MED-V: GPO Settings That Could Potentially Cause Issues with current features

  • Article

MED-V V2 leverages underlying VPC and RDP\RemoteApp technologies to facilitate support for URL, Print, and document redirection. In addition, a special BHO is used by the host browser to redirect URL’s configured for legacy guest browsing to the guest browser. There are certain group policies that could impact MED-V’s functionality and/or performance if they are configured. If you are encountering issues with MED-V, verify your applied GPO’s to determine the following.

Terminal Services/RDP Logon User Rights

Policy Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignments\

Policy: Allow log on through Terminal Services

Policy: Deny log on through Terminal Services

Impact: If applied to the XP guest, this could prevent MED-V SSO (single sign-on) with the guest.

Policy Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Policy: Interactive logon: Message text for users attempting to log on

Policy: Interactive logon: Message title for users attempting to log on

Impact: If applied to the XP guest, this could affect MED-V SSO (single sign-on) with the guest where users will always see an additional prompt.

Internet Explorer Policies

Policy Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Advanced Page\

Or User Configuration\Administrative Templates\Windows Components\Internet Explorer\Advanced Page\

Policy: Allow third-party browser extensions

Impact: This could prevent URL redirection if applied to the host.

Policy Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management

or

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management

Policy: Deny all add-ons unless specifically allowed in the Add-on List

Impact:  This could also prevent URL redirection if applied to the host.

TS Client-Server Redirection Policy

Policy Location: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client-server data redirection

Policy: Do not allow clipboard redirection

Policy: Do not allow drive redirection

Impact: This could prevent access to redirected host folders if these policies are applied to the guest Windows XP OS.

Policy Location: Computer Configuration\Administrative Templates\System\Group Policy

Or User Configuration\Administrative Templates\System\Group Policy

Policy: Group Policy Slow Link Detection

Impact: MED-V Workspaces configured for NAT mode may notice significant delays in startup and possibly even logon delays. This can appear to the end user in the form of an application taking a tremendous amount of time to start up or shut down.

Requiring NLA for RDP

Policy Location: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services

Policy: Remote Desktop Connection Client

Impact: For Windows 7 hosts, if "Configure server authentication for the client" is Enabled and set to "Do not connect if authentication fails" then the MED-V applications will fail to start. If this policy must be set, then set it to   "Always connect, even if authentication fails."