Windows DVM RDP Console Block

Direct RDP/Console Block

Some deployments require that users be blocked from direct access (console/RDP) to their desktops. This feature is integrated in the HyWorks DVM agent, and the administrator can configure the access block using the following registry settings in desktop VMs.

From HyWorks v3.4 onwards, the session host server has an integrated DVM agent (Lite) that uses the same set of registry entries as the DVM agent. Direct access can be blocked on the Session Host Server machine using the following registry keys:

Registry key for Direct RDP Block:

HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpBlocked

  • Default Value: True
  • Set to true and restart the DVM agent service for the change to take effect. Any non-admin user who attempts a direct RDP connection will then be logged out.

Registry key for Direct RDP Block for Admin Users:

HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpAdminBlocked

  • Default value: False
  • Set to true and restart the DVM agent for the change to take effect. Admin users will then also be logged out if they connect to this desktop VM directly over RDP.

Registry key for Direct RDP/Console Block Timeout: (default: 15 seconds)

HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpBlockTimeoutSec

  • Default value: 15
  • The desktop agent waits the configured number of seconds for session validation. If the session is not recognized as an authorized session within the configured time limit, it is logged out.

Registry key for Direct Console Block (default: false), which blocks console access to the desktop VM for non-admin users:

HKLM\SOFTWARE\Accops\DVMAgent\DirectConsoleBlocked

Registry key for Direct RDP/Console Block for Admin users (default: false), which blocks console access to the desktop VM for admin users:

HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpAdminBlocked

Important

  • The direct RDP block is enabled by default in the latest DVM agent.
  • In some cases, where profile loading or connection takes longer than the configured time limit of the direct RDP block, the agent may interpret the session as a direct RDP connection and log it out. Such cases can be identified from the logs, and the timeout can be increased to suit the environment.

Logs:

  • The following log entry is created for each session that the agent logs out as a direct RDP session:

    • Agent Log location: C:\Program Files (x86)\Accops\HyWorks Desktop Agent\Logs

    • Sample Log:

      Logging-out direct (Non-Accops) RDP session WTS ID [3] for user domain/username. Direct RDP session is not authorized. Logon-Time (34sec) and Connect-Time (37sec)
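
The following is an added example, not part of the original page or of Accops code: a small Python parser that pulls the direct-RDP logout entries out of agent log lines and summarizes them per user, so the logged Logon-Time and Connect-Time values can be reviewed against the configured timeout. The message format is taken from the sample line above; the sample lines, user names and the repeat_threshold parameter are constructed for illustration.

```python
import re
from collections import defaultdict

# Message format taken from the sample log line on this page. search() is used
# so any prefix the real log file adds (timestamp, level) is tolerated.
LOGOUT_RE = re.compile(
    r"Logging-out direct \(Non-Accops\) RDP session WTS ID \[(?P<wts>\d+)\] "
    r"for user (?P<user>.+?)\. Direct RDP session is not authorized\. "
    r"Logon-Time \((?P<logon>\d+)sec\) and Connect-Time \((?P<connect>\d+)sec\)"
)

def parse_line(line):
    """Return the fields of one direct-RDP logout entry, or None."""
    m = LOGOUT_RE.search(line)
    if not m:
        return None
    # Windows account names are case-insensitive, so normalize for grouping.
    return {"user": m["user"].lower(), "wts_id": int(m["wts"]),
            "logon_sec": int(m["logon"]), "connect_sec": int(m["connect"])}

def summarize(lines, repeat_threshold=2):
    """Group logout events per user; flag users at or above repeat_threshold."""
    per_user = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            per_user[event["user"]].append(event)
    report = {}
    for user, events in per_user.items():
        report[user] = {
            "count": len(events),
            "wts_ids": sorted({e["wts_id"] for e in events}),
            "max_logon_sec": max(e["logon_sec"] for e in events),
            "max_connect_sec": max(e["connect_sec"] for e in events),
            "repeated": len(events) >= repeat_threshold,
        }
    return report

# Constructed sample lines (not real log data); user names are placeholders.
SAMPLE_LOG = [
    "Logging-out direct (Non-Accops) RDP session WTS ID [3] for user corp/alice. "
    "Direct RDP session is not authorized. Logon-Time (34sec) and Connect-Time (37sec)",
    "Agent service started",
    "Logging-out direct (Non-Accops) RDP session WTS ID [5] for user CORP/Alice. "
    "Direct RDP session is not authorized. Logon-Time (16sec) and Connect-Time (18sec)",
    "Logging-out direct (Non-Accops) RDP session WTS ID [4] for user corp/j.smith. "
    "Direct RDP session is not authorized. Logon-Time (20sec) and Connect-Time (21sec)",
]

if __name__ == "__main__":
    for user, row in sorted(summarize(SAMPLE_LOG).items()):
        print(user, row)
```
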