Author Archives: Jason Yeo

Windows 7 Update taking forever to scan

if your Windows update for Windows 7 is taking to scan, even after many hours… it’s possible that your Windows 7 is in need of a patch to for it’s “patching service”.

Since Windows Update by this time (end of October 2016) is not able to get to the update server to get the update on it’s own, it will need a bit of help from you, the user/administrator. The patch was first released with KB 3161647, then superseded by KB 3172605, and then superseded again. I used the patch for KB 3172605 to resolve the problem I was seeing.

Hope this is useful for you.

windows_update_scan

 

Network portfast validation test for system administrators

In the virtualisation best practice, one of the earliest best practice since many moons ago was to have network admins configure switch ports which are connected to ESXi hosts to have portfast enabled. For many who know this, I find that it tends to be just a regurgitation of what have been read. Very few people actually understood why, and how to validate that it is actually working.

Let’s start with the why. In almost all enterprise network which complex switching, the Spanning Tree Protocol (STP) are enabled. This is to avoid network loops from forming, even though physically loops have been created. Loops are bad, as they basically create a feedback, where network packets are sent and multiplied across the network. The result will simply be a packet storm that floods the LAN and clogs up the network. So, STP is important and understandly why network admins want to enable it. The drawback for enabling STP is that for any network connection that tries to come online, a series of checks and tests are done by the network switch to detect if a loops is created by allowing the port to come online. The detection process takes at least 10 seconds, and at times go beyond.

The result will be that when a port comes online, it takes quite a long while before it is allowed to carry any traffic. The switch essentially blocks all traffics until it is satisfied that there are no loops.

Looking at from the host perspective, it may see that a NIC port has come online, and may (depending on configuration policy) start sending traffic down that link. If the switch is not yet ready, all packets will be black holed. Which is a bad thing. There are many other similar situations, which we essentially want to avoid. A worst case scenario will be if a host has lost redundant uplinks simultaneously and when one returns, it takes extra time for it to be useful. If such a case happens for a VMware ESXi host that is part of a cluster, it may very well result in a long enough “outage” to trigger the HA response.

So, we don’t want that to happen.

We want any network connection to come back online as quickly as possible. Hence, we want to enable portfast. How this is accomplished varies between switch manufacturers. In Cisco Catalyst and Nexus switches, these are configured per network port. I would typically expect a good network admin to know how to make this happen.

The purpose of this post is not to show you how to do this, but as a systems admin, how to check that the network team has configured it in the way that it’s actually working the way you want.

How do you want it, and how do you test for it? It’s not that difficult, and it is much easier to be verified if you have physical access to disconnect the network cables.

The ideal time to test this is during setup, when there is no workload on the host.

  • The setup – a virtualisation host, can be ESXi, Hyper-V, AHV (in fact, any physical server)
  • Typically the network uplinks from the host to the switch have been teamed or bonded to provided redundancy, but this is also completely valid for situations where only a single uplink is used
  • Make sure you have the ability to do a ping either from within the host out, or from outside in

The procedure

  1. Start with all links to be tested to be online
  2. Start a continuous ping that traverse the link you want to test; there must be a response, if not troubleshoot until you get one
  3. Physically disconnect all uplinks to be tested; the ping must start to time out, if not troubleshoot to figure out why
  4. This step is key – reconnect one link; and you should expect a ping response to return within 1 ping time out, which should not be more then a couple of seconds; typically if portfast is not enabled, you would see at least 4-5 ping timeouts before any positive returns are observed. Obviously take note of any bad links and ask the network team to fix it.
  5. Disconnect the link, and move on to the next link, repeating steps 4-5 until all links are completed.

After the network admin resolves the configuration gap, I would repeat the tests again for any links that failed previously.

From my experience, something simple like this can completely address strange behaviours where hosts are going offline for short periods without good explanation. So, taking time to verify portfast is crucial for a good deployment of any virtual environment.

Nutanix Deployments are Darn Fast!!

