The end goal is to install the PolicyPak Cloud (PPC) Client in a non-registered state on the Gold image, then unregister the PPC client on any provisioned VDIs at shutdown before re-provisioning. Below is an example using VMware Horizon 7, though the same process should work for other VDI Solutions as well.
- Boot up the Gold Image VM to the OS screen and login with an account that has local Administrator privileges.
- Create a folder called “PPC Client” under the root of the C: drive on the Gold Image VM.
-
Download the required PolicyPak Cloud Client MSI package (version 20.5.2449.838 or higher) to the Gold Image Desktop, and save it under the “C:\PPC Client” folder on the Gold Image VM.
PolicyPak Cloud Client version 20.5.2449.838 and higher can be found within your PPC Portal on the following page https://cloud.policypak.com/ManageCustomer/UserList under the “Downloads” section, by clicking on the “Download other versions” link at the bottom of the page.
-
On the Gold Image VM while logged in as a local administrator, install the PolicyPak Cloud Client MSI that you copied under “C:\PPC Client”, (double-click MSI to install, etc.)
If you would like all VDIs created from this Master Image to automatically join one or more computer groups you should install the PPC Client using the command line instead, for example:
msiexec /i "PolicyPak Cloud Client for[Customer name].msi" JOINTOKEN="AZAEllLPLTY9XKUA3CYO+ths="
The JOINTOKEN value is specific to each environment, the value used above is provided as an example only. For more information on using JOINTOKEN to automatically assign computers to computer groups in PPC please see this video KB: https://kb.policypak.com/kb/article/911-policypak-cloud-automatically-join-groups-with-jointoken/
-
Next, create an empty text file named “logoff.bat” under the same folder where we saved the PPC Client MSI earlier (“C:\PPC Client”). Edit logoff.bat using notepad and add the line below:
PPCloud /sysprep
Notes:
a) If using JOINTOKEN then you must also specify the JOINTOKEN value for the PPCloud /sysprep command above.
For example: PPCloud /sysprep /jointoken:AZAEllLPLTY9XKUA3CYO+ths=
b) When testing using Logoff, remember to restart the “PolicyPak Cloud Client” service to have it register with the PPC portal again if needed.
c) PPCLOUD /SYSPREP requires local administrator rights, you will need to use PolicyPak Least Privilege Manager to also create a rule to allow PPCloud /SYSPREP to run elevated if the user logging off is not an Administrator of the computer. If you need help with creating this LPM policy please contact support.
More Information:
The “ppcloud /sysprep” switch was intended to be used on the golden image. It can be used only after the PPCloud Client is installed. There's no need to use the full path, and you can run ppcloud /sysprep from the Command Prompt, or PowerShell. It unregisters the computer (no record on PPC portal, no license consumed, etc.), removes all the policies, and stops the “PolicyPak Cloud Client” service. The machine will be registered with the PolicyPak Cloud portal after a REBOOT (i.e. after the image is deployed as a VDI). You can use it regardless of whether Microsoft's sysprep tool is involved or not.
-
Next, run “GPEDIT.MSC” and add an entry under User Configuration > Windows Settings > Scripts (Logon/Logoff) under “Logoff” that points to the logoff.bat file you previously created, then click “OK” to save the settings.
-
Next, shutdown the Gold Image VM.
-
Take a snapshot to be used for new VDIs, then import your updated Gold Image into your VDI solution (update the Desktop Pool settings to use the new snapshot etc.).
-
Next, deploy two VDIs, then check in your PPC portal to ensure the newly created VDIs are registered successfully and have different Unique IDs. The VDIs by default will show up in the “ALL” computer group. Take note of the Unique IDs for these VDIs (screenshot etc.), use the “Columns” button to change which columns are visible so you can see the Unique ID column.
-
Next, log into both VDIs using the VMware Horizon Client, wait for the OS to load completely, then logoff or shutdown both VDIs. Within the PPC portal you should see the two machines disappear almost immediately when the logoff task runs on each machine.
-
Next, wait for the two VDIs to be deleted and re-provisioned, then check in your PPC portal to see if both of the VDIs received new Unique IDs, if they did then the process was successful.
-
If instead you see duplicate machine names similar to the screenshot below then the process failed. Revisit the steps above to see if anything was missed. If after verifying all steps you find that this process still did not work for you please contact support for further assistance.