VMware Communities
ams_tschoening
Contributor

Do shared VMs support being executed by a restricted Windows user?

I'm using VMware Workstation Pro 16.1.1 and need to run a VM after Windows has booted. The important thing is that the VM needs to be executed using a specially restricted default user of Windows which WILL NOT log on interactively to get a desktop or shell. An approach based on VMRUN and the task scheduler doesn't work, but in theory shared VMs are exactly the functionality I need. There seems to be one important difference, though: when manually executing VMRUN using the task scheduler, one has influence over which user account VMRUN, and therefore the VM itself, executes under in the end. This doesn't seem to be possible with shared VMs; instead, the VM seems to run using the SYSTEM account of the parent service. I already tried to change the account of the service to a more restricted one and restarted the service, but it failed to start afterwards and I stopped further tests.

So, is there any way to make shared VMs execute with fewer privileges, using only a restricted user account?

I'm fine with the service itself running as SYSTEM if, e.g., it starts VMs with fewer privileges or the VMs drop privileges on their own, pretty much like classic UNIX daemons do with FORK etc. But I can't find any corresponding config in the GUI of Workstation Pro, either globally or per VM. The only things I can find are power actions, file locations and stuff like that, nothing of interest regarding making individual VMs more secure.
