Windows VDA Customization/optimization/version selection I feel

Usually do desktop projects, a lot of engineers are asking me a question, why some projects desktop that start, log on fast, why 3D than I this good? But compared to his hardware configuration is not as good as me.

This problem I believe that regardless of which desktop engineering and technical personnel have encountered, of course, this is actually involved in a lot of technical aspects, today we mainly say to the Windows VDA itself optimization, customization part.

VDA or we call Virtual Desktop/Cloud desktop, here is mainly to pay the end user to use the "thing", not related to the background of the various delivery, policy configuration components. In today's virtual desktop market, most of the people use Windows 7, followed by Windows Server r/2012 R2, and now slowly begin to accept Windows 10.

In fact, no matter which version of the operating system, we must make a custom/optimization for this VDA system before delivering it to the end user. Otherwise, in my opinion, this is the disrespect and unprofessional for the customer.

Why do you say that? In fact, a little understanding of Windows system Friends know that Microsoft's Windows products after each large version of the RTM version is not too many people on the production environment, generally have to wait until after the SP1 in the market gradually spread. Microsoft's circle of people must know a joke: Ms things do not SP1 you dare to use it?

This also comes from a side service Pack/hotfix how important this is for system stability improvement. Let's take a look at our popular release history for Windows 7:

Microsoft and October 22, 2009 officially released Windows 7, and February 22, 2011 released windows 7 SP1

Do not know, suddenly found that Windows 7 has been released for 8 years, the SP1 version is 6.5. You can feel the rapid change of it in the past 10 years, if you take a 2011 production of Windows 7 SP1 today, do you think this is in line with the development of the Times?

like the "wanncry" ransomware virus that happened last month, the most correct way to do this is to install it according to MS's requirements and recommendations . ms17-010 Patch (for instructions on this virus and precautions, see Ms MVP Ho's note, the right posture against the ransomware virus ). Many non-it circles of friends asked me, why the most simple and effective way, usually our it do not do. My reply was: this is too low.

You don't see the company that is doing it now. If you're not doing cloud computing, big Data, IoT, or ML, it's really embarrassing to go out and meet people. But IT systems maintain these most basic things lack is often overlooked. In fact, Microsoft's patch update system can be said unrivaled the entire IT sector, basically other vendors at this level basically can not be a candle.

#可能有人会说这是Windows系统写的差, so many loopholes. In fact, whether it is the linux,mac,android system are loopholes, and the number of a lot, do not think that with the MAC, with the iphone can rest assured that the upgrade should not not not rise.

What changes can the patch bring to the system?

1. Security vulnerabilities as described above. In a world of growing IT security, this can be said to be one of the cheapest and most effective end-system protection solutions.

2. Enhancements, which include many of the things our average users may not be aware of, such as: Network performance, certificate chain, specific transport protocol optimizations (such as SMB), but a significant improvement in the end use.

3. New features, new versions, such as the. NET Framework upgrade, and now MS will also push hardware drivers.

   Note: Currently Windows Update can push XenServer 7.x's guest tools driver

So now that we have a Windows 7SP1 installed, if you use Windows Update to update the patch you will find that there are almost 200 patches you are going to install.

This is the increase in the number of components that have accumulated over the years, and it can be said that the Windows 7 SP1, which installs all the patches today and the Windows 7 SP1 released in the current year, are just two different products.

This time a friend will say, I now if really a clean windows 7 SP1 patch upgrade, may not be completed in a few days, the download patch process is slow. In fact, the reason is very simple, because your system is too long, the system comes with the Windows Updage Agent does not match the current Windows Update system, resulting in a very slow traverse patch speed (I have been waiting for 2 days, said more tears) so to speed up the process, We need to manually install the following two patches on the system first:

3020369

3172605

#请先安装3020369, 3020369 is a 3172605 pre-order patch.

After the two patches have been installed, the Windows Update will quickly retrieve and iterate through the patches that need to be installed, and the subsequent download speeds will be fully read.

Of course, in the environment if there are WSUS/SCCM and other management software is more simple.

So finish the patch, this is just a foundation, then you need to optimize the Windows system. Actually said to be optimized, there is nothing here to accelerate this kind of thing. In my view, optimization is actually "cropping" for Windows systems. Cropping means removing, deactivating, and adapting Windows systems to components, services, and policies that are not needed in the virtual desktop system.

