Use the Same Image for Type 1 and Type 2 Imprivata Desktop Pools

Imprivata is heavily used across many healthcare industries today due to their tap-and-go and EPCS functionalities. If you have used Imprivata before, you are likely aware of the difference between “Type 1” (Single User) and “Type 2” (Shared Kiosk) agents and workflows. When it comes to VDI, Type 1 is sometimes also paired with a thin client running ProveID Embedded or ProveID Web. As clinicians authenticate or tap their badge, they are logged in / reconnected to their Type 1 desktop.

In a VDI scenario, such as Citrix or Horizon, I often see customers that have separate images for Type 1 and Type 2, since this choice is presented during the install of the Imprivata agent:

Type 1, Type 2, and Type 3 choices

The only real difference in this choice is a registry key that is located in (for 64-bit) HKLM > Software > WOW6432node > SSOProvider > ISXAgent > Type. Upon install, you’ll see the Type (REG_DWORD) value is set to 1, 2, or 3, depending on the choice above. Obviously, multiple images means additional maintenance and more inconsistencies. So, let’s just script around this and use a single image! Let’s assume Type 1 (Single User) is in our image, so here’s an example script to flip this if we deploy the same image to a Type 2 pool:

@echo off
SET log=C:\scripts\Type2Switch.log
echo %date% %time% Running script... setting regkey... >> %log%
REG ADD HKLM\SOFTWARE\WOW6432Node\SSOProvider\ISXAgent /v Type /t REG_DWORD /d 2 /f 1>> %log% 2>>&1
echo %date% %time% Stopping SSOManHost... >> %log%
net stop SSOManHost 1>> %log% 2>>&1
echo %date% %time% Starting SSOManHost... >> %log%
net start SSOManHost 1>> %log% 2>>&1

Copy this to a file called C:\scripts\Type2Switch.bat and save it in the image. We’re going to flip the Type value to 2, stop, and start the SSOManHost service (Imprivata’s main service). We also log relevant information to Type2Switch.log in the same location to ensure the script is running appropriately.

This should be ran as a startup script as SYSTEM, since it requires elevation between the service restart and HKLM registry edits. There are multiple ways to do this: DEM (Computer Environment), GPO, Horizon Post-Sync scripts, etc. For simplicity, let’s use a Horizon Post-Sync script in an Instant Clone pool. First, I’ll create my Type 2 pool using the image with the script located in C:\scripts, and I’ll fill in the script path in the correct location:

Once deployed, let’s try to login with a generic AD account that’s entitled to the pool…

As expected, I am presented with the Imprivata login screen. This is actually the behavior for a Type 2 scenario, as the Windows login happens first with a generic account, and then Imprivata secures the desktop, ensuring authentication into the shared kiosk, while providing instant access to the desktop.

We can also check the Imprivata admin console to ensure it is registering as a shared kiosk:

Nice! In summary, this allows for Imprivata customers using Citrix and Horizon to use a single image for both Type 1 and Type 2 pools, allowing for easier management and consistency. Have any questions or comments, or want to see any other Imprivata/VDI-related posts? Feel free to send me an email! Enjoy!