cbaptiste
Hot Shot

Login Time

What is your login time with Windows 10 1909?

0 Kudos
18 Replies
jonathanjabez
Hot Shot

Hi,

On average, we see the login takes approx. 10-15 seconds. However, the login takes up to 30 secs when using DEM and App Volumes Appstack/Writable volume.

/Jon.

0 Kudos
cbaptiste
Hot Shot

I used to get the same results you have with 1809 and older. Nothing has changed other than the OS in our environment, but now we are getting a 1 min login time. That's why I am asking to see what everyone else is getting. Thanks

0 Kudos
antonpaloka
Enthusiast

I'd like to add some variables to your logon time question.

What is the size of the UEM profile folder for which you measured logon times?

How many Antivirus/Security agents do you have?

My Logon times are 2 minutes

My uemprofile folder for this test is 70MB

We have 4 Security Agents

0 Kudos
LukaszDziwisz
Hot Shot

By any chance can you tell what Security products you have?

0 Kudos
cbaptiste
Hot Shot

I currently have McAfee DLP and CrowdStrike.

0 Kudos
sjesse
Leadership

0 Kudos
antonpaloka
Enthusiast

@sjesse That article does not list the FLX###.tmp files, which just based on their location and actions (appdata\local\temp and extracts to other folders in users appdata) should be flagged by any current security solution.

0 Kudos
antonpaloka
Enthusiast

@LukaszDziwisz 

Carbon Black Defense, Carbon Black Protect, CyberArk EPM, Forcepoint DLP

POC with CrowdStrike

0 Kudos
LukaszDziwisz
Hot Shot

That is exactly what we are seeing. We currently have Carbon Black App Control (formerly CB Protection), which adds roughly 25 seconds to our logon. Had multiple tickets opened with Support and they said that this is the best that they can do. However, now we are also adding CB Defense (CB Cloud) and it just doubles our logon times to roughly 120 seconds as well. I have multiple tickets opened with CB/VMware and so far there is no solution. I have an exclusion for FLX*.tmp in complete bypass mode and it just doesn't seem to work. Applying user Policy in the logon log skyrockets to 40-60 seconds, and we don't even use UEM very heavily, as we are using Writable Volumes Profile only to persist settings.

Our normal logon times for average user with 1 appstack and writable:

No security product: 15-22 seconds

Added CBP only - 45-55 seconds

Added CBP and CBC  - 120 +

0 Kudos
sjesse
Leadership

@DEMdev any input on what to do with the FLX temp files with antivirus software? The one I use doesn't seem to choke on them too much. I'm only on 1809 still, so I haven't been able to test 1909 yet.

0 Kudos
antonpaloka
Enthusiast

@LukaszDziwisz I see you have a thread on this, will join you there.

0 Kudos
LukaszDziwisz
Hot Shot

I'm here. What do you mean to join there? As for Windows version, we are on 1809 LTSC. Planning on going to SAC at some point in time but didn't have a chance to build an image for it yet.

0 Kudos
DEMdev
VMware Employee

Hi @sjesse,

> any input on what to do with the FLX temp files with antivirus software

I can only speak to DEM itself, I'm afraid. If you can exclude FLX*.TMP from your antivirus scans that would be beneficial, as the files will get their "real" names shortly after (and can then be picked up by a scan, if so required.)

0 Kudos
sjesse
Leadership

Thanks, I remember you mentioning something to them to me a while ago, but I can't find the post so figured I'd ask 🙂

0 Kudos
antonpaloka
Enthusiast

@DEMdev any discussion internally on changing the location/file extensions for that to be something less....scary? Asking security teams to exclude tmp files from appdata\local\temp location raises eyebrows.

0 Kudos
LukaszDziwisz
Hot Shot

It's not fully excluding tmp files. It was a solution recommended by CB support. That's why I'm saying that usually it is done with support due to different codes. With the 2094975 code you are excluding CB looking into writes and reads, but it is still fully monitoring executions. CB App Control is technically not an AV product, so things work differently with that.

0 Kudos
DEMdev
VMware Employee

Hi @antonpaloka,

> any discussion internally on changing the location/file extensions for that to be something less....scary?
> Asking security teams to exclude tmp files from appdata\local\temp location raises eyebrows.

AppData\Local\Temp\FLX*.tmp is "only" used for registry imports. All other files are extracted as FLX*.tmp into their real destination folder, and then renamed to their real name.

We could consider using another pattern/location/extension for the .REG import? I've also been debating an option to skip the intermediate FLX*.tmp files for non-.REG imports, and immediately write to the target file. Maybe that would help?

0 Kudos
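
A check that can be paired with the FLX*.TMP scan exclusion discussed in this thread (an added example, not code from VMware or from any poster): it lists FLX*.tmp files that were never renamed to their "real" name and so stay outside scanning. The search root and the 10-minute grace period are assumptions, not DEM settings.

```powershell
# Added example: report FLX*.tmp files that match the AV exclusion but were
# never renamed, so a scan keyed on the final file name would never see them.
param(
    [string]$Root = $env:USERPROFILE,   # assumption: audit the current user's profile
    [int]$MaxAgeMinutes = 10            # assumption: grace period after logon
)

function Get-StaleFlxTemp {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxAgeMinutes = 10
    )

    $cutoff = (Get-Date).AddMinutes(-$MaxAgeMinutes)

    # -Filter is evaluated by the file system and can also match 8.3 short names,
    # so the name is re-checked with -like to keep the match exact.
    Get-ChildItem -LiteralPath $Path -Filter 'FLX*.tmp' -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'FLX*.tmp' -and $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            # Hash the leftover so it can be checked or submitted for scanning.
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                                 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path       = $_.FullName
                # True for the location the thread says is used for registry imports.
                InUserTemp = $_.DirectoryName -like '*\AppData\Local\Temp*'
                SizeBytes  = $_.Length
                LastWrite  = $_.LastWriteTime
                SHA256     = $hash.Hash
            }
        }
}

Get-StaleFlxTemp -Path $Root -MaxAgeMinutes $MaxAgeMinutes |
    Sort-Object LastWrite |
    Format-Table -AutoSize
```

An empty result means every excluded temp file in the profile was renamed or removed within the grace period.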
onfire247
Enthusiast

My standard optimized gold takes about 15 seconds. Adding Trend Micro increases it to 25 seconds. Attaching the writable pushes the boot to 45 seconds. If I add Teams to autostart, or enable our homemade bloated Novell printer and drive mapping script, it pushes past a minute.

0 Kudos