AD Integration Guide · 2020-05-20 · GPO setting as shown in the following screenshot: By using DirectLaunch, when the user clicks to launch Excel, the container app will launch

Document ref: VT_HAXM_v1.0_250420

© 2020, Droplet Computing Limited

AD INTEGRATION GUIDE Mass deployment of Droplet containers using AD

Active Directory Integration Guide

WWW.DROPLETCOMPUTING.COM

Droplet Computing

Application Delivery, Redefined

2


WWW.DROPLETCOMPUTING.COM Document ref: AD_Integration_v1.0_20052020


In This Document:

3




About this document

This integration guide discusses methods by which Droplet Computing software can be

distributed and configured using standard Microsoft Active Directory Group Policy

Objects (AD GPOs).

This approach can be adopted by organizations that wish to deploy Droplet

Computing software to physical PCs on their network, using centralized or distribution

software distribution points and opted against using third-party tools or additional

management software available from Microsoft such as System Center Configuration

Manager (SCCM).

Locating the source files

Droplet Computing supports two container image types. The DCI-X for legacy apps

and the DCI-M for modern apps. The DCI-M container image is accelerated by

leveraging the Intel VT instructions available on the CPU of modern Windows PCs. While

these PC’s may have Intel CPUs installed that do support this type of hardware

acceleration, it is not uncommon for the BIOS manufacturer to have, by default,

disabled this functionality.

Droplet Computing recommends that you consult with your OEM suppliers to validate if

the Intel VT feature is available on the CPU of device and to use their tools and

technologies to ensure that it is enabled in the BIOS before deployment of the

software.

Auditing tools will allow you to identify those Windows PCs that have yet to have Intel

VT enabled in their BIOS. You should also be aware that command-line tools will only

report on the chipset and its capabilities, and not whether Intel VT has been enabled in

the BIOS. The Intel Hardware Execution Manager (HAXM) check utility is one such utility

that reports on whether the CPU is Intel VT capable and not whether it is enabled.

You should ensure that you have the Microsoft Software Installer (MSI) version of the

Windows Droplet Container Application (DCA), and the MSI version of the Intel HAXM

software. If you only plan on deploying the DCI-X container image, then you do not

need to install the Intel HAXM software as this container image does not require

hardware acceleration.

The Intel HAXM MSI file can be found by running the installer for Intel HAXM and then

locating the Temp folder containing the extracted MSI file.

4




The following is the default path:

C:\Users\%username%\AppData\Local\Temp\Intel\HAXM\<VersionNumber>\<Date-Time>

In our example the Intel HAXM software can be found at this location:

C:\Users\Administrator\AppData\Local\Temp\Intel\HAXM\7.5.4\2019-12-16_14-22-06

In that folder you will find several files. The file required is the HAX64.MSI. The Droplet

Computing and HAXM MSI files can be placed on a network distributed share for

deployment via AD GPOs.

Preparing the AD environment

AD GPOs segment their settings by using a combination of Computer and User settings.

In environments where every computer will require the Droplet Computing software,

AD GPO computer settings can be used to install the container app software.

Droplet Computing software has per-user settings that prepares and controls the end

user environment. AD GPO user settings can be configured for this purpose. In

environments with a smaller subset of end users, where the end users regularly roam

from computer to computer, GPO user settings can be configured to deploy the

software as well as to configure the end user environment.

In this simple example, an OU structure was created for just the computers and users

that would be running the Droplet Computing container software as shown below:

5




In this example, two policies were created:

1. Droplet Computing Install Policy to install the software on selected computers

2. Droplet Computing Configuration Policy to configure the per user settings

This is shown in the following screenshot:

In the next section we are going to configure these new policies.

Install the DCA and Intel HAXM using Computer Settings

In this section we are going to create a new installation package by modifying the

Droplet Computing Install Policy using the Group Policy Management console,

following the steps as described:

1. Open the Group Policy Management Editor console

2. Navigate to the Software installation setting and click on it to select it as shown

in the screenshot below:

6




3. Right right-click Software installation and from the contextual menu that

appears, click on New and the select the option for Package…

4. An Open dialog box appears as shown in the following screenshot:

5. Navigate to the network share where the .MSI files have been copied to and

select the hax64-7.5.4 MSI file

6. Click Open

7. You will see the Deploy Software dialog box appear as shown in the following

screenshot:

8. Click the radio button for Assigned

9. Click OK to accept and close the dialog box

10. Repeat the process and create a new package to add the Droplet Computing

container app MSI installer file

Once you have completed the process, the Group Policy Management Editor console

will refresh and now shows both the Droplet Container App and Intel HAXM installation

software are ready to be installed as shown in the following screenshot:

7




This policy can be tested using any Windows 10 computer that is configured with its

Active Directory computer account being in the Organizational Unit that is assigned to

this GPO.

For existing Windows 10 computers it may take some time for the Group Policy to be

applied based on replication of the domain controllers. Administrators can use the

command-line tools to trigger an immediate refresh of the policy. For example:

gpupdate /force

There are several ways to validate that the software has been correctly installed. The

easiest way is to look in the Programs and Features screen to confirm that both the

Droplet Computing container app and Intel HAXM were installed on the machine on

the same date.

Configuring the Droplet Computing User Environment with User Settings

The Droplet Computing user environment can be configured using a series of small text

files together with the larger Droplet Container Image (DCI) file.

These configuration files can be found using a working Windows 10 PC environment,

and then distributed using the Files and Folders feature within the AD GPOs.

