Tuesday, March 19, 2013

Suggested changes to VMware View Optimization Guide for Windows 7

Those who have worked with VMware View are probably aware that VMware provides the following optimization guide for Windows 7 virtual desktop deployments:

VMware View Optimization Guide for Windows 7
http://www.vmware.com/files/pdf/VMware-View-OptimizationGuideWindows7-EN.pdf

While the optimization settings are nicely scripted for convenience, I find that some administrators may miss what a few lines in the bundled scripts do to the desktop and may unknowingly turn off features that they want to keep on. Over the past year I have used a modified version of what VMware provides, and I thought I’d share it on my blog along with the justifications for why I removed the various items:

reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /d " " /f

The reason I opted to remove this line is that in the Citrix and VMware VDI environments I’ve had to deploy, users almost always complain about how plain their desktops look when I run the canned optimization scripts, and one of the top requests appears to be customizing their wallpapers. I honestly don’t like the idea of forcing users to have a plain blue background, especially these days when our home desktops are more powerful than a server from 10 years ago.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoRecycleFiles /t REG_DWORD /d 0x1 /f

This configuration is probably one of the silliest settings of all, as it turns off the Recycle Bin. I remember getting a call from a client who was panicking because an important user had accidentally deleted a file on their virtual desktop that they really needed back, but the Recycle Bin did not appear to work anymore. After asking him whether he had run the VMware View Windows 7 optimization scripts and receiving a “Yes” response, I had to be the bearer of bad news that the file was gone. I’m sure there are workers out there who wouldn’t need the Recycle Bin, but I would think that the majority would need it.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Powershell Set-Service 'Themes' -startuptype "disabled"

The reason I have for leaving this on is the same reason as the desktop wallpaper.  Users are simply too used to what they have at home and would notice how crude the interface would look with themes turned off.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Powershell Set-Service 'VSS' -startuptype "disabled"

This service is required to be turned on for Persona Management managed desktops and seeing how it’s a manually started service, I don’t see why we can’t leave it set to manual even if we don’t use Persona Management but may do so in the future.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Powershell Set-Service 'WinDefend' -startuptype "disabled"

I’ve had multiple bad experiences in the past where disabling the Windows Defender service and/or not having it updated would prevent me from successfully running Windows Update, so I have since decided to just leave it on so that it can be updated and can provide its protective service to the desktop, even though catching malware or viruses can be easily fixed with a desktop refresh. Another justification I use is that it’s nice to have something in the background checking for malware while the user is using the desktop, to protect against Trojans that may leak corporate information.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Powershell Set-Service 'WSearch' -startuptype "disabled"

Users are simply too used to having rich searching features in Windows, and stripping this away from virtual desktops has probably generated more support calls to the help desk, asking why users see pop-up messages saying Windows Search is disabled and that searches would be slow. The worst call I’ve received was from a user who thought search no longer worked and said she could no longer work, even though if she had read the message, she would have noticed it just meant searches may not be fast.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Powershell Set-Service 'wuauserv' -startuptype "disabled"

I prefer to use an Active Directory GPO to disable this service for the virtual desktops while leaving this service enabled on the master image, because I can then simply boot up the master images a week before I intend to recompose the desktops and let them update and reboot themselves. This means I won’t have to manually log into the desktop and install the updates myself.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

bcdedit /set BOOTUX disabled

This setting probably annoys me the most because it simply renders a blank blue screen when the user logs in. Sometimes the user may see “please wait” and sometimes they won’t, depending on what’s going on in the background. I’ve received an email from the president of a bank reading:

“Thanks for optimizing my desktop earlier but now when I log in, it looks like it has hung because all I see is a blue blank screen.”

Five minutes later, I received the following email:

“Looks like I’m in.  Strange.”

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

vssadmin delete shadows /All /Quiet

This configuration is required for virtual desktops without Persona Management.  My justification for removing this from the optimization is in case this changes and Persona Management is used.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

The following is the script with the modifications:

rem Setting Default HKCU values by loading and modifying the default user registry hive

reg load "hku\temp" "%USERPROFILE%\..\Default User\NTUSER.DAT"

reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v SCRNSAVE.EXE /d "%windir%\system32\scrnsave.scr" /f

reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaveTimeOut /d "600" /f

reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaverIsSecure /d "1" /f

reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" /v Persistent /t REG_DWORD /d 0x0 /f

reg ADD "hku\temp\Software\Microsoft\Feeds" /v SyncStatus /t REG_DWORD /d 0x0 /f

reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 0x1 /f

reg unload "hku\temp"

rem Making modifications to the HKLM hive

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v DisableFirstRunCustomize /t REG_DWORD /d 0x1 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnableSuperfetch /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0x1 /f

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0x1 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk" /v TimeOutValue /t REG_DWORD /d 200 /f

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Revision /t REG_SZ /d 1.0 /f

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Virtual /t REG_SZ /d Yes /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v MaxSize /t REG_DWORD /d 0x100000 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v Retention /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Network\NewNetworkWindowOff" /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v MaxSize /t REG_DWORD /d 0x100000 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v Retention /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v MaxSize /t REG_DWORD /d 0x100000 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v Retention /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0x0 /f

reg Add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sideshow" /v Disabled /t REG_DWORD /d 0x1 /f

rem Using Powershell to perform Windows Services modifications

Powershell Set-Service 'BDESVC' -startuptype "disabled"

Powershell Set-Service 'wbengine' -startuptype "disabled"

Powershell Set-Service 'DPS' -startuptype "disabled"

Powershell Set-Service 'UxSms' -startuptype "disabled"

Powershell Set-Service 'Defragsvc' -startuptype "disabled"

Powershell Set-Service 'HomeGroupListener' -startuptype "disabled"

Powershell Set-Service 'HomeGroupProvider' -startuptype "disabled"

Powershell Set-Service 'iphlpsvc' -startuptype "disabled"

Powershell Set-Service 'MSiSCSI' -startuptype "disabled"

Powershell Set-Service 'swprv' -startuptype "disabled"

Powershell Set-Service 'CscService' -startuptype "disabled"

Powershell Set-Service 'SstpSvc' -startuptype "disabled"

Powershell Set-Service 'wscsvc' -startuptype "disabled"

Powershell Set-Service 'SSDPSRV' -startuptype "disabled"

Powershell Set-Service 'SysMain' -startuptype "disabled"

Powershell Set-Service 'TabletInputService' -startuptype "disabled"

Powershell Set-Service 'upnphost' -startuptype "disabled"

Powershell Set-Service 'SDRSVC' -startuptype "disabled"

Powershell Set-Service 'WerSvc' -startuptype "disabled"

Powershell Set-Service 'MpsSvc' -startuptype "disabled"

Powershell Set-Service 'ehRecvr' -startuptype "disabled"

Powershell Set-Service 'ehSched' -startuptype "disabled"

Powershell Set-Service 'Wlansvc' -startuptype "disabled"

Powershell Set-Service 'WwanSvc' -startuptype "disabled"

rem Making miscellaneous modifications

Powershell disable-computerrestore -drive c:\

netsh advfirewall set allprofiles state off

powercfg -H OFF

net stop "sysmain"

fsutil behavior set DisableLastAccess 1

rem Making modifications to Scheduled Tasks

schtasks /change /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /Disable

schtasks /change /TN "\Microsoft\Windows\SystemRestore\SR" /Disable

schtasks /change /TN "\Microsoft\Windows\Registry\RegIdleBackup" /Disable

schtasks /change /TN "\Microsoft\Windows Defender\MPIdleTask" /Disable

schtasks /change /TN "\Microsoft\Windows Defender\MP Scheduled Scan" /Disable

schtasks /change /TN "\Microsoft\Windows\Maintenance\WinSAT" /Disable
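
An added example, not part of the original post or VMware's guide: a read-only PowerShell report of whether the security-relevant settings written by the script above are applied on an image. The registry paths, value names and service names come from the script; which lines to report and the variable names are choices made for this example.

```powershell
# Added example (not from the original post): read-only report of the
# security-relevant settings that the modified script above writes.
# Registry paths, value names and service names are copied from that script.
$regChecks = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system'
       Name = 'EnableLUA'; ScriptValue = 0; Meaning = 'User Account Control disabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'UserAuthentication'; ScriptValue = 0
       Meaning = 'RDP does not require Network Level Authentication' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Security'
       Name = 'MaxSize'; ScriptValue = 0x100000; Meaning = 'Security event log capped at 1 MB' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Security'
       Name = 'Retention'; ScriptValue = 0; Meaning = 'Security log overwrites old events as needed' }
)
# Service names from the script, with their Windows 7 display names.
$services = @{ MpsSvc = 'Windows Firewall'; wscsvc = 'Security Center'
               BDESVC = 'BitLocker Drive Encryption Service' }

$report = @()
foreach ($c in $regChecks) {
    # A missing key or value means the script's setting is not applied here.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($c.Name) } else { $null }
    $report += New-Object PSObject -Property @{
        Setting = $c.Name; Current = $current
        MatchesScript = ($current -eq $c.ScriptValue); Meaning = $c.Meaning }
}
foreach ($name in $services.Keys) {
    # Win32_Service is used because Get-Service on PowerShell 2.0 has no start type.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    $mode = if ($svc) { $svc.StartMode } else { 'not installed' }
    $report += New-Object PSObject -Property @{
        Setting = "Service $name"; Current = $mode
        MatchesScript = ($mode -eq 'Disabled')
        Meaning = "$($services[$name]) will not start" }
}
$report | Select-Object Setting, Current, MatchesScript, Meaning |
    Format-Table -AutoSize -Wrap

# Firewall profile state, as changed by "netsh advfirewall set allprofiles state off".
netsh advfirewall show allprofiles state
```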

10 comments:

Darrell Hix said...

Do you realize that with Desktop Search enabled and using non-persistent desktops that refresh automatically, you are rebuilding the desktop search index on every VM each time the user logs off and back on? It would be ok if you could redirect where the index file gets built but at this time I don't think this is possible.

Vince Daly said...

Very interesting reading. I am having an issue with our Wyse Terminals and not being able to change the Display settings or adjust the text size. I was able to finally adjust after deploying a GPO but I also was able to change the text size by modifying the Registry. Now the issue is we can't change the desktop background. It will allow me to open a picture and right click and set as background but it won't actually change. I'm thinking it might be because the video card doesn't support Aero. I'm going to try your suggestion and see if that works. We are using VMware and Windows 7 as the OS.

@iamxCPx said...

@Vince Daly.
You will need to add ViewPM.adm to the GPO and disable "Toggle Display Settings Control" under VMware View Agent Configuration/Agent Configuration.

Once you do that, users can change the settings under the Display Settings and adjust text or resolution. We use Zero Clients (Wyse, 10Zig) and no issue here.

And also, if you need more help, post it on the VMware Community Forum and plenty of vExperts will help you there.

Cheers.

Rob Alexander said...

This was really useful! I am setting up a small VDI lab for my students and I want them to have themes and wallpaper. Our LAN and hardware can handle it and they will enjoy it more.

I am having a problem that I haven't seen elsewhere, though, and I am wondering if anyone else has seen this and may have a solution. Themes work for my users, loading when they choose them, but after logging out and back in again, the wallpaper component of the theme is missing, so the background is black. If they choose a different theme (or another, then back to the original), it all works fine for that session, but it is gone again on the next login.

The system is running Windows 7 Enterprise on Horizon View 6 on Windows Server 2012. I have tested this on a variety of builds, from brand new install with just Windows (incl updates), VMWare Tools, View Agent and our Apex video driver, all the way up to a fully optimized build, and it happens every time.

The system has GPO files in place, but it looks like all the entries are just 'not configured'.

My network guy is very experienced, but is not a Windows guy, and I'm a Windows guy, but not a network expert, so between us, we're missing something.

I am running out of places to look and so thought I'd toss this out there just in case anyone has seen it or has any ideas of things to try. Any ideas?

Joe Clarke said...

Great post Terence. I've added these two defaults into the default profile in addition to your modifications. I have yet to try out the script, but have used this in the past.

rem Set all users to use "Best Performance".
reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 0x2 /f

rem remove the 400ms of start menu delay
reg ADD "hku\temp\Control Panel\Desktop" /v MenuShowDelay /d "0" /f

Rob Alexander said...

I wanted to follow up on my own question, in case someone else ran across this with the same problem. My network guy and I sat down and did some troubleshooting and discovered that the files that control the wallpaper (in \users\\appdata\Roaming\Microsoft\Windows\Themes) were being copied to the server when the user logged out, but were not being copied back to the new VM when the user logged back in later. We solved the problem by using Persona Manager to force that folder to pre-load on login. There is still some underlying cause that we were unable to discover, because all other locations under Roaming did copy both ways without being forced, but this one did not. Still, at least we found a workaround that got it working, and it's a solution that should work for others.

Anonymous said...

Hi Terence,

Great post, but there is one thing missing from your suggested modifications:

reg ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0x0 /f

This breaks IE Explorer and needs to be commented out to keep that from happening. Here's the link to the reason:
http://vmstan.com/view-optimization-script-breaks-windows-security-features/

Thanks,

Steve

Anonymous said...

@RobAlexander
Thank you, this problem is exactly the same we ran into in Horizon 6.0.1. We use the same repo as with our old 5.2 and it must be a bug somewhere in 6.0.1.
Have a case regged at VMware but they don't have a clue it seems. :\

G said...

I just want to say great job everyone. I'm setting up my first VMware View image and all the stuff here has greatly helped me decipher all the items VMware published in that batch file. You guys saved me a lot of time and headaches! Thank you all!
