Setting Up the MiDesktop Instant Clone Base Image (Debian) / ITS Documentation

Overview

The base image must be properly configured before deploying a desktop pool. This document contains the steps that must be completed to ensure it is set up correctly and in accordance with vendor best practices.

Install the Operating System (for Blank Images ONLY)

Open a web browser to MiDesktop vCenter. For more information, see steps in Accessing MiDesktop vCenter.
Click the base image, and then click the Summary tab.
Click Launch Remote Console and power on the VM.
Click the VMRC menu > Removable Devices > CD/DVD drive 1 > Select Datastore ISO file
When the file browser opens, navigate to NFS-MACC-VDI > ISOs, and select the folder which contains your ISO file. If the ISO you need is not available, send a request to [email protected] so it can be added
Issue a CTRL + ALT + DEL on the VMRC console to restart the VM and boot to the ISO to load the OS

Configure Active Directory

Before beginning, the base image must be added to U-M Active Directory. Please see Configure Active Directory Information on the Onboarding section of the MiDesktop service page to ensure you have the correct permissions to continue.
Create an Active Directory computer object in your OU - it must have the same name as the hostname of your base image.

Log in to the Base Image and Change Admin Password (for MiDesktop-Provided Images)

MiDesktop will provide a local admin password for the base image
Follow steps in Accessing vCenter to Manage Base Images.
Click the base image, and then click Summary tab.
Click Launch Remote Console and power on the VM.
Log into the base image with the temporary credentials provided. You will be prompted to change the password at the first login.
Set the hostname in the OS (must match your Active Directory computer object name):
sudo nano /etc/hostname
Reboot
Log in again, and open a terminal to perform the remaining steps of this document

Install VMWare Tools

Run:
sudo apt update && sudo apt upgrade -y
sudo apt-get install open-vm-tools -y

Install Crowdstrike

Verify your group has a unique Crowdstrike Customer ID. If not, please see CrowdStrike Falcon for Units for more information before continuing.
Download the Crowdstrike installer from MiDesktop Downloads onto the base image.
Navigate to the directory with the install file and run:
sudo dpkg -i ./Downloads/falcon-sensor_[version].deb
Remove the agent ID:
sudo /opt/CrowdStrike/falconctl -d -f --aid
Add the customer ID:
sudo /opt/CrowdStrike/falconctl -s --cid=your dept cid --tags=optional.tags
Start the Falcon agent:
sudo systemctl start falcon-sensor
Confirm Falcon installation:
sudo ps -e | grep falcon-sensor

You should receive results for the running Falcon sensor:
XXX ? 00:00:08 falcon-sensor-b

Install NVIDIA vGPU Driver (for GPU Base Images ONLY)

Install dependencies:
sudo apt install make gcc linux-headers-amd64 pkg-config libglvnd-dev openssh-server libnss3-tools -y
Verify secure boot is disabled on the base image:
mokutil --sb-state
If enabled, contact [email protected] to disable it before continuing
Check DRM KMS status:
cat /proc/cmdline
If nvidia-drm.modeset=1is present, edit the file and remove that section, save and exit:
sudo nano /proc/cmdline
Reboot
Check Nouveau driver status:
lsmod | grep nouveau
If you get any results, the driver is enabled and must be disabled:
sudo nano /etc/modprobe.d/blacklist-nouveau.conf
Add these lines, save and exit:
blacklist nouveau
options nouveau modeset=0
If you disabled the driver, regenerate initramfs:
sudo update-initramfs -u
Reboot
Disable Wayland (with gdm display manager):
sudo nano /etc/gdm3/daemon.conf
Uncomment this line, then save and exit:
WaylandEnable=false
Reboot
Before continuing, ensure you can reach the base image via SSH. During the NVIDIA driver installation, the desktop environment is temporarily disabled so SSH is the only way to complete the installation. It is also helpful to take a snapshot of the base image before continuing so that any missteps can be reverted.
Download the NVIDIA install script NVIDIA-Linux-x86_64-[version]-grid.run, and client config token file from the MiDesktop downloads site. Also download the Horizon Agent .tar.gz file since you will be unable to do it later.
Exit X server (this disables the desktop environment and sends you to a terminal):
sudo chvt 3
Sign in to the terminal as admin
Execute NVIDIA install script:
sudo chmod +x ./NVIDIA-Linux_x86_64-[version]-grid.run
sudo sh ./NVIDIA-Linux_x86_64-[version]-grid.run
Reboot
Set license type:
sudo cp /etc/nvidia/gridd.conf.template /etc/nvidia/gridd.conf
sudo nano /etc/nvidia/gridd.conf
Set FeatureType=1, save and exit
Copy the client config token to the NVIDIA GPU license directory:
sudo cp /path/to/Prod_DLS_ClientConfigToken__[token date].tok /etc/nvidia/ClientConfigToken/
Restart NVIDIA GRID service:
sudo systemctl restart nvidia-gridd
Check license status. The results should show Licensed with an expiration time:
nvidia-smi -q | grep 'License Status'

