Home > Articles > VMware

This chapter is from the book

Foundation Topics

Virtual Hardware and Installation of the Operating System

Microsoft has been producing operating systems for a while now. I still remember my first DOS system and the first time I started using Windows with version 3.1. I’ve poked and prodded pretty much all of Microsoft’s operating systems with the exception of Microsoft Me and Microsoft BOB. All of the Microsoft operating systems, with the exception of Windows 8, were pretty much designed for standalone hardware. This is particularly true for the desktop operating systems (XP, Vista, and 7). Windows 8, released as of the time of this writing, has been designed more for a tablet or touchscreen laptop. At this time, View does not support Windows 8. Although most environments deploy View during their next operating system refresh (usually from XP to Windows 7), quite a few are deployed with Windows XP, usually because of application dependency or end-user comfort.

VMware created two guides to help with optimization of both XP and Windows 7 operating systems in a View environment: the VMware View Windows XP Deployment Guide and the VMware View Optimization Guide for Windows 7. They are excellent references to keep handy. Remember to check the VMware website, because these guides are regularly updated as VMware finds new optimizations that can benefit organizations as they migrate Windows 7 to a virtual environment.

key_topic.jpg

If I were to simplify the process of building and optimizing a virtual desktop, it would look something like the following:

  1. Create a virtual machine as a template for your virtual desktops. Optimize the virtual hardware for the desktop during this step.
  2. Install the latest version of VMware Tools.
  3. Select a time-synchronization method where the virtual machine either synchronizes to the ESXi host or to the Active Directory time source.
  4. Join the Active Directory domain.
  5. If using VMware time synchronization in step 3, disable Windows time.
  6. Install appropriate applications, and tune them for optimal performance.
  7. Enable remote connections.
  8. Install the View Agent.
  9. Patch Windows desktops as needed. Note, this may require a reinstallation of VMware Tools and the View Agent.

Certain steps can be performed regardless of the OS used. By using local GPOs that prevent the use of themes, solid backgrounds, simple screensavers, and other similar settings like adjusting the Performance Options (right-click My Computer > click Properties > Advanced tab), you can realize a fair amount of performance improvement. Part of this process may require training your end users on how best to use their virtual desktops compared to what they might have been used to. Some organizations allow users a bit too much freedom with regard to the management of their desktops. The move to a virtual environment can be the perfect time to reassess end-user requirements and implement appropriate changes. As I often mention in class, one benefit of a virtual desktop infrastructure (VDI) deployment is that the organization regains ownership over the desktop as a tool provided to their end users and not something to use as their personal laptop.

Computers as personal devices have been around for decades, but it’s only in the past 20 years or so that we’ve seen such an explosion of multipurpose need. Today, many organizations are leveraging bring-your-own-device (BYOD) or employee-owned IT (EOIT) policies. These policies enable employees to have a computer system that meets their specific needs and lets them personalize it without putting organizational data at risk. There would likely still need to be an organizational policy on what’s allowed on the desktop versus what’s not allowed, but this kind of configuration allows users flexibility while minimizing risk.

The main thing to keep in mind when it comes to virtual desktops is that services and processes that work well in a physical environment might not work well in a virtual environment. The emphasis placed on storage in a virtual environment may require changes to those services and processes. For example, in Windows 7, an indexing service runs continuously in the background. This adds roughly three to five input/output operations per second (IOPS) of read behavior on a disk. By itself, on a physical system, this is a negligible amount of IOPS. But when you have multiple systems all running regular indexing at the same time, utilizing storage from the same shared storage device, the collective amount of IOPS can result in a significant impact to storage performance. Disabling this service on the master image for a linked clone desktop pool reduces the possibility of unexpected resource contention for end users. The goal is to always ensure the same or better experience for end users than they had before virtualizing their desktops.

Configure Virtual Hardware

The first step in virtual desktop optimization is to optimize the hardware configuration. The best way to do this is when first creating the master image. Do not use a physical-to-virtual (P2V) conversion method to create the master image. Creating an image from a P2V results in a virtual desktop image that includes physical drivers and other components that might not behave well when virtualized. VMware recommends creating a new virtual machine and performing a fresh OS installation. Using the Microsoft Deployment Toolkit (MDT) is one way to ensure that the initial install meets the necessary requirements and allows for the creation of a unique ISO image that is specific to the environment. This ISO image can then be used as part of a zero-touch installation that requires no user interaction. By removing that interaction, you significantly reduce the chance of mistakes occurring. In addition, the MDT can install various applications as part of the base image install. These applications can include VMware Tools and the VMware View Agent. As mentioned earlier, the more interaction that is removed from the install process the better. In this case, by including VMware Tools and the VMware View Agent as part of the install, you ensure that they will automatically be part of the base image.

