The Azure Pipeline - the pipeline is stored here in YAML format for easy deployment to new tenants

Each time a commit and push is made to the templates in the repository, the Azure Pipeline will execute, validate the templates, upload to Azure blog storage. Clients will then check for updated templates and download them.

Azure Pipelines output

Azure Blob Storage Configuration

For this configuration, I’ve created an Azure storage account to store the files on blob storage. Microsoft provides 5 GB of blob storage free for 12-months, so it’s simple to get started.

Azure blob storage containers

Anonymous read access is enabled on each of these containers, so that the UE-V templates can be downloaded to end-points, without having to storage secure access keys in each PowerShell script.

Azure blob storage container access level configuration

Summary

In this article I’ve outlined an approach to roaming additional application settings on a Windows 10/11 modern desktop with User Experience Virtualization and OneDrive for Business.

While the Microsoft 365 Apps, Microsoft Edge, and Windows 10 provides their own mechanisms for roaming user preferences, UE-V can roam preferences for those additional applications that matter to your users. Alternatively, UE-V could handle roaming of all Windows and application settings if you’re not keen to use those cloud-native features.

The PowerShell scripts I’ve provided can be used with Microsoft Intune or a 3rd party management tool. Additionally, 3rd party sync tools (e.g., Dropbox) should also work.

In another article on this topic, I’ll discuss how UE-V can be used to provide a consistent application experience across physical and virtual desktops.