#这个动作其实没有一个标准值, many are based on different user applications to continuously adjust the optimization.

From my personal perspective, my base image will do several things like this:

1. Add Delete component inside, remove all other components except:. NET Framework 3.5,windows Media Player, IE

2. Setting the pagefile size (especially in scenarios where physical memory is greater than 4G)

3. Deactivate a service that is not necessary to use,

4. Deactivate a schedule Task that is not necessary to use,

5. Disable the effects, including Aero,
   

Discontinued service, Schedule task This is really a technical work, in the past this operation has to rely on experience to set. I used to make a PSH script, some of which are implemented by PSH. Citrix now provides a VDA image optimization tool called Citrix Optimizer, which can greatly facilitate the use of our frontline staff. (Looking forward to a long time ah ...) ）

https://support.citrix.com/article/CTX224676

650) this.width=650; "Src=" https://s5.51cto.com/wyfs02/M00/9B/0E/wKioL1ldryvgukM3AAAgCjMib5U707.png-wh_500x0-wm_ 3-wmp_4-s_4096016462.png "style=" Float:none; "title=" 2017-07-06_113102.png "alt=" Wkiol1ldryvgukm3aaagcjmib5u707.png-wh_50 "/>

650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M00/9B/0E/wKiom1ldryyg5zpGAABZpwLsWoo832.png-wh_500x0-wm_ 3-wmp_4-s_1172780645.png "style=" Float:none; "title=" 2017-07-06_113125.png "alt=" Wkiom1ldryyg5zpgaabzpwlswoo832.png-wh_50 "/>

Currently this tool supports windows7,10, Server 2012, 2016. The default comes with a lot of templates, follow the trust will continue to improve to give more support.

#Tools不是万能的, please adjust it according to the situation.

Once this is done, the VDA's parent image is already available for general use. But we all know that under normal circumstances we will give users Administrator and administrator privileges. In fact, in any system, when you have the Windows system administrator this control is very difficult to do, why everyone said that the Linux system is stable, in fact, there is a very important management system is by default, users in Linux is not root and super-control permissions, so many core systems will not be affected.

So in Windows, because of the logic of the design, it is difficult to remove the user administrator rights, then the front-end users will cause the virtual desktop due to the wrong operation. For example, there are users themselves to modify the IP address, delete some desktop agents and so on.

We used to do this with GPOs in the past, but it was too complicated for many non-MS backgrounds.

So Citrix uses a call WEM (Workspace environment Management) to set up the system environment.

For example, I can restrict users from using Windows Update,help these features by setting

650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M01/9B/0E/wKioL1ldsHmh2nnAAAIZ78MnQb4373.png-wh_500x0-wm_ 3-wmp_4-s_1539409718.png "style=" Float:none; "title=" 2017-07-06_113637.png "alt=" Wkiol1ldshmh2nnaaaiz78mnqb4373.png-wh_50 "/>

650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M02/9B/0E/wKiom1ldsHmSmGQaAAAhZ7QRPW4889.png-wh_500x0-wm_ 3-wmp_4-s_603006155.png "style=" Float:none; "title=" 2017-07-06_113654.png "alt=" Wkiom1ldshmsmgqaaaahz7qrpw4889.png-wh_50 "/>

Restrict users from using the control Panel or some of the specific components in the panel.

650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M02/9B/0E/wKioL1ldsHuCWUP6AADVgWjhbJg040.png-wh_500x0-wm_ 3-wmp_4-s_1373473769.png "style=" Float:none; "title=" 2017-07-06_113700.png "alt=" Wkiol1ldshucwup6aadvgwjhbjg040.png-wh_50 "/>

650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M00/9B/0E/wKiom1ldsHzDXW1aAAAVr4H9iWo553.png-wh_500x0-wm_ 3-wmp_4-s_1231222797.png "style=" Float:none; "title=" 2017-07-06_113706.png "alt=" Wkiom1ldshzdxw1aaaavr4h9iwo553.png-wh_50 "/>

In this way, in the case of giving the user administrator privileges, reasonable control users can use the entire desktop, the entire customized system is the most suitable for each different customer, enterprise system.