Many administrators simply accept the default virtual hardware when creating a new virtual machine. To ensure optimal performance, adjusting that hardware is worthwhile. This is often referred to as right sizing the environment and ensures that CPU, memory, disk, and network resources are sized exactly to what is needed by the environment. Removing any hardware that is not needed (such as a CD-ROM or floppy drive) can help keep the virtual machine optimized. Modifying the BIOS of the virtual machine can provide some benefit. For example, you can modify the BIOS to disable serial ports and parallel ports not in use on the virtual machine.

A part of this optimization process is sizing virtual CPU and virtual memory resources. As part of the initial planning of any VDI environment, an analysis of how the current environment is being used, including how the four “food groups” of CPU, memory, disk, and network are used, can help determine how many vCPUs are needed, how much memory is required, the proper sizing of the disks, and how much bandwidth is needed by the virtual desktops. For Windows 7, you can leverage the VMXNET3 virtual network adapter to help ensure better performance for virtual machine network activities.

After the virtual hardware is configured, a fresh install of the operating system should be performed, along with any required patches (as per organizational policy) and service packs. In addition to doing a fresh install, consideration should be given to minimizing the number of applications included with the master image. The fewer applications that exist on the image, the better it will perform and the better the end-user experience will be with it. This has the nice side effect of reducing application conflicts and reducing the number of support calls in relation to those conflicts. Ideally, applications should be virtualized using ThinApp and then streamed, either as a mapped drive to the desktop or through other methods. This will also result in a smaller image, which will allow for the faster deployment of images, whether fully provisioned or linked-clone provisioned.

After you have a basic clean image, you can clone this to create other “master” images for each of your use cases. Many organizations make the mistake of creating a single image with multiple levels of snapshots on it to represent different use cases. Having multiple images can result in a little more administration, but it allows for proper image management for each use case and not just from an operating system or application standpoint. An individual master image for each use case means that individual virtual hardware configuration can also be performed.

As mentioned in the steps listed previously, you must choose how to synchronize the guest operating system to a time source. This is a critical step, particularly with regard to Active Directory. As an experiment, I once tested what would happen when a virtual machine was not synchronized. Over an 18-hour period, the virtual machine drifted by 23 minutes! That is a significant time drift that can cause problems for things like Active Directory, and even some applications. As part of VMware Tools, the ESXi host can be selected as a time source. Alternatively, you can use a centralized time source, ideally the one that Active Directory uses. The rule I follow is that whatever you choose should be consistent across the board for all desktops, the Connection Servers, and Active Directory. For updates on how time changes with each ESXi version, check http://kb.vmware.com/kb/1318.

If you need to stop Windows time (W32Time), you can adjust it by modifying the following Registry entry type to NoSync:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32TimeParameters

The last steps to perform are to install VMware Tools and the VMware View Agent. VMware Tools is needed to ensure that the latest drivers and other features specific to a virtual environment are in place. The VMware View Agent ensures that connectivity and management between the desktop and the Connection Server and between the desktop and the client are maintained. Keep in mind that as you install base applications and additional drivers you might need to reinstall VMware Tools again to ensure that the right drivers stay in place.

To install the View Agent, start by double-clicking the installer executable. This file is named VMware-viewagent-xxxxxx.exe, where the xxxxxx represents the build version. Remember to always read the release notes with each version to see whether a reinstallation of VMware Tools is required before or after upgrading the View Agent. Once the installer starts, complete the steps laid out in the following sections.

Installing the Agent

To install the Agent, follow these steps:

key_topic.jpg
  • Step 1. On the first two screens (the Introduction and the End User Patent Agreement screens), click Next.
  • Step 2. Read the VMware end user license agreement. Then choose I accept the terms in the license agreement and click the Next button.
  • Step 3. Choose which options you want to use with the agent. See Table 6-2 for more details on the options shown in Figure 6-1.

    Figure 6-1

    Figure 6-1. View Agent install options.

    key_topic.jpg

    Table 6-2. VMware View Agent Custom Installation Options

    Option

    What Does It Do?

    USB Redirection

    Allows for USB devices connected to the client to be passed through (if allowed by GPO and View Connection Server policy) to the virtual desktop to be used by the desktop.

    View Composer Agent

    Allows for the creation of special virtual machines as part of the composer process. This is required for master images that will be used to build linked-clone pools.

    Virtual Printing

    Allows users with the full Windows client to print to their local printer rather than to a network printer.

