So, colleagues, today we'll talk about preparing a Windows 7 virtual machine for subsequent cloning in a VDI environment. Do not treat this post as an unconditional guide to action; these are only recommendations for administrators on how to optimize Windows 7 as much as possible for efficient use of the hardware resources of virtualization servers. The virtualization platform considered here is the VMware ESX hypervisor, as a leader in its field.
Let me begin with a short introduction. Based on my own experience, I can confidently assert that using a physical machine transferred to a virtual environment as a “golden” image leads to a completely non-optimal use of resources. This is due to the Physical-to-Virtual conversion process. For one or two users (for example, VIPs), this approach certainly has a right to exist, but using such a conversion to create a virtual machine (VM) image will only lead to additional load on the virtualization servers, as mentioned above.
So, the process of preparing a VM begins with the creation of this very VM. Already at this stage, you can optimize the “golden” VM somewhat. First, when creating the network card, specify VMXNet3. Within one VM this saves about 1-2% of hardware resources; however, when deploying VDI for even several hundred users, the savings cease to be something ephemeral. For the hard disk, the ideal solution is a SCSI disk on the LSI Logic SAS controller. It is advisable to use “thin” disks (Thin Provisioning), although if you have a very “thick” storage system ... then one can only envy you!
It is best to remove the floppy drive immediately, as well as the LPT and COM ports.
For RAM, it is best to assign 1-1.5 GB for a 32-bit OS and 1.5-2 GB for a 64-bit OS. Of course, for heavily loaded VMs you can allocate more RAM, but you should not exceed 3 GB for a 32-bit OS and 4 GB for a 64-bit OS.
For the optical drive, use a Windows 7 installation disk mounted to the VM. Make sure that the drive is connected when the VM is powered on (the Connect at Power on option in the VM properties).
Next, install the Windows 7 OS itself. Here everything is left to the discretion of the administrator. I will only note that two options are possible:
• standard fully manual installation (to be considered further);
• semi-automatic installation using the Microsoft Deployment Toolkit (leave for future posts).
So, the OS is installed. Now it’s time to install VMware Tools, VDI software (for example, VMware View Agent or Quest vWorkspace Agent) inside VMware Tools and start optimizing. I recommend immediately disabling (switching to the Disabled state) the following services:
• BitLocker Drive Encryption Service;
• Block Level Backup Engine Service;
• Desktop Window Manager Session Manager;
• Disk Defragmenter;
• Diagnostic Policy Service;
• HomeGroup Listener;
• HomeGroup Provider;
• IP Helper (only if not using IPv6);
• Microsoft iSCSI Initiator Service;
• Microsoft Software Shadow Copy Provider;
• Secure Socket Tunneling Protocol Service;
• Security Center;
• Superfetch (for VMs that are not associated with users);
• Tablet PC Input Service;
• Themes (for VIPs it is better not to disable it, otherwise all the “beauty” will disappear);
• UPnP Device Host;
• Volume Shadow Copy Service;
• Windows Backup;
• Windows Defender (if you use third-party anti-virus software or in the case of "one-time" VMs that will be deleted after the user exits the OS);
• Windows Error Reporting Service;
• Windows Firewall (can also be disabled using Active Directory group policies);
• Windows Media Center Receiver Service;
• Windows Media Center Scheduler Service;
• Windows Search;
• Windows Update;
• WLAN AutoConfig;
• WWAN AutoConfig;
• Offline Files;
• SSDP Discovery.
The list, of course, can be extended or shortened; it all depends on the needs of your infrastructure.
You can use the following PowerShell command to disable services:
powershell Set-Service <service name> -StartupType "Disabled"

Below are a few recommendations on configuring the “golden” image using group policies.
First, the ideal solution would be to use a dedicated OU for all VMs, block inheritance for this OU (preferably, but not necessarily), and enable loopback processing so that the policies assigned to the OU with the VMs are applied uniformly. Again, I’ll clarify that these recommendations refer to ordinary “mortals”, whereas a VIP certainly requires an individual approach.
So, about the policies:
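For the service list above, an added example (not part of the original post): the list gives display names, so this script resolves each one to its service name, reports the current start mode and changes nothing unless `-Apply` is given. The `-IncludeSecurity` and `-Apply` switches and the split into two groups are assumptions of this example; the syntax is kept compatible with the PowerShell 2.0 shipped in Windows 7.

```powershell
# Added example, not from the original post. Run elevated inside the "golden" VM.
param(
    [switch]$IncludeSecurity,  # hypothetical switch: also process the security-related entries
    [switch]$Apply             # hypothetical switch: without it the script only reports
)

# Display names from the list above (subset; extend to match your infrastructure).
$resourceOnly = @(
    'Disk Defragmenter', 'Diagnostic Policy Service', 'HomeGroup Listener',
    'HomeGroup Provider', 'Superfetch', 'Tablet PC Input Service', 'UPnP Device Host',
    'Windows Backup', 'Windows Search', 'WLAN AutoConfig', 'WWAN AutoConfig',
    'Offline Files', 'SSDP Discovery'
)
# Entries that change the security posture of every clone; the post itself makes
# some of them conditional (third-party anti-virus, firewall handled by GPO).
$securityRelated = @(
    'Windows Defender', 'Windows Firewall', 'Security Center', 'Windows Update',
    'BitLocker Drive Encryption Service'
)

$targets = $resourceOnly
if ($IncludeSecurity) { $targets += $securityRelated }

$report = foreach ($displayName in $targets) {
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $svc) {
        # Display names differ between editions and localized builds.
        New-Object PSObject -Property @{
            DisplayName = $displayName; Name = ''; Before = ''; Result = 'NotFound' }
    } else {
        # Get-Service in PowerShell 2.0 does not expose the start mode; WMI does.
        $before = (Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'").StartMode
        $result = 'WouldDisable'
        if ($before -eq 'Disabled') {
            $result = 'AlreadyDisabled'
        } elseif ($Apply) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $svc.Name -StartupType Disabled
            $result = 'Disabled'
        }
        New-Object PSObject -Property @{
            DisplayName = $displayName; Name = $svc.Name; Before = $before; Result = $result }
    }
}
$report | Sort-Object Result, DisplayName |
    Format-Table DisplayName, Name, Before, Result -AutoSize
```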
• Action Center Icon Removal (User Configuration > Administrative Templates > Start Menu and Taskbar) - Remove the Action Center Icon = Enabled.
• Event Logs (Computer Configuration > Administrative Templates > Event Log Service > Specific Event Log) - Maximum log size = 1024 (for all logs - Application log, Security log, System log).
• Firewall (Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties) - Firewall State = Off.
• Internet Explorer Settings (cache) (User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page) - Empty Internet.
• Internet Explorer Settings (first run wizard) (Computer Configuration > Administrative Templates > Windows Components > Internet Explorer) - Prevent performance of First Run Customize = Enabled.
• Recycle Bin (User Configuration > Administrative Templates > Windows Components > Windows Explorer) - bin = Enabled.
• Remote Desktop (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections) - Enable Remote Desktop Services = Enabled.
• Remote Desktop (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security) - Require user authentication = Enabled.
• RSS Feeds (User Configuration > Administrative Templates > Windows Components > RSS Feeds) - Turn Off background.
• Screen Saver (User Configuration > Administrative Templates > Control Panel > Personalization) - set in accordance with the policies of the Company.
• System Restore (Computer Configuration > Administrative Templates > System > System Restore) - Turn Off System Restore = Enabled.
• User Access Control (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options):
o User Account Control: Approval Mode = Elevate without prompting;
o User Account Control: Detect application installations and prompt for elevation = Disabled;
o User Account Control: Only elevate applications that are installed in secure locations = Disabled;
o User Account Control: Run all administrators in Admin Approval Mode = Disabled.
• Wallpaper (User Configuration > Administrative Templates > Desktop > Desktop) - Desktop Wallpaper = “ ” (a space must be used for a desktop without wallpaper; alternatively, you can specify the path to the Company's standard wallpaper).
• Windows Defender (Computer Configuration > Administrative Templates > Windows Components > Windows Defender) - Turn off Windows Defender = Enabled (the limitations on disabling Windows Defender were mentioned earlier).
• Windows Sideshow (Computer Configuration > Administrative Templates > Windows Components > Windows Sideshow) - Turn off Windows Sideshow = Enabled.
• Windows Update (Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings):
o Turn off Access to All Windows Update Features = Enabled;
o Turn off Windows Update Device Driver Searching = Enabled.
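Once the policies above have been applied to the “golden” VM, the values they produce can be read back before the snapshot is taken, so the image records exactly which protections every clone starts without. This is an added example, not part of the original post: the registry locations are the standard ones these settings write to, the mapping of the post's abbreviated setting names to values is this example's reading, and `Test-GoldenImagePolicy` is a hypothetical function name.

```powershell
# Added example, not from the original post. Read-only: reports, changes nothing.
# PowerShell 2.0 compatible (Windows 7 default).
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$sr  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$wd  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Expected values correspond to the settings listed in the post.
$checks = @(
    @{ Setting = 'UAC: elevate without prompting';   Path = $uac; Name = 'ConsentPromptBehaviorAdmin'; Expected = 0 },
    @{ Setting = 'UAC: installer detection';         Path = $uac; Name = 'EnableInstallerDetection';   Expected = 0 },
    @{ Setting = 'UAC: secure locations only';       Path = $uac; Name = 'EnableSecureUIAPaths';       Expected = 0 },
    # A change to EnableLUA takes effect only after a restart: reboot before the snapshot.
    @{ Setting = 'UAC: Admin Approval Mode';         Path = $uac; Name = 'EnableLUA';                  Expected = 0 },
    @{ Setting = 'RDP: connections allowed';         Path = $ts;  Name = 'fDenyTSConnections';         Expected = 0 },
    @{ Setting = 'RDP: require user authentication'; Path = $ts;  Name = 'UserAuthentication';         Expected = 1 },
    @{ Setting = 'System Restore turned off';        Path = $sr;  Name = 'DisableSR';                  Expected = 1 },
    @{ Setting = 'Windows Defender turned off';      Path = $wd;  Name = 'DisableAntiSpyware';         Expected = 1 }
)

function Test-GoldenImagePolicy {
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($c.Name) } else { $actual = $null }

        if ($actual -eq $null)              { $state = 'NotSet' }       # policy not applied yet
        elseif ($actual -eq $c.Expected)    { $state = 'AsDescribed' }
        else                                { $state = 'Differs' }

        New-Object PSObject -Property @{
            Setting = $c.Setting; Value = $actual; Expected = $c.Expected; State = $state }
    }
}

Test-GoldenImagePolicy | Format-Table Setting, Value, Expected, State -AutoSize
```

Rows in state `NotSet` usually mean the computer policy has not been refreshed on the VM since it was moved into the OU.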
After the image is configured, you must run the ipconfig /release command to release the IP address lease on the DHCP server. Now you can turn off the VM. If you plan to use linked clones, then now is the time to take a snapshot of the VM.
That's it, the “golden” VM image is ready for use!
Colleagues, I will be glad to hear and discuss other ways to optimize Windows 7 for further use in the VDI environment.