Every VMware View implementation will try to squeeze as much VM’s out of the available hardware resources as possible. One of the easier ways to do this is to disable unnecessary Windows services to save on RAM and CPU.
This can of course be achieved by disabling the services in the master or template, but from a management perspective it’s better to use Active Directory (AD) group policy to do this. If anything changes later on and some service has to be enabled that was previously thought unnecessary, it can be done dynamically by changing the Group Policy Object (GPO).
A problem with this approach can be that if the Group Policy Management Console (GPMC) is used on a Windows 2008 R2 Server some services that are specific for Windows 7 (and not present on Windows 2008 R2) are not seen. What you can’t see is difficult to disable
Easiest resolution for this is of course to install the GPMC on a Windows 7 VM in the domain. For all kinds of reasons involving permissions on OU’s managed by other departments and compliance reasons I was recently in a position where this was not possible, at least not without a lot of hassle. So for me disabling the Windows 7 Services had to be done in two stages:
- Making and exporting a security profile on a Windows 7 View desktop
- Importing this security profile on a Windows Server 2008 R2 domain controller
Another advantage to this approach is that the Security Profile that will be created is just a list that can be applied again later. If you’re a consultant and have to do this again and again it saves a lot of time and makes sure you don’t forget things or make typos.
This can be done by creating a Group Policy Security Template on a Windows 7 desktop, and importing this in the GPO for the VMware View desktops. This post will show how this is done.
First you have to decide which services can safely be disabled. As usual “it depends” on your environment and requirements. I recently used this list:
BitLocker Drive Encryption Service
Block Level Backup Engine Service
Desktop Window Manager Session Manager
Diagnostic Policy Service
Error Reporting Service
Home Group Listener
Home Group Provider
Microsoft iSCSI Initiator Service
Secure Socket Tunneling Protocol Service
Tablet PC Input Service
Windows Error Reporting
Windows Media Center Scheduler Service
Windows Media Center Receiver Service
Windows Media Player Network Sharing Service
Wireless Zero Configuration