We are noticing that it takes rather a long time for users to log in to our VDI environment (~2 minutes, in some circumstances). I did some analysis of login times using Sysinternals Procmon. (Enable boot logging, use the “view process tree” feature to look at process times at logon. See http://blogs.technet.com/b/markrussinovich/archive/2012/07/02/3506849.aspx for details). What I found was that a child process of explorer.exe called “ie4uinit.exe” was running for most of this time. This process appears to be part of Microsoft “Active Setup” (discussed in some detail here: http://blog.ressoftware.com/index.php/2011/12/29/disable-active-setup-revealed/).
So what if we disable Active Setup? Noise on the Internet suggests that this is possible , simply be deleting the key:
as suggested here:
However, there is some indication that this could have unintended consequences. In my case, it immediately caused a logon script to fail to run. Bummer!
What other solutions are possible? Members of the Windows in Higher Education mailing list recently recommended using mandatory profiles. There is a reasonably good rundown of the mandatory profile creation process here:
Missing details are:
- It is possible for the mandatory roaming profile to be stored locally (i.e. “C:UsersVDI_Mandatory.V2” to avoid over-the-network profile copy delays. However, in our View environment, using a network location appears to be faster!
- The mandatory roaming profile can be specified using the Group Policy settings in Computer -> Policies -> Administrative Templates -> System -> User Profiles. (See “Set roaming profile path for all users logging onto this computer” and “Delete cached copies of roaming profile”.)
In testing, I found initial logon times were reduced from two minutes to approximately 20 seconds. Good! (But still not great.) Additional benefits are that it is no longer necessary to run the logon script that I developed to customize the Start Menu and Task Bar. I also can remove the Group Policy preferences that clean up local profiles on the computer.
This week we are continuing testing of the new Microsoft Bitlocker Administration and Management 2.0 tool (MBAM).
MBAM is not overly complicated, but it does have several service tiers and dependencies which make initial setup a bit irksome. After plowing though configuration of a SQL database, SQL Reporting Services, and IIS, we are still need to configured MBAM Group Policy settings, and then we needed to do a fir number of tweaks to make the service actually work. Here are the most significant deviations from the official documentation:
- The Group Policy templates for MBAM are not uploaded to the AD Policy Store during product installation, nor does the documentation recommend that you complete this step. However, if you want to be able to edit MBAM Policy from any workstation in the domain, you really do need to upload the ADMX templates. Making this happen is easy… just use the MBAM installer to install the MBAM policy templates locally, then open c:windowsPolicyDefinitions, and copy BitLockerManagement.admx and BitLockerUserManagement.admx to \[domain]SYSVOL[domain]PoliciesPolicyDefinitions (you will need domain admin rights to do this. Also copy the corresponding .adml files in the local language directory of your local PolicyDefinitions directory to the local language directory on the domain controller (in my case, these are in the “en-US” subdirectory).
- After installing the MBAM Client and policy settings, clients were failing to auto-initiate encryption, and were failing to report status to the management server. The MBAM Admin Event Logs were showing the following error:
Log Name: Microsoft-Windows-MBAM/Admin
Event ID: 4
Task Category: None
Description: An error occurred while sending encryption status data.
Error code: 0x803d0013
This is occurring for a few reasons. One, the MBAM server is not trusted for delegation, so it cannot perform Kerberos authentication in IIS. Two, the public URL for MBAM services (https://bitlocker.uvm.edu) does not match the internal name of the server (BAM1). To fix this, we needed perform a few additional configuration steps:
- Create the following key and value on the MBAM management server:
DWORD(32-bit) - DisableMachineVerification
Value = 1
- On the MBAM Administration Server AD object, enable the “Trust for delegation for any service (Kerberos Only) option”, under the Delegation tab.
- Use the “setspn” utility to add additional principal names for the public URL of the server to the AD server account:
setspn -A HOST/bitlocker.mydomain.com MYDOMAINMyServer$
setspn -A HTTP/bitlocker.mydomain.com MYDOMAINMyServer$
setspn -A RestrictedKrbHost/bitlocker.mydomain.com MYDOMAINMyServer$
(Note that if using a service account to run the MBAM Administration Service, you should use “setspn” to set the HOST/HTTP names for the service account instead of the domain computer account).
- It appears that it may also be necessary to add the “BackConnectionHostNames” Reg_multi_Sz value to “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaMSV1_0” to include any public dns names used by the MBAM Administration Server (this likely only is necessary in a load balanced configuration).
We then needed to perform an IISRESET on the management server, and cycle the MBAM Clients.
- The MBAM Help Desk web application was failing to display reports. This was happening because the installer grabbed the unencrypted reporting services URL from the reporting services instance. I had to open:
C:inetpubMicrosoft BitLocker Management SolutionHelp Desk Websiteweb.config
Then locate the tag, and edit the URL value to the SSL version of the Reporting Services web site.
- The MBAM documentation claims that you will use MBAM policies in place of standard Windows BitLocker policies. This is somewhat misleading… Many MBAM policy settings also will change the “classic” BitLocker policy settings, so it will appear that you have configured both classic and MBAM policies in the editor. This would not really be a problem were it not for the fact that MBAM policies are not comprehensive. You may need to return to the “classic” settings to configure appropriate behavior in your environment. For example, we experienced difficulty in encrypting a Dell Latitude 10 tablet using MBAM. On this machine, we saw the following error in the MBAM Admin Event Log:
Event ID: 2
An error occurred while applying MBAM policies.
Error Code: 0x803100B6
Details: No pre-boot keyboard or Windows recovery Environment detected. The user may not be able to provide the required input to unlock the volume.
This error is happening because our policy is set to “Allow PIN” (BitLocker PIN Authenticator is allowed, but not required). Apparently, MBAM default-fails the attempted encryption, even though this is not a “fatal” error. To allow encryption to continue, I needed to set the classic policy “Enable use of BitLocker authentication requiring preboot keyboard input on slates” as defined here:
With this policy in place, encryption completes successfully on the tablet computer.
Other than these caveats, the tool does appear to be working. Setting up our PGP Universal Server was easier, but suffering though the pain of ongoing PGP disk encryption support was agonizing. Hopefully a little time spent on configuring a solid BitLocker support environment will bear lasting fruit for our constituents down the road.
Rick Delserone’s MBAM: Real World Information – A rundown on MBAM Certificate Configuration, Group Policy Templates, and undocumented registry settings: