Channel: Terence Luk

Suggested changes to VMware View Optimization Guide for Windows 7


Those who have worked with VMware View are probably aware that VMware provides the following optimization guide for Windows 7 virtual desktop deployments:

VMware View Optimization Guide for Windows 7
http://www.vmware.com/files/pdf/VMware-View-OptimizationGuideWindows7-EN.pdf

While the optimization settings are nicely scripted for convenience, I find that some administrators may miss what a few lines in the bundled scripts do to the desktop and may unknowingly turn off various features that they may not want to be off. What I’ve done over the past year is use a modified version of what VMware provides, and I thought I’d share it on my blog with the justifications for why I have removed the various items:

reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /d " " /f

The reason I opted to remove this line is that the Citrix and VMware VDI environments I’ve had to deploy almost always have users complaining about how plain their desktops look when I run the canned optimization scripts, and one of the top requests appears to be customizing their wallpapers. I honestly don’t like the idea of forcing users to have a plain blue background, especially in modern days when our home desktops are more powerful than a server from 10 years ago.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoRecycleFiles /t REG_DWORD /d 0x1 /f

This configuration is probably one of the silliest settings of all, as it turns off the recycling bin. I remember getting a call from a client who was panicking because an important user had accidentally deleted a file on their virtual desktop that they really needed back, but the recycling bin did not appear to work anymore. After asking him whether he had run the VMware View Windows 7 optimization scripts and receiving a “Yes” response, I had to be the bearer of bad news that the file was gone. I’m sure there are workers out there who wouldn’t need the recycling bin, but I would think that the majority would need it.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Powershell Set-Service 'Themes' -startuptype "disabled"

The reason I have for leaving this on is the same reason as the desktop wallpaper.  Users are simply too used to what they have at home and would notice how crude the interface would look with themes turned off.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Powershell Set-Service 'VSS' -startuptype "disabled"

This service is required to be turned on for Persona Management managed desktops and seeing how it’s a manually started service, I don’t see why we can’t leave it set to manual even if we don’t use Persona Management but may do so in the future.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Powershell Set-Service 'WinDefend' -startuptype "disabled"

I’ve had multiple bad experiences in the past where disabling the Windows Defender service and/or not having it updated would prevent me from successfully running Windows Update, so I have since decided to just leave it on so that it can be updated and allow it to provide its protective service to the desktop, even though catching malware or viruses can be easily fixed with a desktop refresh. Another justification I use is that it’s nice to have something in the background checking for malware as the user is using the desktop, to protect against Trojans that may leak corporate information.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Powershell Set-Service 'WSearch' -startuptype "disabled"

Users are simply too used to having rich searching features in Windows, and stripping this away from virtual desktops has probably generated more support calls to the help desk as to why users see pop-up messages saying Windows Search is disabled and that searches would be slow. The worst call I’ve received was from a user who thought search no longer worked and said she could no longer work, even though, had she decided to read the message, she would have noticed it just meant searches may not be fast.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Powershell Set-Service 'wuauserv' -startuptype "disabled"

I prefer to use an Active Directory GPO to disable this service for the virtual desktops while leaving this service enabled on the master image, because I can then simply boot up the master images a week before I intend to recompose the desktops and let them update and reboot themselves. This means I won’t have to manually log into the desktop and install the updates myself.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

bcdedit /set BOOTUX disabled

This setting probably annoys me the most because it simply renders a blank blue screen when the user logs in. Sometimes the user may see “Please wait”, sometimes they won’t, depending on what’s going on in the background. I’ve received an email from the president of a bank reading:

“Thanks for optimizing my desktop earlier but now when I log in, it looks like it has hung because all I see is a blue blank screen.”

5 minutes later, I received the following email:

“Looks like I’m in.  Strange.”

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

vssadmin delete shadows /All /Quiet

This configuration is required for virtual desktops without Persona Management.  My justification for removing this from the optimization is in case this changes and Persona Management is used.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

The following is the script with the modifications:

rem Setting Default HKCU values by loading and modifying the default user registry hive

reg load "hku\temp" "%USERPROFILE%\..\Default User\NTUSER.DAT"

reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v SCRNSAVE.EXE /d "%windir%\system32\scrnsave.scr" /f

reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaveTimeOut /d "600" /f

reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaverIsSecure /d "1" /f

reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" /v Persistent /t REG_DWORD /d 0x0 /f

reg ADD "hku\temp\Software\Microsoft\Feeds" /v SyncStatus /t REG_DWORD /d 0x0 /f

reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 0x1 /f

reg unload "hku\temp"

rem Making modifications to the HKLM hive

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v DisableFirstRunCustomize /t REG_DWORD /d 0x1 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnableSuperfetch /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0x1 /f

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0x1 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk" /v TimeOutValue /t REG_DWORD /d 200 /f

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Revision /t REG_SZ /d 1.0 /f

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Virtual /t REG_SZ /d Yes /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v MaxSize /t REG_DWORD /d 0x100000 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v Retention /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Network\NewNetworkWindowOff" /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v MaxSize /t REG_DWORD /d 0x100000 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v Retention /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v MaxSize /t REG_DWORD /d 0x100000 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v Retention /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x0 /f

reg ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0x0 /f

reg Add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sideshow" /v Disabled /t REG_DWORD /d 0x1 /f

rem Using Powershell to perform Windows Services modifications

Powershell Set-Service 'BDESVC' -startuptype "disabled"

Powershell Set-Service 'wbengine' -startuptype "disabled"

Powershell Set-Service 'DPS' -startuptype "disabled"

Powershell Set-Service 'UxSms' -startuptype "disabled"

Powershell Set-Service 'Defragsvc' -startuptype "disabled"

Powershell Set-Service 'HomeGroupListener' -startuptype "disabled"

Powershell Set-Service 'HomeGroupProvider' -startuptype "disabled"

Powershell Set-Service 'iphlpsvc' -startuptype "disabled"

Powershell Set-Service 'MSiSCSI' -startuptype "disabled"

Powershell Set-Service 'swprv' -startuptype "disabled"

Powershell Set-Service 'CscService' -startuptype "disabled"

Powershell Set-Service 'SstpSvc' -startuptype "disabled"

Powershell Set-Service 'wscsvc' -startuptype "disabled"

Powershell Set-Service 'SSDPSRV' -startuptype "disabled"

Powershell Set-Service 'SysMain' -startuptype "disabled"

Powershell Set-Service 'TabletInputService' -startuptype "disabled"

Powershell Set-Service 'upnphost' -startuptype "disabled"

Powershell Set-Service 'SDRSVC' -startuptype "disabled"

Powershell Set-Service 'WerSvc' -startuptype "disabled"

Powershell Set-Service 'MpsSvc' -startuptype "disabled"

Powershell Set-Service 'ehRecvr' -startuptype "disabled"

Powershell Set-Service 'ehSched' -startuptype "disabled"

Powershell Set-Service 'Wlansvc' -startuptype "disabled"

Powershell Set-Service 'WwanSvc' -startuptype "disabled"

rem Making miscellaneous modifications

Powershell disable-computerrestore -drive c:\

netsh advfirewall set allprofiles state off

powercfg -H OFF

net stop "sysmain"

fsutil behavior set DisableLastAccess 1

rem Making modifications to Scheduled Tasks

schtasks /change /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /Disable

schtasks /change /TN "\Microsoft\Windows\SystemRestore\SR" /Disable

schtasks /change /TN "\Microsoft\Windows\Registry\RegIdleBackup" /Disable

schtasks /change /TN "\Microsoft\Windows Defender\MPIdleTask" /Disable

schtasks /change /TN "\Microsoft\Windows Defender\MP Scheduled Scan" /Disable

schtasks /change /TN "\Microsoft\Windows\Maintenance\WinSAT" /Disable
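
To apply the same review to a fresh copy of VMware's script, the check below scans a script and reports each of the nine lines this post removes, with the reason given above. It is an added example, not part of the original post or of VMware's guide; the function name `review`, the lookup tables and the sample input are assumptions made for illustration.

```python
import re

# Lines the post removes, with the author's reason (tables are this example's own).
SERVICES = {
    "themes": "interface looks crude without themes",
    "vss": "required by Persona Management",
    "windefend": "Defender disabled; can block Windows Update",
    "wsearch": "users expect Windows Search",
    "wuauserv": "disable by GPO, keep enabled on the master image",
}
REG_VALUES = {"wallpaper": "forces a plain desktop", "norecyclefiles": "turns off the recycle bin"}
COMMANDS = {
    "bcdedit /set bootux disabled": "blank screen during logon",
    "vssadmin delete shadows": "kept in case Persona Management is used",
}
DISABLE_SVC = re.compile(r"powershell set-service '?([\w-]+)'? -startuptype \"?disabled")

def review(script_text):
    """Return (line_no, line, reason) for each line the post removes."""
    findings = []
    for no, raw in enumerate(script_text.splitlines(), 1):
        line = " ".join(raw.split())            # collapse stray whitespace
        low = line.lower()
        if not low or low.startswith("rem "):   # skip blanks and comments
            continue
        svc = DISABLE_SVC.match(low)
        val = re.search(r" /v (\S+)", low) if low.startswith("reg add ") else None
        if svc:
            reason = SERVICES.get(svc.group(1))
        elif val:
            reason = REG_VALUES.get(val.group(1))
        else:
            reason = next((r for c, r in COMMANDS.items() if low.startswith(c)), None)
        if reason:
            findings.append((no, line, reason))
    return findings

# Constructed sample: commands quoted in the post plus one "manual" line.
SAMPLE = r'''rem constructed sample input
reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /d " " /f
Powershell Set-Service 'VSS' -startuptype "disabled"
Powershell Set-Service 'swprv' -startuptype "disabled"
Powershell Set-Service 'VSS' -startuptype "manual"
bcdedit /set BOOTUX disabled
powercfg -H OFF
'''
if __name__ == "__main__":
    for no, line, reason in review(SAMPLE):
        print(f"line {no}: {reason}\n    {line}")
```

The modified script in the post still disables the two Windows Defender scheduled tasks (MPIdleTask and MP Scheduled Scan); this check covers only the nine lines the post removes.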