    PCoIP Server

    Allows users to connect to the desktop through the View Connection Server by using the PCoIP protocol. Note that by installing this piece on Windows Vista and Windows 7, guest operation will disable the sleep mode service. On Windows XP systems, this disables standby mode. This helps prevent desktops from going into a state that could make them unusable or appear otherwise hung.

    PCoIP Smartcard

    Allows users to authenticate with smart cards while using PCoIP. If the environment uses smart cards, this setting must be enabled to use them with the PCoIP protocol.

    View Persona Management

    Allows for profile synchronization from the virtual desktop to the repository to ensure that the user’s profile is maintained.

  • Step 4. Select the location where the View Agent will be installed if different from the default location of C:\Program Files\VMware\VMware View\Agent\, and then click Next.
  • Step 5. If Remote Desktop was not already made available, you will seen a screen asking if you want to enable Remote Desktop. Select the choice that is appropriate for the use case of the desktop and click Next.
  • Step 6. Read the summary page and ensure that all the choices are correct. Click Next and wait for the installer to finish.

If the installer includes USB Redirection, this forces the Windows OS to reboot to add a virtual USB device to the system.

Now that a master image has been created and virtual hardware has been configured, we can begin to optimize the OS.

Creating Customization Specifications

Before getting into the details of OS customization, it is worthwhile to review some of the options needed for Sysprep customized pools. In essence, the customization specification is key to the Sysprep process. Having it ready and tested before doing a pool deployment, whether template-provisioned virtual desktops or linked clones using Sysprep, can make the difference between a successful deployment and a frustrating one. The process to create a customization specification is straightforward:

  1. Go to the Customization Specifications Manager found on the vSphere Client Home page.
  2. Click the New button.
  3. Choose the appropriate OS from the Target Virtual Machine OS. In this case, it is Windows because Linux is not a supported OS for View.
  4. In the Customization Specification Information dialog box, enter a name. You can enter a description as well (helpful when multiple customization specifications exist). Click Next.
  5. Enter the virtual machine owner’s name and organization. This will likely be a generic owner name and the actual organization name. Click Next.
  6. Specify that the computer name will be derived from the virtual machine name. This option must be selected for desktops that will be used with Sysprep. Select Use the virtual machine’s name and click Next.
  7. Specify a volume license and click Next.
  8. Configure the local administrator and click Next.
  9. Select the time zone and click Next.
  10. (Optional) If there are scripts or commands that have to be run when the user first logs in, add them to the Run Once page. Click Next.
  11. Network settings should always be set to Typical settings because Dynamic Host Configuration Protocol (DHCP) is currently the only supported addressing method for automated pools. Click Next.
  12. Add appropriate domain information. The computer should be removed from the domain before you attempt to join the template to the same (or a different) domain. If the computer has not been removed, it is very likely that attempting to join the template to the domain will fail. Click Next.
  13. Select Generate new security ID (SID) and click Next.
  14. Click Finish to save all the settings.

This ensures that any new desktop created will have a consistent look and feel to it. Also, using a customization specification reduces the possibility of user errors interspersed in various desktops as part of their creation.

Most environments will deploy a VDI environment as part of an operating system refresh when moving from Windows XP to Windows 7. To that end, the focus in this chapter is on Windows 7 as the OS that will be optimized. Although the Optimization Guide does have two .bat scripts to turn services off, it is important to understand why it is necessary to turn off certain services and why some may be left on.

One of the big challenges with administering desktops is the reliance on the end user to keep the system up to date and to not perform activities that are harmful to the desktop and the network it is part of. In an attempt to reduce vectors of attacks and find ways to optimize performance, Microsoft moved a variety of tasks into service processes that could be automated. This ensures that activities like defragmentation of the disk occur on a regular schedule. As mentioned earlier, these processes were initially designed for physical systems and might not perform well for virtual machines with shared storage. Understanding what each service is, what it does, and whether to allow it to continue to run is a critical part of virtual desktop optimization.

Before looking at each service, note this one important thing: Even if a service is set to Manual, you might want to disable it to avoid the possibility that it might get restarted. You can adjust these services using a post installation script or by building the settings into the ISO image that is created.

The first service to look at is the BitLocker Drive Encryption Service. This service was introduced to encrypt whole volumes as an extra layer of protection against compromise, particularly if a laptop (or even just a disk) is stolen. The challenge with this service is that the constant encryption behavior performed by the service increases activity on the disk. This adds additional load for full-provisioned virtual machines that exist on a shared storage array. For linked clones, this method of encryption is unnecessary and would seriously impact performance for the shared C: drive of the replica. The setting for the service defaults to Manual, but you should definitely set it to Disable. Even if the image might be used with local mode, you should avoid the use of this feature. Local mode has its own encryption method, so using this feature would be unnecessary and would only impact performance. Put simply, this feature should not be used in a VDI environment.

