Repurpose PCs with Windows ThinPC

Many companies nowadays take advantage of some sort of VDI type solutions. In some cases where all of the users applications are made available within this environment, there is no need for providing them with a fully loaded desktop or notebook hence the reason why companies are considering the use of Thin Clients. In the long run the use of real thin clients definitely makes sense, not only are they usually cheaper than normal desktops but also do they consume less power and require less management. However a valid option for transitioning into thin client computing can be to repurpose existing desktops.

Enterprises that have a Software Assurance (SA) contract with Microsoft can use Windows ThinPC a locked down version of Windows 7 to repurpose existing desktops as thin clients. In fact Windows ThinPC is really another Windows 7 SKU but builds on Windows Embedded Standard 7. Windows ThinPC runs on any hardware that is capable of running Windows 7. Existing PCs with a minimum processor of 1GHz, 1 GB RAM and 16 GB are perfect candidates for running ThinPC.

More details about Windows ThinPC are described in the FAQ that can be downloaded from here

Now let’s get to the fun part. As I got a number of requests recently about repurposing existing PCs as a thin client, I have created a basic automated ThinPC deployment using MDT 2012 that transforms an existing PC into a thin client kiosk just to get an idea of how this all works.

Required Software

To setup the ThinPC deployment you will need the following:

• Windows ThinPC installation sources. You can download these from Microsoft Volume Licensing portal for via MSDN or TechNet if you have a subscription there.
• Microsoft Deployment Toolkit (MDT) 2012 Update 1
  http://www.microsoft.com/en-us/download/details.aspx?id=25175
• ThinKiosk from Andrew Morgan
  http://andrewmorgan.ie/thinkiosk/
• Microsoft Security Compliance Manager (we use need the LocalGPO tool that’s included in there) http://www.microsoft.com/en-us/download/details.aspx?id=16776
• Citrix Receiver http://receiver.citrix.com/
• Enhanced Write Filter Management Tool for Windows ThinPC
  http://www.microsoft.com/en-us/download/details.aspx?id=27884 and KB2539566
  http://www.microsoft.com/en-us/download/details.aspx?id=27882

Development Environment

I created the entire build on a client running Windows 8 x64 Enterprise with Hyper-V enabled. MDT 2012 including the ADK are also installed on the same client.

 

 

Step 1 – Setup the MDT Deployment Share

First setup the MDT Share for Windows ThinPC and import the ThinPC operating system sources.

Then prepare the bootstrap.ini as shown below.

[Settings]

Priority=Default

 

[Default]

;DeployRoot=\\LAB-ALVE01\WIN7TPC$

DeployRoot=\\AVWIN8-01\Win7TPC$

UserID=BuildUser

UserDomain=AVWIN8-01

UserPassword=BuildUser123

KeyboardLocale=en-US

SkipBDDWelcome=YES

 

Then prepare the customsettings.ini as shown below.

[Settings]

Priority=Default

Properties=DriversApplied

 

[Default]

_SMSTSOrgName=Anything About IT

 

DriversApplied=NO

OSInstall=Y

SkipCapture=YES

SkipAdminPassword=YES

AdminPassword=P@ssWord

SkipProductKey=YES

SkipComputerBackup=YES

SkipBitLocker=YES

ApplyGPOPack=NO

SkipUserData=YES

SkipDomainMembership=YES

SkipComputerName=YES

SkipSummary=YES

SkipFinalSummary=YES

FinishAction=RESTART

SkipLocaleSelection=YES

KeyboardLocale=en-US

UserLocale=en-US

SkipTimeZone=Yes

TimeZoneName=W. Europe Standard Time

 

SkipTaskSequence=YES

TaskSequenceID=001

ComputerName=TPC#Right(“%SERIALNUMBER%”,10)#

 

Then open the unattend.xml and add the creation of an additional local user called “User” with password “User”. Then set the ProtectYourPC value to 3 to disable Windows Update.

Then import any security updates and functional updates for Windows Embedded/ThinPC into MDT.

And finally create the boot media.

Once the boot media wizard has completed you should have the LiteTouchPE_x86.iso located in the deployment share’s boot folder.

