Using UserLock in a VDI environment

Learn how to install and configure the UserLock Desktop Agent in a Virtual Desktop Infrastructure (VDI) environment. This guide explains how to prepare the VDI template, verify communication with the UserLock server, and ensure correct session tracking.

Published July 31, 2025

Overview

Virtual Desktop Infrastructure (VDI) allows administrators to provide users with virtual workstations generated from a single master image (template).
When a user logs in, a new instance of this template is created and used as their session.

To protect and monitor these sessions with UserLock, the UserLock Desktop Agent must be installed and configured on the VDI template before it is deployed.

Note

Examples of VDI providers: Microsoft, Citrix, and VMware.
See Desktop virtualization on Wikipedia for more background.

1. Prepare the VDI template

Start your VDI template and verify that it meets the following prerequisites:

  • ✅️ Remote Registry service is enabled and started.

  • ✅️ ICMP (Ping) is authorized in both directions between the UserLock server and the VDI machine.

  • ✅️ Microsoft File and Printer Sharing (SMB TCP 445) is authorized in both directions between the UserLock server and the VDI machine.

2. Deploy the Desktop Agent

  1. Log on to the UserLock server.

  2. Open the UserLock console.

  3. Deploy the Desktop Agent on the VDI template.

    • This will install the agent and configure it to connect to the Primary (and optional Backup) UserLock servers.

  4. If the VDI template is not listed in the Environment ▸ Machines pages, it may not be in the protected network zone. In that case, install the Desktop Agent manually.

  5. If it is in the protected zone, wait up to 5 minutes for the list of protected computers to refresh.

3. Validate the configuration

  1. In the console, create a temporary Alerts & notifications access policy for a test user (e.g., UserLockTestUser).

    • Enable the Welcome message.

  2. Log on to the VDI template using this test user.

    • Confirm that the welcome message appears.

    • If not, restart the entire process from the beginning.

      Note

      If you skip this restart, the agent will keep trying to report the failed logon event to the UserLock service, and this data will persist in future template clones.

  3. In the console, verify that the session appears under Activity ▸ Active sessions.

  4. Log off the template and confirm that the session disappears from the console.

    • If not, restart the process from the beginning to avoid data persistence issues.

4. Finalize the template

Once the tests are successful, finalize the template.

This image is now UserLock Ready and can be deployed as a standard VDI image.

5. Configuring UserLock to treat VDI sessions as terminal sessions

By default, UserLock treats VDI sessions as workstation sessions.

If you prefer to categorize them as terminal sessions, you can change this behavior:

  1. Open the UserLock console.

  2. Go to ⚙️ Server settings ▸ Advanced Settings ▸ General section.

  3. Set the property VDI Mode to true

  4. Click Save.

Note

This feature is not supported in some limited versions of VMware, where the client name data is unavailable.
Without the client name, UserLock cannot enforce client-based restrictions or count VDI sessions as terminal sessions.