Virtual Machine Optimization

From Userful Support
Jump to: navigation, search


Copyright © 2015 Userful Corporation. All rights reserved.
(Updated 2015.01.22)

Windows® is a Registered Trademark of Microsoft® Corporation.
VirtualBox™ is a Trademark of Oracle® Corporation.


Introduction

The performance of your Userful system will largely be determined by the care and steps you take when setting up your golden master image(s). The impact of any mistakes -- or performance improvements -- savings made before cloning of your golden master image will be amplified 10-fold, so it is worth taking the time to prepare your master image correctly.

This document and the tools below are designed to provide potential optimizations you can consider to provide a more responsive Windows® VM desktop for users. These configurations typically add value by enhancing the user experience and increasing system performance.

For example, some of the changes suggested below optimize the user experience by enabling faster log-ons, reducing unnecessary prompts, and allowing faster screen updates. Others optimize performance and increase scalability by reducing unnecessary processor, memory, disk and network usage.


Please Note: The optimizations suggested below are suggestions only and their applicability will vary between environments. Use your own professional judgement as to which of these optimizations will be useful in your environment and be sure to test out your golden master image before deploying in a production environment.

3rd Party Tools & Documents

Please Note: The links provided below are provided for your convenience only. You bear the responsibility for determining if the tools or information linked to is appropriate for your needs.


Tools

  • Quest Workspace Optimizer A free GUI and command-line utility for optimizing a Windows image for using in vWorkspace (or any VDI deployment). Currently there are 40 optimizations. You can add your own optimizations by editing the configuration file of the of the Quest vWorkspace Desktop Optimizer.
  • VDI Optimizer: The tool called VDI Optimizer outputs a VBScript (based on the selections you make in the GUI interface), which can then be used to apply performance and configuration settings to images that will be deployed via VDI platforms – this is particularly useful if you are using MDT 2010 for your image engineering process as the VBScript can bolted into the task sequence using a Run Command Line task.

Licensing is Your Responsibility

Please Note: You are responsible for complying with all operating system and application vendors’ license agreements when you clone a virtual machine or make it available for multiple users.

Best practices for Installing Virtual Machines

Before cloning from the Golden Master Image, make any desired changes to the guest OS (except binding to an Active Directory). This includes:

  • Applying OS updates, service packs and patches.
  • Installing any desired VirtualBox Tools, especially the Guest OS Tools.
  • Install and Configure management agents.
  • Install and run anti-virus software, if needed. (Note: "locked" clones are returned to a pristine state whenever they are restarted, and thus should not require anti-virus software.)
  • Backup software or files, if necessary.
  • Install and configure any desired end-user applications
  • Finally, de-fragment the guest hard disk.

Make sure that your cloning process does not result in virtual machines with duplicate system attributes.

Using a known-good ISO file to create your initial VM image can save time over using CD or DVD media and also avoids any risk of damage to physical install media.

Optimizing your Golden Master (Windows OS) Image

Rules of Thumb

  • You want to ensure the average CPU load on your server is less than 70% under regular usage (by all users). You want to be able to gracefully handle spikes in need.
  • Disable Serial and Parallel Ports on your Host PC/Server
    • In BIOS, go to Advanced ->I/O Device Configuration and disable serial and parallel ports. Save changes and Exit.

Essentials

  • Install VirtualBox Guest Additions
  • Install all Windows Patches, then turn OFF Automatic Updates
  • Disable Serial and Parallel ports in Device Manager (if they exist)
  • Set Screensaver to "None" or "Blank" (this saves CPU over a graphic image screensaver)
  • Disable System Sounds (Set Sound scheme to "None")
  • (Windows 7) Uninstall Tablet PC Components
  • Disable Windows Error Reporting
  • Remove unnecessary boot applications (Quicktime, Real, Adobe Acrobat Updater, etc.).
  • Remove any unneeded Windows components and applications (Outlook Express, Messenger, Games, etc.)
  • Disable any unnecessary services
  • If you access the internet through a proxy, it is important to configure your golden master image with the correct proxy settings. It is recommended to refer to the operating system documentation for detailed instructions; a good starting point is http://technet.microsoft.com/en-us/library/cc985352.aspx.

