ITS General Computing

U-M Shared Desktop

Technical FAQ

What is the U-M Shared Desktop?

The U-M Shared Desktop is a project to standardize the deployment of desktop images on campus. We hope to increase collaboration among units and save time for IT Staff by standardizing settings, applications, interfaces, tools and upgrade strategies.

Which models do we support?

We include drivers for the following hardware:

Which applications are included in the desktop image?

  • 7-Zip
  • Adobe Acrobat Reader
  • Adobe Flash Player
  • Citrix ICA Client
  • Microsoft Forefront Endpoint Protection
  • Microsoft Office Professional Plus 2010 (32 bit)
  • Microsoft Powershell
  • Microsoft Silverlight
  • Password Safe
  • PuTTY
  • SSH.COM Secure Shell
  • Sun JRE/Java
  • Rapid Player
  • .NET Frameworks 3.5 sp1
  • VMWare Tools*
  • VMWare View Agent*
  • VMWare View Client*
  • *optional

    What are the security and power settings used by the desktop image?

    There are two UM Shared Desktop power schemes in our Windows 7 images.

    1. UM Climate Savers Recommended Settings
      • On battery, the display turns off after 5 minutes.
      • When plugged in, the display turns off after 15 minutes.
      • On battery, the computer goes to sleep after 30 minutes.
      • When plugged in, the computer goes to sleep after 15 minutes.

      Standard (limited) Users can change only the time the computer will go to sleep when running on battery.

      Be aware: The Shared Desktop does not by default support the ability to connect remotely when the computer is in sleep mode. Users will have to "Change when the computer sleeps" to connect to their PC from home.

    2. "Always on" Workstations
      • On battery and when plugged in, the display turns off after 5 minutes.
      • The computer never goes to sleep.

    In addition to these power settings, we provide the following group policies:
    NOTE: These group policy settings reflect our initial Vista. Windows 7 settings were based on these.

    Download the desktop image's security and power settings document.

    Download an Excel spreadsheet summary of desktop image's security and power settings.

    Does the image include renamed administrator accounts?

    No, although we do recommend that you rename admininstrator accounts. From the settings document (page 28):

    Accounts: Rename administrator account

    The built-in local administrator account is a well-known account name that attackers will target. Microsoft recommends that you choose another name for this account, and that you avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console). The Accounts: Rename administrator account setting is Recommended for the UM Shared Image.

    Note: This policy setting is not configured in the Security Templates, nor does this guide suggest a user name for the account. Suggested user names are omitted to ensure that organizations that implement this guidance will not use the same new user name in their environments.

    Which settings has the Shared Desktop team identified as likely to be changed by the participating departments?

    Security Settings

    The Tech team has identified several security settings that departments should pay special attention to. You and your unit/department may want to change these.

    Firewall Settings

    If your workstations have multiple network connections (multiple network cards, connections created by afs or VMware), you may want to change your firewall exceptions to include "Private" or "Any" network properties. These are set to "Domain" by default, which may cause your machine to be unable to work with afs.

    Application Settings

    1. Powershell
    2. The Powershell Execution Policy is currently set to "Restricted." Units may want to change this. For more information, see Changing the Windows PowerShell Script Execution Policy on Microsoft's Website.

    3. Outlook
    4. Outlook has three settings that units may want to change:

    5. Meeting Space
    6. By default, Meeting Space is disabled in the image.

      To enable Meeting Space, see Getting started with Windows Meeting Space.

    How can I view disabled applications?

    If you're customizing the image and wish to view the disabled individual applications instead of the application bundles in Litetouch, you'll have to enable them in MDT.

    To enable individual applications in MDT:

    1. Click Applications in the left sidebar.

    2. Right click the name of the application you wish to enable.

    3. Select Properties. At the bottom of the dialog box, you'll see two checkboxes.

    4. Check the box to Enable the Application.

    In the Deployment Wizard, uncheck Hide the Application.

    How do I enable Kerberos pass-thru authentication in the image?

    For Windows Vista, apply the UMROOT Vista pass-thru GPO. For more details, see the LAN/NOS Kerberos pass-thru instructions.

    For Windows 7, apply the UMROOT Windows 7 pass-thru. for more details, see the LAN/NOS Kerberos pass-thru instructions.

    How do I replicate the image from the distribution servers to my servers?

    In order for pilot units to replicate the U-M Shared Desktop from the Shared Desktop distribution servers to a server that your unit controls, you need to provide the Shared Desktop Administrator:

    Send an e-mail message with this information to

    For more information about replication with MDT2010, see the Windows Article on Deployment.