You can apply several best practices to optimize Compute Engine instancesthat run Microsoft Windows Server. This article describes how you can utilizeother products available on Google Cloud and to ensure your Windows instancesare performing optimally in terms of performance, security, redundancy andavailability. For further information on configuration and setup of Windowsinstances, seeWindows Workloads. ForMicrosoft SQL instances, refer toBest Practices for SQL Server.

General Compute Engine best practices

• Understand whichversions of Windows Serverare supported, best suited for your use case, and which versions might be comingup to theend of Windows Server support on Google Cloud.Further information can be found atLifecycle FAQ from Microsoft.
• Understand how to correctlyAdd a persistent disk to your Windows VM.
• Enable or disable Windows Server operating system features not required forthe services run by your organization, unused features will consume resourcesyou might not be using.
• Launch new instances with the latest image version provided by Google Cloudpublic images, if you are usingPay-as-you-go (PAYG) licence.

Security

• If you are running Windows, you should be running antivirus software.Malware and software viruses present a significant risk to any system connectedto a network, and antivirus software is a simple mitigation step you can use toprotect your data. Microsoft provides advice about onantivirus software.
• Understand how tocreate new local usersandgrant/revoke Administrator privilegeson local accounts to limit critical applications and system files.
• If you are using Active Directory, make use ofConfiguring User Access Control and Permissionsto implement the principle of least privilege for user permissions within theWindows operating system. For further information seesummary of best practices for Active Directory.

Backup & Recovery

• Routinely review and verify your backup and recovery strategy.
• Enable regularPersistent Disk Snapshotsfor a quick recovery from a previous backup if there is a VM failure.
  • Only enableVSSsnapshots on data volumes and where the application is VSS compatible. Avoidcreating VSS snapshotson the operating system disk because the VSS service marks this disk asread-only.

Patch Management

• Confirm your Windows operating system is updated to the latest version and allsystem and quality updates (also referred to as "cumulative updates" or"cumulative quality updates") are installed.
• Make use of automatic Windows Update on your instance. Microsoft releasespatches every second Tuesday of each month at minimum. You should have astrategy for applying these updates to help safeguard the system from known bugsand/or vulnerabilities. If automatic restarts are not an option, considercreating patch jobs by using VM Manager, which canschedule updates and restart your instances at an appropriate time.

Logging and Monitoring

• Enable virtual displaysto better understand the current state of the operating system, and to allow youto view the console in case your instance is inaccessible.
• If your VM instance is stopped, logs from theserial consolewill no longer be available, to retain these logs you canstream serial portoutput to Cloud Loggingand use the output stored to assist with troubleshooting and auditing.
• Consider configuring theOps Agent tocentralize the logs you see in Event Viewer bystreaming logs to Cloud Logging,this allows for easier retrieval of the logs and more consistent retention.This step is completely optional, but recommended.
• Consider installing theOps Agent to monitorand retain the monitoring data of your instance performance.
• Considerstreaming logs from third-party Applications.

Google related drivers, agents & features

• When you use Microsoft software, you are responsible for understanding andcomplying with any licensing agreements that you might have with Microsoft.To understand the requirements and options for licensing, refer to theMicrosoft Licensesdocumentation.
• Keep the guest environment updated in line with your Windows Update strategy.Regularlyupdating the guest environmentof your Windows instance will ensure you are running the latest and most stableversion of all necessary Google Cloud agents and drivers.