Windows 8 has RTM:ed and is now available for download via MSDN and TechNet, that is if you have a subscription to these services. If you do not and still want to evaluate Windows 8 there is a 90 day working Windows 8 Enterprise available at http://msdn.microsoft.com/en-us/evalcenter/jj554510.aspx
Author: Andreas Stenhall
So to summarize the key areas which you can look into when optimizing performance from an infrastructure point of view here is a summary of the key takeaways from TechEd session WCL326: Five infrastructure changes that will boost performance for the Windows Client.
1. Slow machine boot and login / GPOs and scripts
Use Windows Performance Toolkit (part of Windows 7 SDK) to troubleshoot what is happening during boot. Specifically narrow in one Group Policy in the section in the Generic events and look for and enable only the Group Policy provider to see what’s going on with group policies. Group policies and scripts are most often the bad guys when having performance problems with boot and login.
Also use Event Viewer > Applications and Services > Windows > Group Policy > Operational log to look for instance events with id 5326, 8000, 8001or 5016. In particular the last one is of interest as this will quickly show you which Group policy extension is taking most of the time to finish.
Cleanup, remove unnecessary settings and GPO objects. Convert scripts to Group Policy Preferences as necessary or make scripts running scheduled after startup or login to minimize the boot and login times.
2. Optimizations for RDP
Activate asynchronous login for users to speed up login for Remote Desktop Services and RemoteApp. Go to Administrative templates > Policies > System > Group Policy and set the setting for “Allow asynchronous user Group Policy processing when logging in to Remote Desktop Services”.
Three other really great tweaks found in Administrative templates > Policies > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment:
Do not allow font smoothing = Enabled
Limit maximum color depth = Enabled, set it to 32-bit
Set compression algorithm for RDP data = Enabled, set it to Optimized to use less network bandwidth
3. SMB 2.1
To get full use of performance improvements in SMB2.1 protocol you need file servers that are running Windows Server 2008 R2 or if you are running a third party storage solution to activate SMB2.x support as that is not always activated by default and sometimes a firmware upgraded is needed.
Performance increases based on my own performance measuring are varying from 10-80% performance increase.
Activate BranchCache feature from Server Manager on the content servers you want to use with BranchCache. Require windows Server 2008 R2 on the content server. For file shares make sure to enable the BranchCache feature on the share(s) you want to use with BranchCache. Also set the group policy “Hash Publication for BranchCache” on the file server(s) found in Administrative templates > Policies > Network > Lanman Server.
To activate BranchCache on the Windows 7 client look in Administrative templates > Policies > Network > BranchCache and activate the required GPO settings.
5. Upgrade key servers to Windows Server 2008 R2
To gain use of RDP improvements, SMB2.1 improvements and actually make performance better for file handling the simple thing to do is to migrate to Windows Server 2008 R2.
BONUS 1. Microsoft tool to measure performance:
WDRAP (Risk and health Assessment Program for Windows Desktop) is a tool designed for enterprise customers that verifies overall performance, including bad drivers, apps that are causing the machine to start slowly etc. Contact your Technical Account Manager at Microsoft to get more information and analyzing the results with this tool. Microsoft themselves used this tool some time ago to improve performance in their environment, more on this in the Microsoft IT Case Study.
BONUS 2. Hotfixes related to infrastructure and performance, Windows 7 Post-SP1:
You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer
Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7 (WMI issue)
Slow performance when you browse the My Documents folder in the document library in Windows 7 or in Windows Server 2008 R2
Improved interoperability between the BranchCache feature and the Offline Files feature in Windows 7 or in Windows Server 2008 R2
General Q and A
Q: Can I use this tool to measure performance and troubleshoot on Windows XP?
A: You can run the tool on Windows XP by copying xbootmgr and xperfctrl.dll to an XP machine. You can then analyse the results on a Windows 7 machine. However do not expect the same amount of detailed data as Windows 7 has introduced new features that are not available in Windows XP.
Any further questions around the session or the topics, feel free to leave a comment to the article or send me an email on firstname.lastname@example.org.
The one most common misconception around AppLocker is the fact that it could be used to allow standard users to install stuff that in any normal case would require administrator privileges. This is absolutely 100% incorrect.