Configure Base Image Active Directory

Verify the domain is discoverable via DNS:
sudo realm -v discover adsroot.itcs.umich.edu
Download Horizon Agent (.tar.gz file) from the MiDesktop downloads site and extract the files:
tar -xzvf /path/to/Omnissa-horizonagent-linux-[version].tar.gz
cd /path/to/Omnissa-horizonagent-linux-[version]
Run the Horizon Agent pre-check:
sudo ./easyinstall_viewagent.sh -p
Join the domain using the Horizon Agent easy installer:
sudo ./easyinstall_viewagent.sh -c -l advanced
Respond to the prompts:
- DNS server: 10.10.10.10,10.10.5.5
- Host name: [the base image guest hostname]
- IP address of the ntp server: [leave blank]
- Join the active directory: y
- Domain FQDN: adsroot.itcs.umich.edu
- User name used to join domain: [domain user name]
- Input the computer OU to join: [leave blank, it will join the domain in the OU in which the computer object was created during Active Directory configuration]
- Password: [domain user password]
Review the summary and confirm, then reboot

Modify SSSD Configuration

Modify the SSSD configuration:
sudo nano /etc/sssd/sssd.conf

Replace the file contents with this, then save and exit:

[sssd]
domains = adsroot.itcs.umich.edu
config_file_version = 2
services = nss, pam
[domain/adsroot.itcs.umich.edu]
ad_gpo_access_control = permissive
ad_gpo_map_interactive = +gdm-vmwcred
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = ADSROOT.ITCS.UMICH.EDU
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = adsroot.itcs.umich.edu
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
case_sensitive = False
dydns_update = True
ignore_group_members = True
ldap_user_gid_number = primaryGroupID

Configure PAM:
sudo pam-auth-update --enable mkhomedir
Reboot

Install Horizon View Agent

Navigate to the Omnissa Horizon agent folder:
cd /path/to/Omnissa-horizonagent-linux-[version]
Install the Horizon agent:
sudo ./easyinstall_viewagent.sh -i -A yes
Reboot
(GPU-enabled images only) the desktop environment should be available after rebooting

Remove Initial Setup Wizard

Edit the custom View agent configuration:
sudo nano /etc/omnissa/viewagent-custom.conf
Uncomment the following lines:
SSOUserFormat=[domain]\\[username]
OfflineJoinDomain=sssd
Save and exit, then reboot

Take a Snapshot

Run:
sudo apt purge -y gnome-initial-setup

Modify View Agent Configuration

Once the base image is configured, take a snapshot for use later in the new VDI pool creation process to create the virtual desktops.

Shut down the base image.
From MiDesktop vCenter, click the Snapshots tab and click Take Snapshot.
Name the snapshot, enter a description (optional), and click Create.
Note: Remember the snapshot name. This is used to create the desktop machine pool later.

Last Updated

Friday, April 17, 2026