PC Reuse for VDI with Lockdown Policies
On almost every VDI implementation you’ll be asked to configure the old desktops to be reused as Thin Clients, or Terminals as I like to call them (the word Terminal is just more geeky I guess ;-)).
Anyway, the steps below will help you get your Windows 7 PCs ready to act, more or less, as thin clients.
Summary of steps:
First we’re going to configure the PC for auto log-on with a domain-based account, then we’re going to set the PowerShell execution policy on it, and finally we’re going to create our nifty GPO to wrap things up.
[Set PowerShell Execution Policy]
- Open PowerShell and type Set-ExecutionPolicy Unrestricted.
[Autologon]
- On the PC, start -> run -> regedit.
- Go to this key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- By default you’ll find the AutoAdminLogon string; set its value to 1.
- Then you have to create the following:
- DefaultDomainName: add it as a string and put in your default domain name (either the NETBIOS name if you’re on the same subnet, or the full FQDN in case you have different subnets).
- DefaultUserName: add it as a string and put in a username which you’ve previously created in AD; this user should have no privileges at all.
- DefaultPassword: add it as a string and fill it with the password of the default user (this will be stored in plain text).
- And we’re done. Restart the PC and autologon should be in effect, although sometimes there were awkward situations where I had to restart the PC multiple times to get the autologon in effect.
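If you have more than a handful of terminals, editing regedit by hand gets old fast. The following is an added example (not part of the original post) that writes the same four Winlogon values from an elevated PowerShell session and reads them back to confirm they were applied; the domain, username and password values are placeholders you must replace.

```powershell
# Added example: set the Winlogon autologon values described above from PowerShell.
# Run in an elevated PowerShell session. Values marked PLACEHOLDER are assumptions;
# substitute your own domain and the low-privilege terminal account created in AD.
param(
    [string]$Domain   = 'CONTOSO',              # PLACEHOLDER: NETBIOS name or FQDN
    [string]$UserName = 'svc-terminal',         # PLACEHOLDER: unprivileged AD account
    [string]$Password = 'PLACEHOLDER-password'  # stored in clear text by Winlogon, as noted above
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# All four values are REG_SZ strings; AutoAdminLogon = "1" switches autologon on.
$desired = @{
    AutoAdminLogon    = '1'
    DefaultDomainName = $Domain
    DefaultUserName   = $UserName
    DefaultPassword   = $Password
}

foreach ($name in $desired.Keys) {
    # -Force creates the value when it is missing and overwrites it when it exists
    New-ItemProperty -Path $winlogon -Name $name -Value $desired[$name] `
        -PropertyType String -Force | Out-Null
}

# Read the key back and verify every value landed exactly as intended
$actual = Get-ItemProperty -Path $winlogon
$ok = $true
foreach ($name in $desired.Keys) {
    if ($actual.$name -ne $desired[$name]) {
        Write-Warning "$name is '$($actual.$name)', expected '$($desired[$name])'"
        $ok = $false
    }
}

if ($ok) {
    Write-Output "Autologon configured for $Domain\$UserName; restart the PC to apply it."
} else {
    Write-Error 'Autologon configuration is incomplete; see the warnings above.'
}
```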
[Group Policies]
- Create a new GPO named “Terminal PC Lockdown“
- Create an OU for terminal PC and link the GPO to it.
- [Change User Shell from Explorer to VMware-View.exe]
- Here we will be replacing Explorer.exe with the VMware-View.exe executable, so that whenever the user logs on nothing will be visible except the client connection window.
- Edit the group policy: User Configuration -> Expand Administrative Templates -> Expand System -> In System you’ll find Custom User Interface
- Set it to Enabled and use this path “C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe”
- Computer Configuration (Policies):
- System/Logon:
- Hide entry points for Fast User Switching -> Enabled (this will disable switching users).
- VMware View Client Configuration/Scripting definitions (the VMware Client ADM template can be imported from the VMware Horizon View GPO bundle):
- DesktopLayout -> Full Screen
- Logon DomainName -> NETBIOS domain name or FQDN.
- Server URL -> Your View connection server.
- VMware View Client Configuration/Security Settings (this is only to be used for testing; in production you ought to get certificates from either a public or a private CA):
- Certificate verification mode -> No Security
- Ignore certificate revocation problems -> Enabled
- User Configuration (Policies):
- Windows Settings -> Scripts -> Logon -> vmware_view_process_checker.ps1 (with the script order set so PowerShell runs last) <- this script monitors the VMware-View.exe process and makes sure that if a user closes it, it is restarted after an interval of 10 seconds or less.
- The script (the original looped straight back with `continue` whenever the client was running, which skipped the sleep and kept the CPU spinning; the check now always waits before looping):
    while ($true) {
        $VMwareViewProcessName = "vmware-view"
        $GetVMwareViewProcess = Get-Process | Where-Object { $_.ProcessName -eq $VMwareViewProcessName }
        if (-not $GetVMwareViewProcess) {
            # Client was closed (or has not started yet): launch it again
            Start-Process "C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe"
        }
        # Always wait before checking again so the loop does not spin
        Start-Sleep -Seconds 10
    }
- Administrative Templates
- System/Ctrl+Alt+Del Options – (Remove Change Password, Remove Lock Computer, Remove Logoff, Remove Task Manager) Enabled.
- VMware View Client Configuration -> Always on top Enabled
- VMware View Client Configuration -> Enable the shade Disabled
And you’re done, restart the PC one last time and you’ll have a nice secure Terminal that users can connect from.