VMware vSphere virtual machines constantly runs a CHKDSK after every reboot

Ran into an interesting problem today while upgrading an existing vSphere 4.1 infrastructure to 5.1 with the latest build (1021289). What we noticed was that when all of the virtual machines that were migrated over to the new 5.1 environment would run a chkdsk every the Windows 2008 R2 operating system was rebooted:

… and whenever we ran a chkntfs c:, the return would be that the disk was dirty. After going through trial and error by moving virtual machines from patched to non-patched ESXi 5.1 hosts without any luck, we opened up a support ticket with VMware and ended up discovering that the issue did not have anything to do with VMware but because the servers had the security update 2823324 patch installed just a week ago. More information on this patch can be found here:

MS13-036: Description of the security update for the Windows file system kernel-mode driver (ntfs.sys): April 9, 2013
http://support.microsoft.com/kb/2823324

What we ended up doing was the following:

• Uninstall the security patch
• Reboot
• Let the chkdsk run (the difference we noticed after having the patch uninstalled was that this chkdsk ran much longer as if it did fix something during the process)
• Reboot again

This resolved the issue.

Lync Server 2013 Edge server replication issues on Windows Server 2012

Problem

You’ve completed a new greenfield deployment or successfully migrated from Lync Server 2010 to Lync Server 2013 with Windows Server 2012 servers as the base operating system but noticed that your Lync Edge servers are not replicating and executing the Invoke-CsManagementStoreReplicationStatus cmdlet then the Get-CsManagementStoreReplicationStatus display’s the following:

Note how the Lync front end server has True for UpToDate while the Edge server does not.

You’ve tried using the Lync Logging Tool on the front end server to log the following components:

• XDS_File_Transfer_Agent
• XDS_Master_Replicator
• XDS_Replica_Replicator

… but could not capture any errors useful for the troubleshooting.

Deleting the RtcReplicaRoot folder on the Lync Edge server then running a repair on the Core Components also does not correct this issue.

Reviewing all of the application, system and Lync logs in the event viewer does not reveal any errors.

You’ve tried adding the SendTrustedIssuerList REG_DWORD registry key into HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL but that did not fix the issue:

Browsing the URL https://<lyncEdgeServer.someDomain.internal:4443/replicationwebservice loads the Windows Communicator Foundation service page properly with one abnormal behavior which is that you receive a Confirm Certificate prompt with the message:

Confirm this certificate by clicking OK. If this is not the correct certificate, click Cancel.

… clicking on OK brings you to the regular expected webpage:

Solution

This problem actually got me quite frustrated as I’ve done numerous deployments of Lync yet could not figure out why this particular environment gave me a problem I seemingly couldn’t find any clues that pointed me in the right direction so I opened up a support call with Microsoft.  The engineer spent almost a total of 2 days before he figured out what was wrong.

To make a long story short, Windows Server 2012 apparently is more stringent on performing certificate checks because Windows Server 2012 implements checks for a higher level of trust for certificate authentication.  A more detailed explanation can be found at the following KB:

Lync Server 2013 Front-End service cannot start in Windows Server 2012
http://support.microsoft.com/kb/2795828

First off, the reason why we were getting the strange Confirm Certificate prompt when we browse the https://<lyncEdgeServer.someDomain.internal:4443/replicationwebservice URL:

… is because I had a certificate in the Current User store:

You might be wondering why I had this certificate in there and it’s because I had to use our internal Enterprise CA’s enrollment webpage (/certsrv) to obtain the Lync Front End server’s certificate because we had RCC integration with the Avaya AES server and using the regular certificate tool in the Lync deployment wizard did not work.  This meant that I had to install it under the logged on user’s account, export it along with the private key from the current user store, then re-import it into the computer store.  I didn’t end up deleting the certificate so when I deleted it, closed Internet Explorer and navigated to the https://<lyncEdgeServer.someDomain.internal:4443/replicationwebservice URL, I was no longer prompted with the window landing directly onto the expected Windows Communication Foundation Service page:

Second, as per the KB article, Windows Server 2012 basically does not like certificates that are in the incorrect place.  We noticed that an intermediate certificate was placed in the Trusted Root Certification Authorities in the local computer store of the Edge server so it was removed:

We then proceeded to check for certificates in the Intermediate Certification Authorities and Trusted People stores to ensure there weren’t any that shouldn’t be in there.  Once we completed this, a restart of the replication services then followed by the Invoke-CsManagementStoreReplicationStatus cmdlet showed that the front end and Edge server began to replicate:

This was definitely one of the more difficult issues I’ve come across and seeing how I couldn’t find any helpful information on the internet, I hope this post will help anyone who may come across this in their environment.

