Enabling Multiple Windows Desktop Workstations in Computer Policies

Multiple Windows Desktop environments employ multiple instances of the Imprivata single-user agent with a Windows-based fast user switching feature to give multiple users access to their personal desktops. Multiple Windows Desktop workstations permit the user’s Windows desktop session to remain open but secured. Multiple Windows Desktop workstations are good when multiple users authenticate to the same shared workstation.

Note: Depending on your environment, there may be significant limitations on using Multiple Windows Desktop. Review Limitations of Multiple Windows Desktops for detailed information that will help you decide if this feature meets your needs.

To enable Multiple Windows Desktops: In the Imprivata Admin Console, go to the Computers menu > Computer policies option and select a computer policy. Select the Shared Workstation tab and go to the Multiple Windows Desktops Workstations section at the bottom of the page.

  • Because each user has their own private Windows desktop, drive mappings, shortcuts, browser favorites, and so forth are specific to each user. Applications that use Integrated Windows Authentication or Kerberos can also be used.
  • Users can lock their desktops when they leave and resume exactly where they left off when they return, even if other users have logged on to the workstation in between.
  • Users go through a full Windows logon one time, but from then on can switch to their private desktop very quickly throughout their shift.

  • All applications used with this feature must be able to run in a Terminal Services multi-session environment. This is because Multiple Windows Desktop uses the Fast User Switching feature built into Microsoft Windows, using Terminal Services running locally. Work with your application vendors to verify that their applications will run as separate instances in the Terminal Services sessions. This is critical to avoid one user’s application credentials from inadvertently being used in a different user’s Windows session.

  • Novell and other login clients are not supported.

  • The performance and maximum number of concurrent Windows sessions is limited by the CPU and memory of the workstation, as well as by the number and types of applications running.

  • Imprivata or its partners cannot predict or be responsible for individual variations in performance when using this feature, due to factors outside Imprivata's control.

  • Multiple Windows desktops are not appropriate for environments where the users roam among many different workstations.
  • Running multiple Windows desktops requires more CPU, memory, and disk space resources than kiosk mode does.

NOTE: Each computer that supports Multiple Windows Desktops must allow users to connect remotely. You can set this on each computer through the Control Panel > System Properties > Remote tab or for all affected computers through Microsoft Active Directory group policy.

For more information about a user, move the mouse pointer over the user icon.

  • A window shows the user, username and domain, and amount of time remaining in the session’s inactivity log-off clock. The inactivity log-off clock is reset each time the user is active within the session.
  • The clock image accompanies the user icon when the user is within 10 minutes of being logged out. Sessions closest to timeout appear on the far left.
  • After the Maximum Number of Concurrent Desktops limit is reached, the arrow icon indicates the user who will be logged out when the next different user authenticates to this workstation. The oldest session is logged out to make way for the new session.
  • As time goes on, the oldest user session is logged off and each inactive user session moves to the left as new sessions are opened, up to the Maximum Number of Concurrent Desktops.
  • Sessions that do not have an inactivity logoff setting are displayed on the far right. The session information window has no timeout value. The next user to log in will inherit the session with the no inactivity logoff property.

To configure multiple desktop workstations:

  1. In the Imprivata Admin Console, go to the Computers menu > Computer policies option and select a computer policy.
  2. Select the Shared Workstation tab and go to Multiple Windows Desktops Workstations.
  3. Select Enable Multiple Windows Desktops.
  4. Configure the feature as needed.
    • Maximum Number of Concurrent Windows Desktops — When setting this value consider the number of users who could need to be logged in during a shift changeover.
    • Number of Desktops during Normal Load — This value determines normal load; any time there are more users logged into this computer, the heavy load timeout value applies.
    • Period of Desktop Inactivity before Windows Log off
      • At or Below Normal Load - Under normal working conditions, an authenticated user session remains live for the number of minutes you set here. When the user’s session is within 10 minutes of timing out, the clock image is displayed to warn the user.
      • Above Normal Load - When the number of active desktops exceeds the Normal Load value, the lower Above Normal Load inactivity setting takes effect for the oldest user sessions. New users are assigned the Normal Load setting, and older user sessions are reset to the Above Normal Load setting.
    • Number of Desktops with no Inactivity Log-off — You can allow a certain number of sessions to be exempt to the timeout settings. This value can be as high as the Number of Desktops during Normal Load. This value depends largely on the power of the computer and the demands of the individual user desktop sessions.

    • NOTE: It is important to note that this setting applies to Windows sessions only, and has no relation to individual users. The most recent user sessions always inherit the No Inactivity Log-Off sessions. No individual user can be assigned a No Inactivity Log-Off session.

  6. Click Save. The computers in this computer policy must be restarted for this policy to take effect.

Example

A computer is normally used by four members during a shift. When the shift changes, up to eight users may be logged in simultaneously. The most recent four users enjoy the two-hour Normal Load inactivity setting, while the older sessions are assigned the Above Normal Load setting, which is lower. They will be logged out in 20 minutes.