Optimizing Windows 10, Build , for a Virtual Desktop role | Microsoft Docs – Onboarding non-persistent virtual desktop infrastructure (VDI) devices
Enabling this policy will disable that functionality, and might cause connection to public services such as the Windows Store to stop working. NOTE: This policy applies only when this device is configured to connect to an intranet update service using the “Specify intranet Microsoft update service location” policy.
Selecting Disable preview builds will prevent preview builds from installing on the device. Disables preview builds. Enable this policy to specify the level of Preview Build or feature updates to receive, and when. Enable this setting if you would like to prevent the OneDrive sync client OneDrive. If you enable this policy setting, Windows Defender will not send notifications with critical information about the health and security of your device.
The system does not conduct the final drive search. It just displays a message explaining that the file is not found. The people icon will be removed from the taskbar, the corresponding settings toggle is removed from the taskbar settings page, and users will not be able to pin people to the taskbar. Start Menu and Taskbar Turn off feature advertisement balloon notifications Enabled.
Users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next sign in.
If your environment does not connect to the Internet at all, or connects indirectly, you can set a group policy setting to remove the Network icon from the Taskbar. The reason you might want to remove the Network icon from the Taskbar is if you turn off Internet connectivity checks, there will be a yellow flag on the Network icon, even though the network might be functioning normally.
If you would like to remove the network icon as a group policy setting, you can find that in this location:. If you’re considering disabling your system services to conserve resources, great care should be taken that the service being considered isn’t in some way a component of some other service. Note that some services are not in the list because they can’t be disabled in a supported manner. Most of these recommendations mirror recommendations for Windows Server , installed with the Desktop Experience in Guidance on disabling system services on Windows Server with Desktop Experience.
Many services that might seem like good candidates to disable are set to manual service start type. This means that the service won’t automatically start and isn’t started unless a process or event triggers a request to the service being considered for disabling.
Services that are already set to start type Manual are usually not listed here. You can enumerate running services with this PowerShell sample code, outputting only the service short name:.
Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account – this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. Per-user services in Windows 10 and Windows Server. If you intend to change a service start value, the preferred method is to open an elevated.
For more information on using ‘Sc. The following list of tasks are those that perform optimizations or data collections on computers that maintain their state across reboots. When a VDI VM task reboots and discards all changes since last boot, optimizations intended for physical computers are not helpful. You can get all the current scheduled tasks, including descriptions, with the following PowerShell code:. There are several tasks that can’t be disabled via script, even if you’re running elevated.
We recommend that you don’t disable tasks that can’t be disabled using a script. Whether from Microsoft Update, or from your internal resources, apply the available updates including Windows Defender signatures. This is a good time to apply other available updates including Microsoft Office if installed, and other software updates. If PowerShell will remain in the image you can download the latest available help for PowerShell by running the command Update-Help. At some point during the image optimization process available Windows updates should be applied.
There is a setting in Windows 10 Update Settings that can provide additional updates:. This would be a good setting in case you are going to install Microsoft applications such as Microsoft Office to the base image. That way Office is up to date when the image is put in service. There are also .NET updates and certain third-party components such as Adobe that have updates available through Windows Update. One very important consideration for non-persistent VDI VMs is security updates, including security software definition files.
These updates might be released once or more than once per day. There might be a way to retain these updates, including Windows Defender and third-party components. The updates are going to apply nearly every logon session, but the updates are small and should not be a problem. Additionally, the VM won’t be behind on updates because only the latest available updates will apply.
The same might be true for third-party definition files. Modern versions of Office such as Microsoft update through their own mechanisms when directly connected to the Internet, or via management technologies when not.
Windows is configured, by default, to collect and save limited diagnostic data. The purpose is to enable diagnostics, or to record data if further troubleshooting is necessary. Automatic system traces can be found at the location shown in the following illustration:. Others, such as the ‘WiFiSession’ trace can be stopped. To stop a running trace under Event Trace Sessions right-click the trace and then click ‘Stop’. Use the following procedure to prevent the traces from starting automatically on startup:.
The above article contains procedures to service the ‘gold’ VDI image, and how to maintain the VDI clients as they are running. To reduce network bandwidth when VDI computers need to update their Windows Defender signatures, stagger reboots, and schedule reboots during off hours where possible. The Windows Defender signature updates can be contained internally on file shares, and where practical, have those files shares on the same or close networking segments as the VDI virtual machines.
There are some registry settings that can increase network performance. This is especially important in environments where the VDI or computer has a workload that is primarily network-based. The settings in this section are recommended to bias performance toward networking, by setting up additional buffering and caching of things like directory entries. Some settings in this section are registry-based only and should be incorporated in the base image before the image is deployed for production use.
The following settings are documented in the Windows Server Performance Tuning Guideline , published on Microsoft. Applies to Windows The default is 0. By default, the SMB redirector throttles throughput across high-latency network connections, in some cases to avoid network-related timeouts.
Setting this registry value to 1 disables this throttling, enabling higher file transfer throughput over high-latency network connections. Consider setting this value to 1. The default is 64 , with a valid range of 1 to This value is used to determine the amount of file metadata that can be cached by the client. Increasing the value can reduce network traffic and increase performance when many files are accessed.