What AppLocker does is set a number of rules on what can be run and executed on a machine. It is important to note that if you allow something to run or be executed via AppLocker rules the user will still need the appropriate privileges if the setup or application itself require administrative privileges at some point in time such as when doing automatic updating for instance.
TechDays Sweden takes place this week and as this year will be a very exiting one considering all the major releases with all from Windows 8, Windows Server 2012 to the System Center 2012 family products I can promise you a really interesting conference.
My session will be about three of the very most interesting features in Windows 8; taking on the future with UEFI, making use of virtualization with client hyper-v and least but not last creating new possibilities for your entire business with Windows To Go. @ Wednesday 14:45 Room 6. Be a part of the future!
Here are some friends from the MEET network, what they do and links to their blogs:
- Alan Smith (Azure)
- Björn Axell (System Center)
- Cecilia Wiren (.NET) – Möt MEET på TechDays 2012
- Chris Klug (.NET)
- Daniel Bugday (Sharepoint) – See you on TechDays 2012 Örebro #MSDN #TD2012
- Hasain Alshakarti (Security) – MEET@TechDays 2012 in Örebro
- Henrik Nilsson (FIM, ADFS, Security) – Microsoft Extended Experts Team – MEET
- Johan Arwidmark (System Center) – Networking at TechDays 2012 in Sweden – The Microsoft Extended Experts Team (MEET)
- Johan Åhlén (SQL Server) – SQL Server sessions at TechDays Sweden 2012
- Magnus Björk (Exchange) – #td2012 here I come
- Magnus Mårtensson (Azure) – TechDays.se 2012 – About Windows Azure
- Patrik Löwendahl (.NET)
- Mathias Olausson (ALM)
- Jörgen Nilsson (System Center) – Microsoft Extended Experts Team – MEET
- Ola Skoog (IT Pro Evanglist) – MEET@TechDays
- Anders Olsson (Security) – Få mer ut av TechDays
- Joakim Nässlander (Windows Server, Cluster)
- Martin Lidholm (Unified Communication, Lync)
Windows 8 will allow you to set roaming user profiles and/or folder redirection to be applied only if the user login to his or her primary computer. During the Windows 8 roadshow I got a question if there is an opposite action I can take to use roaming profiles on all machines except some machines or one particular machine.
The answer is yes, you can do this. As good as all organizations set the profile path on each user object in Active Directory, but as of Windows Vista and later there is a new group policy setting where you can set the roaming user profile path using GPOs instead.
What this basically means is that you can apply a GPO with a roaming user profile path on certain computers where you want user profiles to be roamed, and keep for instance conference room computers out of this OU to make sure that users do not get their roamed profile on these machines.
The GPO setting is found in Computer configuration\Administrative templates\System\User profile and is called “Set the roaming profile path for all users logging into this computer”. So if you have the profile path set on the user objects you need to remove those and make sure that you have the GPOs linked to the right OUs.
In March I will go on a Windows 8 roadshow with a few colleagues from Knowledge Factory but also from TrueSec. The topic is the smoking hot Windows 8 operating system that is going to be released later this year. For more information and registration please have a look at the all metro style roadshow page www.windows8roadshow.se.
A perfect reference image for Windows is fast to deploy, contains all security updates and all other necessary patches and possibly also applications like Office and least but not last is fully automated to achieve the best possible stability and to avoid the potential of manual errors. This guide is intended to show you how to build the perfect reference image ever made!
NOTE: I have also posted this guide to TechNet Wiki where you find an improved version of this article (although the steps in the article found below is still valid): TechNet Wiki: HOW TO: Create the perfect and fully automated reference image for Windows operating systems
There is no need to invent the wheel again as this can be achieved very easy in Microsoft Deployment Toolkit. Start by downloading Microsoft Deployment Toolkit and in the components section make sure to download and install Windows Automated Installation Kit. Start Deployment Workbench and off we go!
Note: This guide applies to everyone regardless if you are deploying Window using SCCM, MDT or any third party deployment solution.
1. In Deployment workbench create a new share for creating the reference image so start by creating a new one and name it like “Reference image build and capture share” or something of your choice.
2. Add the OS install files (repeat for each OS you want to build for) into the operating systems folder. Always include the setup files so never install just a WIM file at this stage.