Removing a virtual desktop in VMware View 5.x throws the error: “Provisioning error occurred for Machine <VDI-Name>: Unable to remove Machine from inventory”

Problem

You attempt to remove a virtual machine from the VMware View administration console:

… but you notice that VMware View is unable to delete the virtual desktop and the follow error is logged in the events:

Error: Provisioning error occurred for Machine <VDI-Name>: unable to remove Machine from inventory

You will also notice that the failed actual is automatically recovered by powering back on the virtual desktop:

Automatic error recovery for Pool <pool-name>: attempting to restart Machine <VDI-name>

Solution

While there are probably multiple reasons why this error would be thrown, the environment I had to troubleshoot turned out to be because the Active Directory permissions were not set correctly.  The permissions required for the View service account can be found here:

http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-3446495C-FEC8-425C-AFF8-A6CAABA5E973.html

What I’ve noticed is that most administrators miss an important step that isn’t obvious in the documentation and that is the Write All Properties permissions in the Properties tab:

In the screenshot above, note that the Object tab has a Write all properties permission and selecting this permission does not enable the Write all properties under the Properties tab shown here:

Forgetting this selection is one of the reasons why the error shown earlier in the post is thrown when attempting to remove virtual desktops from the VMware View administration console.

Starting Google Earth on Citrix XenDesktop 5.6 virtual desktop prompts the message: ‘DirectX’ mode not supported

Update:
Please see my latest update blog post:

Updated: Starting Google Earth on Citrix XenDesktop 5.6 virtual desktop prompts the message: ‘DirectX’ mode not supported
http://terenceluk.blogspot.com/2014/02/updated-starting-google-earth-on-citrix.html

Problem

You’ve followed the instructions provided by the following Citrix XenDesktop 5.6 Feature Pack 1 eDocs:

HDX Optimization Pack for Google Earth
http://support.citrix.com/proddocs/topic/xendesktop-56fp1/hdx-opt-pack-for-google-earth.html

… and copy the d3d9.dll file to:

%ProgramFiles(x86)%\Google\Google Earth\client\alchemy\ogles20

%ProgramFiles(x86)%\Google\Google Earth\plugin\alchemy\ogles20

%ProgramFiles%\Google\Google Earth\client

%ProgramFiles%\Google\Google Earth\plugin

… but notice that you still receive the following prompt:

‘DirectX’ mode not supported



Please start Google Earth again after making one of the changes.



Solution

After searching around on the internet and noticing other people having the same issues, what ended up working for me was to copy the file to the following directory as well:

C:\Windows\SysWOW64 **Note that the d3d9.dll file in the C:\Windows\SysWOW64 folder is owned by the TrustedInstaller account so you’ll need to take ownership of the file then grant yourself permissions before you can either rename or overwrite it.

Using PowerCLI to create new role and assign service account used by Citrix XenDesktop 5.6 permissions for vCenter Server 5.1

As demonstrated in one of my previous posts for VMware Horizon View 5.2:

Using PowerCLI to create new role and assign service account used by VMware Horizon View 5.2 (View Manager & View Composer) permissions for vCenter Server 5.1
http://terenceluk.blogspot.com/2013/04/using-powercli-to-create-new-role-and.html

… you can use PowerCLI to create, configure and assign the role required for the VMware View Manager and View Composer service account to access the vCenter.  As my current role requires me to architect and implement VDI solutions from VMware and Citrix, I thought I’d also write the equivalent post for Citrix XenDesktop 5.6 demonstrating how to create a role in vCenter with permissions required by the XenDesktop DDC (Desktop Delivery Controller) to deploy and manage desktop catalogs.

Before I being, note that the documentation for the required permissions that I will be using can be found at the following URLs:

Using VMware with XenDesktop
http://support.citrix.com/proddocs/topic/xendesktop-rho/cds-vmware-rho.html

More information about the permissions required can be found in one of my previous posts here:

Permissions required for Citrix XenDesktop 5.6 and VMware vSphere 5.1
http://terenceluk.blogspot.com/2013/04/permissions-required-for-citrix.html

Assigning permissions to variable

Prior to creating the role, we’ll need to assign the required permissions to a variable and prior to assigning the permissions to variable, we’ll need to identify the unique Id for the privilege by using the following PowerCLI command for each permission required:

Get-VIPrivilege -Name “<Name of permissions>” | FL

The reason why we need to identify the unique Id is because permissions such as Power On are generic and can be found in nodes such as Interaction:

… and vApp:

… which are permissions we don’t need.  Without making this post too long, I will demonstrate the output for the Power On permissions in the PowerCLI:

Connect-VIServer <yourvCenterFQDN>

Get-VIPrivilege -Name “Power On” | FL

Note that the Power On permissions we’re interested in is under the ParentGroupID VirtualMachine.Interact and the unique Id is VirtualMachine.Interact.PowerOn.