This is my first post on Nutanix since I joined in July 2015. Other than being really busy, I also wanted to gain much more experience with the platform before I write. Now, four months in and having deployed many clusters and nodes all over APJ, I have quite a bit to write.

This post focuses on one of the results which I am really impressed with, the speed on deploying a brand new cluster, and expanding an existing cluster.

This by the way is also a winning reason for one of my customers in Singapore. Their first deployment of Nutanix was in 2013, and for VDI with Horizon View. The project manager was pretty impressed that the whole project took only 4 weeks to complete! This is a financial institution and you can expect all the heavy processes and change management involved.

It was because of the success of the first project, their counterparts in other countries in the region started to adopt Nutanix as a platform. They have embraced the quick time to market they can achieve by virtualizing on Nutanix.

Another global customer whom I have deployed at least 10 clusters in the region have already standardised on Nutanix. Each time I drop into one of their sites for deployment, the job to complete a fully functional & resilient Hyper-V cluster, from unboxing to production ready is just that few hours. Amazing!!

Never have I been able to do a complete cluster deployment with compute and storage in a day. With Nutanix, it’s possible!

How about adding new nodes to the cluster? It’s even faster!! Simply rack up, power on, re-image where necessary, join cluster and done!

I am loving this true webscale Hyper Converged Infrastructure. As one of my friends who tried the CE Edition, this is a true software defined solution in a box!

Tune PCoIP for LAN like picture quality over WAN

This is a question that was posed to me recently, it’s an unusual but valid scenario which I feel is worthy of sharing.

This is a Horizon View virtual desktop use case where the virtual desktop is hosted in Singapore, and the users are located overseas. In this situation they were in China and Korea, but this would also apply to anywhere in the world with similar 100ms latency.

The primary requirement is that customer had to deliver LAN like picture quality to the remote users. In fact the users have already tried and were complaining of fuzziness in the screen, particularly when they scroll quickly through their emails in Microsoft Outlook.

Now, most common concern about virtual desktop usage over the WAN is the bandwidth required. All technologies in the world are constrained by the laws of maths and physics, with a given resource, there is a limited about of data that can be sent across the wire. The more constraint the bandwidth, the lower the picture quality. As a result, the most common tuning for PCoIP is to optimise bandwidth usage without giving up too much quality, it is a trade off and the balance must be sought for each deployment scenario.

PCoIP on its own is a self adjusting protocol. It aim to deliver the best realtime quality picture given the end to end network condition. Throughout the session, PCoIP will be constantly adjusting quality based on the full network condition it observes between the virtual desktop and the client. In a situation where latency goes up, the time it takes for PCoIP to adjust itself also increases.

Now, one key consideration given to us in this case is that the customer’s top priority is to deliver the best picture quality; assume that bandwidth is not a concern and can be provisioned as needed.

Given the higher (but tolerable) latency, we can help guide PCoIP to desired state sooner. This is achieved by applying some tuning to the PCoIP parameters via the AD Group Policy template.

Be Warned – the following settings can result in higher bandwidth usage, and should only be applied when you fully understand the implications.

If you are ready, below are the parameters we applied – if you need, take this as an example, some tweaking should always be done to find your sweet spot between picture quality and resource consumption. Also, I would consider the users here to have the highest expectations and demands than I have encountered.

  • Minimum Image Quality – 70
    This tells PCoIP the lowest quality of the image to attempt to send across the wire. As we were witnessing fuzziness in the image, this means the default image quality value was too low and should be raised for this scenario.
  • Maximum Initial Image Quality – 90
  • Maximum Frame Rate – 50
    This particularly important for fast moving screen changes. It was tested from 30 FPS, 40 FPS and finally it was settled at 50 FPS. It was at this setting where the end user was satisfied.
  • PCoIP session bandwidth floor – 2000
    This tells PCoIP that the environment is ready to handle 2000 Kbps for the session. It doesn’t mean that PCoIP will consume that much regardless. If the screen is idle, you would see only a few Kbps moving across the wire. This is one of the parameters that helps PCoIP achieve a steady state stream with less “guess work”

Horizon View – Session Timeout Changes in 6.x

Here’s something that changed in Horizon View 6.x that we have noticed recently. This particularly affects Zero Client users more, or more specifically clients that are not able to report client activity (if the keyboard and mouse are in use). This came about because of how the clients have changed since 3.0.

