Author: Andreas Stenhall

HOWTO: Prevent deploying Windows over VPN

Doing Windows deployments over VPN is not a good idea and it works badly in practice. If you are using MDT to do Windows deployments you can easily prevent deploying Windows over VPN.

The easiest way is to modify customsettings.ini so that nothing is installed if the network card’s default gateway is one we define as a VPN gateway. So let’s look at the default customsettings.ini before we modify it.

[Settings]
Priority=Default

[Default]
OSInstall=Y
SkipCapture=NO
SkipAdminPassword=NO
...

Now let’s look at how we modify it to fit our needs. We add a check so that the very first thing evaluated is whether the machine is on a VPN connection, and if so nothing is installed. In the example we have two VPN default gateways defined.

[Settings]
Priority=DefaultGateway,Default

[DefaultGateway]
10.0.0.1=VPN
10.0.1.1=VPN

[VPN]
OSInstall=N

[Default]
OSInstall=Y
SkipCapture=NO
SkipAdminPassword=NO
...
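To see how MDT resolves the two files above, here is an added example (not part of the original post or of MDT itself) that simulates the rule processing: sections listed in Priority are applied left to right, the DefaultGateway section maps the detected gateway to further section names, and the first value written for a property wins. The gateway is passed in as a parameter rather than detected from the network adapter.

```python
import configparser

# Constructed copy of the modified CustomSettings.ini shown above (sample input).
CUSTOMSETTINGS_INI = """
[Settings]
Priority=DefaultGateway,Default

[DefaultGateway]
10.0.0.1=VPN
10.0.1.1=VPN

[VPN]
OSInstall=N

[Default]
OSInstall=Y
SkipCapture=NO
SkipAdminPassword=NO
"""


def resolve_properties(ini_text: str, default_gateway: str) -> dict[str, str]:
    """Simulate MDT rule processing for one machine: walk Priority left to
    right and keep the first value set for each property; later sections
    never overwrite a property that is already set."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep property names case-sensitive, as written in the file
    cfg.read_string(ini_text)
    result: dict[str, str] = {}

    def apply_section(name: str) -> None:
        if name == "DefaultGateway":
            # Indirection section: the value for the detected gateway names
            # the section(s) to apply next (comma separated).
            targets = cfg["DefaultGateway"].get(default_gateway, "")
            for target in (t.strip() for t in targets.split(",") if t.strip()):
                apply_section(target)
            return
        if not cfg.has_section(name):
            return
        for key, value in cfg.items(name):
            result.setdefault(key, value)  # first writer wins

    for section in cfg["Settings"]["Priority"].split(","):
        apply_section(section.strip())
    return result


def os_install_allowed(ini_text: str, default_gateway: str) -> bool:
    """True when the resolved rules leave OSInstall=Y for this gateway."""
    return resolve_properties(ini_text, default_gateway).get("OSInstall", "N").upper() == "Y"
```

A machine behind 10.0.0.1 resolves OSInstall=N from [VPN] before [Default] is reached, while a machine on any other gateway falls through to [Default] and gets OSInstall=Y.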

Happy deploying (but not over VPN)!

HOW TO: Troubleshoot Windows Store Apps that are not working correctly in Windows 8

The new framework and infrastructure around apps in Windows 8 bring some new challenges to deal with. To start with, you cannot turn off User Account Control if you want to use the modern apps in Windows 8, but there is more going on behind the scenes that is essential to the working of Windows Store Apps.

When a problem does occur, Microsoft provides a nifty little troubleshooter tool for Windows Store Apps. Download and run the tool from:
http://go.microsoft.com/fwlink/?LinkId=271185

Book: Windows 8 in the Enterprise

A unique Windows 8 book for corporations and enterprises is here! It’s called Windows 8 in the Enterprise and provides you with full step-by-step guides and information on how to successfully implement Windows 8 in your existing environment. The writing started in mid-August and was completed in October, after which there were some editorial and technical reviews, and now the book is finally published at Amazon.com. Go grab Windows 8 in the Enterprise now!

ERROR: “LiteTouch is trying to install applications” in MDT 2012 Update 1

I came across a rather peculiar thing with MDT 2012 Update 1 recently. MDT 2012 is pretty good at detecting when there are leftovers from previous deployments, but this time it failed, and it failed hard.

LiteTouch is trying to install applications. This cannot be performed in Windows PE.
If booting from a USB Flash Disk, please remove all drives before restarting. Otherwise, ensure the hard disk is selected first in the BIOS boot order.

Oh no, I was NOT trying to install applications in WinPE :) It was a pretty plain task sequence, and even recreating it with a brand new standard one did not help. However, the solution was to remove the MININT and _SMSTaskSequence folders using the good old rd command with the switches /q and /s. Unfortunately I did not save the logs, but the point is that if anyone hits this, there is a really easy solution.

Windows 8 RTM – Download 90 day trial

Windows 8 has reached RTM and is now available for download via MSDN and TechNet, that is if you have a subscription to these services. If you do not and still want to evaluate Windows 8, there is a 90-day working Windows 8 Enterprise available at http://msdn.microsoft.com/en-us/evalcenter/jj554510.aspx

Follow-up to TechEd session WCL326: Five infrastructure changes that will boost performance for the Windows Client

To summarize the key areas you can look into when optimizing performance from an infrastructure point of view, here are the key takeaways from TechEd session WCL326: Five infrastructure changes that will boost performance for the Windows Client.

1. Slow machine boot and login / GPOs and scripts

Use Windows Performance Toolkit (part of the Windows 7 SDK) to troubleshoot what is happening during boot. Specifically, narrow in on Group Policy: in the Generic Events section, look for and enable only the Group Policy provider to see what’s going on with group policies. Group policies and scripts are most often the bad guys when you have performance problems with boot and login.

Also use Event Viewer > Applications and Services > Windows > Group Policy > Operational log to look for, for instance, events with id 5326, 8000, 8001 or 5016. In particular the last one is of interest, as it will quickly show you which Group Policy extension is taking the most time to finish.

Clean up: remove unnecessary settings and GPO objects. Convert scripts to Group Policy Preferences where possible, or schedule scripts to run after startup or login, to minimize boot and login times.

2. Optimizations for RDP

Activate asynchronous login for users to speed up login for Remote Desktop Services and RemoteApp. Go to Administrative templates > Policies > System > Group Policy and enable the setting “Allow asynchronous user Group Policy processing when logging in to Remote Desktop Services”.

Three other really great tweaks found in Administrative templates > Policies > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment:

Do not allow font smoothing = Enabled
Limit maximum color depth = Enabled, set it to 32-bit
Set compression algorithm for RDP data = Enabled, set it to Optimized to use less network bandwidth

3. SMB 2.1

To get full use of the performance improvements in the SMB 2.1 protocol you need file servers that are running Windows Server 2008 R2. If you are running a third-party storage solution, activate SMB 2.x support, as that is not always activated by default and sometimes a firmware upgrade is needed.

Based on my own performance measurements, the performance increase varies from 10-80%.

4. BranchCache

Activate the BranchCache feature from Server Manager on the content servers you want to use with BranchCache. This requires Windows Server 2008 R2 on the content server. For file shares, make sure to enable the BranchCache feature on the share(s) you want to use with BranchCache. Also set the group policy “Hash Publication for BranchCache” on the file server(s), found in Administrative templates > Policies > Network > Lanman Server.

To activate BranchCache on the Windows 7 client, look in Administrative templates > Policies > Network > BranchCache and activate the required GPO settings.

5. Upgrade key servers to Windows Server 2008 R2

To benefit from the RDP improvements and SMB 2.1 improvements, and actually make performance better for file handling, the simple thing to do is to migrate to Windows Server 2008 R2.

BONUS 1. Microsoft tool to measure performance:

WDRAP (Risk and Health Assessment Program for Windows Desktop) is a tool designed for enterprise customers that verifies overall performance, including bad drivers, apps that are causing the machine to start slowly, etc. Contact your Technical Account Manager at Microsoft for more information and for help analyzing the results from this tool. Microsoft themselves used this tool some time ago to improve performance in their environment; more on this in the Microsoft IT Case Study.

BONUS 2. Hotfixes related to infrastructure and performance, Windows 7 Post-SP1:

You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer
http://support.microsoft.com/kb/2561285

Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7 (WMI issue)
http://support.microsoft.com/kb/2617858

Slow performance when you browse the My Documents folder in the document library in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2690528

Improved interoperability between the BranchCache feature and the Offline Files feature in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2675611

General Q and A

Q: Can I use this tool to measure performance and troubleshoot on Windows XP?
A: You can run the tool on Windows XP by copying xbootmgr and xperfctrl.dll to an XP machine. You can then analyse the results on a Windows 7 machine. However, do not expect the same amount of detailed data, as Windows 7 has introduced new features that are not available in Windows XP.

Any further questions around the session or the topics, feel free to leave a comment to the article or send me an email on andreas.stenhall@knowledgefactory.se.

SLIDES: Download the slides from the session WCL326


Busting a myth: AppLocker does not magically allow standard users to install applications or updates

The single most common misconception around AppLocker is that it can be used to allow standard users to install software that would normally require administrator privileges. This is absolutely 100% incorrect.

What AppLocker does is set a number of rules on what can be run and executed on a machine. It is important to note that even if you allow something to run or be executed via AppLocker rules, the user will still need the appropriate privileges if the setup or application itself requires administrative privileges at some point in time, such as when doing automatic updating.

Killer features in Windows 8 – Dare to miss them on TechDays?

TechDays Sweden takes place this week, and as this year will be a very exciting one considering all the major releases, from Windows 8 and Windows Server 2012 to the System Center 2012 family of products, I can promise you a really interesting conference.

My session will be about three of the very most interesting features in Windows 8: taking on the future with UEFI, making use of virtualization with Client Hyper-V and, last but not least, creating new possibilities for your entire business with Windows To Go. @ Wednesday 14:45 Room 6. Be a part of the future!

Here are some friends from the MEET network, what they do and links to their blogs:


Follow up: User profile and user data changes in Windows 8 vs primary computers

Windows 8 will allow you to set roaming user profiles and/or folder redirection to be applied only if the user logs in to his or her primary computer. During the Windows 8 roadshow I got a question whether there is an opposite action I can take, to use roaming profiles on all machines except some machines or one particular machine.

The answer is yes, you can do this. Nearly all organizations set the profile path on each user object in Active Directory, but as of Windows Vista and later there is a group policy setting where you can set the roaming user profile path using GPOs instead.

What this basically means is that you can apply a GPO with a roaming user profile path on certain computers where you want user profiles to roam, and keep for instance conference room computers out of this OU to make sure that users do not get their roaming profile on these machines.

The GPO setting is found in Computer configuration\Administrative templates\System\User profile and is called “Set the roaming profile path for all users logging into this computer”. So if you have the profile path set on the user objects, you need to remove those and make sure that you have the GPOs linked to the right OUs.

Windows 8 Roadshow coming to four Swedish cities

In March I will go on a Windows 8 roadshow with a few colleagues from Knowledge Factory and also from TrueSec. The topic is the smoking hot Windows 8 operating system that is going to be released later this year. For more information and registration, please have a look at the all-Metro-style roadshow page www.windows8roadshow.se.