How to: Build a ThinBased-PC with Windows 7/XP
Published: Wednesday, 14 March 2012
As described in the earlier article PDI: Physical Desktop Infrastructure, real Thin Clients are getting richer in features. While this is needed to satisfy the requirements of remote-based products like Citrix XenApp, Citrix XenDesktop and VMware View, it also has some side effects:
- Real Thin Clients are getting more expensive, to the point that their prices are currently comparable with those of normal PCs.
- Thin Clients nowadays need to be fully managed, because many more features are available and need to be updated. Several Thin Client operating systems now really need updates for bug fixes and security vulnerabilities, so the big advantage of lower maintenance compared with traditional PCs has mostly disappeared.
- With current techniques like VDI, additional Microsoft licenses are required when using a Thin Client OS, whereas traditional Microsoft Windows XP/Vista/7 PCs don't have that requirement.
- The newest techniques/features (especially within Citrix products) still become available first in the Windows client of the product.
In summary, the reason Thin Clients are often chosen (lower costs) no longer holds in many cases. Using a traditional workstation to connect to an SBC/VDI infrastructure is becoming more and more logical, even though the user is working on a Full Desktop where all applications run in the data center.
However, if the user is connecting to a Full Desktop, you don't want to bother the user with a full client; instead, you want to directly show the portal (in most cases a web portal) used to connect to the SBC/VDI infrastructure. You also want to lock down the OS as much as possible, so it needs as little maintenance as possible and the user can change only the required settings (and nothing more).
Andrew Morgan did a tremendous job releasing the freely available ThinKiosk utility, which transforms the PC into a ThinBasedPC with a single executable and central management using Microsoft GPO. However, the biggest disadvantage of freeware is that it's freeware: freeware never has official support, and you never know if and when updates will become available. Because of that, companies don't allow the use of freeware utilities in their infrastructure.
If this is the case in your organization, you don't need to go for third-party products: you can create a ThinBased PC pretty easily with Microsoft GPOs and some basic scripts.
In this article I will describe the basic configuration and best practices to build a ThinBased PC using the standard tools available within a Microsoft Active Directory domain. The first step is to show the portal to the end-user without any manual interaction. Because centralized management is one of the starting points, the PC should be a member of the Active Directory domain.
Autologon
An autologon is the most usable method here, and to manage the configuration of the user settings (for that autologon user) it's preferable to use a standard domain user account. Within the registry you can define a user and the corresponding settings with which a Windows system will log on automatically. To manage this centrally, I created a simple but effective ADM template.
When using an XP or older system, you can use a value of 2 for AutoAdminLogon. This also disables CTRL+ALT+DEL on the local workstation, so users cannot lock the local workstation with those keys. This no longer works in Windows 7 (not tested on Vista), so there you should use 1.
; Group Policy template for Autologon
; Winlogon is not a Software\Policies key, so the Group Policy editor shows
; these values as unmanaged (preference) settings, hidden by default in the
; filter options, and they stay in the registry when the GPO no longer applies.
CLASS MACHINE
CATEGORY "System"
  POLICY "Autologon"
    KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    PART "ForceAutoLogon" NUMERIC REQUIRED TXTCONVERT VALUENAME "ForceAutoLogon" END PART
    PART "DefaultUserName" EDITTEXT REQUIRED VALUENAME "DefaultUserName" END PART
    PART "DefaultPassword" EDITTEXT REQUIRED VALUENAME "DefaultPassword" END PART
    PART "DefaultDomainName" EDITTEXT REQUIRED VALUENAME "DefaultDomainName" END PART
    PART "AltDefaultUserName" EDITTEXT REQUIRED VALUENAME "AltDefaultUserName" END PART
    PART "AltDefaultDomainName" EDITTEXT REQUIRED VALUENAME "AltDefaultDomainName" END PART
  END POLICY
END CATEGORY
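The registry side of the autologon, as an added example that is not part of the original article: a PowerShell script (Windows 7 ships PowerShell 2.0) that writes the Winlogon values the ADM template above manages, adds the AutoAdminLogon value discussed in the text (2 on XP and older, 1 on Windows 7), and verifies the result on a single machine before the settings are rolled out by GPO. The account name and password are placeholders; the domain name is the one from the GPO report below.

```powershell
# Added example, not from the original article: writes the Winlogon autologon
# values directly (the ones the ADM template manages, plus AutoAdminLogon) so
# they can be verified on one machine before they are rolled out by GPO.
# Run in an elevated PowerShell; account name and password are placeholders.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoAdminLogonValue {
    # 2 also suppresses CTRL+ALT+DEL, but only on XP and older (NT 5.x);
    # Windows 7 (NT 6.1) needs 1, as the article describes.
    param([version]$OsVersion = [System.Environment]::OSVersion.Version)
    if ($OsVersion.Major -lt 6) { '2' } else { '1' }
}

function Set-ThinPcAutologon {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,
        [Parameter(Mandatory=$true)][string]$Domain,
        [Parameter(Mandatory=$true)][string]$Password,
        [version]$OsVersion = [System.Environment]::OSVersion.Version
    )
    # Winlogon reads these as REG_SZ, which is why the ADM template uses
    # TXTCONVERT for the numeric parts.
    $values = @{
        AutoAdminLogon    = Get-AutoAdminLogonValue -OsVersion $OsVersion
        ForceAutoLogon    = '1'       # log the account straight back on after a logoff
        DefaultUserName   = $UserName
        DefaultDomainName = $Domain
        DefaultPassword   = $Password # cleartext in the registry; see the note below
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $Winlogon -Name $name -Value $values[$name] -Type String
    }
    # A leftover AutoLogonCount would make Winlogon stop the autologon after N
    # logons and clear DefaultPassword, so make sure it is gone.
    Remove-ItemProperty -Path $Winlogon -Name 'AutoLogonCount' -ErrorAction SilentlyContinue
}

function Test-ThinPcAutologon {
    # $true when every value needed for an unattended logon is present
    $wl = Get-ItemProperty -Path $Winlogon
    return (($wl.AutoAdminLogon -match '^[12]$') -and
            ($wl.ForceAutoLogon -eq '1') -and
            -not [string]::IsNullOrEmpty($wl.DefaultUserName) -and
            -not [string]::IsNullOrEmpty($wl.DefaultDomainName) -and
            -not [string]::IsNullOrEmpty($wl.DefaultPassword))
}

# Placeholder account: a dedicated, least-privilege domain user for the kiosk only.
Set-ThinPcAutologon -UserName 'thinpc-user' -Domain 'VANBRAGT' -Password '<password placeholder>'
Test-ThinPcAutologon
```

The Winlogon key is readable by every local user, and the ADM template stores the same DefaultPassword in the GPO's Registry.pol in SYSVOL, which every authenticated user can read, so treat the password as known to everyone on the network. Sysinternals Autologon stores it as an LSA secret instead, and in any case the account should be a standard domain user that can reach nothing but the portal.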
Auto Start Portal
The second step is to autostart the portal for the end-users. By default this means opening Internet Explorer with the Citrix Web Interface or RD Web Access as start page. This can be accomplished via several methods, some examples being:
- Arranging a shortcut file to IE in the Startup folder of the autologon user
The simplest solution: create a default user profile and add the shortcut file to the Startup folder. Simple copy scripts (as a logon script) can also be used, but there can be timing issues if the file is copied after the OS has already checked the Startup folder. GPO Preferences could also be used to set up this scenario.
- Adding a Run key in the user registry that starts Internet Explorer
Executables defined in the Run key are started during the logon of the user. The big advantage is the moment at which this is called, so there are no timing issues. The Run key can be added by importing a registry file (with the configured keys) via a logon script (AD) or by adding it to the default user profile. GPO Preferences could also be used to set up this scenario.
- Using the GPO option called Custom User Interface
Within Microsoft GPOs you can use the Custom User Interface setting to specify an alternate user interface. This is probably the easiest to configure, but logically it also has a downside: because it takes over the complete user interface, it is the only thing shown to the user. In situations where you would like to offer the user some settings to configure (like the screen resolution or keyboard/mouse settings), this option cannot satisfy your needs.
Lockdown
The third and most important step is to lock down the workstation. How many settings should be removed from the user interface depends on the requirements and wishes of the organization/customer. There are scenarios where you would like to remove as much as possible, but offering some applications or configuration settings is also pretty logical. Think again of adjusting the screen resolution, keyboard/mouse settings and regional settings.
Internet access needs careful consideration. Many organizations use a proxy server, and when using for example Citrix XenApp HDX Flash Redirection you can offload the Flash load to the client, but by default the client then (logically) needs access to the internet (there is a policy to download the content via the Citrix server, but in some situations this is not the way to go). If the proxy server is used to track which user has accessed which websites, you should lock down both the OS and the browser so that users cannot type in any other URL. If the user can do that, they will browse the Internet under the autologon account and tracking the websites per user is no longer possible. In Windows 7 this is a really hard job, because you can type a URL almost anywhere (just use the navigation bar in the Control Panel, for example; I don't have a solution for that so far).
At the end of the article I have added the output of a GPO I used to build a ThinBasedPC based on Windows 7, which results in the user environment on the PC shown in the next figure.
Final Configuration
Besides arranging the autologon, the auto start of the portal and locking down the client, the last step is to preconfigure the user environment and do a final lockdown of settings that are not available in standard GPOs. This can be accomplished using several methods. Many settings are kept in the profile of the user, so you can preconfigure the profile of the autologon user with the desired configuration. Using this method also implies that you need to find a central way to change the configuration when needed, for example by copying the profile at startup.
A second method is creating custom ADM(X) templates and importing those into your GPO. From a system administration point of view this is the preferred format, but it takes the most time to create those ADM templates.
The third option, the one I use, is creating REG files with the desired settings and importing those using the startup or logon script option of the GPO. In this way it is still centrally managed and can be adjusted easily. However, you should document thoroughly which REG file is used for which purpose.
Some examples of settings I define using the above methods are the Citrix Client Access Resources, the Citrix Full Screen Message, disabling Windows+L and removing specific folders from the Start menu.
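As an added example (not the article's own ConfigureUserEnvironment.cmd and not the author's code), a PowerShell logon script for the autologon user that combines the Run key method from the Auto Start Portal section with the REG file import method described here: it writes the Run key that starts Internet Explorer on the portal, sets the registry value behind "Disable Windows+L", and imports the REG files from a central share while logging which file was applied. The portal URL, the share path, the log path and the REG file name in the comment are placeholders; the Citrix-specific settings are left to the REG files.

```powershell
# Added example, not the article's ConfigureUserEnvironment.cmd: a PowerShell
# logon script for the autologon user that applies the user-side settings the
# article lists (the Run key that starts the portal, Disable Windows+L) and then
# imports centrally maintained REG files, logging which file applied what.
# Placeholders: the portal URL, the share holding the REG files and the log path.
param(
    [string]$PortalUrl = 'https://portal.vanbragt.local/Citrix/XenApp',  # placeholder
    [string]$RegShare  = '\\vanbragt.local\NETLOGON\ThinPC\User',       # placeholder
    [string]$LogFile   = "$env:LOCALAPPDATA\ThinPC-logon.log"
)

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

function Set-PortalAutoStart {
    # Run key: started by Explorer during logon, so no timing issue as with the
    # Startup folder. IE's -k switch (kiosk mode) hides the address bar and
    # toolbars; the IE lockdown policies in the GPO are still needed to keep
    # the user from opening other URLs under the autologon account.
    param([string]$Url)
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $cmd = '"{0}\Internet Explorer\iexplore.exe" -k "{1}"' -f $env:ProgramFiles, $Url
    Set-ItemProperty -Path $run -Name 'ThinPcPortal' -Value $cmd -Type String
    Write-Log "Run key ThinPcPortal = $cmd"
}

function Disable-LockWorkstation {
    # DisableLockWorkstation = 1 removes Windows+L / "Lock" for this user (the
    # article's "Disable Windows+L"); otherwise a user could lock the PC under
    # the autologon account, whose password nobody at the desk knows.
    $policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    if (-not (Test-Path $policies)) { New-Item -Path $policies -Force | Out-Null }
    Set-ItemProperty -Path $policies -Name 'DisableLockWorkstation' -Value 1 -Type DWord
    Write-Log 'DisableLockWorkstation = 1'
}

function Import-RegFiles {
    # The article's third method: REG files kept on a central share, imported at
    # every logon. Files are applied in name order, so a numeric prefix such as
    # 10-CitrixFullScreenMessage.reg (hypothetical name) documents purpose and order.
    param([string]$Path)
    $applied = @()
    $files = Get-ChildItem -Path $Path -Filter '*.reg' -ErrorAction SilentlyContinue |
             Sort-Object Name
    if (-not $files) { Write-Log "no REG files found at $Path" }
    foreach ($file in $files) {
        & reg.exe import $file.FullName 2>&1 | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Write-Log "imported $($file.Name)"
            $applied += $file.Name
        } else {
            Write-Log "FAILED (exit $LASTEXITCODE) $($file.Name)"
        }
    }
    return $applied
}

Set-PortalAutoStart -Url $PortalUrl
Disable-LockWorkstation
$done = @(Import-RegFiles -Path $RegShare)
Write-Log ('applied {0} REG file(s)' -f $done.Count)
```

Run it as the GPO logon script via powershell.exe -ExecutionPolicy Bypass -File, and keep the share read-only for the autologon account: anything writable there is imported into the user's registry at every logon.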
Conclusion
While there are both very good third-party and freeware products available to use a standard workstation as a Thin Client, you can also do it using default Microsoft technologies, when there is no budget or freeware is not allowed in the company. With this article I wanted to show you the basic steps and an example configuration to change your workstation into a ThinBasedPC.
Add-on GPO Example of LockDown ThinBasedPC
Lockdown Win 7 to ThinBasedPC
Data collected on: 3/6/2012 10:37:05 AM
General
Details
- Domain: vanbragt.local
- Owner: VANBRAGT\Domain Admins
- Created: 3/6/2012 10:35:04 AM
- Modified: 3/6/2012 10:36:36 AM
- User Revisions: 1 (AD), 1 (sysvol)
- Computer Revisions: 1 (AD), 1 (sysvol)
- Unique ID: {B9D3D44E-F090-44B9-ADF0-97C5733AD0BB}
- GPO Status: Enabled
Links
- Location / Enforced / Link Status / Path: None
This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
- NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO (none of the permissions are inherited):
- NT AUTHORITY\Authenticated Users: Read (from Security Filtering)
- NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: Read
- NT AUTHORITY\SYSTEM: Edit settings, delete, modify security
- VANBRAGT\Domain Admins: Edit settings, delete, modify security
- VANBRAGT\Enterprise Admins: Edit settings, delete, modify security
Computer Configuration (Enabled)
Policies
Windows Settings
Scripts / Startup (for this GPO, script order: Not configured)
- ConfigureThinPCMachinesettings.cmd (no parameters)
Security Settings
Local Policies/User Rights Assignment
- Log on as a batch job: (no value shown in the export)
Local Policies/Security Options
- Accounts: Rename administrator account: (no value shown in the export)
- Interactive logon: Do not display last user name: Enabled
- User Account Control: Admin Approval Mode for the Built-in Administrator account: Disabled
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting
- User Account Control: Detect application installations and prompt for elevation: Disabled
- User Account Control: Only elevate UIAccess applications that are installed in secure locations: Disabled
- User Account Control: Run all administrators in Admin Approval Mode: Disabled
Restricted Groups
- BUILTIN\Administrators: Members (no value shown in the export), Member of (none)
- BUILTIN\Users: Members (no value shown in the export), Member of (none)
Public Key Policies/Trusted Root Certification Authorities
- Allow users to select new root certification authorities (CAs) to trust: Enabled
- Client computers can trust the following certificate stores: Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
- To perform certificate-based authentication of users and computers, CAs must meet the following criteria: Registered in Active Directory only
Windows Firewall with Advanced Security
Global Settings
- Policy version, Disable stateful FTP, Disable stateful PPTP, IPsec exempt, IPsec through NAT, Preshared key encoding, SA idle time, Strong CRL check: all Not Configured
Domain Profile Settings
- Firewall state: Off
- Inbound connections, Outbound connections, Apply local firewall rules, Apply local connection security rules, Display notifications, Allow unicast responses, Log dropped packets, Log successful connections, Log file path, Log file maximum size (KB): all Not Configured
Connection Security Settings
- (none)
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
Where the export lost the policy name, only the number of settings and their state are listed.
Control Panel/Regional and Language Options
- Force selected system UI language to overwrite the user UI language: Enabled
- 1 unnamed setting: Enabled
Control Panel/User Accounts
- 1 unnamed setting: Enabled
Ervik.as - Citrix XenApp and Microsoft Remote Desktop Services/TS Tuning Policy
- 1 unnamed setting: Enabled
Network/Background Intelligent Transfer Service (BITS)
- Do not allow the computer to act as a BITS Peercaching client: Enabled
- Do not allow the computer to act as a BITS Peercaching server: Enabled
- 1 unnamed setting: Disabled
Network/Network Connections
- Prohibit use of Internet Connection Firewall on your DNS domain network: Enabled
- Prohibit use of Internet Connection Sharing on your DNS domain network: Enabled
Network/Network Connections/Windows Firewall/Domain Profile
- 1 unnamed setting: Disabled
Network/Network Connections/Windows Firewall/Standard Profile
- 1 unnamed setting: Disabled
Network/Offline Files
- 4 unnamed settings: Enabled
Network/Windows Connect Now
- 1 unnamed setting: Enabled
Printers
- 4 unnamed settings: Enabled
System/Device Installation
- Do not send a Windows error report when a generic driver is installed on a device: Enabled
- Turn off "Found New Hardware" balloons during device installation: Enabled
- 1 unnamed setting: Enabled
System/Filesystem/NTFS
- 2 unnamed settings: Enabled
System/Group Policy
- 1 unnamed setting: Enabled
System/Internet Communication Management
- 1 unnamed setting: Enabled
System/Internet Communication Management/Internet Communication settings
- Turn off Help and Support Center Microsoft Knowledge Base search: Enabled
- Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com: Enabled
- Turn off Internet download for Web publishing and online ordering wizards: Enabled
- Turn off Registration if URL connection is referring to Microsoft.com: Enabled
- Turn off the Windows Messenger Customer Experience Improvement Program: Enabled
- Turn off Windows Network Connectivity Status Indicator active tests: Enabled
- 14 unnamed settings: Enabled
System/Locale Services
- 1 unnamed setting: Enabled
System/Logon
- 6 unnamed settings: Enabled
System/Performance Control Panel
- Turn off access to the solutions to performance problems section: Enabled
- 1 unnamed setting: Enabled
System/Power Management/Hard Disk Settings
- 1 unnamed setting: Enabled
System/Power Management/Sleep Settings
- 2 unnamed settings: Enabled
System/Power Management/Video and Display Settings
- 1 unnamed setting: Enabled
System/Remote Assistance
- 2 unnamed settings: Disabled
System/User Profiles
- Add the Administrators security group to roaming user profiles: Enabled
- Delete user profiles older than a specified number of days on system restart: Enabled
- 5 unnamed settings: Enabled
Windows Components/Application Compatibility
- 1 unnamed setting: Enabled
Windows Components/AutoPlay Policies
- 1 unnamed setting: Enabled
Windows Components/Desktop Gadgets
- 1 unnamed setting: Enabled
Windows Components/Desktop Window Manager
- 2 unnamed settings: Enabled
Windows Components/Game Explorer
- Turn off tracking of last play time of games in the Games folder: Enabled
- 2 unnamed settings: Enabled
Windows Components/HomeGroup
- 1 unnamed setting: Enabled
Windows Components/Internet Explorer
- Disable Periodic Check for Internet Explorer software updates: Enabled
- Prevent participation in the Customer Experience Improvement Program: Enabled
- 23 unnamed settings: Enabled
Windows Components/Internet Explorer/Accelerators
- 1 unnamed setting: Enabled
Windows Components/Internet Explorer/Internet Control Panel
- 7 unnamed settings: Enabled
Windows Components/Internet Explorer/Internet Control Panel/Security Page
- Intranet Sites: Include all sites that bypass the proxy server: Enabled
- 1 unnamed setting: Enabled
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
- 1 unnamed setting: Enabled
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
- 2 unnamed settings: Enabled
Windows Components/Internet Explorer/Internet Settings/Component Updates/Help Menu > About Internet Explorer
- Prevent the configuration of cipher strength update information URLs: Enabled
Windows Components/Internet Explorer/Internet Settings/Component Updates/Periodic check for updates to Internet Explorer and Internet Tools
- 1 unnamed setting: Enabled
Windows Components/Internet Explorer/Security Features
- 1 unnamed setting: Enabled
Windows Components/Internet Explorer/Toolbars
- 3 unnamed settings: Enabled
Windows Components/Internet Information Services
- 1 unnamed setting: Disabled
Windows Components/NetMeeting
- 1 unnamed setting: Enabled
Windows Components/Network Projector
- 1 unnamed setting: Enabled
Windows Components/Online Assistance
- 1 unnamed setting: Enabled
Windows Components/Remote Desktop Services/Remote Desktop Connection Client
- 1 unnamed setting: Enabled
Windows Components/RSS Feeds
- 6 unnamed settings: Enabled
Windows Components/Security Center
- 1 unnamed setting: Disabled
Windows Components/Sound Recorder
- 1 unnamed setting: Enabled
Windows Components/Windows Anytime Upgrade
- 1 unnamed setting: Enabled
Windows Components/Windows Calendar
- 1 unnamed setting: Enabled
Windows Components/Windows Customer Experience Improvement Program
- Allow Corporate redirection of Customer Experience Improvement uploads: Disabled
Windows Components/Windows Defender
- 1 unnamed setting: Enabled
Windows Components/Windows Error Reporting
- 2 unnamed settings: Enabled
Windows Components/Windows Installer
- 3 unnamed settings: Enabled
Windows Components/Windows Mail
- 1 unnamed setting: Enabled
Windows Components/Windows Media Center
- 1 unnamed setting: Enabled
Windows Components/Windows Media Digital Rights Management
- 1 unnamed setting: Enabled
Windows Components/Windows Media Player
- 5 unnamed settings: Enabled
Windows Components/Windows Messenger
- 2 unnamed settings: Enabled
Windows Components/Windows Mobility Center
- 1 unnamed setting: Enabled
Windows Components/Windows PowerShell
- 1 unnamed setting: Enabled
Windows Components/Windows Remote Management (WinRM)/WinRM Service
- 1 unnamed setting: Enabled
Windows Components/Windows SideShow
- 1 unnamed setting: Enabled
Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
- Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow: 2
User Configuration (Enabled)
Policies
Windows Settings
Scripts / Logon (for this GPO, script order: Not configured)
- ConfigureUserEnvironment.cmd (no parameters)
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
Where the export lost the policy name, only the number of settings and their state are listed.
Control Panel
- Always open All Control Panel Items when opening Control Panel: Enabled
- 1 unnamed setting: Enabled
Control Panel/Add or Remove Programs
- 1 unnamed setting: Enabled
Control Panel/Personalization
- 10 unnamed settings: Enabled
- 1 unnamed setting: Disabled
Control Panel/Printers
- 2 unnamed settings: Enabled
Control Panel/Programs
- 7 unnamed settings: Enabled
Desktop
- Prevent adding, dragging, dropping and closing the Taskbar's toolbars: Enabled
- 9 unnamed settings: Enabled
Network/Windows Connect Now
- 1 unnamed setting: Enabled
Start Menu and Taskbar
- Do not display or track items in Jump Lists from remote locations: Enabled
- Do not use the search-based method when resolving shell shortcuts: Enabled
- Do not use the tracking-based method when resolving shell shortcuts: Enabled
- Prevent users from moving taskbar to another screen dock location: Enabled
- 54 unnamed settings: Enabled
- 1 unnamed setting: Disabled
System/Ctrl+Alt+Del Options
- 3 unnamed settings: Enabled
Windows Components/AutoPlay Policies
- 2 unnamed settings: Enabled
Windows Components/Desktop Gadgets
- 1 unnamed setting: Enabled
Windows Components/Internet Explorer/InPrivate
- Disable toolbars and extensions when InPrivate Browsing starts: Enabled
- 1 unnamed setting: Enabled
Windows Components/Microsoft Management Console
- 1 unnamed setting: Enabled
Windows Components/Windows Anytime Upgrade
- 1 unnamed setting: Enabled
Windows Components/Windows Calendar
- 1 unnamed setting: Enabled
Windows Components/Windows Explorer
- 2 unnamed settings: Enabled