To a View 5.x admin, the parameter I’m writing about is Session timeout, officially documented here. In Horizon View 6.x, this parameter has been renamed to Forcibly disconnect users, officially documented here.

Simply put, this setting specifies how long a user’s View session is allowed to stay connected, regardless of user activity. Yes, even if a user is actively using, the session will be forced to disconnect. Disconnect, not logged off; so the users just needs to reconnect and continue the session. There are good reasons for this setting, and it needs another blog post. For now, I’m just going to focus on what has changed.

In v5.x the admin there is no option to disable the timer, instead it is just to set some impossibly long time like 999999 minutes. I’ve done this for some of my clients who have setup Zero clients for wall display systems. Those displays are meant to be up 24×7, e.g. IT Operations Room monitoring screens.

In v6.x this setting has changed, not just in name but in behaviour as well. It can now be set to Never disconnect, but it is not completely true. It depends if the View client understands it. Horizon View soft clients since 3.0 will work, however Zero clients do not.

Zero client users will have to watch out here. There is a caveat. If the value is set to Never or anything above 1200 minutes (20 hours), Zero clients will always get disconnected after 20 hours. This can be undesirable, especially for the IT Monitoring Screen use case I mentioned above.

Fortunately, there is a workaround to this, and we can make some under the cover changes to prevent Zero clients from being disconnected. The steps are documented in the VMware KB article 2091458. It requires making changes to the View Connection Server’s AD LDS, so make sure you have a backup and get familiar with the procedures first.

Private VLANs with Distributed vSwitch & Extreme Networks Switches

I came across this just this week working with on a virtual desktop deployment. One of the requirements is to disallow virtual desktops in the same subnet to talk to each other. The most efficient way to do this was to make use of Private VLANs and put the desktops in an Isolated PVLAN. It was relatively easy to configure this on the distributed switch in vCenter Server. Please check out this KB article (1010703) if you need some guidance.

Just to help illustrate in this post, the Primary Promiscuous PVLAN was defined to be 100, and the Secondary Isolated PVLAN, 101.

Now, just making the configuration on the Distributed vSwitch is not enough. We have to make sure that the physical network is also PVLAN aware, and knows the relationship between 100 and 101. Why you may ask? simply because anything in PVLAN 101 must be able to talk to anything in PVLAN 100 across all the hosts. The physical switches must be able to move these packets between hosts to make this happen. Additionally, the physical switches must honour the Isolation requirement for PVLAN 101. So it is logical that there must be some configuration needed on the physical switches.

It was probably the first time the Network engineer is working on PVLANs and I had to give him the above explanation to convince him that there’s something that he needs to do on the physical side.

The environment had a pair of Extreme Networks switches. I have had no prior experience with these and found 2 pieces of information to work with the Network Engineer.

We studied the materials and did some testing, and finally got the minimal settings needed to get things working.

The KB article had steps which we discovered to be unnecessary. Below is an example of what was applied for PVLAN to be fully operational.

create vlan VDIPri
configure vlan VDIPri add port XXXX 'where XXXX are the ports connected to the ESXi hosts
configure vlan VDIPri tag 100 
create vlan VDIDesktops
configure vlan VDIDesktops add port XXXX
configure vlan VDIDesktops tag 101

'at this point the VLANs have simply been created, tagged and associated with the relevant ports
create private-vlan VDIPrivate
configure private-vlan "VDIPrivate" add network "VDIPri" 
configure private-vlan "VDIPrivate" add subscriber "VDIDesktops"

That’s all. In the KB article and documentation, there were additional commands for “translation” which we learnt were not needed in our case.

