Keep your house tidy!
It only takes a mouse click to break an environment – and recently I found myself trawling through log files to investigate slow logon times with VMWare DEM – the root cause was, as always, frustratingly trivial – a deleted AD group that was still being referenced in the DEM config, but the steps taken to identify this can help you improve your VDI logon times across your estate (…assuming your our employer cares about this!). The below principles can be used in any VDI environment with a profile management tool in place.
I’ve split this into 2 sections. The first section How to troubleshoot a logon issue with VMWare DEM includes the actual steps taken to fix aforementioned issue. The second section 5 Tips to Improve VDI Logon Times offers a few ideas to consider in your environment.
How to troubleshoot slow logon with VMWare DEM
- First we need to enable granular logging so we can see what is happening during the logon process. For VMWare DEM you can do this by creating a text file named FlexDebug.txt and copy this into the Archive\Logs folder of the affected user. At logon, FlexEngine service reads the flag text file and logs at a more granular level to the FlexEngine.log file. Deleting the .txt file will revert your logging level back to INFO (or however it is configured in your DEM GPO).
2. Log the user out of any open desktop sessions, then delete their FlexEngine.log file so we have a clean log to work with.
3. Log them back on. Once the logon cycle completes, read through the timestamps of logon events and look for gaps of more than 1 or 2s.
In total, the below log file shows a gap of 28s where DEM was stuck trying to process erroneous data. The first event is a failed AD group lookup that wasted around 12s over 2 events. The AD group had been deleted from AD, but hasn’t been removed from the UEM config settings.
How to quickly identify a bad settings in your DEM config:
If you’re having trouble locating the offending setting in the GUI of DEM Management Console, then save time by searching the .ini config files directly:
- Browse to your UEM Config folder.
- Use windows explorer search bar and type content: to search for whatever text/setting/error/AD group/value is failing to process. This will search the contents of the .INI config files for your DEM installation and quickly identify where your problem lies.
Citrix registry value ‘LogOffCheckSysModules’ exists, but does not contain ‘FlexEngine.exe’
This error is caused by an AppVolume package (Adobe Professional) which created the above value in HKLM registry tree. Updating the AppVolume package and deleting the above registry key fixed this.
Issues like these cause overhead on your service desks, remember to keep your house tidy and have regular check-up’s on your logon times.
5 Tips To Improve VDI Logon Times
Mop Up Your Conditional Look Ups!
Be careful not to apply conditions to every setting within your given DEM environment. Every condition requires DEM to perform an operation, adding milliseconds to your logon, but as the old saying goes ‘every millisecond counts’….sorry I’ll get my coat.
You can shave seconds off the logon time by configuring Condition Sets and avoid using conditions on a per-setting basis.
Go Panning for Gold!
Logons are fastest when there is a low quantity of files and settings to import, minimal GPO processing and an optimised OS image. Sounds obvious, but if you want to improve logon times you must go panning for the golden settings and throw away the dirt, bloat and unnecessary files that are scooped up by your profile management tool. So how do you find the unnecessary files or settings?
- Refer to your Profile management log file e.g. FlexEngine.log if using DEM.
- Find the time stamps with the biggest gap, the example below shows Internet Explorer.zip is taking 5s to execute.
- Now browse to the users DEM profile and find the Internet Explorer.zip file. Copy it to your C:\temp and open it up, unzip the contents.
- Take a look at which folders have the highest quantity of files.
- In our example the VMWare UEM Console was roaming 922~ files and taking around 10s to extract.
2. By unzipping the contents and assessing it using a tool like TreeSize I could see over 500+ files of cached thumbnail images which could be removed from the registry. I updated the UEM template to exclude the bloat!
Another classic profile bloat is IE Cookies – consider excluding these from your UEM application template unless absolutely necessary. In the case of my client, they only use IE for intranet websites, so it’s not the default brower. Based on this, we agreed to scrap cookies entirely and shave 4 seconds of log on time.
Enable INFO Logging, Disable DEBUG Logging!
Remember, if you leave Debug logging enabled for your users, this will also slow down their logon because the FlexEngine process is outputting very granular details for every step of the logon process! Configure your DEM FlexEngine logging level to INFO. You can always enable DEBUG logging on a per-user basis as covered in step 1 of this post.
IOPs are King. Get the best storage media possible for your UEM and profile storage arrays to improve I/O response times.
Make Use of FlexDirect and Predefined settings
FlexDirect is a cool feature of DEM which lets you configure certain apps to only import their user settings when the application is launched. Closing and opening the app causes import and export of user settings. This directly improves logon speeds, but with a later penalty when the app is launched – so there’s a trade off involved.
Assess which apps carry a sizable .zip archive and consider configuring them to use FlexDirect instead. Another win for log on times! Predefined settings can help you enforce specific settings and you can then ‘ignore’ any custom user settings. This can also save profile space, but isn’t always a viable option.
The Big Picture
Although this post’s focus is solely on the DEM execution during logon, you should take a holistic approach to optimising your logon times and remember the other elements and infrastructure services that are invoked during a logon. I hope the below gives you some ideas:
Goodbye Group Policy!
Most organisations migrate to VDI from a physical desktop estate that houses a sprawling GPMC structure with thousands of GPO’s, logon scripts and noise processing at every logon. Computer and User GPO processing adds tens of seconds to logon times. When you implement VDI you should block inheritance on the OU where your VDI AD machine objects live, and from a policy standpoint: start from scratch!
I like to review User-based GPO’s and if I spot a setting in Group Policy that can be configured in DEM, then let’s configure them within DEM! Try to work to a general rule of using Group Policy for Computer settings, and DEM for ALL user settings.
Most profile management tools can now import ADMX templates into VMWare DEM (also possible with Profile Unity) , eradicating the need to use GPMC for User settings. However, remember that you are now at the mercy of the processing order for DEM/UEM or your chosen profile management tool – and thus, it’s always worth knowing the order of execution for troubleshooting logon issues.
DeCrapify Your OS Gold Image using VMWare OSOT and Google!
Your Gold Image should always be optimised for use in VDI. There’s many approaches to do this, I recommend using VMware OSOT is an awsome free tool for optimising your VDI gold image.
Google: Decrapify Windows 10 will lead you towards a lot of power shell scripts designed to strip out the bloatware built into Windows OS. I strongly recommend testing any decrapify scripts first – they’re usually very aggressive in removing services, registry keys, native applications from the windows store (think Calculator or MS Paint – people hate losing these). However, if tuned to your requirements, these scripts can be excellent and a huge time saver in preparing your gold image – so it’s well worth taking the time to download many of these scripts and chop/change/pick/choose the best bits of each of them. Combine a Decrapify script with OSOT will help you create a lean, lightweight OS image, which will ultimately improve VDI performance and maintenance of your gold image.
I hope you found this article useful.