RG059 – Things WM does per default

By Max Ranzau

 

This article is to inform and help you plan for the way that Workspace Manager 2012 SR3 currently works in terms of default registry changes when you enable it. When you install the Workspace Manager software on any target environment, absolutely nothing happens to any users state or configuration. This is as long as the Workspace Composer component of WM remains dormant. However even though all subsystems are disabled per default in a fresh WM installation, this is not the case when you set the Workspace Composer mode to Automatic on any workstation or publish a Citrix/RDS application through Workspace Manager. Several registry keys are being modified in the HKCU of the managed session per default.

The point of this article is not to discuss why this is happening, if it should or not. The fact remains is that is how the product operates at present time of writing. You need to be aware of these things as an integrator, especially if you are implementing RES Workspace Manager into an as-is/existing production environment as the outcome may affect the user experience if not taken into consideration.

Most of the mentioned registry changes are of minimal – if any effect, as they are not restrictive. However if the current environment is currently configured restrictive, for example currently hiding the Control Panel, chances are that it will be re-exposed, just alone by enabling the Workspace Composer on a given agent.

default-regsWorkspace Manager provides a way for you to see the mentioned registry changes: First, in the RES WM Console, go to Diagnostics | Workspace Analysis | Composition | User Registry. You will notice there are two entries; Common shell settings and Microsoft Windows Shell Settings. These contain multiple mandatory settings which cannot be changed directly. If you double-click on the End result entry, you will see all the registry settings that are applied. Each of the policies below are linked to their corresponding TechNet page or other sources of information:

De-restrictive policy
Effect
NoControlPanel=0 Control Panel will be enabled
NoInternetIcon=0 Internet Explorer desktop icon will be shown
NoNetConnectDisconnect=0 Users are allowed to manually map network drives
NoNetHood=0 My Network Places shortcut will be displayed
NoPropertiesMyComputer=0 Properties context menu on My Computer is enabled
NoRecentDocsHistory=0 Recent Documents History is enabled
NoRecentDocsMenu=0 Documents menu item is enabled in the start menu
NoSetFolders=0 Controlpanel, Printers and Network settings will be shown.
StartMenuAdminTools=Yes Show administrative tools. Windows Vista and newer. Note: This registry entry is probably not working as expected: About 3000+ google results says it’s a REG_DWORD valued 0 or 1)
NoViewContextMenu=0 Rightclick context menu is enabled on Desktop and Start menu.
NoChangeStartMenu=0 Drag-and-drop context menus on the Start Menu is enabled
NoTrayContextMenu=0 Access to the context menus for the taskbar is enabled
NoSimpleStartMenu=0 Disables the use of classical theme = Regular themed desktop per default.
NoSetTaskbar=0 Allow changes to Taskbar and Start Menu settings
NoSMHelp=0 Enables safeword (I’m kidding! ;) It enables help in the startmenu.
NoFavoritesMenu=0 Enable the Favorites shortcut in the Startmenu
NoStartMenuNetworkPlaces=0 Shows Network Places in the Start Menu
NoNetworkConnections=0 Show Network connections in the Start Menu
NoFind=0 Enable search in the start menu
NoSMConfigurePrograms=0 Shows the “Set Program Access and Defaults” item in the Start Menu
NoNTSecurity=0 Make sure that Windows Security is available from the Start Menu
NoActiveDesktopChanges=0 Allow changes to Active Desktop. This one is weird as it looks like it’s out of whack with the NoSetActiveDesktop=1 further down. By the looks of it, Active Desktop was only relevant up to WinXP (wiki) so it does probably not affect anything anymore.
NoAddRemovePrograms=0 Enables Add-Remove Programs/Programs and Features
Enum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}=0 Unhides My Computer icon (WinXP references it by CSIDL)
Enum\{450D8FBA-AD25-11D0-98A8-0800361B1103}=0 Unhides My Documents icon (same as above)
Enum\{645FF040-5081-101B-9F08-00AA002F954E}=0 Unhides Recycle Bin (same as above)

The above registry based Explorer policy settings are configured per default by Workspace Manager to their non-restrictive state. However be aware of the following policy registry keys, as they are configured restrictively by Workspace Manager:

Restricting policy
Effect
NoManageMyComputerVerb=1 Computer Management context menu on My Computer is disabled per default
IntelliMenus=No Personal menus are turned off (Note: this registry value is probably not working as expected: Technet says that this value should be a REG_DWORD valued 0 or 1)
NoCommonGroups=1 Common program groups are removed from the start menu
NoSetActiveDesktop=1 Active desktop settings are disabled. Note: According to MS this setting is obsolete as it only applies to NT4 and Win9x. This is probably a legacy setting that can be ignored.
NoSMMyDocs=1 Removes “My Documents” shortcut from startmenu.
NoStartBanner=1 Not a bad thing. This removes the anoying “Click here to start” popup on the Windows Xp startmenu.

While the application of all the above registry settings cannot be changed directly, some can be configured indirectly by the corresponding items in the Composition | Desktop | Lockdown & Behavior section in the WM console. Also, it’s worth noting that the built-in Administrative notes within the registry view in Workspace Analysis gives a different picture of what is happening:

reg-doc

In order to make sense of this, remember that the built-in Administrative Notes merely describes what all the policies would do if they were enabled. The description in this field is static and is not referencing dynamically what’s going to happen as a result of what’s being applied regardless if it’s being enabled or disabled. However as the values do change, checking values being displayed here (as shown in the example below) is the only way you can reverse lookup Lockdown & Behavior configuration within Workspace Analysis.

change As mentioned before, you can make changes indirectly to the applied default registry settings by way of the settings available in the Lockdown and Behavior console node. Note that just turning this subsystem on by itself does not as far as I can see make any additional changes to the registry. However, let’s say you want to hide the Recycle Bin: When you configure this in in Lockdown & Behavior (as shown on right), this will instantly be reflected in the Workspace Analyis of the applied User Registry, as shown below:

result

shutresultThis leads me to the last item on the list of items affected just by turning on the Workspace Composer. You may perhaps notice that a Workstation OS will loose the option to shut down the computer on the start menu. While confusing to the user, the shutdown option is however still available from the logon-screen after a regular logout, as this screen is not affected by this. This is a bit weird since the Lockdown & Behavior node at this point is disabled. For the record, the resulting registry in Workspace Analysis does not get updated either:

shutconfig

Even though the checkboxes for disabling shutdown are checked, they are evidently still being processed initially even though they shouldn’t. Until this is fixed, here is a quick workaround for it:

  1. Enable the Lockdown & Behavior node, save settings
  2. Uncheck both shutdown boxes.
  3. Disable Lockdown & Behavior node, save settings.

This will straighten out the wires, uncross the streams and reset the flux capacitor so things work as expected in terms of the Shutdown availability. With the above article in hand you should be armed well with the knowledge of what can and will happen when you enable the Workspace Composer in an existing production environment.

 

No Comments

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a comment

You must be logged in to post a comment.