 

Errors in a KB Article – Horizon View 6.x Network Ports

This post was written on the 5th May 2015. Hopefully sometime in the near  future it is no longer relevant, but until then, be aware of an error in a KB article (2085383) for Horizon View 6.x network ports.

I’m compelled to write this post as I’ve just encountered a 2nd partner who got misled by this erroneous article.

For the proper reference, the Horizon View 6.x documentation lists out the ports that are required. The direct link to the web based documentation is here. I recommend using this.

If you want to see a correct diagram on how the ports should be like, you can look at the slightly older KB article (2061913) for View 5.x. The key differences between View 5.x and 6.x are the following

  • View 6.x no longer support Local Mode – but since it shares ports 80 & 443 for other purposes, you’ve got to keep them.
  • View 6.x adds Cloud Port Architecture – so this is a new port for View Pod to View Pod communication.
  • View 6.x adds Enhanced Message Security mode – and this also adds a new port between View Connection Servers only.

Back to the erroneous article.

The part which needs to be fixed are the ports depicted for the Horizon View Client to communicate with a View Security Server. This is typical of a situation when an end device is situated in an untrusted network (e.g. the Internet), and the connection has to be tunnelled through a View Security Server that sits in the corporate DMZ. Under such a situation, there are only 3, at most 4 ports which are required, and they are

  • 80 TCP (HTTP) – for users who use a web browser and simply just hit the access URL without prefixing a HTTPS:// in the address bar. This will simply allow the Security Server to do a redirect to the same URL, but with HTTPS
  • 443 TCP (HTTPS) – all non-desktop traffic goes through this HTTPS encrypted connection. So right from the start, all communications between a View Client and the Security Server are fully encrypted; additionally, if RDP is the chosen protocol, it will be embedded within this HTTPS communication. So, there is no need for 3389 TCP to be opened between the View Client and Security Server.
  • 4172 TCP & 4172 UDP (PCoIP) – all PCoIP based desktop traffic will use these 2 ports. The TCP port is only used for the initial setup of the PCoIP connection. Once it’s up, all desktop activities will be just 4172 UDP.

the diagram below was cut out of the KB article. You’ll see 3 additional ports which I’ve crossed out in red.

  • 9472 TCP (MMR) – this is the Multimedia Redirection port. It is not used between the View Client and Security Server. The View Client will only use it when it does a direct connection with the Virtual Desktop.
  • 3389 TCP (RDP) – this is the well known RDP port. As mentioned above, when the session is tunnelled, RDP is embedded within the 443 TCP traffic, and does not use 3389 TCP. Again, the View Client will only use this port if it is to do a direct connection with the Virtual Desktop.
  • 32111 TCP (USB) – this port is used for USB redirection. When tunnelled through a Security Server, the View Client will not use this port; instead it will send the traffic via 4172 UDP. When the View Client is to have a direct connection to the Virtual Desktop, it will then use 32111 TCP.
Horizon View 6.x - Client to Security Server Ports

Horizon View 6.x – Client to Security Server Ports

Windows 7 – Optimise Visual Effects for all New User Profiles

Optimisation Type [explain] : user experience (↓↑) / resource optimisation (↑) / functionality (-) / administration (-)

this is my 3rd post about Visual Effects optimisation. It must seem I have some obsession about this. Kind of!! As I haven’t found a completely reliable source of information on how to do this.

In the land of remote access to Windows desktops, regardless of protocols, any changes on the screen will have to be sent across the network. The more changes, the higher the network bandwidth requirements. I would think this is probably one of the reasons why Windows have an advance settings page to allow you to tweak the visual effects. Another reason would be some of these actually take up more CPU cycles, so on slower/older PCs it will actually impact the user experience.

The purpose of this post is to provide the method on how to apply the same settings to users from the moment their user profile is created the first time. Now, although the default settings applied to new users may be what IT prefers, but savvy users will know a trick or two and change the settings to what they may like. To counter these, we need to add on a second control to enforce the settings.