File System

  • Disable NTFS "Last Accessed" option
    • fsutil behavior set disablelastaccess 1 (Requires reboot)
  • Disable Windows Prefetcher & Set the value to 0 (Disable)
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher];
  • Disable System Restore
    • Right Click "My Computer" -> Properties, -> "System Restore" tab and select "Turn off System Restore"
  • Disable Indexing
    • Double Click "My Computer, Right click on C:\ -> Properties -> Click "General" tab and clear "Allow Indexing Service to Index…"
  • Disable Offline Files
  • Disable scheduled or background Defrag
  • Disable Windows Search
  • Disable Windows Disk Optimizer
  • Adjust the disk timeout value
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk] "TimeOutValue"=REG_DWORD:0×000000be(190)
  • Use User Profile Hive Cleanup Service to help prevent profile corruption

Power Settings

  • Disable hibernation
  • Change power settings to "High Performance" and disable sleep timer
  • Set HDD’s to "Never" turn off
  • Open Control Panel -> Power Options -> Change Plan Settings -> Change Advanced power settings and set the "Turn off hard disks after" setting to Never
  • Disable the Logon Screen Saver
  • HKEY_USERS\.DEFAULT\Control Panel\Desktop
  • Edit ScreenSaverActive and change value to 0

Disable Notifications

  • Disable logging of informational Printing events
  • Open "Printers and Faxes", Click File-> Server Properties -> Advanced and clear "Log spooler informational events"
  • Disable Success Logging (login attempts, etc.)
  • Only do this if security policy allows it
  • Disable Toolbar Notifications
  • Disable the Windows XP Tour Notifier
  • Disable Balloon Tips
  • Shrink Event Logs and enable circular logging (registry keys)
  • Disable Desktop Cleanup Wizard

Browser/Internet Explorer

  • Upgrade to the latest browser version.
  • Disable "Use Suggested Sites"
  • Set the default home page to your Intranet site, or blank, or something lightweight
  • Change IE to prevent programs from suggesting a change of the search provider
  • Remove Webslice gallery and suggested sites from Toolbars on IE
  • Add "trusted sites" as necessary
  • Shrink the IE Temp File size
  • Adjust browser cache size to lowest useful setting

Common Applications

  • Install Adobe Flash Player (turning off automatic updates)
  • Install Adobe Reader and set to "Do not download or install updates automatically"
  • Turn Java Updater off
  • Remove MS OneNote tray service (if installed)
  • Turn off Outlook Cached Mode
  • Remove the Language Bar
  • Regsvr32.exe /u msutb.dll
  • install a more efficient browser than Internet Explorer (e.g., Google Chrome) and set this as the default browser.

General OS Environment

  • Set Pagefile to static size
  • Change the default Windows Theme to "Basic"
  • Adjust visual effects for "Best Performance"
  • Enable ClearType Fonts
  • Turn off Windows Security Center
  • Turn off Automatic Computer Maintenance
  • Disable "Allow users to browse for troubleshooters"
  • Disable "Allow troubleshooting to begin immediately when started"

Network Optimizations

  • Install, setup and test your printers
  • Disable NetBIOS over TCP/IP
  • Disable IPv6
  • Add any necessary DNS suffixes
  • Add any necessary HOSTS entries for "custom" applications
  • Disable Automatic Searching of Network Printers and Shares
  • DHCP: Adjust default lease time

Final Cleanup

  • Optimize the Registry
    • RegScrub.exe – Registry Cleaner
    • NTRegOpt.exe – Registry Optimizer, removing "white" space in registry
  • Run disk cleanup
  • Defrag the HDD
  • Delete all event logs
  • Make the User profile the Default Profile
  • (Windows 7) ensure KMS server is enabled
  • Make sure Floppy and CD-ROM drives are set to "Client Device" and not set to "Connect at Power On"

Antivirus (AV)

  • When using "locked" clones AV may not be required
  • If you are using AV, avoid running AV scans concurrently
    • Full systems scans cause major performance impacts
    • Stagger full systems scans (when full system scans are a corporate standard)
    • Schedule any full system scans to run at night when no one is using the system.

