This document provides a process to configure PortBlocker in a non-persistent Virtual Desktop environment. PortBlocker is an endpoint software for blocking mass storage devices. This software can be configured to allow all devices, place devices in read-only, or even allow only specified devices. For more information, you can view our PortBlocker page and/or request a demo.

PortBlocker is managed by SafeConsole on a per-endpoint basis, therefore, a non-persistent VDI environment can pose PortBlocker deployment challenges. When PortBlocker installs, a unique serial number is generated for management and auditing within the SafeConsole management platform. SafeConsole also utilizes the unique workstation name for auditing and tracking. As such, PortBlocker deployment should be performed after a virtual desktop is powered on. In addition, the licensing for each endpoint would be tied up if the virtual desktop is torn down with an active PortBlocker installation. For this, the PortBlocker endpoint can be deregistered and removed prior to shutdown/teardown to meet licensing needs.

This guide will provide steps to do both of the above - Install PortBlocker after the virtual desktop is available and uninstall PortBlocker before teardown to ensure proper management and licensing of each PortBlocker endpoint.

Note: This guide does not describe the setup or configuration of SafeConsole or a non-persistent VDI environment.


1. SafeConsole OnPrem or SafeConsole Cloud

2. PortBlocker license seats

3. PortBlocker MSI

4. Non-persistent VDI w/ unique workstation names

5. Storage location for scripts and PortBlocker msi


The below scripts contain the necessary information for installation but do not include all available MSI options for PortBlocker. Additional PortBlocker installation options can be found in this article.

*Important* Windows by default restricts execution of PowerShell scripts. When testing the script locally, the PowerShell execution policy may need to be modified. For more information see Microsoft's documentation.


#Sets a variable for installer location
Set-Variable -Name "installer" -Value '"path\to\msi\PortBlocker-Setup.msi"' 
#Optional - Sets a variable to automatically apply a policy to PortBlocker
Set-Variable -name "utoken" -Value "ND/5PD7jf9s9kG//8zGgZHOgqPHP"
#Sets the Connection token variable
Set-Variable -Name "safeConsoleURL" -Value '"https://myserver.safeconsolecloud.io/connect"' 
#Configures the installer to use the above variables as well as automatically accepting the EULA and installing quietly
$installerArgs = "/i $installer /quiet /norestart EULA=1 USER=$utoken URL=$safeConsoleURL LAUNCH_CLIENT=0" 
#Runs the installer with the above options
Start-Process msiexec.exe -Wait -ArgumentList $installerArgs

The 'installer' variable should match your storage location for the PortBlocker msi. 

The 'utoken' variable is the unique token from SafeConsole. By default, SafeConsole requires this to be specified. You can get the unique token by clicking the wrench beside a path within your SafeConsole. This can also be used to configure two or more scripts to apply different policies. This requirement can be disabled from your SafeConsole Server Properties page.

The 'safeConsoleURL' will be your SafeConsole Connection Token.


#Sets a variable for the location of the PortBlocker msi
Set-Variable -Name "installer" -Value '"path\to\msi\PortBlocker-Setup.msi"' 
#(OPTIONAL) Sets a variable for your uninstall password. This password is set in the SafeConsole Policy.
Set-Variable -Name "password" -Value "my_password"
#Sets a variable for the MSI arguments
$installerArgs = "/x $installer /passive PASSWORD=$password CLEANUP_ALL_DATA=1"
#Runs the PortBlocker uninstall
Start-Process msiexec.exe -Wait -ArgumentList $installerArgs
#Pauses the shutdown to allow the uninstall to complete
Start-Sleep -Seconds 60

The 'installer' variable should match your storage location for the PortBlocker msi.

(Optional) The 'password' variable should match your uninstall password. This is set in the PortBlocker policy within SafeConsole.
The “Start-Sleep” command is used to pause the shutdown process for 60 seconds to allow the script to run. You may try lower values, but there needs to be adequate time for PortBlocker to unregister and uninstall.


Modify the group policy for your workstation(s). 

Add the scripts to the Computer Configuration -> Windows Settings -> Scripts (Startup/Shutdown).

    The scripts themselves may be stored on the workstation or on a Network Storage location as long as the workstation has access to the script.

    Note: In the below example, the scripts were stored locally under C:\Script\


This will run the script during the Virtual Machine startup process. Add the script using the “Add” button. If you need to change the path to the script later, you may use the “Edit” button. 


This will run the script during the Virtual Machine shutdown process. Expect shutdown times to be longer due to running this script. Add the script using the “Add” button. If you need to change the path to the script later, you may use the “Edit” button.

Wrap Up

This process can be used on the Golden Image to apply this Group Policy globally during startup.

After this process has been followed, fresh virtual desktops may be created and they will be automatically added to SafeConsole. Each clone will show up as a separate entry inside SafeConsole.

If the script needs changed, the golden image will need to be updated.


If the startup/shutdown scripts aren’t working in your environment, you may try user login/logoff instead. Use the above process but instead use the following GPO setting options.