I wrote a post earlier on how to enforce the Visual Effects settings via GPO. That is still an important step. Applying the settings via GPO helps to keep individual user settings to that desired by IT. Although it may not be a realtime enforcement, but it will make sure the settings are what it needs to be each time the user logs on.

Back to this.

I’ve read many documents and posts and quite a few just suggest to tweak registry settings to the default user profile. I couldn’t find any that gives the complete solution. I hope this post will you out, if you are looking for a solution.

The most common solution I found was to simply set the registry which defines the setting for “Adjust for best XXXXX” settings, and the checkboxes below. Unfortunately, that doesn’t help.

The registry value which stores the setting is

HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects > VisualFXSetting

By setting the value to 0x2 (hex) it adjusts the radio button to “Adjust for best performance”. As you can the picture below on the right, the desired setting is in place, and all the check boxes are turned off. It is suppose to mean all visual effects have been disabled. Well, it’s not really the case. Compare the appearance of the two windows below. The one on the left is when the settings are truly in place and in effect. So, setting that registry value alone is insufficient.

Best Performance Windows 7 Visual Effects when applied

Best Performance Windows 7 Visual Effects when applied

Best Performance Windows 7 Visual Effects Not in Effect Best Performance Windows 7 Visual Effects Not in Effect[/caption]

The second registry value that is also commonly suggested is

HKU\Control Panel\Desktop > UserPreferencesMask

Making changes to the above value in default user profile does nothing at all. It is only useful when we push settings from GPO on an ongoing basis, but when a new profile is being created, quite unexpectedly the settings are not inherited from the default user profile. In fact, these settings are actually taken from a particular key under HKEY_LOCAL_MACHINE.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects

I have create a batch file that you can run to turn everything off. Feel free to copy the below into a text file in notepad and save as a .bat file. Of course, if you may not need to turn everything off, please pick and choose the values to maintain.

@REM Use this script for Windows 7 desktops to tune down Visual Effects
@REM Setting Default HKLM values
@REM Script by Jason Yeo; @jasonyzs88
@REM Script Version 1.1 - covers 3D (AERO) and 2D Visual Effects; disables Themes service.

reg load "hku\temp" "%USERPROFILE%\..\Default User\NTUSER.DAT"
reg add "hku\temp\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 0x3 /f
reg unload "hku\temp"

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\CursorShadow" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DragFullWindows" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DropShadow" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DWMAeroPeekEnabled" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DWMEnabled" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DWMSaveThumbnailEnabled" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\FontSmoothing" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\FontSmoothing" /v NoApplyDefault /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListBoxSmoothScrolling" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListviewAlphaSelect" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListviewShadow" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\SelectionFade" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimations" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ThumbnailsOrIcon" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TransparentGlass" /v DefaultValue /t REG_DWORD /d 0x0 /f

sc config Themes start= disabled
sc stop Themes

pause

Conclusion & Recommendation

How I would optimise an environment is to apply both the settings from this post, and to enable ongoing enforcement of the settings via GPO. This would be a complete solution where user visual settings are configured up front right from the first time their profiles are created. If the settings change, the GPO enforcement will then re-apply the settings back to what is desired by IT.

 

Custom Database Role for Horizon View Events Log

This post is based on something I am working on and since I found no other information on it, I had to figure it out. Now that I think I’ve got all the pieces in place, I’d like to share it too.

The request is simple, to avoid granting dbo rights to the database account. The task is to figure out the exact MS SQL database permissions required for View to operate the View Events database.

For View Composer, it’s simple as the Horizon View documentation already has a section on custom role for View Composer database access. If that is what you are looking for, it’s available here for Horizon 6.1.

For View Events, I believe the database operations are much simpler (compared to View Composer), and so it seems that a subset of the permissions (compared to View Composer) is required. True enough, I was right about this. Once I had the permissions in place, I was able to complete configuring the View Events database from the Horizon View admin portal. Otherwise, the operation will fail with an error.