User Data

  • Use folder redirection for My Documents potentially even to a Network Attached Storage (NAS)
  • Easier to use existing file archival system, maintain multiple file versions
  • Evaluate Profile Management Applications
  • Turn off Outlook/thunderbird Cached Mode (VMs that are on same high speed network as your mail server don’t benefit as much from cached mode). This will save on disk space and conserve storage IOPS.

Services

Recommended Setting Background Explanation
Disable "Background Intelligent Transfer Service" This service uses idle network bandwidth to fetch updates for the system, like Windows Update. As we will disable these other services that rely on BITS, we can disable BITS.
Disable "Desktop Windows Manager Session Manager" This service is responsible for Windows 7 Aero theme. Turning this off typically improves performance.
Disable "Function Discovery Resource Publication" This service publishes each computer's information onto the network so peers can discover them. This functionality is typically not required in most environments. If you do not require this functionality we suggest disabling it.
Disable "HomeGroup listener" and "HomeGroup provider" This is responsible for HomeGroup membership. As the virtual Windows 7 desktops will most likely be in a domain model, the homegroup functionality is not required.
Disable "Indexing Service" The Indexing Service creates an index of local and remote files to allow for faster searching. As this information is created and stored locally. If you are using locked clones these indexes will be destroyed upon each reboot due to the read-only configuration of the locked clone. That means each reboot will start with a blank index. Disabling this service will improve scalability but will results in a slightly degraded user experience when they perform searches.
Disable Offline Files Responsible for management and maintenance and synchronization of offline files. If your host PC/Server is online, there is little need for Offline File support.
Disable "Security Center" Disabling the Security center will eliminate reporting of issues with antivirus, malware or firewall configurations. Since many of these items are being disabled or modified, disabling this service eliminates these messages being displayed to (and potentially annoying) your users.
Disable "SuperFetch" SuperFetch tries to improve system performance over time by “learning” the typical user activity. In locked clones this information is deleted on each reboot hence provides little value.
Disable "System Restore" The System Restore service creates system snapshots and restore points. This functionality is unneeded as the virtual desktop is based on a golden, read-only (locked) image. Disabling System Restore will save disk space and CPU time.
Disable "Themes" Themes allows users to manage the themes (including backgrounds, sounds and visual effects, etc.). This service take resources and will impact overall scalability. We recommend disabling this unless you want user to be able to personalize their environment.
Disable "Windows Defender" Assuming you have your own anti-malware solution, it makes sense to disable the integrated windows service.
Disable "Windows Media Player Sharing Service" Unless users will be sharing items to other users via Media Player, this service can be disabled.
Disable "Windows Search" Disabling Windows Search will improve scalability, however many applications rely on this service. Disabling the service might result in failed searches or longer user wait-times for search results.
Disable "Windows Error Reporting" Administrative Templates – Windows Components – Windows Error Reporting
  • Generates application crash dumps to be sent to Microsoft. Should be safe to disable unless troubleshooting application.
Disable "Automatic Updates" Administrative Templates – Windows Components – Windows Updates
  • Windows updates should only be done on the base desktop image and not by users.
Disable "System Restore" Administrative templates – System – System Restore
  • Not needed due to the nature of desktop virtualization and single image management.
Disable Screensaver

Utilizing complex screen savers wastes resources. Instead, the blank screen saver should be used to secure the environment without impacting resources. Administrative Templates – Control Panel – Personalization

  • Enable screen saver: Enabled
  • Prevent changing screen saver: Enabled
  • Password protect screen saver: Enabled
  • Screen saver timeout: Enabled – 600 seconds
  • Force specific screen saver: Enabled – scrnsave.scr


Force Offscreen Composition for Internet Explorer

Overcomes a potential screen flicker issue for certain websites. [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Force Offscreen Composition"=dword:00000001


Reduce Menu Show Delay

Reduces the delay Windows sets for menus. Provides better user experience.

[HKEY_CURRENT_USER\Control Panel\Desktop] 

"MenuShowDelay"="150"

Disable all Visual Effects except "Use common tasks in folders" and "Use visual styles on windows and buttons"

Provides a better user experience. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects] "VisualFXSetting"=dword:00000003 [HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics] "MinAnimate"="0" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "ListviewAlphaSelect"=dword:00000000 "TaskbarAnimations"=dword:00000000 "ListviewWatermark"=dword:00000000 "ListviewShadow"=dword:00000000 [HKEY_CURRENT_USER\Control Panel\Desktop] "DragFullWindows"="0" "FontSmoothing"="0" "UserPreferencesMask"=binary:90,12,01,80 ,10,00,00,00

Note: The UserPreferenceMask changes based on the settings selected in the System Properties – Performance Options configuration page.

Disable Boot Animation

Disabling the animation, saves resources and can speeds up the boot process.

  • bcdedit /set bootux disabled
Remove unused Windows components

These items are typically not be used in most zero client environments.

  • Windows Media Center
  • DVD Maker
  • Tablet Components
Set Min & Max Page file values to the same Keeping the pagefile at a single size prevents the system from expanding, which creates a significant amount of IO.
Optimize Antivirus Decide your A/V strategy. Configure antivirus to scan writes and disable the scheduled scans. The base image should be scanned before being deployed within production. should be done after completing all other optimizations.
Disk Cleanup Removes unnecessary files and can save disk space (depending on your VM cloning strategy)
Defragmentation Defragmenting your disk should be done before cloning your Golden Mater Image to ensure the disk is optimized. Note: this step should be done as a final step after completing all other optimizations.


Recommended Windows Registry Modifications

Configuration Optimizer Registry Modification (in REG format)
Disable Last Access Timestamp Yes [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem] "NtfsDisableLastAccessUpdate"=dword:00000001
Disable Large Send Offload No [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BNNS\Parameters]"EnableOffload"=dword:00000000
Disable TCP/IP Offload No [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]"DisableTaskOffload"=dword:00000001
Increase Service Startup Timeout No [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control] "ServicesPipeTimeout"=dword:0002bf20
Hide Hard Error Messages No [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows] "ErrorMode"=dword:00000002
Disable CIFS Change Notifications No [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]"NoRemoteRecursiveEvents"=dword:00000001
Disable Logon Screensaver No [HKEY_USERS\.DEFAULT\Control Panel\Desktop]"ScreenSaveActive"="0"
Disable Clear Page File at Shutdown Yes HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]"ClearPageFileAtShutdown"=dword:00000000
Disable Offline Files Yes [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache]"Enabled"=dword:00000000
Disable Background Defragmentation Yes [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction] "Enable"="N"
Disable Background Layout Service Yes [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]"EnableAutoLayout"=dword:00000000
Disable Bug Check Memory Dump Yes [HKLM\SYSTEM\CurrentControlSet\Control\CrashControl]"CrashDumpEnabled"=dword:00000000"LogEvent"=dword:00000000"SendAlert"=dword:00000000
Disable Hibernation Yes [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power]"Heuristics"=hex:05,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,3f,42,0f,00
Disable Memory Dumps Yes [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]"CrashDumpEnabled"=dword:00000000"LogEvent"=dword:00000000 "SendAlert"=dword:00000000
Disable Mach. Acct. Password Changes Yes [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]"DisablePasswordChange"=dword:00000001
Redirect Event Logs No HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application]"File"="D:\EventLogs\Application.evtx"[HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security]"File"="D:\EventLogs\Security.evtx"[HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System]"File"="D:\EventLogs\System.evtx"
Reduce Event Log Size to 64K Yes HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application]"MaxSize"=dword:00010000[HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security]"MaxSize"=dword:00010000[HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System]"MaxSize"=dword:00010000

