Abstract: Users can be logged in to modern workspaces using different cloud identity providers and single sign-on. A login manager can be provided on a user computing device to obtain a user's login credentials via a custom login screen. The login manager can then inject the login credentials into an authentication interface of a cloud identity provider to authenticate the user for purposes of logging in to the user computing device. The login manager can leverage this authentication to perform single sign-on for all resources of a modern workspace such that the user can be logged in to the modern workspace via any cloud identity provider.

Abstract: A file can be intelligently associated with an application. When a user attempts to open a file on a user computing device, context for the file can be collected and provided to an intelligent file association engine. The intelligent file association engine can use the context to select an application to be used to open the file from among different applications. These different applications can include a local application, a VDI application, and a cloud application.

Abstract: Access to functionality of a web application can be provided via microapps. A microapp platform can include a microapp orchestrator that administrators may use to create and deploy microapps. A microapp may include a simple user interface with one or more elements that are associated with a function of a web application. When the microapp is deployed to a user computing device, the user can use the elements of the microapp's user interface to invoke the function of the web application without needing to directly interact with the web application.

Abstract: Reverse authentication can be performed in a VDI environment to enable an authentication device to gain access to a client without requiring that the authentication device's drivers be installed on the client. When an authentication device is connected to the client while the client is locked or not logged in, the authentication device can be redirected to a virtual appliance on which the authentication device's drivers are installed. The authentication device can then be used to authenticate the user via the virtual appliance. When authentication is successful, the virtual appliance can send the resulting authentication information back to the client to enable the user to be logged in to the client. Additionally, the virtual appliance can return the authentication device to the client. The client can then employ the authentication information to establish a remote session on a server and redirect the authentication device to the remote server.

Abstract: The loading of a privileged application can be selectively blocked. An application restrictor can be configured to register for notifications whenever an application image is loaded. Then, whenever the application restrictor receives a notification, the application restrictor can evaluate whether the application image that is being loaded is a privileged application. If so, the application restrictor can evaluate the current process's parent tree to determine if an untrusted application is present at any level of the parent tree. The application restrictor will then allow the privileged application to load only when all applications in the parent tree are trusted applications. In this way, untrusted applications can be blocked from accessing a privileged application without blocking trusted applications from accessing the privileged application.

Abstract: A redirected biometric device can be isolated to a remote session. Such session level restrictions can be implemented using a filter driver that is layered on top of the device driver stack for the redirected biometric device. When a biometric device is redirected by a user to a remote session, the filter driver can obtain an identifier of the biometric device and maintain a mapping between the identifier and the session ID of the redirecting user's remote session. Then, when an application executing on the server attempts to enumerate biometric devices, a hooking component can inspect and modify the corresponding response to remove any biometric devices that are not redirected to the same user session in which the application is executing. In this way, the application will not be able to discover any biometric devices that are redirected to other user sessions.

Abstract: HTML5 multimedia redirection is implemented. When a multimedia application is started, a hooking library can be injected to enable the hooking library to modify the application's interactions with the Microsoft Media Foundation multimedia platform. These modifications include causing only a redirecting MFT to be enumerated so that the application will employ the redirecting MFT in the topology of a media pipeline created to play HTML5 video and/or audio. These modifications also include handling playback controls to synchronize the playback that is occurring on the client with the media session on the server.

Abstract: The loading of a privileged application can be selectively blocked. An application restrictor can be configured to register for notifications whenever an application image is loaded. Then, whenever the application restrictor receives a notification, the application restrictor can evaluate whether the application image that is being loaded is a privileged application. If so, the application restrictor can evaluate the current process's parent tree to determine if an untrusted application is present at any level of the parent tree. The application restrictor will then allow the privileged application to load only when all applications in the parent tree are trusted applications. In this way, untrusted applications can be blocked from accessing a privileged application without blocking trusted applications from accessing the privileged application.

Abstract: HTML5 multimedia redirection is implemented. When a multimedia application is started, a hooking library can be injected to enable the hooking library to modify the application's interactions with the Microsoft Media Foundation multimedia platform. These modifications include causing only a redirecting MFT to be enumerated so that the application will employ the redirecting MFT in the topology of a media pipeline created to play HTML5 video and/or audio. These modifications also include handling playback controls to synchronize the playback that is occurring on the client with the media session on the server.

Abstract: Reverse authentication can be performed in a VDI environment to enable an authentication device to gain access to a client without requiring that the authentication device's drivers be installed on the client. When an authentication device is connected to the client while the client is locked or not logged in, the authentication device can be redirected to a virtual appliance on which the authentication device's drivers are installed. The authentication device can then be used to authenticate the user via the virtual appliance. When authentication is successful, the virtual appliance can send the resulting authentication information back to the client to enable the user to be logged in to the client. Additionally, the virtual appliance can return the authentication device to the client. The client can then employ the authentication information to establish a remote session on a server and redirect the authentication device to the remote server.

