question

ViktorBackan avatar image
0 Votes"
ViktorBackan asked JennyYan-MSFT commented

Install program through RDP vs install program through Hyper-V console

Is there a difference installation wise? We have a sub contractor refusing support for a program installed through RDP with local admin account since they say all registry keys are not applied and we should have had installed the programs directly through the Hyper-V console on the host machine or through TeamViewer etc.

We've never had a problem with installations through RDP before and it would be great to get some documentation or a statement from Microsoft stating there are is a registry difference between the two install methods.

remote-desktop-services
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

LeonLaude avatar image
0 Votes"
LeonLaude answered LeonLaude commented

Hi @ViktorBackan,

Aside from security there's no difference really, RDP can cause higher security risks instead of being locally logged on, but logging on via the Hyper-V console also does have its risks, unless the infrastructure is well designed and has its security very tighten.


If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!


Best regards,
Leon

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @LeonLaude,

Thanks for the quick reply. Do you have any source or documentation to back the statement up? That is our belief and experience as well but it would be nice to provide some kind of evidence to the sub contractor.

0 Votes 0 ·

I don't believe this is documented anywhere officially, it is more of known fact that Remote Desktop sessions are something of a security risk as they are easier to hijack than a system that’s being managed by PowerShell Remoting or traditional RPC-based tools such as Hyper-V Manager.

The best option is of course to have these tools like Hyper-V Manager/PowerShell on a client that is highly secured and connections are only opened from that one specific computer and not from every administrator machine.

0 Votes 0 ·
JennyYan-MSFT avatar image
0 Votes"
JennyYan-MSFT answered JennyYan-MSFT commented

Hi,

Some considerations should be paid attention to when installing the app on an RD Session Host server like: application compatibility and dependencies, capacity and Licensing related requirements and so on.

Basically when trying to install the app on the remote session host server, we shall use change user /install command to allow each user has a unique copy of the .ini files for an application.
This prevents instances where different users might have incompatible application configurations. The installation related the registry key files will be shadowed to Terminal server path as explained below and copied to users' home directory.

"
When the system is running change user /install, several things occur. All registry entries that are created are shadowed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Terminal Server\Install, in either the \SOFTWARE subkey or the \MACHINE subkey. Subkeys added to HKEY_CURRENT_USER are copied under the \SOFTWARE subkey, and subkeys added to HKEY_LOCAL_MACHINE are copied under the \MACHINE subkey. If the application queries the Windows directory by using system calls, such as GetWindowsdirectory, the rd Session Host server returns the systemroot directory. If any .ini file entries are added by using system calls, such as WritePrivateProfileString, they are added to the .ini files under the systemroot directory.

When the system returns to change user /execute, and the application tries to read a registry entry under HKEY_CURRENT_USER that does not exist, Remote Desktop Services checks to see whether a copy of the key exists under the \Terminal Server\Install subkey. If it does, the subkeys are copied to the appropriate location under HKEY_CURRENT_USER. If the application tries to read from an .ini file that does not exist, Remote Desktop Services searches for that .ini file under the system root. If the .ini file is in the system root, it is copied to the \Windows subdirectory of the user's home directory. If the application queries the Windows directory, the rd Session Host server returns the \Windows subdirectory of the user's home directory.
"
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/change-user

The "change user /install" procedure, still matters?
https://social.technet.microsoft.com/Forums/en-US/f89bd9ab-1657-4314-ba85-c26cd495165f/the-quotchange-user-installquot-procedure-still-matters?forum=winserverTS



Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi Jenny,

In this case we don’t connect to a RD Session Host.
We only connect to the RDP session that is supplied via the OS (with other words no Terminal Server). The OS could be a Windows 10.
What we have seen on a few installations (of our software) when using the RDP session is that all registry keys are not set properly.
The installation could be good but also in some few cases go bad (program does not run properly).
We try to install our software as local administrators and we run the setup.exe as “Run as administrator”.
The machines are often in Data Centers and we are not allowed to go to consoles in VM Ware, Hyper-V environment.

0 Votes 0 ·

Hi Viktor,

It sounds like the application compatibility among different applications or software.

In my VM test, I tried to remote to the windows 10 VM(without RDSH) and used Domain admin account to install the application of Chrome.

The installed Chrome could be detected either I switch to remote via another domain account or console login with domain admin.

As you mentioned, some software could be remotely installed well while other not, in order to figure out the different registry key value path, maybe you could start with process monitor to capture the traces of installation and compare accordingly.

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon


Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny

0 Votes 0 ·