Wednesday, October 1, 2014

How to send CTRL+ALT+DELETE from Windows 7 Embedded Thin Client to VMware View VDI desktop

Problem

One of the most common questions I get asked from clients setting up thin clients is how to pass key combinations such as CTRL+ALT+DELETE that Windows is designed to intercept for security reasons to a VMware View desktop. For those who have worked with Windows 7 Embedded Thin Clients would know that the default behavior when a user presses CTRL+ALT+DELETE in their VMware View desktop is that the user would get presented with the Thin Client’s CTRL+ALT+DELETE options rather than their VMware View desktop.  This is also the same for other key combinations such as ALT+TAB and CTRL+SHIFT+ESC.

Before I write the solution, note that the following would not work:

How to enable or disable the CTRL+ALT+DELETE sequence for logging on to Windows XP, to Windows Vista, and to Windows 7
http://support2.microsoft.com/kb/308226

The above solution doesn’t work because it disables the need to use the CTRL+ALT+DELETE sequence during user logon.

The following policy that exists in the Windows Embedded operating system also would not work:

Computer Configuration –> Administrative Templates –> System –> Keyboard Filter –> Security Keys –> Block Secure Desktop (Ctrl+Alt+Del)

image

Enabling the policy above only renders the key sequence to not do anything.

It also doesn’t help that trying to Google the words Ctrl+Alt+Del, virtual desktop, thin client, etc. usually yields the 2 results from above.

Solution

The solution to the problem is actually quite simple and that is to load the PCoIP ADM template and enable:

Use Enhanced Keyboard on Windows Client if available

image

image

More information about this configuration can be found here:

View PCoIP Session Variables for the Keyboard
http://pubs.vmware.com/view-50/index.jsp?topic=/com.vmware.view.administration.doc/GUID-2FA7564D-FF3E-472B-AD2D-575CCCD82410.html

The requirements for using this feature are as follows:

  1. You need to use the VMware View Client with Local Mode
  2. You need to run the View Client with Local Mode as an administrator

The following summarizes the problems I immediately had with the requirements above:

  1. The View Local Mode capability has been removed from the Windows client in the Horizon View 6.0 release which leads me to believe it will no longer be updated thus requiring a replacment
  2. You cannot simply run the the View Client with Local Mode with a service account that is a local administrator on the thin client because doing so would prevent you from using the “Log on as user feature” and even if that feature worked, it would be a security risk putting a password into a batch file

I was unable to find any workarounds to the above concerns but what I did find was the following setup provided by a user on the VMware forums:

https://communities.vmware.com/message/2332945

What the user did was essentially run the VMware View Client with Local mode via a script that would automatically log the user off if the client is closed. When combining this script with disabling the VMware View client bar, a user is essentially locked into their View VDI until they log off and in which case would log them off the client.

While this isn’t a perfect solution, most administrators may have to live with it until new features are released.  I will update this post if I come across something better.

3 comments:

Anonymous said...

Thank you so much for this, Terence. How have you been handling the new VMware Horizon View Clients?

Terence Luk said...

Unfortunately, VMware has decided to retire the VMware View Client with Local Mode because VMware Horizon View 6 no longer provides the "Local Mode" feature and has since removed the "Transfer Server" role. I actually called into VMware complaining that I was experiencing slow connection performance using the last VMware View Client with Local mode and at first they asked me to use the new Horizon clients assuring me that keyboard filtering works but after trying 2 different versions without any luck, they told me it is no longer supported. I got the case escalated to level 2 but that was as far as I got because I was told to submit this as a "new feature request". I can only imagine the reaction of administrators who have this deployed to thousands of users and rely on this feature.

Michael Stanclift said...

I was so excited to find this, until I read the comments about Local Mode and realized it wouldn't work with the Horizon client.