The Block Level Backup Engine Service was created to allow workstations to perform a block-level backup rather than backing up individual files. This ensures that decentralized environments are backed up and data is protected. Because a VDI implementation relocates all data into the datacenter and allows for centralized backup to occur, this service is not needed. Again, this service defaults to Manual, but you should set it to Disable as a best practice.

Desktop Window Manager Session Manager, besides being a mouthful to say, is a service that may or may not be disabled for an environment. This service renders the desktop Aero environment if used. If the environment requires Aero, this service must be enabled. If Aero will not be used, set the value to Disable. By default, the service is enabled and set to start and run at boot.

One feature that has been part of Windows for a long time is disk defragmentation. Users often forget to do a disk defrag regularly, and as a result, disk performance slows down as fragmentation increases. Making this available as an automated scheduled service addressed this problem. However, having the defragmentation feature running on virtual disks causes unnecessary I/O, particularly for linked clones. The Disk Defragmenter Service should be run only on the master image. This will ensure that it is part of the replica, and then whenever a linked clone is refreshed, the disk will be optimized to begin with. By default, the service is set to Manual, but you should definitely set it to Disable for all virtual desktop types.

Sometimes, trying to determine what is causing problems on a desktop can prove challenging. The Diagnostic Policy Service was added to help identify problematic issues and to help end users troubleshoot them. For environments where end users need to perform troubleshooting, and for environments with various hardware and software footprints, this service can prove helpful. However, in a View environment, the master image remains unchanged and the hardware settings remain unchanged, so you have no need for this service.

Both the Home Group Listener service and Home Group Provider service were introduced to help make home networking and shared printer setup easier for the home environment. Within Active Directory environments, these services are unnecessary and should have their default setting of Manual changed to Disable for all systems, physical or virtual. Another networking service, the IP Helper service, should also be looked at. If your environment leverages IPv6, it is worthwhile to keep this service; otherwise, you should change its setting from the default of Automatic to Disable.

A number of services are not needed after a desktop is virtualized. These services may offer something for physical hardware, but they become unnecessary because we are leveraging virtual hardware. Leaving the following services running or potentially available could result in excess resource utilization or spikes in disk I/O by the guest OS:

  • Microsoft iSCSI Service
  • Tablet PC Input Service
  • WLAN AutoConfig
  • WWAN AutoConfig
  • SSDP Discovery

If the desktop I was configuring were physical, I would have to consider whether these services might be needed. For example, the WLAN AutoConfig service is for wireless access, definitely an unnecessary service in a virtual environment because the virtual desktops reside in the datacenter. The Simple Service Discovery Protocol (SSDP) service was designed to help home and small business environments with network IP assignment without needing a full server to provide for things like DHCP and other similar services. Disabling SSDP also means that Universal Plug-and-Play (UPnP) service, the actual service that makes it easier to connect devices to PCs, will have to be disabled (because it is dependent on SSDP).

You still have to consider the use of some services, however, regardless of whether you want to use them because other services or functions might be dependent on the service in question. The Microsoft Software Shadow Copy Provider service, which is used by the Virtual Shadow Service (VSS) for backups, is one such example. If you back up the user data from a central location because of profile configuration, individual desktops do not necessarily need to be backed up and you might consider disabling this service. But if you are using View Persona Management, this service must be running because Persona Management utilizes the VSS to maintain the regular in-session backup of the profile between the user session and the repository. In fact, if you are using View Persona Management, even though this service is required, you should not use a VSS-based backup application. This can potentially cause corruption of files, which generally is not a good thing.

The Microsoft Software Shadow Copy Provider service, used as a mechanism for backup, should not be confused with Windows Backup. The Windows Backup service allows for the backup of individual workstations. But in a virtualized environment the desktops are located within the datacenter, and backups are performed either with the Microsoft Software Shadow Copy Provider service or with the backup mechanism that takes care of the centralized files, and personas are kept as per organizational policy.

Because the environment will be hosted within the datacenter and any remote sessions will come through either a View Security Server or a point-to-point VPN, the Secure Socket Tunneling Protocol Service is unnecessary. This service is meant for virtual private network (VPN) connections from the desktop to a VPN broker. Because the desktop has no need to do this, this is definitely a service that should be set to Disable.

The Security Center service might seem an odd service to turn off, but it is appropriate to set this service to Disable for virtual desktops because the features it provides are better provided outside of the guest OS in larger organizations. The Security Center service monitors whether security features like host-based firewall, antivirus, malware detection, and other security programs are running. Because these services often add additional I/O when using traditional versions of them (rather than versions optimized for virtual desktops), it is best not to use them. Products such as vShield Endpoint Protection and other similar vApps, where the protective service runs outside of the virtual machine, are better for overall disk I/O.

