Deploying ThreatLocker in a VDI environment
ThreatLocker identifies computers based on two registry keys that are created when the endpoints check into the portal. When we configure the base image for the VDI, we have to make sure the values for the "Computer ID" and "Computer Auth" registry keys are set, and that the process that creates the new machines also copies those original keys to the new VMs. This avoids having new machines created in the ThreatLocker Portal every time the VDI environment is destroyed.
- Install ThreatLocker on the GOLD image for the VDI environment
- Navigate to the registry (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\ThreatLocker) and take note of the keys listed below.
- Computer AuthKey
When the VDI replication process begins, it must copy those registry keys. If it does not, you can copy these keys manually by right-clicking on the folder in the Registry Editor of your Gold image and selecting 'Export'. Be sure to save the file as a .reg file.
Before you can import the file into the Registry Editor of the VDI, you will need to disable tamper protection and stop the ThreatLocker Service on the VDI.
- Disable Tamper Protection (For instructions on how to disable tamper protection, please refer to our article)
- Open Command Prompt as an Administrator.
- Type "net stop HealthTLService" to stop the Health Service. (This step must be done before you attempt to stop the ThreatLocker Service, because the Health Service will otherwise revive the ThreatLocker Service.)
- Type "net stop threatlockerservice" to stop the ThreatLocker Service.
- Press Enter.
Now you can import the .reg file into the Registry Editor of the VDI.
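The stop, import and verify sequence above can be scripted for the cloned VM. The following is an added example, not ThreatLocker's own tooling: the file paths are hypothetical, and restarting the two services after a verified import is an assumption not stated in this article.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the cloned VDI VM after tamper protection has been disabled.
param(
    # Hypothetical path to the .reg file exported from the Gold image. It holds the
    # values that identify the computer to the portal, so keep it access-restricted.
    [string]$GoldReg = 'C:\Temp\threatlocker-gold.reg'
)
$ErrorActionPreference = 'Stop'
$Key = 'HKLM\SOFTWARE\ThreatLocker'                    # registry path from the article
$Services = 'HealthTLService', 'threatlockerservice'   # stop order from the article

# Run reg.exe and fail on a non-zero exit code (reg.exe writes status text to stderr).
function Invoke-Reg([string[]]$RegArgs) {
    $p = Start-Process reg.exe -ArgumentList $RegArgs -Wait -PassThru -WindowStyle Hidden
    if ($p.ExitCode -ne 0) { throw "reg.exe $($RegArgs[0]) failed with exit code $($p.ExitCode)" }
}

if (-not (Test-Path -LiteralPath $GoldReg)) { throw "Export not found: $GoldReg" }

# The Health Service goes first; otherwise it revives the ThreatLocker Service.
foreach ($svc in $Services) {
    net stop $svc | Out-Null
    if ((Get-Service -Name $svc).Status -ne 'Stopped') {
        throw "$svc is still running; check that tamper protection is disabled."
    }
}

Invoke-Reg 'import', "`"$GoldReg`""

# Verify: re-export the live key and confirm every non-blank line of the Gold export
# is present. Only a count is reported so the key material never reaches the console.
$check = Join-Path $env:TEMP 'threatlocker-clone-check.reg'
Invoke-Reg 'export', $Key, "`"$check`"", '/y'
$clone = Get-Content -LiteralPath $check
$missing = @(Get-Content -LiteralPath $GoldReg |
    Where-Object { $_.Trim() -and ($clone -notcontains $_) })
Remove-Item -LiteralPath $check
if ($missing.Count -gt 0) {
    throw "Import not verified: $($missing.Count) line(s) differ. Services left stopped."
}

# Assumption (not in the article): bring the agent back up once the keys match.
net start threatlockerservice | Out-Null
net start HealthTLService | Out-Null
Write-Output "ThreatLocker registry keys imported and verified on $env:COMPUTERNAME."
```

If verification fails, the script stops before restarting anything so the mismatch can be inspected first.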
Normally, the VMs that are created in VDI environments are destroyed on a daily basis. If the registry keys aren't copied to those new VMs, new machines will be created in the ThreatLocker portal on a daily/weekly basis (varies based on your VM clean-up process) and they will go offline whenever those images are destroyed. By copying these important registry keys, your Gold image can be used across multiple VMs but appear in the ThreatLocker Portal as a single computer.
VDI environments are billed on a per-user basis instead of a per-endpoint basis.