3. Create a task sequence based on the Standard client task sequence (repeat for each OS you want to build image for).
4. For each task sequence edit the task sequence to enable the existing but disabled “Windows Update” step(s).
5. Edit the rules of the share by right clicking it and choosing Properties. The rules (customsettings.ini) should look like below. Replace the variables BackupShare and BackupDir with whatever the share name and directory to store the images are.
6. Modify the bootstrap.ini to look like the below information. Replace the variables according to what applies to your configuration.
7. Now add to the Rules (customsettings.ini) a section named like below. This sets that the Windows Update step will point to your WSUS server, where you are in control of everything that is released by Microsoft and thereby staying 100% in control of what is in your image.
8. To make sure that you get a separate name for each operating system you are building a reference image for edit each task sequence to contain a Task Sequence Variable named for instance:
9. Update the deployment share to get boot ISO which you use to boot your virtual machine and start the build process.
Remember to always build the reference image on a virtual machine to avoid potential problems related to hardware.
You could also add the Office as an application in the Deployment Workbench and to all task sequences that require it to make sure that you have a rapid deployment image ready to go.
Done! Happy deploying!
This guide will take you through the necessary steps to create a DaRT 7.0 installation locally (replacing WinRE) and not having the user need to enter the password for a local administrator account before having the remote connection start. Basically this means that a user can press F8 during boot and choose “Repair your computer” and have someone remotely taking control over their machine and fixing problems which previously required physical presence of IT staff.
Note: There is information on how to do this in official MS documents for DaRT 7.0 but you have to do a lot of reading between the lines so I wanted to take the moment to do a complete documentation on how to accomplish this.
Background on WinRE and local admins
Some basic information about WinRE is that whenever you start WinRE (and that includes DaRT 7.0) when it is located on the machines disk it will always ask you to supply a local admin account information. This is not the case if you boot WinRE or DaRT from USB, DVD, CD or via PXE boot, then you do NOT have to enter a local admin account to gain access to the system. Potential security issue here I might add.
Step by step solution
The dilemma with DaRT and remote connections is that we cannot in most cases let the users know the password of our local administrator account so what we can do is to start the remote connection as soon as possible when DaRT boots. So here is what you need to do to achieve this:
1. Go through the DaRT Recovery Image wizard and create your DaRT.iso. Then extract this ISO file and copy boot.wim which can be found in the sources folder to C:\DaRT and rename it to winre.wim.
2. Start a cmd.exe with administrator privileges.
3. Create a folder called C:\DaRTmount
4. Run the following command (on one line and with no space between “mount-” and “wim”:
dism /mount-wim /wimfile:C:\DaRT\winre.wim /index:1 /mountdir:C:\DaRTmount
5. From the same command prompt, type “notepad” to start Notepad and then browse to C:\DaRTmount\Windows\System32 and open winpeshl.ini. Make sure that this is entered into the winpeshl.ini and then save the file:
"%windir%\system32\netstart.exe -network -remount"
"cmd /C start %windir%\system32\RemoteRecovery.exe -nomessage"
6. When the file is saved make sure that you have closed notepad and also all instances of Windows Explorer (yes, the following command might fail if you have Explorer windows open) run the following command:
dism /unmount-wim /mountdir:C:\DaRTmount /commit
7. After the image has been saved you need to replace the existing Windows recovery environment with your customized DaRT installation.
8. Start by making sure that you show hidden and operating system files (via Windows Explorer – Organize – Folder and search options – View).
9. Go to C:\Recovery (if you get “access denied”) you need to modify the access control list, add your account or everyone full control to this folder.
10. Now scroll down the folder structure until you reach where winre.wim is located. Now copy your modified winre.wim from C:\DaRT to this location. Remember to set the ACLs back on the recovery folder when you are finished, that is if you modified them.
11. Test by booting the machine and press F8 just before Windows starts loading and you will get “Repair your computer” option. Choose that and see how the Remote Connection is started along with the prompt for local administrator password, giving your users a chance to let you connect and then giving the IT staff enter the password.
Another year has passed by and I would like to take the opportunity to share some of my most interesting blog posts during the year. First off is Busting the myths: Windows 7 require Windows Server 2008/2008 R2 domain controllers and raised functional levels.
