SCCM and App-V integration on RDS: The File Type Association issue
When using SCCM 2007 to deploy App-V sequences to RDS servers, one of the major disadvantages is targeting: user-based targeting is not supported on RDS servers. This means every advertised App-V sequence will be accessible for every user. Offcourse shortcuts can be presented to users based on group membership, but File Type Associations are registered at machine level and apply to all users.
Let’s take Microsoft Visio as an example: A Sequence for Microsoft Visio is advertised via SCCM to a RDS server. Visio will be streamed to the RDS server, the .vsd extension is registered on the machine, and the application shortcut is presented to all members of the Visio application group.
When a user not member of the Visio group logs on to the RDS server, he doesn’t see the shortcut in his start menu but the file type association still exists. When this user clicks a file with the .vsd extension Visio will still launch and try to open this file.
There are a few ways to block access to Visio for this user, e.g. using AppLocker, but the File Type Associaton will still exist.
In Windows, File Type Associations are stored in the HKEY_CLASSES_ROOT registry root, which is a merged view for HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes. If we want to block the File Type Assocation for all users except users from the Visio application group we can just apply permissions on the HKEY_LOCAL_MACHINE\Software\Classes\.vsd regsitry key so that only administrators and members of the Visio Application group can read the contents of this key. This means contents of this key will not be merged in HKEY_CLASSES_ROOT\.vsd if a user is not member of the Visio application group, and File Type Associations will not exist for these users.
These permissions can be set through Group Policies, which can also be used to block access to Visio for unauthorized users via AppLocker.
