Friday, October 5, 2012

Automating optimizations in Citrix’s Windows 7 Optimization Guide

As I’ve been involved with multiple XenDesktop projects over the last few months, I’ve found myself constantly repeating the steps in Citrix’s Windows 7 Optimization Guide.  Today was my probably the 5+ time I had to perform these steps, I figure it would be worth while to spend a bit more time automating some of the process so that I have something to reference in the future.

First and foremost, the guide can be downloaded here:  http://support.citrix.com/article/CTX127050

Disabling Services

The first section of the document:

image

… suggests services that can be disabled so what I did was use the following commands in a batch file to stop and disable the services:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

net stop BITS

sc config BITS start= disabled

net stop UxSms

sc config UxSms start= disabled

net stop FDResPub

sc config FDResPub start= disabled

net stop HomeGroupListener

sc config HomeGroupListener start= disabled

net stop HomeGroupProvider

sc config HomeGroupProvider start= disabled

net stop CISVC

sc config CISVC start= disabled

net stop CscService

sc config CscService start= disabled

net stop wscsvc

sc config wscsvc start= disabled

net stop SysMain

sc config SysMain start= disabled

net stop Themes

sc config Themes start= disabled

net stop WinDefend

sc config WinDefend start= disabled

net stop WMPNetworkSvc

sc config WMPNetworkSvc start= disabled

net stop WSearch

sc config WSearch start= disabled

pause

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

**Note that I included a pause command at the end so I could review whether any of the commands failed.

One of the issues I’ve constantly come across with virtual desktops is with the Windows Update Service.  As much as I agree that the Windows Update service should be disabled for the virtual desktops, I prefer to use group policy to disable the service because by doing it that way I won’t need to re-enable the service when updating the master image.  Now you might be wondering why I’m talking about the Windows Update service when the optimization guide doesn’t actually disable the service and the reason why is because the guide lists Windows Defender as a service to disable.  What I’ve found in past deployments is that this affects the Windows Update service and if it was disabled, Windows Update may error out when you attempt to patch the Windows desktop.  This in turn has lead me to exclude this service from being disabled at the master image level but disabled for the desktops in the desktop pool.  If you’ve come across the same problem as I have, you can simply omit the following lines in the batch file:

net stop WinDefend

sc config WinDefend start= disabled

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Group Policy Objects

The second section of the guide includes settings that are disabled via either local policy on the master image or Group Policy:

image

My preference is to create a GPO that omits the Windows Update configuration due to reasons I stated above and apply it to the virtual desktops.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Computer Registry Optimization

The next section of the guide lists registry settings that are applied to the HKLM and HKU of the registry of the master image which can be easily applied via the following lines in a .reg file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]

"NtfsDisableLastAccessUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BNNS\Parameters]

"EnableOffload"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"DisableTaskOffload"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]

"ServicesPipeTimeout"=dword:0002bf20

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]

"ErrorMode"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Polic

ies\Explorer]

"NoRemoteRecursiveEvents"=dword:00000001

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]

"ScreenSaveActive"="0"

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Optional Provisioning Services Computer Registry Optimization

The next section of the optimization guide lists configuration settings that pertain more to Provisioning Services with vDisks so whether you would like to apply them is at your discretion.  If you do choose to, they can be easily applied via the following lines in a .reg file:

Windows Registry Editor Version 5.00

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]

"ClearPageFileAtShutdown"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]

"Enable"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]

"EnableAutoLayout"=dword:00000000

[HKLM\SYSTEM\CurrentControlSet\Control\CrashControl]

"CrashDumpEnabled"=dword:00000000

"LogEvent"=dword:00000000

"SendAlert"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power]

"Heuristics"=hex:05,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,3f,42,0f,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]

"CrashDumpEnabled"=dword:00000000 "LogEvent"=dword:00000000

"SendAlert"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]

"DisablePasswordChange"=dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application]

"File"="D:\EventLogs\Application.evtx"

[HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security]

"File"="D:\EventLogs\Security.evtx"

[HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System]

"File"="D:\EventLogs\System.evtx"

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application]

"MaxSize"=dword:00010000

[HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security]

"MaxSize"=dword:00010000

[HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System]

"MaxSize"=dword:00010000

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Optional Computer Registry Optimization

The last set of optional computer registry optimization settings has to do with the recycling bin behavior and whether they are applied will again be at your discretion:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket]
"UseGlobalSettings"=dword:00000001
"NukeOnDelete"=dword:00000001

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

User Policy Optimization

The next section provides optimization settings for the user that can be easily applied via GPO:

image

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

User Registry Optimization

The next section lists the registry settings that are applied to the user.  Since these settings are made to HKLU, you’ll need to use GPO Preferences to apply the configuration:

image

Ensure that these settings are applied to the user objects and not the computer objects.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Final Configuration Optimization

The only final configuration optimization I use when setting up mater images is the Boot Animation setting that can be applied via the following command:

bcdedit /set bootux disabled

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note that I left out a few optimization settings listed in the documentation so please reference the guide to ensure you don’t miss any configuration changes that applies to your environment.

2 comments:

LordZoster said...

Thank you Terence.

Anonymous said...

you're the man.. thanks for doing what I was too lazy to do