Second off is the guide I wrote up the other day on a very hot subject, how to handle user group policy settings when migrating for instance from Windows XP to Windows 7. Third comes the strange things UAC may cause, and this one is about mapped network drives not being accessible when cmd.exe is run with admin privileges although the same user account.
One last thing I want to highlight is that although it is actually from last year but still worth noting, this little tip on how to very easily discover performance issues such as drivers making going to sleep/resume from sleep slow, apps making your machine start and shutdown slower etc, HOW TO: List performance issues with your Vista or Windows 7 machine.
This is a very common question and one that I would say all companies migrating to Windows 7 has experienced. The scenario is how do we handle user group policy settings when we have multiple operating systems such as Windows XP and Windows 7 or in the future also introduce Windows 8?
First I strongly recommend that you do not reuse the user configuration for Windows XP for Windows 7. Group policies tend to grow over time and at most customers I have encountered a lot of rubbish in the old configuration. Starting over and migrating only what is needed minimize the risk for problem and makes the configuration slicker and more easy to manage in the long run.
But how do we make sure that users get one configuration when they log in to for instance Windows XP and another configuration when they log in to a Windows 7 or Windows 8 machine? Well, let’s have a look at the options including pros and cons followed by recommendations from the field.
1. Security group filtering
– Require no change in OU structure/move of users.
– Requires a lot of management and make it hard to administer.
2. Separate users into a new and old OU
– Easy to do if you have very few users and no dependencies to other services or applications.
– Not a manageable solution in an environment with many users.
– There are often apps or services that rely on the users being in a certain OU which is making it hard to move users without affecting other services.
3. WMI filters
– Keep the users in the OU they are today not affecting other services or apps that rely on users being in a certain OU.
– A longterm investment in making it easy to introduce new operating system versions.
– Quick determination (WMI is often known to be real slow but this particular query is not performance intensive).
– Need changes for existing environment, i.e. for instance Windows XP user configuration.
– Could make group policies not being applied due to problems with WMI repository or related services.
4. Loopback processing
– Keep the users in the OU they are today not affecting other services or apps that rely on users being in a certain OU.
– Very reliable solution.
– If not Replace mode is used you need to handle current configuration.
– Might become a mess to troubleshoot and maintain if naming and config is not done consistent and clear.
Recommendations from the field
In my professional opinion the only real alternatives are WMI filters or loopback processing and sometimes I recommend WMI filters for separating user settings depending on what operating system they are logging in to and sometimes I recommend loopback processing. It depends on the environment and needs for the customer. Many times moving the user accounts around is not an alternative but consider that a very good alternative if possible to accomplish.
How do I implement it in my environment?
1. WMI filters
In the Group Policy console you create multiple WMI filters for for instance Windows XP and Windows 7. You then set each WMI filter respectively on each GPO containing user settings for each operating system. NOTE: Always test it out before applying this configuration to your existing environment. Also note that this does not affect performance to any noticeable amount of time.
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ProductType ="1"
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType ="1"
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType ="1"
Basically the version is the OS version as we know it and the ProductType=1 means that it is a client operating system.
So you will end with for instance one GPO named “User Configuration – Windows 7” which have the WMI filter for Windows 7 machines set and one GPO named “User Configuration – Windows XP” which have the WMI filter for Windows XP set.
2. Loopback processing
A prerequisite for using loopback processing is that you keep computers in separate OUs, for instance XP computer accounts in one OU and Windows 7 computer accounts in another OU.
You then create GPO objects in the OU for Windows 7 in our example and configure the user settings there. As I think you should always separate Computer and User configuration GPO:s I would say that you in a Computer configuration policy in that same OU set this setting for the user settings to be applied when users log into Windows 7 machines:
Policies – Computer configuration – Administrative templates – System – Group Policy and there set “User Group Policy loopback processing mode” to Replace or Merge, depending on what you want to achieve and how you want to handle your current configuration. Replace mode is recommended as you will have a hard time maintaining and troubleshooting the configuration otherwise.
Done! When users log on to your Windows 7 machines they will get the user settings you have defined in the user configuration GPOs located in the Windows 7 machines OU in our example.