The key permissions needed by the database account are the following

  • ALTER
  • CONNECT (typically already granted by default)
  • CREATE TABLE
  • CREATE VIEW
  • DELETE
  • EXECUTE
  • INSERT
  • SELECT
  • UPDATE

Below is an example, do make the necessary changes to suit your implementation.

Item Specification Remarks
Horizon View 6.1 this is what I tested with
MS SQL Server 2008 R2 this is what I tested with
SQL Database ViewEventsDB change as needed
SQL User Account viewuser change as needed
SQL Role role_ViewUser change as needed

Below is the SQL script that I used, do customise it with to suit your needs. Prior to running the script, you will need to first create the database. With the database created, you can then run the script to create the account, role and grant the rights.

USE [master]
GO
CREATE LOGIN [viewuser] WITH PASSWORD=N'YourPasswordHere',DEFAULT_DATABASE=ViewEventsDB, DEFAULT_LANGUAGE=us_english, CHECK_POLICY=OFF
GO

USE [ViewEventsDB]
CREATE USER [viewuser] for LOGIN [viewuser];
CREATE ROLE [role_ViewUser] AUTHORIZATION [dbo];
EXEC sp_addrolemember [role_ViewUser], [viewuser];
GO

use [ViewEventsDB]
GRANT CREATE TABLE TO [role_ViewUser]
GRANT CREATE VIEW TO [role_ViewUser]
GRANT DELETE TO [role_ViewUser]
GRANT EXECUTE TO [role_ViewUser]
GRANT INSERT TO [role_ViewUser]
GRANT SELECT TO [role_ViewUser]
GRANT UPDATE TO [role_ViewUser]
GRANT ALTER TO [role_ViewUser]
GO

Optimising Windows 8.1 Visual Effects

Optimisation Type [explain] : user experience (↓↑) / resource optimisation (↑) / functionality (-) / administration (-)

I have just been involved with a View deployment where the customer wants to use the latest and greatest Windows 8.1. It gave me a good opportunity to figure out the registry settings to optimise the Visual Effects for Windows 8.1.

Windows 8.1 Visual EffectsThe method to apply this is identical to how we would do it for Windows 7, and I have written about it here. So this post will just focus on what you need for Windows 8.1.

Comparing with Windows 7, there are a few more options in Windows 8.1, and one setting gone. If haven’t noticed, the task bar is different in Windows 8.1. The setting to “use visual styles on windows and buttons” is no longer available, as such we can turn everything off.

Initially, I tried to just “Adjust for best performance”, the settings would not take effect. I can see that the settings dialog box was reflecting the two registry changes, but the actual behavior did not change. Instead, I just went straight to set it as “Custom” and un-check all the boxes via the registry. Below is the full list of settings that I applied via GPO.

I’ve also noted this time that the DWORD values have to be set as Hexadecimal, and some of the values are of different type.


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects]
(REG_DWORD;Hexadecimal) VisualFXSetting = 0x00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
(REG_DWORD;Hexadecimal) IconsOnly = 0x00000001
(REG_DWORD;Hexadecimal) TaskbarAnimations = 0x00000000
(REG_DWORD;Hexadecimal) ListviewAlphaSelect = 0x00000000
(REG_DWORD;Hexadecimal) ListviewShadow = 0x00000000

[HKEY_CURRENT_USER\Control Panel\Desktop]
(REG_BINARY) UserPreferencesMask = 9012038010000000
(REG_SZ) DragFullWindows = 0
(REG_SZ) FontSmoothing = 0

[HKEY_CURRENT_USER\Control Panel\Desktop\WindowsMetrics]
(REG_String) MinAnimate = 0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM]
(REG_DWORD;Hexadecimal) EnableAeroPeek = 0x0000000
(REG_DWORD;Hexadecimal) AlwaysHibernateThumbnails = 0x0000000