The future of Roaming Profiles – Add fast logon performance and Office 365 support to your virtual desktop (VDI) – Azure Virtual Desktop environment with Microsoft FSLogix Profile Container


Since news broke that FSLogix was being acquired by Microsoft, the question most often asked by the community was about ongoing product availability. Specifically, customers wanted to know if they’d still be able to use FSLogix products in their existing on-premises deployments, or if those products would be limited to AVD (other great news today, because it’s released to Public Preview today as well!). We haven’t had an official answer–until now. As of today, FSLogix products will become available for almost everyone with very few limitations!

“Roaming Profiles is a relatively old technology with lots of disadvantages. The future workspace is built on advanced filter-driver technologies for constant performance no matter what the size of the user’s profile is.” – Christiaan Brinkhoff

This article will cover one of the most impressive products—Profile Container—including all the steps that are needed to install and configure it, plus tips and tricks to make the transition from your existing profile management solution to Profile Container seamless.

Please, continue reading to learn more…

Note: This article also applies to Azure Virtual Desktop or any other DaaS and/or virtual desktop workload(s).

FSLogix for almost everyone! 

As said earlier, all the FSLogix products, such as Profile Container and Office Container, but also App Masking and Java Redirection, will become part of the core technology of Windows (and Azure Virtual Desktop). Additionally, if you own or subscribe to anything on the following list, you’ll also be entitled to FSLogix (it’s a pretty broad list, so there’s a good chance you are entitled!).

You are eligible to access FSLogix Profile Container, Office 365 Container, Application Masking, and Java Redirection tools if you have one of the following licenses:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/Student Use Benefits
  • Microsoft 365 F1
  • Microsoft 365 Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) Client Access License (CAL) – SA not required
  • Remote Desktop Services (RDS) Subscriber Access License (SAL) – SA not required

FSLogix is available for download here

Disruptive technology – why containers are better

Disruption is a term in IT that we hear a lot these days because disruption among competitors drives innovation, right? Roaming profiles have been around for over 20 years, and have remained largely the same during that time even though the way we used them changed. In other words, they were ripe for disruption.

“Profile Container will disrupt roaming profiles.”

Folder Redirection was there to rescue you when the size of the user’s profile became too large. However, this all works on file-based storage, so you always had limited options. Profile Container works through filter drivers, which are block-based. The profile is streamed directly, whether it’s 1GB or 100GB in size – it doesn’t matter anymore. No file transfer takes place in the background, which overcomes the corruption of profiles as well!

Compare it to watching a movie through Netflix versus downloading it yourself – with a download, you must wait longer… This filter-driver technology is also one of the fundamental reasons why this product works best with all the Office 365 products, such as OneDrive and Teams. These products make the profile bigger and bigger, which becomes a bottleneck for roaming profiles as well – using filter-driver, caching disk technology is the only way to leverage Office 365 services on top of VDI correctly…

Some important disadvantages to know about roaming profiles…

  • Large roaming profiles take a long time to download, extending logon times that can be measured in minutes. In fact, 20,5% of customers surveyed by VDILIKEAPRO in 2019 – and the state of the union 2018 survey – recorded logon times of greater than 1 minute, though the majority of respondents (57%) indicated <25 second logon times. Logon times of over 10 minutes have been encountered.
  • Roaming profiles also need to be uploaded at logoff, and if this process is interrupted the profile could be left in a corrupt state. When this happens, temporary profiles are created. These profiles are completely empty and IT intervention is needed to resolve the problem.
  • Customers using folder redirection place an increased load on their network by creating large amounts of SMB traffic between the desktop and the file server. Each request to a file is treated as a new connection–an effect that uberAgent’s Helge Klein calls a “mini denial of service attack on your fileserver.”

Differences between the profile and office container explained

FSLogix Profile Container puts a user’s entire profile into a VHD or VHDX container. This container is typically stored on a file server and attached dynamically as the user logs on. Profile Container can be used with any 3rd party profile solution. It also adds the support for Outlook cache plus Search, OneDrive, SharePoint, Teams, Skype, OneNote and the cache of the Office 365 ProPlus computer activation license.

The FSLogix Profile product:

  • Encapsulates the entire user profile, including the registry, in an in-guest container (VHD/VHDX), i.e. %USERPROFILE% and NTUSER.DAT.
  • Can also include the Outlook cache, OneDrive cache and Search Index.
  • Automatically creates the VHD(x) and saves it on a file store.
  • Improves login times.
  • Persists critical files between sessions and devices.
  • Eliminates folder redirection, especially %APPDATA%.

The FSLogix Office Container is a subset of the FSLogix Profile Container feature plus the ability to roam the Windows Search database with the user. Profile Container solves the issues that Office 365 has in a roaming profile environment. It also adds the support for OneDrive, SharePoint, Teams, Skype, OneNote and the cache of the Office 365 ProPlus computer activation license – all based on an existing roaming profile management solution.

Note: It is possible to use Profile and Office Container together to, for example, separate the OneDrive data into a separate container on cheaper and/or different storage locations. This could be beneficial in some use-cases.

Filter driver architecture

As mentioned in the previous section, Profile Containers are not the same as roaming profiles. FSLogix products, such as Profile Container, let the operating system think that the Office 365 product folders are local. This is achieved by using smart filter drivers in Windows, which inject the folder mountings of Office 365 at the file system level so the operating system cannot detect any mounting points. Because of this approach, Microsoft Outlook, Search, OneDrive and Teams work inside FSLogix container products. Also, it does not matter anymore how big your profile is, because FSLogix works in a streaming manner. Folder redirection can be eliminated when implementing Profile Container because it doesn’t copy the profile back and forth like roaming profile solutions do.

See below how FSLogix relates to the operating system at an architectural level. The agent needs to be installed in the VDI image. After you have done that, two filter drivers are injected into the operating system. By setting various registry (or ADMX) settings, you will be able to place a VHD(x) container on a file system/SMB share location.

If you are interested in the different options to store your Profile Container on Azure-managed storage, as well as the differences between them, make sure to check out the matrix below from this Microsoft Docs article I wrote earlier.

If you’re ready to create your own FSLogix profile containers, get started with one of these tutorials:

Did you know?

    • While migrating apps to a more published apps/RemoteApp approach, you want to have the fastest performance possible when clicking on the icon from the start menu. Profile Container can achieve a stable and consistent logon duration easily due to the filter-driver / block-based technology. This becomes more and more important these days while we are moving more to SaaS apps and want to give our end-users the same experience for the win32 apps (leftovers).
    • It is possible to use Profile and Office Container together to, for example, separate the OneDrive data into a separate container on cheaper and/or different storage locations. This could be beneficial in some use-cases.
    • If you are using Windows 10 Virtual Desktops with Profile Container, you are (in advance) already prepared for Windows 10 Multi-User. Windows 10 Enterprise for Virtual Desktops runs on the same profile version, so you can simply drag and drop Profile Containers to Azure without any migration solution in between!
    • Because the size is not important in terms of performance, Profile Containers are very beneficial for AutoCAD or any other applications that need their data to be stored in the profile.
    • Microsoft entitlements will replace all the FSLogix logos after the GA launch of Azure Virtual Desktop.
    • You can store the Profile Container on every storage location that supports SMB/NFS storage. We also support storing it in Azure Storage blobs with Cloud Cache.
    • Always make sure to remove all the local profiles from your golden image before you start using Profile Container. You’ll get a temporary profile when a local profile already exists on the virtual desktop environment. To overcome this issue, use the registry setting “DeleteLocalProfileWhenVHDShouldApply”, which removes the local profile first before the user logs on (note: this delays the logon process by up to 5 sec.).
    • Profile Container lowers the management effort on your environment and designs due to the performance benefits and decommissioning of folder redirection.
      • Only storage consumption is what matters – that’s a pretty good feeling, right?
    • We will support direct storage of Profile Container and Office 365 Container in Azure Files as well, as a result of the Azure Files NTFS ACLs and classic Active Directory public preview, which is available right now. The huge benefit of this is that you overcome the need for a dedicated fileserver / DFS server or Azure Files endpoint in Azure Infrastructure-As-a-Service (IaaS), which effectively saves you money!

Also, I wrote a previous article on Office 365 ProPlus and Office 2019 challenges. I encourage you to read that article before this one.

VDILIKEAPRO Performance results

We at VDILIKEAPRO did another short performance survey as part of the performance summit in January in the Johan Cruyff Arena in Amsterdam. After slow applications, the majority says that slow logons are still the number 2 problem on their infrastructure – something FSLogix Profile Container can solve…

UPDATE: The 2019 state of the union survey questionnaire is live. Please help us shape the results here: https://www.questionpro.com/t/ANHzkZdzLK

“What’s the most common performance complaint in your infrastructure?”

The User’s logon process demystified

The user’s logon process based on Remote Desktop Services (RDSH) is segmented as the picture below explains. Tuning your environment to create the best user experience possible is always top of mind for IT consultants/architects.

The FSLogix Profile Container product will solve the User Profile part of the logon process. Next to this phase, the Group Policies part can be faster with UEM solutions because they perform all the actions after the initial logon screen of Windows.

Extend your existing profile management solution – Best of both worlds!

So, the million-dollar question is

Can I use it together with existing UEM/Profile Management solutions?

The answer is yes. The good thing about Profile Container is that it runs completely independently of anything else. You simply disable the roaming profile / Profile Management part of your current profile management solution and you’re good to go in leveraging Office 365 services and improving logon duration. That’s basically the only thing that you must do because all the parts will be consolidated into the profile container solution and run separately from the existing UEM/Profile Management solution.

The Group Policies part of the logon process will be solved by UEM products, because the settings, such as drive mappings, will be configured after the initial logon screen of Windows. To make your life a bit easier here, I cover most of the products below – with the required setting to disable first before you start the deployment and configuration of FSLogix Profile Container upon your virtual desktop environments (all the steps are listed below) 😊.

Also, thank you, Carl Stalhood, David Wilkinson and Chris Twiest for the help on gathering the information below.

Note: When you forget to disable/exclude the settings, you’ll cache your profile twice and end up with the same slow performance that you had before the implementation of Profile Container.

See below for yourself how stable and fast Profile Container works.

Citrix Workspace Environment Management (previously Norskale)

Citrix acquired Norskale a couple of years back and included the solution as its own UEM product going by the name Workspace Environment Management (WEM). WEM is just a user configuration management solution without the profile part, so you always need to use it together with Citrix UPM – yes, that’s a roaming profile solution. The good thing about this limitation is that you can simply disable the use of User Profile Management (UPM) and replace it with Profile Container – nothing more than that. Simply disable the – Enable Profile Management – configuration and you’re all set.

VMware User Environment Management (previously Immidio)

VMware also delivers one UEM product as standard with VMware Horizon and Horizon on Azure. The essence of this product is the same as all the others: simplifying the configuration of user settings. It also includes a roaming profile technology similar to Citrix UPM, although VMware UEM creates separate configuration settings per profile location and per application.

To disable the personalization/roaming profile part of VMware User Environment Manager, simply remove all the custom created settings underneath the General – Applications.

Or simply disable the Profiles archives and Profiles archives backup policy from the GPOs.

Ivanti Environment Manager (previously AppSense – Environment Management)

Ivanti Environment Manager is split into 2 parts as well: a user settings / policy configuration part (which you see in the picture below) and a user personalization part. Using Profile Container together with Ivanti EM only requires you to remove the Personalization groups from the User Personalization menu – simply remove them all – so you ensure that no Application personalization or Windows personalization roles are applied and activated.

Ivanti Workspace Control (previously RES Workspace Manager)

It’s relatively simple to exclude the roaming profile management part of Ivanti Workspace Control. Open your Workspace Control Console and open the User Settings menu. The final step is to Disable the – Track User Settings – settings and you are ready to configure Profile Container!

Note: Using Profile Container together with Ivanti Workspace Control right now prepares your environment as well to switch over to Ivanti Environment Management later on with complete Office 365 services support and the logon duration benefits.

FSLogix configuration guidance

The approach of configuring and using FSLogix Profile Container is very simple. It does not require any database or application server. You only need to ensure you are installing on a supported platform. Windows 7/8/10 and Windows Server 2008 R2 and above (32 bit and 64 bit) are supported.

Create the FSLogix network file share

The first requirement for using FSLogix Office Container is to have a Windows File Share up and running. Make sure to set up the NTFS rights correctly as shown in the table below.

Want to use Azure storage blobs for your container storage location? Please visit this article.

Note: The local groups can be replaced with domain groups.

Most of the permissions are special NTFS permissions. Below is an example of how it looks when the settings are set on the FSLogix VHD Location share.

Create the share and set the share permission which can be set to Authenticated Users – Change and Read Control because all the important rights are defined through NTFS permissions.
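As an added example (not from the original article and not Microsoft’s or FSLogix’s own script), the PowerShell below applies one NTFS layout to the container root and then checks it for rights that would let one user open another user’s container. The folder path D:\FSLogixProfiles, the function names and the rule set itself (users may create their own folder, CREATOR OWNER gets Modify on what it creates, administrators and SYSTEM get Full Control) are assumptions, because the permissions table is not reproduced on this page.

```powershell
# Added example: placeholder path and assumed rule set. Run elevated on the file server.
$Root = 'D:\FSLogixProfiles'

function New-FsRule {
    param($Identity, $Rights, $Inherit, $Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

function Set-ContainerRootAcl {
    param([Parameter(Mandatory)][string] $Path)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -LiteralPath $Path

    # Stop inheriting from the parent folder and drop every existing rule,
    # so the result contains only the rules added below.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    # Administrators and SYSTEM: this folder, subfolders and files.
    $acl.AddAccessRule((New-FsRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
    $acl.AddAccessRule((New-FsRule 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
    # The user who creates a profile folder: subfolders and files only.
    $acl.AddAccessRule((New-FsRule 'CREATOR OWNER' 'Modify' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
    # All users: this folder only, enough to create their own folder in the root.
    $acl.AddAccessRule((New-FsRule 'BUILTIN\Users' 'Modify' 'None' 'None'))

    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-ContainerRootAcl {
    param([Parameter(Mandatory)][string] $Path)

    # Principals allowed to hold rights that flow down into the per-user folders.
    # Add your domain admin group here if you replaced the local groups.
    $trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'

    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceFlags -ne 'None' -and
        $trusted -notcontains $_.IdentityReference.Value
    } | ForEach-Object {
        '{0} holds {1} that is inherited by child objects; every member can reach other users'' containers' -f `
            $_.IdentityReference.Value, $_.FileSystemRights
    }
}

Set-ContainerRootAcl -Path $Root
Test-ContainerRootAcl -Path $Root
```

No output from Test-ContainerRootAcl means no broad inherited rule was found; run it again after any manual change to the share.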


Install the FSLogix Apps client

Install the FSLogix Agent in the Golden Image of your VDI environment. The distribution zip file contains 32- and 64-bit versions of FSLogixAppsSetup.exe.

FSLogix is available for download here

Choose the appropriate installer for your platform.

Install the FSLogix agent in the master image, also called the golden image, of your VDI environment.

Screenshot of click through license

Wait for the installation to be finished…

Screenshot of progress screen

Configure the FSLogix Profile Container

The configuration part of FSLogix Profile Container can be performed in either registry settings or group policy files. The most simple and effective method is using the registry settings below.

Open regedit.exe and browse to “HKEY_LOCAL_MACHINE\Software\FSLogix\Profiles”

Create a REG_SZ value named “VHDLocations” and enter the earlier created network file share path where the VHDX container files will be created.

Note: This path can be a local path or a UNC path, e.g. \\ServerName\share. Ensure that the user you will be testing has the correct permissions as provided earlier in the document for the specified path. The user will need to be able to create files and folders.

The most important settings for the usage of FSLogix Profile Container are the Enabled and VHDLocations registry settings.
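The same steps as a script, followed by a check that can run in the golden image before it is sealed; this is an added example, not part of the original article or of the FSLogix tooling. The share path \\fs01.example.test\fslogix-profiles and the function names are placeholders, and the DWORD type for Enabled and DeleteLocalProfileWhenVHDShouldApply is an assumption the page does not state.

```powershell
# Added example; the share path passed at the bottom is a placeholder.
$FslKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'

function Set-ProfileContainerConfig {
    param(
        [Parameter(Mandatory)][string] $VhdLocation,
        [switch] $DeleteLocalProfile
    )
    if (-not (Test-Path $FslKey)) { New-Item -Path $FslKey -Force | Out-Null }

    # REG_SZ, as described in the text above.
    New-ItemProperty -Path $FslKey -Name 'VHDLocations' -PropertyType String `
        -Value $VhdLocation -Force | Out-Null
    New-ItemProperty -Path $FslKey -Name 'Enabled' -PropertyType DWord `
        -Value 1 -Force | Out-Null
    if ($DeleteLocalProfile) {
        New-ItemProperty -Path $FslKey -Name 'DeleteLocalProfileWhenVHDShouldApply' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-ProfileContainerConfig {
    $findings = @()
    $cfg = Get-ItemProperty -Path $FslKey -ErrorAction SilentlyContinue
    if (-not $cfg) { return "Key $FslKey is missing: the agent is not configured" }

    if ($cfg.Enabled -ne 1) {
        $findings += 'Enabled is not 1: no container will be attached at logon'
    }

    # VHDLocations may hold one string or several; drop empty entries.
    $locations = @($cfg.VHDLocations | Where-Object { $_ })
    if ($locations.Count -eq 0) { $findings += 'VHDLocations is empty' }
    foreach ($loc in $locations) {
        if ($loc -notmatch '^\\\\[^\\]+\\[^\\]+') {
            $findings += "'$loc' is a local path: containers stay on this machine"
        } elseif (-not (Test-Path -LiteralPath $loc)) {
            $findings += "'$loc' is not reachable from this machine"
        }
    }

    # A leftover local profile leads to a temporary profile unless the agent
    # is told to delete it first.
    if ($cfg.DeleteLocalProfileWhenVHDShouldApply -ne 1) {
        foreach ($p in (Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special })) {
            $findings += "Local profile $($p.LocalPath) exists and DeleteLocalProfileWhenVHDShouldApply is not 1"
        }
    }
    $findings
}

Set-ProfileContainerConfig -VhdLocation '\\fs01.example.test\fslogix-profiles' -DeleteLocalProfile
Test-ProfileContainerConfig
```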

Configure the FSLogix Profile Container with Group Policy

The ADMX and ADML files are included in the distribution agent zip file. Upload the .ADMX and ADML to the Policy Definitions location of Windows.

Browse to Computer Configuration | Administrative Templates | FSLogix | Profile Container

You can find all the settings for FSLogix Profile Container here as well.

https://docs.fslogix.com/display/20170529/Group+Policy+Template+Files

Other advanced settings here

https://docs.fslogix.com/display/20170529/FSLogix+Profiles+Configuration+Settings

Include or Exclude FSLogix Users from assignment

There might be situations when you only want to act and provide FSLogix Profile Container for a certain number of users. This can be accomplished by adding a pre-created Active Directory Group to the local PROFILE Include Group. You can find the group on every virtual machine where FSLogix is installed. You can use the exclude group to exclude users or administrators from the Container creation process as well.

Note: Make sure to remove the local everyone group from the ODFC Profile Include list Group as we don’t use this solution right now.

Configure and activate Windows Search

Roaming the Windows Search database means that Windows Search is available immediately after logon and no re-indexing needs to take place.

Note: If you’re using Windows 10 Enterprise for Virtual Desktop, also known as Windows 10 Multi-User, the Windows Search service is running by default as part of the marketplace image rollout.

To enable the Windows Search database roaming to be saved in the Profile Container, set ‘RoamSearch’ to value ‘1’ or ‘2’, as documented in the table below, in registry locations HKLM\SOFTWARE\Policies\FSLogix\Profiles and HKLM\SOFTWARE\FSLogix\Apps.

Single user are desktop operating systems, such as Windows 7/8/10.

Multiuser are server operating systems, such as Windows Server 2008 R2 and above.

Make sure to enable the Windows Search service in the golden image of your virtual desktop environment. There are different ways to do that, and I recommend the following approaches when using different operating systems.

Note: If Microsoft Office ProPlus was installed before Windows Search was activated, it needs to be repaired once, because Microsoft Office registers itself into the search database at the moment of installation.

Windows 7/8/8.1/10

Client operating systems are simple enough: the Windows Search service simply needs to be running and set to Automatic start. This configuration is for Single User search only.

Windows Server 2008 R2

This operating system does not support Windows Search roaming.

Windows Server 2012 R2

You need to install the “feature” to enable the “service”. Without the feature, the service doesn’t exist. The two are one and the same on this OS.

Install the “feature”, and the “Windows Search” service

Windows Server 2016 and above

Only enable the Windows Search service. There is no need to activate the Windows Search service feature in the Server Manager console. The Windows Search service needs to be set to Manual; it will auto-start when you do a search in Outlook.

Concurrent User Sessions

In many environments, it is desirable that the user have concurrent access to their Profile Container, or, in other words, have their PROFILE VHD attached to several computers at the same time.

The way PROFILE Container uses difference disks is controlled via the “ProfileType” setting.

Mode ‘3’ should be used when the Profile Container is being used with Outlook Cached Exchange mode together with the ConcurrentUserSessions registry setting.

Registry location: HKLM\SOFTWARE\FSLogix\Profiles

Some additional notes on concurrent access

    • RO difference disks are stored in the local temp directory and are named %usersid%_RO.VHD(X).
    • The RW difference disk is stored on the network next to the parent VHD(X) file and is named RW.VHD(X).
    • The merge operation can be safely interrupted and continued. If one client begins the merge operation and is interrupted (e.g. powered off), another client can safely continue and complete the merge. This is why both the RW and RO clients begin by attempting a merge of the RW.VHD(X).
    • Merge operations on an ReFS file system (where the difference disk and the parent are on the same ReFS volume) are nearly instantaneous no matter how big the difference disk is.
    • Merge operations can only be done if there are no open handles to either the difference disk or the parent VHD(X). This is why the RO client also attempts to merge the RW.VHD(X). It may be the last session to disconnect.

Controlling the Content of the Profile Container

By default the Profile Container will contain the entire Windows Profile for the user, except for the TEMP (TMP) folder location and the IE Cache folder location. The Windows user profile is comprised of the contents of a specific folder location and some registry information. Typically this folder location is something like, “C:\Users\<username>”.

If desired, the admin can specify that certain parts of the user profile not be persisted in the Profile Container and that they be deleted on user logoff. This is done by deploying a redirections.xml which instructs the FSLogix agent to redirect specific folders out of the Container and into the local C: drive where they are removed on user logoff.

When a user logs on and a FSLogix Profile container is connected and used by that user, you will see two additional folders in the C:\Users directory: a “<username>” folder (or some variation) and a “local_<username>” folder. The “<username>” folder is really a link into the Profile Container. At user logoff, the <username> redirect will disappear and the “local_<username>” folder is lazily deleted by the FSLogix service.

The redirections.xml file is used to control what folders are redirected out of the Profile Container to the C: drive. It can also optionally sync the contents of these folders to and from the Profile Container at user logoff and logon respectively.

The basic structure of the redirections.xml document is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="###VALUE###">
  <Excludes>
    <Exclude Copy="###VALUE###">AppData\Low\FolderToDiscard</Exclude>
    <Exclude>… another exclude folders… </Exclude>
  </Excludes>
  <Includes>
    <Include>AppData\Low\FolderToDiscard\FolderToKeep</Include>
    <Include>… another include folders… </Include>
  </Includes>
</FrxProfileFolderRedirection>

Folders are relative to the user profile root (That’s why “AppData” is shown in this example).

You can put any number of entries inside the Includes and Excludes tags. See below an example for Google Chrome folder directories.

The redirections.xml file is processed at user logon. If the file is updated while the user is logged on, the changes will be reflected at the next logon.
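Because a mistake in redirections.xml only shows up at the next logon, it helps to check the file before deploying it. The function below is an added example (not from the original article or from FSLogix): it flags entries that are not relative to the profile root, “..” segments, Copy values outside 0 to 3, and Include entries that do not sit below any Exclude. The function name, the sample document with its Chrome cache folder, and the assumption that Copy accepts only 0, 1, 2 or 3 are constructed for illustration.

```powershell
# Added example. The sample document is constructed, with deliberate mistakes in it.
$SampleXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="0">
  <Excludes>
    <Exclude Copy="0">AppData\Local\Google\Chrome\User Data\Default\Cache</Exclude>
    <Exclude Copy="7">C:\Users\Public\Scratch</Exclude>
    <Exclude>AppData\Low\FolderToDiscard</Exclude>
  </Excludes>
  <Includes>
    <Include>AppData\Low\FolderToDiscard\FolderToKeep</Include>
    <Include>AppData\Roaming\..\Local\Temp</Include>
  </Includes>
</FrxProfileFolderRedirection>
'@

function Test-RedirectionsXml {
    param([Parameter(Mandatory)][string] $Xml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null       # never fetch external DTDs or entities
    $doc.LoadXml($Xml)             # throws on malformed XML
    $root = $doc.DocumentElement
    $issues = New-Object 'System.Collections.Generic.List[string]'

    if ($root.LocalName -ne 'FrxProfileFolderRedirection') {
        $issues.Add("Unexpected root element <$($root.LocalName)>")
        return $issues
    }

    $excluded = @()
    foreach ($node in $root.SelectNodes('Excludes/Exclude | Includes/Include')) {
        $kind = $node.LocalName
        $path = $node.InnerText.Trim().TrimEnd('\')

        # Folders are relative to the user profile root: no drive letter,
        # no leading backslash, no environment variables.
        if ($path -match '^(?:[A-Za-z]:|\\)' -or $path -match '%') {
            $issues.Add("${kind}: '$path' is not relative to the profile root")
        }
        if (($path -split '\\') -contains '..') {
            $issues.Add("${kind}: '$path' contains a '..' segment")
        }
        if ($kind -eq 'Exclude') {
            $excluded += $path
            if ($node.HasAttribute('Copy') -and $node.GetAttribute('Copy') -notmatch '^[0-3]$') {
                $issues.Add("Exclude: '$path' has Copy=""$($node.GetAttribute('Copy'))"", expected 0 to 3")
            }
        }
    }

    # An Include keeps a subfolder of an excluded folder inside the container,
    # so it has to sit below one of the Exclude entries.
    foreach ($node in $root.SelectNodes('Includes/Include')) {
        $path = $node.InnerText.Trim().TrimEnd('\')
        $parent = $excluded | Where-Object {
            $path.StartsWith(($_ + '\'), [System.StringComparison]::OrdinalIgnoreCase)
        }
        if (-not $parent) {
            $issues.Add("Include: '$path' is not below any Exclude entry")
        }
    }
    return $issues
}

Test-RedirectionsXml -Xml $SampleXml
```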

More information can be found here.

FSLogix Advanced Container Sizing Settings

The following settings are optional. The first setting lets you expand the Profile Container to a larger size than the default 30 GB. Know that the container is dynamically expandable, so it does not allocate all the space at creation.

The second setting lets you choose between VHD and VHDX. VHDX gives you more management options with PowerShell than VHD. Server 2008 R2 and Windows 7 are only supported with VHD.

Note: There are more advanced settings that can be applied to FSLogix. We did not include them in this document due to the primary focus on using Exchange Online with Search on virtual desktop environments.

Registry location: HKLM\SOFTWARE\FSLogix\Profiles

I hope this helps to have a better understanding of how FSLogix/Microsoft Profiles operates.

Hope to see you back soon – and feel free to leave a comment if you’ve any questions.

Cheers,

Christiaan Brinkhoff