Desktop Optimizations for Windows 10 – VDI

Windows 10 was first released in 2015, and a lot has changed since it’s initial release. The OS had it’s up’s and downs: we the VDI engineers, often cursed it, because of those UWP apps and difficulties to get it to work properly in a non-persistent environment. But since Windows 7 is no longer supported and Windows 8(.1) was never really enterprise-ready, Windows 10, it is the best we have. And believe me, there is a lot of beautiful things that can be done with it… if you understand and follow the rules of the VDI game.

General Windows 10 Optimizations

Why optimize a Windows OS one might wonder? Well, the thing is that Microsoft builds their desktop operating system for the desktop computer. It needs to be compatible with any possible device, and any person who uses the OS has to be able to make it work with as little issues as possible. Thus “everything is on by default”. But when you think of the specefics of VDI, a lot of those “everythings” should not be switched on, as a matter of fact they only slow down things. Think for example of bluetooth, automated defragmentation or windows updates. In a none-persistent virtual desktop, running in a datacenter those things are obsolete and often more harmful then helpful. So optimize the hell out of it, so you can deliver well performing computers to your users.

As a start, I can already redirect you to Microsoft’s own recommendations. Microsoft says it this way: “Although the Windows 10 operating system is very well tuned out of the box, there are opportunities for you to refine it further specifically for the corporate Microsoft Virtual Desktop Infrastructure (VDI) environment. In the VDI environment, many background services and tasks are disabled from the beginning.”

What Edition of Windows 10 to Choose?

Every 6 months Microsoft comes with a new release of Windows 10. These releases are mostly supported with updates for 18 months. It is my believe that this short term, high speed update cycle is not feasible in a corporate environment.

What version should you then use ? I suggest the LTSC (previously known as LTSB). This version is supported by Microsoft for an extended period of time and has some other advantage also:

  • With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices.
  • Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. (You might not know this, but Universal Windows Apps can be a real pain, so having a Windows version without them is a blessing)
  • Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or skip releases over a 10-year life cycle.

Currently the latest stable Windows 10 LTSC is version 1809. More information can be found here.

Logon Time

One of the main reasons to decrease user satisfaction is by making them wait for multiple minutes after they entered their credentials. It’s the fist thing they do (every day) and each time they have to wait… too long…

How can you solve this? Know your environment. Some good tools to understand your logon performance are (there are many more options out there but I did not have the pleasure yet to work with them extensivly):

  • Citrix Director
  • ControlUp
  • eg Innovations
  • uberAgent

From experience I know that following are the first points of attention when troubleshooting slow logins:

  • Universal Windows Platform apps
  • User Profiles
  • Group Policy Settings & Preferences
  • Logon Scripts
  • Folder Redirection
  • Antivirus

And if you really wish to go all the way, use this very detailed resource:

https://james-rankin.com/articles/how-to-get-the-fastest-possible-citrix-logon-times/

Also: There seems to be a strange issue with Dual Monitors: When I was using a Windows 1903 based VDI, I experienced extreme long logon times, where a logon could take up to 3 minutes but on a single monitor the same user and same VDI could logon within 30-40 seconds. So far I did not manage to find the root cause, but I thought this was an extra reason to use the LTSC version of Windows. See this Citrix forum and this reddit on VMware for more information.

Scheduled Tasks & Windows Services

Windows comes with many scheduled tasks and windows services that are irrelevant in an environment where all changes are discarded upon reboot.

Did you ever hear of the Citrix Optimizer tool? It comes with a beautiful user interface and you can select/unselect the scheduled tasks and services you wish to disable. Mostly I go through the list of over 100 settings, leaving the defaults as suggested by Citrix (depending upon the requirements of the customer). Some of the optional settings are also worth having a look at, but there you have a bigger chance of breaking things, so use with care. When I start testing I might notice that one or two of the configuration updates were not good and luckily the optimization tool comes with a wonderfull rollback mechanism so you can reset whatever config change you made.

