Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop

VMware Horizon 7 version 7.5 and later VMware Horizon Cloud Service

Introduction

Overview

Considerations you must take into account when creating a Windows system image are much different if you plan to deploy virtual desktops rather than physical desktops:

  • Physical desktops – Resource usage on a physical machine impacts only the user who is using that machine. The operating system on a physical machine determines whether or not resources are available. One-time actions impact the user only the first time they are performed because the machine is never refreshed. For example, a user typically gets a new user profile the first time they log on, and they continue to use that same profile with all subsequent logons.
  • Virtual desktops – In contrast, in a virtual environment, the guest operating system behaves as if it has exclusive access to the CPU cores, but in reality the cores are shared between 2 to 8 virtual machines. When using nonpersistent VMs or user profiles, the actions that are intended to run only once could run every time a user logs on.

Therefore, with virtual desktops, one-time system actions must be configured in the base image, and one-time user actions must be configured in the default (or mandatory) user profile. In addition, to reach a higher consolidation ratio, increasing the number of VMs hosted on a single VMware vSphere® host, VMware recommends turning off features that are not needed.

JMP Next-Generation Desktop and Application Delivery Platform

JMP (pronounced jump), which stands for Just-in-Time Management Platform, represents capabilities in VMware Horizon® 7 Enterprise Edition that deliver Just-in-Time Desktops and Apps in a flexible, fast, and personalized manner. JMP is composed of the following VMware technologies:

  • VMware Instant Clone Technology for fast desktop and RDSH provisioning
  • VMware App Volumes for real-time application delivery
  • VMware User Environment Manager for contextual policy management

JMP allows components of a desktop or RDSH server to be decoupled and managed independently in a centralized manner, yet reconstituted on demand to deliver a personalized user workspace when needed. JMP is supported with both on-premises and cloud-based Horizon deployments, providing a unified and consistent management platform regardless of your deployment topology. The JMP approach provides several key benefits, including simplified desktop and RDSH image management, faster delivery and maintenance of applications, and elimination of the need to manage “full persistent” desktops.

Note: Installing the components of JMP is required only if you want to use that functionality. Similarly, installing the Horizon Agent is required only if you plan to use the image for VMware Horizon desktop or application pools.

Purpose of This Guide

Creating an Optimized Windows Image for a Virtual Desktop provides step-by-step procedures for creating optimized images. These procedures include creating a VM, installing and configuring a Windows operating system, optimizing the OS, and installing the various VMware agents required for desktop pool deployment.

Important: The procedures in this guide are sequential and build on one another, so make sure to complete each procedure in each chapter before moving on to the next.

Intended Audience

This guide is intended for IT administrators and product evaluators who are familiar with VMware vSphere and VMware vCenter Server®. Familiarity with networking and storage in a virtual environment, Active Directory, identity management, and directory services is assumed. Knowledge of other technologies, such as Horizon 7, is also helpful.

Advantages of an Optimized Image

Optimizing the master image is well worth the time and effort involved. Savings are returned on a variety of fronts.

Initial Deployment Time Savings

By trimming the image, you can reduce the amount of required disk space by up to 80 percent, which translates to a significant reduction in the time it takes to create desktop pools (up to 3 times faster).

By default, Windows generates native images and performs disk cleanup actions after being idle for 10 minutes, which can use a full core for up to an hour. When deploying a large pool, this means that the cluster might not be usable for up to an hour after deployment. With image optimization, however, this process could be reduced to 30 seconds.

User Logon Time Savings

When a user logs on, the portion of logon time devoted to creating a standard user profile can take up to 30 seconds, but when optimized, this portion of logon time could be reduced to 2.5–8.5 seconds.

Host Memory Savings

A default deployment can use up to 2 GB of active memory, but with optimization, memory requirements can be reduced significantly (up to 50 percent).

Host CPU Savings

An optimized deployment can reduce CPU usage by up to 40 percent, allowing for up to a 40-percent increase in VM density on the physical vSphere host.

Storage and IOPS Savings

Because of the earlier-mentioned disk-space savings, you realize cache-usage improvements as well. Disabling unneeded features and compressing the OS files means a larger portion can fit in the cache, which can reduce the amount of IOPS required by up to 250 percent.

Tested Operating Systems

The following operating systems have been tested using the procedures included in this guide. The table shows the example sizing and login duration that we achieved in our testing.

Only a single 32-bit operating system was tested, but any 32-bit operating system that has a corresponding 64-bit version listed should work in the same way. All operating systems were tested with all updates available as of early July 2018. For a complete list of supported Windows 10 operating systems, see the VMware knowledge-base article Supported versions of Windows 10 on Horizon Agent Including All VDI Clones (Full Clones, Instant Clones, and Linked Clones on Horizon 7) (2149393).

Note: Most screenshots in this guide are from the latest Windows 10 OS version. If you have a different OS version, some screens might look slightly different, but in general they are quite similar.

Important: Use an OS version that has a Microsoft Windows volume license key using the Key Management Service (KMS). KMS treats each activated clone as a computer with a newly issued license. In a production environment, you must activate Windows. In an evaluation environment, you can create the VM and log in without activating Windows.

| Operating System | Version | Edition | Architecture | Used Space | Mandatory Profile Size | Mandatory Profile Login Duration |
|---|---|---|---|---|---|---|
| Windows 10 | 1507 | LTSB* | x64 | 6.94 GB | 563.0 KB | 7 s |
| Windows 10 | 1607 | LTSB* | x64 | 8.37 GB | 820.0 KB | 7 s |
| Windows 10 | 1607 | LTSB* | x86 | 5.39 GB | 825.5 KB | 7 s |
| Windows 10 | 1703 | Education | x64 | 7.87 GB | 1080.0 KB | 8.5 s |
| Windows 10 | 1703 | Enterprise | x64 | 8.16 GB | 1082.1 KB | 8.5 s |
| Windows 10 | 1703 | Professional | x64 | 8.26 GB | 1082.3 KB | 8.5 s |
| Windows 10 | 1709 | Education | x64 | 7.72 GB | 1083.4 KB | 8 s |
| Windows 10 | 1709 | Enterprise | x64 | 7.88 GB | 1085.4 KB | 8 s |
| Windows 10 | 1709 | Professional | x64 | 7.68 GB | 1085.4 KB | 8 s |
| Windows 10 | 1803 | Education | x64 | 6.97 GB | 1085.0 KB | 8 s |
| Windows 10 | 1803 | Enterprise | x64 | 7.19 GB | 1087.0 KB | 8 s |
| Windows 10 | 1803 | Professional | x64 | 6.91 GB | 1087.1 KB | 8 s |
| Windows Server 2016 | 1607 | Datacenter | x64 | 9.79 GB | 824.0 KB | 3.5 s |
| Windows Server 2016 | 1607 | Standard | x64 | 9.44 GB | 824.0 KB | 3.5 s |
| Windows 7 | SP1 | Enterprise | x64 | 18.79 GB | 1181.1 KB | 5 s |
| Windows 7 | SP1 | Professional | x64 | 18.77 GB | 1180.6 KB | 5 s |
| Windows 8.1 | | Enterprise | x64 | 10.35 GB | 878.8 KB | 4.5 s |
| Windows 8.1 | | Professional | x64 | 11.46 GB | 862.7 KB | 4.5 s |
| Windows Server 2012 R2 | | Datacenter | x64 | 10.67 GB | 578.8 KB | 2.5 s |
| Windows Server 2012 R2 | | Standard | x64 | 10.82 GB | 574.6 KB | 2.5 s |

* LTSB means long-term servicing branch. This edition receives only security updates but no feature updates. OS upgrades are released only once every three years or so. This edition does not include Edge or any Microsoft Store (Universal Windows Platform, or UWP) apps, or Cortana, the voice-activated digital assistant. This edition is meant for specialized systems that perform a single important task—such as PCs that control medical equipment, point-of-sale systems, and ATMs.

Infrastructure Prerequisites

Before you can perform the procedures in this guide, you must have the following infrastructure components installed and configured:

  • VMware vSphere and vCenter Server. We used vSphere 6.7 and vCenter Server 6.7 in our testing. For information and installation instructions, see the VMware vSphere documentation.
  • VMware ESXi™ host or hosts configured in the vCenter Server instance.
  • An authentication infrastructure that includes Active Directory, DNS, and DHCP.
  • If you intend to use VMware App Volumes™, you must have the host name or IP address of the server on which App Volumes Manager is installed or will be installed. You will enter this information when you install the App Volumes Agent on the master VM image.

If you plan to create Horizon 7 desktop pools, ideally at this point you would also have Horizon 7 Connection Server installed and configured. We used Horizon 7 version 7.5. For installation instructions, see the Horizon 7 Installation guide.

Initial VM Creation

Create a Virtual Machine

Each desktop pool or RDSH server farm uses a master virtual machine (VM), which serves as the model for the deployed virtual desktops. You use VMware vSphere® Web Client to create the master VM.

Prerequisites

Before you complete this procedure, you will need the following:

  • Windows ISO file – You must have uploaded an ISO file to a vSphere datastore. The ISO file must contain a supported version of the Windows operating system. You will point to this file when completing the New Virtual Machine wizard. For a list of the operating systems we tested, see Tested Operating Systems. For a complete list of supported Windows 10 operating systems, see the VMware knowledge-base article Supported versions of Windows 10 on Horizon Agent Including All VDI Clones (Full Clones, Instant Clones, and Linked Clones on Horizon 7) (2149393).

    Important: Use an OS version that has a Microsoft Windows volume license key using the Key Management Service (KMS). KMS treats each activated clone as a computer with a newly issued license. In a production environment, you must activate Windows. In an evaluation environment, you can create the VM and log in without activating Windows.
  • User account – When you log in to vSphere Web Client, the account you use must have the privileges required to create a VM. See the "Prerequisites" section of the product documentation topic Create a Virtual Machine with the New Virtual Machine Wizard.

1. Start the New Virtual Machine Wizard in the vSphere Web Client

  1. In vSphere Web Client, right-click a data center, cluster, host, or VM folder.
  2. Select New Virtual Machine.

2. Select the New Virtual Machine Creation Type

  1. Select Create a new virtual machine.
  2. Click NEXT.

3. Select a VM Name and Folder

  1. Provide a name in the Virtual machine name field.
  2. Select a location.
  3. Click NEXT.

4. Select a Cluster or Host

  1. Select a cluster or host as the compute resource.
  2. Click NEXT.

5. Select a Datastore for the VM

  1. Select a datastore or datastore cluster where you would like to store the VM.
  2. Click NEXT.

6. Select the vSphere Compatibility Level

  1. Select the lowest version of ESXi that this VM would be deployed to.
    Tip: See Hardware Features Available with Virtual Machine Compatibility Settings.
  2. Click NEXT.

7. Select the Windows Version and Architecture

  1. Select the Guest OS Version with the correct architecture (32- or 64-bit) and, when required, enable VBS.
  2. Click NEXT.

8. Specify Virtual Hardware Settings

  1. Select 4 CPUs. (Use 4 CPUs for the creation of the image. We will adjust this to production values later.)
  2. Select 4 GB of memory.
    Note: The table that follows describes the small amount of RAM on the ESXi host that is required for video overhead in addition to system memory. This VRAM size requirement depends on the display resolution and number of monitors configured for end users.
  3. Choose an appropriate hard disk size.
  4. Select the appropriate network.
  5. Browse to the Windows ISO file and select Connect.
  6. Choose the appropriate video card settings.
  7. Click NEXT.

 

| Display Resolution Standard | Width, in Pixels | Height, in Pixels | 1-Monitor Overhead | 2-Monitor Overhead | 3-Monitor Overhead | 4-Monitor Overhead |
|---|---|---|---|---|---|---|
| VGA | 640 | 480 | 1.20 MB | 3.20 MB | 4.80 MB | 5.60 MB |
| WXGA | 1280 | 800 | 4.00 MB | 12.50 MB | 18.75 MB | 25.00 MB |
| 1080p | 1920 | 1080 | 8.00 MB | 25.40 MB | 38.00 MB | 50.60 MB |
| WQXGA | 2560 | 1600 | 16.00 MB | 60.00 MB | 84.80 MB | 109.60 MB |
| UHD (4K) | 3840 | 2160 | 32.00 MB | 78.00 MB | 124.00 MB | Not supported |

9. Complete the Wizard

Click FINISH.

Install Windows

After you boot the VM, installation of the Windows OS begins automatically. You will accept most of the default settings and specify that you are doing a new installation rather than an update.

1. Open a Remote Console for the VM

  1. Select the newly created Windows VM in the inventory list.
  2. Click Launch Remote Console.
    Note: To launch a remote console, you must have downloaded and installed the VMware Remote Console. If necessary, you can click the "i" button to download and install it.

2. Power on the VM

Click the play icon.

3. Boot the VM from the Virtual CD

Press a key on your keyboard.

4. Select Settings for Your Region

  1. Select the correct regional options.
  2. Click Next.

5. Begin Installing Windows

Click Install now.

6. Select the Edition

This screen is only shown for an ISO that contains multiple editions.

  1. Select the Windows edition.

    Important: For Windows Server 2012 R2, select either of the following "Server with GUI" editions:
    • Windows 2012 R2 Standard (Server with a GUI)
    • Windows 2012 R2 Datacenter (Server with a GUI)

      For Windows Server 2016, select either of the following "Desktop Experience" editions:
    • Windows Server 2016 Standard (Desktop Experience)
    • Windows Server 2016 Datacenter (Desktop Experience)
  2. Click Next.

7. Accept the License Agreement

  1. Select the I accept the license terms check box.
  2. Click Next.

8. Select the Custom Installation

Select Custom: Install Windows only (advanced).

9. Use the Default Location

Click Next.

10. Monitor Installation Progress

Wait for Windows to be installed.

11. Enter Audit Mode

When you are prompted with Let's start with a region, Get going fast, Personalize, Settings, or Setup Windows, press CTRL+SHIFT+F3 to switch to audit mode.

12. Allow the System to Be Discoverable

  1. Click Yes.
  2. In the System Preparation Tool dialog box, click Cancel.

Configure Windows Server Systems for VDI or RDSH

Complete this procedure if you are working with Windows Server 2012 R2 or 2016.

Note: The following editions are supported for Windows Server installations:

For Windows Server 2012 R2, use either of the following "Server with GUI" editions:

  • Windows 2012 R2 Standard (Server with a GUI)
  • Windows 2012 R2 Datacenter (Server with a GUI)

For Windows Server 2016, use either of the following "Desktop Experience" editions:

  • Windows Server 2016 Standard (Desktop Experience)
  • Windows Server 2016 Datacenter (Desktop Experience)

1. Open the Server Management Properties Dialog Box

On the Windows Server system, start Server Manager, and select Manage > Server Manager Properties.

2. Select the Option to Not Start Server Manager at Logon

  1. Select the check box Do not start Server Manager automatically at logon.
  2. Click OK.

3. Turn Off IE Enhanced Security

  1. Select Local Server.
  2. Click On next to IE Enhanced Security Configuration.
  3. Select Off for both Administrators and Users.
  4. Click OK.

4. Start the Add Roles and Features Wizard

  1. Select Dashboard.
  2. Click Add roles and features.
  3. In the wizard, for Installation Type, use the default selection, which is Role-based or feature-based installation.
  4. Follow the prompts to the Server Roles page.

5. Install the Remote Desktop Services Role for RDSH Servers

  1. If you plan to use this server as an RDSH server, to create published applications and published desktops (rather than single-user VDI desktops), select Remote Desktop Services on the Server Roles page.
  2. Click Next, and click Next on the pages that follow until you come to the Role Services page.

6. Add the Remote Desktop Session Host

Select the check box for the Remote Desktop Session Host service, and confirm that you want to add the applicable management tools, before clicking Next.

7. Install the Desktop Experience Feature on Windows Server 2012 R2

  1. On Windows Server 2012 R2 servers, on the Features page, install the Desktop Experience feature. This feature is already installed on Windows Server 2016 (Desktop Experience) installations.
  2. Click Next.

8. Complete the Wizard

Follow the rest of the prompts, click Install on the Confirmation page, and close Server Manager.

9. Enable Adobe Flash Player to Run on Windows Server 2016

For Windows Server 2016, open a command prompt and enter the following command to enable Adobe Flash Player to run.

Note: To display the command in this document, we had to add a line break after Packages\, but you should enter the command all on one line:

dism /online /add-package /packagepath:"C:\Windows\servicing\Packages\
Adobe-Flash-For-Windows-Package~31bf3856ad364e35~amd64~~10.0.14393.0.mum"

Update Windows and Run Ngen and DISM

After you install the latest Windows OS updates, you will use the Native Image Generator (Ngen.exe) command-line tool to improve the performance of managed applications. You will use the Deployment Image Servicing and Management (DISM.exe) command-line tool to save space on the Windows image by running the operating system and other system files from compressed files.

1. Select the Update & Security Settings

Press Windows Key+I to open Windows Settings, and click Update & Security. For Windows 8.1 or Windows Server 2012 R2 and earlier, navigate to Control Panel > System and Security > Windows Update.

Important: Currently (as of July 2018), Windows Update is not working on Windows 8.1 and Windows Server 2012 R2. Use Microsoft Baseline Security Analyzer 2.3 to identify missing updates, and manually download and install them from the Microsoft Download Center.

2. Select Check for Updates

Note: For non-LTSB Windows 10 versions, click Advanced options first and select Defer feature upgrades so that new features are not downloaded and installed. Deferring feature upgrades does not affect security updates.

Click Check for updates and wait for the updates to be installed.

3. Restart the VM

Click Restart now.

4. Open a Command Prompt

  1. After the VM restarts, log in, press Windows Key+R and type cmd.exe.
  2. Click OK.

5. Run the Ngen Tool

  1. Type cd\ and press Enter.
  2. Type cd Windows\Microsoft.NET\Framework\v4 and press Tab and then press Enter.
  3. Type ngen executequeueditems and press Enter. This command executes queued compilation jobs.

6. Run the DISM Tool

  1. Type dism /online /cleanup-image /startcomponentcleanup /resetbase and press Enter.
    Note: This command might take a long time to complete and is not available on Windows 7 or Server 2008. On these operating systems, run cleanmgr.exe, select Windows Update Cleanup, and reboot afterwards.
  2. Optionally on Windows 10/Server 2016, you can also run compact /compactos:always, which has a positive effect on the amount of IOPS required for storage with cache and a negligible CPU impact.
  3. Close the command prompt.

Install VMware Tools

VMware Tools is a set of services and modules that enable several features in VMware products for better management of, and seamless user interactions with, guest operating systems.

For example, VMware Tools can run scripts that automate OS operations and can synchronize the time in the guest operating system with the time on the vSphere host. You must install VMware Tools in VMs used for desktop and application pools.

1. Use vSphere Web Client to Mount the VMware Tools Virtual DVD Drive

  1. Select the VM in the inventory list.
  2. Click Install VMware Tools, and click MOUNT when prompted.

Alternatively, you can select the VM and select ACTIONS > Guest OS > Install VMware Tools.

2. Start the Installation Wizard

  1. Open a console for the VM, and in Windows Explorer, select DVD Drive (D:) VMware Tools.
  2. To start the wizard, double-click Setup64.exe (or Setup.exe for a 32-bit OS).

3. Click Next on the Welcome Page

Click Next.

4. Select the Typical Setup Type

Leave the Typical setup selected, and click Next.

5. Start the Installation

Click Install.

6. Complete the Wizard

Click Finish.

7. Do Not Restart the VM Yet

Click No.

8. Shut Down the VM

  1. Click the Start button.
  2. Click the Power button.
  3. Click Shut down.

Optimize the VM Hardware

The VMXNET family of paravirtualized network adapters provides better performance in most cases than emulated adapters, which include E1000e. VMXNET network adapters implement an idealized network interface that passes network traffic between the VM and the physical network interface card with minimal overhead. Now that VMware Tools are installed, we can replace the E1000e adapter.

Also, because we no longer need the virtual CD/DVD drive, we can remove that as well as any other unnecessary virtual hardware devices.

1. Open the Edit Settings Dialog Box

In the vSphere Web Client, right-click the VM and select Edit Settings.

2. Remove E1000e

  1. To delete the current network adapter, click on the cross that appears when your pointer hovers over the Network adapter 1 row.
  2. Click ADD NEW DEVICE.

3. Add a VMXNET3 Network Adapter

Select Network Adapter.

4. Configure the Network Adapter Settings

  1. Expand New Network.
  2. Select the correct network.
  3. Change the Adapter Type to VMXNET 3.

5. Remove Devices That You Plan Not to Use

  1. To remove the virtual CD/DVD drive from the VM, click the X that appears when you hover your pointer over the CD/DVD drive 1 row. If you do not plan to use USB redirection, do the same with the USB xHCI controller.
  2. Click OK and edit the VM again.

6. Remove the SATA Controller

To remove the virtual SATA controller from the VM, click the X that appears when you hover your pointer over the SATA Controller 0 row.

7. Open the Add Configuration Parameter Dialog Box

  1. Click the VM Options tab.
  2. Expand Advanced.
  3. Click EDIT CONFIGURATION.

Note: In the next step, you are going to disable the hotplug feature. With hotplug enabled, NICs and SCSI controllers appear as removable devices, and the Safely Remove Hardware option for the virtual hardware appears in the Windows System Tray (notification area). To prevent this option from appearing, we will disable the capability.

8. Add a Parameter to Disable Hotplug Functionality

  1. Click ADD CONFIGURATION PARAMS.
  2. For Name, type devices.hotplug, and for Value, type false.
  3. Click OK.

9. Disable Floppy, IDE, LPT, and COM Devices

If you are not using Windows 10 or Windows Server 2016 systems that, by default, use UEFI rather than BIOS to boot, you can disable more devices in the BIOS.

9.1. Configure the VM to Boot into the BIOS Setup Screen

  1. Expand Boot Options.
  2. Select During the next boot, force entry into the BIOS setup screen.
  3. Click OK.
  4. Power on the VM and open a remote console.

 

9.2. Open I/O Device Configuration Options

  1. Go to the Advanced tab.
  2. Select I/O Device Configuration and press Enter.

9.3. Disable the Devices

Set everything to Disabled and press ESC.

9.4. Disable the Local Bus IDE Adapter

  1. On the Advanced tab, select Local Bus IDE adapter and press Enter.
  2. Select Disabled and press Enter.

9.5. Exit BIOS Setup

  1. Go to the Exit tab.
  2. Select Exit Saving Changes and press Enter.

Image Generalization

Prepare the OS for Generalization

Generalizing a Windows image means removing computer-specific information so that the image can be deployed throughout an enterprise. Before we can generalize the image, we need to remove any Windows Store applications that are not needed. In our example, these include all the Windows Store applications that can be deleted.

The CopyProfile setting in the Sysprep answer file enables you to customize a user profile and use the customized profile as the default user profile. Windows uses the default user profile as a template to assign a profile to each new user. Because we want to prevent the removed Windows Store applications from being automatically reinstalled later, when we log in with a user account, we need to merge the change into the default user profile.

Note: When preparing the master image, we do not join the machine to a domain. Joining a machine to a domain is part of the deployment process, not part of image creation and optimization. This way, the image can be used across domains. Also, some optimization steps will not work if the image is joined to a domain.

1. Remove All App Packages Installed in Windows 8.1 and Windows 10 User Profiles

1.1. Run a PowerShell Prompt as Administrator

For example, use the Start button on the master VM to browse to Windows PowerShell, right-click, and select Run as administrator.

1.2. Run PowerShell Commands to Remove App Packages in User Profiles

For all Windows 8.1 and 10 versions except LTSB, enter the following commands. Server, LTSB and older versions of Windows do not have AppX packages.

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
Get-AppxPackage -AllUsers | Remove-AppxPackage
Get-AppxProvisionedPackage -online | Remove-AppxProvisionedPackage -online

The reg add command disables app suggestions for a new user profile.

The Get-AppxPackage -AllUsers | Remove-AppxPackage command obtains a list of all installed app packages for all users, and then removes them.

The Get-AppxProvisionedPackage -online | Remove-AppxProvisionedPackage -online command obtains information about all app packages that are set to install for each new user on the OS that is currently running on the local computer, and then removes them.

 

2. Disable Password Complexity Requirements on Windows Server

  1. On the Windows Server VM, run gpedit.msc, and navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.
  2. Double-click Password must meet complexity requirements.
  3. Click Disabled and click OK.

On Windows Server operating systems, disable Password must meet complexity requirements. Desktop operating systems already have this setting disabled. When the image is used later, the domain policies overwrite this setting, but on the master image it allows the use of an empty password for the administrator account (an account that the domain policy should also disable).

3. Create a Sysprep Answer File

Create a new file with the name unattend.xml in the c:\windows\system32\sysprep directory.

4. Add the Content of the Answer File

Open the unattend.xml file with a text editor, and add the following content:

Note: If you copy the following text from a Web (HTML) page, the line breaks will most likely be preserved, but if you copy the lines from a PDF file, the line breaks will not be correct. Be sure to copy the text from an HTML page.

<?xml version="1.0" encoding="UTF-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
   <settings pass="generalize">
      <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
         <SkipRearm>1</SkipRearm>
      </component>
   </settings>
   <settings pass="specialize">
      <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
         <RunSynchronous>
            <RunSynchronousCommand wcm:action="add">
               <Order>1</Order>
               <Path>net user administrator /active:yes</Path>
            </RunSynchronousCommand>
         </RunSynchronous>
      </component>
      <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
         <CopyProfile>true</CopyProfile>
         <TimeZone>Mountain Standard Time</TimeZone>
         <ComputerName>*</ComputerName>
      </component>
   </settings>
   <settings pass="oobeSystem">
      <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
         <InputLocale>en-us</InputLocale>
         <SystemLocale>en-us</SystemLocale>
         <UILanguage>en-us</UILanguage>
         <UserLocale>en-us</UserLocale>
      </component>
      <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
         <AutoLogon>
            <Enabled>true</Enabled>
            <LogonCount>1</LogonCount>
            <Username>Administrator</Username>
         </AutoLogon>
         <OOBE>
            <HideEULAPage>true</HideEULAPage>
            <NetworkLocation>Work</NetworkLocation>
            <HideLocalAccountScreen>true</HideLocalAccountScreen>
            <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
            <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
            <ProtectYourPC>3</ProtectYourPC>
         </OOBE>
         <UserAccounts>
            <LocalAccounts>
               <LocalAccount wcm:action="add">
                  <Description>Local Administrator</Description>
                  <DisplayName>Administrator</DisplayName>
                  <Group>Administrators</Group>
                  <Name>Administrator</Name>
               </LocalAccount>
            </LocalAccounts>
         </UserAccounts>
      </component>
   </settings>
</unattend>

Important: Take the following version-specific guidelines into account when creating this file:

  • When using a 32-bit operating system, replace the instances of amd64 with x86.
  • When using Windows 7, delete the lines with HideLocalAccountScreen, HideOEMRegistrationScreen, and HideOnlineAccountScreens.
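
A master image built with the password-policy change in step 2 and this answer file has password complexity turned off, the built-in Administrator account activated, and a one-time automatic logon for that account. The following PowerShell check is an added example, not part of VMware's guide: run elevated on a deployed desktop, it confirms that domain policy has reversed those settings. The function name is hypothetical, and the check assumes the desktop is domain-joined and that Group Policy has already been applied.

```powershell
# Added example (not VMware's code). Run in an elevated PowerShell session on a
# deployed desktop, not on the master image. Function name is hypothetical.
function Test-DeployedDesktopAccountPolicy {
    [CmdletBinding()]
    param()

    # Helper that emits one result row per check.
    function New-Result($Check, $Value, $Pass) {
        New-Object PSObject -Property @{ Check = $Check; Value = $Value; Pass = [bool]$Pass } |
            Select-Object Check, Value, Pass
    }

    # Export the effective local security policy. secedit writes an INF file
    # whose [System Access] section holds "Name = Value" pairs.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    $policy = @{}
    try {
        $null = & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY
        if ($LASTEXITCODE -ne 0) {
            throw "secedit /export failed with exit code $LASTEXITCODE (is the session elevated?)"
        }
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
        }
    }
    finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }

    # Complexity was disabled on the master; domain policy should have re-enabled it.
    New-Result 'Password complexity enforced' $policy['PasswordComplexity'] `
        ($policy['PasswordComplexity'] -eq '1')

    # A minimum length of 0 is what permits the empty administrator password.
    New-Result 'Minimum password length above 0' $policy['MinimumPasswordLength'] `
        ([int]$policy['MinimumPasswordLength'] -gt 0)

    # The answer file runs "net user administrator /active:yes" in the specialize pass.
    New-Result 'Built-in Administrator disabled' $policy['EnableAdminAccount'] `
        ($policy['EnableAdminAccount'] -eq '0')

    # The answer file enables AutoLogon with LogonCount 1; nothing should remain of it.
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    New-Result 'Automatic logon off' $winlogon.AutoAdminLogon ($winlogon.AutoAdminLogon -ne '1')
    New-Result 'No stored logon password' ($null -ne $winlogon.DefaultPassword) `
        ($null -eq $winlogon.DefaultPassword)
}

# Show only the checks that failed:
# Test-DeployedDesktopAccountPolicy | Where-Object { -not $_.Pass }
```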

5. Create a UseProfilePathExtensionVersion Registry Entry for Certain Versions of Windows

For Windows Server 2012 R2 and Windows 8.1, run the following command:

reg add "HKLM\System\CurrentControlSet\Services\ProfSvc\Parameters" /v UseProfilePathExtensionVersion /t REG_DWORD /d 1 /f

This command helps avoid compatibility issues between Windows Server 2012 R2 or Windows 8.1 and default user profiles created using a different version of Windows.

Run Sysprep to Create a Generic Image

Now that you have created a Sysprep answer file, you can run an unattended installation using the System Preparation tool.

Open a Command Prompt and Run Sysprep

For all versions except Windows 7, open a command prompt and execute the following command from the directory where sysprep.exe is installed. For Windows 7, because the /mode:vm option is not available, run the command without it.

c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /mode:vm /unattend:c:\windows\system32\sysprep\unattend.xml /reboot

In this command, /generalize removes computer-specific information, /oobe restarts the computer into out-of-box-experience mode, /mode:vm skips driver installation, and /unattend points to the answer file to use during an unattended installation. For details about these options and others, see the Microsoft article Sysprep Command-Line Options.

Create a Mandatory User Profile

With mandatory user profiles, changes a user might make to the desktop are not saved when the user logs off. When the Sysprep process is complete, you can configure a mandatory user profile.

After Sysprep runs, the system reboots. For Windows Server operating systems, when you are prompted to change the password, leave everything blank and press Enter.

During logon, the screen might stay black a bit longer than usual. This should last only two minutes and occur only during the first logon.

 

1. Open the System Information for the Master VM

In the File Explorer, right-click This PC or Computer, and select Properties.

2. Open Advanced System Settings

Click Advanced system settings.

3. Open User Profile Settings

In the User Profiles section, click Settings.

4. Copy the Default Profile

With the default profile selected, click Copy To. This is the default user profile you customized and saved when you performed the procedure in Prepare the OS for Generalization.

5. Complete the Copy-To Settings

  1. For all Windows 10/Server 2016 versions except Windows 10 1507 LTSB, type c:\users\mandatory.v6. For Windows 10 1507 LTSB, use .v5. For Windows 8.1 and 2012 R2 use .v4, and for Windows 7 use .v2.
  2. Click Change.

5.1. Change the User Group to Authenticated Users

  1. Type authenticated.
  2. Click Check Names.
  3. Click OK.

5.2. Click OK in the Copy To Dialog Box

Click OK. Note that Mandatory profile is not selected.

6. Delete Additional Profiles If They Exist

If you see a profile named defaultuser0 or any other profile that is not Administrator or Default Profile:

  1. Select defaultuser0 (or other user).
  2. Click Delete, and click Yes to confirm.
  3. Click OK.

7. Click OK to Close the User Profiles Dialog Box

Now that other profiles have been deleted and only the Administrator and Default Profile remain, click OK.

9. Rename the ntuser.dat File

  1. Click View.
  2. Select the Hidden items check box.
  3. Rename ntuser.dat to ntuser.man. Renaming the file with the .man extension causes the user profile to become a mandatory, read-only profile.

10. Unhide Protected Operating System Files

  1. De-select Hide protected operating system files.
  2. Click OK.

11. Delete NTUSER.DAT Files

  1. Select all files that start with NTUSER.DAT.
  2. Right-click and select Delete.
  3. Click View and click Options.

12. Delete Local AppData Folders

  1. Navigate to the AppData subfolder.
  2. Select the Local and LocalLow folders.
  3. Right-click and select Delete.

13. Delete Theme Files

Delete all files in the AppData\Roaming\Microsoft\Windows\Themes directory.
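The end state of steps 1 through 13 can be checked with a script before the image is sealed. The following PowerShell is an added example, not part of the original guide or of any VMware tooling; the function name Test-MandatoryProfile and its parameter are hypothetical, and it assumes Windows PowerShell 5.1 and a profile copied to C:\Users\mandatory.<suffix> as in step 5.

```powershell
# Added example: checks the end state of the mandatory-profile procedure.
# Test-MandatoryProfile is a hypothetical name, not a VMware or Microsoft cmdlet.
function Test-MandatoryProfile {
    [CmdletBinding()]
    param(
        # Folder typed in the Copy To dialog box, for example C:\Users\mandatory.v6
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $rights   = $null

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        $findings.Add("Profile folder not found: $Path")
    }
    else {
        # Step 5: the folder name carries the version suffix for the OS (.v2, .v4, .v5 or .v6).
        if ((Split-Path -Path $Path -Leaf) -notmatch '\.v(2|4|5|6)$') {
            $findings.Add('Folder name has no .v2/.v4/.v5/.v6 suffix')
        }

        # Step 9: ntuser.dat renamed to ntuser.man makes the profile mandatory and read-only.
        if (-not (Test-Path -LiteralPath (Join-Path $Path 'ntuser.man') -PathType Leaf)) {
            $findings.Add('ntuser.man is missing')
        }

        # Step 11: no file whose name starts with NTUSER.DAT may remain (-Force includes hidden and system files).
        Get-ChildItem -LiteralPath $Path -Force -File -Filter 'NTUSER.DAT*' |
            ForEach-Object { $findings.Add("Leftover file: $($_.Name)") }

        # Step 12: the Local and LocalLow folders under AppData must be gone.
        foreach ($name in 'Local', 'LocalLow') {
            $sub = Join-Path (Join-Path $Path 'AppData') $name
            if (Test-Path -LiteralPath $sub) {
                $findings.Add("AppData\$name still exists")
            }
        }

        # Step 13: the Themes directory must contain no files.
        $themes = Join-Path $Path 'AppData\Roaming\Microsoft\Windows\Themes'
        if (Test-Path -LiteralPath $themes) {
            $count = @(Get-ChildItem -LiteralPath $themes -Force -File -Recurse).Count
            if ($count -gt 0) { $findings.Add("Themes directory still holds $count file(s)") }
        }

        # Step 5.1: Authenticated Users (well-known SID S-1-5-11) must be permitted to use the profile.
        $acl   = Get-Acl -LiteralPath $Path
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $allow = @($rules | Where-Object {
            $_.IdentityReference.Value -eq 'S-1-5-11' -and $_.AccessControlType -eq 'Allow'
        })
        if ($allow.Count -eq 0) {
            $findings.Add('No Allow entry for Authenticated Users on the profile folder')
        }
        else {
            $rights = ($allow | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
        }
    }

    [pscustomobject]@{
        Path                     = $Path
        Compliant                = ($findings.Count -eq 0)
        Findings                 = $findings.ToArray()
        AuthenticatedUsersRights = $rights
    }
}

# Usage: pass the folder with the suffix that matches the OS, per step 5 (.v6 shown here).
Test-MandatoryProfile -Path 'C:\Users\mandatory.v6' | Format-List
```

The AuthenticatedUsersRights field records what the Copy To dialog granted on the folder, which is worth keeping with the image notes because every user in the pool loads this same profile.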

Installation of Virtual Desktop Agents and Applications

Install Horizon Agent

If you plan to create VMware Horizon desktop or application pools, you must install Horizon Agent on the master VM so that VMware Horizon servers can communicate with and manage the desktops that you deploy. The Horizon Agent also communicates with VMware Horizon® Client™ on end users' computers to provide features such as connection monitoring, virtual printing, access to the local file system, and access to locally connected USB devices.

Prerequisites for Installing Horizon Agent

To perform this procedure, you need the following:

Important: If you install Horizon Agent on a Windows Server machine on which the Remote Desktop Services (RDS) role is not installed, the wizard will prompt you to Install VMware Horizon Agent in 'desktop mode'.

Selecting this option configures the Windows Server machine as a single-user virtual desktop rather than as an RDS host. If you intend the machine to function as an RDS host, cancel the Horizon Agent installation, install the RDS role on the machine, and restart the Horizon Agent installation.

1. Start the Horizon Agent Wizard

Log in to the OS of the master VM as an Administrator, double-click the installer file to start the wizard, and click Next on the Welcome page.

2. Accept the License Agreement

Select I accept the terms in the license agreement, and click Next.

3. Select Whether to Use IPv4 or IPv6

Select the protocol, and click Next.

The environment must be either IPv6 only or IPv4 only. Horizon 7 does not support a mixed IPv6 and IPv4 environment.

4. Enable the USB Redirection Feature

Enable the USB Redirection feature, and click Next.

You can later control use of the feature by setting group policies or by using Horizon Smart Policies for granular control. For example, you can set a condition for the Smart Policy so that users can access USB devices only when connecting from inside the corporate network.

5. Disable Installation of the View Composer Agent

Because the View Composer Agent cannot be installed if you plan to install the Instant Clone Agent, disable the VMware Horizon View Composer Agent, and click Next.

6. Enable Installation of the Instant Clone Agent

Enable the VMware Horizon Instant Clone Agent, and click Next.

Instant Clone Technology enables single-image management with automation capabilities. You can rapidly create instant-clone desktop pools and automated RDSH server farms that contain thousands of VMs.

Note: Even though you install this feature, you can still use this master image to create full-clone desktop pools in addition to instant-clone desktop pools.

7. Disable the Persona Management Feature

Because the Persona Management feature cannot be installed if you plan to install the Instant Clone Agent, disable the VMware Horizon Persona Management feature, and click Next.

Note: For some operating systems, this component might not appear in the list.

8. Enable the Performance Tracker

Enable installation of the Horizon Performance Tracker, as well as any other features you might require, and click Next.

VMware Horizon Performance Tracker is a utility that runs in a remote desktop or RDSH server and monitors the performance of the display protocol and system resource usage.

Note: For a description of each of the features in the list, see Horizon Agent Custom Setup Options.

9. Enable the Remote Desktop Capability

If the Remote Desktop Protocol page appears, select Enable the Remote Desktop capability on this computer, and click Next.

This wizard page might not appear if you have already enabled this feature in Windows Firewall.

If you select the Do not enable the Remote Desktop capability on this computer option, you can manually enable the remote desktop feature later and configure the firewall exceptions.

10. Click Install

Now that all the correct components are configured to be installed, click Install.

11. Click Finish When Installation Is Complete

Click Finish to close the installer.

12. Restart the VM

When prompted to restart, click Yes.

Install the User Environment Manager Agent

User Environment Manager provides profile management by capturing user settings for the operating system and applications. Unlike traditional application profile management solutions, User Environment Manager captures only the settings that the administrator specifies. This reduces login and logout time because less data needs to be loaded. User data is managed through folder redirection.

FlexEngine, the User Environment Manager agent component, applies the policies that the IT administrator creates with the User Environment Manager Management Console. To install this component, you run the same VMware User Environment Manager Setup wizard that you run to install the management console.

Note: Installing the User Environment Manager Agent is an optional step. Install this agent only if you plan to use this functionality.

Prerequisites for FlexEngine Installation

To perform this exercise, you need the following:

  • User account – When you log in to the OS to run the installer, the account you use must have administrative privileges.
  • Installer – If necessary, you can download the installer from the VMware Downloads page. The installer is an architecture-specific (x86 or x64) MSI file. You must download the file and copy it to the system where it will run or to a location accessible to the system.
  • Internet access – The installation process includes a certificate revocation check to verify the digital signature of the MSI file. This check requires Internet access.
  • VM with supported Windows OS – The machine must be running a supported Windows version. For a list of the systems we tested, see Tested Operating Systems. For a complete list of supported Windows 10 operating systems, see the VMware knowledge-base article Supported versions of Windows 10 on Horizon Agent Including All VDI Clones (Full Clones, Instant Clones, and Linked Clones on Horizon 7) (2149393).

Note: When you install the User Environment Manager agent on a VM where Horizon Agent is already installed, you are not required to specify a User Environment Manager license file. However, you are required to have purchased User Environment Manager. This component is included with Horizon 7 Enterprise Edition.

1. Start the User Environment Manager Wizard

Double-click the installer file to start the wizard, and click Next on the Welcome page.

2. Accept the License Agreement

Select I accept the terms in the license agreement, and click Next.

3. Select an Installation Folder

Click Next.

4. Choose the Setup Type

Select Typical, which installs the VMware UEM FlexEngine agent component, along with the optional components: Application Migration and Self-Support.

5. Click Next on the License File Page

Because you are installing the User Environment Manager agent on a VM where Horizon Agent is already installed, you can click Next. You are not required to specify a User Environment Manager license file.

6. Click Install

To begin installation, click Install.

7. Click Finish When Installation Is Complete

Click Finish to close the installer.

Install the App Volumes Agent

App Volumes delivers applications that are not in the master VM image. Application containers, called AppStacks, are assigned to a user, group, OU, or machine and mounted each time the user logs in to a desktop. With this strategy, user changes can persist between sessions.

App Volumes can also provide user-writable volumes, which allow users to install their own applications and have those applications follow the user as they connect to different virtual desktops.

You install the App Volumes Agent on the master VM so that the App Volumes Manager can communicate with the desktops you deploy and attach the correct applications when a user logs in.

Note: Installing the App Volumes Agent is an optional step. Install this agent only if you plan to use this functionality.

Prerequisites for Installing the App Volumes Agent

To perform this exercise, you need the following:

  • User account – When you log in to the OS of the master image to run the installer, the account you use must have local administrative privileges.
  • Installer – App Volumes is included with Horizon 7 Enterprise Edition, available from the Download VMware Horizon page. The App Volumes installer is distributed as an ISO file. You can mount the ISO on the machine where you want to create the App Volumes component, or you can also extract the ISO contents to a shared folder. This option allows you to install each component without mounting the ISO each time.
  • VM with supported Windows OS – The machine must be running a supported Windows version. For a list of the systems we tested, see Tested Operating Systems. For a complete list of supported Windows 10 operating systems, see the VMware knowledge-base article Supported versions of Windows 10 on Horizon Agent Including All VDI Clones (Full Clones, Instant Clones, and Linked Clones on Horizon 7) (2149393).
  • App Volumes Manager server information – During agent installation, you will be prompted to enter the host name or IP address and port number of the App Volumes Manager that this agent will communicate with.

1. Start the App Volumes Agent Wizard

In the Installation folder of the App Volumes installation media, double-click setup.exe, and click Next.

2. Accept the License Agreement

Select I accept the terms in the license agreement, and click Next.

3. Select to Install App Volumes Agent

On the App Volumes Install Screen page, select Install App Volumes Agent, and click Install.

4. Enter the Host Name or IP and Port Number

  1. Enter the host name of App Volumes Manager.
  2. Enter port number (default: 443).
  3. Ensure that Disable Certificate Validation with App Volumes Manager is not selected.
  4. Click Next.

5. Click Install

On the Ready to Install the Program page, click Install.

6. Click Finish When Installation Is Complete

Click Finish to close the installer.

7. Restart the VM

When prompted to restart, click Yes.

Install Applications in the Base Image

Although our primary application-delivery mechanism is App Volumes, it might be desirable to install select applications in the master VM so that all clones get those applications in their base disk.

Many applications have integrated auto-update functionality. Install these applications and update them to the latest version, and then turn off or disable the auto-update functionality to prevent the clones from updating individually.

Image Optimization

Run the VMware OS Optimization Tool

The VMware OS Optimization Tool fling helps optimize Windows 7/8/10 and Windows Server 2008 R2/2012/2016 systems for use with Horizon 7. The optimization tool includes customizable templates to enable or disable Windows system services and features, according to VMware recommendations and best practices, across multiple systems. Because most Windows system services are enabled by default, the optimization tool can be used to easily disable unnecessary services and features to improve performance.

1. Download the OS Optimization Tool

Go to the VMware OS Optimization Tool page to download and start it.

2. Check for Updates to the Template

  1. To check for updates to the template for our Windows version, select the Public Templates tab.
  2. Select Update Only.
  3. If there is an update, click Update. In the screen shot for this example, there is an update only for the templates provided by Login VSI, not the default VMware one.

3. Make a Copy of the Template

  1. Select the My Templates tab.
  2. Select the Windows version.
  3. Click Copy and Edit.

To keep the default user profile pristine, you make a copy of the default template and adjust it to modify only the mandatory user profile. If anything undesirable happens to the mandatory user profile now or later, you can restart from this point and will not be required to reinstall.

To ensure that optimizations are not bypassed, you are going to copy this template and modify it to include a mandatory user profile. The mandatory user profile is used for new (and old) accounts instead of the default user profile.

4. Name the Template

Type Windows <Version> - Mandatory User, and click OK.

5. Change the User Profile Name

  1. Expand Apply HKCU Settings to Register and click Load HKCU for editing.
  2. Change %USERPROFILE%\..\Default User\NTUSER.DAT to %USERPROFILE%\..\MANDATORY.V6\NTUSER.MAN.
    Important: For all Windows 10/Server 2016 versions except Windows 10 1507 LTSB, use mandatory.v6. For Windows 10 1507 LTSB, use .v5. For Windows 8.1/Server 2012 R2, use .v4. For Windows 7, use .v2.
  3. Click Save.
  1. Select the Analyze tab.
  2. Select MyTemplates\Windows <Version> - Mandatory User.
  3. Click Analyze.

7. Select the Optimizations to Apply

  1. Select the appropriate optimizations from the extensive list. For most VDI environments, use the default selection. For Windows 8.1 and 2012R2, de-select SMB v1.
  2. Click Optimize.

8. Restart the VM When Optimization Is Complete

Monitor the optimization results, close the VMware OS Optimization Tool when the process is complete, and restart the VM.

Configure Local Group Policies

In the example in this article, we edit the local group policy on the master VM, but you could instead configure the same policies on the Active Directory OU where the eventual deployment targets will reside.

1. Open the Group Policy Editor

On the master VM, press Windows Key+R, type gpedit.msc, and click OK.

2. Edit Certain Version-Specific Policies

The policies you must configure depend on the version of Windows.

  • For Windows 7, navigate to Computer Configuration > Administrative Templates > System > Logon and set Don't display the Getting Started welcome screen at logon to Enabled.
  • For Windows 8.1/2012R2 and Windows 10/Server 2016, navigate to Computer Configuration > Administrative Templates > System > Logon, and set Show first sign-in animation to Disabled.
  • For Windows 10/Server 2016, navigate to Computer Configuration > Administrative Templates > Windows Components > Search, and set Allow Cortana to Disabled.
  • For Windows 8.1/2012R2 and Windows 10/Server 2016 1507 and 1607, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender and set Turn off Windows Defender to Enabled.
  • For Windows 10/Server 2016 1607, 1703, 1709 and 1803, navigate to Computer Configuration > Administrative Templates > Windows Components > Cloud Content and set Turn off Microsoft consumer experience to Enabled.
  • For Windows 10 1703, 1709 and 1803, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus and set Turn off Windows Defender Antivirus to Enabled.
  • For Windows 10 1709 and 1803, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Security Center > Notifications and set Hide all notifications to Enabled.

Clean Up Disk Space and Zero-Out the Virtual Hard Disk

The Disk Cleanup utility frees unused disk space, and running the Secure Delete tool with the -z option zeroes out free disk space.

1. Open the Disk Cleanup Utility

  1. Press Windows Key+R and type cleanmgr.exe.
  2. Click OK.

2. Select File Types to Delete

  1. Select all items.
  2. Click OK.

3. Confirm File Deletion

Click Delete Files.

4. Download and Run SDelete

Download the Sysinternals SDelete tool and run the command for your operating system from a command prompt:

  • For 64-bit operating systems: sdelete64 -z c:
  • For 32-bit operating systems: sdelete.exe -z c:

This command overwrites all empty disk space with zeroes so that we can shrink the VMDK (virtual machine disk file) later.

Clear KMS and Release the IP Address

In this procedure, you use the Windows Software Licensing Management Tool (slmgr.vbs), which is a Visual Basic script, to clear the KMS (Key Management Service) host information from the image. You also release the IP address and shut down the machine.

Run the following commands:

slmgr.vbs /ckms
slmgr.vbs /ckhc
ipconfig /release
shutdown /s /t 0 /c "Image Ready"

slmgr.vbs /ckms clears the name of the KMS server.

slmgr.vbs /ckhc disables KMS host caching.

ipconfig /release releases the IP address.

shutdown /s /t 0 /c "Image Ready" shuts down the local computer, with 0 seconds between the time the command is given and the time the shutdown occurs, and leaves the comment "Image Ready."

Preparation for Use

Clone the VM to Adjust Disk Size and Virtual Hardware

If you used the same settings as shown in Specify Virtual Hardware Settings when you created the master VM, your VM has 40 GB of disk space and 4 GB of RAM. The storage usage of the VM can amount to the size of the disk as specified plus the amount of RAM.

Using the cloning process described in this article, we can select the thin-disk option and shrink the size of the VM according to the amount of zeroes written during the procedure Clean Up Disk Space and Zero-Out the Virtual Hard Disk.

Cloning also offers a good opportunity to adjust the virtual hardware specifications to better suit production usage.

1. Open the Clone VM Wizard

  1. Using vSphere Web Client, right-click the VM in the inventory list, and select Clone.
  2. Select Clone to Virtual Machine.

2. Specify a VM Name and Location

  1. Type a descriptive name; for example, Win10-1803-Master-v1.
  2. Select a location.
  3. Click NEXT.

3. Select a Cluster or Host

  1. Select a cluster or host as the compute resource.
  2. Click NEXT.

4. Select a Datastore and Disk Format

  1. Select a datastore or datastore cluster where you would like to store the VM.
  2. Select Thin Provision.
  3. Click NEXT.

5. Open the Customize VM Hardware Page

  1. Select Customize the virtual machine's hardware.
  2. Click NEXT.

6. Adjust Virtual Hardware Settings

The actual values you use should be tested in a pilot, but the following settings are a good starting point:

  1. For CPU, select 2.
  2. For Core per Socket, select 1.
  3. For Memory, type 2.5.
  4. Click NEXT.

7. Click Finish

To begin the cloning process, click FINISH.

For the example in this procedure, the storage usage shrank from 44.2 GB to 10.84 GB, which represents a 75 percent savings.

Take a VM Snapshot

To create a desktop pool of cloned VMs, or to create a farm of cloned RDSH server VMs, you need to create a frozen state, or base image, from which the clone can be derived.

  • For instant-clone pools and server farms, and for linked-clone pools, you achieve this state by taking a VM snapshot of the master VM.
  • For full-clone pools, you achieve this state by cloning the master VM to a VM template.

This procedure describes taking a VM snapshot. For information about cloning a VM to a VM template, see Clone a Virtual Machine to a Template.

Prerequisites for Taking a Snapshot

Although it is possible to take a snapshot of a VM that is powered on, for the purposes of creating a base image for a Horizon 7 desktop pool or server farm, the VM must be shut down and powered off.

1. Open the Take Snapshot Dialog Box

  1. Using vSphere Web Client, right-click the VM in the inventory list, and select Snapshots.
  2. Select Take Snapshot.

2. Take the Snapshot

  1. Provide a descriptive name; for example, the name might include the date of the snapshot.
  2. Click OK.

Create OUs and User Groups in Active Directory

Much of the initial configuration and ongoing management of virtual desktops, RDSH server farms, feature enablement, and end-user experience is performed by creating and applying group policies in Active Directory. Some standard Microsoft Group Policy Object settings are required to configure virtual desktops and applications, as described later in this guide.

If you use Horizon 7, you can also use VMware-provided GPO administrative templates for fine-grained control of access to features. See Using Horizon 7 Group Policy Administrative Template Files.

OUs for VMs

You should create an organizational unit (OU) specifically for your virtual desktops and an OU for your RDSH server VMs. An OU is a subdivision in Active Directory that contains users, groups, computers, or other OUs.

To prevent group policy settings from being applied to other Windows servers or workstations in the same domain as your desktops or server farms, you can create a GPO for group policies and link it to the OU that contains your VMs. For example, later in this guide, you create a group policy to ensure that every user who logs on to a virtual desktop in a specific OU will use the same mandatory user profile.

You can also delegate control of the OU to subordinate groups, such as server operators or individual users.

User Groups

You should also create groups for different types of users in Active Directory. For example, you can create a group called End Users for your end users and another group called Horizon Administrators for users that will administer virtual desktops and applications.

Later in this guide, you will add a user group containing end users to the local Remote Desktop Users group in AD. Then members of the group will be able to connect to any VM that is joined to the domain.

Set a Policy to Use the Mandatory Profile

Now that you have created a mandatory user profile, you must create a policy to ensure that end users use that mandatory profile. To configure the path to the mandatory user profile, you use an Active Directory group policy. Using a local group policy is not recommended because the local policy also applies to the local administrator account.

In most cases, you will apply the policy to the OU where you plan to deploy VMs for end users. The policy is called Set roaming profile path for all users logging onto this computer.

If you do not want all users in an OU to use the same profile, you can alternatively double-click a user name in Active Directory Users and Computers, and type the profile path on the Profile tab. The profile can be located either on the local VM or on a file share. For example:

The path to the mandatory user profile does not have the .v6 (or any other .v<N> extension, depending on the Windows version).

Important: You can set the profile path either:

  • Per user, in Active Directory Users and Computers, if you have multiple mandatory profiles to use for different users in the same OU.
  • For all users who log on to a computer in a certain organizational unit (OU). Using the Group Policy Management Editor, you can create a group policy to set the profile path and apply it to the OU.

You must use one option or the other. If you try to use both options for a user, the group policy setting overwrites the per-user setting.

Prerequisites for Setting the Path to the Mandatory User Profile

Before you perform this procedure, decide where you want to store the mandatory user profile: you can keep it on the local VM or copy it to a share.

  • The benefit of keeping it local is that it requires fewer resources. You do not need a file share.
  • The benefit of having it on a share is that if you ever need to update the profile, you will not need to update the master VM and push new VMs just to update the profile.

1. Use the Group Policy Management Editor to Access User Profile Policies

  1. Open the Group Policy Management Editor for the OU, and navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles.
  2. Double-click Set roaming profile path for all users logging onto this computer.

2. Enable the Policy and Specify the Path

  1. Select Enabled.
  2. Specify the path to the mandatory user profile file, but do not include the .v6 (or other version number).
  3. Click OK.

Important: Because mandatory user profiles prevent user changes from being saved when a user logs off, be sure to also use User Environment Manager policies. With User Environment Manager, you can configure folder redirection to preserve user data as well as other policies to save user changes to application settings.

Set Other Common Group Policies

For both virtual desktop VMs and RDSH server VMs, create a GPO for the OU in Active Directory, and use the Group Policy Management Editor to apply the following GPO settings.

| Setting | Value |
|---|---|
| Computer Configuration > Policies > Administrative Templates > System > Group Policy | |
| Configure user Group Policy loopback processing mode | Enabled; Set Mode to Replace |
| Configure Logon Script Delay | Disabled |
| Computer Configuration > Policies > Administrative Templates > System > Logon | |
| Show first sign-in animation | Disabled |
| Always wait for the network at computer startup and logon | Enabled |

If you use Horizon 7, you can also use VMware-provided GPO administrative templates for fine-grained control of access to features. See Using Horizon 7 Group Policy Administrative Template Files.

Set Policies for RDSH Server VMs

If you plan to use the image for creating RDSH server VMs, create a GPO for the RDSH server OU in Active Directory, and use the Group Policy Management Editor to apply the following GPO settings.

| Setting | Value |
|---|---|
| Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing | |
| Use the specified Remote Desktop license server | Enabled (Comma-separated list of license servers to use) |
| Set the Remote Desktop license mode | Enabled (Choose the correct Per Device or Per User mode for your CALs) |
| Computer Configuration > Policies > Administrative Templates > System > User Profiles | |
| Delete cached copies of roaming profiles | Enabled |

If you use Horizon 7, be sure to review the VMware-provided administrative templates for RDSH server management. See Using Remote Desktop Services Group Policies.

Add Users to the Local Remote Desktop Users Group

To connect to a remote desktop or RDSH server, users must belong to the local Remote Desktop Users group of the virtual desktop or RDSH server. You can use the Restricted Groups policy in Active Directory to add users or groups to the Remote Desktop Users group.

The members of the Remote Desktop Users group are always added to the local Remote Desktop Users group of every virtual desktop or RDSH server that is joined to your domain. When adding new users, you need only add them to the Remote Desktop Users group.

Prerequisites for Adding Users to the Restricted Groups Policy

Before you can perform the procedure in this article, you must have created one or more user groups in Active Directory that contain the end users who will connect to the virtual desktops and RDSH servers.

1. Open Group Policy Management

On the domain controller (AD machine), click the Start button, and navigate to Windows Administrative Tools > Group Policy Management.

2. Edit the Default Domain Policy

  1. Expand your domain.
  2. Right-click Default Domain Policy.
  3. Select Edit.

3. Open the Add Group Dialog Box

  1. In the Group Policy Management Editor, expand Computer Configuration.
  2. Expand Windows Settings.
  3. Expand Security Settings.
  4. Right-click Restricted Groups.
  5. Select Add Group.

4. Add the Remote Desktop Users Group

  1. In the Add Group dialog box, enter Remote Desktop Users.
  2. Click OK.

5. Add User Groups to the Remote Desktop Users Group

  1. Right-click the Remote Desktop Users group that you just added to Restricted Groups.
  2. Select Properties.
  3. Click Add.
  4. Add a group of end users.
  5. Click OK in the Add Member dialog box.
  6. Click OK in the Remote Desktop Users Properties dialog box.
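Once the policy has refreshed on a clone, the local group can be compared with what the Restricted Groups entry is meant to produce. The following PowerShell is an added example, not part of the original guide; Compare-RdpUsersMembership is a hypothetical function name, CORP\End Users is a constructed group name, and the script assumes Windows PowerShell 5.1 for Get-LocalGroupMember.

```powershell
# Added example: compares the local Remote Desktop Users group on a clone with the
# accounts the Restricted Groups policy is meant to place there.
# Compare-RdpUsersMembership and the CORP\ names are hypothetical.
function Compare-RdpUsersMembership {
    [CmdletBinding()]
    param(
        # Accounts expected in the group, written as DOMAIN\Name
        [Parameter(Mandatory = $true)]
        [string[]]$Expected
    )

    # Resolve the group by its well-known SID so the check also works on localized Windows.
    $sid = 'S-1-5-32-555'
    try {
        $members = @(Get-LocalGroupMember -SID $sid -ErrorAction Stop)
    }
    catch {
        # Enumeration can fail, for example when the group holds an entry that no longer resolves.
        return [pscustomobject]@{
            Status     = 'EnumerationFailed'
            Unexpected = @()
            Missing    = $Expected
            Detail     = $_.Exception.Message
        }
    }

    # -notcontains compares names case-insensitively.
    $actual     = @($members  | ForEach-Object { $_.Name })
    $unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $actual   -notcontains $_ })

    [pscustomobject]@{
        Status     = if ($unexpected.Count -or $missing.Count) { 'Drift' } else { 'Match' }
        Unexpected = $unexpected
        Missing    = $missing
        Detail     = ($members | ForEach-Object {
                         '{0} ({1}, {2})' -f $_.Name, $_.ObjectClass, $_.PrincipalSource
                     }) -join '; '
    }
}

# Usage with a constructed group name; replace it with the group added in step 5.
Compare-RdpUsersMembership -Expected 'CORP\End Users' | Format-List
```

An Unexpected entry is an account that can open a remote session on the VM without being part of the policy, so it is the field to review first.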

Turn Off Hardware Graphics Acceleration in Commonly Used Applications

If the VMs are not using a physical GPU in the ESXi hosts, you can reduce CPU usage by not emulating hardware graphics in applications. We recommend using User Environment Manager configuration files to control these application settings.

For more information about having VMs use physical GPUs, see Deploying Hardware-Accelerated Graphics with VMware Horizon 7.

1. Internet Explorer

  1. To turn off hardware graphics acceleration for Internet Explorer, open the Internet Options dialog box by clicking the Tools icon and selecting Internet Options.
  2. Click the Advanced tab.
  3. From the Accelerated graphics list, select Use software rendering instead of GPU rendering.
  4. Click OK.

2. Microsoft Office

  1. To turn off hardware graphics acceleration for Microsoft Office, open the Options dialog box by selecting File > Options in the application (in this example, Microsoft Word).
  2. Select Advanced.
  3. Scroll down to the Display section.
  4. Select Disable hardware graphics acceleration.

3. Adobe Reader

  1. To turn off hardware graphics acceleration and disable other CPU-intensive display options for Adobe Reader, open the Preferences dialog box by selecting Edit > Preferences.
  2. Select Page Display.
  3. In the Rendering section, deselect the following options:  
    • Smooth imaging
    • Smooth line art
    • Use page cache
    • Enhance thin lines
  4. In the Page Content and Information section, deselect Use smooth zooming.

For more information, see the Adobe documentation about General Application Settings in the Windows Registry.

4. Google Chrome

  1. To turn off hardware graphics acceleration for Chrome, navigate to chrome://settings.
  2. Scroll down to the System section, and turn off Use hardware acceleration when available.

Conclusion

In Conclusion

With the image optimization procedures in this guide, you are able to achieve a significant reduction in the amount of disk space, CPU, and memory used by virtual desktop and RDSH server VMs and their vSphere hosts. The result is a corresponding savings in initial deployment time, user logon times, and IOPS.

Image optimization techniques included:

  • Creating a mandatory user profile
  • Disabling unneeded Windows services and features
  • Deleting unnecessary files and folders, such as event logs and temporary files
  • Compressing OS files
  • Zeroing out free disk space and shrinking the disk

Using the VMware OS Optimization Tool fling greatly simplifies many of these tasks.

This guide also provided step-by-step instructions for configuring the Windows image to perform optimally in a virtual environment, where CPU cores are shared among many VMs, and where users might be accessing a new VM every time they log in, though they probably will not realize it.

Twenty discrete versions of the Windows OS were tested using the procedures in this guide, including 12 versions of Windows 10.

The procedures in this guide help you create an optimized Windows image that you can use in a VMware Horizon implementation or in other types of deployments. End users will have a great experience, whether they access their personalized virtual desktops or remote applications from company laptops, their home PCs, thin client devices, Macs, tablets, or smartphones.

Additional Resources

About the Authors and Contributors

Hilko Lantinga is an End-User Computing Architect in VMware Technical Marketing, with a focus on 3D, Horizon Windows Desktops and RDSH, Linux, and Applications. Previously, he was a Senior Consultant in VMware Professional Services, leading large-scale EUC deployments in EMEA. He has 18 years of experience in end-user computing.

Caroline Arakelian is a Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware.

The following people contributed to the review of this paper:

  • Graeme Gordon, Senior Staff End-User-Computing (EUC) Architect in End-User-Computing Technical Marketing, VMware
  • Jim Yanik, Senior Manager, End-User-Computing Technical Marketing, VMware

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.