One thing that Microsoft attempted to do for Windows Vista (and tried to improve in Windows 7) was to be proactive about starting and loading applications to help speed up performance through the introduction of a service called Superfetch. It uses an algorithm based on commonly used applications to determine what applications would benefit from being cached in memory. Because memory for a virtual machine can be done at a disk level (vswp) as well as within the guest operating system (pagefile.sys), Superfetch use might cause problems for a virtual desktop.

This is one service that should be thoroughly tested to verify whether disabling it will adversely affect specific applications. For most virtual desktop environments, it is safe to disable this service. However, there are always unique cases where specific applications behave differently. One option is to “partially” leverage the Superfetch service by limiting it to just applications. You can also adjust the shadow storage size. The following steps describe how to adjust Superfetch settings. This should be done in the master image/template so that it is pre-optimized when clones are deployed:

  • Step 1. Click the Start button and type regedit in the Search box.
  • Step 2. Press Enter.
  • Step 3. Navigate to the following key location:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\MemoryManagement\PrefetchParameters

  • Step 4. Double-click the Enable Superfetch key. By default the value will be 3. Change this value to one that is appropriate:

    0 = Disable Superfetch

    1 = Cache applications only

    2 = Cache boot files only

    3 = Cache everything (default)

  • Step 5. Choose the value and click OK.
  • Step 6. Select File from the top menu and click Exit.
  • Step 7. Click the Start button and type C:\Windows\Prefetch in the Search box.

    A Windows Explorer window showing the contents of this location should open.

  • Step 8. Delete all the files in this location.
  • Step 9. Restart the Windows OS. The first reboot might take longer because Superfetch will need to repopulate the C:\Windows\Prefetch location with the appropriate files, depending on which option was chosen.

The decision as to whether to run Superfetch also depends on the kind of virtual machine being used and the disk density of the storage device. Those decisions are generally made during the design phase and are thus beyond the scope of this exam. As a best practice, an administrator should consult the appropriate personnel about the design before making these configuration changes.

Another service that can be disabled is the Themes service. Themes were first introduced with Windows 98 and the Plus! add-on. The idea was to enable end users to customize the desktop look and feel to whatever they wanted. Users could have dancing hamsters, leaves falling, or magical snowy backgrounds. All these animations increase the overall utilization of both CPU and memory resources, which can present a challenge for virtual desktops. VMware recommends disabling this service to reduce resource utilization and improve performance. However, it is a required service for Windows Aero and must be enabled if Windows Aero will be used. If a decision has been made to use Windows Aero, the environment should be tested to ensure that the functionality can be supported without undue performance impact. It might be that not every desktop will need Aero, or perhaps you can offer Aero as an optional desktop choice for some users. The default setting is for it to automatically start. If possible, though, you should set this to Disable.

During the Internet boom of the late 1990s and early 2000s, Windows was one of the more prolific operating systems and was the main target for worm, virus, and other malware creators. Most of these developers depended on users not being savvy with regard to the protection of their systems, and for the most part they were correct. Although Microsoft was not in the antivirus or antimalware business, it did recognize the need for these services. In 2004, it acquired GIANT AntiSpyware (originally developed by GIANT Company Software, Inc.). The idea was to include a combo antivirus/antimalware program as part of the OS so that users would not have to determine which third-party application they should trust. In 2006, Windows Defender was officially released as part of Windows Vista. The initial version of this application was limited to antimalware capabilities. Subsequent versions added an antivirus component, and today both Windows 7 and Windows 8 provide full coverage by default.

The inclusion of the antimalware portion was critical as users ventured more and more out to the Internet and spyware was becoming more and more prevalent. For home users and small offices, this is a nice piece of software to help secure desktops. However, in organizations, it is not sufficient because the user can turn off the protection. In addition, the program regularly scans the hard drive for any potential unwelcomed “visitors.” For a virtual enterprise environment, using something like vShield Endpoint or a similar product, where the scan occurs in active processes through the hypervisor, results in less disk I/O impact compared to traditional system protection software. If Defender is going to be used in an enterprise environment, no change needs to be made. If an enterprise application will be employed, you should change this service from the default of Automatic to Disable.