Once I’ve gone through the list of privileges required, I was able to assign the permissions with the following cmdlet to assign the permissions to a variable:

$priv = Get-VIPrivilege –ID Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Host.Config.AdvancedConfig,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Resource,VirtualMachine.Config.Memory,VirtualMachine.Config.RemoveDisk,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Register,VirtualMachine.Inventory.Delete,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.GetVmFiles,VirtualMachine.Provisioning.PutVmFiles,VirtualMachine.Provisioning.CloneTemplate,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RevertToSnapshot,Resource.AssignVMToPool,Global.ManageCustomFields,Global.SetCustomField,Network.Assign,Task.Create

Creating the VMware View service role and assigning permissions

With the permissions stored in a variable, what need to do is combine the cmdlet to create the role and assign the stored permissions as such:

$priv = Get-VIPrivilege -ID Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Host.Config.AdvancedConfig,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Resource,VirtualMachine.Config.Memory,VirtualMachine.Config.RemoveDisk,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Register,VirtualMachine.Inventory.Delete,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.GetVmFiles,VirtualMachine.Provisioning.PutVmFiles,VirtualMachine.Provisioning.CloneTemplate,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RevertToSnapshot,Resource.AssignVMToPool,Global.ManageCustomFields,Global.SetCustomField,Network.Assign,Task.Create

New-VIRole -Name "XenDesktop Service" -Privilege $priv

Once this role has been created:

… the last step was to execute the following to add your domain service account to the role:

$rootFolder = Get-Folder -NoRecursion

$myPermission = New-VIPermission -Entity $rootFolder -Principal “domain\svc_XenDesktop” -Role “XenDesktop Service” -Propagate:$true

… which will assign the domain service account to the vCenter object (top most level).

Note that the cmdlets above were tested with Citrix XenDesktop 5.6 and vCenter 5.1.0 Build 947673.

Using PowerCLI to create new role and assign service account used by VMware Horizon View 5.2 (View Manager & View Composer) permissions for vCenter Server 5.1

As demonstrated in one of my previous posts:

Using PowerCLI to create new role and assign service account used by VMware View Manager 5.1 permissions for vCenter Server

http://terenceluk.blogspot.com/2013/03/using-powercli-to-create-new-role-and.html

… you can use PowerCLI to create, configure and assign the role required for the VMware View Manager and View Composer service account to access the vCenter.  As I notice that I am involved with VMware Horizon View projects more and more, I find it important to cut back the amount of time required to setup or fix account permissions so this post serves to demonstrate how to create, configure and assign the role and service account for VMware Horizon View 5.2 and VMware vCenter 5.1.

Before I being, note that the documentation for the required permissions that I will be using can be found at the following URLs:

Configuring User Accounts for vCenter Server and View Composer
http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-997107E5-F66D-494C-B2BA-A74977C7804C.html

View Manager Privileges Required for the vCenter Server User
http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-A878F876-B359-42FC-9124-A1E34BFB3319.html

View Composer Privileges Required for the vCenter Server User

http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-467F552F-3034-4917-A985-B5E5FEC5C68F.html

Assigning permissions to variable

Prior to creating the role, we’ll need to assign the required permissions to a variable and prior to assigning the permissions to variable, we’ll need to identify the unique Id for the privilege by using the following PowerCLI command for each permission required:

Get-VIPrivilege -Name “<Name of permissions>” | FL

The reason why we need to identify the unique Id is because permissions such as Power On are generic and can be found in nodes such as Interaction:

… and vApp:

… which are permissions we don’t need.  Without making this post too long, I will demonstrate the output for the Power On permissions in the PowerCLI:

Connect-VIServer <yourvCenterFQDN>

Get-VIPrivilege -Name “Power On” | FL

Note that the Power On permissions we’re interested in is under the ParentGroupID VirtualMachine.Interact and the unique Id is VirtualMachine.Interact.PowerOn.