A bow, and a thanks to Martin Zugec, who made this tool possible!

https://support.citrix.com/article/CTX224676

Be aware of:

  • I typically enable the Windows Updates service in my golden image. and disable + stop it in the startup phase of the clones. That makes management easier and faster.
  • BITS is often disabled, but there are tools out there (like Ivanti) that rely on the service.
  • Don’t disable Themes: I once spent a lot of time troubleshooting strange Windows Explorer behavior to solve it by starting the Themes service.
  • Under optional components you’ll find Windows Search. Think twice before you disable this one, because without Windows search your users will have a reduced experience. (FSLogix or Citrix can help you solve this issue)
  • And three more times: Test, Test & Test

Removing Unnecessary Windows 10 Applications

Let’s start with the obvious one, the elephant in the room: UWP Apps. They are a pain, especially in a non-persistent enterprise environment:

  • They contain irrelevant Apps (Xbox-related, Groove Music, Weather,…).
  • They are provisioned at each login (and on a non-persistent that is EACH login. Thus slowing down the user experience.
  • They bloat the user profile, because the apps are installed in %localappdata%\packages.

The best resource I have found on this topic is from James Rankin, it is about Windows 10 1803, but still very relevant:

https://james-rankin.com/articles/how-to-remove-uwp-apps-on-windows-10-v1803/

Microsoft OneDrive

Use OneDrive: For a long time Microsoft OneDrive was installed in the user profile… But since version 19.174 it can be installed in Program Files. So: Make sure that you install the correct version of OneDrive in case you need it. And to use OneDrive in a VDI environment, think FSLogix and Files on Demand.

Don’t Use OneDrive: To prevent OneDrive from installing during initial logon, run following in your base image:

reg load “hku\Default” “C:\Users\Default\NTUSER.DAT”

reg delete HKU\default\software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /f

reg unload “hku\Default”

Page file Sizing

The pagefile has been there since… forever… and still discussions are happening about the preferred size of the pagefile. According extesive tests done by the great guys at GO-EUC, the best options are:

  • Default (System Managed Size) or
  • Fixed 1024 – 1024 MB. (Preferred when using PVS RAM cache or MCS)

The very interesting and detailed test results can be found here.

Ad Blockers… Yes please

The question is, are your users using internet browsers? If the answer is yes, then it is highly advised to use ad blockers, because they will/can have a large impact on the overall performance of your environment. I believe they also make sense from a security point of view: do you want those cookies and trackers all over your corporate network?

The entire test executed by GO-EUC can be found on this page.

Windows 10 Security Settings

Shutdown, Reboot, Hybernate

To make sure that our users don’t accidently shutdown their VDI or event worse a multi-session computer, shared with tens of people. Do the following:

  • Disable Hybernate: Powercfg -h off
  • Disable Shutdown: User Configuration > Administrative Templates > Start Menu and Taskbar > Remove and Prevent Access to the shutdown command.
  • Block Shutdown Privilege: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shut Down the System

Prevent Access to Regedit, CMD & Powershell

In most cases it’s also standard to prevent the user from altering your system and the best places to start are:

  • CMD: User Configuration > Administrative Templates > System > Prevent access to the command prompt
  • Powershell: User Configuration > Administrative Templates > System > Don’t run specified Windows Applications > Add Powershell & Powershell_ISE (x86 & x64)
  • Powershell: User Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn On Script Execution > Allow only signed scripts
  • Registry: User Configuration > Administrative Templates > System > Prevent access to Registry Editing Tools

Note: Make sure you don’t lock yourself out as an Administrator

Local Drives, Network Drives, Client Drives

Local Drives: Your users need files, but those files normally are just their data files. They don’t need access to the system files of your VDI machine. So a rule of thumb: Block access to the Local system:

  • User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent Access to drives from My Computer > Restrict Al Drives

Network Drives: Keep it clean and structured. I have seen envrionments where, through all kinds of rules, there are potentially tens or even hundreds of drives mapped. Believe me, you lose sight of things (never good from a security point of view) and you’ll spend to much time troubleshooting and slow down the logon proces.

Client Drives: I prevent access to all client drives and other USB drives by default. And just in some extreme exceptional cercomstances open access for specific users. With Citrix Policies:

  • Auto connect client drives – Disabled

  • Client drive redirection – Prohibited

  • Client fixed drives – Prohibited

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *