Pebkac

Preventing Windows automatically installing drivers

A problem that has frustrated me for some time now is the insistence of Windows 10 to automatically install drivers at its leisure, often accompanied with a nag screen prompting me to enhance my device’s capabilities by downloading some other poorly made bloatware from the manufacturer’s website. Recently, I was working with an MDT task sequence where I was deploying the latest Nvidia GPU driver, using the Chocolatey package nvidia-display-driver.

Before my task sequence step had time to run, Windows would jump in and drag down 500MB of an outdated WHQL certified Nvidia driver and install it, and when my own driver installation ran, I’d be left with all of the unwanted artifacts from the previous driver, or worse, it would fail because the background driver installation hadn’t completed yet. I didn’t want to add the driver into MDT because I didn’t want to be updating the driver every time the wind changed, and I also knew from experience that a massive display driver adds quite a lot of time onto the dism step that applies the unattend file inside the task sequence.

I couldn’t locate any substantive Microsoft documentation that described how to configure the automatic driver installation behaviour.

A web search revealed a number of promising Group Policy settings I could use to control driver updates. Many of these were Windows 7-centric, as the machinery for driver updates in Windows Update has been around for quite some time. I found much debate over the behaviour of the SearchOrderConfig setting in the DriverSearching key, while some articles also suggested setting the ExcludeWUDriversInQualityUpdate setting. There were also quite a few guides for blacklisting individual devices from installation based upon their PCI device IDs, which seemed messy and time-consuming to me.

Ultimately, after significant testing on my part, no combination of values in these policies changed the behaviour. Windows still dutifully streamed that GPU driver down, much to my chagrin.

I debated configuring a firewall rule that temporarily blocked the Windows Update and BITS services from accessing the internet, but decided this approach was inelegant, and also wouldn’t solve the problem in the long term.

After a bit of investigation with procmon, I noticed that the Windows service responsible for the download was DsmSvc, or Device Setup Manager. Microsoft describe the functionality of this service as “Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configured with outdated software, and may not work correctly.”

Intrigued, I quickly set about disabling this service to check the behaviour. My task sequence completed with no automatic GPU driver installation, and as a bonus there were no popups asking me to download the “enhanced” software for my mouse or webcam. These devices still worked fine because I had already added the driver files for them to MDT. Great success!

Searching online, I again could not find any good documentation specific to this service. I did read that in Windows Server, the service only exists when Desktop Experience is installed, not Server Core, which provided me with some reassurance.

Conscious of the fact that disabling Windows Services often has unintended consequences, I used the system as a daily driver for a few weeks, periodically checking the event logs for issues. At the time of writing, I’m yet to encounter any problems.

So, if you are also a control freak like I am, and would prefer to deploy your own handpicked drivers for your hardware, then go ahead and disable your DsmSvc, and you’ll be able to cross another item off the list of Windows 10 annoyances.
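
One way to apply and later verify the change described above, as an added example rather than the author's own script: it records the service's original start mode so the change can be reverted, then reports the service state, any Service Control Manager warnings or errors naming the service, and driver packages from a given vendor in the driver store. The function names, the state-file path and the `NVIDIA` filter are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: disable DsmSvc reversibly and verify the result.
# $StateFile is an assumed path; 'NVIDIA' is a sample provider filter.
$ServiceName = 'DsmSvc'
$StateFile   = "$env:ProgramData\DsmSvc-original-state.json"

function Disable-DeviceSetupManager {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "$ServiceName not found on this installation." }

    # Record the original start mode once, so the change can be rolled back.
    if (-not (Test-Path $StateFile)) {
        $svc | Select-Object Name, StartMode, State |
            ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8
    }
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $ServiceName -StartupType Disabled
}

function Restore-DeviceSetupManager {
    $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    # Win32_Service reports 'Auto'; Set-Service expects 'Automatic'.
    $type = if ($saved.StartMode -eq 'Auto') { 'Automatic' } else { $saved.StartMode }
    Set-Service -Name $ServiceName -StartupType $type
    Remove-Item -Path $StateFile
}

function Test-DeviceSetupManagerDisabled {
    param([int]$Days = 14, [string]$Provider = 'NVIDIA')
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    # Service Control Manager errors/warnings that mention the service.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Level = 2, 3; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DsmSvc|Device Setup Manager' }
    # Third-party driver packages from the chosen vendor in the driver store.
    $drivers = Get-WindowsDriver -Online |
        Where-Object { $_.ProviderName -match $Provider } |
        Select-Object Driver, ProviderName, ClassName, Version, Date
    [pscustomobject]@{
        StartMode     = $svc.StartMode
        State         = $svc.State
        ScmEvents     = @($events).Count
        StagedDrivers = $drivers
    }
}
```

Run `Disable-DeviceSetupManager` before the driver installation step and `Test-DeviceSetupManagerDisabled` afterwards; more than one staged package from the same vendor suggests a background install still got in first.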

If anybody reading this can find any official documentation about this service, or the automatic updating behaviour, please post in the comments. If there’s a supported way to control this functionality without turning off the service, that’s definitely the way I want to go.

Server 2016 as a desktop

There’s scant documentation around the web about running Windows Server 2016 as a daily driver desktop, and probably for good reason. There’s a multitude of reasons why you’d be well advised not to use a server SKU on anything except a server. You can also achieve a pretty similar experience by using the Windows 10 LTSB/LTSC.

About a month ago I was getting ready for a clean install on my machine at home, and fatigued by the mere thought of de-bloating the new Windows 10 client out of the box, decided to experiment with Server 2016 instead. I was surprised by how well things went, so I thought I would do this post outlining my steps, the caveats, as well as some pros and cons.

To pre-empt comments I’ll get about wasting money on licensing, I have licenses available that I didn’t pay for. I would not advocate doing this if it involves you buying a retail license.

Configuring the system

At time of writing, the current build of server that contains the desktop experience role is 1607. There’s a 1709 build available, but the WIMs contain only server core. My speculation after reading Microsoft’s documentation is that Desktop Experience will be available in whatever build of server is on the long-term servicing channel, while the semi-annual channel will be core only. I used the Standard SKU, as I didn’t need any of the additional resource limits Enterprise offers, and I don’t intend to use any server roles.

You can install the OS in any of the typical ways. I use Rufus to make bootable Windows installs on USB flash media. My system is a Kaby Lake H270 desktop board, with a 980TI. Most systems are going to be pretty safe driver wise. If you’re using the vanilla image, you’ll get a one page OOBE asking you to set the Administrator password. At the end you’ll get dumped into a desktop and the server manager app will open.

From here you can configure the system like a workstation using PowerShell alone.

First, I created a local user account, added it to the administrators group, and then disabled the built-in Administrator account:

New-LocalUser -FullName 'Pebkac.io' -Name 'pebkac' -PasswordNeverExpires
Add-LocalGroupMember -Group 'Administrators' -Member 'pebkac'
Disable-LocalUser -Name 'Administrator'
logoff

After logging into the new account, you’ll have UAC behaving per the Windows 10 defaults, so you’ll have to explicitly launch an elevated PowerShell to do any heavy lifting.

The Server Manager is set to automatically open at login for all users, with a Scheduled Task. You can turn that off for all users without engaging with the abhorrent UI at all:

Get-ScheduledTask -TaskName 'ServerManager' | Disable-ScheduledTask

Since processor scheduling is defaulted to Background Services in the server SKUs, I changed this to the Programs setting.

You can change this setting in the registry as follows:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\PriorityControl' -Name 'Win32PrioritySeparation' -Value 38

A value of 38 is equivalent to setting the Programs radio button.

Next, I activated Windows, applied Windows Updates, and then installed the most recent Nvidia driver for my video card. If you have some other hardware needing drivers that didn’t get serviced by Windows Update, you can install those at this point as well.

Desktop composition effects get pretty crippled out of the box, with sensible defaults for a server:

You can change this setting in the registry as well. A value of 1 is equivalent to selecting the Adjust for best appearance radio button.

Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects' -Name 'VisualFXSetting' -Value 1

The Shutdown Event Tracker is enabled by default, annoying you with this at system shutdown:

Typically people disable this with the Local Group Policy editor, but since I’m a fan of automation, I again go straight to the registry:

New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT' -Name 'Reliability'
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability' -Name 'ShutdownReasonOn' -Value 0

I personally have no qualms about pressing Ctrl+Alt+Delete at the welcome/login screen, but if you want to switch this off:

Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'DisableCAD' -Value 1

Windows 10 also enables Memory Compression by default, but to get it in Server you’ll need to run:

Enable-MMAgent -mc

Now, after a reboot, Server will be behaving about as closely to a vanilla Windows 10 as you can get.

What’s missing?

To be frank, a whole bunch of stuff. There’s nothing there I use, but your mileage may vary.

A non-exhaustive list:

  • Cortana (including start menu web search and search suggestions)
  • Windows Store
  • Almost all user facing default AppX/UWP packages. That includes Edge, Photos, Mail etc.
  • Signing in to Windows with Microsoft accounts
  • Windows Spotlight
  • Game bar, Game DVR, most of the Xbox related features.
  • System restore
  • Windows Hello (goodbye!)

It’s glorious, I know.

What’s different?

  • Start menu search actually works, and consistently too, just like with your comrade Windows 7.
  • No preloaded OneDrive, as well as no OneDrive shell extensions clogging up your explorer windows and context menus.
  • Windows Update doesn’t reboot your machine unless you want it to, and doesn’t push a new build on you more often than you change your clothes.
  • The ability to turn off the Defender AV engine in the Settings app, without it switching itself back on.
  • A bunch of default tiles in the start menu (for example, mstsc, taskmgr, and eventvwr.msc are there). I left them alone because they’re infinitely more suitable defaults than Twitter and Microsoft Solitaire Collection.
  • A lot less Telemetry, and the ability to opt-out more easily with the UI.
  • calc.exe, a shining beacon in the darkness. I’ve missed you old friend.

What about gaming?

Aside from AppX/UWP, work off the assumption it’s Windows 10. DirectX 12 is there. Vulkan installs and works fine. Nvidia/AMD drivers, GeForce Experience, and Steam all work fine. I even found some older titles like Company of Heroes actually worked better, since Server is lacking the “Full screen optimizations” feature Microsoft sneaked into a recent Windows 10 build. I didn’t test the EA Origin client, because I have self respect.

Performance-wise, it is, in the overwhelming majority of cases, identical to Windows 10, or within a few FPS either way. Anyone who advocates strongly for either 2k16 or Windows 10 for the best gaming performance is just wrong, and made assumptions without doing any testing.

Quality of life improvements

  • You’ll naturally install another web browser according to your preference. Internet Exploder 11 is never a valid choice.
  • Instead of the Photos app, you can restore the Windows 7 style viewer, or use an app like ImageGlass.
  • For other media, I personally like MPC-HC, but VLC is also a good and more popular choice.
  • If you don’t want advanced PDF functionality, give SumatraPDF a shot as a viewer.
  • There’s a slightly out of date article on Technet with some extra system services you can disable, should you feel inclined.
  • Not really specific to this article, but get Chocolatey and change your life.

Wrapping up

I’m still using Server 2016 on my workstation at time of writing, and I’m yet to encounter any dealbreakers. The system is leaner and more liberated from the bloat of the Windows 10 client, and behaves more like I would prefer out of the box, given my 20 years of experience with Windows.

Windows Server 2016 RTM in Azure

Despite the fact that there are no Windows Server 2016 RTM images up in Azure yet, after a bit of experimentation I’ve managed to get an RTM build (14393.206) installed and activated just fine. It seems that Microsoft enabled KMS activation around the same time as Ignite began. It’s been awfully handy having the RTM up and running ahead of the official release.

Windows Update doesn’t mind servicing these machines as normal. I’ve got no idea if Microsoft approve of this behaviour though, so use caution.

If you’ve managed to obtain any of the RTM ISOs, simply install the Datacenter SKU in a local Hyper-V VM, Sysprep and generalize, copy your image up to your Azure storage account, and create a VM with it. Read the Microsoftian on how to do that if you need to.

Once your VM is up and running in Azure, install a 2016 VL product key by running this from an elevated PowerShell:

& "$env:windir\system32\cscript.exe" "$env:windir\system32\slmgr.vbs" /ipk CB7KF-BWN84-R7R2Y-793K2-8XDDG

The final step is activation, and it’s dead simple. Deliver this sweet one liner to point your box at the friendly Azure KMS:

& "$env:windir\system32\cscript.exe" "$env:windir\system32\slmgr.vbs" /skms kms.core.windows.net:1688

Winning

Screenshot of Windows Server running on Azure VM