Hey people Smile 

I came across an issue today which is one of those “Microsoft, WTF and why have you done this?”

On a current Windows 10 Deployment I am doing we are using the Unified Write Filter to ensure that the Operating System is secure as possible.  We had tested all the features and were nearly ready to hand over to the customer for testing and they came back with some early testing and they saw lots of interaction with some external hosts.  Upon further investigation this is due to the wonderful Telemetry where Microsoft tracks what you are doing and kindly uploads if for you with you asking them to. 

Now for secure Enterprise environments this is not really ideal, they don’t really want their usage information tracked by Microsoft and also wasting bandwitht. We disable this using the following commands:

sc delete DiagTrack >NUL
sc delete dmwappushservice >NUL
echo "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f

The problem was after doing this we found we were unable to use the Unified Write Filter. When we tried to enable it we got the following Error:

“Could not enable the Unified Write Filter (There are no more endpoints available from the endpoint mapper).

image

After a bit of digging around the Unified Write Filter functionality seems to be reliant upon the dmwappushservice.  Why this is I am not sure yet but I cannot see any logical reason as there functionality is complete separate. Anyway, after leaving this service enabled the Write Filter functionality was back again Smile 

image

Lesson learnt – do not disable this service if you require the unified write filter functionality Smile

Posted by neil, filed under Windows 10. Date: November 23, 2016, 3:08 pm | No Comments »

 

Whilst testing some Fine Grained Password Policies in Windows 10 today I came across the following message which I had not seen before:

image

I did a bit of investigation and it turns out that there is a setting which will reboot the desktop and put it into BitLocker recovery mode if you enter your password wrong.  This is set by the default SCM Templates to a threshold of 10.  Whilst this setting is obviously for security reasons I would imagine its one of these settings which is more trouble than its worth in a large Enterprise Deployment.  I can imagine a lot of calls to helpdesk being made!

You can disable the setting by setting the following GPO setting to 0:

GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold

image

So if you are setting Account Lockout settings at the Domain Level then make sure that you set this setting to higher than your User Account Lockout threshold otherwise you may find your users machines becoming unusable even though their User accounts are not locked out.

More information can be found in this setting here:

https://technet.microsoft.com/en-us/library/jj966264.aspx

Posted by neil, filed under Windows 10. Date: November 2, 2016, 1:03 pm | 1 Comment »

Hey all Smile 

Very quick post today about a very very cool tool which VMware have released to optimise a desktop for VDI. This tool should be run on your master image whether you are using Citrix or VMware as it reduces the overall footprint that your OS will use which is critical in any VDI Deployment.  I highly suggest that you use it for any new images that you create.  It is fully compatible with Windows 7, Windows 8, Windows Server 2008 R2 and Server 2012 R2.  It’s in Beta for Windows 10 at the moment and nicely trashed my Win 10 VM when I ran it Smile 

If you head over to https://www.loginvsi.com/blog/520-the-ultimate-windows-10-tuning-template-for-any-vdi-environment you will see the Login VSI testing performed using this tool and the results are quite impressive.  They managed to get a VSIMAX increase of 44% using their settings which you can download and apply using this template.  Would you like 44% more headspace from your servers? Smile

As you can see there are a few options when you launch the tool:

  • Analyze  – This will perform an analysis of your current settings and suggest settings from the tool’s baseline settings
  • Optimize – This is where you will perform the optimization – note it will change hundreds of settings so please test carefully or review carefully before implementation
  • History  – This will provide a history of all previous actions
  • Remote Analysis  -  This will enable you to analyse VM’s remotely
  • My Templates  -  This is a pretty nice feature which enables you to create multiple templates so say for example if you have a different set of images with different requirements or different operating systems
  • Public Templates  – Killer feature in my opinion – if you have a really nice optimised image you can upload it to VMware and anybody can download it for use, nice community sharing Smile
  • References – bunch of URL’s to view more information

image

You can download the tools from here:

https://labs.vmware.com/flings/vmware-os-optimization-tool

Note when I ran the optimisations on my Windows 10 VM I got the following when I rebooted and it generally doesn’t seem very happy, but it is in BETA Smile 

image

Enjoy!

Posted by neil, filed under Citrix, Virtualization, Windows 10. Date: September 21, 2016, 11:53 am | No Comments »

« Previous Entries