Windows Installer package
The UserLock 'Desktop' agent is designed to audit, control and protect workstations, servers and terminal servers. This agent audits all interactive sessions activity on these machines and protects them by applying a user access control policy defined through protected account rules.
This 'Desktop' agent has to be installed on the machines and communicates with UserLock servers to control all open requests for interactive sessions.
The UserLock 'Desktop' agent can be installed manually or deployed automatically through the UserLock console. You can also deploy the 'Desktop' agent through a third-party deployment solution or using Microsoft Group Policies. We provide MSI packages of the 'Desktop' agent for this purpose:
- For 64-bit target operating systems: %ProgramFiles(x86)%\ISDecisions\UserLock\UlAgent_x64.msi.
- For 32-bit target operating systems: %ProgramFiles(x86)%\ISDecisions\UserLock\UlAgent_x86.msi.
Install the 64-bit package on a 64-bit operating system and 32-bit on a 32-bit operating system. Note that you must run cmd with the "Run as Administrator" option.
By default, communication settings are not configured. You need to specify some MSI properties for the MSI package, unless you deploy the communication settings with the UserLock 'Administration template' through Microsoft Group Policies.
Command line example to install the MSI package silently or to upgrade old version agents previously installed using the Windows console (on a 64-bit operating system):
msiexec /i ULAgent_x64.msi /qn USERLOCKSERVER=YourUserLockServerName
Command line example to upgrade an old agent version which was previously installed using an MSI package (on a 64-bit operating system):
msiexec /i ULAgent_x64.msi /qn USERLOCKSERVER=YourUserLockServerName USERLOCKSERVERBACKUP=YourUserLockBackupServerName REBOOT=ReallySuppress REINSTALL=ALL REINSTALLMODE=vomus
Command line example to silently install the MSI package, or to update older agent versions previously deployed using the Windows console, while specifying the UserLock server names and configuring the desktop agent with unlock and reconnection protection and "Ask for MFA" for "Logons without network connection" (on a 64-bit operating system):
msiexec /i ULAgent_x64.msi /qn USERLOCKSERVER=YourUserLockServerName USERLOCKSERVERBACKUP=YourUserLockBackupServerName USERLOCKCFG=YourNeededCfgNumber REBOOT=ReallySuppress
Replace "YourNeededCfgNumber" with a number including all the options you want to configure in the Desktop UserLock agent:
- 0x001 If enabled, protect the terminal server console (for Windows Server 2003 / 2003R2 only).
- 0x002 If enabled, displays errors to end users.
- 0x00C (12: 0x004 (4) + 0x008 (8)) TSJoinMode bits (for Windows Server 2003 / 2003R2 only). Try to join any existing session on the server:
  - Both bits disabled: Always.
  - 0x008 disabled and 0x004 enabled: If the new session is not allowed.
  - 0x008 enabled and 0x004 disabled: Never.
- 0x010 (16) If enabled, prevents the Desktop Agent from sending logons denied by Active Directory.
- 0x020 (32) If enabled, a lock session event is sent on screen saver startup.
- 0x040 (64) If enabled, prevents the removal of any ghost sessions on the localhost computer.
- 0x180 (384: 0x080 (128) + 0x100 (256)) Logons without network connection bits:
  - Both bits disabled: Always allow connections.
  - 0x080 disabled and 0x100 enabled: Ask for MFA.
  - Both bits enabled: Force MFA.
  - 0x080 enabled and 0x100 disabled: Always deny connections.
- 0x200 (512) If enabled, all restrictions - including MFA - will be applied when unlocking or reconnecting to a session.
Example value for "YourNeededCfgNumber": 768 (= 0x300):
- All restrictions - including MFA - will be applied when unlocking or reconnecting to a session.
- "Ask for MFA" for "Logons without network connection".
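As an added example (not part of the UserLock documentation or product), this Python sketch decodes and builds USERLOCKCFG numbers from the bit list above, so a value can be checked against the intended offline-logon and unlock policy before it is deployed. Function and constant names are hypothetical, and the 0x004 + 0x008 combination, which the list does not describe, is reported as undocumented.

```python
# Added example: bit values are copied from the option list above;
# all function and constant names here are hypothetical.
FLAGS = {
    0x001: "protect terminal server console (Server 2003 / 2003R2 only)",
    0x002: "display errors to end users",
    0x010: "do not send logons denied by Active Directory",
    0x020: "send lock session event on screen saver startup",
    0x040: "do not remove ghost sessions on the local computer",
    0x200: "apply all restrictions (including MFA) on unlock/reconnect",
}
# Two-bit fields: the masked value selects one documented mode.
TS_JOIN = {0x000: "Always", 0x004: "If the new session is not allowed",
           0x008: "Never"}
OFFLINE = {0x000: "Always allow connections", 0x100: "Ask for MFA",
           0x180: "Force MFA", 0x080: "Always deny connections"}
KNOWN_MASK = 0x3FF  # union of every bit named in the list


def decode_userlockcfg(value):
    """Return the options a USERLOCKCFG number enables."""
    if value < 0 or value & ~KNOWN_MASK:
        raise ValueError(f"bits outside the documented range: {value:#x}")
    return {
        "flags": [name for bit, name in FLAGS.items() if value & bit],
        # 0x004 + 0x008 together is not described in the list above.
        "ts_join_mode": TS_JOIN.get(value & 0x00C, "undocumented combination"),
        "offline_logons": OFFLINE[value & 0x180],
    }


def build_userlockcfg(flags=(), ts_join_mode="Always",
                      offline_logons="Always allow connections"):
    """Compose a USERLOCKCFG number from single-bit options and two modes."""
    value = 0
    for bit in flags:
        if bit not in FLAGS:
            raise ValueError(f"not a single-bit option: {bit:#x}")
        value |= bit
    value |= {name: bits for bits, name in TS_JOIN.items()}[ts_join_mode]
    value |= {name: bits for bits, name in OFFLINE.items()}[offline_logons]
    return value


if __name__ == "__main__":
    cfg = build_userlockcfg(flags=[0x200], offline_logons="Ask for MFA")
    print(cfg, hex(cfg), decode_userlockcfg(cfg))  # the page's example value
```

Decoding a value taken from an existing deployment script shows at a glance whether offline logons are left on "Always allow connections" or whether unlock and reconnection protection is missing.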
To uninstall the MSI package silently (on a 64-bit operating system):
msiexec /x ULAgent_x64.msi /qn REBOOT=ReallySuppress
- Without specifying these communication parameters, agents can't use localized UserLock servers.
- REBOOT=ReallySuppress avoids any reboot which is required for agent operations performed on Windows 2003 Server and XP systems.