Try increasing this value to The default is 16 , with a valid range of 1 to This value is used to determine the amount of directory information that can be cached by the client. Increasing the value can reduce network traffic and increase performance when large directories are accessed.
Consider increasing this value to The default is , with a valid range of 1 to This value is used to determine the amount of file name information that can be cached by the client. Increasing the value can reduce network traffic and increase performance when many file names are accessed. The default is This parameter specifies the maximum number of files that should be left open on a shared resource after the application has closed the file.
Where many thousands of clients are connecting to SMB servers, consider reducing this value to Registry-only settings can be configured by using Windows PowerShell as well, as in the following example:.
Microsoft has released a baseline, created using the same procedures as the Windows Security Baselines , for environments that are either not connected directly to the Internet, or wish to reduce data sent to Microsoft and other services.
The Windows Restricted Traffic Limited Functionality Baseline settings are called out in the group policy table with an asterisk. After the image is prepared, updated, and configured, one of the last tasks to perform is disk cleanup.
There is a built-in tool called the “Disk Cleanup Wizard” that can help clean up most potential areas of disk space savings. On a VM that has very little installed, but was fully patched you can usually get about 4GB disk space freed up running Disk Cleanup.
Here are suggestions for various disk cleanup tasks. These should all be tested before implementing:. Run elevated Disk Cleanup Wizard after applying all updates. This process can be automated, using command line Cleanmgr. On a test VM, from a clean installation, running Cleanmgr. If you set more options, or all options, those options are recorded in the registry, according to the Index value provided in the previous command Cleanmgr.
In this case, we are going to use the value 11 as our index, for a subsequent automated disk cleanup procedure. After running Cleanmgr.
You can check every option, and then click OK. The Disk Cleanup Wizard disappears and your settings are saved in the registry.
Open an elevated command prompt and run the vssadmin list shadows command and then the vssadmin list shadowstorage command.
Instructions to migrate to the new unified solution are at Server migration scenarios in Microsoft Defender for Endpoint.
The following registry is relevant only when the aim is to achieve a ‘Single entry for each device’. Follow the server onboarding process. With the ability to easily deploy updates to VMs running in VDIs, we’ve shortened this guide to focus on how you can get updates on your machines quickly and easily.
You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it’s turned on. If you have onboarded the master image of your Non-Persistent VDI environment (SENSE service is running), then you must offboard and clear some data before putting the image back into production. After onboarding devices to the service, it’s important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.
Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections.
Windows 10 vdi
This article helps you choose settings for Windows 10, version build that should result in the best performance in a Virtualized Desktop Infrastructure VDI environment. All settings in this guide are recommendations to be considered and are in no way requirements.
The key ways to optimize Windows 10 performance in a VDI environment are to minimize app graphic redraws, background activities that have no major benefit to the VDI environment, and generally reduce running processes to the bare minimum.
A secondary goal is to reduce disk space usage in the base image to the bare minimum. With VDI implementations, the smallest possible base, or “gold” image size, can slightly reduce memory usage on the hypervisor, as well as a small reduction in overall network operations required to deliver the desktop image to the consumer.
These recommended settings can be applied to other Windows 10 installations, including those on physical or other virtual machines. No recommendations in this article should affect supportability of Windows 10. A VDI environment presents a full desktop session, including applications, to a computer user over a network. The network delivery vehicle can be an on-premises network or could be the Internet.
VDI environments are a “base” operating system image, which then becomes the basis for the desktops subsequently presented to the users. There are variations of VDI implementations such as “persistent”, “non-persistent”, and “desktop session”. The non-persistent type does not preserve changes to the VDI desktop OS from one session to the next.
To the user, this desktop isn’t much different to any other virtual or physical device, other than being accessed over a network. The optimization settings would take place on a reference device. A VM would be an ideal place to build the image, because the state can be saved, checkpoints can be made, and backups can be done.
A default OS installation is performed on the base VM. That base VM is then optimized by removing unnecessary apps, installing Windows updates, installing other updates, deleting temporary files, and applying settings.
An in-depth discussion regarding these technologies is outside the scope of this article. This article focuses on the Windows base image settings, without reference to other factors in the environment such as host optimization.
Security and stability are top priorities for Microsoft when it comes to products and services. Enterprise customers might choose to utilize the built-in Windows Security, a suite of services that work well with or without Internet. For those VDI environments not connected to the Internet, security signatures can be downloaded several times per day, as Microsoft might release more than one signature update per day. Those signatures can then be provided to the VDI VMs and scheduled to be installed during production, regardless of persistent or non-persistent.
That way the VM protection is as current as possible. There are some security settings that are not applicable to VDI environments that are not connected to the Internet, and thus not able to participate in cloud-enabled security. There are other settings that “normal” Windows devices might utilize such as Cloud Experience, The Windows Store, and so on. Removing access to unused features reduces footprint, network bandwidth, and attack surface.