Another service with similar conditions is the Windows Firewall service. This service began with Windows XP as the Internet Connection Firewall service (ICS), which was a basic firewall application. By default, the service was disabled, largely because of concerns about compatibility with existing programs. However, this mindset changed after the Blaster and Sasser worms began to ravage the Internet. With Windows XP Service Pack 2, the service was renamed and significantly improved. One of the main improvements was that the service was enabled by default. With each release, Microsoft has added significant improvements to this service. If this will be the only firewall for your virtual desktops, leave the service running. It is best to ensure that the settings for the service are controlled by Group Policy Objects (GPOs) and that appropriate settings for access are configured. If an organizational firewall will be in place, whether physical or software based, this service should be disabled.

It might seem odd to disable the Windows Error Reporting service, but the logic behind doing so is twofold. This service (originally known as Dr. Watson) was designed as a way for application developers to get error reports sent to them, over the Internet, when errors occurred. This would help lead to better programs and fewer issues. Although this is a good idea for the average home user, for organizations it is better for the IT team to be aware of any issues and address them as part of their support mandate. For an ideal virtual desktop environment, any support application would be virtualized and in a central location where logs would be collected. In addition, because of the nature of virtualization, the number of errors that occur due to conflict with other programs (the more common scenario) will lessen significantly. This brings us back to the clean image concept. Assuming a clean image was used, the need for this service is minimal, and the performance impact from using the service makes it disadvantageous. This service defaults to Manual, but you should set it to Disable.

The Windows Media Center was designed as a way for Windows to control various media devices and to provide access to various devices like TV tuners or FM access. The Windows Media Center Receiver service and the Windows Media Center Scheduler service are not needed for desktops because there is no access to a device like a tuner on the ESXi host. Both services default to Manual, but you should set them to Disable.

The states of the last three services that we look at here depend on use cases and fall into the “it depends” category. The utility of the Windows Search service, the Windows Update service, and the Offline Files service depend largely on how and if they are needed and used. The Windows Search service enables users to find files or folders on the desktop. If very little virtual desktop searching is necessary, you should disable this service. In environments where searching is necessary, it is wise to reduce the density of desktops found within the datastore to help reduce conflicting I/O behavior from the resulting searches against other desktops with similar activity.

The Windows Update service, another service introduced with Windows 98, was originally designed to give users access to additional themes, games, driver updates, and other features not found with the base operating system. Over time, however, this service came to be used for patch management, the most notable being the Y2K fixes. The ability to keep the system up to date in the face of challenges and threats from the Internet has been critical to keeping Windows systems running. However, for virtual environments (particularly linked clones), this service might not be needed. The base image and any patching should come from a central location after sufficient testing of the patch has been performed. (To this day, I still have nightmares over NT4 and Service Pack 6.) Linked clones should never have the Windows Update service running because a refresh would cause any updates to no longer exist. It is better to have the update applied to the base image and a recompose done to ensure that the whole pool has the updated features as part of the desktops. The default setting for the Windows Update service is Automatic, so this should be changed to Disable unless needed (say, for a local mode desktop or fully provisioned virtual machines).

The last service, the Offline Files service, was created to enable users to access files even when the network is down. Because the virtual environment is based on the network, this service is not really needed. Again, the exception would be for local mode desktops. The default for this service is Manual, but you should change it to Disable.

You can disable all of these services manually via the graphical user interface (GUI), or you can disable them through command-line options or even a PowerShell script. To do this via a script, use the following syntax:

Powershell Set-Service <Service Name> –startuptype "disabled"

The VMware View Optimization Guide for Windows 7 comes with two batch-shell scripts, one for environments leveraging Persona Management and one for use without Persona Management. These scripts will disable all the services reviewed in this section. Because the scripts are text based, you can modify them as needed to ensure that master images are configured according to use case requirements.

A last thought with regard to these services is this: Disabling these services makes complete sense for virtual desktops that reside in the datacenter. If local mode will be used, any desktops that run locally can actually benefit from leaving these services running. While disabling the services can provide some performance optimizations, the use cases should be carefully considered before any changes are made.

Additionally, the services may still need to be used for any physical desktops that will exist in the environment. This highlights the importance of having a separate organizational unit (OU) for the virtual desktops apart from that of any physical desktops. Conversely, it might be important to block the effects of GPOs used for the physical desktops from being applied on the virtual desktops because those GPOs may have an adverse effect.

To help with the variety of GPOs that could be used within an environment, leverage loopback policy processing. This will tie the use of GPOs to the computer OU the user is in and ensure that the appropriate GPOs are applied, particularly when users move between different desktop OUs.

