In this chapter, we take more of an in-depth look at FSLogix and the benefits associated with it. First, in Chapter 5, Implementing and Managing Storage for Azure Virtual Desktop, we covered some of the planning requirements for FSLogix and storage, and now we move on to the implementation and management of FSLogix.
FSLogix profile containers enable you to roam user data between computing session hosts. This allows you to remove the user's dependency on a specific device. The benefits of this include the fact that the user's sign-in times are minimized as they don't have to create a new profile with each logo, along with providing the flexibility of connecting to different business desktops/remote apps with the same user profile experience.
To summarize how FSLogix works, it uses both a filesystem driver and a registry filter driver, which handles any filesystem or registry requests that allow the user profiles to be redirected.
Here are the topics that will be covered in this chapter:
The following conceptional architecture diagram shows how FSLogix works within the Windows operating system:
The preceding architecture diagram shows how the FSLogix filter driver sits within an operating system and some of the services it redirects. The diagram depicts the redirection of user data using filter drivers to a remote storage solution.
Now, let's take a brief look at the license requirements for FSLogix profile containers.
To use FSLogix profile containers, you must have one of the following licenses:
You will note that these license requirements are the same as those for accessing the Azure Virtual Desktop service.
Let's now take a quick look at the key capabilities of FSLogix profile containers.
We now take a look at the key capabilities/benefits of using FSLogix profile containers:
Now that we have covered the basics of what FSLogix is, let's take a look at installing the FSLogix components for profile containers.
In this section, I will provide instructions on how to download and install FSLogix.
Before we get started, I want to set out the steps for deploying FSLogix profile containers at a high level. The following diagram shows the steps for configuring FSLogix profile containers:
As you can see, in the following two sections, FSLogix installation and configuration and Configuring profile containers, we will look at the four areas of deployment set out in the preceding diagram. You may want to refer back to this to ensure that you have configured all the required steps.
Important Note
To obtain the latest copy of FSLogix, you can download it from the following link: https://aka.ms/fslogix/download.
To configure both profile containers and office containers, you must download and install FSLogix Apps on the session host. FSLogix Apps install all the required core drivers and components for FSLogix to work.
Tip
When using the Azure Marketplace templates, FSLogix will come preinstalled on the Windows 10 Multi-Session + Microsoft 365 app image template.
Once you have downloaded and unzipped the files, follow these steps:
You should now see the FSLogix files within the Program Files directory.
Tip
To install silently, use the following switches: "C: empFslogixWin32ReleaseFSLogixAppsSetup.exe" /install /quite /norestart.
We now move on to configuring the required antivirus exclusions for FSLogix profile containers.
This section looks at the required antivirus file and process exclusions as are necessary for FSLogix. Even if you are using Microsoft Defender Antivirus, it is recommended that you configure the recommended exclusions.
The following table shows the files, processes, and Cloud Cache file exclusions you should configure in your Azure Virtual Desktop environment:
The following script can be used to configure your template image with the required exclusions for FSLogix profile containers. You will note that this particular script is for Microsoft Defender. The script essentially adds exclusions for the profile container virtual disks, both VHD and VHDX:
# A140 FSLOGIX AV Exc
#Defender Exclusions for FSLogix
$Cloudcache = $false # Ensure you Set for true if using cloud cache
$StorageAcct = "
storageacct" # Enter a Storage Account Name
$filelist = ' # Files to be excluded
"%ProgramFiles%FSLogixAppsfrxdrv.sys", '
"%ProgramFiles%FSLogixAppsfrxdrvvt.sys", '
"%ProgramFiles%FSLogixAppsfrxccd.sys", '
"%TEMP%*.VHD", '
"%TEMP%*.VHDX", '
"%Windir%TEMP*.VHD", '
"%Windir%TEMP*.VHDX", '
"\$Storageacct.file.core.windows.netshare*.VHD", '
"\$Storageacct.file.core.windows.netshare*.VHDX"
$processlist = ' # processes to be excluded
"%ProgramFiles%FSLogixAppsfrxccd.exe", '
"%ProgramFiles%FSLogixAppsfrxccds.exe", '
"%ProgramFiles%FSLogixAppsfrxsvc.exe"
Foreach($item in $filelist){
Add-MpPreference -ExclusionPath $item}
Foreach($item in $processlist){
Add-MpPreference -ExclusionProcess $item}
If ($Cloudcache){
Add-MpPreference -ExclusionPath "%ProgramData%FSLogixCache*.VHD"
Add-MpPreference -ExclusionPath "%ProgramData%FSLogixCache*.VHDX"
Add-MpPreference -ExclusionPath "%ProgramData%FSLogixProxy*.VHD"
Add-MpPreference -ExclusionPath "%ProgramData%FSLogixProxy*.VHDX"}
Now that we have installed FSLogix on the session host/session host template, we can proceed with configuring profile containers.