Windows 7 Specific Config Settings

Parameter Comment
Guest Operating System Microsoft Windows 7 (32-bit or 64-bit)
SCSI Controller LSI Logic SAS or Parallel
Hard Disk Disks for Templates or parent virtual machines can utilize Thin Provisioning
Floppy Remove the floppy drive
CD/DVD Suggest to turn this off unless you want to give users access to the CD drive of the host PC/Server.


Memory Specs 32-bit, 1 – 3GB (no more than 3GB); 64-bit, 1 – 4GB (depends on use case)
Bios - Disable Ports Go to the Options tab of virtual machine properties and select force entry into bios to disable unnecessary LPT and COM ports

Windows 7 Services Parameters Table

Service Default State Comments
BitLocker Drive Encryption Service Manual Disable Not recommended to encrypt VDI virtual machines
Block Level Backup Engine Service Manual Disable Leveraged for backing up data on a workstation
Desktop Window Manager Session Manager Auto Disable Disable if Aero is not necessary / desired
Disk Defragmenter Manual Disable Provides disk defragmenting services for hard drives and can impact performance if run on a virtual machine
Diagnostic Policy Service Auto Disable Problem detection and troubleshooting resolution
Home Group Listener Manual Disable Leveraged for Home Networking
Home Group Provider Manual Disable Leveraged for Home Networking
IP Helper Auto Disable Disable if IPv6 is not leveraged
Microsoft iSCSI Initiator Service Manual Disable Not needed for virtual machines
Microsoft Software Shadow Copy Provider Manual Disable/Enable Disable if you are not using System Restore.
Secure Socket Tunneling Protocol Service Manual Disable Used to provide VPN capability
Security Center Auto Disable Monitors configuration of security-related services
Superfetch Auto Disable Loads applications into memory for faster reload over time. Non-persistent virtual machines will likely not benefit from this setting being enabled. Full testing is recommended to determine the optimum setting for this service.
Tablet PC Input Service Manual Disable Table PC Services
Themes Auto Disable Only if you want to run as “Classic” interface (no “Orb” for start button)
UPnP Host Service Manual Disable Dependent on SSDP Service
Volume Shadow Copy Service Manual Disable/Enable Disable if you are not using System Restore.
Windows Backup Manual Disable Backs up workstation data
Windows Defender Auto Disable Disable if Anti Spyware / Malware isn’t needed
Windows Error Reporting Service Manual Disable Windows Error Reporting
Windows Firewall Auto Disable Disable unless you are setting exceptions using GPO
Windows Media Center Receiver Service Manual Disable Used by Media Center
Windows Media Center Scheduler Service Manual Disable Used by Media Center
Windows Search Auto Disable Disable if you are not doing a lot of searching on a virtual machine
Windows Update Auto Disable Disable unless needed for updates
WLAN AutoConfig Manual Disable Wireless LAN Configuration
WWAN AutoConfig Manual Disable Used for Mobile Broadband Devices
Offline Files Manual Disable Used for maintenance of Offline Files cache
SSDP Discovery Manual Disable Used to discover UPNP Devices

Windows 7 Group Policy Table

Policy Policy Location Settings
Action Center Icon Removal User Configuration > Administrative Templates > Start Menu and Taskbar
  • Remove the Action Center icon = Enabled
Event Logs Computer Configuration > Administrative Templates > Event Log Service > Specific Event Log
  • Maximum application log size = 1024
  • Maximum security log size = 1024
  • Maximum system log size = 1024

Note: If you are attempting to set the Security log size to 1024 via this Group Policy setting, you are restricted to 20480 unless you set this using the previous Group Policy Setting valid for Windows XP SP2 and Server 2003 and above located here ? Computer Configuration > Windows Settings > Security Settings > Event Log

