Deploying the Desktop agent

The UserLock Desktop agent is designed to audit, control and protect workstations, servers and terminal servers.

Published May 1, 2024

Overview

The Desktop agent audits all interactive session activity on these machines and protects them by applying a user access control policy defined through access policy rules.

The agent must be installed on each machine. It communicates with the UserLock servers to control every request to open an interactive session.

Install from the console

The easiest way to install the UserLock IIS agent is to use the UserLock console.
You will find more information here.

Install the agent manually

You can also deploy it manually through the following procedure:

  1. Copy the agent file

    The Desktop Agent runs as a Windows service under the Local System account.

    Copy UlAgentExe.exe from the UserLock installation folder on the Primary Server
    (default: %ProgramFiles(x86)%\ISDecisions\UserLock)
    to the target system folder:

    • 64-bit OS: %windir%\SysWOW64\

    • 32-bit OS: %windir%\System32\

  2. Copy the credential provider files (only from Windows 10 version 1809 and Server 2019) from the UserLock installation folder of the Primary server to the System32 folder of the target machine %windir%\System32\:

    • 64-bit OS:

      • Copy UlCredProv_x64.dll → rename to UlCredProv.dll

      • Copy UlCredProvFilter_x64.dll → rename to UlCredProvFilter.dll

    • 32-bit OS:

      • Copy UlCredProv.dll

      • Copy UlCredProvFilter.dll

  3. Add UserLock server names in the registry

    • Browse to the following key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    • Create the following values:

      | Name | Type | Value |
      | --- | --- | --- |
      | UserLockServer | REG_SZ | The name of the UserLock Primary server. |
      | UserLockServerBackup | REG_SZ | The name of the UserLock Backup server. |

    • For offsite computers, you might want to configure the following registry values as well:

      | Name | Type | Value |
      | --- | --- | --- |
      | UserLockInternetUrl | REG_SZ | If UserLock Anywhere is enabled, create this registry value and set in its content the URL of UserLock Anywhere. |
      | SessionsWithout NetworkLogoffAgent Internet | REG_DWORD | If UserLock Anywhere is enabled, the number of minutes the Desktop agent will wait between each request for the list of sessions to interact with. |
      | UserLockCfg | REG_DWORD | See details in the Windows Installer package section. |

    Example via PowerShell:

    powershell
    $RegKeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $RegKeyPath -Name 'UserLockServer' -Value 'ULSRVPRI'
    Set-ItemProperty -Path $RegKeyPath -Name 'UserLockServerBackup' -Value 'ULSRVBAC'
    Set-ItemProperty -Path $RegKeyPath -Name 'UserLockInternetUrl' -Value 'https://VES1.VDE.INTRA/ulproxy'
    Set-ItemProperty -Path $RegKeyPath -Name 'UserLockCfg' -Value 768

    Note

    If these values are missing, the agent cannot contact the servers and may fail at startup.

  4. Register the Windows service

    Run the following command as Administrator to register the agent service:

    ULAgentExe.exe /SERVICE S

  5. Start the UserLock agent service:

    net start UlAgentService

No restart is required.
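
A read-only check of the manual installation above, as an added example (not UserLock's own tooling). It uses only the file names, registry values and service name from this procedure, and additionally reports each file's Authenticode status, since the agent runs as Local System; the function name is hypothetical.

```powershell
# Added example: verifies the artefacts of the manual procedure without changing anything.
function Test-UserLockAgentInstall {
    # Run from a 64-bit PowerShell on 64-bit Windows: a 32-bit process sees
    # System32 redirected to SysWOW64 and would check the wrong folder.
    $sys32    = Join-Path $env:windir 'System32'
    $agentDir = if ([Environment]::Is64BitOperatingSystem) { Join-Path $env:windir 'SysWOW64' } else { $sys32 }
    $files = @(
        (Join-Path $agentDir 'UlAgentExe.exe')
        (Join-Path $sys32 'UlCredProv.dll')        # expected only from Windows 10 1809 / Server 2019
        (Join-Path $sys32 'UlCredProvFilter.dll')  # same condition as above
    )
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $reg = Get-ItemProperty -Path $winlogon

    @(
        # Step 1 and 2: files present, with their signature status reported as found.
        foreach ($f in $files) {
            $sig = if (Test-Path -LiteralPath $f) { Get-AuthenticodeSignature -FilePath $f } else { $null }
            [pscustomobject]@{
                Check  = "File $f"
                Ok     = [bool]$sig -and $sig.Status -eq 'Valid'
                Detail = if ($sig) { "signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject)" } else { 'missing' }
            }
        }
        # Step 3: server names the agent needs in order to contact the UserLock servers.
        foreach ($name in 'UserLockServer', 'UserLockServerBackup') {
            $v = $reg.$name
            [pscustomobject]@{
                Check  = "Registry $name"
                Ok     = -not [string]::IsNullOrWhiteSpace($v)
                Detail = if ($v) { "$v" } else { 'value missing or empty' }
            }
        }
        # Step 4 and 5: service registered, running, and under the Local System account.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='UlAgentService'"
        [pscustomobject]@{
            Check  = 'Service UlAgentService'
            Ok     = [bool]$svc -and $svc.State -eq 'Running' -and $svc.StartName -eq 'LocalSystem'
            Detail = if ($svc) { "$($svc.State) as $($svc.StartName): $($svc.PathName)" } else { 'not registered' }
        }
    )
}

Test-UserLockAgentInstall | Format-Table -AutoSize -Wrap
```

When communication settings are deployed through the Group Policy template instead, they are written under the Policies key described in the Group policy deployment section, so the two Winlogon rows may legitimately be empty.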

For Windows server core

UserLock 13 fully supports installation on Windows Server Core.
You can deploy the server and complete its configuration without using any graphical interface, ensuring a lightweight and automated setup for secure environments.

| Server Core edition | Description |
| --- | --- |
| Windows Server Core 2019 or later with App Compatibility Feature on Demand | The standard UserLock Desktop Agent is used. Users can enroll in MFA directly. 📘 See Microsoft documentation: Install the Application Compatibility Feature on Demand on Server Core |
| Other Server Core editions | UserLock deploys the special Server Core agent. MFA enrollment is not available, but users can still validate MFA codes. |

Uninstall the agent

You can uninstall the Desktop agent from the console, but also manually.

  1. Stop the service and unregister it (run as Administrator):

    powershell
    NET STOP UlAgentService
    C:\Windows\SysWOW64\ULAgentExe.exe /SERVICE U
    C:\Windows\SysWOW64\ULAgentExe.exe /UNREGISTER

    (Replace “SysWOW64” with “System32” on 32-bit systems.)

  2. Once done, the agent will be completely uninstalled.

To completely clean agent data

  1. Run RegEdit

  2. Browse to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  3. Delete:

    • All registry values beginning with UserLock.

    • The UserLock subkey (i.e. the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserLock registry key).

Windows Installer package

The UserLock Desktop agent can be deployed through a third-party deployment solution or using Microsoft Group Policies. We provide MSI packages of the Desktop agent for this purpose:

| Target OS | MSI file | Default location |
| --- | --- | --- |
| 64-bit | UlAgent_x64.msi | %ProgramFiles(x86)%\ISDecisions\UserLock\ |
| 32-bit | UlAgent_x86.msi | %ProgramFiles(x86)%\ISDecisions\UserLock\ |

Run all MSI commands as Administrator.

By default, communication settings are not configured. Specify them as MSI properties on the command line, unless you deploy the communication settings with the UserLock Administration template through Microsoft Group Policies.

  1. Silent installation

    msiexec /i ULAgent_x64.msi /qn USERLOCKSERVER=YourUserLockServerName USERLOCKSERVERBACKUP=YourUserLockBackupServerName

  2. Silent upgrade (if previously installed via MSI)

    msiexec /i ULAgent_x64.msi /qn USERLOCKSERVER=YourUserLockServerName USERLOCKSERVERBACKUP=YourUserLockBackupServerName REINSTALL=ALL REINSTALLMODE=vomus

  3. Installation with advanced options

    Include the USERLOCKCFG parameter to apply additional settings:

    msiexec /i ULAgent_x64.msi /qn USERLOCKSERVER=YourUserLockServerName USERLOCKSERVERBACKUP=YourUserLockBackupServerName USERLOCKCFG=YourNeededCfgNumber

| Hex | Decimal | Description |
| --- | --- | --- |
| 0x002 | 2 | Displays errors to end users. |
| 0x010 | 16 | Prevents the Desktop Agent from sending logons denied by Active Directory. |
| 0x020 | 32 | Send a "lock session" event when the screensaver starts. |
| 0x040 | 64 | Prevent the removal of ghost (inactive) sessions on the local computer. |
| 0x180 | 384 | Logons without network connection. Both bits disabled: Always allow connections. 0x080 disabled and 0x100 enabled: Ask for MFA. Both bits enabled: Force MFA. 0x080 enabled and 0x100 disabled: Always deny connections. |
| 0x200 | 512 | Apply all restrictions (including MFA) when unlocking or reconnecting to a session. |
| 0x0800 | 2048 | If enabled, UserLock Anywhere is the only technology used by the Desktop Agent to communicate with UserLock servers. |
| 0x1000 | 4096 | If enabled, UserLock Credential Provider is enabled. |

Example:

To enable MFA on unlock/reconnect, require MFA for offline logons, and use the credential provider:
USERLOCKCFG=4864 (which equals 0x1300).

The PowerShell script, available here, helps you determine which settings a given "UserLockCfg" value corresponds to.
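
An added example, separate from the vendor script mentioned above, that decodes a UserLockCfg value using only the flag table on this page. The function name is hypothetical, and any bit the table does not list is reported as undocumented rather than interpreted.

```powershell
# Added example: decode UserLockCfg / USERLOCKCFG with the flags documented on this page.
function ConvertFrom-UserLockCfg {
    param([Parameter(Mandatory)][int]$Value)

    # Independent single-bit flags from the table.
    $singleBits = @(
        @{ Bit = 0x0002; Text = 'Displays errors to end users' }
        @{ Bit = 0x0010; Text = 'Does not send logons denied by Active Directory' }
        @{ Bit = 0x0020; Text = 'Sends a "lock session" event when the screensaver starts' }
        @{ Bit = 0x0040; Text = 'Does not remove ghost (inactive) sessions on the local computer' }
        @{ Bit = 0x0200; Text = 'Applies all restrictions (including MFA) on unlock or reconnect' }
        @{ Bit = 0x0800; Text = 'Uses only UserLock Anywhere to reach UserLock servers' }
        @{ Bit = 0x1000; Text = 'UserLock Credential Provider enabled' }
    )

    # 0x080 and 0x100 are not independent: together they form one two-bit field
    # (mask 0x180) that selects the behaviour for logons without network connection.
    $offline = switch ($Value -band 0x180) {
        0x000 { 'Always allow connections' }
        0x100 { 'Ask for MFA' }
        0x180 { 'Force MFA' }
        0x080 { 'Always deny connections' }
    }

    # Everything outside the documented bits is surfaced, not guessed at.
    $known = 0x180
    foreach ($f in $singleBits) { $known = $known -bor $f.Bit }

    [pscustomobject]@{
        Value            = $Value
        Hex              = '0x{0:X4}' -f $Value
        OfflineLogons    = $offline
        EnabledFlags     = @($singleBits | Where-Object { $Value -band $_.Bit } | ForEach-Object { $_.Text })
        UndocumentedBits = '0x{0:X4}' -f ($Value -band (-bnot $known))
    }
}

# Values that appear on this page: 4864 (MSI example) and 768 (registry example).
4864, 768 | ForEach-Object { ConvertFrom-UserLockCfg $_ } | Format-List
```

Reading the deployed value back from the Winlogon key and passing it through the function is a quick way to confirm that a machine's offline-logon behaviour is the one intended, in particular that the field is not left at "Always allow connections" by omission.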

To uninstall the MSI package silently (on a 64-bit operating system):

powershell
msiexec /x ULAgent_x64.msi /qn 

Group policy deployment

You can deploy the Desktop Agent using Microsoft Group Policies (GPO).
MSI packages are provided for this purpose in the UserLock installation folder.

In addition, you can deploy agent settings and communication parameters through GPOs using the Group Policy Administrative Template provided with UserLock.
This template is compatible with all installation methods (console, MSI, manual, etc.).

  1. Locate the template file in the UserLock installation folder: UserLock.adm (default path: C:\Program Files (x86)\ISDecisions\UserLock\).

  2. Add this template to the Group Policy you want to use to configure Desktop Agent settings.

  3. Once imported, open Administrative Templates and display UserLock agent configuration.

    • In Windows Server 2008 and later, use Classic Administrative Templates.

    • You’ll find the same settings available in the UserLock console, plus communication parameters (Primary and Backup server names).

  4. Double-click a setting to edit its properties.

On affected computers, all configured values are deployed to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ISDecisions\UserLock\Agent

Install in an environment using VDI

To install the Desktop agent in an environment using VDI, please follow this guide.