Although the majority of the optimization benefits come from disabling services, some benefits derive from GPOs being leveraged or through manual adjustments to the master computer image. The assumption may be that everything should be removed or disabled, but certain settings are required, such as enabling RDP access. If these settings are not configured as part of the base image and the user needs RDP to access the desktop, this would present an obvious challenge for accessing the environment. In this section, we take a look at adjustments that should be made using the GPO Editor. To get to the editor, follow these steps:

  • Step 1. Click the Start button.
  • Step 2. In the Search box, type MMC. This opens a blank Microsoft Management Console (MMC).
  • Step 3. Select File from the menu.
  • Step 4. Choose Add or Remove Snap-ins.
  • Step 5. From the Available Snap-ins list, find Group Policy Object Editor.
  • Step 6. Click the Add button.
  • Step 7. For the Group Policy Object, choose either Local Computer (beneficial for computer specific policies like Themes) or the appropriate domain.
  • Step 8. Click Finish and verify that the snap-in shows in the Selected Snap-ins window.
  • Step 9. Click OK.

Over the years, Microsoft has tried to get end users to realize the importance of addressing security issues and updates. Of equal importance was identifying when a Windows system did not have enough protection in place when the user was online. As Microsoft introduced more security features as part of the Windows OS, it became important to let users know when those security services (such as Windows Firewall or Windows Defender) or replacement services weren’t running so that the user would be aware of the issue, and thus protect the OS. To that end, Microsoft added a mechanism to alert users when a vulnerability was present.

Originally known as the Windows Security Center, the Windows Action Center lets users know when those services are not enabled or available and it provides diagnostic advice on how to address maintenance issues (for example, patch updates). Given that the services might have been disabled as part of the optimization process, this could result in warnings that would be unnecessary in a virtual desktop environment and resources being used by the Action Center. By default, this service cannot be turned off completely. However, through a GPO setting, you can disable and remove the Action Center by changing the value of the Remove the Action Center Icon to Enabled in the Administrative Templates under User Configuration, as shown in Figure 6-2. This needs to be done for VDI environments because the security comes through mechanisms in the datacenter rather than through the Guest OS.

key_topic.jpg
Figure 6-2

Figure 6-2. GPO of Action Center

Most applications leave a trail of their activities within the event log. This helps users troubleshoot when application issues arise. The default size of the logs is 1024KB (or 1MB). Depending on the number and complexities of applications on the desktop, the values for these logs might need to be adjusted. You can adjust the various log sizes, in chunks of 64KB, by going to the Event Log Service in the Administrative Templates under Computer Configuration. This particular setting would benefit from being specific to the image rather than applied from the domain.

The same is true for GPO configuration if the Windows Firewall is going to be used. If the Firewall service is disabled, there is no need for a GPO configuration. If the firewall is used, it will be necessary to adjust the settings for items such as Define Port Exceptions, Allow Logging, Allow Remote Desktop Exception, and other features would be necessary for a virtual desktop. The choices made will depend on the use case of the desktop. As part of the test of the master image, adjust each setting one at a time until you reach your required security level.

Internet Explorer is the browser that many users choose for their web experience. If this browser is used in your environment, you must be aware of two settings, one under Computer Configuration and one under User Configuration, that must be adjusted to ensure a better end-user experience. The first, Internet Explorer Settings (cache), is found under User Configuration. By default, Internet Explorer has a cache of 50MB. To improve performance and behavior, you can configure the setting for temporary Internet files to delete upon browser closure. This helps reduce the amount of space used by the browser on the desktops and ensures that data is not carried over from session to session, particularly for fully provisioned virtual machines that are in a floating pool. You can find this setting at Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page.

The second setting, Internet Explorer Settings (using the First Run Wizard), enables you to configure the default behavior of Internet Explorer when it is first launched. By default, Internet Explorer starts by going to the Welcome to IE page. However, this can be changed to a home page appropriate for your users. If you configure this setting in a GPO, you can prevent users from changing the default home page to another that could be detrimental to the performance of the virtual desktop. Because this setting is applied to the computer configuration, this can be done as part of the master image to ensure that it carries over to all users. You can find this setting in the Administrative Templates at Windows Components > Internet Explorer.

Each use case can have a different default home page if necessary because the home page option is configured under User Configuration and can be applied to different OUs. The default home page option is found in the Important URLs GPO under Internet Explorer Maintenance in the Windows Settings section. You can configure other URLs here, too, such as the Search bar URL and Online support page URL. You can configure each setting as appropriate for the organization.

When files are deleted on a Windows system they end up in the Recycle Bin. The files are not deleted until you choose Empty Recycle Bin, and even then the files are not actually deleted and can be recovered using the Restore option. Beginning with Windows Vista, the ability to recover recycled files became possible for each drive. The capability to allow or disallow the recovery can either be adjusted via GPO or configured in the Registry. In a virtual environment, enabling this setting using a GPO allows you to apply it based on each use case found within the environment rather than as a carte blanche setting. You can find this setting under User Configuration > Administrative Templates > Windows Components > Windows Explorer.