Once I’ve gone through the list of privileges required, I was able to assign the permissions with the following cmdlet to assign the permissions to a variable:

$priv = Get-VIPrivilege -ID Folder.Create,Folder.Delete,Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Host.Config.AdvancedConfig,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.AddRemoveDevice,VirtualMachine.Config.AdvancedConfig,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Resource,VirtualMachine.Config.ManagedBy,VirtualMachine.Config.ChangeTracking,VirtualMachine.Config.DiskLease,VirtualMachine.Config.MksControl,VirtualMachine.Config.DiskExtend,VirtualMachine.Config.HostUSBDevice,VirtualMachine.Config.Memory,VirtualMachine.Config.EditDevice,VirtualMachine.Config.QueryFTCompatibility,VirtualMachine.Config.QueryUnownedFiles,VirtualMachine.Config.RawDevice,VirtualMachine.Config.ReloadFromPath,VirtualMachine.Config.RemoveDisk,VirtualMachine.Config.Rename,VirtualMachine.Config.ResetGuestInfo,VirtualMachine.Config.Annotation,VirtualMachine.Config.Settings,VirtualMachine.Config.SwapPlacement,VirtualMachine.Config.Unlock,VirtualMachine.Config.UpgradeVirtualHardware,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Move,VirtualMachine.Inventory.Register,VirtualMachine.Inventory.Delete,VirtualMachine.Inventory.Unregister,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.Customize,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.ReadCustSpecs,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RemoveSnapshot,VirtualMachine.State.RenameSnapshot,VirtualMachine.State.RevertToSnapshot,Resource.AssignVMToPool,Resource.ColdMigrate,Global.EnableMethods,Global.DisableMethods,Global.SystemTag,Global.VCServer,Network.Assign,Network.Config,Network.Move,Network.Delete

Creating the VMware View service role and assigning permissions

With the permissions stored in a variable, what need to do is combine the cmdlet to create the role and assign the stored permissions as such:

$priv = Get-VIPrivilege -ID Folder.Create,Folder.Delete,Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Host.Config.AdvancedConfig,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.AddRemoveDevice,VirtualMachine.Config.AdvancedConfig,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Resource,VirtualMachine.Config.ManagedBy,VirtualMachine.Config.ChangeTracking,VirtualMachine.Config.DiskLease,VirtualMachine.Config.MksControl,VirtualMachine.Config.DiskExtend,VirtualMachine.Config.HostUSBDevice,VirtualMachine.Config.Memory,VirtualMachine.Config.EditDevice,VirtualMachine.Config.QueryFTCompatibility,VirtualMachine.Config.QueryUnownedFiles,VirtualMachine.Config.RawDevice,VirtualMachine.Config.ReloadFromPath,VirtualMachine.Config.RemoveDisk,VirtualMachine.Config.Rename,VirtualMachine.Config.ResetGuestInfo,VirtualMachine.Config.Annotation,VirtualMachine.Config.Settings,VirtualMachine.Config.SwapPlacement,VirtualMachine.Config.Unlock,VirtualMachine.Config.UpgradeVirtualHardware,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Move,VirtualMachine.Inventory.Register,VirtualMachine.Inventory.Delete,VirtualMachine.Inventory.Unregister,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.Customize,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.ReadCustSpecs,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RemoveSnapshot,VirtualMachine.State.RenameSnapshot,VirtualMachine.State.RevertToSnapshot,Resource.AssignVMToPool,Resource.ColdMigrate,Global.EnableMethods,Global.DisableMethods,Global.SystemTag,Global.VCServer,Network.Assign,Network.Config,Network.Move,Network.Delete

New-VIRole -Name "VMware View Service" -Privilege $priv

Once this role has been created:

… the last step was to execute the following to add your domain service account to the role:

$rootFolder = Get-Folder -NoRecursion

$myPermission = New-VIPermission -Entity $rootFolder -Principal “domain\svc_view” -Role “VMware View Service” -Propagate:$true

… which will assign the domain service account to the vCenter object (top most level) indicated as a requirement in the documentation here:

In vSphere Client, right-click the vCenter Server at the top level of the inventory, click Add Permission, and add the vCenter Server user.

Note

You must define the vCenter Server user at the vCenter Server level.

http://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-80D653FA-BCC0-45B9-AF84-5E0EEC2AD139.html

Note that the cmdlet above was tested with VMware Horizon View 5.2 and vCenter 5.1.0 Build 947673.

