wtos 8.6_027 / can’t fully hide admin mode/bar, or effect SC removal logout

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #53473
    Avatarec
    Participant
    • Total Post: 2
    • Newbie

    Hello. New to WTOS, but have been tasked with shoring up some of this in its current 8.x incarnation from the last person who was doing this and left for another dept. We are simply using Windows Server 2019 & 2016 session hosts, with rdping to the broker/ hosts from 3040’s, and using IIS server to dish out the requisite .ini / files.

    On logon or logout (using smartcard) – seems like although we’ve managed to hide some options from users, and they logon fine – they can still get at the admin bar even though I’m pretty sure it is disabled. Some of the features are greyed out though.

    Similarly, despite setting SCRemovalBehavior = 1, smartcard removal doesn’t visibly do anything like lock the screen or log out a user. (You can see the 3040 recognizing removal & reinsertion of smartcards in the on screen System Information Event log if we watch it, however).

    I apologize in advance if I missed some simple wnos.ini setting.  Thanks for your help!

    Some of our wnos.ini –

    *************************************************************
    ;* *
    ;* This wnos.ini file was generated with the *
    ;* Configuration Generator 8.4.01 *
    ;* Copyright by Thomas Moellerbernd *
    ;* *
    ;* https://www.technicalhelp.de *
    ;* *
    ;*************************************************************

    ;*************************************************************
    ;* General 1 *
    ;*************************************************************

    autoload=2 LoadPkg=0

    ;*************************************************************
    ;* General 2 *
    ;*************************************************************

    Fastdisconnect=yes AltKey=yes
    FastDisconnectKey=F12
    Locale=English
    PlatformConfig=all EOLWarning=no

    ;*************************************************************
    ;* General 3 *
    ;*************************************************************

    Autopower=yes
    SysMode=VDI EnableLogonMainMenu=yes DisableAddConnection=yes

    ;*************************************************************
    ;* WDA *
    ;*************************************************************

    WDAService=no

    ;*************************************************************
    ;* Privilege *
    ;*************************************************************

    Privilege=Low HidePP=yes HideConnectionManager=No ShowDisplaySettings=No EnableNetworkTest=No CoreDump=Disabled DisableTerminalName=Yes DisableSerial=Yes DisableChangeDateTime=Yes
    Adminmode=no

    ShowAdmin=no

    ; Uncomment to enable admin on all terminals after reboot (probably don’t do this, assign via MAC)
    ; Adminmode=yes
    ; Privilege=High

    ;*************************************************************
    ;* Peripherals *
    ;*************************************************************

    Device=audio EnableSpeaker=no

    ;*************************************************************
    ;* Redirection *
    ;*************************************************************

    MMRConfig=video flashingHW=yes

    ;*************************************************************
    ;* Time *
    ;*************************************************************

    Timeserver= <i>our timeserver</i>
    Timeformat=”24-hour format”
    Dateformat=yyyy/mm/dd

    ;*************************************************************
    ;* Network *
    ;*************************************************************

    Device=Ethernet Speed=”Auto”
    WDMService=No Quickmode=no Discover=no
    BootpDisable=yes
    IPProto=ICMP
    WakeOnLan=yes
    ConnectionBroker=Microsoft
    Host=our fully qualified host name
    VDISmartcardLogin=yes
    SignOn=Yes EnableOK=Yes DisableGuest=yes LockTerminal=no RequireSmartcard=yes
    SCRemovalBehavior=1
    SignonStatusColor=”240 55 189″
    AddCertificate= our cert server
    AddCertificate= cert server cert
    CCMEnable=No IgnoreMQTT=yes
    DomainList=”our domain
    MaxVNCD=1 VNCD_8bits=yes VNCD_Zlib=yes
    VncPassword=”tempvncpw
    VncPrompt=No Accept=3

    ;*************************************************************
    ;* Services *
    ;*************************************************************

    Service=SNMPD disable=yes
    Service=ThinPrint disable=yes
    Service=WDM disable=yes

    ;*************************************************************
    ;* General Session *
    ;*************************************************************

    SessionConfig=ALL UnmapSerials=no Smartcards=yes MapDisks=yes DisableSound=No Fullscreen=yes
    SessionConfig=ICA HDXFlashUseFlashRemoting=always HDXFlashEnableServerSideContentFetching=enabled

    ;*************************************************************
    ;* RDP *
    ;*************************************************************

    SessionConfig=RDP EnableGFX=yes EnableVOR=no EnableRdpH264=yes USBRedirection=RDP

    #53488
    ConfGenConfGen
    Keymaster
    • Total Post: 11270
    • Jedi Master
    • ★★★★★★★

    What firmware version are you using?

    CG

    #53489
    ConfGenConfGen
    Keymaster
    • Total Post: 11270
    • Jedi Master
    • ★★★★★★★

    1. ShowAdmin=no has to be in the same line as AdminMode.
    So, in your case “Adminmode=no ShowAdmin=no”
    2. Verify that “SCRemovalBehavior=1” is also in the same line as “SignOn=yes”

    CG

    #53540
    Avatarec
    Participant
    • Total Post: 2
    • Newbie

    thanks for the help!  So, confirmed

    Adminmode=no ShowAdmin=no

    While admin options from Admin mode (where the dock is shown on the left side of the screen, along with sysinfo and shutdown) are prevented this way, the user is still able to select ‘admin mode’ at the login prompt. Is there a way to prevent that from happening? I saw that I can do so by using a username & pw for ‘admin mode’ but we don’t want that stored in the .ini file.

    Regarding smartcard removal, I’ve got it now so that removing the smartcard instantly locks the 3040 and disconnects the user from the session host, but it does not force a logoff. Seems like no matter what I set Autosignoff to (if that’s the correct parameter), it will not logoff the user on smartcard removal.

    VDISmartcardLogin=yes
    SignOn=Yes EnableOK=Yes DisableGuest=yes LockTerminal=no RequireSmartcard=yes SCRemovalBehavior=logoff Autosignoff=2

    Thanks again!

    #53557
    ConfGenConfGen
    Keymaster
    • Total Post: 11270
    • Jedi Master
    • ★★★★★★★

    You should not always add any parameters to any line. You have to follow the correct syntax.
    AutoSignOff is an independent parameter. So, do not add it to the “SignOn”-line but in a separate line.

    CG

Viewing 5 posts - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.