8




The following files are needed to automate the configuration of the user environment:

• apps.json – Application Tiles

• droplet.lic – License file

• settings.json – Global settings (CPU, Memory, DCI filename and path)

• credentials – Droplet Computing Administrator password

• eula_accept – File created after accepting EULA

• .droplet – Droplet Computing Image file (DCI)

The easiest way to create this configuration is to copy these files from a working

environment that closely matches the destination environment. By matches we mean

uses the same network share location for use with Active Directory policies. By default,

these files can be found in the following path:

C:\Users\%USERNAME%\AppData\Roaming\Droplet

Care must be taken with these files as they contain hard-coded paths and filenames

which must be present on the target system for them to work. For example, if the end

user’s DCI file is called DCI-M_32_V1.1-OFFICE2003-IE11.droplet and is stored on the H:

drive then this will be present in the settings.json file and there container app will be

looking for that exact filename in that exact folder location.

The DCI is a per-user file and each user will require their own personal, individual, and

unique copy. In a stateless environment were the same DCI is used this can be stored

on the C: drive of the local computer. Alternatively, if you have roaming users and wish

to customize their DCI container then it can be stored in the user’s home directory.

Administrators should confirm that the user has the correct permissions for the DCI file,

and both the file and directory have the required read/write access.

You can now configure the GPO for the user settings by following the steps described:

1. Navigate to User Configuration → Preferences → Windows Settings and then

Files.

2. Right-click Files, and select New

3. In the Action box, from the drop-down menu options, select the option for

Create

4. In the Source File(s) box, click the … button and then navigate to the first file. In

this example it’s the apps.json file

5. In the Destination File box type the path to the user’s profile for where the .json

file will be stored. This will look something like the following example:

C:\Users\%USERNAME%\AppData\Roaming\Droplet\apps.json

9




6. Finally, in the Attributes box, uncheck the Archive option as shown in the

following screenshot:

7. Now click the Common tab

8. Check the box for Run in logged-on user’s security context (user policy option).

This ensures files are copied under the context of the user to ensure their

ownership rights are preserved and prevents files being created using the

SYSTEM context which is the default behaviour.

10




9. Click OK to accept the configuration

10. Repeat the process for each of the individual files that make up the Droplet

Computing user environment including the preferred DCI image

11. Once you have completed the configuration for each file you will see the

following:

You have now configured the Droplet Computing solution to be deployed and

configured using AD Group Policy.

In the next section we are going to look at how AD GPO’s can be used to deliver

application shortcuts directly to the end users’ desktop.

DirectLaunch

Optionally, AD group policy can be used to create application shortcuts on the user’s

desktop and start menu. In this instance the app shortcut is to the Droplet Container

App which in turn launches the app using the DirectLaunch feature. Using

DirectLaunch enables the application inside the container to be launched directly

from the desktop rather than being launched from the Droplet Computing workspace

interface.

In the example below the shortcut Excel by Droplet was added to the desktop using a

GPO setting as shown in the following screenshot:

By using DirectLaunch, when the user clicks to launch Excel, the container app will

launch first, and then launch Excel. All that the end user will see is the Excel app.

To create the shortcut policy, follow the steps as described:

11




1. Create a new policy and link in to the relevant OU.

2. Now edit the policy and navigate to Computer Configuration → Preferences

→ Windows Settings → Shortcuts

3. Click to highlight Shortcuts and then right-click and from the contextual menu

that appears click on New and then select Shortcut

4. You will now see the properties box as shown in the following screenshot:

5. In the Action box, from the drop-down menu, select the option for Create

6. In the Name box, type in a name for the shortcut as you want it to appear on

the end user’s desktop. In this example we have called it Excel by Droplet

7. In the Target type box, from the drop-down menu, select File System Object and

in the Location box below, from the drop-down menu select Desktop

8. In the Target path box either browse to, or enter the path to the Droplet

Container App. In this example the app is in the default location.

9. The Arguments box is where DirectLaunch comes into play. Type in launch,

followed by the app you want to launch. In this example the app to be

launched is excel.exe.

10. In the Run box, from the drop-down menu, select how you want the app to run.

In this case it is Maximized. NOTE: this refers to the container app and not the

app inside the container. To configure the app inside the container to run

maximizes, you will need to configure this using the container app configuration.

11. Lastly, in the Icon file path, you can configure an icon that will be displayed on

the desktop. You can either type in the location to the .ico file or use the …

button and then navigate to the file you want to use.

12. Click OK to complete the configuration

12




Conclusion

AD GPOs remain a popular method for configuring physical Windows PC environments,

although in the modern era they continue to be modified and enhanced by additional

user environment management tools.

AD GPOs are universal and available to all types of organizations regardless of their size

and could be considered applicable to modern virtual desktops and application

delivery tools. Droplet Computing provides integration guides for these application

delivery technologies available online at:

https://www.dropletcomputing.com/product-guides-documentation/

86-90 Paul Street,

London,

England,

EC2A 4NE

Droplet Computing Limited

Registered in England and Wales, Company Number 10536920

WWW.DROPLETCOMPUTING.COM

https://www.dropletcomputing.com/product-guides-documentation/

https://en-gb.facebook.com/dropletcom/

https://www.linkedin.com/company/droplet-computing

https://twitter.com/dropletcom

https://www.dropletcomputing.com/contact-us/

Documents

AD Integration Guide · 2020-05-20 · GPO setting as shown in the following screenshot: By using DirectLaunch, when the user clicks to launch Excel, the container app will launch