VRLCM & vRA prerequisites in a locked down environment

A very brief one: for a current project I'm working on LCM in a heavily locked down environment. So locked down, in fact, that even RDP to the servers is impossible, which makes making changes slightly impractical, as everything has to go through the console.

The first issue we ran into with the prerequisites was setting UAC. Disabling UAC in the template was not enough: UAC levels were being centrally enforced through a GPO, so as soon as the machine booted our setting disappeared because the registry key was overwritten.

Another problem was adding the service accounts to local policies manually. As I mentioned, even RDP is not allowed, so going through each machine's console becomes very tedious, especially when we want to deploy another vRA instance in the future.

The last issue was the actual sources. The way this customer installs roles and features is by attaching the ISO to the VM, installing the roles and features, and templating the VM. That obviously works for specific applications, but it's a pain to manage, and honestly I'd rather have LCM manage that instead of having separate templates.

In any case, all of the above prerequisites can fortunately be managed through Group Policy. We decided to use a vRA-specific OU containing all our machines, and by using the following GPO settings applied to that OU we can preconfigure all the manual prerequisites, without any manual reconfiguration required or any logging in to slow and frustrating VM consoles.

  - Computer Configuration
    - Windows settings
      - Security Settings
        - Local Policies
          - Security Options
            - User Account Control: Run all administrators in Admin Approval Mode - Set to disabled
          - User Rights Assignment
            - Allow log on locally
              - Add your service account here
            - Log on as a batch job
              - Add your service account here
            - Log on as a service
              - Add your service account here
    - Administrative templates
      - System
        - Specify settings for optional component installation and component repair
          - Set to enabled
          - Set Alternate source path to either the local ISO path (D:\sources\sxs) or a UNC path

Don’t forget to extract your ISO to your UNC path if you decide to store your side-by-side folder centrally, otherwise just mount your ISOs to the machines before going through the prerequisites and you should be good to go.

Also note that this does not actually log in to your VM and create the profile, so you'll still have to do that yourself, though I guess you could also automate that.
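
To confirm from the console that the GPO above actually reached a machine before starting the LCM prerequisite checks, a script along these lines can be run once per VM. This is an added example, not part of the original post or of any VMware tooling; the account name `EXAMPLE\svc-vra` and the temp file name are placeholders, and the registry values checked are the ones these two policies write.

```powershell
# Added example: check the three GPO-delivered prerequisites on one machine.
# Run elevated from the VM console. The default account name is a placeholder.
param([string]$ServiceAccount = 'EXAMPLE\svc-vra')

$ErrorActionPreference = 'Stop'   # halt if the account cannot be resolved
$results = [ordered]@{}

# 1. "Run all administrators in Admin Approval Mode" writes EnableLUA (0 = disabled).
$uac = Get-ItemProperty -Name EnableLUA -ErrorAction SilentlyContinue `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$results['UAC Admin Approval Mode disabled'] = ($null -ne $uac -and $uac.EnableLUA -eq 0)

# 2. User rights: export the effective local policy and look for the account's SID.
#    Only direct assignment is detected; rights granted through a group are not resolved.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'vra-user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

$rights = [ordered]@{
    'Allow log on locally'  = 'SeInteractiveLogonRight'
    'Log on as a batch job' = 'SeBatchLogonRight'
    'Log on as a service'   = 'SeServiceLogonRight'
}
foreach ($right in $rights.GetEnumerator()) {
    # Lines look like: SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...
    $line = $policy | Where-Object { $_ -match "^$($right.Value)\s*=" } | Select-Object -First 1
    $members = @()
    if ($line) {
        $members = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
    $results[$right.Key] = ($members -contains $sid)
}

# 3. Optional component source: the policy writes LocalSourcePath.
#    Test-Path runs as the logged-on user, so a UNC path that passes here may still
#    need read access for the computer account. A single path is assumed.
$svc = Get-ItemProperty -ErrorAction SilentlyContinue `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing'
$src = if ($svc) { $svc.LocalSourcePath } else { $null }
$results['Alternate source path set and reachable'] = ([bool]$src -and (Test-Path -LiteralPath $src))

$results.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

If a row shows MISSING right after the machine was moved into the OU, run `gpupdate /force` and check again before assuming the policy is wrong.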