Although PCoIP is the default protocol for a View implementation, some end-user clients must use RDP. To ensure that those users can connect using RDP, and to enable the use of network-level authentication, you must enable the settings found in Administrative Templates under Computer Configuration. In the Windows Components > Remote Desktop Services > Remote Desktop Session Host, you can enable the Connections and the Security options.

In the information age, keeping up to date on information can be a challenge. One often used technique is to utilize Rich Site Summary (RSS) feeds. With RSS, websites can publish brief synapses of information to a browser link or other location so that interested individuals are made aware of changes or to aggregate website updates from a variety of sites. To help keep these feeds up to date on a Windows system, Windows 7 typically runs this service in the background. Not surprisingly, this can have an adverse performance effect. Some users (for example, power users or local mode users) might require this feature, so disabling it for them would not be beneficial. If a use case requires the feature to be disabled, you can do so in the Windows Components of the Administrative Templates under User Configuration.

Screensavers were first implemented as a way to save cathode ray tube (CRT) monitors from “ghost” burn-in of the desktop. Over the years, as newer technology was introduced, the need to use screensavers for that purpose lessened, and screensavers began to be used more commonly for security and/or entertainment purposes. The challenge with screensavers is that the more complex they are (for example, screensavers that show a lot of images or have many moving parts) the greater the possibility of a performance hit. In virtual environments, screensavers not only cause performance issues, but in some cases they have been known to cause the desktop to hang. So, the general rule is to not enable screensavers.

For environments that need screensavers (for example, in environments where users forget to lock their desktops), it is worthwhile to configure a GPO for users. As part of the configuration, you can configure specific features of the screensaver so that it works in a manner that benefits both the user and the organization. These features include configuring a requirement for a password to be used to unlock the screensaver, setting a timeout period of inactivity before launching the screensaver, and choosing a specific screensaver. Because these settings are tied to the user configuration under the Control Panel in the Administrative Templates, they will follow the user regardless of the desktop he uses (if that is the desired result).

As the Windows operating system became more and more mainstream, drivers, applications, updates, hardware changes, and more were added to the environment in so many different permutations that the resultant side effects could not be predicted. As a result, these variations could potentially leave a desktop unstable and unusable, frustrating users because of the time needed to perform a full reinstall or an in-place upgrade. These frustrations don’t even account for the possibility of data loss. Because of this issue, Microsoft introduced System Restore, which allows the OS to be restored to a previous state that was functional (sometimes referred to as last known good state). This feature first appeared in Microsoft Me and has evolved over the years. For environments that have a wide variety of hardware/software combinations, this feature has saved more than a few users from having to do a full reinstallation due to the installation of faulty hardware or software.

Because virtual hardware never changes for virtual environments, and because the base Guest OS is configured based on the virtual hardware configuration, the need to return to a last known good state is lessened significantly. As a result, System Restore becomes an unnecessary feature, especially for desktops like those found in a linked-clone pool. So, it is beneficial to configure the Computer Configuration GPO to turn off System Restore. You can find this under the Administrative Templates in the System section.

The use of desktop wallpaper represents another challenge for desktops in a similar vein as screensavers do. The challenge with wallpapers is that they consist of complex images that can cause performance degradation. To alleviate performance concerns, you should configure the desktop to use either a solid-color background or no background. To configure the desktop not to use a background image (and use the default color associated with the desktop profile) using a GPO, go to the GPO Editor under User Configuration in the Desktop section of the Administrative Templates and set the value for Desktop Wallpaper equal to a blank space. The other option is to set the value to a nonexistent file. This will prevent user changes to the desktop background.

Although some might think that the Windows Sideshow service is related to a screensaver concept, it actually relates to how information is displayed on secondary display devices, including mobile phones, tablets, and so on. Because the desktop is located in the datacenter, this is not possible. So, disabling this feature via GPO is important because this will reduce the number of services active on the base image. You can find this particular GPO under Computer Configuration in the Administrative Templates within the subgroup of Windows Components. Just enable the Turn Off Windows Sideshow option.

Summary

This chapter covered a significant amount of information related to optimizing the virtual desktop by optimizing the underlying operating system. The operating system features enabled or disabled should not be chosen based only on the performance benefit but also based on the use case for the desktop. This will ensure that the configuration satisfies the use case while also providing the best possible performance. Without properly optimizing the virtual desktop, there is a good chance that the end user experience will suffer regardless of the chosen protocol.

In the next chapter, we look at a unique desktop configuration known as kiosk mode.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020