We just had a nightmare setup with Trend Micro Deep Security w/ VShield. It's agent-less and increased our end users login time by 5 to 10 mins. UEM ended up being the cause and they suggested whitelisting the UNC paths that the profiles are stored on. This would also white-list the very files we want to scan. Anyways we are on the hunt again. Would like to know what everyone else is using. We are on Horizon 7 with Non-persistent floating desktops and UEM 9 is doing the folder redirect. Our golden now is Windows 8.1 but we are testing 10.
Thanks so much,
Joseph
Hi MSDS
We also have a Win10 floating VDI environment (Horizon 7) and use UEM for user settings sync. We have Symantec Endpoint Protection 12.1.7061 natively installed in the master image. But for that, we had to do several optimizations:
- Disabled Windows Defender in master image
- After SEP12 installation, automated SEP Patterns update
- Virtual Image Exception: About the Symantec Virtual Image Exception tool
- Prepare master image with ClientSideClonePrepTool.exe for cloning: How to prepare a Endpoint Protection client for cloning
- Individual patterns for more than 100 days (about 50GB storage on the symantec endpoint protection server)
General optimization for master images
- VMware OS Optimization Tool: VMware OS Optimization Tool
As example:
:: ***********************************************************
:: VMware OS Optimization Tool (OSOT)
:: ***********************************************************
SET "SourceDir=%~dp0"
:: create folders (skip if they already exist)
if not exist "%ALLUSERSPROFILE%\VMware\OSOT\VMware Templates" md "%ALLUSERSPROFILE%\VMware\OSOT\VMware Templates"
if not exist "%temp%\OSOT" md "%temp%\OSOT"
:: Generate report before optimize
start "before" /WAIT "%SourceDir%VMwareOSOptimizationTool_b1084.exe" -t "%SourceDir%Windows10_1.4.xml" -r %temp%\OSOT\
:: Optimize mandatory settings
start "mandatory" /WAIT "%SourceDir%VMwareOSOptimizationTool_b1084.exe" -o mandatory -t "%SourceDir%Windows10_1.4.xml" -v
:: Optimize recommended settings
start "recommended" /WAIT "%SourceDir%VMwareOSOptimizationTool_b1084.exe" -o recommended -t "%SourceDir%Windows10_1.4.xml" -v
:: Generate report after optimize
start "after" /WAIT "%SourceDir%VMwareOSOptimizationTool_b1084.exe" -t "%SourceDir%Windows10_1.4.xml" -r %temp%\OSOT\
- Remove AppX
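:: Copy the script locally and run it with Bypass for this one process only.
:: -ExecutionPolicy must come before -File: everything after -File is passed to the script as its arguments.
:: This avoids a machine-wide Set-ExecutionPolicy that would stay in the master image.
xcopy /Y "%SourceDir%Remove_AppxProvisionedPackage.ps1" C:\Temp\
powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Temp\Remove_AppxProvisionedPackage.ps1"
del /F /Q "C:\Temp\Remove_AppxProvisionedPackage.ps1"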
Remove_AppxProvisionedPackage.ps1
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.3DBuilder*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.BingWeather*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.Getstarted*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.Messaging*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.MicrosoftOfficeHub*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.MicrosoftSolitaireCollection*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.Office.OneNote*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.OneConnect*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.People*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.SkypeApp*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.StorePurchaseApp*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.WindowsAlarms*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.WindowsCamera*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*microsoft.windowscommunicationsapps*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.WindowsFeedbackHub*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.WindowsMaps*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.WindowsSoundRecorder*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.WindowsStore*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.XboxApp*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.XboxIdentityProvider*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.ZuneMusic*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.ZuneVideo*"} | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like "*Microsoft.Windows.Photos*"} | Remove-AppxProvisionedPackage -Online
- Optimize .net
:: ***********************************************************
:: Optimize .net
:: ***********************************************************
start "opti" /WAIT "%windir%\Microsoft.NET\Framework\v2.0.50727\ngen.exe" executeQueuedItems
start "opti" /WAIT "%windir%\Microsoft.NET\Framework64\v2.0.50727\ngen.exe" executeQueuedItems
start "opti" /WAIT "%windir%\Microsoft.NET\Framework\v4.0.30319\ngen.exe" executeQueuedItems
start "opti" /WAIT "%windir%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" executeQueuedItems
- winsat
:: ***********************************************************
:: winsat
:: ***********************************************************
start "optiwinsat" /WAIT cmd.exe /c winsat formal
- clean up
:: ***********************************************************
:: Delete any existing shadow copies
:: ***********************************************************
vssadmin delete shadows /All /Quiet
:: ***********************************************************
:: delete files in c:\Windows\SoftwareDistribution\Download\
:: ***********************************************************
del %windir%\SoftwareDistribution\Download\*.* /f /s /q
:: ***********************************************************
:: delete hidden install files
:: ***********************************************************
del %windir%\$NT* /f /s /q /a:h
:: ***********************************************************
:: delete prefetch files
:: ***********************************************************
del %windir%\Prefetch\*.* /f /s /q
:: ***********************************************************
:: Defragment the VM disk
:: ***********************************************************
sc config defragsvc start= auto
net start defragsvc
defrag c: /U /V
net stop defragsvc
sc config defragsvc start= disabled
UEM
- Do not set the default Windows Settings "Active Setup", because this prevents all Active Setups from running at logon. For a roaming profile, that will work, but not for UEM only. The user in a floating pool has a "first logon" at every logon. UEM syncs the Active Setup user registry. In Win10, the user will not have any user shell folders. Don't do that 🙂
Mandatory profiles
VMware recommends UEM with mandatory profiles: Creating a mandatory profile for use with VMware User Environment Manager (2127778) | VMware KB
But don't create a mandatory profile the way VMware describes it! Take a look at the Microsoft KB: Create mandatory user profiles (Windows 10)
Then we have a logon time of about 30-40 seconds.
Good luck,
Tschuegy
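A pre-seal audit for the master-image steps in the post above, as an added example that is not part of the original post or the poster's scripts: it checks that the build left no machine-wide Bypass execution policy, staged script, enabled defrag service or listed AppX package behind, and that an AV client is installed now that Defender is disabled. The function name `Test-GoldenImage`, the pass/fail rules and the `SepMasterService` service name are assumptions.

```powershell
# Added example (not from the thread): audit a master image before sealing it.
# Run elevated inside the image. Values marked "assumed" are not from the post.
function Test-GoldenImage {
    param(
        # Packages the build is expected to have removed (subset of the post's list).
        [string[]]$RemovedApps = @('Microsoft.3DBuilder', 'Microsoft.SkypeApp',
                                   'Microsoft.XboxApp', 'Microsoft.ZuneVideo'),
        # Assumed service name of the installed AV client; change it for your product.
        [string]$AvService = 'SepMasterService'
    )
    $findings = @()

    # 1. A machine-wide Bypass/Unrestricted policy would be cloned into every desktop.
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    if ($policy -in 'Bypass', 'Unrestricted') {
        $findings += "LocalMachine execution policy is $policy"
    }

    # 2. The staged removal script should not be left behind in the image.
    if (Test-Path 'C:\Temp\Remove_AppxProvisionedPackage.ps1') {
        $findings += 'Staged script still present in C:\Temp'
    }

    # 3. The clean-up step disables defragsvc again after the one-off defrag.
    $defrag = Get-CimInstance Win32_Service -Filter "Name='defragsvc'"
    if ($defrag -and $defrag.StartMode -ne 'Disabled') {
        $findings += "defragsvc start mode is $($defrag.StartMode)"
    }

    # 4. Removed AppX packages must no longer be provisioned for new users.
    $provisioned = (Get-AppxProvisionedPackage -Online).PackageName
    foreach ($app in $RemovedApps) {
        if ($provisioned -like "*$app*") { $findings += "AppX still provisioned: $app" }
    }

    # 5. Defender was disabled on purpose, so a replacement AV client must be installed.
    $av = Get-Service -Name $AvService -ErrorAction SilentlyContinue
    if (-not $av) {
        $findings += "AV service '$AvService' not found"
    }

    return $findings
}

$result = Test-GoldenImage
if ($result) { $result | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Golden image checks passed'
```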
Trend Micro is still a pretty popular option for server and Horizon workloads. As part of the troubleshooting, did they have you try to swap out the vShield drivers in VMware Tools? I've run into two situations where Trend was causing big performance problems, but it turned out to be a vShield problem instead. Backing out the vsepflt.sys to an earlier version has resolved those problems in those cases. What version of vSphere and what build number are your tools?
I just finished a troubleshooting session of a couple of days, where in the end, Trend Micro Deep Security also in combination with UEM caused logoffs to hang.
Here are the official guidelines for the exclusions needed for UEM and antivirus. Maybe this will help you:
Imports and exports in VMware User Environment Manager are slow (2113665) | VMware KB
Assuming the UNC paths point to a file server with its own AV already, you shouldn't be worried about white-listing those paths to stop your desktop AV from scanning them. Also, once UEM has imported the profile it will be in an area that is protected.
We are using McAfee MOVE with Win10, not tested with UEM yet.
I would recommend reading this:
Bryan
Better use these 2 blog posts to create a mandatory profile:
VMware User Environment Manager, Part 1: Easier, Faster Windows Logins with Mandatory Profiles: https://blogs.vmware.com/euc/2017/01/vmware-user-environment-manager-mandatory-profiles-part-1.html
VMware User Environment Manager, Part 2: Complementing Mandatory Profiles with VMware User Environment Manager: https://blogs.vmware.com/euc/2017/01/vmware-user-environment-manager-mandatory-profiles-part-2.html