HP BLADESYSTEM BC1500 CCI Design & Implementation Guide

CCI Design & Implementation Guide
for a 100 Blade Deployment
Introduction
Scope
Server Roles Overview
Active Directory – Group Policy
  Policy Application
  Remote Connection
    Policy Function: Allow remote connection to the blade
  Computer Environment
    Policy Function: Prevent System Restore functionality
  User Environment
    Policy Function: Redirects Specific Folder Locations To Alternate Network Location
    Policy Function: Turn Off Offline Files
    Policy Function: Remove Access to Windows Update
    Policy Function: Remove Access to Local Hard Drives
    Policy Function: Prevent Unauthorized Application Installation / Upgrades
    Policy Function: Start Menu Lockdown
    Policy Function: Roaming User Profile Management
  Troubleshooting
Blade Image
  Blade image checklist
    ROM Version
    Operating System (OS)
    Blade PC Drivers
    Remote Connection
    System Restore
    Local Policy
    Local Security Policy
    Required Services
    Required Services and Processes - Dynamic SAM Environment
    Unnecessary Services
    Optional CCI Utilities
    Optional Tweaks
    Installed Software
  References
Networking
  Server and Blade Infrastructure
  Static IP Address Assignment Summary
  IP Subnet Summary
  Network Service Requirements
  Interface IP Infrastructure
    DHCP Scope Infrastructure
  HP PC Blade Enclosure Infrastructure
    Ethernet Wiring Map
    Interface IP Infrastructure
    Considerations
Session Allocation Manager (SAM)
    Client login
    HP SAM Client
    HP SAM Blade Service
  Using the HP SAM software in CCI
    Creating an account
    Administrative rights
    Licensing
  Administrative tasks with HP SAM Web Server
  Connecting with the PC Session Allocation Client
  Connecting with the Internet Explorer Client
    Considerations for the IE client
  Defining the HP SAM Registration Service Configuration File
Thin Clients
Appendix
  CCI user environment considerations
  Recommended image capture and creation process
  SAM terms
Introduction
This document provides a sample end-to-end Design and Implementation Guide for a 100 Blade Deployment. It is assumed that you have been through the HP CCI training classes and understand the fundamental principles of CCI. It is further expected that you are very familiar with the design principles of Active Directory and knowledgeable about the Altiris management system: Deployment Server or HP’s Rapid Deployment Pack.
All the suggestions contained herein are based on the current CCI product available at the time of this writing. In the future, as the solution or its components change, the suggestions and recommendations in this document may need to be updated to take advantage of new features or updated learnings from the field. Therefore, please ensure that you are working with the latest revision of this document.
Scope
The scope of this guide is limited to the deployment of 100 blades into a single datacenter with a basic Active Directory environment. While there are many different configuration and deployment options for Active Directory, this paper will focus on just a single implementation configuration. This is NOT to say that the recommendations within this paper will fit every customer, which is why you will need to be able to adjust this design to meet your customer’s needs. The following is a list of the main items that will be covered in this document.
• Server Configuration Recommendation
• Active Directory GPO Recommendations
• Network Recommendations
• Blade Image
Server Roles Overview
Within this guide the hardware server models have been identified as DL385 servers. This is the hardware platform that was chosen for this implementation; however, this is not to say that this is the only server hardware allowed for the CCI solution. You are able to adjust the server hardware as needed to best fit your customer's needs; however, it is recommended that you use the specifications listed below as a starting point. Servers in this implementation will perform the following operations: Domain Controller (not PDC but a member server), HP/Altiris Remote Deployment (RDP), Session Allocation Manager (SAM) (Primary) and Session Allocation Manager (failover). This server will also contain the Microsoft SQL database which will be used by SAM and RDP. It is assumed that the current environment will have an existing Active Directory that will be leveraged for this CCI implementation. Figure 1 contains a high-level overview of the servers and their functions:
Figure 1. (Diagram: Logical View and Physical View of the HP ProLiant DL385 servers. Labels recoverable from the figure:)
• Server Roles: User Profile Storage, User Data Storage. Drive Configuration: (Drives 2 – 5) RAID 5
• Server Role: RDP Image Volume. Drive Configuration: (Drives 2 – 5) RAID 5
• Server Role: Domain Controller (Member Server). Base Operating System: Windows Server 2003 R2, Enterprise Edition. Drive Configuration: Drives 0, 1 - RAID 1 (Mirrored)
• Server Role: RDP. Base Operating System: Windows Server 2003 R2, Enterprise Edition. Drive Configuration: Drives 0, 1 - RAID 1 (Mirrored)
• Server Roles: SAM 1. Base Operating System: Windows Server 2003 R2, Enterprise Edition. Drive Configuration: RAID 1 (Mirrored)
• Server Roles: SAM 2 (failover), SQL. Base Operating System: Windows Server 2003 R2, Enterprise Edition. Drive Configuration: RAID 1 (Mirrored)
Active Directory – Group Policy
NOTE:
For more detailed information about Group Policy functionality, please see the white paper "Policy Implementation / Recommendation Guide for the HP Consolidated Client Infrastructure" (HP Part Number 379971-003).
The following policies are required for proper operation of the CCI environment and are strongly recommended. Before putting these policies in place, it is essential for the domain administrator to examine the current policies to ensure there are no settings that conflict with each other. Failure to do so could result in real problems not only for CCI users but also for other users in the domain. The policies listed below are not the only policies available to the CCI environment; rather, they are the minimum policies needed to create a dynamic CCI infrastructure.
Best Practice:
• In the CCI environment, create at least 2 OUs: one to include all the blade PC systems and at least one for users. This allows for tighter control of Group Policy and is easier to manage.
• When naming GPOs, be as descriptive as possible. The name of the GPO should make it as easy as possible to identify what the GPO is applied to, e.g. a policy that applies to the Sales group should be named “Sales” or “Sales Department Policy”.
• Use OUs rather than permission restrictions to control who receives which policy. For example, a policy for an administrator would need to be more relaxed than one for a general user. Instead of using one policy and trying to filter who it is applied to, create 2 OUs, create one policy per OU and apply each policy to its respective OU.
• Once a GPO is deleted, Windows will no longer apply it under any circumstances. Therefore, a GPO must never be deleted until it is certain that it is not used anywhere else. Best practice is to disable the link to the applicable OU, site or domain, especially if the GPO applies to other Active Directory Containers.
• To keep a handle on Group Policy complexity, minimize the use of settings such as No Override and Block Policy Inheritance, and customize GPO ACLs (Access Control Lists) only when absolutely necessary. To keep it simple, use the options visible on the GPO Properties, GP tab.
Policy Application
The policies described above must be linked to the appropriate OU. Below is a diagram indicating where the policies should be linked:
Figure 2. Policy Placement
(Diagram labels: Domain; CCI Blades; CCI User Groups; Human Resources (HR); IT; Marketing.)
CCI Blades, Policies Applied:
• Allow Remote Connection to the Blade
• Prevent System Restore Functionality
All policies applied to the CCI Blades OU will automatically be inherited by any child OU below it in the directory tree.
CCI User Groups, Policies Applied:
• Folder Redirection
• Turn off Offline Files
• Remove Access to Windows Update
• Remove Access to Local Hard Drives
• Prevent Unauthorized Application Installation / Upgrade
• Start Menu lockdown
• Roaming User Profile Management
All policies applied to the CCI User Groups OU will automatically be inherited by any child OU below it in the directory tree.
Remote Connection
Policy Function: Allow remote connection to the blade
Overview
These settings remove all control from the Remote Tab in the System Properties and open the appropriate ports for a remote connection.
Setting 1: Allow Remote Connection Using Terminal Services
This setting prevents any users, including Administrators, from clearing the “Allow users to connect remotely to this computer” box, ensuring remote access cannot be turned off:
Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Allow users to connect remotely using Terminal Services – Enabled.
Setting 2: Allow Remote Desktop Connection
This setting allows incoming RDP traffic on port 3389, but only from the specified addresses or subnets. When set, no users, including Administrators, can change the scope or close the port:
Computer Configuration > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Allow Remote Desktop exception – Enabled. (IP address or subnet that the incoming requests are coming from, such as 172.16.1.0/24).
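The scope restriction in Setting 2 is only as tight as the string entered in the policy. The following is an added example, not part of the HP guide, that audits a scope string against the subnets a design approves for access devices. The function names, the approved-subnet list and the sample scope strings are assumptions constructed for illustration; the parser accepts the comma-separated address, subnet, `*` and `LocalSubnet` entries that the Windows Firewall scope field takes.

```python
import ipaddress


def parse_scope(scope):
    """Split a Windows Firewall scope string into (networks, keywords, bad_tokens)."""
    networks, keywords, bad = [], [], []
    for raw in scope.split(","):
        token = raw.strip()
        if not token:
            continue
        if token == "*" or token.lower() == "localsubnet":
            keywords.append(token.lower())
            continue
        try:
            # Accepts 172.16.1.0/24, 172.16.1.0/255.255.255.0 and single hosts.
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            bad.append(token)
    return networks, keywords, bad


def _within(inner, outer):
    """True when network `inner` lies entirely inside network `outer`."""
    return inner.version == outer.version and inner.subnet_of(outer)


def audit_rdp_scope(scope, approved):
    """Return a list of (finding, value) tuples; an empty list means the scope
    matches the approved access-device subnets (hypothetical design input)."""
    approved_nets = [ipaddress.ip_network(a) for a in approved]
    networks, keywords, bad = parse_scope(scope)
    findings = []
    if "*" in keywords:
        # Port 3389 is reachable from any address the network path allows.
        findings.append(("any-source", "*"))
    if "localsubnet" in keywords:
        # Depends on where each blade sits, so it needs a manual review.
        findings.append(("review-localsubnet", "localsubnet"))
    for token in bad:
        findings.append(("unparsed", token))
    for net in networks:
        # Entry is wider than, or outside of, everything the design approves.
        if not any(_within(net, a) for a in approved_nets):
            findings.append(("outside-approved", str(net)))
    if "*" not in keywords:
        for a in approved_nets:
            # Approved clients that no single scope entry covers cannot connect.
            if not any(_within(a, net) for net in networks):
                findings.append(("not-covered", str(a)))
    return findings


def client_allowed(scope, client_ip):
    """Would a connection from client_ip match the exception's scope?"""
    networks, keywords, _ = parse_scope(scope)
    if "*" in keywords:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)


if __name__ == "__main__":
    approved = ["172.16.1.0/24"]          # subnet used as the example on the page
    for scope in ("172.16.1.0/24",        # constructed sample scope strings
                  "172.16.0.0/16",
                  "172.16.1.0/24,10.0.0.0/8",
                  "*"):
        print(f"{scope!r:32} -> {audit_rdp_scope(scope, approved) or 'OK'}")
```
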
Note that by default, only Administrators are allowed remote access to the blade PC. Therefore, to set permissions to allow other users that same right, use either of the following methods:
At this point, enter the individual users or user security groups that you want to give access permissions to (such as ccidomain\jsmith, ccidomain\cciusers).
NOTE:
The benefit of the previous method is that you can add specific users. However, maintaining individual user lists can significantly increase administrative overhead. Wherever possible, security groups should be used.
To assign permissions to groups, navigate as follows:
Computer Configuration > Windows Settings > Security Settings > Restricted Groups
Right-click on the Restricted Groups icon and select Add Group…. Once selected, these groups can be added to various built-in groups. Using the Add… button next to the This group is a member of box, add the groups to the appropriate built-in group. For most users, this would be “Remote Desktop Users”.
Computer Environment
Policy Function: Prevent System Restore functionality
Overview
In a highly-managed environment such as a dynamic CCI implementation, System Restore has limited value, and allowing users to perform this action could create problems. As there is no personal data on the blade, administrators can simply restore the blade to the original image using Altiris or other image management solution. The use of System Restore in a static CCI implementation should be determined by business rules and network administrators. This set of policies replaces the System Restore tab in System Properties.
Setting 1: Turn Off System Restore
This setting turns off the System Restore function:
Computer Configuration > Administrative Templates > System > System Restore > Turn off System Restore – Enabled.
Setting 2: Turn Off Creation of System Restore Checkpoints
By default, Windows XP creates System Restore Points when applications are installed. The following policy setting turns off this function:
Computer Configuration > Administrative Templates > Windows Components > Windows Installer > Turn off creation of System Restore Checkpoints – Enabled.
Setting 3: System Restore Service
Even if the System Restore Service is already turned off, disabling the service removes any memory overhead that may still be used, even in the idle state.
Computer Configuration > Windows Settings > Security Settings > System Services > System Restore Service – Disabled.
NOTE:
This setting requires a system reboot.
User Environment
Policy Function: Redirects Specific Folder Locations To Alternate Network Location
Overview
In CCI architecture, folders holding user application data, desktop data, documents, and start menu data can be redirected to a Network Attached Storage (NAS) array.
NOTE:
Although common applications such as Microsoft Office support redirection, some applications do not. Therefore, testing this basic functionality with all applications to be used in the CCI environment is imperative.
Redirection saves space on the blade PC and allows users to access their information and programs from any access device and blade PC. Redirection is imperative in a dynamic CCI implementation, but optional in a static environment, where the blade PC is dedicated to a single user.
The four folders that can be redirected are found in the User node of Group Policy, as shown in Figure 3 below:
Figure 3. Group Policy window
To set the appropriate policy settings, perform the following steps:
1. Navigate to the appropriate folder using one or more of the navigational strings:
Setting 1, User Applications:
User Configuration > Windows Settings > Folder Redirection > Application Data
Setting 2, User Desktop:
User Configuration > Windows Settings > Folder Redirection > Desktop
Setting 3, User Documents:
User Configuration > Windows Settings > Folder Redirection > My Documents
Setting 4, User Start Menu:
User Configuration > Windows Settings > Folder Redirection > Start menu
2. Right-click on the folder to redirect. Selecting Properties from the drop-down menu for the My Documents folder (setting 3) will open the window shown in Figure 4.
Figure 4. My Documents Properties window
3. The path is entered as a Fully Qualified Domain Name (FQDN). As an example, to redirect My Documents, the path structure would appear as follows:
\\(Share Name)\(Parent Data Folder)\%USERNAME%\My Documents
Windows Server 2003 fills in the last two parts automatically, so all that needs to be entered is the Share Name and Parent Data Folder (e.g. \\CCINAS\UserData\), and Windows will fill in the rest of the FQDN.
4. To control folder security and User Data movement, click the Settings tab. The settings window for the My Documents folder appears as shown in Figure 5.
Figure 5. My Documents Properties window
Checking Grant the user exclusive rights for My Documents sets folder permissions so that ONLY the user set in the Root Path has access to the My Documents folder. No one else, including administrators, is able to access the folder.
Checking Move the contents of My Documents to the new location will, on the next boot, move the contents of My Documents on the machine the user logged into (if they are stored locally) into the folder determined by the Root Path under the Target tab.
The Policy Removal section determines what happens if and when the policy is removed.
The My Pictures Preferences section determines whether or not the My Pictures folder moves with the My Documents folder.
5. When finished, click OK.
Policy Function: Turn Off Offline Files
Overview
These policy settings affect the availability of offline files. These policy settings replace the Offline files tab in Windows Explorer.
Setting 1: Allow or Disallow use of the Offline files
The following setting turns off the Offline files function:
Computer Configuration > Administrative Templates > Network > Offline Files > Allow or Disallow use of the Offline Files feature – Disabled.
Setting 2: Remove “Make available Offline” feature
Enabling this setting removes the availability of offline files:
Computer Configuration > Administrative Templates > Network > Offline Files > Remove 'Make Available Offline' – Enabled.
Setting 3: Prevent use of Offline files folder
Enabling this setting inhibits the use of offline files:
Computer Configuration > Administrative Templates > Network > Offline Files > Prevent use of offline files folder – Enabled.
Setting 4: Turn off Reminder Balloons
Enabling this setting removes the use of reminder balloons:
Computer Configuration > Administrative Templates > Network > Offline Files > Turn off reminder balloons – Enabled.
Setting 5: Redirected Folder Offline Availability
The system automatically makes redirected folders contained in Group Policy available offline, regardless of the existing Offline Files policy (settings 1-4). Enabling this setting prevents this action.
Computer Configuration > Administrative Templates > Network > Offline Files > Do not automatically make redirected folders available offline – Enabled.
NOTE:
Offline folder synchronization takes up large amounts of network bandwidth, thereby slowing response times for other users. Unless absolutely necessary based on business need, folder synchronization should be avoided.
Policy Function: Remove Access to Windows Update
Overview
These policy settings affect Windows Update operation. One of the keys in the CCI environment is uniformity, that is, all blade PCs are the same. This ensures consistent performance. Allowing users to update machines at their own discretion may result in various problems such as program incompatibility, version conflicts, etc. Locking this function out secures uniform blade PC functionality.
These settings replace functions provided by the Automatic Updates tab in System Properties, and the Windows Update menu items in the Start Menu in Windows Explorer.
Setting 1: Remove Access to Use All Windows Update Features
This setting inhibits access to the Windows Update features.
User Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features – Enabled
Setting 2: Windows Automatic Updates
This setting enables automatic Windows Updates.
User Configuration > Administrative Templates > Windows Components > Windows Update > Windows Automatic Updates – Enabled
Setting 3: Remove Links and Access To Windows Update
This setting inhibits access to Windows Update. While settings 1 and 2 disable Windows Update functions, this setting removes all links from the Start menu and taskbar areas so that the option is not even presented to the user.
User Configuration > Administrative Templates > Windows Components > Windows Update > Remove links and access to Windows Update – Enabled
Setting 4: Automatic Updates
Although the function of Automatic Updates has already been disabled, turning this service off has the added benefit of removing any memory overhead being used when the service is idle.
User Configuration > Administrative Templates > Windows Components > Windows Update > Automatic updates – Disabled
Policy Function: Remove Access to Local Hard Drives
Overview
These policy settings work together and are appropriate for most installations since all necessary user-accessible information will be redirected to a network share. If business rules require the user to access the local hard drive (that is, a static configuration), these two policy settings must be disabled.
Setting 1: Hide Specified Drives in My Computer
This setting removes the drive icons from Windows Explorer.
User Configuration > Administrative Templates > Windows Components > Windows Explorer > Hide these specified drives in My Computer – Enabled; Restrict C drive only
Setting 2: Prevent Access to Drives from My Computer
This setting inhibits user access to the drives.
User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent access to drives from My Computer – Enabled; Restrict C drive only
Policy Function: Prevent Unauthorized Application Installation / Upgrades
Overview
These settings turn off most of the automatic updates that are related to various applications in Windows XP. This ensures that all applications will maintain the same version, reducing the possibility of problems that may arise from incompatibility or other issues.
Setting 1: Disable Automatic Install of IE Components
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Disable Automatic Install of Internet Explorer components – Enabled
Setting 2: Disable Periodic Check for IE Software Updates
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Disable Periodic Check for Internet Explorer software updates – Enabled
Setting 3: Disable Windows Installer
Computer Configuration > Administrative Templates > Windows Components > Windows Installer > Disable Windows Installer – Enabled; for non-managed apps only
Setting 4: Prohibit Rollback
Computer Configuration > Administrative Templates > Windows Components > Windows Installer > Prohibit rollback – Enabled
Setting 5: Prohibit User Installs
Computer Configuration > Administrative Templates > Windows Components > Windows Installer > Prohibit User Installs – Enabled; Prohibit User Installs
Setting 6: Prevent Automatic Updates
This setting prevents automatic updates from occurring for Windows Media Player.
Computer Configuration > Administrative Templates > Windows Components > Media Player > Prevent Automatic Updates – Enabled
Setting 7: Prevent Codec Download
This setting prevents a codec download from occurring for Windows Media Player.
User Configuration > Administrative Templates > Windows Components > Windows Media Player > Playback > Prevent Codec Download – Enabled
Setting 8: Remove Add or Remove Programs
This setting completely removes the ability to access the Add/Remove Programs page.
User Configuration > Administrative Templates > Control Panel > Add or Remove Programs > Remove Add or Remove Programs – Enabled
Policy Function: Start Menu Lockdown
Overview
These settings control user accessibility aspects of the Start menu.
Setting 1: Add Logoff to the Start Menu
User Configuration > Administrative Templates > Start Menu and Taskbar > Add Logoff to the Start Menu – Enabled
Setting 2: Remove and prevent access to the Shut Down command
Unless specifically required by infrastructure/business rules, the user should never be able to shut down the blade PC, since shutting it down removes the hardware resource and prevents others from using it (in addition to forcing someone to physically power the blade PC on). This setting also removes the ability of the user to restart the blade, another ability the user does not require.
User Configuration > Administrative Templates > Start Menu and Taskbar > Remove and prevent access to the Shut Down command – Enabled
Setting 3: Remove Windows Security item from Start menu
This removes the ability of the user to lock, restart, or shutdown the blade, which in the CCI environment are functions reserved for the system administrator. The user is still able to lock their access device and screen saver timeouts are be affected by this setting.
User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Windows Security item from Start menu – Enabled
Setting 4: Remove Balloon Tips From Start Menu
User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Balloon tips from Start Menu – Enabled
Setting 5: Remove Run menu from Start menu
This setting requires a good deal of consideration. Allowing the user to use the Run box opens the possibility of opening a DOS box, which could allow the user to bypass the local drive lock down by mapping the local drive. Removing the Run menu prevents the user from trying to bypass any application lockdowns by running through a command line. This setting also disables the Windows + R key combination.
User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu from Start menu – Enabled
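The drive restrictions under "Remove Access to Local Hard Drives" and the Run-menu setting above depend on each other, so it is worth checking them together on a logged-on user's policy hive. The following is an added example, not part of the HP guide: it parses a constructed `.reg` export and reports gaps. The registry value names (`NoDrives`, `NoViewOnDrive`, `NoRun`, `NoClose`) do not appear on the page; they are the values these Explorer and Start Menu policies write, and the function names and sample data are assumptions.

```python
import re
import string

# Key where the Explorer / Start Menu user policies above store their values.
EXPLORER_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                r"\CurrentVersion\Policies\Explorer")

# Constructed sample export: drive C hidden and blocked, Shut Down removed,
# but the Run menu policy is missing. (A real `reg export` file is UTF-16 and
# must be decoded before it is passed in.)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:00000004
"NoViewOnDrive"=dword:00000004
"NoClose"=dword:00000001
'''


def parse_reg_dwords(text):
    """Return {key_path_lowercased: {value_name: int}} for dword values."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = result.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return result


def drives_from_mask(mask):
    """Decode the drive bitmask: bit 0 = A, bit 1 = B, bit 2 = C ... bit 25 = Z."""
    return {string.ascii_uppercase[i] for i in range(26) if (mask >> i) & 1}


def mask_from_drives(letters):
    """Encode drive letters into the bitmask ("C" only gives 4)."""
    return sum(1 << (ord(l.upper()) - ord("A")) for l in set(letters))


def audit_user_lockdown(reg_text, restricted=("C",)):
    """Compare the exported user policy with the design (C drive only)."""
    values = parse_reg_dwords(reg_text).get(EXPLORER_KEY.lower(), {})
    want = {l.upper() for l in restricted}
    hidden = drives_from_mask(values.get("NoDrives", 0))
    blocked = drives_from_mask(values.get("NoViewOnDrive", 0))
    findings = []
    for d in sorted(want - hidden):
        findings.append(f"drive {d}: icon not hidden (NoDrives)")
    for d in sorted(want - blocked):
        # Hiding the icon alone does not prevent access to the drive.
        findings.append(f"drive {d}: access not prevented (NoViewOnDrive)")
    for d in sorted((hidden | blocked) - want):
        findings.append(f"drive {d}: restricted but not in the design")
    if blocked and values.get("NoRun", 0) != 1:
        # The page's concern: the Run box offers a way around the drive lockdown.
        findings.append(
            "Run menu still available while drive access is restricted (NoRun)")
    if values.get("NoClose", 0) != 1:
        findings.append("Shut Down command not removed (NoClose)")
    return findings


if __name__ == "__main__":
    for finding in audit_user_lockdown(SAMPLE_REG) or ["no findings"]:
        print(finding)
```
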
Policy Function: Roaming User Profile Management
Overview
These settings control user accessibility aspects of the Start menu.
Setting 1: Exclude directories in roaming profile
By default, the folders listed below are included in each user's profile, whether it is roaming or not. As the users' installed applications and documents grow, so does the profile. This results in large amounts of data being transferred at logon, which could extend the logon time by quite a few minutes. When any of the folders below are redirected, there is no longer any need to keep them in the user profile; they can be excluded, thereby reducing the size of the user profile.