Step 2 – Create the Task Sequence

Create a new Task Sequence based on the New Client Template.

 

 

 

Within the standard task sequence I have added / customized the following:

1. Disabled the default Inject Drivers Task and replaced it with the Driver Management method described here by the Admin Nexus. If you’re only deploying into Hyper-V for now, you can ignore this step.
2. The Install Applications Task installs an Application Bundle I describe in more detail below.
3. A task that creates a scheduled task that enables Autologon
4. A task that enables the Enhanced Write Filter

I suggest that before adding these custom tasks, just launch the installation by booting a VM from the LiteTouchPE_x86.iso to ensure a default install works.

Step 3 – Injecting Drivers

Depending on to how many different hardware platforms you are going to deploy ThinPC you can either just import all drivers directly into MDT and let MDT find out what’s best or use a more enhanced approach as described here. Since we are using the x86 version of Windows Embedded you must download the appropriate x86 drivers for the appropriate hardware models.

Step 4 – The ThinPC Application Bundle

Within the Application bundle I have included the following Software / scripts.

Within the Application Bundle details I have enabled the setting to reboot the computer once completed.

The Citrix Receiver Application contains the CitrixReceiver.exe and a script called install_citrix_receiver.cmd that has the following content:

set CommandLineOptions=/silent /noreboot SERVER_LOCATION=”demo.citrixcloud.net”

CitrixReceiver.exe %CommandLineOptions%

The ThinKiosk Application contains the Kiosk-installer.msi, kiosk.cab and a script called install_thinkiosk.cmd that has the following content:

msiexec /i Kiosk-Installer.msi /qb

The Microsoft Enhanced Write Filter Management Tool application contains the EWFMgmtToolInstall_x86.msi package. The Quiet install command used is:

msiexec.exe /i “EWFMgmtToolInstall_x86.msi” /qb REBOOT=”ReallySuppress”

The Local non-Administrators GPO application contains a GPO Pack I’ve previously created and is installed with the following quiet install command:

cscript.exe “GPOPack.wsf” /MLGPO:Non-Administrators

 

The content of the GPO Pack is as shown below.

 

The local GPO pack I’ve created contains a number of settings to lock down the client, the most important however is the policy that replaces the default explorer shell with ThinKiosk.

Then there are a few ThinKiosk specific GPO settings such as the web interface URL to launch when starting ThinKiosk and the unlock password.

A detailed listing of all applied local GPO setting can be found at the end of this post. If you haven’t used the LocalGPO Tool yet, then watch out for the upcoming blog post I have planned for this.

The ThinPC customization Application contains a script called TPC_Customizations.cmd that applies some further customizations.

cscript.exe trustedsites.vbs

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

netsh advfirewall firewall add rule name=”All ICMP V4″ dir=in action=allow protocol=icmpv4

netsh advfirewall firewall set rule group=”remote administration” new enable=yes

netsh advfirewall firewall set rule group=”remote desktop” new enable=Yes

exit

The trustedsites.vbs contains the code to add demo.citrixcloud.net to the trusted sites.

‘ set trusted site at machine level

 

 

Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = “.”

Set objReg=GetObject(“winmgmts:\\” & strComputer & “\root\default:StdRegProv”)

strKeyPath = “Software\Microsoft\Windows\CurrentVersion\Internet Settings\” _

& “ZoneMap\Domains\demo.citrixcloud.net”

objReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath

strValueName = “http”

dwValue = 2

objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue

Code source: Microsoft Scripting Guys.

Step 5 – Enable Autologon via Scheduled Task

At the end of the deployment we want the ThinPC to logon automatically with a user called “User” and then directly launch ThinKiosk. Because the MDT cleanup task removes the Autologon keys, I had to find a way how to enable the Autologon settings “after” MDT finishes. I decided to use a scheduled task that is executed at the next system startup and then deletes itself.