Abstract: A Windows file system can be attached to a remote non-Windows disk stack thereby allowing a mass storage device to be redirected at the disk level even though a client terminal is running a non-Windows operating system. A client-side proxy can include a disk provider that is configured to obtain disk information from a mass storage device connected to the client terminal and provide it to the server-side agent. A virtual disk enumerator on the server can employ the disk information to emulate a disk stack so that a Windows specific file system can be loaded on the server. Any Windows-specific management commands that target the mass storage device can be handled by the virtual disk enumerator using the disk information, whereas any access commands can be routed to the disk provider which can interface with a non-Windows disk stack on the client terminal for handling.

Abstract: In certain information handling system environments, remote conferencing may require the transmission of multi-media content. The server may query a client that has joined the remote conference to determine if the client supports the encoding format of the multi-media content. A source filter may load the requested multi-media content whereupon the multi-media content is split into audio content and video content by a demultiplexor and then transmitted via a multi-media redirection multiplier filter to a proxy client of each client joined to the remote conference or only selected clients. The multi-media content is processed and decoded at the client system using local hardware at the client thereby offloading demand on the server to the client.

Abstract: A redirected biometric device can be isolated to a remote session. Such session level restrictions can be implemented using a filter driver that is layered on top of the device driver stack for the redirected biometric device. When a biometric device is redirected by a user to a remote session, the filter driver can obtain an identifier of the biometric device and maintain a mapping between the identifier and the session ID of the redirecting user's remote session. Then, when an application executing on the server attempts to enumerate biometric devices, a hooking component can inspect and modify the corresponding response to remove any biometric devices that are not redirected to the same user session in which the application is executing. In this way, the application will not be able to discover any biometric devices that are redirected to other user sessions.

Abstract: Scanners and printers can be redirected over a WAN in an efficient manner by employing a proxy device. When a client terminal has established a remote display protocol connection with a server over a WAN and attempts to redirect a printer, scanner, or other similar device over the connection, the device can instead be redirected to a proxy device that is on the same LAN as the client terminal. The proxy device can then establish a driver mapping connection with the server for the purpose of sending commands pertaining to the redirected device. In this way, the communications over the WAN will be simpler driver mapping commands rather than numerous USB-based IRPs and will therefore not suffer from the latency of the WAN.

Abstract: Access to a redirected smart card can be provided to applications executing within a remote session. To enable this access, a smart card stub can be executed within the remote session and can function to intercept an application's API calls to access a smart card. A corresponding smart card proxy can also be executed within session 0 and can function to receive the intercepted API calls from the smart card stub. The smart card proxy can then execute the API calls. Because the smart card proxy is executing in session 0, the smart card resource manager service will not block access.

Abstract: Mass storage devices of any interface can be redirected to a server. When a mass storage device is connected to a client terminal, a client-side proxy can obtain information about the device including the interface by which the device connects to the client terminal. The proxy can relay this information to a server-side agent which can instruct a VMiniport enumerator to enumerate the mass storage device using the interface specified in the information. When the VMiniport driver is loaded, the agent can also use the information to cause the VMiniport driver and the storport driver to be initialized in accordance with the specified interface. The VMiniport driver and storport driver will therefore be configured to communicate IO requests targeting the mass storage device in a format appropriate for the interface.

Abstract: Certain information and data, such as HTML5 content, may be stored at a cloud server. A client may establish a connection with the server whereupon the server redirects the HTML5 content to the client. The HTML5 content may not be accessible by the client due to geographic or other location restrictions on placed on the HTML5 content. The client may request that the server fetch the desired HTML5 content from the source whereupon the server transmits the encoded HTML5 content to the client. The client renders the encoded HTML5 content. The client receives seamless HTML5 content redirection irrespective of geography and website.

Abstract: A shortcut to a file in a cloud desktop can be virtualized. A file shortcut virtualizer can be executed on a server and a client terminal that establishes remote sessions with the server. Server-side components of the file shortcut virtualizer can be configured to identify when a file shortcut has been created on a user's cloud desktop and to send information about each created shortcut to client-side components of the file shortcut virtualizer. The client-side components can then employ this information to create a virtual shortcut for each file shortcut on the user's cloud desktop. A virtual shortcut corresponding to a particular file can be configured to invoke a remote application launcher and can include information identifying a connection file that the remote application launcher should use to directly open the particular file using an associated remote application.

Abstract: A smart card stub and a smart card proxy can be employed to enable a redirected smart card reader to be accessed within a remote session. To isolate a redirected smart card to a remote session, the smart card stub can be configured to process a response to an application's request to enumerate smart card readers. This processing can include obtaining a session identifier for each enumerated smart card reader and removing any smart card reader from the response if the session identifier of the smart card reader does not match the session identifier of the requesting application. The smart card stub can communicate with a filter driver to obtain the session identifiers employed in this process.

Abstract: To provide the full functionality available locally at a client, a display-port audio playback device, such as a display-port monitor, is redirected to a server. This provides a remote user with the same experience as the local user. Applications at the server may be associated with any one or more virtualized display-port audio playback devices in a similar manner as associating a local client application to a local display-port audio playback device. The audio data associated with a request of a server application may be directed only to the virtual display-port audio playback device associated with the server application. Any application at the server may be associated with any one or more virtual display-port audio playback devices.