My opinion on customization / Optimization / version selection of Windows VDA

2025-01-16 Update From: SLTechnology News&Howtos

When I work on desktop projects, many engineers ask me the same question: why do the desktops in some projects start up and log in so fast, and why do PPT and 3D perform better there than on mine, even though that hardware configuration is not as good as mine?

I believe every desktop engineer and technician has run into this kind of obvious end-user experience problem. It involves many technical areas: system optimization, link optimization, personal data access, AD integration, authentication and so on. Today I mainly want to talk about the Windows system itself, which every user and engineer works with in the virtual desktop. The VDA we're talking about today, or what we call virtual desktops / cloud desktops, is mainly about the "stuff" delivered to the end user, but it mostly involves back-end deliveries, policy configuration components, clients, and so on.

In today's virtual desktop market, Windows 7 is the most commonly used, followed by Windows Server 2008 R2/2012 R2, and Windows 10 is slowly beginning to be accepted.

In fact, no matter which version of the operating system is used, we must customize / optimize the VDA system before delivering it to the end user. Otherwise, in my opinion, this is disrespectful to customers and unprofessional.

Why do I say that? Anyone who knows a little about Windows knows that after every major version of Microsoft's Windows product comes out, hardly anyone puts the RTM version into production; people generally wait until after SP1 before it is gradually rolled out. People in Microsoft circles all know the joke: do you dare to use an MS product without SP1?

This also shows, from one side, how important Service Packs/hotfixes are to the stability of the system. Let's take a look at the release history of our commonly used Windows 7:

Microsoft officially released Windows 7 on October 22, 2009, and Windows 7 SP1 on February 22, 2011.

I did not realize it until I checked: Windows 7 has been out for 8 years, and the SP1 version is six and a half years old. You can feel for yourself how fast IT has changed in the past 10 years. If you put a Windows 7 SP1 published in 2011 into production today, do you think that is in keeping with the times?

Take the "WannaCry" ransomware outbreak last month: the most correct response was to install the MS17-010 patch in accordance with the requirements and recommendations of MS (for a description of this malware and protective measures, please see MS MVP Hao's write-up, "correct posture to resist the blackmail virus"). Many friends outside IT circles asked me why our IT people do not usually do this, if it is the simplest and most effective method. My reply at that time was: this is too low.

Haven't you noticed? These days companies that do IT are embarrassed to go out and meet people if they don't do cloud computing, big data, IoT and ML. Yet these basics of IT system maintenance are often ignored. In fact, Microsoft's patch update system can be said to be unique in the entire IT world, and other vendors are basically no match for it at this level.

# Some people may say that this is because the Windows system is poorly written, so it has many vulnerabilities. In fact, Linux, Mac and Android systems all have vulnerabilities too, and not a small number. Do not think that using a Mac or an iPhone lets you rest easy; what needs upgrading must be upgraded.

What changes can patches bring to the system:

Fixes for security vulnerabilities like the one described above. In a world where IT security is becoming more and more severe, this can be said to be one of the cheapest and most effective endpoint protection schemes.

Feature enhancements, including a lot that ordinary users may not notice, for example network performance, the root certificate chain, and optimization of specific transport protocols (such as SMB). These underlying changes are not obvious, but they significantly improve the end-user experience.

New features and new versions, such as .NET Framework upgrades; MS now also pushes hardware drivers.

Note: currently, Windows Update can push the Guest tools driver of XenServer 7.x.

So if we use Windows Update to update patches after a Windows 7 SP1 installation is complete, we will find that there are about 200 patches to install.

This is the accumulated enhancement of the various components over the years. It can be said that a Windows 7 SP1 with all patches installed today and the Windows 7 SP1 released back then are two very different products.

At this point some friends will say: if I really update a clean Windows 7 SP1, I may not finish for days, and downloading the patches is very slow. The reason is very simple: your system is too old, and its underlying components are too old. The Windows Update Agent that ships with Windows 7 SP1 no longer matches the current Windows Update system, so it enumerates patches very slowly (I once waited for 2 days; it brings tears just to talk about it). Therefore, in order to speed up this process, we need to manually install the following two patches on our system:

3020369

3172605

# Please install 3020369 first; 3020369 is the prerequisite patch for 3172605.

After these two patches are installed, Windows Update searches for and enumerates the patches that need to be installed very quickly, and the subsequent download speed depends on your Internet speed.

Of course, if there is management software such as WSUS/SCCM in the environment, it is easier to push the patches directly. Therefore, in an enterprise environment, administrators are strongly recommended to deploy such platforms. WSUS is a free component from MS, and it is simple and easy to use.
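The ordering rule above as a script, added here as an example and not taken from the original post: it checks for each KB with `Get-HotFix` and installs only what is missing, prerequisite first. The folder `C:\Patches` and the `.msu` file names are assumptions; it sticks to cmdlets available in the PowerShell 2.0 that ships with Windows 7 SP1.

```powershell
# Added example: install the two Windows Update Agent fixes in the required order.
# $PatchDir and the .msu file names are assumptions; use the packages you
# downloaded for your architecture. Without -Apply the script only reports.
param(
    [string]$PatchDir = 'C:\Patches',   # hypothetical folder
    [switch]$Apply
)

# Order matters: 3020369 is the prerequisite for 3172605.
$patches = @(
    @{ Id = 'KB3020369'; File = 'Windows6.1-KB3020369-x64.msu' },   # assumed file name
    @{ Id = 'KB3172605'; File = 'Windows6.1-KB3172605-x64.msu' }    # assumed file name
)

$rebootNeeded = $false
foreach ($p in $patches) {
    # Idempotent: skip anything the image already has.
    if (Get-HotFix -Id $p.Id -ErrorAction SilentlyContinue) {
        Write-Output "$($p.Id): already installed"
        continue
    }
    $msu = Join-Path $PatchDir $p.File
    if (-not $Apply) { Write-Output "$($p.Id): missing, would install $msu"; continue }
    if (-not (Test-Path $msu)) { throw "$($p.Id): package not found at $msu" }

    $proc = Start-Process -FilePath wusa.exe `
        -ArgumentList "`"$msu`"", '/quiet', '/norestart' -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Output "$($p.Id): installed" }
        3010    { Write-Output "$($p.Id): installed, reboot required"; $rebootNeeded = $true }
        2359302 { Write-Output "$($p.Id): already installed" }
        # Stop here so a later patch is never attempted without its prerequisite.
        default { throw "$($p.Id): wusa.exe failed with exit code $($proc.ExitCode)" }
    }
}
if ($rebootNeeded) { Write-Output 'Restart the image before running Windows Update.' }
```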

Patching, however, is only the foundation; next we need to optimize the Windows system. It is optimization (there is no such thing as acceleration). In my opinion, a more accurate description is "tailoring" the Windows system, which means removing, disabling and adjusting the components, services and policies that Windows does not need in a virtual desktop system.

There is no standard set of values for this work; much of it is adjusted and optimized continually based on each customer's applications. What follows is just a list from personal experience.

Personally, my basic image will do the following:

Add/remove components: remove all components except .NET Framework 3.5 and IE

Set the Pagefile size (especially in scenarios with more than 4G physical memory)

Disable services that are not necessary

Disable scheduled tasks that are not necessary

Disable special effects, including Aero, mouse effects, etc.

Disabling services and scheduled tasks is really a skilled job. In the past, this had to be set by experience or by referring to some KB articles. I used to use a PSH script to get the job done. Now Citrix provides a VDA image optimization tool called Citrix Optimizer, which is very convenient for our front-line staff to use. (I've been waiting for this for a long time.)

https://support.citrix.com/article/CTX224676

Currently this tool supports Windows 7, 10, Server 2012 and 2016. It comes with relevant templates by default, and I believe it will be improved and better supported in the future.

# The tool is not a panacea; please adjust it according to the actual situation.
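A report-first version of the service and scheduled-task step from the list above, added here as an example; it is not the author's script and not part of Citrix Optimizer. The service and task names are illustrative assumptions to be replaced with your own list, and `schtasks.exe` is used because the ScheduledTasks cmdlets are not available on Windows 7.

```powershell
# Added example: report-first tailoring of services and scheduled tasks on a
# master image. The names below are illustrative assumptions, not the author's
# list; edit them for your applications. Nothing changes unless -Apply is given.
param([switch]$Apply)

$services = @('WSearch', 'SysMain', 'defragsvc')             # assumed candidates
$tasks    = @('\Microsoft\Windows\Defrag\ScheduledDefrag')   # assumed candidate

foreach ($name in $services) {
    # Win32_Service exposes StartMode; Get-Service on PowerShell 2.0 does not.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Output "service ${name}: not present"; continue }
    Write-Output "service ${name}: StartMode=$($svc.StartMode) State=$($svc.State)"
    if ($svc.StartMode -eq 'Disabled') { continue }
    if (-not $Apply) { Write-Output "service ${name}: would disable"; continue }
    if ($svc.State -eq 'Running') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    Write-Output "service ${name}: disabled"
}

foreach ($task in $tasks) {
    # A non-zero exit code from /Query means the task does not exist on this image.
    schtasks.exe /Query /TN $task 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Output "task ${task}: not present"; continue }
    if (-not $Apply) { Write-Output "task ${task}: present, would disable"; continue }
    schtasks.exe /Change /TN $task /Disable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "task ${task}: schtasks /Change failed" }
    Write-Output "task ${task}: disabled"
}
```

Run it once without `-Apply` on the master image and review the report before making any change.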

Once this is done, the VDA master image is ready to be delivered for regular use. But we all know that in general we give users Administrator, that is, administrator privileges. In any system, once users hold system administrator authority, control becomes very difficult. Why does everyone say that Linux is stable? One very important reason is that, in the Linux design, users by default do not have root, that is, super-administrator authority, so the core system is not affected by the various operations on the user side, which reduces system instability.

In the Windows system, however, whether you look at the design logic of the system, users' habits or the characteristics of applications, it is very difficult for us not to give users Administrators authority. As a result, virtual desktops stop working properly because of user mistakes and application interference. For example, some users modify their own IP address, delete some desktop agents, arbitrarily modify system variables, and so on.

In the past, restricting what users could do generally required GPO, but for many people with a non-MS background this is too complicated.

So Citrix offers WEM (Workspace Environment Management) to configure the system environment.

For example, I set restrictions so that users cannot use the Windows Update and Help features.

# Patches should be installed before the desktop is delivered to the user, rather than letting users install various patches themselves.

Restrict users from using the Control Panel or specific components in it.

In this way, even when users are given super-administrator privileges, you can still control them reasonably: they can use the entire desktop, and the customized system is the one best suited to each different customer.

From my personal point of view, virtual desktops still need to be tied into the user's management system. If they are completely open, completely uncontrolled and ignore standardization, there may be no problem at first, but in the middle and later stages, the less controlled the virtual desktops are, the greater the pressure on the user's operations and maintenance. Too many users have told us that if the initial stage is not controlled, the operations and maintenance work really goes back to pre-liberation overnight.

# I would like to clarify one point here. Many people say that standardized desktops must be standard / pooled / non-persistent desktops, but my personal opinion is: not necessarily. You can use technical means so that a restart restores the desktop, or you can give users a dedicated / persistent desktop that they fully control themselves, backed by the enterprise's management system. For example: the software that may be run and installed is uniformly regulated by the company, installing software that is not on the list is a violation, and this is controlled and managed through the management system.

Personally, I highly admire the management and control features of virtual desktops for front-line IT operations and maintenance. At the operational level, I advocate combining technology + management, rather than rigidly using technology alone to achieve the final result.

The above information applies to Windows 7 SP1 and Windows Server 2012, but not fully to Windows 10. The main difference has to do with the newer versioning of the Windows 10 system itself.

I believe you all know that in the past, both the Windows client systems (7/8/8.1) and the server systems (2008 R2, 2012 R2) were updated through Service Pack + hotfix.

With Windows 10, however, a complete version is released roughly every six months to a year. Each new version brings a large number of new features, components and services. This is MS's new approach to get around the old Service Pack + hotfix model, which could not iterate quickly on new functions. After all, with the current development of IT, agile development and rapid iteration are a major trend.

From this chart, we can see that the number of scheduled tasks, services and default apps differs across the three major Windows 10 versions released so far, which in turn leads to differences in the consumption of system resources such as CPU/RAM.

So the question is: if we are going to use Windows 10 as our VDA, which version should we choose, RTM, Anniversary or Creators? (Please look up the specific version numbers yourselves.)

In fact, MS considered this problem when designing the Windows 10 system, so in addition to the Professional and Enterprise editions that we were familiar with in the past, it also introduced new servicing options.

https://blogs.technet.microsoft.com/enterprisemobility/2016/01/06/navigating-the-windows-10-servicing-options/

The Insider Program is similar to a beta version, CB is the latest version, CBB is a stable version, and LTSB is stable.

Therefore, MS recommends CBB and LTSB for enterprise scenarios, and Insider and CB for individual users. For example, my personal computer is currently running the latest CB version, 1703.

So at the moment, which versions are CBB and LTSB? On the following MS site, MS gives the status of each version:

https://technet.microsoft.com/en-us/windows/release-info.aspx

# Please note that 1703, which is marked as recommended by Microsoft, is the latest version and is mainly for individual users. In the VDA / virtual desktop scenario, however, we need to follow the MS recommendation and choose a CBB/LTSB version first.

Therefore, I suggest that in the virtual desktop scenario the more appropriate choices are these three versions: 1607, 1511 and 1507.

The above information only represents my personal point of view for reference.