Firewall Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties
  • Firewall State = On (Recommended), or Off

Note: If the Windows Firewall Service is Disabled, this is not necessary

Internet Explorer Settings (cache) User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
  • Empty Temporary Internet Files folder when browser is closed = Enabled
Internet Explorer Settings (first run wizard) Computer Configuration > Administrative Templates > Windows Components > Internet Explorer
  • Prevent performance of First Run Customize settings = Enabled
Recycle Bin User Configuration > Administrative Templates > Windows Components > Windows Explorer
  • Do not move deleted files to the recycle bin = Enabled
Remote Desktop Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
  • Enables users to connect remotely using Remote Desktop Services = Enabled
Remote Desktop Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
  • Require user authentication for remote connections by using Network Level Authentication = Enabled
RSS Feeds User Configuration > Administrative Templates > Windows Components > RSS Feeds
  • Turn off background sync for feeds and Web Slices = Enabled
*Screen Saver User Configuration > Administrative Templates > Control Panel > Personalization
  • Password protect the screen saver = Enabled
  • Screen saver timeout = 600
  • Force specific screen saver = %windir%\system32\scrnsave.scr
System Restore Computer Configuration > Administrative Templates > System > System Restore
  • Turn off System Restore = Enabled
User Access Control Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting
  • User Account Control: Detect application installations and prompt for elevation = Disabled
  • User Account Control: Only elevate UIAccess applications that are installed in secure locations = Disabled
  • User Account Control: Run all administrators in Admin Approval Mode = Disabled
Wallpaper User Configuration > Administrative Templates > Desktop > Desktop
  • Desktop Wallpaper = “ ”

Note: A “space” is required to set the wallpaper to none in the above setting. Optionally, setting to a file that does not exist will actually prevent a user from setting wallpaper at all.

Windows Defender Computer Configuration > Administrative Templates > Windows Components > Windows Defender
  • Turn off Windows Defender = Enabled
Windows Sideshow Computer Configuration > Administrative Templates > Windows Components > Windows Sideshow
  • Turn off Windows Sideshow = Enabled
*Windows Update Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings
  • Turn Off Access to All Windows Update Features = Enabled
  • Turn off Windows Update Device Driver Searching = Enabled

Note: If the Windows Update Service is Disabled, this is not necessary

Windows 7 Customizations Available Using the Registry

Computer (Local Machine) Settings

Windows Registry Editor Version 5.00

;Disables First Run Wizard for Internet Explorer

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main]

“DisableFirstRunCustomize”=dword:00000001

;Disables Windows Update

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]

“NoAutoUpdate”=dword:00000001

;Disables System Restore

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

“DisableSR”=dword:00000001

;Sets size and retention for Event Logs to 1 MB and no retention

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application]

“MaxSize”=dword:00100000

“Retention”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security

“MaxSize”=dword:00100000

“Retention”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System]

“MaxSize”=dword:00100000

“Retention”=dword:00000000

;Disables the crash dump file

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]

“CrashDumpEnabled”=dword:00000000

;Removes the option to store files in the recycle bin and deletes them immediately

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]

“NoRecycleFiles”=dword:00000001

;Allows RDP to be used – ensure firewall is configured or turned off

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]

“fDenyTSConnections”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\

RDP-Tcp]

“UserAuthentication”=dword:00000000

;Disables User Access Control (UAC)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

“EnableLUA”=dword:00000000

;Set Superfetch for boot files only

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory

Management\PrefetchParameters]

“EnableSuperfetch”=dword:00000000

;Turn off Default Network Location Dialogue

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\

NewNetworkWindowOff]

; Extend Disk Time-Out Value to 200

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]

“TimeOutValue”=dword:000000c8

[HKEY_LOCAL_MACHINE\SOFTWARE\Image]

“Revision”=”1.0”

“Virtual”=”Yes”

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sideshow]

“Disabled”=dword:00000001

User (Default User) SettingsWindows Registry Editor Version 5.00
;Sets the screensaver default to “blank”, timeout 10 mins, protected

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]

“SCRNSAVE.EXE”=”%windir%\\system32\\scrnsave.scr”

“ScreenSaveTimeOut”=”600”

“ScreenSaverIsSecure”=”1”

;Sets default wallpaper to nothing

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

“Wallpaper”=””

;Ensures that temporary internet files are always purged

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]

“Persistent”=dword:00000000

;Hide the Action Center Task Tray Icon

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

“HideSCAHealth”=dword:00000001

;Disable RSS Feeds for Internet

[HKEY_CURRENT_USER\Software\Microsoft\Feeds]

“SyncStatus”=dword:00000000




Customizations Reference

Type Description Status Method Hive
Customization Action Center Icon Disable GPO, Registry HKCU
Customization Set Boot to “No GUI” Disable Command Line HKLM
Customization Crash Dump Disable Registry HKLM
Customization Disk Timeout Value Modify Registry HKLM
Customization Event Logs Modify GPO, Registry HKLM
Customization Hibernation Disable Command Line HKLM
Customization IE Cache Disable GPO, Registry HKCU
Customization IE First Run Wizard Disable GPO, Registry HKLM
Customization IE RSS Feeds Disable GPO, Registry HKCU
Customization Image Revision Modify/Create Registry HKLM
Customization Last Access Timestamp Modify Command Line HKLM
Customization Network Location Dialogue Modify Registry HKLM
Customization Recycle Bin Disable Deleted File Retention GPO, Registry HKLM
Customization Registry Idle Backup Disable Command Line HKLM
Customization Screensaver Enable and Configure GPO, Registry HKCU
Customization Wallpaper Disable GPO, Registry HKCU
Customization WinSAT (Windows System Assessment Tool) Disable Command Line HKLM
Feature User Access Control Turn off or Configure GPO, Registry HKLM
Feature Windows Sideshow Disable GPO, Registry HKLM
Feature/Service System Restore Disable GPO, Registry, Services, Command Line HKLM
Windows Service *Desktop Window Manager Session Manager Disable Services HKLM
Windows Service *IP Helper Disable Services HKLM
Windows Service *Superfetch Disable Registry, Services HKLM
Windows Service *Themes Disable Services HKLM
Windows Service *Windows Defender Disable GPO, Services, Command Line HKLM
Windows Service Tablet PC Input Services HKLM
Windows Service *Windows Firewall Configure/Disable GPO, Services, Command Line HKLM
Windows Service BitLocker Drive Encryption Service Disable Services HKLM
Windows Service Block Level Backup Engine Service Disable Services HKLM
Windows Service Diagnostic Policy Service Disable Services HKLM
Windows Service Disk Defragmenter Disable Services, Command Line HKLM
Windows Service Home Group Listener Disable Services HKLM
Windows Service Home Group Provider Disable Services HKLM
Windows Service Microsoft iSCSI Initiator Service Disable Services HKLM
Windows Service Microsoft Software Shadow Copy Provider Disable/Enable for Persona Management Services HKLM
Windows Service Offline Files Disable Services HKLM
Windows Service Remote Desktop Enable GPO, Registry, Services HKLM
Windows Service Secure Socket Tunneling Protocol Service Disable Services HKLM
Windows Service Security Center Disable Services HKLM
Windows Service SSDP Discovery Disable Services HKLM
Windows Service Volume Shadow Copy Service Disable/Enable for Persona Management Services HKLM
Windows Service Windows Backup Disable Services HKLM
Windows Service Windows Error Reporting Service Disable Services HKLM
Windows Service Windows Media Center Receiver Service Disable Services HKLM
Windows Service Windows Media Center Scheduler Service Disable Services HKLM
Windows Service Windows Search Disable Services HKLM
Windows Service Windows Update Disable GPO, Registry, Services HKLM
Windows Service WLAN AutoConfig Disable Services HKLM
Windows Service WWAN AutoConfig Disable Services HKLM