Thursday, 10 October 2013

Deploy UltraVNC through Group Policy (Windows Server 2008) to Windows 32 and 64 Bit Clients

Background

This article describes the process I have used to deploy UltraVNC to Windows 7 Clients using Group Policy, along with pushing out a specific UltraVNC configuration that allows your domain username and password to be used as the VNC server's authentication method. If you have a lot of machines on your network and wish to save time deploying a VNC solution with a standardised configuration then this guide should help.

What is UltraVNC 

UltraVNC is a very useful remote access software application (similar to TeamViewer, LogMeIn or GoToMyPC, but FREE!) that can display the screen of another computer on your monitor as well as enable remote control via keyboard and mouse input. Unlike the standard Remote Desktop Connection tool that comes with Windows, these VNC style programs allow your remote sessions to be viewed by the remote computer's user rather than locking their screen. In addition, UltraVNC can be configured so your domain username/password is all the authentication required to access client PCs on your network. VNC programs can be a valuable tool in an IT Support environment as you can show users how you are fixing their problem as if you were sitting next to them at their PC - perfect if you are supporting remote users at home, abroad, too lazy to leave your chair or are scared of face to face human contact.

Why Deploy Using Group Policy?

If you have many computers on your network and within your server domain, you can quickly set up a rule to deploy the UltraVNC software automatically to all machines. You can also standardise the UltraVNC configuration of these machines, making support of your network and adding new machines an easier job.

My Environment:-

Server: Windows Server 2008 (SBS 2008)
Local PC: Windows 7 (64-Bit) (Domain member)
Test PC: Windows 7 (32-Bit) - (Domain member) *Can be a 64-Bit PC!

This guide should also apply to many Windows Server environments and can also be used on some Windows XP Clients (although the Windows XP Client Side Extension Pack is required).

Overview/Steps

  1. Download latest or most stable UltraVNC Software
  2. Deploy UltraVNC to a Test Computer (Create your desired network-wide configuration profile and associated .ini file)
  3. Configure UltraVNC Firewall using Group Policy
    1. Create your Group Policy and define your UltraVNC Firewall Rules
    2. Refresh the Group Policy Settings on the Test PC
  4. (Optional Step) Modify the UltraVNC Install file(s) to Hide Desktop Shortcuts
  5. Create your UltraVNC Deployment Group Policy with WMI Filters to differentiate 32-Bit and 64-Bit Installations
    1. Create WMI Filters to differentiate the Group Policy required for 32-Bit and 64-Bit Computers
    2. Create your UltraVNC Deployment Organisational Unit
    3. Create your UltraVNC Group Policies for 32-Bit and 64-Bit using your WMI Filters

1. Download the latest (or Most Stable) Ultra VNC Install File(s)

Download the latest Ultra VNC install files (.MSI version!) from http://www.uvnc.com/. (At the time of writing, Oct 2013, I downloaded version 1.1.9.3.)

If you plan to deploy to both 32-Bit (x86) and 64-Bit (x64) computers, you will need to download both MSI install files, i.e.:-

  • UltraVnc_1193_x86.msi
  • UltraVnc_1193_X64.msi
Save these programs to a storage location that is accessible (with read access!) to client computers on the network. You can use an existing mapped network drive location, but due to group policy restrictions, the full network location reference will need to be used, i.e.:-
\\YourServerName\CompanyDrive\Software\GroupPolicyDeploy\UltraVNC\UltraVnc_1193_x86.msi

2. Deploy UltraVNC to a Test Computer (Create your desired network-wide configuration profile and associated .ini file)

Now you have downloaded the required UltraVNC MSI install file(s), you will need to install the UltraVNC software to your Local Machine and a Test computer (both domain members)  in order to create your desired working UltraVNC configuration profile that will, eventually, be deployed to all your target computers via Group Policy.

You can choose to install the viewer only on the local machine and the server just on the client PC if you wish. I installed both components on the local and test pc.
Stick with the default Install options for Install Service and Allow Software Ctrl+alt+del
Stick with the default install location, in this example on a 32-Bit machine with the 32bit MSI install it will be:
C:\Program Files\uvnc bvba\UltraVnc\


Once the installation has been completed, configure the test computer's server configuration by opening the Start Menu and selecting UltraVNC Server Settings.
For my environment, I configured as follows:-
On the Network tab:-
  • Un-tick Allow Loopback connections
On the Security tab:-
  • Enter a random VNC Password (ensure it is fairly complex to help keep your systems secure). Note: in my configuration I will not be using this - I am looking to use my domain username and password.
  • Tick the Require MS Logon (User/Password/Domain) option
  • Tick the New MS Logon (Support multiple domains)
  • Hit configure MS Logon Groups and add your domain user(s) who require permission to connect to your VNC clients (i.e Your domain account!).


On the Input/File Transfer tab:-
  • Untick the Disable Viewers inputs option
Make no change to the Connections tab
On the Screen Capture tab you can improve your general remote VNC session experience by:-
  • Tick Capture Alpha-Blending
  • Tick Remove Aero while connected
  • Tick Remove Wallpaper while connected
Make no change to the Misc/Logging tab

Hit OK to apply these settings. Note, you will need to restart the uvnc_service before these new settings are applied to the test PC. You can either restart the service using Services.msc, or run the following in PowerShell or Command Prompt (both need to be run as Administrator):
net stop uvnc_service
net start uvnc_service


Depending on your environment, at this point you will probably find that you cannot connect to your client PC yet, as you still need to configure the firewall. The next step explains how to roll out the required firewall rules across the network.

Now you have configured UltraVNC, you can copy the configuration file from the Test PC located at:-
C:\Program Files\uvnc bvba\UltraVnc\ultravnc.ini
...to a subfolder on the server
\\YourServerName\CompanyDrive\Software\GroupPolicyDeploy\UltraVNC\ConfigINI\ultravnc.ini
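
Before publishing that file as the network-wide master, it is worth confirming it really carries the security options chosen above. The following is an added example, not part of the original article: it parses an ultravnc.ini and compares the [admin] values for Require MS Logon, New MS Logon and Allow Loopback against what step 2 selected. The key names MSLogonRequired, NewMSLogon and AllowLoopback are assumptions to confirm against the file your own install writes, and the embedded sample ini is constructed.

```powershell
# Added example, not from the original article. Runs on PowerShell 2.0 (Windows 7).
# Expected [admin] values for the options ticked in step 2. The key names are an
# assumption: confirm them against the ultravnc.ini written by your own install.
$Expected = @{ MSLogonRequired = '1'; NewMSLogon = '1'; AllowLoopback = '0' }

# Constructed sample, used only when no file path is passed to the script.
$SampleIni = @'
[ultravnc]
passwd=<placeholder>
[admin]
MSLogonRequired=1
NewMSLogon=0
AllowLoopback=0
path=C:\Program Files\uvnc bvba\UltraVnc
'@

function ConvertFrom-IniText([string[]]$Lines) {
    # Returns @{ section = @{ key = value } }; skips blank lines and ';' comments.
    $ini = @{}; $section = ''
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $section = $matches[1]
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
        }
        elseif ($section -and $line -match '^([^;=][^=]*)=(.*)$') {
            $ini[$section][$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    $ini
}

function Test-UltraVncIni([string[]]$Lines, [hashtable]$Expected) {
    $ini = ConvertFrom-IniText $Lines
    $admin = @{}
    if ($ini.ContainsKey('admin')) { $admin = $ini['admin'] }
    foreach ($key in $Expected.Keys) {
        $actual = '(missing)'
        if ($admin.ContainsKey($key)) { $actual = $admin[$key] }
        $result = 'OK'
        if ($actual -ne $Expected[$key]) { $result = 'MISMATCH' }
        New-Object PSObject -Property @{
            Key = $key; Expected = $Expected[$key]; Actual = $actual; Result = $result
        }
    }
}

# Usage: .\Test-UltraVncIni.ps1 "C:\Program Files\uvnc bvba\UltraVnc\ultravnc.ini"
$lines = $SampleIni -split "`r?`n"
if ($args.Count -gt 0) { $lines = Get-Content -LiteralPath $args[0] }
Test-UltraVncIni $lines $Expected | Format-Table Key, Expected, Actual, Result -AutoSize
```

With the constructed sample, NewMSLogon is reported as a MISMATCH; the same script can be pointed at a client's copy later to see whether an end user has changed the settings.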

3. Configure UltraVNC Firewall using Group Policy

In my environment, Windows Small Business Server 2008, I was unable to disable my Domain level firewall in order to connect to the test PC. This was due to a SBS2008 default Group policy [Windows SBS Client Policy] which set the domain level firewall to always on. This particular rule could not be over-ridden even when logged in with an admin level account on the test pc (a good thing!) unless I removed the rule.

To allow my local machine to connect to the test laptop (and all the other client PCs when the software is deployed) I created a single group policy for computers with two firewall rules to:-
  1. Open up all TCP ports for the C:\Program Files\uvnc bvba\UltraVnc\winvnc.exe (VNC Service) restricting access to my Local Machine's IP address (192.168.1.100) within the domain.
  2. Open up all UDP ports for the C:\Program Files\uvnc bvba\UltraVnc\winvnc.exe (VNC Service) restricting access only to my Local Machine's IP address (192.168.1.100) within the domain.
NOTE: This guide will be using the 32-Bit MSI on 32-Bit machines, and the 64-Bit MSI on 64-Bit machines, so the above program exception will always be C:\Program Files\uvnc bvba\UltraVnc\winvnc.exe not C:\Program Files (x86)\...

If you know the exact TCP or UDP ports in use, I would be interested in listing them specifically to improve security, but for now the above rules should do, since the VNC Service will only accept connections from the specified domain user accounts and IP addresses (within the domain).

3.1 - Create your Group Policy to define your UltraVNC Firewall Rules

Under Group Policy management, create a new Group Policy Object in the Organisational unit containing the computers you wish to deploy UltraVNC to.
Provide a name:
Name: UltraVNC Service GP - Firewall Inbound Rules
...and do not use a starter template.

Once you have created the GPO, update the Security Filtering from Authenticated Users to Domain Computers.


Now edit the Group Policy template by right clicking and selecting edit:-


Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules and then create a new rule.

Select Rule Type Custom

Set Program to be
%PROGRAMFILES%\uvnc bvba\UltraVnc\winvnc.exe

Select Protocol to be TCP(All)
Since I have a fixed IP address on my network and to lock down VNC connections as much as possible, I want to specify that my Local Machine (e.g IP: 192.168.1.100) is the only IP allowed to connect in. Therefore, under the Scope option for Remote IP addresses, select These IP addresses radio button and click Add, entering your local computer's fixed IP.
On the Action step, leave the default Allow the Connection option selected

Under the Profile, I selected the firewall rule to apply to the Domain only (untick Private and Public).
Provide a name and description for your rule
Name: Custom UltraVNC Server TCP
Description: Custom UltraVNC incoming firewall rule allowing all TCP traffic from my local PC for access to the %PROGRAMFILES%\uvnc bvba\UltraVnc\winvnc.exe program across the domain.

Once you have created the above TCP rule, do exactly the same thing again, but set the Protocol to be UDP. You should then have two firewall rules:-


Now that the firewall rules have been configured via group policy, you can close the Group Policy Management Editor window.

3.2 - Refresh the Group Policy Settings on the Test PC

Back on the Test PC (assuming your Test PC is within the Organisational Unit scope), you should now be able to pick up these new firewall settings by issuing the Group Policy Update command:
gpupdate
This can be run either from PowerShell or a DOS window.


At this point you should now be able to connect to your Test PC from your Local Machine by running the UltraVNC Viewer program from the Start Menu.
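
To confirm on the Test PC that the two rules arrived scoped as intended, the following added example (not part of the original article) parses the firewall rules that Group Policy writes to the registry and flags any active inbound allow rule for winvnc.exe that is not limited to the viewer's IP address and the Domain profile. The registry key and the pipe-delimited field names (App, RA4, Profile, LPort) are assumptions about how Windows stores policy firewall rules, and the sample rule strings are constructed.

```powershell
# Added example, not from the original article. Runs on PowerShell 2.0 (Windows 7).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'  # assumed location
$Viewer    = '192.168.1.100'   # the support PC's fixed IP, as used in step 3

# Constructed sample rule strings, used only when the policy key is not present.
$App = '%ProgramFiles%\uvnc bvba\UltraVnc\winvnc.exe'
$SampleRules = @(
    "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|RA4=$Viewer|App=$App|Name=Custom UltraVNC Server TCP|",
    "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|RA4=$Viewer|App=$App|Name=Custom UltraVNC Server UDP|",
    "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=$App|Name=Constructed unscoped rule|"
)

function ConvertFrom-FirewallRuleString([string]$Rule) {
    # Split key=value tokens on '|'; repeated keys (RA4, Profile) become arrays.
    $fields = @{}
    foreach ($token in ($Rule -split '\|')) {
        $i = $token.IndexOf('=')
        if ($i -lt 1) { continue }     # version prefix and empty trailing token
        $name = $token.Substring(0, $i); $value = $token.Substring($i + 1)
        if ($fields.ContainsKey($name)) { $fields[$name] += $value } else { $fields[$name] = @($value) }
    }
    $fields
}

function Test-VncFirewallRule([string]$Rule, [string]$AllowedViewer) {
    $f = ConvertFrom-FirewallRuleString $Rule
    # Only active inbound allow rules for winvnc.exe are in scope.
    if ("$($f['App'])" -notlike '*\winvnc.exe' -or "$($f['Action'])" -ne 'Allow' -or
        "$($f['Dir'])" -ne 'In' -or "$($f['Active'])" -ne 'TRUE') { return }
    $findings = @()
    if ($f.ContainsKey('RA4')) {
        foreach ($ra in $f['RA4']) { if ($ra -ne $AllowedViewer) { $findings += "unexpected remote address $ra" } }
    } else { $findings += 'no remote address restriction' }
    if ($f.ContainsKey('Profile')) {
        foreach ($p in $f['Profile']) { if ($p -ne 'Domain') { $findings += "enabled on $p profile" } }
    } else { $findings += 'enabled on all profiles' }
    $ports = 'all'
    if ($f.ContainsKey('LPort')) { $ports = $f['LPort'] -join ',' }
    $status = 'OK'
    if ($findings.Count -gt 0) { $status = 'REVIEW' }
    New-Object PSObject -Property @{
        Rule = "$($f['Name'])"; Ports = $ports; Status = $status; Findings = ($findings -join '; ')
    }
}

# Use the live policy rules when the key exists, otherwise the constructed samples.
$rules = $SampleRules
if (Test-Path $PolicyKey) {
    $key = Get-Item $PolicyKey
    $rules = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}
$rules | ForEach-Object { Test-VncFirewallRule $_ $Viewer } |
    Format-Table Rule, Ports, Status, Findings -AutoSize
```

With the constructed samples, the two rules built in step 3.1 report OK with Ports shown as all, and the third rule is marked REVIEW because it has neither a remote address nor a profile restriction.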

4. (Optional Step) Modify the UltraVNC Install file(s) to Hide Desktop Shortcuts

To prevent UltraVNC's shortcut icons being displayed to end users of the Group Policy roll out, we can edit the installation file to remove its Windows shortcut entries. This can be achieved using the Microsoft software development tool, 'Orca'.

The Orca installation file (Orca.msi) is available in Microsoft Windows Software Development Kit (SDK) - you can also find it elsewhere by searching the web for Orca.msi, but I would recommend downloading from the official source to ensure you do not encounter any nasty surprises (viruses). Once you have downloaded the Windows SDK install file, proceed through the setup process:-

I stuck with the SDK's default installation path of:-
C:\Program Files\Microsoft SDKs\Windows\v7.0

The setup process will try to install many other programs that you may not want, so at the bare minimum, to obtain the Orca program, you can de-select all the installation options and just tick the option for Win32 Development Tools (under Developer Tools > Windows Development Tools).


Once the SDK has been installed, you should be able to find the Orca.MSI installer in the following location:-
C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\Orca.Msi

Run the Orca.msi installer and complete the setup process.

Before we edit the downloaded UltraVNC.msi file(s), I would recommend copying the original, unedited UltraVNC install file(s) for future reference and backup purposes. These could go in a sub-folder (\Orig) in the same network accessible location referred to in step 1:
\\YourServerName\CompanyDrive\Software\GroupPolicyDeploy\UltraVNC\Orig\UltraVnc_1193_x86.msi

Now Orca has been installed and the UltraVNC MSI install files have been backed up, open the Orca program from under the Start Menu.

From Orca's File Menu, select Open and locate the UltraVNC msi file you previously downloaded.

Once opened, you will need to locate the Shortcut table from the menu on the left in the Orca program. Whilst holding CTRL, select each of the Shortcut table properties and ensure they are highlighted blue. Then from the file menu, select Tables > Drop Row(s):


The table properties that were highlighted blue should then disappear. You can now save the updated UltraVNC MSI installer using the file menu File > Save option.

5. Create your UltraVNC Deployment Group Policy with WMI Filters to differentiate 32-Bit and 64-Bit Installations

Because my network consists of both 32-Bit and 64-Bit client PCs within the same Organisational Unit, and I want to use the corresponding MSI installer for each, I will deploy UltraVNC using two separate Group Policies, each with a software installation reference to one of the UltraVNC MSI files. These Group Policies will require a WMI filter applied to ensure 32-Bit systems install the 32-Bit MSI and 64-Bit systems install the 64-Bit MSI. By doing this, we also ensure the program path specified in the firewall group policy (step 3.1) remains correct, as 64-Bit machines will not be installing the 32-Bit MSI, which would result in the installation directory being C:\Program Files (x86).

5.1 - Create WMI Filters to differentiate the Group Policy required for 32-Bit and 64-Bit Computers

Under Group Policy Management, browse into your Local Domain and select WMI Filters. Right Click and select New to create a new WMI filter for your 32-Bit Computers:-

Set the Name and Description fields to something appropriate:-
Name: Custom_32-Bit Computers
Description: Custom WMI filter to identify 32 bit computers
Click the Add button to create the Query to identify 32-Bit machines:-
Namespace (left as default!): root\CIMv2
Query: SELECT AddressWidth FROM Win32_Processor WHERE AddressWidth ='32'

Hit OK and then Save your new WMI Filter.

Repeat the same process in order to create a 64 Bit WMI filter, but instead for the name, description and query values, change 32 to be 64 e.g:-
Name: Custom_64-Bit Computers
Description: Custom WMI filter to identify 64 bit computers
Query: SELECT AddressWidth FROM Win32_Processor WHERE AddressWidth ='64'

You should now have two WMI filters ready to use:-

5.2 - Create your UltraVNC Deployment Organisational Unit

In this step I will create a new Organisational Unit for deploying UltraVNC. By completing this step and the next, we should simply be able to drop computers into this folder to have UltraVNC deployed to them when they next boot up.

On the server, create a new Organisational Unit in Group Policy Management by right clicking the OU that contains your current computers (For me, in SBS2008 this is 'Computers\SBSComputers' but you may need to refer to Active Directory if different) and selecting New Organisational Unit

Provide a name:
UltraVNCDeployment

5.3 - Create your UltraVNC Group Policies for 32-Bit and 64-Bit using your WMI Filters

In Group Policy Management, create a Group Policy by right clicking the newly created UltraVNCDeployment Organisational Unit and selecting Create a GPO in this domain, and link it here....



Enter the new Group Policy Object name:
UltraVNCDeploymen32-Bit


Change the Security Filtering from Authenticated Users to Domain Computers and set the WMI filter from <none> to the Custom_32-Bit Computers filter that was created in step 5.1.

Right click the UltraVNCDeploymen32-Bit Group Policy that was just created and hit edit

Browse to Computer Configuration > Policies > Software Settings > Software installation and create a new package by right clicking and selecting New > Package

Browse to your downloaded (and Orca-edited!) UltraVNC MSI file using the UNC file path previously mentioned in Step 1 (this must be accessible to all your client PCs within the OU)
e.g:
\\YourServerName\CompanyDrive\Software\GroupPolicyDeploy\UltraVNC\UltraVnc_1193_x86.msi

Select the Assigned option

The next step is to add the UltraVNC configuration file. Still in Group Policy Management Editor, Browse to Computer Configuration > Preferences > Windows Settings > Files and right click and select New.


Under the New File Properties window that opens up, on the General tab, set the following options:
Action: Replace
Source File(s): {UNC location of the ultravnc.ini used at the end of step 2} e.g. \\YourServerName\CompanyDrive\Software\GroupPolicyDeploy\UltraVNC\ConfigINI\ultravnc.ini
Destination File: %ProgramFilesDir%\uvnc bvba\UltraVnc\ultravnc.ini
Attributes: Leave Archived ticked (default).
Then hit OK.
Now, under Computer Configuration > Preferences > Windows Settings > Ini Files, right click and Select New > Ini File
On the New Ini File Properties window, set the following options:-
Action: Replace
File Path: %ProgramFilesDir%\uvnc bvba\UltraVnc\ultravnc.ini
Section Name: admin
Property Name: path
Property Value: %ProgramFilesDir%\uvnc bvba\UltraVnc
Then hit OK.

The next step is to import the registry settings from the Test PC. This will pull in the permitted domain logon accounts that we specified in step 2. You will need to ensure the Test PC is switched on and accessible to the server over the network. Browse to Computer Configuration > Preferences > Windows Settings > Registry and then right click New > Registry Wizard

Now select to get the registry data from another computer and specify the name of your Test PC and then hit next.

Browse to the following registry directory:-
HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\
...and then tick the ACL registry key and hit Finish

Rename the Registry entry from Registry Wizard Values to something like:-
UltraVNC ACL

Then browse into the entry UltraVNC ACL/HKEY_LOCAL_MACHINE/Software/ORL/WinVNC3, right click it, select Properties and change the ACL Action Property from Update to Replace


To enable Windows 7+ computers to accept CTRL+ALT+Del logon command from UltraVNC, browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options > Disable or enable software Secure Attention Sequence in Group Policy editor. Select Enable and specify Services within the drop down.

Then hit OK.

To help ensure the UltraVNC software is deployed by group policy, it is worth configuring the following settings to add a delay on the log on screen allowing time for the software to be installed.

Under Computer Configuration > Policies > Administrative Templates > System > Group Policy, enable the Startup policy processing wait time and set the amount of time to wait in seconds to 60.
Under Computer Configuration > Policies > Administrative Templates > System > Logon, set the Always wait for the network at computer startup and logon option to enabled.

Hit OK and then close the Group Policy Management Editor.

You will now have to repeat all of step 5.3 for 64-Bit computers. This will involve creating a Group Policy Object called UltraVNCDeploymen64-Bit using the 64-Bit WMI filter and specifying the 64-Bit MSI file instead of the 32-Bit one.

Summary

Once you have completed the above, dropping computers in Active Directory to the UltraVNCDeployment Organisational Unit should force those machines to install UltraVNC, adopting the settings configured above. You might find that you have to run GPUPDATE on the machines to get the latest group policy settings before rebooting the clients to trigger the install. Once installed, you should be able to take these computers out of the UltraVNCDeployment group and put them back to where they belong. This will help reduce the login delay caused by the group policy settings. You might also want to alter the above configuration so machines taken out of the Deployment folder still have the UltraVNC config file forced out to them in case end users try and change the settings.

If you have any feedback, questions or improvement suggestions about the above article, please use the message board below and I will try and get back to you.