The content of the application is as following:

 

The SetAutologon application executes the script settask.cmd. The script first copies the setautologon.cmd and setautologon.xml to the local drive into c:\Widnows and then creates the scheduled task that will execute setautologon.cmd upon the next system startup.

xcopy setautologon.cmd c:\windows /y

xcopy setautologon.xml c:\windows /y

schtasks.exe /create /TN SetAutologon /XML c:\Windows\setautologon.xml

exit

The content of setautologon.xml is as following

<?xml version=”1.0″ encoding=”UTF-16″?>

<Task version=”1.3″ xmlns=”http://schemas.microsoft.com/windows/2004/02/mit/task”>

<RegistrationInfo>

<Date>2012-12-04T21:51:37.278125</Date>

<Author>TPC60-4436-70\Administrator</Author>

<Description>Set Autologon</Description>

</RegistrationInfo>

<Triggers>

<BootTrigger>

<Enabled>true</Enabled>

</BootTrigger>

</Triggers>

<Principals>

<Principal id=”Author”>

<UserId>S-1-5-18</UserId>

<RunLevel>LeastPrivilege</RunLevel>

</Principal>

</Principals>

<Settings>

<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>

<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>

<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>

<AllowHardTerminate>true</AllowHardTerminate>

<StartWhenAvailable>false</StartWhenAvailable>

<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>

<IdleSettings>

<StopOnIdleEnd>true</StopOnIdleEnd>

<RestartOnIdle>false</RestartOnIdle>

</IdleSettings>

<AllowStartOnDemand>true</AllowStartOnDemand>

<Enabled>true</Enabled>

<Hidden>false</Hidden>

<RunOnlyIfIdle>false</RunOnlyIfIdle>

<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>

<UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>

<WakeToRun>false</WakeToRun>

<ExecutionTimeLimit>P3D</ExecutionTimeLimit>

<Priority>7</Priority>

</Settings>

<Actions Context=”Author”>

<Exec>

<Command>C:\Windows\system32\cmd.exe</Command>

<Arguments>/C C:\Windows\setautologon.cmd</Arguments>

</Exec>

</Actions>

</Task>

And finally the script that is executed at the next system startup is called setautologon.cmd and has the following content:

REG DELETE “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” /v AutoLogonCount /f

REG ADD “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” /v AutoAdminLogon /t REG_SZ /d “1” /f

REG ADD “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” /v DefaultUserName /t REG_SZ /d “User” /f

REG ADD “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” /v DefaultPassword /t REG_SZ /d “User” /f

REG ADD “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” /v DefaultDomainName /t REG_SZ /d “.” /f

REG ADD “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked” /ve /t REG_SZ /d 1 /f

 

C:\Windows\System32\schtasks.exe /Delete /TN SetAutologon /F

C:\Windows\System32\ewfmgr.exe c: -commit

ping localhost -n 5

shutdown -r -t 5

When the scheduled task has completed the system will restart and then automatically logon.

Step 6 – Enable the Write Filter

As a last step of the Task Sequence we are going to enable the write filter.

The Enable Write Filter Application runs the script called enable_writefilter.cmd that has the following content.

:: +——————————————————————–+

:: Enable Write Filter

:: Update BCD to suppress Boot errors caused by enabling the write filter

:: +——————————————————————–+

ewfmgr.exe c: -enable

ping -n 20 localhost

bcdedit /set {current} bootstatuspolicy ignoreallfailures

ping -n 20 localhost

ewfmgr.exe c: -commit

ping -n 20 localhost

exit

Once this task is completed, MDT will end the Task Sequence and because we have set the FinishAction property to RESTART within the customsettings.ini, the client will reboot and then execute the Scheduled Task to enable the Autologon.

The repurposed PC

Below a screenshot of the repurposed PC, using ThinKiosk and configured to directly launch the public Citrix demo environment.

 

You see, reusing existing PCs as a thin client isn’t that hard. I hope this blog post gave you some ideas, any comments are welcome.

The below report shows all the local GPO settings included In the local GPO pack that is applied to “Non-Administrators” only.

User Configuration

Policies

Administrative Templates

Policy definitions (ADMX files) retrieved from the local machine.

Desktop

Start Menu and Taskbar

System

System/Ctrl+Alt+Del Options

ThinKiosk Settings

Windows Components/Windows Mail

Windows Components/Windows Update