Forum Discussion
Azure Virtual Desktop - Problems Attempting Locked down Exam Environment
I am attempting to build an Azure Virtual Desktop that will be used for an Exam Environment. The physical workstations are thin clients that auto-direct to RDP and access our AVD environment. Using a Windows11+Office365 image, I created a basic image. I added shortcuts to the desktop (Word, Excel, PowerPoint, a web shortcut)
I want a non-persistent desktop that does not pull any information from a user's account. Not OneDrive, not Teams, no roaming files. It will pass-through the user's credentials for obtaining a Office license and nothing more. All internet will be blocked, and only a couple of sites will be accessed.
All lockdown settings are handled through GPO (https://www.dropbox.com/scl/fi/qv8y15khfrttd3v1z9vwv/AVD-DSB-Exam-Policy_Redacted.pdf?rlkey=d7kbgxnx3826wgro5nncumged&dl=1). *Not shown in the file is the usage of Teams, where I used a fake tenant ID so it was impossible to load\link MSTeams. But to block OneDrive as indicated in the file, I did use the correct tenant ID.
Does it work? Yes. But it has issues loading up.
When you attempt to sign in, it will take exactly 10min 'Preparing Windows'.
Once this completes, in the bottom left corner is a minimized DOS window. When you restore this window it shows it's attempting to run UsrLogon.cmd but has the error "The command prompt has been disabled by your administrator. Press any key to continue...", which when done takes you to the desktop.
Lastly, the weblink is created for the student to upload their exam to our CRM when completed. When you access this weblink it opens with "Welcome-new-device is blocked" and you have to use TaskManager to kill Edge, and then restart it so it will then properly access the CRM site.
While this does work as intended once you get to this point, it's an unnecessary delay. Especially when attempting to take an exam.
I need help trying to identify these three problems:
- Why is it taking 10 minutes to prepare windows, and how do you make it stop doing that?
- Why is the usrlogon.cmd failing to run (and I don't appear to need it, so how to stop it completely?)
- What GPO did I miss with Edge to not have that 'welcome new device\user' to appear and just load the website I want.
4 Replies
- jlindemann (Copper Contributor)
Update #2
Well.... I'm so very close. Just one piece isn't working. Hopefully if you are reading this, might lend a suggestion.
The entire desktop is locked down.
- I've blocked internet access, except for the couple of sites I need
- I've blocked the integrated experience through all Microsoft apps
- Blocked OneDrive
- I've blocked the Windows apps Microsoft Store, Microsoft 365 (CoPilot) and Outlook (new)
But what isn't working, is that it's keeping a local profile on the server\workstation. It's not using FSLogix, but a local profile is kept after the user signs out. And I want it to be deleted once they sign out, or the server reboots.
When a user logs into AVD, they are given access to whichever AVD is available to them. In this example, the user logs onto Server#2 and is able to save a Word document to the desktop. When they are done, they sign out. If the user comes back another time they may be on Server#6. But if they are lucky enough to log back into Server#2, the file they left on the desktop is still there. There is a GPO setting
Computer -> Admin -> System\User Profiles
Delete user profiles older than a specified number of days on system restart -> (set number to 1)
I would leave the device running over the weekend, come back and restart the server - profile is still there with the document on the desktop.
Any thoughts?
- Kidd_Ip
See whether this can provide you with some insight:
https://www.isumsoft.com/windows-tips/fix-command-prompt-disabled-by-administrator.html?form=MG0AV3
- jlindemann (Copper Contributor)
Thanks Kidd_Ip. That was definitely the cause of the 10min wait for "preparing windows". I was able to re-enable that through GPO and logging in became a breeze again.
- jlindemann (Copper Contributor)
UPDATE:
The Edge issue was an easy fix I overlooked. I just needed to enable this setting:
User --> Admin Template --> Microsoft Edge --> Hide the First run experience and splash screen.
I was able to "fix" the 10min of preparing windows and usrlogon.cmd by re-enabling the setting
User -> Admin Template --> System --> Prevent access to the command prompt
The user will login quickly now. It seems that either FSLogix or the UsrLogon required the command prompt, and turning that back on made the difference.
BUT... because of the unique setup I'm attempting to build here, I don't want any files on the user's desktop kept. And I think FSLogix is doing this still in the background, but I can't figure out how to stop it.
If I create a Word document (file1.docx) on the desktop (Server6) and sign out, the next time I may be on Server11 and I don't see that file. But if I end up back on Server6 again, there's file1.docx sitting on the desktop again.
This shouldn't be happening. I tried to stop keeping the local directory after logoff, or clear cache on logoff, delete cached copies of roaming profiles, don't save settings at exit. I'm quite close, but just a couple of things are in my way: the fact that it will leave a file on the desktop (which we don't want), and some way to remove all the 'pinned apps' in the start menu.
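Added example, not code from the thread or any of its posters: a PowerShell audit of the registry values that the policies discussed in this thread write on a session host (Edge first-run experience, the command-prompt restriction behind the UsrLogon.cmd error, OneDrive sync, profile cleanup days, FSLogix), plus a startup-time purge of leftover local profiles. The registry paths are the policies' documented locations; the expected values, the `KeepSid` parameter and the `Remove-StaleLocalProfiles` helper are assumptions for this exam-host setup.

```powershell
# Added example: audit lockdown policy values on an AVD session host and
# remove stale local profiles at startup. Expected values are assumptions.
Set-StrictMode -Version Latest

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value not configured
}

function Test-ExamHostLockdown {
    # Each row: policy label, registry path, value name, expected value.
    $checks = @(
        @('Edge: hide first-run experience', 'HKCU:\Software\Policies\Microsoft\Edge', 'HideFirstRunExperience', 1),
        # DisableCMD 2 = interactive cmd blocked but batch scripts allowed;
        # 1 also blocks script processing, so logon scripts like UsrLogon.cmd fail.
        @('Prevent access to command prompt', 'HKCU:\Software\Policies\Microsoft\Windows\System', 'DisableCMD', 2),
        @('OneDrive: prevent file sync', 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive', 'DisableFileSyncNGSC', 1),
        @('Delete profiles older than N days', 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System', 'CleanupProfiles', 1),
        @('FSLogix profile container enabled', 'HKLM:\SOFTWARE\FSLogix\Profiles', 'Enabled', 0)
    )
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c[1] -Name $c[2]
        $shown = if ($null -eq $actual) { 'not set' } else { $actual }
        [pscustomobject]@{
            Policy   = $c[0]
            Expected = $c[3]
            Actual   = $shown
            Ok       = ($actual -eq $c[3])
        }
    }
}

function Remove-StaleLocalProfiles {
    # Intended for a Computer startup script: removes every local profile that
    # is not loaded and not a built-in/special one, so nothing a student saved
    # survives a reboot. -WhatIf previews the deletions without performing them.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$KeepSid = @())   # assumed: SIDs to preserve, e.g. a local admin
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and -not $_.Loaded -and $_.SID -notin $KeepSid } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.LocalPath, 'Remove local profile')) {
                Remove-CimInstance -InputObject $_
            }
        }
}

Test-ExamHostLockdown | Format-Table -AutoSize
Remove-StaleLocalProfiles -WhatIf
```

Run the audit in the student's user context (the HKCU policies only resolve there), and run the profile purge as SYSTEM at startup, dropping `-WhatIf` once the preview lists only the expected profiles.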