In fact, from my personal point of view, the virtual desktop this product he still needs and user management system docking, completely open, completely uncontrolled, regardless of standardization, perhaps the initial use of no problem. In the middle and late, the more uncontrolled virtual desktops, the user side of the operation and maintenance of pressure will be unprecedented.

This information is applicable for Windows 7 SP1, Windows Server 2012, but not fully for Windows 10. This major difference is also related to the system of the Windows 10 system's own version update.

As you all know, in the past, both the Windows client system, the 7,8/8.1, and the server system 2008R2,2012R2 are updating the system through the service Pack+hotfix way.

But to Windows 10, basically every six months to a year, will be a full version will be issued, this updated version will have a lot of new features, new components. In fact, this is also the disadvantage of MS to avoid the rapid iteration of the new function in order to evade the service Pack+hotfix update in the past.

650) this.width=650; "Src=" https://s5.51cto.com/wyfs02/M02/9B/0F/wKioL1ldtfbjQnu3AAAlvfCsjIc353.png-wh_500x0-wm_ 3-wmp_4-s_3425555425.png "title=" 2017-07-06_120025.png "alt=" Wkiol1ldtfbjqnu3aaalvfcsjic353.png-wh_50 "/>

From this graph we can see that each version of Windows 10, its schedule Task,service,default app number, then lead to a difference in cpu/ram consumption.

650) this.width=650; "src=" Https://s4.51cto.com/wyfs02/M02/9B/0F/wKioL1ldtnuysYsOAADfuPPBJnc774.png "style=" width : 600px;height:211px; "title=" 2017-07-06_120207.png "width=" "height=" 211 "border=" 0 "hspace=" 0 "vspace=" 0 "alt=" Wkiol1ldtnuysysoaadfuppbjnc774.png "/>

650) this.width=650; "src=" Https://s2.51cto.com/wyfs02/M02/9B/0F/wKioL1ldtnvA7yMqAAAssQIE5V4176.png "style=" width : 600px;height:205px; "title=" 2017-07-06_120217.png "width=" "height=" 205 "border=" 0 "hspace=" 0 "vspace=" 0 "alt=" Wkiol1ldtnva7ymqaaassqie5v4176.png "/>

So the question is, if we're going to use Windows 10 as a VDA, we should choose which version, Rtm,anniversary or creator version. (The specific version number, please search by yourselves)

In fact, Ms was thinking about this when designing the Windows 10 system, so he introduced a new service options in addition to the Professional and Enterprise editions that we used to know.

https://blogs.technet.microsoft.com/enterprisemobility/2016/01/06/navigating-the-windows-10-servicing-options/

650) this.width=650; "Src=" https://s5.51cto.com/wyfs02/M00/9B/0F/wKioL1lduEqSz-dNAAAPrKLWM6g908.png-wh_500x0-wm_ 3-wmp_4-s_3966407418.png "title=" 2017-07-06_121031.png "alt=" Wkiol1ldueqsz-dnaaaprklwm6g908.png-wh_50 "/>

Which inside programe similar to the beta version, CB is the latest version, CBB is a stable version of the branch, LTSB is stable-oriented.

So Ms recommended in an enterprise scenario, we are using both CBB and LTSB versions.

So in the present, which versions are CBB and LTSB versions? In the following Ms website, Ms gives the status of each version,

https://technet.microsoft.com/en-us/windows/release-info.aspx

650) this.width=650; "src=" Https://s1.51cto.com/wyfs02/M02/9B/0F/wKioL1lduLzgIuOgAABVlt3Jbsc423.png "title=" 2017-07-06_120924.png "width=" height= "border=" 0 "hspace=" 0 "vspace=" 0 "style=" width:700px;height:230px; " alt= "Wkiol1ldulzgiuogaabvlt3jbsc423.png"/>

#请注意, here Microsoft recommend recommended 1703 is its latest version, which is primarily for individual users. However, in the vda/Virtual desktop scenario, we need to refer to MS Referral preference for the CBB/LTSB version.

So at present the more appropriate should choose: 1607,1511,1507 these three versions.

The above information, only represents personal views, for reference.

This article is from the "Citrix in the Cloud" blog, be sure to keep this source http://kaiqian.blog.51cto.com/236001/1944955

Windows VDA Customization/optimization/version selection I feel