Tuesday, 12 November 2013

Citrix, Windows 7 Thin PC, Thin kiosk and Wireless limitations

We have decided to go with a XenApp model with predominantly wireless devices. The challenge is how to get Windows 7 Embedded, write-filtered, non-domain-joined devices to connect to a wireless network and work smoothly. Our solution was to provision an open wireless network and present only a pair of DNS servers and a Citrix VPX cluster into the wireless network. This is effectively an internet-style DMZ network that allows our internal wireless and BYOD machines to all connect in the same manner.

Thinkiosk is a great free product from Andrew Morgan that provides a locked down environment for launching VDI. As part of our adoption of Xenapp we wanted to modify our existing Windows 7 Thin PC image to support Thinkiosk in wired and wireless configurations.

Thinkiosk works great in wired deployments, but there are some limitations with wireless. If you are using Thinkiosk in an auto login, non-domain joined scenario, Thinkiosk launches very quickly, often before the wireless connection has initialized.



Making Thinkiosk work smoothly with wireless

To get around the existing limitations we have created a VBScript that waits for the Thinkiosk URL to become available before launching Thinkiosk. If a connection isn't established after 24 seconds, the wireless control panel applet is launched. If a connection to the URL still can't be established after 60 seconds, Thinkiosk is launched regardless.

You can modify these thresholds and URLs very easily at the top of the script.

The script is available from my pastebin here.

To launch the script on logon, simply replace your Windows shell with cscript and the script path as per below:
reg add "HKEY_local_machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v shell /t reg_sz /d "cscript c:\windows\thinkiosklauncher.vbs" /f



Supporting wireless persistence with write filters

The other major limitation with wireless and Windows 7 Embedded is retaining wireless configurations when write filters are enabled. Write filters do a great job of keeping devices consistent and lowering support effort, but they can also be restrictive when local changes need to persist.

We want users to take the devices home and connect in the same manner as they would if they were on site. We have configured split-brain DNS so the Citrix URL is accessible both internally and externally. For this to work smoothly our users need to be able to connect to their home wireless networks and the settings need to be remembered. Could you imagine typing in your uber secure 64 character WPA key every time you turn the device on? Yuck, no thanks.

We have determined the following exclusions need to be added to support wireless persistence on write filter enabled machines.
File: c:\programdata\microsoft\wlansvc\profiles
Registry: HKLM\software\microsoft\windows nt\currentversion\networklist\profiles
Registry: HKLM\software\microsoft\wlansvc\interfaces
Adding the above exclusions in conjunction with Thinkiosk wireless support gives your users the ability to connect to and remember wireless networks on their thin client. Depending on the write filter method you are using you may need a different command, but for file-based write filters you can add the file exclusion as per below.

fbwfmgr /addexclusion c: "\programdata\microsoft\wlansvc\profiles"

The registry settings are a little more involved; we suggest reading the following blog to get some more insight on how that's achieved: http://geekswithblogs.net/WallabyFan/archive/2008/12/24/everything-you-wanted-to-know-about-fbwf-but-were-afraid.aspx

Thinkiosk wireless client support can be enabled with the following registry key.

reg add "HKEY_local_machine\Software\THINKIOSK" /v ShowWifi /t reg_dword /d "1" /f

We have also added a line to the above Thinkiosk wireless launcher script to re-import our internal wireless network after each boot. This is just to ensure our users don't accidentally (or intentionally) delete our wireless network.

objShell.exec("Netsh wlan add profile filename=c:\windows\wireless-open.xml user=all")

The above wireless-open.xml configuration can be exported with the netsh wlan export profile command and then re-imported on each boot or login to ensure your network is never permanently removed.
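Putting the launcher behaviour described above (wait for the URL, open the wireless applet at 24 seconds, launch regardless at 60 seconds) together with the per-boot profile re-import, here is an added example launcher. It is not the pastebin script from this post; it is my own illustration of the same approach. The URL, the ThinKiosk executable path and the applet command are assumptions, as marked in the comments.

```vbscript
' Added example (not the author's pastebin script): a ThinKiosk launcher
' that waits for the Citrix URL, opens the wireless applet after 24 s and
' starts ThinKiosk regardless after 60 s, then re-imports the open network.
' CHECK_URL and THINKIOSK_EXE are placeholders; adjust for your environment.
Option Explicit

Const CHECK_URL        = "https://citrix.example.invalid/"          ' placeholder: your split-brain Citrix URL
Const THINKIOSK_EXE    = "C:\Program Files\ThinKiosk\ThinKiosk.exe" ' assumed install path
Const PROFILE_XML      = "c:\windows\wireless-open.xml"             ' profile exported with netsh wlan export profile
Const APPLET_AFTER_SEC = 24   ' show the wireless applet after this many seconds offline
Const GIVE_UP_SEC      = 60   ' launch ThinKiosk anyway after this many seconds
Const POLL_SEC         = 3    ' seconds between connectivity checks

Dim objShell, startedAt, appletShown
Set objShell = CreateObject("WScript.Shell")

' True once the URL answers with any HTTP status. A DNS, TCP, timeout or
' certificate failure all count as "not there yet", so a bad certificate is
' never silently accepted just to get the kiosk up.
Function UrlIsReachable(url)
    Dim http
    UrlIsReachable = False
    On Error Resume Next
    Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
    http.SetTimeouts 2000, 2000, 2000, 2000   ' resolve, connect, send, receive (ms)
    http.Open "HEAD", url, False
    http.Send
    If Err.Number = 0 Then UrlIsReachable = True
    Err.Clear
    On Error GoTo 0
End Function

' Seconds elapsed since a given timestamp (wall clock, so request timeouts count)
Function SecondsSince(t)
    SecondsSince = DateDiff("s", t, Now)
End Function

startedAt = Now
appletShown = False

Do While SecondsSince(startedAt) < GIVE_UP_SEC
    If UrlIsReachable(CHECK_URL) Then Exit Do
    If (Not appletShown) And (SecondsSince(startedAt) >= APPLET_AFTER_SEC) Then
        ' Still offline: let the user pick a network (e.g. their home SSID).
        ' Assumed applet command; on Windows 7 this opens Network and Sharing Center.
        objShell.Run "control.exe /name Microsoft.NetworkAndSharingCenter", 1, False
        appletShown = True
    End If
    WScript.Sleep POLL_SEC * 1000
Loop

' Re-import the corporate open-network profile every boot so a user who
' removed it gets it back. Run with wait=True so the profile exists before
' the kiosk starts; user=all makes it visible to every local account.
objShell.Run "netsh wlan add profile filename=""" & PROFILE_XML & """ user=all", 0, True

' Finally hand over to ThinKiosk (path quoted in case of spaces)
objShell.Run """" & THINKIOSK_EXE & """", 1, False
```

Save it as the path referenced in the Winlogon shell value (c:\windows\thinkiosklauncher.vbs in the reg add command above). Because a certificate error is treated as "unreachable", point CHECK_URL at a name whose certificate the image already trusts; otherwise the launcher will always fall through to the 60 second timeout. The elapsed time is measured with the wall clock rather than by counting sleeps, so the 2 second WinHttp timeouts do not stretch the 24 and 60 second thresholds.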