Tuesday, August 9, 2022

Vdi windows 10 -

Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role

Recommended configuration for VDI desktops | Microsoft Docs



 

That means that whether you have 1 or users connected, you must always have an Azure nested virtual infrastructure that can support all users running all the time. To me, this limits your ability to manage runtime costs if you are using VDI. Will It Get Easier? I believe that using Windows 10 in Azure will be easier over time, but for now, using Windows Server and RDS will provide the capabilities your users need, while providing a cost-effective solution.


Customers often come to us asking for VDI, but after understanding what they are truly looking for, they understand how RDS can

These recommended settings can be applied to other Windows 10 installations, including those on physical or other virtual machines.

No recommendations in this article should affect supportability of Windows 10. A VDI environment presents a full desktop session, including applications, to a computer user over a network.

The network delivery vehicle can be an on-premises network or could be the Internet. VDI environments use a "base" operating system image, which then becomes the basis for the desktops subsequently presented to the users.

There are variations of VDI implementations such as "persistent", "non-persistent", and "desktop session". The non-persistent type does not preserve changes to the VDI desktop OS from one session to the next. To the user, this desktop isn't much different to any other virtual or physical device, other than being accessed over a network. The optimization settings would take place on a reference device. A VM would be an ideal place to build the image, because the state can be saved, checkpoints can be made, and backups can be done.

A default OS installation is performed on the base VM. That base VM is then optimized by removing unnecessary apps, installing Windows updates, installing other updates, deleting temporary files, and applying settings. An in-depth discussion regarding these technologies is outside the scope of this article. This article focuses on the Windows base image settings, without reference to other factors in the environment such as host optimization.

Security and stability are top priorities for Microsoft when it comes to products and services. Enterprise customers might choose to utilize the built-in Windows Security, a suite of services that work well with or without Internet. For those VDI environments not connected to the Internet, security signatures can be downloaded several times per day, as Microsoft might release more than one signature update per day.

Those signatures can then be provided to the VDI VMs and scheduled to be installed during production, regardless of persistent or non-persistent. That way the VM protection is as current as possible. There are some security settings that are not applicable to VDI environments that are not connected to the Internet, and thus not able to participate in cloud-enabled security. There are other settings that "normal" Windows devices might utilize such as Cloud Experience, The Windows Store, and so on.

Removing access to unused features reduces footprint, network bandwidth, and attack surface. Regarding updates, Windows 10 utilizes a monthly update algorithm, so there is no need for clients to attempt to update. In most cases VDI administrators control the process of updating through a process of shutting down VMs based on a "master", or "gold" image, unseal that image which is read-only, patch the image, then reseal it and bring it back into production.

Windows Update or Microsoft Intune can also be used. System Center Configuration Manager can be used to handle update and other package delivery. It's up to each organization to determine the best approach to updating VDI.

This script was designed to suit your environment and requirements. These files contain lists of apps to be removed, and services to be disabled. If you do not wish to remove a particular app or disable a particular service, edit the corresponding text file and remove the item.

Finally, there are local policy settings that can be imported into your device. It is better to have some settings within the base image, than to have the settings applied through the group policy, as some of the settings are effective on the next restart, or when a component is first used.

Other software layers of the VDI solution provide the users easy and seamless access to their assigned VMs, often with a single sign-on solution.

Traditional virtual machine, where the VM has its own virtual disk file, starts up normally, saves changes from one session to the next. The difference is how the user accesses this VM. There might be a web portal the user logs into that automatically directs the user to their one or more assigned VDI VMs. Image-based persistent virtual machine, optionally with personal virtual disks. A VM is created, and one or more virtual disks are created and assigned to this disk for persistent storage.

When the VM is started, a copy of the base image is read into the memory of that VM. At the same time, a persistent virtual disk is assigned to that VM, with any previous operating system changes merged through a complex process. Changes such as event log writes, log writes, etc. In this circumstance, operating system and app servicing might operate normally, using traditional servicing software such as Windows Server Update Services, or other management technologies.

At some point updates must be applied to the master. This is where implementations decide how the user persistent changes are handled. It might also be that the changes the user makes are kept through monthly quality updates, and the base is reset following a Feature Update. When a non-persistent VDI implementation is based on a base or "gold" image, the optimizations are mostly performed in the base image, and then through local settings and local policies.

With image-based non-persistent VDI, the base image is read-only. When a non-persistent VM is started, a copy of the base image is streamed to the VM. Activity that occurs during startup and thereafter until the next reboot is redirected to a temporary location.

Users are usually provided network locations to store their data. In some cases, the user's profile is merged with the standard VM to provide the user with their settings. One important aspect of non-persistent VDI that is based on a single image is servicing.

Updates to the operating system and components are delivered usually once per month. With image-based VDI, there is a set of processes that must be performed to get updates to the image: This means the users are redirected to other VMs. The base image is then opened and started up.

All maintenance activities are then performed, such as operating system updates, .NET updates, app updates, etc. Windows 10 performs a set of maintenance tasks, automatically, on a periodic basis. There is a scheduled task that is set to run at AM every day by default. This scheduled task performs a list of tasks, including Windows Update cleanup. You can view all the categories of maintenance that take place automatically with this PowerShell command:

One of the challenges with non-persistent VDI is that when a user logs off, nearly all the operating system activity is discarded. Therefore, optimizations intended for a Windows computer that saves state from one session to the next are not applicable. Indexing might be a partial waste of resources, as would be any disk optimizations such as a traditional defragmentation. If preparing an image using virtualization, and if connected to the Internet during image creation process, on first logon you should postpone Feature Updates by going to Settings, Windows Update.

Windows 10 has a built-in capability called the System Preparation Tool, often abbreviated to "Sysprep". The Sysprep tool is used to prepare a customized Windows 10 image for duplication. The Sysprep process assures the resulting operating system is properly unique to run in production. There are reasons for and against running Sysprep. In the case of VDI, you might want the ability to customize the default user profile which would be used as the profile template for subsequent users that log on using this image.

You might have apps that you want installed, but also able to control per-app settings. The alternative is to use a standard .ISO to install from, possibly using an unattended installation answer file, and a task sequence to install applications or remove applications. Anytime that Windows defaults are changed, questions arise regarding supportability. Once a VDI image VM or session is customized, every change made to the image needs to be tracked in a change log.

At troubleshooting, often an image can be isolated in a pool and configured for problem analysis. Once a problem has been tracked to the root cause, that change can then be rolled out to the test environment first, and ultimately to the production workload.

This document intentionally avoids touching system services, policies, or tasks that affect security. After that comes Windows servicing. The ability to service VDI images outside of maintenance windows is removed, as maintenance windows are when most servicing events take place in VDI environments, except for security software updates.

Consider supportability when altering default Windows settings. Difficult problems can arise when altering system services, policies, or scheduled tasks, in the name of hardening, "lightening", etc. Consult the Microsoft Knowledge Base for current known issues regarding altered default settings. The guidance in this document, and the associated script on GitHub will be maintained with regards to known issues, if any arise.

In addition, you can report issues in several ways to Microsoft. You can use your favorite search engine with the terms ""start value" site:support. You might note that this document and the associated scripts on GitHub do not modify any default permissions. If you are interested in increasing your security settings, start with the project known as AaronLocker.

For more information, see "AaronLocker" overview. One of the goals of a VDI image is to be as light as possible. One way to reduce the size of the image is to remove UWP applications that won't be used in the environment. With UWP apps, there are the main application files, also known as the payload. There is a small amount of data stored in each user's profile for application specific settings. There is also a small amount of data in the 'All Users' profile. Connectivity and timing are important factors when it comes to UWP app cleanup.

If you deploy your base image to a device with no network connectivity, Windows 10 can't connect to the Microsoft Store and download apps and try to install them while you are trying to uninstall them. This might be a good strategy to allow you time to customize your image, and then update what remains at a later stage of the image creation process. If you modify your base .WIM before you install, the apps won't be installed to begin with and your profile creation times will be shorter. Later in this section there is information on how to remove UWP apps from your installation .WIM file. A good strategy for VDI is to provision the apps you want in the base image, then limit or block access to the Microsoft Store afterward. Store apps are updated periodically in the background on normal computers. The UWP apps can be updated during the maintenance window when other updates are applied.

For more information see Universal Windows Platform Apps. UWP apps that are not needed are still in the file system consuming a small amount of disk space. For apps that will never be needed, the payload of unwanted UWP apps can be removed from the base image using PowerShell commands.

In fact, if you remove those from the installation .WIM file using the links provided later in this section, you should be able to start from the beginning with a very slim list of UWP apps. Run the following command to enumerate provisioned UWP apps from a running operating system, as in this truncated example output from PowerShell: UWP apps that are provisioned to a system can be removed during operating system installation as part of a task sequence, or later after the operating system is installed.

This might be the preferred method because it makes the overall process of creating or maintaining an image modular. Once you develop the scripts, if something changes in a subsequent build, you edit an existing script rather than repeat the process from scratch. Here are some links to information on this topic: Removing Windows 10 in-box apps during a task sequence.

Windows 10 Keeping apps from coming back when deploying the feature update. Each UWP app should be evaluated for applicability in each unique environment. You'll want to install a default installation of Windows 10, then note which apps are running and consuming memory.

For example, you might want to consider removing apps that start automatically, or apps that automatically display information on the Start Menu, such as Weather and News that might not be of use in your environment. If utilizing the scripts from GitHub, you can easily control which apps are removed before running the script. After downloading the script files, locate the file 'AppxPackages. See the section Customization for details. For more information, see the Windows Server powershell forum.
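The list-driven removal of provisioned UWP apps described above, as an added example that is not part of the original article or of the GitHub scripts it mentions. The function names and the sample list entries are assumptions; only the built-in `Get-AppxProvisionedPackage` and `Remove-AppxProvisionedPackage` cmdlets are relied on, and the returned plan doubles as a change-log record for the image.

```powershell
#Requires -RunAsAdministrator
# Added example: remove provisioned UWP apps named in a reviewed list from the
# running reference image, and return a record of what was kept or removed.

function Get-ProvisionedAppPlan {
    # Hypothetical helper: classifies each provisioned package as Keep or Remove.
    [CmdletBinding()]
    param(
        # Display names (wildcards allowed) of provisioned packages to remove.
        [Parameter(Mandatory)] [string[]] $RemoveList,
        # Packages to evaluate; defaults to those provisioned in the running OS.
        [object[]] $Provisioned = (Get-AppxProvisionedPackage -Online)
    )
    foreach ($pkg in $Provisioned) {
        # First list entry that matches this package's display name, if any.
        $rule = $RemoveList | Where-Object { $pkg.DisplayName -like $_ } |
            Select-Object -First 1
        [pscustomobject]@{
            DisplayName = $pkg.DisplayName
            PackageName = $pkg.PackageName
            Action      = if ($rule) { 'Remove' } else { 'Keep' }
            MatchedRule = $rule
        }
    }
}

function Remove-ListedProvisionedApp {
    # Hypothetical helper: applies the plan; honours -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)] [string[]] $RemoveList)

    $plan = @(Get-ProvisionedAppPlan -RemoveList $RemoveList)
    foreach ($item in @($plan | Where-Object { $_.Action -eq 'Remove' })) {
        if ($PSCmdlet.ShouldProcess($item.PackageName, 'Remove-AppxProvisionedPackage')) {
            try {
                Remove-AppxProvisionedPackage -Online -PackageName $item.PackageName `
                    -ErrorAction Stop | Out-Null
                $item.Action = 'Removed'
            }
            catch {
                # Record the failure instead of aborting the rest of the list.
                $item.Action = "Failed: $($_.Exception.Message)"
            }
        }
    }
    $plan   # one row per provisioned package, suitable for the image change log
}

# Constructed sample list; replace with the apps reviewed for your environment.
$removeList = @('Microsoft.BingWeather', 'Microsoft.Xbox*')

# Dry run first: shows what would be removed without changing the image.
Remove-ListedProvisionedApp -RemoveList $removeList -WhatIf |
    Format-Table DisplayName, Action, MatchedRule
```

Run it without `-WhatIf` only on the reference VM after taking a checkpoint, and keep the returned table with the image's change log.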

To enumerate currently installed Windows Features, run the following PowerShell command: Next, you might want to remove the Windows Media Player package. There are two Windows Media Player packages in Windows 10 You can use the built-in Dism.

A Dism. The Windows technology involved is called Features on Demand. Any settings made to this file will be applied to any subsequent user profiles created from a device running this image. You can control which settings to apply to the default user profile, by editing the file 'DefaultUserSettings. One setting that you might want to consider carefully, new to this iteration of settings recommendations, is a setting called TaskbarSmallIcons.

This parameter specifies the maximum number of files that should be left open on a shared resource after the application has closed the file. Where many thousands of clients are connecting to SMB servers, consider reducing this value to You can configure registry-only settings by using Windows PowerShell as well, as in the following example:

Microsoft has released a baseline created using the same procedures as the Windows Security Baselines, for environments that are either not connected directly to the Internet, or want to reduce data sent to Microsoft and other services. Disk cleanup can be especially helpful with master image VDI implementations. After the master image is prepared, updated, and configured, one of the last tasks to perform is disk cleanup. The Disk Cleanup wizard built into Windows can help clean up most potential areas of disk space savings.

The Disk Cleanup wizard is no longer being developed. Windows will use other methods to provide disk cleanup functions. Here are suggestions for various disk cleanup tasks. You should test these before implementing any of them: Run the Disk Cleanup wizard elevated after applying all updates.

You can automate this process with Cleanmgr. This option sets registry values that can be used later to automate disk cleanup, using every available option in the Disk Cleanup wizard. If you set more options, or all options, those options are recorded in the registry, according to the index value provided in the previous command Cleanmgr.

In this example, we use the value 11 as our index, for a subsequent automated disk cleanup procedure. After running Cleanmgr.

You can select every option, and then select OK. You will notice that the Disk Cleanup wizard just disappears. However, the settings you selected are saved in the registry, and can be invoked by running Cleanmgr. Clean up Volume Shadow Copy storage, if any is in use.

To do this, run the following commands in an elevated prompt: If the output from these commands is No items found that satisfy the query.

You can use following sample PowerShell code to assist in removing OneDrive from the image: For any questions or concerns about the information in this paper, contact your Microsoft account team, research the Microsoft VDI blog, post a message to Microsoft forums, or contact Microsoft for questions or concerns.

Note Settings recommended here can be applied to other installations of Windows 10, version , including those on physical or other virtual devices. Note Windows 10 performs a set of maintenance tasks automatically, on a periodic basis.

You can view all the categories of maintenance that take place automatically with this PowerShell command: Get-ScheduledTask? Note In this table of group policy settings, items marked with an asterisk are from the Windows Restricted Traffic Limited Functionality Baseline. Note The Disk Cleanup wizard is no longer being developed.

Disabled Settings will not contact Microsoft content services to retrieve tips and help content. Enabled This policy setting controls whether the lock screen appears for users. Enabled This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users--it replaces the default image. A low resolution, non-complex image would cause less data transmitted over the network each time the image is rendered.

Enabled If you enable this policy setting, automatic learning stops, and any stored data is deleted. Users cannot configure this setting in Control Panel. Disabled Windows does not connect to an online font provider and only enumerates locally installed fonts.

Network Connectivity Status Indicator Note that there are other settings in this section that can be used in isolated networks. Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services.

Disabled Connect to suggested open hotspots, Connect to networks shared by my contacts, and Enable paid services will be turned off and users on this device will be prevented from enabling them. Enabled If you enable this policy setting, applications and system features will not be able to receive notifications from the network from WNS or by using notification-polling APIs.

Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point. Prevent Windows from sending an error report when a device driver requests additional software during installation. Disabled Disables web-to-app linking and http(s) URIs will be opened in the default browser instead of starting the associated app. Disabled The Windows device is not discoverable by other devices, and cannot participate in cross-device experiences.

Enabled If you enable this policy setting, all Windows Update features are removed. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website.

Enabled If you enable this policy setting, when you are presented with a certificate issued by an untrusted root authority, your computer will not contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities. NOTE: Only use this policy if you have an alternate means to the latest certificate revocation list. Enabled This policy setting turns off the active tests performed by the Windows Network Connectivity Status Indicator (NCSI) to determine whether your computer is connected to the Internet or to a more limited network. As part of determining the connectivity level, NCSI performs one of two active tests: downloading a page from a dedicated Web server or making a DNS request for a dedicated address.

If you enable this policy setting, NCSI does not run either of the two active tests. Disabled If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. NOTE: Consider this setting very carefully. Windows devices that are joined to a domain should use NT5DS. Enabled If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps.

Enabled If you choose the Force Deny option, Windows apps are not allowed to access account information and employees in your organization cannot change it. Enabled If you choose the Force Deny option, Windows apps are not allowed to access the call history and employees in your organization cannot change it.

Enabled If you choose the Force Deny option, Windows apps are not allowed to access contacts and employees in your organization cannot change it. Enabled If you choose the "Force Allow" option, Windows apps are allowed to access email and employees in your organization cannot change it. Enabled If you choose the Force Deny option, Windows apps are not allowed to access location and employees in your organization cannot change it.

Enabled If you choose the Force Deny option, Windows apps are not allowed to access motion data and employees in your organization cannot change it. Enabled If you choose the Force Deny option, Windows apps are not allowed to access notifications and employees in your organization cannot change it. Enabled If you choose the Force Deny option, Windows apps are not allowed to access tasks and employees in your organization cannot change it.

Enabled If you choose the Force Deny option, Windows apps are not allowed to access the calendar and employees in your organization cannot change it. Enabled If you choose the Force Deny option, Windows apps are not allowed to access the camera and employees in your organization cannot change it. Enabled If you choose the Force Deny option, Windows apps are not allowed to access the microphone and employees in your organization cannot change it. Enabled If you choose the Force Deny option, Windows apps are not allowed to access trusted devices and employees in your organization cannot change it.

Enabled If you choose the Force Deny option, Windows apps are not allowed to communicate with unpaired wireless devices and employees in your organization cannot change it.

Enabled If you choose the Force Deny option, Windows apps will not have access to control radios and employees in your organization cannot change it. Enabled Windows apps are not allowed to make phone calls and employees in your organization cannot change it.

Enabled If you choose the Force Deny option, Windows apps are not allowed to run in the background and employees in your organization cannot change it. Enabled If you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. Disabled SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet.

The user will also not be able to view the location of the last use of their active digitizer on their device. Disabled users won't receive enhanced suggestions while typing in the Address bar.

In addition, users won't be able to change the Suggestions setting. Enabled If you enable this policy setting, user will not be suggested matches when entering Web addresses. The user cannot change the auto-complete for setting web addresses. Disabled If you disable this policy setting, the entry points and functionality associated with this feature are turned off. Enabled If you enable this policy setting, the user cannot use the Compatibility View button or manage the Compatibility View sites list.

Enabled Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop. If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. Enabled If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature.

Enabled If you enable this setting the automatic download and update of map data is turned off. Enabled If you enable this policy setting, features that generate network traffic on the Offline Maps settings page are turned off. Note: This might turn off the entire settings page. Disabled This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services.

   

