In my previous post I covered how VMware UEM can redirect the OST file and Search Indexes to a User Installed Application (UIA) writable volume. Because it’s still a UIA writable volume, any user with administrative rights can (ab)use these rights and install any application onto their own writable volume or the writable volume of another user, for example when they try to solve an incident in a quick and dirty way.

In my case I’ve seen this (ab)use of the administrative rights a bit too much, so I came up with the idea of creating a custom writable volume that only saves the Outlook OST file and search indexes and prevents it from getting polluted with anything else.

The first step is to create a new custom writable volume and adjust the snapvol.cfg to only virtualize the folder where the OST file and search indexes are located.

Follow the steps until step 18 in this article to create a new writable volume template.

  1. After you have copied the files in step 18, open the snapvol.cfg file with notepad.
  2. Set the location you want to virtualize. In my case I want to virtualize C:\OUTLOOKDATA. Later on I’ll explain why I use this location.
  3. Remove all the items that get virtualized in the registry.
  4. Save the snapvol.cfg and complete the steps to finish creating the custom writable volume.
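
Before finishing the template, it helps to confirm that the edited snapvol.cfg really captures nothing except the intended folder. The script below is an added example, not part of the original post or of App Volumes: it lists every active line that still captures the registry or a path outside C:\OUTLOOKDATA. The directive names in the sample (`virtualize`, `virtualize_registry`, `exclude_path`) and the `#` comment syntax are assumptions, and the sample content is constructed; compare against your own template.

```python
import re

ALLOWED_PATH = r"\OUTLOOKDATA"  # folder used in this article, without drive letter

# Constructed sample config. Directive names are assumptions, not taken from the post.
SAMPLE_CFG = r"""
# custom writable volume: Outlook data only
exclude_path=\ProgramData\Example
virtualize=\OUTLOOKDATA
virtualize=\Program Files
virtualize_registry=\REGISTRY\MACHINE\SOFTWARE
"""

def normalize(path):
    """Strip quotes, drive letter and trailing backslashes; lower-case for comparison."""
    p = path.strip().strip('"')
    p = re.sub(r"^[A-Za-z]:", "", p)
    return p.rstrip("\\").lower()

def audit_snapvol(text, allowed=ALLOWED_PATH):
    """Return (line number, kind, line) for each active line that widens the scope."""
    findings = []
    allowed_n = normalize(allowed)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        key, sep, value = line.partition("=")
        if not sep:
            findings.append((lineno, "review", line))  # not key=value, check by hand
            continue
        if key.strip().lower().startswith("exclude"):
            continue                      # exclusions only narrow what is captured
        target = normalize(value)
        if target.startswith("\\registry"):
            findings.append((lineno, "registry", line))
        elif target != allowed_n and not target.startswith(allowed_n + "\\"):
            findings.append((lineno, "path", line))
    return findings

if __name__ == "__main__":
    for lineno, kind, line in audit_snapvol(SAMPLE_CFG):
        print(f"line {lineno}: unexpected {kind} entry -> {line}")
```

An empty result means only the allowed folder (or a subfolder of it) is still captured.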

Now that you’ve created a new writable volume template, assign it to a user.

  1. Open the App Volumes Manager
  2. Click Writables > Create.
  3. Specify the username, select the writable volume you created and click Create.
  4. Close the App Volumes Manager.

The last thing we need to do now is set the location for the OST files and Search indexes to C:\OUTLOOKDATA. I’m using the App Volumes setting in VMware UEM to do this.

  1. Open the VMware UEM Management Console.
  2. Select User Environment > App Volumes and click Create.
  3. Specify the Name for the App Volumes Settings.
  4. Tick the checkbox “Store Offline Outlook Data File (.ost) on writable volumes”.
  5. Click Advanced.
  6. Change the default location to C:\OUTLOOKDATA.
  7. The UEM configuration is now completed. Click OK and save the settings.

When the user logs in to the machine, the OST files and search indexes are redirected to C:\OUTLOOKDATA. This will be the only thing saved on the user’s writable volume, and anything else that’s installed with administrative rights is not.

I’ve tested this by logging in to a non-persistent machine. I started and configured Outlook, installed an application and rebooted the machine. When the machine was rebuilt, I logged in and noticed that VMware UEM saved my Outlook profile, the writable volume with my OST file was attached and the application I previously installed was no longer installed on that specific machine.

The reason why I virtualize C:\OUTLOOKDATA and not the default Outlook OST location (drive:\Users\%username%\AppData\Local\Microsoft\Outlook) is because the snapvol.cfg only accepts environment variables that are defined on a machine before the user logs in. So %username% won’t work and App Volumes will create a folder %username% in C:\Users as you can see in the screenshot below.

The default App Volumes setting in VMware UEM also didn’t work for me. When I edited the snapvol.cfg to only virtualize C:\SnapVolumesTemp\writeable\UEM\OST and set up VMware UEM to use the default location, I got the error message that Outlook was not able to start.

When I browsed to C:\SnapVolumesTemp\MountPoints\{GUID} I saw that there was a folder structure created “SnapVolumesTemp\writeable\UEM\OST” and the OST file was not redirected to C:\SnapVolumesTemp\writeable.

If you’re struggling with the same problem as me, I hope this article will help you in finding a solution. If you have any questions or comments, please let me know.
