Desktop Optimizations for Windows 10
Windows 10 was first released in 2015, and a lot has changed since its initial release. The OS had its ups and downs: we VDI engineers often cursed it because of those UWP apps and the difficulty of getting it to work properly in a non-persistent environment. But since Windows 7 is no longer supported and Windows 8(.1) was never really enterprise-ready, Windows 10 is the best we have. And believe me, there are a lot of beautiful things that can be done with it… if you understand and follow the rules of the VDI game.
In this document I describe my experiences with Windows 10 & VDI. I provide links to, and thoughts on, articles that help me when I am setting up or troubleshooting enterprise customer environments.
General Windows 10 Optimizations
Removing Unnecessary Windows 10 Applications
Let’s start with the obvious one, the elephant in the room: UWP Apps. They are a pain, especially in a non-persistent enterprise environment:
- They contain irrelevant Apps (Xbox-related, Groove Music, Weather,…).
- They are provisioned at each login (and on a non-persistent desktop that really is EVERY login), slowing down the user experience.
- They bloat the user profile, because the apps are installed in %localappdata%\packages.
The best resource I have found on this topic is from James Rankin; it is about Windows 10 1803, but still very relevant:
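As an added example (not code from this article or from the James Rankin post it links to), the following PowerShell removes provisioned UWP apps from the golden image except an allow-list, so new non-persistent profiles are not populated with them at logon. The allow-list and the function name are assumptions; adjust the list to what your users actually need.

```powershell
# Added example, not from the article: strip provisioned UWP apps from the golden image
# except an allow-list. Run elevated on the golden image, first with -WhatIf to review.
function Remove-UnneededProvisionedApps {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Keep)
    foreach ($pkg in Get-AppxProvisionedPackage -Online) {
        if ($Keep -contains $pkg.DisplayName) { continue }
        if (-not $PSCmdlet.ShouldProcess($pkg.DisplayName, 'Remove provisioned package')) { continue }
        # Stop the package from being staged into every new user profile at logon
        Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null
        # Also drop it from profiles that already exist in the image (e.g. the build account),
        # otherwise %localappdata%\packages of those profiles keeps the bloat
        Get-AppxPackage -AllUsers -Name $pkg.DisplayName -ErrorAction SilentlyContinue |
            Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
        [pscustomobject]@{ Removed = $pkg.DisplayName; Package = $pkg.PackageName }
    }
}

# Assumed allow-list: the few inbox apps most enterprise users still expect
$Keep = @(
    'Microsoft.WindowsCalculator',
    'Microsoft.Windows.Photos',
    'Microsoft.DesktopAppInstaller'
)
# Dry run: shows what would be removed without touching the image
Remove-UnneededProvisionedApps -Keep $Keep -WhatIf
# Real run, with a report of what was removed
Remove-UnneededProvisionedApps -Keep $Keep | Format-Table -AutoSize
```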
Scheduled Tasks & Windows Services
Windows comes with many scheduled tasks and Windows services that are irrelevant in an environment where all changes are discarded upon reboot.
Did you ever hear of the Citrix Optimizer tool? It comes with a beautiful user interface, and you can select/unselect the scheduled tasks and services you wish to disable. Mostly I just disable all of them, as suggested by Citrix, when I build a new golden image, and modify later if needed.
Be aware of the following:
- I typically enable the Windows Update service in my golden image, and disable + stop it in the startup phase of the clones. That makes management easier and faster.
- BITS is often disabled, but there are tools out there (like Ivanti) that rely on that service.
- Don't disable Themes: I once spent a lot of time troubleshooting strange Windows Explorer behavior, only to solve it by starting the Themes service.
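As an added example (not from the article), a clone startup script that stops and disables the services left enabled in the golden image for maintenance, while refusing to touch the services the list above warns about. The service list, protected list and function name are assumptions; run it as SYSTEM during clone startup.

```powershell
# Added example, not from the article: stop/disable maintenance services on clone startup.
$DisableOnClone = @('wuauserv')        # Windows Update: enabled in the golden image, off on clones
$Protected      = @('Themes', 'BITS')  # Themes: Explorer misbehaves without it; BITS: Ivanti etc. need it

function Disable-CloneService {
    param([string[]]$Names, [string[]]$NeverTouch)
    foreach ($name in $Names) {
        if ($NeverTouch -contains $name) {
            Write-Warning "$name is on the protected list, skipping"
            continue
        }
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            Write-Warning "$name is not present on this image"
            continue
        }
        # Disable first, so a trigger cannot restart the service between Stop and Set
        Set-Service -Name $name -StartupType Disabled
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force
        }
        # Re-read so the report shows the actual state, not what we asked for
        $svc = Get-Service -Name $name
        [pscustomobject]@{ Service = $name; Status = $svc.Status; StartType = $svc.StartType }
    }
}

Disable-CloneService -Names $DisableOnClone -NeverTouch $Protected | Format-Table -AutoSize
```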
One of the main ways to decrease user satisfaction is to make them wait multiple minutes after they have entered their credentials. It's the first thing they do (every day), and each time they have to wait… too long…
How can you solve this? Know your environment. Some good tools for understanding your logon performance are (there are many more options out there, but I have not yet had the pleasure of working with them extensively):
- Citrix Director
- eG Innovations
From experience I know that the following are the first points of attention when troubleshooting slow logons:
- Universal Windows Platform apps
- User Profiles
- Group Policy Settings & Preferences
- Logon Scripts
- Folder Redirection
And if you really wish to go all the way, use this very detailed resource:
Use OneDrive: For a long time Microsoft OneDrive was installed in the user profile… but since version 19.174 it can be installed in Program Files. So make sure that you install the correct version of OneDrive in case you need it. And to use OneDrive in a VDI environment, think FSLogix and Files On-Demand.
Don't Use OneDrive: To prevent OneDrive from installing during initial logon, run the following in your base image:
rem Close regedit and anything else holding the Default hive first, or "reg unload" fails with "Access is denied"
reg load "HKU\Default" "C:\Users\Default\NTUSER.DAT"
rem The Run value in the Default profile is named OneDriveSetup (it launches OneDriveSetup.exe for every new user)
reg delete "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDriveSetup /f
reg unload "HKU\Default"
Windows 10 Security Settings
Shutdown, Reboot, Hibernate
To make sure that our users don't accidentally shut down their VDI or, even worse, a multi-session computer shared with tens of people, do the following:
- Disable Hibernate: powercfg -h off
- Disable Shutdown: User Configuration > Administrative Templates > Start Menu and Taskbar > Remove and Prevent Access to the shutdown command.
- Block Shutdown Privilege: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shut Down the System
Prevent Access to Regedit, CMD & Powershell
In most cases it's also standard to prevent users from altering your system, and the best places to start are:
- CMD: User Configuration > Administrative Templates > System > Prevent access to the command prompt
- Powershell: User Configuration > Administrative Templates > System > Don’t run specified Windows Applications > Add Powershell & Powershell_ISE (x86 & x64)
- Powershell: User Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn On Script Execution > Allow only signed scripts
- Registry: User Configuration > Administrative Templates > System > Prevent access to Registry Editing Tools
Note: Make sure you don't lock yourself out as an Administrator.
Local Drives, Network Drives, Client Drives
Local Drives: Your users need files, but those files normally are just their data files. They don't need access to the system files of your VDI machine. So, as a rule of thumb, block access to the local system drives:
- User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent Access to drives from My Computer > Restrict All Drives
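As an added example (not from the article), the following PowerShell audits, for the user running it, the user-side policies from the previous section and the local-drive restriction above, by reading the registry values those Group Policy settings write. The paths and value names are the policies' registry back-ends; the expected values and the function name are assumptions matching the settings chosen above. Run it once as a test user and once as an administrator to confirm the "don't lock yourself out" note: the admin's rows should show "<not set>".

```powershell
# Added example, not from the article: audit the user lockdown policies for the current user.
$checks = @(
    @{ Setting = 'Prevent access to the command prompt'
       Path    = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name    = 'DisableCMD';           Expect = @(1, 2) },   # 1 also blocks batch files (breaks logon scripts), 2 blocks cmd only
    @{ Setting = 'Prevent access to registry editing tools'
       Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name    = 'DisableRegistryTools'; Expect = @(1, 2) },
    @{ Setting = "Don't run specified Windows applications"
       Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name    = 'DisallowRun';          Expect = @(1) },      # only blocks launches started by Explorer
    @{ Setting = 'Turn on Script Execution: allow only signed scripts'
       Path    = 'HKCU:\Software\Policies\Microsoft\Windows\PowerShell'
       Name    = 'ExecutionPolicy';      Expect = @('AllSigned') },
    @{ Setting = 'Remove and prevent access to the Shut Down command'
       Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name    = 'NoClose';              Expect = @(1) },
    @{ Setting = 'Prevent access to drives from My Computer: restrict all drives'
       Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name    = 'NoViewOnDrive';        Expect = @(0x03FFFFFF) }  # bitmask with every drive letter set
)

function Test-UserLockdownPolicy {
    foreach ($c in $checks) {
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $display = if ($null -eq $value) { '<not set>' } else { $value }
        [pscustomobject]@{
            Setting = $c.Setting
            Value   = $display
            Applied = ($null -ne $value) -and ($c.Expect -contains $value)
        }
    }
}

Test-UserLockdownPolicy | Format-Table -AutoSize -Wrap

# The blocked executables for "Don't run specified Windows applications" live in a subkey,
# one string value per exe name; list them so you can verify powershell.exe and powershell_ise.exe are there
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS*
```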
Network Drives: Keep it clean and structured. I have seen environments where, through all kinds of rules, there are potentially tens or even hundreds of drives mapped. Believe me, you lose sight of things (never good from a security point of view), you'll spend too much time troubleshooting, and you slow down the logon process.
Client Drives: I prevent access to all client drives and other USB drives by default, and only in exceptionally rare circumstances open access for specific users. With Citrix Policies:
- Auto connect client drives – Disabled
- Client drive redirection – Prohibited
- Client fixed drives – Prohibited