How to install UserLock on Windows Server Core
From UserLock 12.2, follow the steps below. With UserLock 12.1 or older, we advise upgrading UserLock; otherwise, please contact us for specific instructions.
Note: the credential provider is not compatible with Windows Server Core, so certain features will not be available.
1. To install the UserLock desktop agent on Windows Server Core:
Since version 12.2, UserLock can deploy the Windows Server Core special agent if needed. The installation of the agent on Windows Server Core will therefore be transparent to the user.
Notes:
- If the OS is Windows Server Core 2019 or higher and the "Server Core App compatibility" feature is installed (the procedure is available in the section “Installing the App Compatibility Feature on Demand” of Server Core App Compatibility Feature on Demand in Windows Server | Microsoft Learn), the standard desktop agent works and the user can even enroll in MFA.
- In all other Windows Server Core cases, the Windows Server Core special agent is installed. It does not allow enrollment, but the user can validate the MFA code.
With UserLock 12.1 or older, the procedure is available here.
2. To install and configure UserLock on Windows Server Core:
Install the UserLock server silently:
Download the UserLock package to a local folder, "C:\Temp\" for example.
Open a 64-bit CMD prompt with "Run as administrator" enabled, then run:
UserLock_Setup.exe /s /v/qn /vADDLOCAL=Service,PrivilegeElevation,Console,PowerShell
- Note: this does not work if there is a space between "/v" and "/qn"!
- Note: "Service,PrivilegeElevation,PowerShell" corresponds to the minimum recommended configuration on Windows Server Core; you can replace it with another configuration. For information, the default configuration of a standard installation on Windows Server is "Service,PrivilegeElevation,Console,WebConsole,PowerShell,WebApps,Proxy,Help". Contact us if you want to install other components ("UserLockSSO", "IIS MFA" etc.).
Configure the UserLock server type, protected zone, and impersonation account silently:
Download https://cdn.isdecisions.com/Download/userlock/SetUserLockConfiguration.zip
Extract this zip.
Open 32-bit PowerShell (%SystemRoot%\syswow64\WindowsPowerShell\v1.0\powershell.exe) with "Run as administrator" enabled, then run the following commands, adapting them to your environment: replace "UserLockSvc" with the name of the impersonation account, replace "VCORP" with the domain name of the impersonation account, and replace "YourPassword" with the password of the impersonation account. As explained here, the first command below makes UserLockPowerShell usable immediately after the UserLock installation; it is not needed if the server was restarted after installation.
Import-Module "${env:ProgramFiles(x86)}\ISDecisions\UserLock\Modules\UserLockPowerShell\UserLockPowerShell.psd1"
cd C:\Temp\SetUserLockConfiguration\
& '.\SetUserLockConfiguration.ps1' -AdminAccount 'UserLockSvc' -AdminDomain 'VCORP' -AdminPassword 'YourPassword'
Parameters of this script allow you to configure a backup UserLock server (and the name of the Primary UserLock server) and a specific protected zone ("(All)" by default):
& '.\SetUserLockConfiguration.ps1' -AdminAccount 'UserLockSvc' -AdminDomain 'VCORP' -AdminPassword 'YourPassword' -Zone 'OU=MyOU,DC=MyDomain,DC=intra'
& '.\SetUserLockConfiguration.ps1' -IsBackupServer -PrimaryServerName 'DC1' -AdminDomain 'VCORP' -AdminAccount 'UserLockSvc' -AdminPassword 'YourPassword'
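The following wrapper is an added example, not part of the UserLock package or its documentation. It checks the two preconditions stated above (32-bit PowerShell, elevated session) and prompts for the impersonation password instead of typing it on the command line, where it can end up in console history. It assumes the zip was extracted to C:\Temp\SetUserLockConfiguration\ and uses the sample account VCORP\UserLockSvc.

```powershell
# Added example: guarded call to SetUserLockConfiguration.ps1.
# Assumed values: extraction folder and the VCORP\UserLockSvc account from the steps above.
$ErrorActionPreference = 'Stop'

# The procedure requires the 32-bit PowerShell host; stop early in a 64-bit one.
if ([Environment]::Is64BitProcess) {
    throw "64-bit host detected. Start $env:SystemRoot\syswow64\WindowsPowerShell\v1.0\powershell.exe instead."
}

# The procedure requires "Run as administrator".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This PowerShell session is not elevated.'
}

$scriptDir   = 'C:\Temp\SetUserLockConfiguration'
$setupScript = Join-Path $scriptDir 'SetUserLockConfiguration.ps1'
if (-not (Test-Path -LiteralPath $setupScript)) {
    throw "Configuration script not found: $setupScript"
}

# Only needed when the server was not restarted after installing UserLock.
Import-Module "${env:ProgramFiles(x86)}\ISDecisions\UserLock\Modules\UserLockPowerShell\UserLockPowerShell.psd1"

# Prompt for the password so the literal never appears in a typed command.
$secure = Read-Host -Prompt 'Password for VCORP\UserLockSvc' -AsSecureString
# -AdminPassword is passed as plain text on this page, so convert just before the call.
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

Push-Location $scriptDir
try {
    & $setupScript -AdminAccount 'UserLockSvc' -AdminDomain 'VCORP' -AdminPassword $plain
}
finally {
    Pop-Location
    # Drop the plaintext copy as soon as the script returns.
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
    $secure.Dispose()
}
```

For a backup server or a specific protected zone, add the -IsBackupServer and -PrimaryServerName or -Zone parameters shown above to the same call.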
Once the UserLock service is running, you should be able to open a UserLock console ("%ProgramFiles(x86)%\ISDecisions\UserLock\UserLockAdmin.exe") and connect with the server.
Uninstall UserLock
Open a 64-bit CMD prompt with "Run as administrator" enabled, then run:
- With UL 12.2:
"%ProgramFiles(x86)%\ISDecisions\UserLock\CheckBeforeUninstall.exe" "{D3321B20-98B5-42C3-9279-ED6B741F779E}"
- With UL 12.1:
"%ProgramFiles(x86)%\ISDecisions\UserLock\CheckBeforeUninstall.exe" "{6FBD4888-6169-480A-8017-600DB469E4BA}"
- With UL 12.0:
"%ProgramFiles(x86)%\ISDecisions\UserLock\CheckBeforeUninstall.exe" "{A9B6960C-D193-40AC-9AD4-2C3E34A1A859}"
- With UL 11.2:
"%ProgramFiles(x86)%\ISDecisions\UserLock\CheckBeforeUninstall.exe" "{C9947411-51FF-4104-878F-C4BE24363FD6}"