Jan 31, 2012

Disable Windows 7 Services to save resources with View


Every VMware View implementation will try to squeeze as many VMs out of the available hardware resources as possible. One of the easier ways to do this is to disable unnecessary Windows services to save on RAM and CPU.

This can of course be achieved by disabling the services in the master or template, but from a management perspective it’s better to use Active Directory (AD) group policy to do this. If anything changes later on and some service has to be enabled that was previously thought unnecessary, it can be done dynamically by changing the Group Policy Object (GPO).

A problem with this approach is that if the Group Policy Management Console (GPMC) is used on a Windows 2008 R2 Server, some services that are specific to Windows 7 (and not present on Windows 2008 R2) are not shown. What you can’t see is difficult to disable.

The easiest resolution for this is of course to install the GPMC on a Windows 7 VM in the domain. For all kinds of reasons involving permissions on OUs managed by other departments and compliance, I was recently in a position where this was not possible, at least not without a lot of hassle. So for me, disabling the Windows 7 services had to be done in two stages:

  • Making and exporting a security profile on a Windows 7 View desktop
  • Importing this security profile on a Windows Server 2008 R2 domain controller

Another advantage to this approach is that the Security Profile that will be created is just a list that can be applied again later. If you’re a consultant and have to do this again and again it saves a lot of time and makes sure you don’t forget things or make typos.

This can be done by creating a Group Policy Security Template on a Windows 7 desktop, and importing this in the GPO for the VMware View desktops. This post will show how this is done.

First you have to decide which services can safely be disabled. As usual “it depends” on your environment and requirements. I recently used this list:

BitLocker Drive Encryption Service
Block Level Backup Engine Service
Bluetooth Service
Desktop Window Manager Session Manager
Diagnostic Policy Service
Disk Defragmenter
Error Reporting Service
Home Group Listener
Home Group Provider
IP Helper
Microsoft iSCSI Initiator Service
Offline Files
Parental Controls
Secure Socket Tunneling Protocol Service
Tablet PC Input Service
Windows Error Reporting
Windows Media Center Scheduler Service
Windows Media Center Receiver Service
Windows Media Player Network Sharing Service
Wireless Zero Configuration
WLAN AutoConfig
WWAN AutoConfig

Always check what these services actually do. Look at the description and check with Google and Microsoft TechNet. Also check the dependencies of each service: if a service is disabled by GPO, all other services that depend on it will fail to start. With this caution out of the way we can get into the “How-to” of disabling them.

First, a list of these services and their startup types has to be made on a Windows 7 VM so it can be imported into the GPO. For this you should be on a Windows 7 VM that’s part of the AD domain. Open an MMC and add the plug-in “Security Templates”:

AD GPO Security Templates

Once this plug-in is loaded it needs to be pointed to a path where it can find and store security templates. Use “New Template Search Path…”:

AD GPO Security Template Search Path

I used C:\Temp. Next do “New Template” and give it a name; you’ll end up with an empty security template:

Security Template Services List

In this template, locate “System Services”. Select one of the services that’s to be disabled:

Security Template Service Status

Select “Define this policy..” and change the setting to “Disabled”. Also don’t forget to check the “Edit Security” button just to make sure you’ve touched these settings. The permission will then change to “Configured”. Now follows the joy of checking all the services you want disabled. Lots of clicking involved:

Security Template Services Permissions

When all the services have been checked, the template needs to be exported so it can later be imported into the GPO in place for View:

Security Template Export

Use “Save As..” and select a location. The file will have the .inf extension.

Security Template export file

This file now needs to be read by the AD GPO that’s made for your VMware View. Open your Group Policy Management Console and edit your View GPO. Go to Computer \ Policy \ Windows Settings and do “Import Policy”. Select the .inf file made earlier and it will be imported into your View GPO.

Security Template Services List

The result will be that all Windows 7 Services deemed not necessary for use by VMware View will now be disabled, including the services that would not have been seen on the Windows 2008 (R2) platform.
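The dependency caution above can be checked against the exported .inf before it is imported. The script below is an added example, not part of the original post: it reads the `[Service General Setting]` section of the template (one entry per service: name, startup code where 4 means Disabled, and the security descriptor) and reports services on the local Windows 7 desktop that depend on a service the template disables. The file name, the constructed sample and its SDDL strings are assumptions; `BDESVC`, `iphlpsvc` and `Wlansvc` are the short names of BitLocker Drive Encryption Service, IP Helper and WLAN AutoConfig.

```powershell
# Added example, not from the original post. Run on a Windows 7 desktop
# built from the same master image, before importing the template.
param([string]$TemplatePath = 'C:\Temp\view-services.inf')  # hypothetical file name

# Constructed sample (SDDL shortened), used only when the file does not exist.
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
[Service General Setting]
"BDESVC",4,"D:AR(A;;CCLCSWLOCRRC;;;IU)"
"iphlpsvc",4,"D:AR(A;;CCLCSWLOCRRC;;;IU)"
"Wlansvc",4,"D:AR(A;;CCLCSWLOCRRC;;;IU)"
'@ -split "`r?`n"

$startup = @{ '2' = 'Automatic'; '3' = 'Manual'; '4' = 'Disabled' }

function Get-TemplateService {
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Service General Setting')
            continue
        }
        # Entry format: "ServiceName",<startup code>,"<SDDL security descriptor>"
        if ($inSection -and $line -match '^\s*"?([^",]+)"?\s*,\s*([234])\s*,') {
            New-Object PSObject -Property @{ Name = $Matches[1]; Startup = $startup[$Matches[2]] }
        }
    }
}

$lines    = if (Test-Path $TemplatePath) { Get-Content -Path $TemplatePath } else { $sample }
$entries  = @(Get-TemplateService -Lines $lines)
$disabled = @($entries | Where-Object { $_.Startup -eq 'Disabled' } | ForEach-Object { $_.Name })

foreach ($name in $disabled) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name is in the template but not installed here"; continue }
    # Services that depend on this one will fail to start once it is disabled.
    foreach ($dep in $svc.DependentServices) {
        if ($disabled -contains $dep.Name) { continue }
        $mode = (Get-WmiObject Win32_Service -Filter "Name='$($dep.Name)'").StartMode
        if ($mode -ne 'Disabled') { "{0} ({1}) depends on {2}, which the template disables" -f $dep.Name, $mode, $name }
    }
}
"{0} services defined, {1} set to Disabled" -f $entries.Count, $disabled.Count
```

Any line it prints names a dependent service that should either be added to the template as Disabled or be a reason to leave its parent service enabled.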

An alternative for the whole thing: do it in Group Policy Preferences, which can also change services. I personally think that, as it’s a limitation forced on users, a GPO is the best place for it.

Resources saved, better density of VMs per host, more value for money.