Reversing VMware View Optimization Guide for Windows 7 Configuration

I was recently asked by a colleague whether I had prewritten scripts to reverse the configuration changes that the VMware View Optimization Guide for Windows 7 performed on a master image and while I didn’t have exactly what he asked for, I did have scripts to reverse a subset of those settings.  The reason why my scripts only reverse a subset of those settings is because I don’t use all of the optimizations provided by VMware and the reasons can be found in one of my previous posts here:

Suggested changes to VMware View Optimization Guide for Windows 7
http://terenceluk.blogspot.com/2013/03/suggested-changes-to-vmware-view.html

With that being said, the changes I make to the VMware provided optimization scripts isn’t too far off so if I thought I’d provide my script here which could serve as a starting point to reverse all the changes made by the original scripts:

rem Setting Default HKCU values by loading and modifying the default user registry hive

reg load "hku\temp" "%USERPROFILE%\..\Default User\NTUSER.DAT"

reg DELETE "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v SCRNSAVE.EXE /f

reg DELETE "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaveTimeOut /f

reg DELETE "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaverIsSecure /f

reg DELETE "hku\temp\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" /v Persistent /f

reg DELETE "hku\temp\Software\Microsoft\Feeds" /v SyncStatus /f

reg DELETE "hku\temp\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f

reg unload "hku\temp"

rem Making modifications to the HKLM hive

reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v DisableFirstRunCustomize /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnableSuperfetch /t REG_DWORD /d 3 /f

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0x0 /f

reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk" /v TimeOutValue /t REG_DWORD /d 60 /f

reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v MaxSize /t REG_DWORD /d 0x6e00000 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v Retention /t REG_DWORD /d 0x0 /f

reg DELETE "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Network\NewNetworkWindowOff" /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v MaxSize /t REG_DWORD /d 0x6e00000 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v Retention /t REG_DWORD /d 0x0 /f 

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v MaxSize /t REG_DWORD /d 0x6e00000 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v Retention /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 0x2 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x1 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0x1 /f

reg DELETE "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sideshow" /f

rem Using Powershell to perform Windows Services modifications

Powershell Set-Service 'BDESVC' -startuptype "manual"

Powershell Set-Service 'wbengine' -startuptype "manual"

Powershell Set-Service 'DPS' -startuptype "automatic"

Powershell Set-Service 'UxSms' -startuptype "automatic"

Powershell Set-Service 'Defragsvc' -startuptype "manual"

Powershell Set-Service 'HomeGroupListener' -startuptype "manual"

Powershell Set-Service 'HomeGroupProvider' -startuptype "manual"

Powershell Set-Service 'iphlpsvc' -startuptype "automatic"

Powershell Set-Service 'MSiSCSI' -startuptype "manual"

Powershell Set-Service 'swprv' -startuptype "manual"

Powershell Set-Service 'CscService' -startuptype "automatic"

Powershell Set-Service 'SstpSvc' -startuptype "manual"

rem Powershell Set-Service 'wscsvc' -startuptype "disabled" <-- no Delayed Start

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc" /v Start /t REG_DWORD /d 0x2 /f

net stop wscsvc

Powershell Set-Service 'SSDPSRV' -startuptype "manual"

Powershell Set-Service 'SysMain' -startuptype "automatic"

Powershell Set-Service 'TabletInputService' -startuptype "manual"

Powershell Set-Service 'upnphost' -startuptype "manual"

Powershell Set-Service 'SDRSVC' -startuptype "manual"

Powershell Set-Service 'WerSvc' -startuptype "manual"

Powershell Set-Service 'MpsSvc' -startuptype "automatic"

Powershell Set-Service 'ehRecvr' -startuptype "manual"

Powershell Set-Service 'ehSched' -startuptype "manual"

Powershell Set-Service 'Wlansvc' -startuptype "manual"

Powershell Set-Service 'WwanSvc' -startuptype "manual"

rem Making miscellaneous modifications

Powershell enable-computerrestore -drive c:\

net start MpsSvc

netsh advfirewall set allprofiles state on

powercfg -H ON

net start "sysmain"

fsutil behavior set DisableLastAccess 0

rem Making modifications to Scheduled Tasks

schtasks /change /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /Enable

schtasks /change /TN "\Microsoft\Windows\SystemRestore\SR" /Enable

schtasks /change /TN "\Microsoft\Windows\Registry\RegIdleBackup" /Enable 

schtasks /change /TN "\Microsoft\Windows Defender\MPIdleTask" /Enable

schtasks /change /TN "\Microsoft\Windows Defender\MP Scheduled Scan" /Enable 

schtasks /change /TN "\Microsoft\Windows\Maintenance\WinSAT" /Enable