Remote Shadow Prompt

After some research, as you probably know, VNC requests through port 5900 are what cause the remote shadow prompt. Whether it’s a legitimate request or some other software on the server (I believe the requests are coming from the server), information sent to port 5900 TCP will trigger it.

Since we are running Windows Server 2003 on these few check-in clients, and under the assumption that they are only prompted when they have a session on the server, we were thinking that blocking inbound connections to TCP 5900 in the Windows Firewall would prevent the clients from receiving any activity on 5900 as long as they are connected to the server (which is the only time they would receive the remote shadow prompt).

However, we are not experts at thin clients; it could be the case that the TCP 5900 connections are managed by the Wyse thin OS and even blocking within Windows cannot block 5900 from the thin OS.

The issue is that it happens to the thin clients one at a time; it doesn’t happen to all of the thin clients at the same time, which is weird.
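
One way to check where the TCP 5900 traffic comes from and which client it reaches, as an added example that is not part of the original post: a small Python parser for the Windows Firewall log that tallies TCP 5900 entries by source, destination and action. It assumes logging of dropped packets is enabled on the clients; the sample log lines and addresses are constructed, and the function name `vnc_sources` is hypothetical.

```python
from collections import Counter

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
# All addresses, ports and timestamps below are made up for illustration.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2010-03-02 09:14:01 DROP TCP 192.0.2.10 192.0.2.51 3391 5900 48 S 1234 0 65535 - - -
2010-03-02 09:14:04 DROP TCP 192.0.2.10 192.0.2.51 3391 5900 48 S 1234 0 65535 - - -
2010-03-02 09:20:17 OPEN TCP 192.0.2.51 192.0.2.10 1045 3389 - - - - - - - -
2010-03-02 09:31:45 DROP TCP 192.0.2.10 192.0.2.52 3402 5900 48 S 5678 0 65535 - - -
2010-03-02 09:40:00 DROP UDP 192.0.2.77 192.0.2.51 137 137 78 - - - - - - -
"""


def vnc_sources(log_text, port=5900):
    """Count log entries aimed at TCP `port`, keyed by (src-ip, dst-ip, action)."""
    fields = []
    hits = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column names come from the log header, so column order is not hard-coded.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue  # skip truncated lines
        row = dict(zip(fields, parts))
        if row["protocol"] == "TCP" and row["dst-port"] == str(port):
            hits[(row["src-ip"], row["dst-ip"], row["action"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dst, action), count in vnc_sources(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst}:5900 {action} x{count}")
```

The log only records traffic that reaches the Windows Firewall, so an empty result on a client that still shows the prompt points away from Windows as the place where the connection is handled.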