We wanted UltraVNC server (client) with encryption. Although UltraVNC currently supports unattended installs, it needs to download the mirror driver from the Internet during the process. I found it easier to install it myself.

This guide will explain deploying it via Group Policy. While I have used a GPO for some settings (like the registry modifications), they could easily be put into the main script to use with a KACE appliance for example.

First let’s look at the main script. Here is the script with my comments.

REM Script to install UltraVNC with custom settings. Author: Duncan White (duncan.white@live.com.au)

REM Detect if UVNC is installed. Skip script if it is.

if not exist "%ProgramFiles(x86)%\UltraVNC\winvnc.exe" (

       goto UVNCInstall

)

exit

:UVNCInstall

REM COPY ULTRAVNC (/E INCLUDES SUBDIRECTORIES SUCH AS driver\, WHICH THE STEPS BELOW NEED)

robocopy \\server\softwareshare\ultravnc\runtime "%ProgramFiles(x86)%\UltraVNC" /E

  • Note I am copying it to the 32-bit ‘Program Files’ directory on a 64-bit PC.
  • Mine is shared in our domain’s ‘SYSVOL’ group policy share so it is replicated to all our domain controllers.

REM INSTALL MIRROR DRIVER (32-bit)

"%ProgramFiles(x86)%\UltraVNC\driver\setupdrv.exe" installs

  • This installs the mirror driver. Use this for better performance.

REM INSTALL MIRROR DRIVER (64-bit) (WON'T WORK UNTIL THEIR DRIVER CERTIFICATE IS VALID)

\\server\softwareshare\ultravncserver\devcon.exe install "%ProgramFiles(x86)%\UltraVNC\driver\x64\driver\mv2.inf" mv_hook_display_driver2

  • As noted: not working at present (on 64-bit PCs only).
  • Google Devcon.exe and download it.

REM IMPORT REGISTRY SETTINGS SO MSLOGONACL IMPORT WORKS

regedit /s \\server\softwareshare\ultravncserver\orl.reg

  • This is annoying. The ACL command will not work until there are specific UltraVNC registry keys. See orl.reg below.

REM INSTALL AUTHENTICATION ACLS

"%ProgramFiles(x86)%\UltraVNC\MSLogonACL.exe" /i /o \\server\softwareshare\ultravncserver\acl.inf

REM INSTALL AS SERVICE

"%ProgramFiles(x86)%\UltraVNC\winvnc.exe" -install

REM START VNC SERVICE TO READ NEW SETTINGS

net start uvnc_service

 

My Group Policy Object then contains additional settings.

  1. I lock users out of C:\Program Files (x86)\UltraVNC via NTFS security.
  2. Unblock the port used via Windows firewall.
  3. Give Services permission for ‘Secure Attention Sequence’. This is needed for pre-logon remote access. The setting can be found in 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Logon Options\Disable or enable software Secure Attention Sequence'. Set it to ‘Services and Ease of Access applications’.
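
For deployments without a GPO (a KACE appliance, for example), the three settings above can be applied from a script. This is an added example, not part of the original script: the port 5900 (UltraVNC's default), the firewall rule name and the 192.0.2.0/24 admin subnet are assumptions to replace with your own values, and "lock users out" is interpreted as leaving only SYSTEM and Administrators on the folder.

```batch
@echo off
REM Added example, not part of the original script. Run elevated.
REM Applies the three GPO settings locally: NTFS lock-down, firewall, SAS.
setlocal

set "UVNC_DIR=%ProgramFiles(x86)%\UltraVNC"
REM Assumption: UltraVNC's default listening port. Change if yours differs.
set "UVNC_PORT=5900"
REM Assumption: placeholder subnet allowed to connect. Replace with your own.
set "ADMIN_NET=192.0.2.0/24"
REM Assumption: rule name chosen for this example.
set "RULE_NAME=UltraVNC Server"

if not exist "%UVNC_DIR%\winvnc.exe" goto NotInstalled

REM 1. NTFS: drop inherited ACEs on the folder, then grant Full Control only
REM    to SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544). Well-known
REM    SIDs are used so the command also works on non-English Windows.
REM    Files below the folder inherit the new ACL.
icacls "%UVNC_DIR%" /inheritance:r /grant:r "*S-1-5-18:(OI)(CI)F" "*S-1-5-32-544:(OI)(CI)F"
if errorlevel 1 goto Failed

REM 2. Firewall: allow the VNC port inbound, scoped to winvnc.exe and to the
REM    admin subnet rather than to any source. Delete first so reruns do not
REM    pile up duplicate rules (delete fails harmlessly if no rule exists).
netsh advfirewall firewall delete rule name="%RULE_NAME%" >nul 2>&1
netsh advfirewall firewall add rule name="%RULE_NAME%" dir=in action=allow protocol=TCP localport=%UVNC_PORT% remoteip=%ADMIN_NET% program="%UVNC_DIR%\winvnc.exe"
if errorlevel 1 goto Failed

REM 3. Software Secure Attention Sequence. This is the registry value behind
REM    the policy: 0 = none, 1 = Services, 2 = Ease of Access applications,
REM    3 = Services and Ease of Access applications.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v SoftwareSASGeneration /t REG_DWORD /d 3 /f
if errorlevel 1 goto Failed

echo UltraVNC post-install settings applied.
exit /b 0

:NotInstalled
echo UltraVNC not found in "%UVNC_DIR%". Run the install script first.
exit /b 1

:Failed
echo A step failed. Check that the script is running elevated.
exit /b 1
```

If the same settings are also delivered by a GPO, the GPO values win at the next policy refresh, so use one mechanism or the other.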

 

Orl.reg

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ORL]