Deploying ThreatLocker in a VDI environment

3 min. read | last update: 12.27.2023

Note: For organizations deploying to a large number of endpoints, ThreatLocker recommends a staggered deployment. Deploying to many endpoints at once can cause a spike in bandwidth usage as the Windows Core and application definitions are downloaded to each endpoint. QoS can be used to limit bandwidth to corecdn.threatlocker.com and apps.threatlocker.com.

ThreatLocker identifies computers by two registry keys, ComputerId and ComputerAuthKey, which are created when an endpoint first checks in to the portal. Any two machines that share these values are treated as the same computer.

For those who use VDIs within their organization, the three VDI configuration scenarios below describe the procedure to follow for each. If your environment does not match any of them, reach out to a Cyber Hero for additional assistance.

ThreatLocker recommends keeping your Golden Image up to date. If software in the image undergoes a major update, update the Golden Image so that the ThreatLocker Apps.db in the image contains the latest definitions. The Golden Image should also be updated with each ThreatLocker Agent version update. A good rule of thumb is to update it once a month.

Scenario One: A Completely Autonomous and Independent Virtual Desktop

This scenario is treated as any other desktop. ThreatLocker should be deployed as usual and saved onto the Golden Image.

Scenario Two: Non-Persistent Virtual Desktop (Using a Golden Image that Spins a New VDI Each Time it Boots Up)

ThreatLocker should be deployed as usual and saved onto the Golden Image. Administrators should snapshot the Golden Image after policies have been deployed and files have been updated.

Because every desktop spun up from the image carries the same ComputerId and ComputerAuthKey, the Computers page will display only one computer. The Unified Audit will still show the actual computer name of each virtual desktop.

Scenario Three: Persistent Virtual Desktop (Using a Golden Image that has a VDI that Stays with the User and Does Not Reset Back)

ThreatLocker should be deployed as usual and saved onto the Golden Image.

Once everything has downloaded and the Golden Image has been saved, the ComputerId, ComputerAuthKey, and pk.dat file must be deleted from the Golden Image so that each persistent desktop cloned from it checks in and is registered as its own computer.

Steps to Delete the ComputerId, ComputerAuthKey, and pk.dat File

  • Disable Tamper Protection (for instructions, refer to our article, Disabling Tamper Protection)
  • Open Command Prompt as an Administrator
  • Type "net stop HealthTLService" and press Enter to stop the Health Service (this must be done before you attempt to stop the ThreatLocker Service, because the Health Service restarts the ThreatLocker Service if it finds it stopped)
  • Type "net stop threatlockerservice" and press Enter to stop the ThreatLocker Service
  • Delete the ComputerId and the ComputerAuthKey from the registry of the image
  • Delete pk.dat from C:\Program Files\ThreatLocker
  • Leave the ThreatLocker Service and Health Service stopped
    • They will start when the VDI boots up, and the agent will check in and create a new ComputerId and ComputerAuthKey for that desktop.
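The same procedure as a PowerShell script, added here as an illustration and not a ThreatLocker-supplied tool. It stops the two services in the required order, confirms the ThreatLocker Service has not been revived before touching the identity, removes the registry values and pk.dat, and verifies the result while leaving the services stopped. The article does not state where in the registry ComputerId and ComputerAuthKey live; the `$RegistryPath` default of `HKLM:\SOFTWARE\ThreatLocker` is an assumption and must be confirmed on your image before use. Tamper Protection must already be disabled, which this script cannot do for you.

```powershell
#Requires -RunAsAdministrator
# Added example (not ThreatLocker's own script): strip the per-machine identity from a
# persistent-VDI Golden Image after the agent has finished downloading its definitions.
# Run only AFTER Tamper Protection has been disabled in the portal; with it enabled the
# services cannot be stopped and the deletions will fail.
#
# ASSUMPTION: the article does not give the registry path of ComputerId/ComputerAuthKey.
# HKLM:\SOFTWARE\ThreatLocker is a placeholder; confirm the real location on your image.
param(
    [string]$RegistryPath = 'HKLM:\SOFTWARE\ThreatLocker',   # assumption, see above
    [string]$InstallDir   = 'C:\Program Files\ThreatLocker'  # path given in the article
)

$ErrorActionPreference = 'Stop'

function Stop-ServiceAndConfirm {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { throw "Service '$Name' not found; is the agent installed on this image?" }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    Write-Host "$Name is $((Get-Service -Name $Name).Status)"
}

# 1. Health Service first: it restarts the main service if that one is stopped first.
Stop-ServiceAndConfirm -Name 'HealthTLService'
# 2. Main agent service.
Stop-ServiceAndConfirm -Name 'ThreatLockerService'

# 3. Make sure nothing brought the main service back before the identity is removed.
Start-Sleep -Seconds 5
if ((Get-Service -Name 'ThreatLockerService').Status -ne 'Stopped') {
    throw 'ThreatLockerService restarted; Tamper Protection is probably still enabled.'
}

# 4. Remove the identity values. A missing value is a warning, not an error, so the
#    script can be re-run safely; but a warning usually means $RegistryPath is wrong.
foreach ($value in 'ComputerId', 'ComputerAuthKey') {
    if (Get-ItemProperty -Path $RegistryPath -Name $value -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $RegistryPath -Name $value
        Write-Host "Removed $RegistryPath\$value"
    } else {
        Write-Warning "$value not present under $RegistryPath (wrong path, or already removed?)"
    }
}

# 5. Remove pk.dat from the install directory.
$pk = Join-Path $InstallDir 'pk.dat'
if (Test-Path $pk) { Remove-Item -Path $pk -Force; Write-Host "Removed $pk" }
else { Write-Warning "$pk not found" }

# 6. Final check: identity gone, services still stopped. Do NOT start them here; each
#    clone starts them at boot and checks in to the portal as a new computer.
$leftover = 'ComputerId', 'ComputerAuthKey' |
    Where-Object { Get-ItemProperty -Path $RegistryPath -Name $_ -ErrorAction SilentlyContinue }
if ($leftover -or (Test-Path $pk)) {
    throw "Identity still present: $($leftover -join ', ') $(if (Test-Path $pk) { $pk })"
}
'HealthTLService', 'ThreatLockerService' | ForEach-Object {
    '{0}: {1}' -f $_, (Get-Service -Name $_).Status
}
Write-Host 'Image is ready to snapshot.'
```

The script refuses to continue if the ThreatLocker Service comes back after the Health Service was stopped, which is the usual symptom of Tamper Protection still being on. Snapshot the image immediately after it reports ready; if the image is booted again before the snapshot, the agent will check in and recreate the identity.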

Once you have deleted the ComputerId, ComputerAuthKey, and pk.dat file, snapshot your Golden Image before it is booted again.

These steps must be repeated each time the Golden Image is booted and reimaged, because the agent checks in on boot and recreates the ComputerId and ComputerAuthKey.

Note: This scenario should not be used if the VDI will be reset back to the Golden Image; use Scenario Two for non-persistent desktops.