Logon times are funny. It’s the first interaction a user has with a system, and they will base a lot of their opinion of the solution on that first interaction. With a stateless VDI desktop like the one VMware View can provide, the user is logging onto a machine they’ve never logged onto… every time. This creates an interesting problem. The first time you EVER log onto a PC, the experience usually stinks. That’s because your profile is being built from whatever has been defined on your box as the “default profile”, plus whatever scripts and GPOs need to be applied, resulting in a 40-60 second login.
I am here to tell you today that the last few weeks of my life were dedicated to strapping a rocket to logon times with Windows 7, then adding the Imprivata solution into the mix and seeing how fast I could get logons from there. The use case I was working with didn’t care about saving a user’s profile; they wanted the FASTEST VMware View logon times available no matter what it took, and Kiosk mode was not an option because a user security context needed to be established. My first thought was, hey, let’s see if we can use mandatory profiles or somehow force all users to use the same profile that’s already loaded on the desktop. I was not successful with mandatory profiles or with forcing a user into a profile that was already on the machine, but during my search I was able to get connected with a Sysadmin who was able to achieve subsequent 10 second logins with Windows 7 and VMware View.
Quick breakdown on the environment I was working with: VMware View 5.1.1, ESXi 5.0, vCenter 5.0, Imprivata OneSign 4.6.
Here is what I learned during the course of my time.
- Windows XP is a dog. Get off it if you’re on it. You’re about to be forced to anyway, since the VMware stance is that they will not support a product that the original manufacturer itself won’t support.
- Establish baselines without hardware performance in the picture. If performance is an issue, troubleshoot that as well, but do it apart from your baselining. If you can’t prove what you Establish a best case for physical and virtual. Put your VDI linked clones on a flash LUN if you have one to remove the possibility of storage contention.
- Look at group policy and logon scripts. In my case this wasn’t the issue, but I’ve seen countless others where simply turning on asynchronous policy processing cut the times in half. Here’s the GPO optimization guide Microsoft has. Good stuff there. http://support.microsoft.com/kb/315418
- Slim and trim down the profile. If the use case you have doesn’t need any profile data such as the desktop or documents folder? Guess what? Don’t include it.
Here are the tricks that I used to get 10 second initial logins with VMware View and Windows 7 while ensuring the AppData in the profile didn’t bloat up over time and ultimately hurt login times again. Remember that in this use case, we expected the users to utilize their mapped drives to save ANY DATA that they cared about. It was understood and expected that their desktop folder and documents folder would NOT follow them around.
- We got group policy out of the equation. Machines were in a blocked OU. No loopback policy; only one GPO was utilized, for the persona management configuration. Ensure that policy is processed and that you log on with a domain user in the golden image before building the pool. Let’s be honest, with refresh on logoff, how bad can a user mess up their PC?
- We used VMware View persona management and didn’t synchronize anything. I’ll go into the exact policy settings I utilized later and what I would have done if it were a requirement to keep the documents and desktop folders. Remember, we’re going for total speed here, not saving a user’s hello kitty wallpaper.
- Windows 7. Optimized for View following the guide. 2GB memory. 1 vCPU. Initial logon times with a 1.75MB profile on a profile share with known-good performance. Consistently 15-17 second login.
- Windows 7. Optimized for View following the guide. 2GB memory. 2 vCPU. Initial logon times with a 1.75MB profile on a profile share with known-good performance. Consistently 10 second login. This was one of the more noticeable performance differences. And before you go wild bumping your golden images to 2 vCPUs, make darn sure you’re aware of the impact that’s going to have on your hosts.
At this point we had a working solution with consistent 10 second logins post profile build. Now what do we do? We start layering in pieces of the solution and document logon times ONE BY ONE.
One such piece of the solution was the Imprivata OneSign agent. We noticed that once we installed the OneSign agent MSI, the logon times went from 10 seconds to 30. Then we noticed that if for some reason we didn’t refresh that machine, subsequent logins were back to 10 seconds again. What the heck? We discovered that when you install the OneSign agent from the OneSign Appliance web page, it automatically stuffs the trusted CA cert for the self-signed cert on the Imprivata appliances into the machine’s local certificate store. This doesn’t happen when you install the MSI. So once we manually put the CA cert in the machine’s local store, we were back to 10 second logins. Another tip is to ensure that Domain Users have modify rights to C:\ProgramData\SSOProvider, as that’s where Imprivata keeps its DAT files, which are regularly updated. Since users are the ones logging on, they need rights to that folder so the files can be updated.
And so the story continues for me, layering in the solution one piece at a time. One pro-tip: do AV LAST. If you do it first it might have a performance impact that you’re confusing with application performance, when in fact it’s AV. Another pro-tip is to use a VDI-optimized AV, such as a host-based AV, or one that can scan and hash all the files in the golden image.
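A pre-pool-build check for the three things above that quietly drag logon times back up: the appliance CA cert missing from the machine store, Domain Users lacking modify rights on the SSOProvider folder, and personas on the share growing past the ~1.75MB measured here. This is an added example, not Imprivata’s or VMware’s tooling; `$CaSubjectMatch` and `$PersonaRoot` are placeholders you set for your environment, and the 2MB threshold is an assumed limit.

```powershell
# Added pre-build sanity check (not from the original post). Placeholders to adjust:
$CaSubjectMatch = 'Imprivata'                 # assumed: substring of the appliance CA subject
$PersonaRoot    = '\\servername\servershare'  # share root from the persona repository path
$SsoDir         = 'C:\ProgramData\SSOProvider'
$MaxProfileMB   = 2                           # assumed threshold; post measured 1.75MB personas
$Modify         = [System.Security.AccessControl.FileSystemRights]::Modify

$results = @()

# 1. The appliance CA must be in the MACHINE trusted root store; installing the MSI
#    does not put it there, and its absence cost 20 seconds per logon in the post.
$caCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$CaSubjectMatch*" }
$results += [pscustomobject]@{
    Check  = 'Appliance CA in LocalMachine\Root'
    Pass   = [bool]$caCert
    Detail = ($caCert | ForEach-Object { $_.Thumbprint }) -join ',' }

# 2. Domain Users need Modify (no more than that) on the SSOProvider folder so the
#    regularly updated DAT files can be written by the logged-on user.
$rule = $null
if (Test-Path $SsoDir) {
    $rule = (Get-Acl $SsoDir).Access | Where-Object {
        $_.IdentityReference -like '*\Domain Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Modify) -eq $Modify) }
}
$results += [pscustomobject]@{
    Check  = 'Domain Users Modify on SSOProvider'
    Pass   = [bool]$rule
    Detail = ($rule | ForEach-Object { "$($_.FileSystemRights)" }) -join ',' }

# 3. Per-user persona size on the share: AppData growth is what erodes logon time
#    again later, so flag any persona folder over the threshold.
Get-ChildItem $PersonaRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $bytes = (Get-ChildItem $_.FullName -Recurse -File -ErrorAction SilentlyContinue |
              Measure-Object Length -Sum).Sum
    $mb = [math]::Round(($bytes / 1MB), 2)
    $results += [pscustomobject]@{
        Check  = "Persona size: $($_.Name)"
        Pass   = ($mb -le $MaxProfileMB)
        Detail = "$mb MB" }
}

$results | Format-Table -AutoSize
```

Run it elevated on the golden image after logging on once with a domain user, and again against the share after the pool has been in use for a while to catch persona growth.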
So here’s what you probably scrolled to the bottom to see: the list of Persona Management settings. Well, here you go. We also ran into the “white start bar icons” issue with Windows 7, and were able to work around it by including the synchronization of AppData\Local\IconCache.db, along with the AppData\Roaming\Microsoft\Internet Explorer\Quick Launch folder. Pretty much everything else was excluded. If we had wanted the Documents and Desktop folders redirected, we would have taken them out of the “Do not sync” exclusion list, and redirected them either with native Windows policy or using the “VMware View Agent Configuration/Persona Management/Folder Redirection” section of the GPO.
If you have knowledge workers/power users that need all their documents and AppData redirected and are going to be using Linked Clones, my suggestion is to not go the persona management route, but to use a third-party product such as Liquidware Labs, RES, or another suitable product. I’ve seen those two work well.
VMware View Agent Configuration/Persona Management/Roaming & Synchronization
- Manage User Persona: Enabled
- Profile Upload Interval (in minutes): 10
- Persona Repository Location: \\servername\servershare\%USERNAME%\Personal
- Override Active Directory Path if configured: Enabled
- Roam Local Settings Folders: Enabled
- Files and Folders Excluded from Roaming: AppData, AppData\Local, Contacts, Desktop, Documents, Documents\My Music, Documents\My Pictures, Documents\My Videos, Downloads, Favorites, Links, My Documents\My Music, My Documents\My Pictures, My Documents\My Videos, My Music, My Pictures, My Videos, Saved Games, Searches
- Files and Folders Excluded from Roaming (exceptions): AppData\Local\IconCache.db, AppData\Roaming\Microsoft\Internet Explorer\Quick Launch