Advance Configurations
Direct RDP/Console Block
Some deployments need to block direct user access (console/RDP) to desktops. The feature is integrated in the HyWorks DVM agent; the administrator can configure the block with the following registry settings in desktop VMs.
From HyWorks v3.4 onwards, the session host server has an integrated DVM agent (Lite) that uses the same set of registry values as the DVM agent. Direct access can be blocked through the registry of the Session Host Server machine using the following registry keys:
Registry key for Direct RDP Block:
HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpBlocked
- Default Value: True
- Set to true and restart the DVM agent service for the change to take effect. Any non-admin user who attempts a direct RDP connection is then logged out.
Registry key for Direct RDP Block for Admin Users:
HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpAdminBlocked
- Default value: False
- Set to true and restart the DVM agent for the change to take effect. Admin users are then also logged out if they take a direct RDP session to this desktop VM.
Registry key for Direct RDP/Console Block Timeout: (default: 15 seconds)
HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpBlockTimeoutSec
- Default value: 15
- The desktop agent waits the configured number of seconds for session validation. If the session is not recognized as an authorized session within that time limit, it is logged out.
Registry key for Direct Console Block: (default: false), to block console access for desktop VM for non-admin users.
HKLM\SOFTWARE\Accops\DVMAgent\DirectConsoleBlocked
Registry key for Direct RDP/Console Block for Admin users: (default: false), to block console access for desktop VM for admin-users.
HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpAdminBlocked
Important
- The direct RDP block is enabled by default in the latest DVM agent.
- Where profile loading or connection takes longer than the configured direct RDP block time limit, the agent may interpret the session as a direct RDP connection and log it out. Such cases can be identified from the logs, and the timeout can be increased to suit the environment.
Logs:
- The following log entry is created for sessions logged out by the agent as direct RDP.
- Agent log location: C:\Program Files (x86)\Accops\HyWorks Desktop Agent\Logs
- Sample log:
Logging-out direct (Non-Accops) RDP session WTS ID [3] for user domain/username. Direct RDP session is not authorized. Logon-Time (34sec) and Connect-Time (37sec)
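
To decide whether logouts come from slow logons and how far to raise the timeout, the log entries can be summarised per user. The PowerShell below is an added example, not Accops code: the function names and sample lines are constructed, and the pattern assumes the message format of the sample log above.

```powershell
# Added example, not vendor code. The pattern follows the sample log line above;
# whatever prefix (timestamp, level) precedes the message is ignored.
$Pattern = 'Logging-out direct \(Non-Accops\) RDP session WTS ID \[(?<Wts>\d+)\] ' +
           'for user (?<User>\S+)\. .*Logon-Time \((?<Logon>\d+)sec\) ' +
           'and Connect-Time \((?<Connect>\d+)sec\)'

function Get-DirectRdpLogout {
    param([Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line)
    process {
        if ($Line -match $Pattern) {
            [pscustomobject]@{
                User       = $Matches['User']
                WtsId      = [int]$Matches['Wts']
                LogonSec   = [int]$Matches['Logon']
                ConnectSec = [int]$Matches['Connect']
            }
        }
    }
}

function Get-DirectRdpLogoutSummary {
    # One row per user: how often the agent logged them out and the longest times seen.
    param([Parameter(Mandatory)][object[]]$Record)
    $Record | Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User          = $_.Name
            Logouts       = $_.Count
            MaxLogonSec   = ($_.Group | Measure-Object LogonSec -Maximum).Maximum
            MaxConnectSec = ($_.Group | Measure-Object ConnectSec -Maximum).Maximum
        }
    } | Sort-Object Logouts -Descending
}

# Constructed sample lines; the timestamp prefix is an assumption.
$sample = @(
    '2024-01-01 09:00:01 Logging-out direct (Non-Accops) RDP session WTS ID [3] for user EXAMPLE/user1. Direct RDP session is not authorized. Logon-Time (34sec) and Connect-Time (37sec)'
    '2024-01-01 09:05:12 some unrelated agent message'
    '2024-01-01 09:07:40 Logging-out direct (Non-Accops) RDP session WTS ID [5] for user EXAMPLE/user1. Direct RDP session is not authorized. Logon-Time (16sec) and Connect-Time (18sec)'
)
Get-DirectRdpLogoutSummary -Record ($sample | Get-DirectRdpLogout)

# Against real logs (folder from this page):
# $dir = 'C:\Program Files (x86)\Accops\HyWorks Desktop Agent\Logs'
# Get-DirectRdpLogoutSummary -Record (Get-ChildItem $dir -File | Get-Content | Get-DirectRdpLogout)
```

Compare the reported times with the configured DirectRdpBlockTimeoutSec before changing it.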
External log Settings
Some deployments need user session monitoring for audit purposes; the feature is integrated in the HyWorks DVM Agent. Two types of monitoring are available:
- User Session Monitoring
- Process Monitoring
Registry Base:
HKEY_LOCAL_MACHINE\SOFTWARE\Accops\DVMAgent\ADVANCE SETTINGS\EXTERNAL LOG SETTINGS
The administrator can configure session monitoring by updating the registry entries. Details of the registry values are as follows.
Key Name | Default Value | Type | Value Range |
---|---|---|---|
TrackingType | 0 | String | 0: Disabled 1: User Session Monitoring 2: Process Monitoring 3: Both |
IgnoreList | C:\Windows\System32* | Multi String | Processes/folders to be ignored for process tracking |
SyslogHost | 0.0.0.0 | String | Syslog server or Accops ARS Server IP address or Hostname |
SyslogPort | 514 | String | Syslog server or Accops ARS Server Port number |
DumpProcessMonToSyslog | False | String | On setting as true, it will start pushing process monitoring logs to configured syslog server. |
DumpUserSessionMonToSyslog | False | String | On setting as true, it will start pushing user session monitoring logs to configured syslog server. |
### Session change event scripts support
Some deployments need scripts to run on session change events; the feature is integrated in HyWorks. Six session change event types are supported:
- CONNECT
- DISCONNECT
- LOCK
- LOGOUT
- RECONNECT
- UNLOCK
Registry Base:
HKEY_LOCAL_MACHINE\SOFTWARE\Accops\DVMAgent\EVENTS
The administrator can configure session change events by updating the registry entries. Details of the registry values are as follows.
Key Name | Name | Value | Type | Meaning |
---|---|---|---|---|
EVENTS | EnableForAdmins | FALSE | String | Set this flag as True to enable Session Change Events scripts execution for Admin users too. |
================ | ========================== | ============================ | ==== | ========= |
EVENTS\CONNECT | ISENABLED | FALSE | String | Set this flag as True to enable Connect Event script execution. |
EVENTS\CONNECT | SYSTEM_CONTEXT_SCRIPT_PATH | C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Connect_System.bat | String | The script used to execute batch commands in System context on the Connect event. |
EVENTS\CONNECT | USER_CONTEXT_SCRIPT_PATH | C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Connect_User.bat | String | The script used to execute batch commands in User context on the Connect event. |
================ | ========================== | ============================ | ==== | ========= |
EVENTS\DISCONNECT | ISENABLED | FALSE | String | Set this flag as True to enable Disconnect Event script execution. |
EVENTS\DISCONNECT | SYSTEM_CONTEXT_SCRIPT_PATH | C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Disconnect_System.bat | String | The script used to execute batch commands in System context on the Disconnect event. |
EVENTS\DISCONNECT | USER_CONTEXT_SCRIPT_PATH | C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Disconnect_User.bat | String | The script used to execute batch commands in User context on the Disconnect event. |
================ | ========================== | ============================ | ==== | ========= |
EVENTS\LOCK | ISENABLED | FALSE | String | Set this flag as True to enable Lock Event script execution. |
EVENTS\LOCK | SYSTEM_CONTEXT_SCRIPT_PATH | C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Lock_System.bat | String | The script used to execute batch commands in System context on the Lock event. |
EVENTS\LOCK | USER_CONTEXT_SCRIPT_PATH | C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Lock_User.bat | String | The script used to execute batch commands in User context on the Lock event. |
================ | ========================== | ============================ | ==== | ========= |
EVENTS\LOGOUT | ISENABLED | FALSE | String | Set this flag as True to enable Logout Event script execution. |
EVENTS\LOGOUT | SYSTEM_CONTEXT_SCRIPT_PATH | C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Logout_System.bat | String | The script used to execute batch commands in System context on the Logout event. |
EVENTS\LOGOUT | ExecutePreLogoutScriptInSystemContext | FALSE | String | Script will be executed in system context before logout. |
EVENTS\LOGOUT | ExecutePreLogoutScriptInUserContext | FALSE | String | Script will be executed in user context before logout. |
================ | ========================== | ============================ | ==== | ========= |
EVENTS\RECONNECT | ISENABLED | FALSE | String | Set this flag as True to enable Reconnect Event script execution. |
EVENTS\RECONNECT | SYSTEM_CONTEXT_SCRIPT_PATH | C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Reconnect_System.bat | String | The script used to execute batch commands in System context on the Reconnect event. |
EVENTS\RECONNECT | USER_CONTEXT_SCRIPT_PATH | C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Reconnect_User.bat | String | The script used to execute batch commands in User context on the Reconnect event. |
================ | ========================== | ============================ | ==== | ========= |
EVENTS\UNLOCK | ISENABLED | FALSE | String | Set this flag as True to enable Unlock Event script execution. |
EVENTS\UNLOCK | SYSTEM_CONTEXT_SCRIPT_PATH | C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Unlock_System.bat | String | The script used to execute batch commands in System context on the Unlock event. |
EVENTS\UNLOCK | USER_CONTEXT_SCRIPT_PATH | C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Unlock_User.bat | String | The script used to execute batch commands in User context on the Unlock event. |
================ | ========================== | ============================ | ==== | ========= |
The scripts can be updated for other custom usage. Scripts root folder:
C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\
Note
- HyWorks only provides the platform to execute scripts on different system events. The scripts have to be written as per requirements.
- HyWorks v3.4 or later has an integrated DVM agent (Lite), so the same set of registry keys (from the DVM agent) and scripts is used.
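
Scripts configured under SYSTEM_CONTEXT_SCRIPT_PATH run in System context, so the script files and their folder should be writable only by administrators. The PowerShell check below is an added example, not Accops code: the function names and the trusted-account list are assumptions, while the registry and value names are those in the table above.

```powershell
# Added example, not vendor code. Registry and value names are from the table above.
$EventsKey = 'HKLM:\SOFTWARE\Accops\DVMAgent\EVENTS'
$Events    = 'CONNECT', 'DISCONNECT', 'LOCK', 'LOGOUT', 'RECONNECT', 'UNLOCK'
# Accounts expected to hold write access (assumption; adjust to local policy).
$Trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
# Rights that let a principal change, replace or re-permission a file or folder.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-UntrustedWriter {
    # Accounts outside $Trusted with an Allow entry that includes any write right.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $WriteMask) -ne 0 -and
            $Trusted -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Get-SessionEventScriptAudit {
    foreach ($ev in $Events) {
        $props = Get-ItemProperty -Path "$EventsKey\$ev" -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in 'SYSTEM_CONTEXT_SCRIPT_PATH', 'USER_CONTEXT_SCRIPT_PATH') {
            $file = $props.$name
            if (-not $file) { continue }
            $writers = @()
            if (Test-Path -LiteralPath $file -PathType Leaf) {
                # Check the script and its folder: write access to either changes what runs.
                $writers = @($file, (Split-Path -Path $file -Parent)) |
                    ForEach-Object { Get-UntrustedWriter -Path $_ } | Sort-Object -Unique
            }
            [pscustomobject]@{
                Event            = $ev
                Enabled          = "$($props.ISENABLED)" -eq 'True'
                Value            = $name
                Script           = $file
                UntrustedWriters = @($writers) -join ', '
            }
        }
    }
}

Get-SessionEventScriptAudit | Format-Table -AutoSize
```

Any account listed under UntrustedWriters for an enabled event should be reviewed before the event scripts are put into use.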
Allow calls from authorized controller(s) only
Some deployments need to block unauthorized access to the DVM Agent service. The feature is integrated in HyWorks v3.3; the administrator can configure the block by updating the list of authorized controller IPs at: (default value: '*')
HKLM\SOFTWARE\Accops\DVMAgent\AuthorizedControllerIPs
Note
- The default value is '*', which means all controllers are allowed to connect.
- Replacing '*' with one or more (multi-string) controller IPs allows only the listed controller(s) to communicate with the local DVM Agent service.
- If an unauthorized controller tries to communicate, an error is logged in both the DVM Agent and controller logs.
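
The direct-access values from the first section and the AuthorizedControllerIPs list can be checked together against a restrictive baseline. The PowerShell below is an added example, not Accops code: the function names, the WARN/INFO wording and the sample values are constructed, and the value names are those documented on this page.

```powershell
# Added example, not vendor code. Value names are the ones documented on this page.
$Key   = 'HKLM:\SOFTWARE\Accops\DVMAgent'
$Names = 'DirectRdpBlocked', 'DirectConsoleBlocked', 'DirectRdpAdminBlocked',
         'DirectRdpBlockTimeoutSec', 'AuthorizedControllerIPs'

function Get-DvmAgentAccessConfig {
    # Live values as a hashtable; a value that does not exist comes back as $null.
    $props  = Get-ItemProperty -Path $Key -ErrorAction Stop
    $values = @{}
    foreach ($n in $Names) { $values[$n] = $props.$n }
    $values
}

function Test-DvmAgentAccessConfig {
    param([Parameter(Mandatory)][hashtable]$Values)
    foreach ($n in 'DirectRdpBlocked', 'DirectConsoleBlocked') {
        if ("$($Values[$n])" -ne 'True') {      # string -ne is case-insensitive
            "WARN  $n is '$($Values[$n])': direct sessions of non-admin users are not blocked"
        }
    }
    if ("$($Values['DirectRdpAdminBlocked'])" -ne 'True') {
        'INFO  DirectRdpAdminBlocked is not True: admin users can still connect directly'
    }
    $timeout = 0
    if (-not [int]::TryParse("$($Values['DirectRdpBlockTimeoutSec'])", [ref]$timeout)) {
        'WARN  DirectRdpBlockTimeoutSec is not a whole number of seconds'
    }
    $ips = @($Values['AuthorizedControllerIPs'] | Where-Object { $_ })
    if ($ips.Count -eq 0) { 'WARN  AuthorizedControllerIPs is missing or empty' }
    if ($ips -contains '*') { "WARN  AuthorizedControllerIPs contains '*': any controller can connect" }
    foreach ($ip in $ips) {
        $parsed = $null
        if ($ip -ne '*' -and -not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
            "WARN  AuthorizedControllerIPs entry '$ip' does not parse as an IP address"
        }
    }
}

# Constructed sample values for an offline run.
$sample = @{
    DirectRdpBlocked         = 'True'
    DirectConsoleBlocked     = 'False'
    DirectRdpAdminBlocked    = 'False'
    DirectRdpBlockTimeoutSec = '15'
    AuthorizedControllerIPs  = @('192.0.2.10', 'controller-2')
}
Test-DvmAgentAccessConfig -Values $sample
# On a desktop VM or session host: Test-DvmAgentAccessConfig -Values (Get-DvmAgentAccessConfig)
```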
Pre-Post OS Customization Batch Scripts
Some deployments need scripts to run before or after the OS customization (SysPrep or HyPrep) executes; the feature is integrated in HyWorks v3.3. Two types of customization scripts are supported:
- Pre-customization [Pre_Customization_System.bat]
- Post-customization [Post_Customization_System.bat]
Path:
C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts
Post Reset Computer Domain Trust Batch Script
Some deployments need scripts to run after a broken domain trust is reset; the feature is integrated in HyWorks. The path of the script is as follows:
C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Post_Reset_ComputerDomainTrust.bat
Note
- HyWorks only provides the platform to execute scripts on different system events. The scripts have to be written as per requirements.
Suspending Processes in Disconnected Sessions
HyWorks Session Host Server and HyWorks DVM Agent (v3.3-R2 or later) can be configured to suspend processes in disconnected sessions. The feature helps free up resources (CPU) held by disconnected sessions, making them available to the rest of the users on the system.
How does it work
- On session disconnection, session host server/DVM agent will suspend processes
- On session reconnection, suspended processes will be resumed
Configurations to Suspend Processes on Session Disconnection
To enable process suspending:
- Open registry editor with administrator privileges
- Update registry settings, as mentioned below:
  - Registry Location: HKEY_LOCAL_MACHINE\SOFTWARE\Accops\DVMAgent\SUSPEND PROCESS
  - Registry Name/ Type: Enable (String)
  - Registry Value: Set as True to enable process suspending/ Set as False to disable process suspending
- Save registry settings
- Open services with administrator privileges
- Locate Accops HyWorks Desktop Agent service and restart it
Advance Configurations
Following additional registry configurations are available, which can be used to enable process suspending for specific users/ processes only:
• exclude_users: Excludes the listed users from process suspension. Provide the list of users in comma-separated format, for example: user1.demo,user2.demo,user3.demo. Use this option to enable process suspension for all users except a few.
• exclude_processes: The listed processes will not get suspended. Provide the list of processes in comma-separated format, for example: notepad,write,mspaint. Use this option to enable process suspension for all processes except a few.
Note
- Some critical system processes are already added into the exclude processes list and should not be removed for smooth operations.
• include_users: Process suspension works only for the listed users. All other users are exempted. Use this option to enable process suspension for specific users only.
• include_processes: Only the listed processes get suspended; all other processes are exempted. Use this option to enable process suspension for specific processes only.
Important
- For any registry changes, DVM agent service needs to be restarted for changes to take effect.