Regarding updates, Windows 10 utilizes a monthly update algorithm, so there is no need for clients to attempt to update. In most cases VDI administrators control the update process by shutting down the VMs based on a “master” or “gold” image, unsealing that read-only image, patching it, then resealing it and bringing it back into production. Windows Update or Microsoft Intune can also be used.
System Center Configuration Manager can be used to handle update and other package delivery. It’s up to each organization to determine the best approach to updating VDI.
This script was designed to suit your environment and requirements. These files contain lists of apps to be removed, and services to be disabled. If you do not wish to remove a particular app or disable a particular service, edit the corresponding text file and remove the item. Finally, there are local policy settings that can be imported into your device. It is better to have some settings within the base image, than to have the settings applied through the group policy, as some of the settings are effective on the next restart, or when a component is first used.
Other software layers of the VDI solution provide the users easy and seamless access to their assigned VMs, often with a single sign-on solution.
Traditional virtual machine, where the VM has its own virtual disk file, starts up normally, saves changes from one session to the next. The difference is how the user accesses this VM. There might be a web portal the user logs into that automatically directs the user to their one or more assigned VDI VMs. Image-based persistent virtual machine, optionally with personal virtual disks. A VM is created, and one or more virtual disks are created and assigned to this disk for persistent storage.
When the VM is started, a copy of the base image is read into the memory of that VM. At the same time, a persistent virtual disk is assigned to that VM, with any previous operating system changes merged through a complex process. Changes such as event log writes, log writes, etc. In this circumstance, operating system and app servicing might operate normally, using traditional servicing software such as Windows Server Update Services, or other management technologies.
At some point updates must be applied to the master. This is where implementations decide how the user persistent changes are handled. It might also be that the changes the user makes are kept through monthly quality updates, and the base is reset following a Feature Update.
When a non-persistent VDI implementation is based on a base or “gold” image, the optimizations are mostly performed in the base image, and then through local settings and local policies. With image-based non-persistent VDI, the base image is read-only. When a non-persistent VM is started, a copy of the base image is streamed to the VM.
Activity that occurs during startup and thereafter until the next reboot is redirected to a temporary location. Users are usually provided network locations to store their data. In some cases, the user’s profile is merged with the standard VM to provide the user with their settings. One important aspect of non-persistent VDI that is based on a single image is servicing. Updates to the operating system and components are delivered usually once per month. With image-based VDI, there is a set of processes that must be performed to get updates to the image:.
This means the users are redirected to other VMs. The base image is then opened and started up. All maintenance activities are then performed, such as operating system updates, .NET updates, app updates, etc. Windows 10 performs a set of maintenance tasks, automatically, on a periodic basis. There is a scheduled task that is set to run at AM every day by default.
This scheduled task performs a list of tasks, including Windows Update cleanup. You can view all the categories of maintenance that take place automatically with this PowerShell command:. One of the challenges with non-persistent VDI is that when a user logs off, nearly all the operating system activity is discarded. Therefore, optimizations intended for a Windows computer that saves state from one session to the next are not applicable.
Indexing might be a partial waste of resources, as would be any disk optimizations such as a traditional defragmentation. If preparing an image using virtualization, and if connected to the Internet during image creation process, on first logon you should postpone Feature Updates by going to Settings , Windows Update.
Windows 10 has a built-in capability called the System Preparation Tool , often abbreviated to “Sysprep”. The Sysprep tool is used to prepare a customized Windows 10 image for duplication. The Sysprep process assures the resulting operating system is properly unique to run in production. There are reasons for and against running Sysprep. In the case of VDI, you might want the ability to customize the default user profile which would be used as the profile template for subsequent users that log on using this image.
You might have apps that you want installed, but also able to control per-app settings. The alternative is to use a standard .ISO to install from, possibly using an unattended installation answer file, and a task sequence to install applications or remove applications. Anytime that Windows defaults are changed, questions arise regarding supportability. Once a VDI image VM or session is customized, every change made to the image needs to be tracked in a change log.
At troubleshooting, often an image can be isolated in a pool and configured for problem analysis. Once a problem has been tracked to the root cause, that change can then be rolled out to the test environment first, and ultimately to the production workload. This document intentionally avoids touching system services, policies, or tasks that affect security. After that comes Windows servicing.
The ability to service VDI images outside of maintenance windows is removed, as maintenance windows are when most servicing events take place in VDI environments, except for security software updates.
Consider supportability when altering default Windows settings. Difficult problems can arise when altering system services, policies, or scheduled tasks, in the name of hardening, “lightening”, etc. Consult the Microsoft Knowledge Base for current known issues regarding altered default settings. The guidance in this document, and the associated script on GitHub will be maintained with regards to known issues, if any arise.
In addition, you can report issues in several ways to Microsoft. You can use your favorite search engine with the terms “”start value” site:support. You might note that this document and the associated scripts on GitHub do not modify any default permissions.
If you are interested in increasing your security settings, start with the project known as AaronLocker. For more information, see “AaronLocker” overview. One of the goals of a VDI image is to be as light as possible. One way to reduce the size of the image is to remove UWP applications that won’t be used in the environment. With UWP apps, there are the main application files, also known as the payload.