Jan 31, 2012

Disable Windows 7 Services to save resources with View

 

Every VMware View implementation will try to squeeze as many VMs out of the available hardware resources as possible. One of the easier ways to do this is to disable unnecessary Windows services to save on RAM and CPU.

This can of course be achieved by disabling the services in the master or template, but from a management perspective it’s better to use Active Directory (AD) group policy to do this. If anything changes later on and some service has to be enabled that was previously thought unnecessary, it can be done dynamically by changing the Group Policy Object (GPO).

A problem with this approach is that if the Group Policy Management Console (GPMC) is used on a Windows 2008 R2 server, some services that are specific to Windows 7 (and not present on Windows 2008 R2) are not shown. What you can’t see is difficult to disable ;-)

The easiest resolution for this is of course to install the GPMC on a Windows 7 VM in the domain. For all kinds of reasons involving permissions on OUs managed by other departments and compliance reasons I was recently in a position where this was not possible, at least not without a lot of hassle. So for me disabling the Windows 7 Services had to be done in two stages:

  • Making and exporting a security profile on a Windows 7 View desktop
  • Importing this security profile on a Windows Server 2008 R2 domain controller

Another advantage to this approach is that the Security Profile that will be created is just a list that can be applied again later. If you’re a consultant and have to do this again and again it saves a lot of time and makes sure you don’t forget things or make typos.

This can be done by creating a Group Policy Security Template on a Windows 7 desktop, and importing this in the GPO for the VMware View desktops. This post will show how this is done.

First you have to decide which services can safely be disabled. As usual “it depends” on your environment and requirements. I recently used this list:

BitLocker Drive Encryption Service
Block Level Backup Engine Service
Bluetooth Service
Desktop Window Manager Session Manager
Diagnostic Policy Service
Disk Defragmenter
Error Reporting Service
Fax
Home Group Listener
Home Group Provider
IP Helper
Microsoft iSCSI Initiator Service
Offline Files
Parental Controls
Secure Socket Tunneling Protocol Service
Tablet PC Input Service
Windows Error Reporting
Windows Media Center Scheduler Service
Windows Media Center Receiver Service
Windows Media Player Network Sharing Service
Wireless Zero Configuration
WLAN AutoConfig
WWAN AutoConfig
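
The first stage described above (building the security template on the Windows 7 desktop) could be scripted as follows. This is an added example, not code from the original post; the output path is an assumption, and the empty third field is assumed to leave the service's own permissions undefined in the template.

```powershell
# Added example. Run in an elevated PowerShell session on the Windows 7 View desktop.
# Display names come from the list above; the short service names a security
# template needs are resolved on the machine itself instead of being hard-coded.
$displayNames = @(
    'BitLocker Drive Encryption Service', 'Block Level Backup Engine Service',
    'Bluetooth Service', 'Desktop Window Manager Session Manager',
    'Diagnostic Policy Service', 'Disk Defragmenter', 'Error Reporting Service',
    'Fax', 'Home Group Listener', 'Home Group Provider', 'IP Helper',
    'Microsoft iSCSI Initiator Service', 'Offline Files', 'Parental Controls',
    'Secure Socket Tunneling Protocol Service', 'Tablet PC Input Service',
    'Windows Error Reporting', 'Windows Media Center Scheduler Service',
    'Windows Media Center Receiver Service',
    'Windows Media Player Network Sharing Service',
    'Wireless Zero Configuration', 'WLAN AutoConfig', 'WWAN AutoConfig'
)
$outFile = 'C:\Temp\View-DisableServices.inf'   # assumed output path

$services = Get-WmiObject -Class Win32_Service
$lines = @('[Unicode]', 'Unicode=yes', '[Version]',
           'signature="$CHICAGO$"', 'Revision=1', '[Service General Setting]')
$missing = @()

foreach ($dn in $displayNames) {
    # Accept an exact display-name match, or a match with the spaces removed.
    $svc = $services | Where-Object {
        $_.DisplayName -eq $dn -or ($_.DisplayName -replace ' ', '') -eq ($dn -replace ' ', '')
    }
    if ($svc) {
        # Line format: "ServiceName",StartupMode,"SDDL"  (2=Automatic, 3=Manual, 4=Disabled)
        $lines += ('"{0}",4,""' -f $svc.Name)
    } else {
        $missing += $dn
    }
}

$lines | Out-File -FilePath $outFile -Encoding Unicode

# Names that do not exist on this build are reported, not silently skipped.
foreach ($m in $missing) { Write-Warning "No service with display name '$m' found" }

# Syntax-check the template before it is imported into the GPO.
secedit /validate $outFile
```

Review the warnings before importing: a name that does not resolve means that service is not covered by the template, so it keeps whatever startup type the master image has.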

Dec 23, 2011

Block VMwareTray.exe using Software Restriction Policies in AD

 

In this post I described how it’s possible to hide the VMware Tools Control Panel applet in Windows 7 using Active Directory GPO. Another thing I like to clean up is the VMwareTray application. It’s again a way into the VMware Tools applet and regular users should need no access to it. Also it’s a running process without a real purpose. VMwareTray.exe is located in C:\Program Files\VMware\VMware Tools. It’s started by default for every user by the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware Tools.

VMware’s solution for these things is again KB 1006354. It advises to remove this key so the process does not run. This works of course but for me there are two problems:

  • The user could start vmwaretray.exe manually. Not a disaster this, but still not what you’re trying to achieve
  • If the VMware Tools are upgraded the keys will re-appear and will have to be removed again

So I prefer it to be fixed by GPO. If it’s done right it works better and is far less troublesome from a management point of view.

Hiding the VMware Tools applet from the Control Panel

 

I spend quite some time designing and building VMware View environments. If you’re like me you don’t want the users of your View desktops limited too much. After all, one of the great advantages of using VDI is that users are less limited than on a Citrix or RDS server. If the View desktop looks like the one at home users will like it more.

It’s still better however if regular users are prohibited from accessing certain settings, just to make sure that they don’t break crucial things. This is best done with GPOs (group policy objects in Active Directory). One of the things I don’t want users to see is the VMware Tools applet in the Control Panel. It’s this one:

[Image: VMware Tools Control Panel Applet]

It’s not too obvious how this should be hidden. Of course many Control Panel applets can be hidden using Active Directory GPO.

Dec 20, 2011

Enable VMware vShield Manager and vShield Endpoint

For use with Trend Micro Deep Security 7.5

Lately I’ve been working on implementing Trend Micro’s Deep Security in a medium sized VMware View 4.5 environment. We’ll use it to replace the in-VM virus scanning solution now in use. The goal is of course to make the AV management easier and to reduce the load in every VM. The current version of Deep Security is 7.5. It’s not supported yet on vSphere 5, but our View 4.5 pools run on vSphere 4.1 anyway.
First a picture of the DS / vShield architecture to get an idea of what’s involved:

[Image: vShield Deep Security Architecture]

There are a number of things that have to be done to get DS 7.5 running. Firstly it’s dependent on the presence of VMware vShield Endpoint which has to be enabled first. I’ll focus this post on enabling vShield Endpoint and get back to DS 7.5 later in another post.

To enable vShield Endpoint:
  • You need to add Endpoint licenses to vCenter
  • Get vShield Manager up and running
  • Enable vShield Endpoint on your ESX hosts.

Dec 13, 2011

vShield Endpoint 5 driver integrated with VMware Tools

 

One of the nice new features of vSphere 5 is that the vShield platform is being further developed. Among the changes that were announced earlier was the integration of the vShield Endpoint Thin Agent into VMware Tools. If you deploy vSphere 5 now however, you won’t find the integrated Endpoint driver. Fortunately it really is integrated with VMware Tools, but it’s necessary to get the latest version from VMware.com. It’s all described in VMware KB 2002778. This is how it’s done:

Dec 12, 2011

Jun 14, 2009

VMware View Security Server – How to use a commercial wildcard certificate




Recently I had to configure a View Security Server with a wildcard certificate. For me this was a first, and it cost me quite a bit of time. I also found the documentation on it (in the View Admin guide) fairly minimal, so I'll share my experiences here.




The Certificate Issues


My scenario: I was given a wildcard certificate in .cer format, and a separate keyfile, in .key format. As these are not the right format for View (what I needed is .pfx; this is stated in the Admin guide), I combined them using OpenSSL. The version I used is from the GnuWin32 utilities at gnuwin32.sourceforge.net. The command I used for this was:
openssl.exe pkcs12 -export -out secure.website.com.pfx -inkey keyfile.key -in star_website.crt
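
The checks a practitioner would wrap around that command, as an added example that is not part of the original post: confirm the key matches the certificate before combining them, then read the PFX back and restrict access to it. File names are those from the command above; openssl.exe on the PATH and an RSA key are assumptions.

```powershell
# Added example. File names follow the command above; an RSA key is assumed.
$cert = 'star_website.crt'
$key  = 'keyfile.key'
$pfx  = 'secure.website.com.pfx'

# 1. The certificate and the private key must belong together: compare moduli.
$certMod = & openssl.exe x509 -noout -modulus -in $cert
$keyMod  = & openssl.exe rsa  -noout -modulus -in $key
if (-not $certMod -or $certMod -ne $keyMod) {
    throw "Private key '$key' does not match certificate '$cert'"
}

# 2. Show subject and validity so the wildcard name and expiry can be checked.
& openssl.exe x509 -noout -subject -dates -in $cert

# 3. Build the PFX. openssl prompts for the export password, which keeps the
#    password out of the command line and the shell history.
& openssl.exe pkcs12 -export -out $pfx -inkey $key -in $cert
if ($LASTEXITCODE -ne 0) { throw 'pkcs12 export failed' }

# 4. Read the PFX back (prompts for the password) to confirm it opens.
& openssl.exe pkcs12 -info -noout -in $pfx
if ($LASTEXITCODE -ne 0) { throw 'PFX could not be read back' }

# 5. The PFX and the .key file both hold the wildcard private key:
#    remove inherited permissions and allow only local Administrators.
foreach ($f in @($pfx, $key)) {
    & icacls.exe $f /inheritance:r /grant:r 'BUILTIN\Administrators:(F)'
}
```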