VM (VDI) Security

Hello guys,
I would like to ask a question about the security of the VDI.
Actually, I am using VDIs with Windows embedded in them, and many specific applications. These VDIs communicate with an application server to produce some results for the embedded applications; the communication is based on Windows Communication Foundation (WCF).
The question is: are there mechanisms to disable access to the VDIs and to change some settings?
Thanks

Hi michael,
please try executing this PowerShell command:
Grant-VMConnectAccess -VMName <VM name> -UserName <user account to boot the VM>
See if this works. I just tested it and it works on my side. For more detail, you can refer to http://www.ms4u.info/2014/01/cannot-start-imported-hyper-v-vm.html
Lai (My blog:- http://www.ms4u.info)
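Grant-VMConnectAccess controls only who may open a VM's console through Hyper-V's Virtual Machine Connection (VMConnect); it does not restrict RDP or any other network path into the guest, which must be controlled inside the guest (Remote Desktop Users group, firewall). As an added example that is not part of Lai's reply or of the original question, the PowerShell below reduces a VM's console access to an explicit allow list: it reads the current grants with Get-VMConnectAccess, revokes every entry not on the list and grants the missing ones. The VM name and the group name are placeholders; it assumes the Hyper-V module and a Hyper-V administrator session.

```powershell
# Added example, not code from the thread. Restricts VMConnect console access on one
# Hyper-V VM to an explicit allow list. Assumes the Hyper-V PowerShell module is
# available and the caller is a Hyper-V administrator. VM and account names are placeholders.
Import-Module Hyper-V

function Set-VMConsoleAllowList {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string[]]$AllowedUsers   # e.g. 'CORP\vdi-operators' (placeholder)
    )
    # One object per (VM, principal) pair; empty when nobody has been granted access.
    $current = @(Get-VMConnectAccess -VMName $VMName)

    # Revoke every grant that is not on the allow list.
    foreach ($grant in $current) {
        if ($AllowedUsers -notcontains $grant.UserName) {
            Revoke-VMConnectAccess -VMName $VMName -UserName $grant.UserName
            Write-Verbose "Revoked console access for $($grant.UserName) on $VMName"
        }
    }
    # Grant the entries that are on the list but missing from the VM.
    foreach ($user in $AllowedUsers) {
        if ($current.UserName -notcontains $user) {
            Grant-VMConnectAccess -VMName $VMName -UserName $user
            Write-Verbose "Granted console access for $user on $VMName"
        }
    }
    # Return the resulting grants so the caller can verify the end state.
    Get-VMConnectAccess -VMName $VMName
}

# Usage (placeholders): Set-VMConsoleAllowList -VMName 'VDI-WES7-01' -AllowedUsers 'CORP\vdi-operators' -Verbose
```

Run it per VM, or pipe `Get-VM | Select-Object -ExpandProperty Name` into it for a whole host; the returned list is the state to keep in your configuration baseline.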

Similar Messages

  • Security issue: Are the "r" commands needed by VDI 3?

    Do we need rlogin, or any of the other r-commands, for VDI 3?
    Description: The .rhosts file is supported in PAM.
    Status: Open
    For example:
    GEN002100: /etc/pam.conf is supported by the pam .rhost file.

    The right document syntax for this is:
    UNIX: Do I Need To Use The "oinstall" Group? (Doc ID 463052.1)
    François

  • Security Issue: VDI 3 creates a number of world writable files?

    Customer states:
    I need to limit permissions to just owners and groups; not the others setting, will that be a problem?
    Description: There are world writeable files or world writeable directories that are not public directories.
    Status: Open
    For example:
    /usr/oasys/tmp/TERRLOG
    /var/dt/dtpower/_current_scheme
    /var/opt/SUNWvda
    /var/opt/SUNWvda/webadmin
    /var/opt/SUNWvda/log

  • APP-V 5.0 VDI A Temporary Profile is created when I log into the Virtual Desktop

    Dear Sirs
    I'm Enzo , an Italian System Engineer. Together with other fellows we created a test environment :
    - a VDI machine (POC-VDI,10.102.94.219, Windows Server 2012 R2) with
      RD Web Access, RD Connection Broker, RD Virtualization Host, RD Session Host Installed
    The Hyper-V Environment includes :
    - DHCP Server (to provide addresses to Virtual Desktop Collections)
    - APP-V_5.0_Server , Application Virtualization Management Console 5.0, with 2 published packages (Office 2010 and OpenOffice 4)
    - Sequencer_W8-1, Application Virtualization Sequencer 5.0
    - Client_8-1 , Client Windows 8.1 with Application Virtualization Client 5.0
    From the Client_8-1 we can download and run the two published packages from the server (user VDI_TEST_1)
    The Client_8-1 has been used as the template (sysprep /oobe /generalize /shutdown) for the Virtual Desktops (APP-0 and APP-1)
    included in the collection 'APPV' (Pooled, Automatically Manage Virtual Desktop, Roll Back Virtual Desktops Enabled).
    I connect to the 'RD Web Access' (http://10.102.94.219/RDWeb, user VDI_TEST_1), then I connect to the APPV collection.
    When I get logged into the Virtual Desktop (APP-0 or APP-1, user VDI_TEST_1), a Temporary Profile is created. Why ?
    We configured:
    User Profile Disk: share location \\10.102.94.219\UPD
    UPD share permissions: Everyone - Full Control
    UPD NTFS security:
        SYSTEM - Full Control
        Network Service - Full Control
        POC-VDI$ - Full Control
        Administrators (POC-VDI\Administrators) - Full Control
        Users (POC-VDI\Users) - Read & Execute
    I am puzzled because when I log into the Virtual Desktop, a Temporary Profile is created. Why?
    Thanks in advance for your kind attention
    Enzo

    Highly unlikely it has anything to do with App-V.
    Start troubleshooting by looking at permissions on shares and folder under the shares for the profile.
    Tim Mangan MVP for App-V and Citrix CTP Author of AppV books: "The Client Book" and "OSD Reference Book" (http://www.tmurgent.com/Books )
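    Tim's suggestion can be turned into a repeatable check. The PowerShell below is an added example and not something posted in the thread: run on the file server, it reads the share-level ACL (Get-SmbShareAccess) and the NTFS ACL (Get-Acl) of the UPD share and reports, for each principal you expect to need Full Control (typically the computer accounts of the RD Virtualization Host and RD Session Host servers serving the collection), whether both ACLs actually grant it, and warns if the share still grants Everyone Full Control. The share name and the principal list are placeholders; it assumes Server 2012 or later (SmbShare module).

    ```powershell
    # Added example, not from the thread. Audits share-level and NTFS ACLs of a
    # User Profile Disk share. Assumes it runs on the file server hosting the share
    # (SmbShare module, Server 2012+). Share name and principals are placeholders.
    function Test-UpdShareAcl {
        param(
            [Parameter(Mandatory)][string]$ShareName,             # e.g. 'UPD'
            [Parameter(Mandatory)][string[]]$RequiredFullControl  # e.g. 'POC-VDI\POC-VDI$'
        )
        $share     = Get-SmbShare -Name $ShareName
        $shareAces = Get-SmbShareAccess -Name $ShareName
        $ntfs      = Get-Acl -Path $share.Path
        $full      = [System.Security.AccessControl.FileSystemRights]::FullControl

        $report = foreach ($principal in $RequiredFullControl) {
            # Share-level: an explicit Allow/Full entry for this principal.
            $shareOk = $shareAces | Where-Object {
                $_.AccountName -eq $principal -and
                $_.AccessControlType -eq 'Allow' -and
                $_.AccessRight -eq 'Full'
            }
            # NTFS: an Allow ACE whose rights include every bit of FullControl.
            $ntfsOk = $ntfs.Access | Where-Object {
                $_.IdentityReference.Value -eq $principal -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $full) -eq $full)
            }
            [pscustomobject]@{
                Principal        = $principal
                ShareFullControl = [bool]$shareOk
                NtfsFullControl  = [bool]$ntfsOk
            }
        }

        # A blanket share grant hides missing explicit entries; flag it separately.
        $everyone = $shareAces | Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' }
        if ($everyone) { Write-Warning "Share '$ShareName' grants Everyone Full Control; prefer explicit computer-account entries" }
        $report
    }

    # Usage (placeholders): Test-UpdShareAcl -ShareName 'UPD' -RequiredFullControl 'POC-VDI\POC-VDI$', 'POC-VDI\APP-0$'
    ```

    A row with ShareFullControl or NtfsFullControl set to False is a concrete lead for the temporary-profile symptom; the Users/Read & Execute entry on NTFS is irrelevant to the mount because the disk is attached by the host, not by the user.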

  • Running Permission Scripts for App-V packages in VDI environment

    Hi
    We use App-V 5.0 SP1 in VDI environment.
    We have a major problem with packages' permissions
    Our users don't have administrative privileges on their machines.
    As the option for "Security Descriptors" is discontinued, the only way to give permissions to a folder in a package is to use the VFSCACLS.vbs as a startup script of a package.
    This way, the first time users launch an application they're prompted to reopen it, and the second time they can use the application with the needed permissions.
    The problem:
    The script saves those permission changes under LOCALAPPDATA\AppV...
    Therefore, every time the users log off the folder is deleted (VDI...) and again they must run the script for the first time again to get the permissions back after logon!
    We cannot roam the LOCALAPPDATA\AppV folder as its size can be dozens of GBs...
    Folder permissions with group policy is also not a solution, as the folder name changes every time we upgrade a package and it's impossible to follow with hundreds of packages.
    So it's either we're missing something critical in the architecture with VDI environment or there's a normal solution for these situations.
    Would love to get some help
    Thanks
    Tamir Levy

    Hi Nicke
    that's what I did! The problem is that I find myself over and over again wanting to sequence packages in App-V 5.0 and being forced to sequence them in App-V 4.6.
    I really hope that it wasn't App-V team's goal. announcing App-V 5.0 and tell us it doesn't support many things so we will still need App-V 4.6 forever.
    I have to maintain 2 different App-V environments with 4 different servers , 4 different sequencers and 2 clients on each computer. it doesn't make any sense for me to forced to stay with both of the versions forever.
    correct me if I'm wrong but App-V 4.6 is a legacy application. The new versions only add support for newer operating systems and nothing more. I won't be surprised if the next version of MDOP won't come with App-V 4.6 anymore and Microsoft will announce it's unsupported very soon.
    Every time I open a ticket with MS Support the best thing I get is "It's a known issue, we can't tell when it will be fixed"
    can you help me more ? move it forward to other people from the inside? at least agree with me that something is not as expected in App-V 5.0... :(
    I love the technology, I believe in it, I'm kinda depend on it and I only want it to be better
    Tamir Levy

  • App-V packages not streaming on VMWare View VDI

    Hello All,
    We are currently running SCCM 2012 R2 CU2 on VMware View VDI's.
    We maintain our golden image using SCCM OSD.
    Next to applications installed in the image, we are also using App-V packages.
    Before we can deploy the image, it needs to be stripped (or sysprepped) so as to guarantee that the clones will not report to the Management Point using the same SCCM GUIDs etc.
    Therefore we perform the following:
    # Stop the SCCM agent and remove its identity so clones do not reuse the same client GUID and certificate
    Stop-Service -Name CcmExec -Force
    Remove-Item -Path "$env:SystemRoot\smscfg.ini" -Force
    Get-ChildItem -Path Cert:\LocalMachine\SMS | Remove-Item
    # Reset the hardware inventory action status so the first inventory after cloning is a full one
    Get-WmiObject -Namespace root\ccm\invagt -Class InventoryActionStatus |
        Where-Object { $_.InventoryActionID -eq '{00000000-0000-0000-0000-000000000001}' } |
        Remove-WmiObject
    Clear-EventLog -LogName Application, System, Security
    Get-ChildItem -Path "$env:SystemRoot\ccm\logs" | Remove-Item -Recurse -Force
    When we deploy the new version of an image, we see that APP-V packages are not being streamed immediately to the clients.
    While troubleshooting, I noticed that whenever I login and run a Machine Policy Evaluation & Retrieval cycle, that a ccmrepair and ccmrestart is being executed.
    After the restart, the client immediately starts streaming the App-V packages.
    Can anyone help me in pinpointing where the ccmrestart gets triggered from?
    I've already searched a lot of logs (ccmexec, execmgr, policyagent, policyevaluator, ...) for the root cause but am unable to find it.
    Many thanks in advance!
    Filip Theyssens

    Hi,
    I just ran the action "Machine Policy Evaluation & Retrieval cycle" on my client, the Ccmrepair and Ccmrestart were not being executed from the logs.
    You could trigger the CcmRestart by running "%windir%\CCM\CcmRestart.exe".
    Best Regards,
    Joyce

  • Server 2012 R2 Remote Desktop Gateway. Most Simple and Secure Design For Small Environment?

    We would like users to be able to connect remotely over the Internet from their personal devices to their primary Windows 7 workstation (a physical box on their desk) by using the Microsoft RDP Client For Windows, Mac, iOS and Android.  There is no
    plan to use RDWeb or Remote Apps, or VDI.  Just plain remote access to their desktop PC without VPN plus a third party 2nd factor authentication product that can text them back a code to enter with their AD credentials (AuthAnvil or Duosecurity)
    We do not have TMG or ISA.
    We would like to get these services all running in a single server and be as simple as possible while still being very secure.
    The recommendations I see seem to suggest putting the RDG in a DMZ with either a domain controller on a new domain with a one-way trust to your internal domain or else a read-only domain controller on your domain and then RD Session Host and License server
    located on different servers on your internal LAN.
    http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
    That sounds like a lot of separate servers and cost for not a lot of users in our environment.
    Do we even need a separate session host server if there are no RDP sessions being hosted directly on the servers because the users are only being redirected to connect to their workstations and will never be using terminal sessions on the server?
    Can the RODC or the Domain controller on new domain with the one-way trust be the same server as the Remote Desktop Gateway server and not separate servers?
    What is the most minimalist way to set this up with good security when opening all the ports needed to authenticate with internal DC is not secure enough?

    #2 sounds like we would need 2 Essentials servers and we will not have that.
    We currently have Server 2008 R2 and have 2012 Standard licenses that are not yet used.
    We have much more than 75 users total, but 75 is more than the number of users that will probably take advantage of using RD Gateway any time soon.  It will probably take time to catch on.
    If RD Gateway usage was to get super popular and more than 75 users were depending on access to it, then we could financially justify paying to buy all the CALs needed to run RD Gateway without Essentials.  Right now, they are skeptical that it will
    be worth spending much money on this and don't want to invest a lot  of money up front.
    My understanding is that if we have 75 or fewer users using RD Gateway then we need to buy no CALs, just apply a Server Standard Edition License to the server, but if we had 76, we would need to turn off Essentials and buy 76 new CALs.
    Or would we need to add 50 CALs to the 25 that automatically come with Essentials?
    Also does "turning off" Essentials mean we would have to reinstall and redeploy the RDG or is it just a matter of enabling the RD license server and adding purchased CALs?
    No, when you buy essentials you get the right to create 25 users that access the server, when you create the 26th user you will need to have 26 CAL and RDS CAL. 

  • How to make WinTPC a direct VDI w/2012 Server from login(SSO) Pooled VM Collection SOLVED !

    Pre-Reqs:
    WinTPC machines must be domain joined
    All VDI infrastructure is 2012(RD Web, CB, VH, GW) you might be able to use 2008R2 I did not use any so dunno..
    All certificates must be in place for SSO
    1. Setup 2012 VDI infrastructure to use SSO
    2.Set group policy applied to WinTPC machines OU to allow Credential Delegation see:
    http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx
    3. Steal the RDP file from RDWeb (do a view source to get the path to the RDP file then download it) place in a network location, we use a folder in netlogon. Alternatively you could create your own RDP file and include the loadbalanceinfo:s:tsv://VMResource.1.MYPOOLEDCOLLECTION_Name
    4. Use a GPO to set a Custom Interface on the WinTPC machines; it should execute a PowerShell or VBScript that runs the .rdp file. In our case we use a logon script to copy a PowerShell script to the local machine, then use that
    as the custom interface; it loops watching for the mstsc process to end, and when it does it logs the user off. (sample)
    #VDI-RDP.ps1
    & 'c:\windows\system32\mstsc.exe' c:\start\myrdpfile.rdp
    Start-Sleep -Seconds 10
    # Poll until mstsc is gone; -ErrorAction keeps Get-Process from writing an error once the process has exited
    while (Get-Process -Name mstsc -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 10 }
    logoff.exe
    Custom Interface GPO is here:
    User\Administrative Templates\System\Custom User Interface\
    "powershell.exe" -windowstyle hidden c:\start\vdirdp.ps1
    Voila !
    When domain users login to the WinTPC they get a VDI session only... once they close the session either by logging off or closing the RDP session.. they are logged off of the WinTPC machine
    MS really should document this somewhere.. not everyone wants to access VDI from  RDweb.... :(   nor do they wish to have to authenticate multiple times...
    Good luck with it !
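    Step 3 above copies the RDP file that RDWeb generates; the alternative the post mentions, writing the file yourself with the broker as full address and the pooled collection in loadbalanceinfo, removes the dependency on RDWeb and lets you pin the settings you want on a kiosk. The script below is an added example, not Steve's script: it writes such a file, launches mstsc and waits for it with Start-Process -Wait (which avoids the error Get-Process raises once mstsc is gone), deletes the file and logs off. The broker FQDN, collection name and file path are placeholders, and the device-redirection settings are a choice for a kiosk, not something the post prescribes. Note that a copied or generated .rdp file carries no integrity protection of its own; rdpsign.exe can sign it with a certificate the thin clients trust, and client policy can then be set to refuse unsigned or modified files.

    ```powershell
    # Added example, not the original author's script. Generates the pooled-collection RDP
    # file, runs it, then logs the WinTPC user off when mstsc exits.
    # Assumptions (placeholders): broker FQDN, collection name, output path.
    param(
        [string]$Broker     = 'rdcb.corp.example',    # RD Connection Broker FQDN (placeholder)
        [string]$Collection = 'MYPOOLEDCOLLECTION',   # pooled VM collection name (placeholder)
        [string]$RdpPath    = "$env:LOCALAPPDATA\vdi.rdp"
    )

    function New-PooledCollectionRdpFile {
        param([string]$Broker, [string]$Collection, [string]$Path)
        # .rdp format: one "key:type:value" per line (s = string, i = integer).
        $lines = @(
            "full address:s:$Broker",
            "loadbalanceinfo:s:tsv://VMResource.1.$Collection",   # broker routes to the pool
            "use redirection server name:i:1",
            "authentication level:i:1",       # 1 = do not connect if server authentication fails
            "enablecredsspsupport:i:1",       # CredSSP/NLA, needed for the delegated-credential SSO
            "prompt for credentials:i:0",
            "redirectclipboard:i:0",          # kiosk choice: no device or clipboard redirection
            "redirectdrives:i:0",
            "redirectprinters:i:0"
        )
        Set-Content -Path $Path -Value $lines -Encoding ASCII
        $Path
    }

    $rdp = New-PooledCollectionRdpFile -Broker $Broker -Collection $Collection -Path $RdpPath

    # -Wait blocks until mstsc exits (logoff inside the VM or the window being closed);
    # the broker redirect happens inside the same mstsc process, so no polling is needed.
    Start-Process -FilePath "$env:SystemRoot\System32\mstsc.exe" -ArgumentList "`"$rdp`"" -Wait

    Remove-Item -Path $rdp -Force -ErrorAction SilentlyContinue
    logoff.exe
    ```

    Point the Custom User Interface GPO at this script exactly as in step 4 (powershell.exe -windowstyle hidden <path>); because the file is regenerated on every logon, a stale or edited copy on the client never survives a session.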

    Thank you dear Steve for the detailed steps,
    I have an issue to set the RD Web Access for SSO.
    I followed below article without success and I saw your comment.
    http://www.anilerduran.com/index.php/2012/sso-single-sign-on-thoughts-on-rds-remote-desktop-services-2012/
    I am using RDS 2012 R2 environment.
    Could you please provide more steps on how to run SSO for the RD Web?:
    Point Number 2 is not clear.
     To turn on Windows Authentication:
       - uncomment the <authentication mode="Windows"/> section
       - and comment out:
         1) the <authentication mode="Forms"> section.
         2) the <modules> and <security> sections in the <system.webServer> section at the end of the file.
         3) Optional: Windows Authentication will work over https. However, to turn off https, disable 'Require SSL' for both the RDWeb and RDWeb/Pages VDIRs.
            Launch the IIS Manager UI, click on the RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and
            click Apply in the top right of the right pane. Repeat the steps for the RDWeb/Pages VDIR.
    Kind regards,

  • Very Slow VDI Login Time

    Hi,
    My environment contains two Hyper-V Servers for DCs, Connection Broker, RD-Web, and two Hyper-V servers as virtualization host to thin clients. All Hyper-V servers are only 35% utilized and all client VMs don't have a performance issue.
    After setting up the roles and creating the "Personalized Pools", I open the RD-Web, click on the collection and here it takes a very long time in securing connection part, then a warning message appears for the connection broker self-signed certificate,
    I accept it and again a very long time to open the VM.
    After searching the internet I figured out that I should install "PFX" certificates for the connection broker (SSO, Publisher). In my environment, we don't use a public certificate from trusted root CAs, however, we have our own "Enterprise
    Root CA".
    I then figured that I should create a certificate with the following attributes:
    Advanced Key Usage: Server Authentication, Client Authentication
    Key Usage: Data encipherment, Digital Signature, Key Agreement
    I created the certificate and imported it to the RD CB, however, the "securing connection" part was even slower than before, so I duplicated the "Computer" certificate, and configured 1024 bit certificate instead of the old one "2048".
    The "securing connection" part is taking half the time now, however it is still very long "+60 seconds" to open the VM.
    I still suspect that it is a certificate issue and not sure if I have done the correct certificate.
    Would anyone help in this case and providing the correct steps to install a certificate for the RD CB from internal CA.
    Thanks.

    Hi,
    Thank you for your posting in Windows Server Forum.
    Did you receive any particular Error message for your case?
    What’s the Server and client version in your environment?
    If you are using windows 7 in VDI and have slow logon then please check below article.
    Windows 7 Slow Boot / Slow Logon (Why I do what I do) ( Refer Point:
    Are you doing VDI and having slow performance?  Have you done any of these steps (at a minimum)?)
    Apart from this, for installing certificate you can go through beneath article for detail.
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    Hope it helps! 
    Thanks,
    Dharmesh
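    Shrinking the key to 1024 bits is not a fix: 1024-bit RSA is below the 2048-bit minimum that current guidance and CAs require, and RSA key size adds at most milliseconds to a TLS handshake, so it cannot account for a delay measured in tens of seconds. Before binding a certificate from the internal CA to the broker, it is worth checking the properties that actually matter for the RD Connection Broker roles. The PowerShell below is an added example, not from the thread or from the article Dharmesh links: it checks key size, the Server Authentication EKU, that the subject/SAN carries the name clients resolve for the broker, private-key presence, and chain validation with Test-Certificate, and only then binds the PFX to the RDRedirector and RDPublishing roles with Set-RDCertificate. The thumbprint, broker FQDN and PFX path are placeholders; it assumes the PKI and RemoteDesktop modules of Server 2012 R2.

    ```powershell
    # Added example, not from the thread. Validates a certificate for the RD Connection
    # Broker roles before binding it. Assumes Server 2012 R2 with the PKI and RemoteDesktop
    # modules; thumbprint, broker FQDN and PFX path are placeholders.
    function Test-RdBrokerCertificate {
        param(
            [Parameter(Mandatory)][string]$Thumbprint,
            [Parameter(Mandatory)][string]$BrokerFqdn    # name the clients resolve, e.g. rdcb.corp.example
        )
        $cert          = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
        $serverAuthOid = '1.3.6.1.5.5.7.3.1'
        $findings      = @()

        if ($cert.PublicKey.Key.KeySize -lt 2048) {
            $findings += "RSA key is $($cert.PublicKey.Key.KeySize) bits; 2048 is the minimum"
        }
        if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) {
            $findings += 'Missing Server Authentication EKU'
        }
        # DnsNameList is populated by the Cert: provider from subject CN and SAN dNSName entries.
        if ($cert.DnsNameList.Unicode -notcontains $BrokerFqdn) {
            $findings += "Subject/SAN does not include $BrokerFqdn"
        }
        if (-not $cert.HasPrivateKey) { $findings += 'No private key in the store' }
        # Chain and revocation check against this machine's trusted roots.
        if (-not (Test-Certificate -Cert $cert -EKU $serverAuthOid -ErrorAction SilentlyContinue)) {
            $findings += 'Chain does not validate to a trusted root on this machine'
        }
        [pscustomobject]@{ Thumbprint = $Thumbprint; Ok = ($findings.Count -eq 0); Findings = $findings }
    }

    # Bind only after the checks pass. The PFX must have been exported with the private key.
    $broker = 'rdcb.corp.example'                       # placeholder
    $result = Test-RdBrokerCertificate -Thumbprint 'THUMBPRINT-PLACEHOLDER' -BrokerFqdn $broker
    if ($result.Ok) {
        $pw = Read-Host -AsSecureString -Prompt 'PFX password'
        foreach ($role in 'RDRedirector', 'RDPublishing') {
            Set-RDCertificate -Role $role -ImportPath 'C:\certs\rdcb.pfx' -Password $pw `
                -ConnectionBroker $broker -Force
        }
    } else {
        $result.Findings
    }
    ```

    The same function applies to the RDWebAccess and RDGateway roles with their own FQDNs. If the chain check fails on the broker but the CA is trusted on the clients, the clients' "securing connection" phase will still be slow whenever they cannot reach the CRL distribution point named in the certificate, so check that URL is reachable from a client as well.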

  • Very Slow VDI Client Login Time

    Hi,
    To avoid confusion, let's focus on the same thread.
    http://social.technet.microsoft.com/Forums/en-US/17fb24d7-61a7-49be-83b3-35bd9d8b6863/very-slow-vdi-login-time?forum=winserverTS
    Thanks.
    Jeremy Wu
    TechNet Community Support

  • Deploying Acrobat X in VDI environment

    Hi
    we're moving to a VDI environment in our organization with Windows 7 image.
    one of the goals is to have the minimum amount of master images for the users. therefore only components and middleware are installed on the master image and our main solution for dynamic deploying of applications is Microsoft App-V.
    now the issue is with deploying Acrobat X (Standard or Pro). Acrobat X can be packaged with App-V but one of the main features that don't work is to grab a docx file and convert it to PDF.
    I thought it's because the Adobe PDF printer is missing from the package, though I tried to install it locally and still didn't manage to operate it, so I'm not sure if this is the problem, and obviously it's not that easy to debug.
    the error message is :
    Unable to find "Adobe PDF" resource files. Do you want to run the installer in repair mode?
    As Adobe Acrobat is one of the most common 3rd party software products in the market, I wanted to hear what Adobe has to offer for companies that are headed for this type of technology. I know that, for example, Adobe Reader XI comes with the App-V Deployment Kit that installs all the necessary components of the product locally in order to deploy the software by App-V with all the features available, but I didn't find anything similar for Acrobat XI.
    Obviously my last option is to add 2 separate images (one with Acrobat Pro and one with Standard) and have a security group for every group of product users, but it's the hardest to maintain.
    hope to get a solution from you here
    thanks

    Hi Tomtomlevy,
    I can't give you the good answer you deserve because App-V was not supported in X. However, it's apparently been delivered that way successfully by many admins. Probably the component you need is PDFMaker, but I'm not sure.
    In any case, maybe someone who has experience will post here, but you may have better luck on an App-V forum.
    Ben

  • DTUs freezing randomly in XP VDI sessions

    Software:
    VDI 3.2 (upgraded from 3.1) on three Solaris 10 10/09 x64 servers in the recommended HA bundled MySQL config (primary, first secondary, second secondary)
    Desktop provider is VSphere 4.0.
    This issue primarily affects a VDI pool of ~65 Windows XP 32-bit desktops.
    Any affected desktops already have the Oracle VDI Tools and SunRay Windows Components which were bundled with VDI 3.2.
    Hardware:
    Sun Ray 2 and 2FS models, upgraded with the firmware provided with the VDI 3.2 release (GUI4.2_140993-03_2010.06.21.19.00)
    Smartcards are mandated for hardware Sun Rays.
    In the last month or so, we have started seeing more and more random "freezing" of sessions whilst users are already logged in and working - users are typically just using Office, Firefox, Thunderbird etc. - nothing complicated!
    Essentially, their screen will randomly freeze completely and the mouse pointer cannot be moved. The only way to fix it is to remove the card or kill the session with CTRL-ALT-DEL-DEL-Bkspc-Bkspc.
    Upon doing so, the session comes back to life immediately and they can continue working.
    Here is a portion from /var/opt/SUNWut/log/messages which is produced at the moment the session freezes on the server that happens to be hosting the session (I've changed the server hostname, username and domain name for security reasons):
    Dec 14 10:56:57 vdiserver utauthd: [ID 794400 user.info] SessionManager0 NOTICE: EMPTY: ACTIVE session
    Dec 14 10:56:57 vdiserver Sun Ray Connector proxy:[21218]: [ID 855542 user.error] Child closed socket prematurely, session shutdown
    Dec 14 10:56:57 vdiserver kiosk:vda[22715]: [ID 702911 user.error] /opt/SUNWuttsc/bin/uttsc exited with error code 141 - exiting
    Dec 14 10:56:58 vdiserver kioskcritd[20958]: [ID 422571 user.info] Info: a critical application has exited.
    Dec 14 10:56:58 vdiserver kioskcritd[20958]: [ID 342793 user.info] Terminating Kiosk Primary Session ( pid=21106 )
    Dec 14 10:56:58 vdiserver kioskcritd[20958]: [ID 308018 user.info] kioskcritd stopped
    Dec 14 10:57:04 vdiserver dtlogin[22800]: [ID 118685 user.info] pam_sunray_amgh::[DPY=6] AMGH_SUMMARY: token=user.1290677160-1567, username=, AMGH_Done?=NO(Local Session), Details=AMGH is not configured., AMGH_Target=*NONE*
    Dec 14 10:57:04 vdiserver dtlogin[22800]: [ID 976841 user.info] pam_kiosk: pam_sm_authenticate: Initiating Kiosk session with user utku35
    Dec 14 10:57:05 vdiserver kioskcritd[22946]: [ID 190395 user.info] kioskcritd started
    Dec 14 10:57:10 vdiserver cacao:default[26773]: [ID 702911 daemon.warning] com.sun.vda.service.client.ClientRequestWorker.run : Failed executing vda-client request: serverList([email protected], token=user.1290677160-1567, clientAddress=127.0.0.1): No preferred servers found for [email protected][ExitCode=15]
    Can anyone offer any help? I know about the "no preferred servers found" error, which I think is produced since we're not using the "Global VDI Center" feature - correct?
    The main issue certainly looks to be caused by uttsc, which is simply crashing...
    Any ideas?

    @turbotiga - thanks a lot for all this info. Really helpful.
    A few questions/comments:
    a) Is this information about which patches are already (or not) applied to the full VDI releases published anywhere? I can't see mention of it on any of the wikis - how have you discovered this? It would be great to know this detailed info - for future releases too - e.g. what patches are already rolled into the SRSS/SRWC components included with VDI 3.1, 3.2, 3.2.1, and which have not been and why? EDIT: Just noticed that the release notes mention that VDI 3.2 includes "SRS 5 Patch 3", whilst 3.2.1 includes "SRS 5 Patch 5" - guess that explains that....
    b) Our suppliers (who also initially installed the systems) had recommended that the versions of SRSS and SRWC etc. that are bundled with the complete VDI packages are included for a reason at that very specific patch level to provide the best matches/compatibility, and that we shouldn't ordinarily install patches for other versions of SRSS etc. against the VDI installation as a whole (I guess unless otherwise instructed to do so from Oracle/Sun). That is why I had assumed that upgrading to 3.2.1 would be a better solution (albeit it will involve considerable downtime compared to patching individual components since it involves taking down the database and rebooting etc.)
    The patches now only seem to be available from the My Oracle Support site (which requires a contract number to access) so it's a moot point anyway since we don't have the rights to get at them any more...are they available from anywhere else?
    I would be very happy to give the installation of patches a go rather than upgrading fully to 3.2.1 in the first instance, purely since we can't afford the amount of downtime that a full VDI upgrade produces right at the minute... is it definitely safe to patch our 3.2 installation with later SRSS/SRWC patches (against the recommendations of our suppliers) rather than going the whole hog and upgrading to 3.2.1?
    Edited by: Hutch on 20-Dec-2010 06:03

  • SQL 2012 failover cluster\mirroring VS AlwaysOn for VDI?

    Hi, we have to build a high availability SQL 2012 cluster for VDI and we have two options. One option is to build a server cluster with a combination of failover and mirroring, and the other option is to build a failover cluster with AlwaysOn.
    We are not sure which option to choose. We have contacted Microsoft support to provide us some documents and instructions for the failover\mirroring combination but they have sent us instructions for the AlwaysOn option.
    What would be the best way to build a high availability cluster for VDI? Also, since the first option is very complicated, we would appreciate it if someone could provide us with some documentation for it (how to build it, what to look out for, etc.) because that is probably the option we are going to use.
    Thank you in advance.
    This topic first appeared in the Spiceworks Community


  • SCEP 2012 and VDI offline servicing

    I've seen this question being asked before in another thread (Best practice to run Microsoft Endpoint Protection client in VDI environment) however the answer doesn't provide enough information (for me at least)
    We are planning to use a Citrix XenDesktop environment with Provisioning services providing VDI clients. As far as I know the SCCM client will be installed in the VDI golden image and after some adjustments SCCM client registration will go well. We will
    also use SCCM 2012 and deploy SCEP 2012 for anti-malware scanning.
    SCCM 2012 provides offline servicing for Software Updates in WIM images, but what is a best practice in keeping the VDI's up-to-date? I can't find any good information about this, so maybe the answer is very simple?... Is there a way to offline service the
    VDI image so Software Updates and Anti-Malware updates are injected in the image?
    Or do the VDI's get updated as physical systems, at the time they are logged in to the network, discarding all changes when logging off. This doesn't seem the right way to go.
    Any help would be appreciated.
    thx. Niels

    I struggled with this same problem for a while, and likewise didn't find a great answer anywhere. In our case, this is for an RDS VDI environment, but the solution I ended up employing should work anywhere.
    First, set up SCCM/WSUS to download the updates to a UNC share (if you haven't already; here's a helpful guide:
    http://blog.thesysadmins.co.uk/sccm-2012-scep-unc-definition-updates-automation-powershell.html). Also, create an antimalware policy for the VDI machines with the definition updates source set to UNC only, and set the UNC Path section accordingly.
    Here's the key part: create a scheduled task in your master image to run based on boot or resume (RDS puts the VDI VMs in a Saved state rather than Off). Here are the settings I used for the task:
    General tab: I set it to run as the SCCM Network Access Account; Run whether user is logged on or not
    Triggers tab: Begin the task On an event; Basic; Log: System; Source: Kernel-General; Event ID: 1 (this pops up on a startup or resume event); Delay task for: 5 minutes (during VM creation, it boots the machine for just a couple minutes, and I
    didn't want this task to be interrupted by a shutdown halfway through); Enabled
    Actions tab: Action: Start a program; Program/script: "C:\Program Files\Microsoft Security Client\MpCmdRun.exe"; Add arguments: -SignatureUpdate
    I left the other tabs with their defaults
    In RDS, the VMs on creation are spun up briefly and then put into a Saved state. It then spins up just a few, waiting for users to connect. By the time a user logs in, the machine should have the latest updates, but even if it doesn't, it should be
    no more than ~5 minutes before it does.
    Hope this helps!
    Ryan
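    Ryan's task can be created with PowerShell in the master image instead of through the Task Scheduler UI, which makes it reproducible across image rebuilds. The function below is an added example, not the poster's configuration: it builds the MpCmdRun.exe -SignatureUpdate action, an event trigger on the System log (Microsoft-Windows-Kernel-General, event ID 1, following the reply) with a five-minute delay, and registers the task to run as a supplied account whether or not a user is logged on. It assumes a Windows 8 / Server 2012 or later image (ScheduledTasks module) and the SCEP client's default install path; the account name is a placeholder for the SCCM Network Access Account. One caveat a practitioner should weigh: a task registered with -User/-Password stores that password in the image, so every clone carries the Network Access Account credential; granting the VM computer accounts read access to the definition share and running the task as SYSTEM (which reaches the share as the computer account) avoids embedding a password at all.

    ```powershell
    # Added example, not the poster's configuration. Registers a boot/resume-triggered
    # SCEP signature update task in a VDI master image. Assumes Windows 8 / Server 2012+
    # (ScheduledTasks module) and the SCEP client's default path; the account is a placeholder.
    function Register-ScepSignatureUpdateTask {
        param(
            [Parameter(Mandatory)][pscredential]$RunAs,   # e.g. the SCCM Network Access Account (placeholder)
            [string]$TaskName = 'SCEP Signature Update on Boot',
            [string]$Delay    = 'PT5M'                    # ISO 8601 duration: wait 5 minutes after the event
        )
        $action = New-ScheduledTaskAction `
            -Execute "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe" `
            -Argument '-SignatureUpdate'

        # Event trigger as in the reply (System log, Kernel-General, ID 1). New-ScheduledTaskTrigger
        # has no event option, so build the MSFT_TaskEventTrigger CIM instance directly.
        $subscription = @'
<QueryList><Query Id="0" Path="System">
  <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and EventID=1]]</Select>
</Query></QueryList>
'@
        $triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
        $trigger = New-CimInstance -CimClass $triggerClass -ClientOnly -Property @{
            Enabled      = $true
            Subscription = $subscription
            Delay        = $Delay
        }

        # Do not let a stuck update hold the VM; 30 minutes is ample for a definition download.
        $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
            -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

        # -User/-Password makes the task run whether or not a user is logged on.
        Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
            -User $RunAs.UserName -Password $RunAs.GetNetworkCredential().Password -RunLevel Highest -Force
    }

    # Usage, in the master image before sealing it (account is a placeholder):
    # Register-ScepSignatureUpdateTask -RunAs (Get-Credential 'CORP\svc-sccm-naa')
    ```

    After registration, `Get-ScheduledTask -TaskName 'SCEP Signature Update on Boot' | Get-ScheduledTaskInfo` on a freshly resumed clone shows LastRunTime and LastTaskResult, which is the quickest way to confirm the trigger fires on resume and not only on a cold boot.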

  • Vdi 3 desktop provider error

    Dear All,
    I have installed VDI on a Solaris 10 x86 machine,
    installed Sun xVM on the same host, and on the xVM installed a copy of Windows 2003.
    When I try to add a new desktop provider I get the following:
    Apr 20, 2009 4:46:57 PM com.sun.vda.admin.providers.NewVBoxProviderWizardBean$NewVBoxProviderWizardEventListener handleEvent
    INFO: Verification of Virtual Box host failed
    Apr 20, 2009 4:46:57 PM NewVBoxProviderWizardBean handleEvent
    FINER: THROW
    java.lang.reflect.UndeclaredThrowableException
    at $Proxy8.checkHost(Unknown Source)
    at com.sun.vda.admin.model.VirtualBox.checkStatus(VirtualBox.java:45)
    at com.sun.vda.admin.providers.NewVBoxProviderWizardBean$NewVBoxProviderWizardEventListener.handleEvent(NewVBoxProviderWizardBean.java:225)
    at com.sun.webui.jsf.component.Wizard.broadcast(Wizard.java:1955)
    at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:447)
    at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:752)
    at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:97)
    at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
    at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:117)
    at com.sun.faces.extensions.avatar.lifecycle.PartialTraversalLifecycle.execute(PartialTraversalLifecycle.java:94)
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:244)
    at sun.reflect.GeneratedMethodAccessor132.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at com.sun.webui.jsf.util.UploadFilter.doFilter(UploadFilter.java:267)
    at sun.reflect.GeneratedMethodAccessor131.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:218)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at com.sun.vda.admin.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:108)
    at sun.reflect.GeneratedMethodAccessor130.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:218)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:269)
    at org.apache.catalina.valves.RemoteAddrValve.invoke(RemoteAddrValve.java:81)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: java.rmi.UnmarshalException: Error unmarshaling return; nested exception is:
    java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: com.sun.xml.ws.util.localization.LocalizableMessage
    As you can see the error is "Verification of Virtual Box host failed"
    This is happening at Step 2.2: Verify Certificate
    What can be done to resolve this?
    Regards,
    Scotty

    Hey all -
    For what it's worth - I might have a partial answer to this issue.
    I had a feeling I might have futzed with the host identity after building it and installing VirtualBox the first time.
    On a hunch, I did the unthinkable and re-installed Solaris, installed VirtualBox, and was away with everything working.
    If I get a chance, I'll boot back into the old env and see if I can work it out. My suspicion is that it's something like the Apache SSL certs not being re-generated on install (or something like that...)
    Cheers.
