The digitization that has taken place in every production field has created a constant increase in the number of computerized workstations and digital devices used in every production phase and department. In many cases these workstations are based on the Microsoft Windows operating system, known by virtually all end users and adopted by many IT administrators. In particular, with the advent of Embedded/IoT distributions (now Windows 10 IoT Enterprise), Microsoft has also conquered the industrial world, offering OEM manufacturers further customization possibilities, stronger security features and more affordable licensing.
This sudden diffusion of digital workstations has required all companies to equip themselves, internally or externally, with IT administration and assistance staff for the management of the IT infrastructure and, more specifically, is imposing the need for efficient, “cost-effective” and scalable management of all devices, to always guarantee the highest levels of security and reconcile IT needs with the company’s operational and production needs.
As for Windows-based workstations, these can offer many advantages, especially in terms of compatibility. However, compared to the Linux world, they can present IT administrators with a few more challenges in terms of IT security, owing to their wide adoption and, in some cases, their scale, which can require extremely complex operations to automate IT management on hundreds or even thousands of workstations.
This is why at Praim we have further innovated the products dedicated to IT departments for the centralized and automated management of Windows-based workstations. Through the Praim ThinMan Advanced management console, it’s now possible to control the Microsoft automatic update process on all Windows workstations equipped with the Praim Agile agent (on Praim’s Windows 10 IoT thin clients) or Praim Agile4PC (on any other Windows device, whether it’s a third party thin client or a laptop/PC).
This feature joins many others offered by Agile and centrally coordinated by ThinMan, to optimize and simplify the configuration of Windows workstations and make them more secure and manageable in the long term, including, in particular: Desktop Lockdown, the distribution of software installations and commands, the distribution of security certificates and configurations, and many more.
Now let’s take a closer look at these new features, which meet the needs of companies looking for efficiency and flexibility in the management of large fleets of endpoints based on the Microsoft Windows operating system.
Desktop Lockdown
The Desktop Lockdown limits the otherwise free access to the innumerable functions made available to the desktop by the operating system and other installed applications and allows the user to use only the programs reserved for him. It’s therefore a configuration method that aims to simplify and focus the use of the workstation, so that it’s dedicated to single or specific selected tasks, as typically necessary in many working contexts. This makes it easier to use the chosen applications and more difficult to make mistakes or compromise the system (intentionally or accidentally) in terms of security and configuration.
This type of configuration is useful, for example, if you want to create an information kiosk, a point of sale or a machine-side workstation to control production or goods-sorting software, or again to set up systems that can be used by the public in a shared space or by different operators accessing the same company workstation. In the office, too, the Desktop Lockdown can make the use of a dedicated workstation easier and more secure, such as those at counters in banks or public offices, especially those created for remote access to Virtual Desktops (VDI).
There are several ways to implement a Desktop Lockdown and they vary according to the operating system used. To obtain this result with Windows, very in-depth knowledge of the system is required and countless configurations, system policies and other specific modifications must be applied (e.g. introduction, deletion or modification of particular registry keys) relating to the entire system or only to individual users. On Windows 10, for example, a series of rules must be set via Local Security Policy and Local Group Policy. In general, it's necessary at least to:
- Create a new user and select it for auto-login;
- Restrict operations accessible via input sequences (e.g. “Ctrl-Alt-Del”);
- Replace the default Windows shell (explorer.exe) with your own application;
- Conveniently manage auto-starting applications and the privileges of other users.
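The four steps above, carried out by hand on a single Windows 10 IoT Enterprise machine, look roughly like the following script. This is an added example written for this page, not Praim's code and not what Agile does internally; the account name, the kiosk application path and the use of Shell Launcher (Microsoft's WESL_UserSetting WMI class) are assumptions made here, and the Ctrl+Alt+Del restrictions are staged in the Default profile hive so that the new account picks them up at first logon.

```powershell
# Added example (not Praim's code): manual Desktop Lockdown for one local kiosk
# account on Windows 10 IoT Enterprise. Run elevated.
# $KioskUser and $KioskShell are placeholders chosen for this example.
#Requires -RunAsAdministrator

$KioskUser     = 'kiosk'                                          # placeholder account name
$KioskPassword = Read-Host -AsSecureString 'Kiosk account password'
$KioskShell    = 'C:\Program Files\ExampleApp\ExampleApp.exe'     # placeholder application

# 1. Create a standard (non-administrator) user with a non-expiring password.
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $KioskUser -Password $KioskPassword `
        -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $KioskUser
}
$KioskSid = (Get-LocalUser -Name $KioskUser).SID.Value

# 2. Restrict the Ctrl+Alt+Del screen (Task Manager, Lock, Change password).
#    These are per-user policies; the kiosk user has never logged on, so its
#    profile will be built from C:\Users\Default at first logon. Caveat: every
#    profile created after this point inherits the same restrictions.
$Hive = 'HKU\KioskTemplate'
& reg.exe load $Hive 'C:\Users\Default\NTUSER.DAT' | Out-Null
$PolicyKey = 'Registry::HKEY_USERS\KioskTemplate\Software\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $PolicyKey -Force | Out-Null
foreach ($Name in 'DisableTaskMgr', 'DisableLockWorkstation', 'DisableChangePassword') {
    New-ItemProperty -Path $PolicyKey -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
}
[GC]::Collect(); [GC]::WaitForPendingFinalizers()   # release hive handles before unloading
& reg.exe unload $Hive | Out-Null

# 3. Replace explorer.exe with the kiosk application for this SID only, using
#    Shell Launcher (an optional feature of Windows 10 Enterprise / IoT Enterprise).
Enable-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedShellLauncher -NoRestart | Out-Null
$ShellLauncher = [wmiclass]"\\$env:COMPUTERNAME\root\standardcimv2\embedded:WESL_UserSetting"
$RestartShell  = 0   # action when the shell exits: 0 = restart shell, 1 = restart device, 2 = shut down, 3 = nothing
$ShellLauncher.SetCustomShell($KioskSid, $KioskShell, $null, $null, $RestartShell) | Out-Null
$ShellLauncher.SetDefaultShell('explorer.exe', 3) | Out-Null    # administrators keep Explorer
$ShellLauncher.SetEnabled($true) | Out-Null

# 4. Auto-logon of the kiosk account. AutoAdminLogon with a DefaultPassword value
#    stores the password in clear text in the registry, so the password is not
#    written here; Sysinternals Autologon stores it as an LSA secret instead.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'
Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $KioskUser
Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $env:COMPUTERNAME

# Check what Shell Launcher will run for this SID before rebooting.
$ShellLauncher.GetCustomShell($KioskSid)
```

Step 4 is where most hand-rolled kiosks go wrong: an auto-logon password in `DefaultPassword` is readable by any local user, so complete it with Autologon.exe (or a domain-managed account) rather than a registry write. A reboot is required for the Shell Launcher feature and the Winlogon changes to take effect.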
By using Agile, on the other hand, you have a fast and complete alternative that also offers many more possibilities for configuring and customizing the end user interface. Through the Agile agent distributed on Praim thin clients (and also available in the Agile4PC version for PCs and laptops already owned) it’s possible to activate the Desktop Lockdown mode without having to perform the above operations. The configuration will also be applicable remotely in a centralized way using the ThinMan management console and can be replicated with a few clicks on an unlimited number of Windows devices with Agile.
Installing software and remote commands
Starting with Windows 7, Microsoft has made it possible to use the PowerShell Remoting service to run PowerShell commands or invoke scripts on remote computers (clients). Once connected to the client's PowerShell, all the classic features of this tool are available, for example: the ability to mount network shares to exchange files, perform installations, etc.
It’s a very powerful feature that allows many actions and commands to be performed and managed centrally from the server, typically useful to IT departments for automating maintenance, configuration and updating endpoint fleets, even geographically distributed ones.
To achieve this goal, however, in addition to knowing PowerShell, it's also necessary to perform a complex set of operations, both on the server and on the client side, to establish secure communication between the workstation (perhaps remote) and the server. Among other things, you need to enable PowerShell Remoting and the WinRM service on the clients (manually or via GPO, if they are part of a Domain), set firewall rules to allow the remote connections, edit the list of trusted devices ("trusted hosts"), etc.
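The manual sequence just described, as an added example that is not Praim's code nor ThinMan's mechanism: enabling WinRM on a client with an HTTPS listener, registering it on the server's TrustedHosts list, and then pushing and installing one MSI over the session. The host name `WS-042`, the certificate thumbprint and the package path are placeholders.

```powershell
# Added example (not Praim's code): the server/client steps behind PowerShell
# Remoting, followed by one remote software installation. Run elevated on both
# sides. 'WS-042', the thumbprint and the MSI path are placeholders.
#Requires -RunAsAdministrator

# --- On each client workstation -------------------------------------------
Enable-PSRemoting -Force                  # starts WinRM, creates the HTTP listener and its firewall rules

# Prefer an HTTPS listener so credentials and traffic are protected even off-domain.
# The certificate's subject/SAN must match the name the server will connect to.
$Thumb = '<CERT-THUMBPRINT-PLACEHOLDER>'
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -CertificateThumbPrint $Thumb -Force | Out-Null
New-NetFirewallRule -DisplayName 'WinRM over HTTPS (5986)' -Direction Inbound `
         -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain, Private | Out-Null

# Remove the plain HTTP listener that Enable-PSRemoting created.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object Keys -contains 'Transport=HTTP' |
    Remove-Item -Recurse

# --- On the management server ---------------------------------------------
# TrustedHosts is only consulted for non-Kerberos (workgroup / NTLM) targets.
# List hosts explicitly; a '*' entry lets any host impersonate a client.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'WS-042' -Concatenate -Force

$Cred    = Get-Credential -Message 'Local administrator on WS-042'
$Session = New-PSSession -ComputerName 'WS-042' -UseSSL -Credential $Cred

# Verify the package signature before it leaves the server, then copy it over the session.
$Package = 'C:\Deploy\ExampleApp.msi'                                   # placeholder
$Sig = Get-AuthenticodeSignature -FilePath $Package
if ($Sig.Status -ne 'Valid') { throw "Refusing to deploy package with signature status $($Sig.Status)" }
Copy-Item -Path $Package -Destination 'C:\Windows\Temp\ExampleApp.msi' -ToSession $Session

# Run the installer silently on the client and bring back its exit code
# (0 = installed, 3010 = installed, reboot pending).
$ExitCode = Invoke-Command -Session $Session -ScriptBlock {
    $p = Start-Process -FilePath msiexec.exe -Wait -PassThru -ArgumentList `
        '/i', 'C:\Windows\Temp\ExampleApp.msi', '/qn', '/norestart', '/l*v', 'C:\Windows\Temp\ExampleApp.log'
    Remove-Item 'C:\Windows\Temp\ExampleApp.msi' -ErrorAction SilentlyContinue
    $p.ExitCode
}
Remove-PSSession $Session
"WS-042 msiexec exit code: $ExitCode"
```

Two details are worth keeping even when a management console hides this sequence: an explicit, per-host TrustedHosts list rather than a wildcard, and a signature check on the package before it is copied, since a remoting session runs whatever it is handed with administrator rights on the client.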
Devices equipped with Agile, on the other hand, can receive third-party software installation packages through a simple procedure coordinated by the ThinMan console, taking advantage of the secure connections between the console and the Praim clients. In this way a complex procedure becomes an immediate and elementary action for the IT admin or their helpdesk team. ThinMan managers (who can be given different privileges through the Access Control List, ACL, function) can perform configurations, install and update software on all Windows client devices, directly from the console, on groups or on individual workstations. That's not all: these tasks can be set to run on an event (e.g. when a device is turned on) or on a scheduled basis, and devices can be classified by activity status (e.g. scheduled, already completed successfully, or failed).
Windows updates check
ThinMan and Agile offer two new features to also facilitate the control and application of automatic Windows updates.
The Windows Update service is always active on Windows devices of all versions and coordinates the download, installation and application of new version-specific updates, in a totally autonomous way and controlled by Microsoft. This feature, which has the advantage of keeping devices always up-to-date, can sometimes affect the corporate IT infrastructure management process. This happens, in particular, in situations where digital workstations are used for production and critical operational activities for the organization. Windows updates, in fact, require the use of bandwidth on the network to be downloaded and if applied automatically can lead to one or more restarts of the workstation, at moments and with times that cannot always be controlled. Also, updates that you download but haven’t applied yet can affect the operation of your device, slowing it down until you install them. Finally, if the device has an active Write Filter (as happens on many workstations in the company environment, to avoid changes to the disk) the Windows updates can’t be downloaded.
Therefore, in the corporate environment, if on the one hand it's necessary to always keep the workstations updated, on the other hand this must be done entirely under the control of the IT administrator, so that maintenance can be performed in a flexible and personalized way, in line with production cycles, business needs or priorities. Both the use of the network and the operations resulting from the update that take place on each device must be able to be performed at specific times and periods identified by the administrator, for reasons of optimization, uniformity within the endpoint estate and, above all, to avoid interruptions during staff's work.
However, switching from the automatic mode of Windows Update to a flexible and personalized use, centrally controlled, is a complex activity that requires specific configurations on each device. Furthermore, this must be done in harmony with the other characteristics of the device, such as the presence of the Write Filter. Achieving this with commands and policies is not only complex, it’s also costly in terms of staff and requires precision to ensure consistency.
Through ThinMan and Agile, on the other hand, it's possible to block or unblock automatic Windows updates on individual devices or groups, with a click. Once the updates are disabled in the automatic mode, it's then possible to control the application of the available ones in a flexible and personalized way, always with a click, choosing on which machines and at what moment the updates must be downloaded and applied. In fact, ThinMan also allows you to do it in a massive and automated way, through planned or event-based activities. It will therefore be possible to control, according to specific needs, all maintenance and updating activities, without running the risk of postponing them "indefinitely" or having to stop production for massive IT activities. Furthermore, through ThinMan it's also possible to load single Microsoft update packages ("Windows Update Standalone" packages with the ".msu" extension) to send and install them on devices equipped with Agile/Agile4PC, through the now extended Third Party Software Installation function. ThinMan allows these update packages to be distributed to the desired machines in synchronization with the disk protection systems, all in a single operation for the IT admin and without ever having to give up on security.
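What "taking Windows Update out of automatic mode" and "installing a single .msu in synchronization with the write filter" amount to on one device, as an added example written for this page (not Praim's code and not what ThinMan/Agile do internally): the `NoAutoUpdate` policy switches off the scheduled download/install cycle, and the Unified Write Filter (UWF) state is read through Microsoft's `UWF_Filter` WMI class before `wusa.exe` is run, because a package installed while the filter is active is discarded at the next reboot. It assumes an elevated session on Windows 10 IoT Enterprise; the .msu path is a placeholder.

```powershell
# Added example (not Praim's code): per-device Windows Update control and a
# write-filter-aware .msu installation. Run elevated on Windows 10 IoT Enterprise.
#Requires -RunAsAdministrator

function Set-AutomaticUpdates {
    # $Enabled = $false sets NoAutoUpdate = 1, the same policy as
    # "Configure Automatic Updates: Disabled". Manual installs still work.
    param([bool]$Enabled)
    $Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    New-Item -Path $Key -Force | Out-Null
    Set-ItemProperty -Path $Key -Name NoAutoUpdate -Type DWord -Value ([int](-not $Enabled))
}

function Get-UwfFilter {
    # Returns $null when UWF is not installed on this image.
    Get-CimInstance -Namespace root\standardcimv2\embedded -ClassName UWF_Filter -ErrorAction SilentlyContinue
}

function Install-MsuPackage {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { throw "Package not found: $Path" }

    # Only install packages whose Authenticode signature verifies.
    $Sig = Get-AuthenticodeSignature -FilePath $Path
    if ($Sig.Status -ne 'Valid') { throw "Refusing $Path, signature status $($Sig.Status)" }

    $Uwf = Get-UwfFilter
    if ($Uwf -and $Uwf.CurrentEnabled) {
        # Filter active: writes would be lost at reboot. Disable it for the next
        # session and report that a reboot and a second run are needed.
        Invoke-CimMethod -InputObject $Uwf -MethodName Disable | Out-Null
        return [pscustomobject]@{ Installed = $false; RebootRequired = $true
                                  Reason = 'UWF disabled for next boot; reboot, then re-run' }
    }

    $p = Start-Process -FilePath wusa.exe -Wait -PassThru -ArgumentList "`"$Path`"", '/quiet', '/norestart'
    # 0 = installed, 3010 = installed and reboot required, 2359302 (0x240006) = already installed
    $Ok = $p.ExitCode -in 0, 3010, 2359302

    if ($Uwf) {
        # Re-arm the filter so the next boot is protected again; takes effect after reboot.
        Invoke-CimMethod -InputObject $Uwf -MethodName Enable | Out-Null
    }
    [pscustomobject]@{ Installed = $Ok; ExitCode = $p.ExitCode
                       RebootRequired = ($p.ExitCode -eq 3010 -or $null -ne $Uwf) }
}

Set-AutomaticUpdates -Enabled $false
Install-MsuPackage -Path 'C:\Updates\windows10.0-kbNNNNNNN-x64.msu'   # placeholder file name
```

The two-pass behaviour around the write filter (disable, reboot, install, re-enable, reboot) is exactly the coordination the text refers to as "synchronization with the disk protection systems": done by hand it costs two controlled restarts per device, which is why scheduling it for a maintenance window matters.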
Conclusion
These new features are added to all the services that Agile and ThinMan already offer for the centralized management of workstations, making them completely secure and controllable by the IT administrator, centrally and with minimum effort (i.e. maximum efficiency). With ThinMan, the automation of corporate device management activities becomes simple and fast, quickly enabling IT staff to perform the various maintenance, protection, configuration and assistance functions in a uniform and scalable way across the entire fleet of machines.
Reducing complexity to offer ever greater efficiency and security is the objective behind our product innovations. In an industrial context where digital technology is constantly increasing and IT human resources are precious and often overloaded, we want to support customers with essential solutions to optimize times, guarantee efficiency and uniformity, and reduce corporate infrastructure management costs.