VMware Horizon, Imprivata Onesign and ThinClients

Ran into a little bug yesterday while implementing VMware Horizon and Imprivata.

Appliances rolled out, configured the site, policy's etc. etc.

On the regular Windows endpoints this worked as expected. Login went fine, tabbed a badge, entering additional credentials if required by policy and the session would beautifully start, locking, roaming, smooth as silk..

Pushed the Imprivata agent to the Thin Clients (Dell Wyse based on Windows 10 IoT, although the brand does not matter) ran in to a little bug.

Session started the same, but then.. no more possibility to lock the session with badge or pressing Windows-L key... it beeps... it lights...it ignores..

Usual suspect to investigate is to check if the Card reader is passed trough to the VDI by USB redirection. But no not the case. Weird thing is when closing the Horizon Client the reader and lock keys immediately started to work. Like the commands are send to Horizon and completely ignored by the Imprivata Agent ending up in a black hole.

After numerous troubleshooting, checking policy's, regkeys here is the fix:

Set an additional regkey on the thinclient so Imprivata matches the privilege of the Horizon Client.

Key Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SSOProvider\ISXAgent
 Key Name: "ForceHighIntegrityLevel"
 Key Type: DWORD
 Key Value: "1"

And it all works like expected again... nice...!

Any questions or remarks? please let me know!

Special thanks to Ron van de Liskdonk (Imprivata) for troubleshooting the issue with me.