Where I work we started to realise that not every user was getting a locked-down VDI session, and each time it was the result of a Group Policy failure during the VM startup or user logon. To warn the users that they had a bad session and to report it to the IT department, I came up with the following config.
Create a Computer GPO which creates an empty key in the following location: "HKLM:\SOFTWARE\Custom\ComputerGPO"
Create a User GPO which creates an empty key in the following location: "HKCU:\SOFTWARE\Custom\UserGPO"
Make sure that those GPOs are the last to apply in both cases.
The attached EM config then checks for the presence of those registry keys. If there was a problem with any previous GPOs applying, they will be missing, and then a PowerShell script prompts the user to log off and sends an email to the IT department.
It's not exactly infallible, but it's saved us on more than one occasion from a user potentially saving files to the hard drive of their Provisioned VM.
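
The check described above, written out as a PowerShell logon script. This is an added example, not the EM config or script attached to the original post; the SMTP server, the mail addresses and the function name Get-MissingGpoMarker are placeholders chosen for illustration.

```powershell
# Added example: detect a failed GPO run via the two marker keys from the post.
# Assumed placeholders (not from the post): SMTP relay and mail addresses.
$SmtpServer = 'smtp.example.internal'
$MailTo     = 'it-support@example.internal'
$MailFrom   = 'vdi-check@example.internal'

# Marker keys created by the last-applied Computer and User GPOs.
$Markers = [ordered]@{
    'Computer GPO' = 'HKLM:\SOFTWARE\Custom\ComputerGPO'
    'User GPO'     = 'HKCU:\SOFTWARE\Custom\UserGPO'
}

function Get-MissingGpoMarker {
    param([System.Collections.IDictionary]$Paths)
    # Emit the name of every marker whose registry key is absent.
    foreach ($name in $Paths.Keys) {
        if (-not (Test-Path -LiteralPath $Paths[$name])) { $name }
    }
}

$missing = @(Get-MissingGpoMarker -Paths $Markers)
if ($missing.Count -eq 0) { return }   # both marker keys exist, nothing to report

# Report to IT first, but never let a mail failure suppress the user warning.
$body = @(
    "Host:    $env:COMPUTERNAME"
    "User:    $env:USERDOMAIN\$env:USERNAME"
    "Time:    $(Get-Date -Format s)"
    "Missing: $($missing -join ', ')"
) -join "`r`n"
try {
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject "GPO marker missing on $env:COMPUTERNAME" -Body $body -ErrorAction Stop
} catch {
    Write-Warning "Could not send report: $($_.Exception.Message)"
}

# Warn the user and offer to end the session.
Add-Type -AssemblyName System.Windows.Forms
$answer = [System.Windows.Forms.MessageBox]::Show(
    "This session did not receive all of its policies and may not be locked down.`n" +
    "Do not save any work. Log off now?",
    'Session problem detected', 'YesNo', 'Warning')
if ($answer -eq 'Yes') { logoff.exe }
```

If user profiles roam or persist between sessions, a "UserGPO" key left over from an earlier logon will still be present, so the user-side check only reflects the current session when that key is removed at logoff.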