12

I have some Windows 7 virtual machines in Xen that have devices showing up in "Safely Remove Hardware".

I don't want users to ever be able to remove/eject any hardware at all. I'm told VMware has a hotplug option. Xen doesn't seem to provide this for PCI passthrough devices; therefore I'm looking for a reliable solution to prevent users from ejecting devices.

This issue is not necessarily related just to virtual machines but seems to be a common problem with devices that get wrongly reported as removable. I'm ideally looking for a way to prevent all devices from appearing or just prevent the safely remove hardware option from ever coming up.

I've tried setting device capabilities for specific devices on boot with a script but this for some reason doesn't always seem to work reliably.

Is there a way to prevent this icon from appearing in the notification area completely, either by registry key or group policy?


I should point out that setting this in group policy to "Administrators" did not seem to work.

[Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Devices: Allowed to format and eject removable media]

hookenz
  • I think it's funny that you get upvotes. Those who encountered the problem might know what you are talking about. But I don't. You should at least say which "virtual desktop" you are using. There are several and they might behave differently. – Tom Feb 28 '12 at 07:56
  • @Tom - thanks, I've expanded the question with more detail. It's a common issue not just with Virtual Machines. – hookenz Feb 28 '12 at 18:57
  • @Tom, I upvoted the question because it's well written and interesting. Its meaning should be completely obvious to any Windows admin. In regard to your point about there being various ways to offer virtual desktops, that's irrelevant. The policy needs to apply to the virtual machine, not the host. – John Gardeniers Feb 28 '12 at 20:34
  • @JohnGardeniers True, but why then mention virtual desktops if it is a general client question? I guessed Matt had a problem with XenDesktop showing devices like "Citrix PV Ethernet Adapter" and such. Using VMware View you don't have any devices to eject. That's why I wanted Matt to improve his question. As you can see I had a more specific question in mind. Thanks for the elaboration and Matt thanks for the edit. – Tom Feb 29 '12 at 07:35

3 Answers

2

I think IconRemover does what you wish, by providing a GUI to the same registry changes.

Orangutech
  • Interesting, I wonder what registry keys it's setting. Hopefully it's not adware. – hookenz Feb 28 '12 at 21:51
  • This does work, but a downside to this is that it creates a task in the process list and installs the program entries to "all users". All users can still enable or disable this. So unfortunately, it fails my test. It may be a useful tool for some though. – hookenz Feb 29 '12 at 18:32
1

To answer my question,

One way which seems possible is to write a VBScript which enumerates registry entries and updates the device capabilities for every device that we want to not appear. This has to be called on startup.

An extension to what is done here. http://forums.citrix.com/thread.jspa?threadID=295752

hookenz
1

To pick up this dead question, setting the key

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\Services

to 1d (hex) / 29 (dec) will do it, but you will need to rerun "systray" afterwards. This won't remove "Eject" from the context menu of drives in Explorer.

sahmeepee
  • That actually does appear to work. But needs to be set after every reboot as it resets back to its initial value of 31. – hookenz Oct 18 '13 at 00:09
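
The registry change from the last answer, written as a per-user logon script so it is reapplied after the reset described in the comment. This is an added example, not code from any poster in the thread; it assumes `Services` is a DWORD value under the `SysTray` key and that the icon corresponds to bit 0x02, which is inferred from the 31 to 29 change reported above.

```powershell
# Added example (not from the thread): hide the "Safely Remove Hardware" tray icon
# for the current user by clearing one bit in the SysTray "Services" value.
# Assumption: "Services" is a REG_DWORD value under the SysTray key.
$keyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray'
$valueName = 'Services'

# Assumption: bit 0x02 controls the icon, inferred from 31 (0x1f) -> 29 (0x1d).
$ejectBit  = 0x02

# Create the key if this profile does not have it yet.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Read the current value; fall back to 31, the initial value reported in the comment.
$prop    = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
$current = if ($prop) { [int]$prop.$valueName } else { 31 }

# Clear only the one bit so any other tray services keep their current state.
$desired = $current -band (-bnot $ejectBit)

if ($desired -ne $current) {
    # New-ItemProperty -Force overwrites an existing value and sets the DWORD type.
    New-ItemProperty -Path $keyPath -Name $valueName -Value $desired `
        -PropertyType DWord -Force | Out-Null

    # The answer notes that systray must be rerun for the change to take effect.
    Start-Process -FilePath (Join-Path $env:SystemRoot 'System32\systray.exe')
    Write-Output ("SysTray Services changed from {0} to {1}" -f $current, $desired)
} else {
    Write-Output ("SysTray Services already {0}; nothing to do" -f $current)
}
```

Because the value lives under HKCU, the logged-on user can write it back, and as the answer says, "Eject" stays in the Explorer drive context menu.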