In this section, we run through the configuration of FSLogix profile containers. The configuration of profile containers to redirect user profiles is relatively straightforward as this consists of several registry settings you can add to the master image template or roll out using group policy.
The two areas we will look at are the configuration of the storage location and the setup of the Include and Exclude user groups.
Important Note
Ensure that you exclude your VHD(X) files from any antivirus software.
Before you can configure group policy, you need to ensure that the FSLogix adm/admx files are copied into the correct policy definition folder or central store. These files can be found in the downloaded ZIP archive I showed in the previous section.
Once FSLogix is added to the PolicyDefinitions folder/Group Policy Central Store, you will see the folder appear within Computer Configuration | Administrative Templates | FSLogix.
Two required settings must be applied for FSLogix profile containers to work. These are (1) the setting to enable profile containers, and (2) specifying the VHDLocations storage location.
To configure these, perform the following steps:
Tip
It is recommended that you use Azure Files for smaller deployments and Azure NetApp Files for enterprise FSLogix deployments.
Let's now take a look at configuring this using the registry rather than group policy.
You can also configure FSLogix profile containers within the registry. You do this by enabling FSLogix profile containers and setting the path configuration settings with the following registry path: HKLMSOFTWAREFSLogixProfiles.
The following table lists the two mandatory settings that must be configured for FSLogix Profile Containers to work:
The table is taken from the Microsoft documentation: https://docs.microsoft.com/en-us/fslogix/configure-profile-container-tutorial#configure-profile-container-registry-settings.
The following screenshot shows you what the configuration looks like within the registry:
This configures the basics for getting started with FSLogix profile containers.
We will now take a look at FSLogix Profile Exclude and Include Lists.
Important Note
By default, the Everyone group is added to the FSLogix Profile Include List group.
When configuring profile containers, you need to consider the local administrators and other user accounts that should remain as local profiles. The way to do this is to enter users or groups into the FSLogix Profile Exclude List.
You can do this by navigating to Local Users and Groups > Select Groups, and you will see the FSLogix Profile Exclude List group. Within this group, add the users and groups you would like to exclude.
There may be cases where you want to remove everyone's configuration from the Include List; however, this does not need to be changed in most deployments.
The following table details the permissions you should configure on the storage for FSLogix profile containers.
In the next section, we take a look at Cloud Cache and its benefits.
Cloud Cache is a technology (a part of FSLogix) that enables you to use multiple remote locations continually updated during the user session. One of the use cases for Cloud Cache is disaster recovery and business continuity as it provides real-time, active-active redundancy for a profile container.
If the main or a storage provider becomes unavailable, Cloud Cache will continue to function/operate with the other storage providers. If an unavailable storage provider becomes available within the user session, it will be updated with the local cache. If the provider does not become available until after the user has signed out of their session, then the storage provider will be updated during the next session.
Important Note
When using Cloud Cache, all profile data writes go through the local cache first, and then the remote storage locations.
It is important to note that configuring Cloud Cache differs from configuring the typical FSLogix profile containers. The settings are configured in the same way as in the group policy or registry; however, you need to ensure that you remove any settings in the VHDLocations policy as Cloud Cache uses CCDLocations.
You should also note that the value when configuring Cloud Cache is also different to profile containers. Instead of entering the UNC path, you will need to use the value described below. Finally, you will note that I have detailed both SMB shares and the use of Azure Page Blob storage.
Important Note
To use Azure Blob storage, you must generate an access key within the chosen Azure storage account.
We now take a closer look at configuring Cloud Cache and the associated steps.
The following diagram shows the steps for configuring Cloud Cache; you will note that the diagram covers all the bases for existing FSLogix profile container implementations and greenfield deployments.
We will skip the installation step as this was shown in the previous, Installing and configuring FSLogix section.
To configure Cloud Cache, we need to enable and configure the group policy object Cloud Cache Locations:
You can also configure this using the registry on the Image template by using the following:
The preceding table was taken from the following Microsoft page:
As shown in the following screenshot, you can see that CCDLocations has been set with the storage provider locations, and that FSLogix is enabled:
Note
There are several additional configurations for FSLogix Cloud Cache; however, they are not covered within this book.
In this section, we looked at how to configure Cloud Cache for user profile roaming. In the next section, we will take a look at Microsoft Teams exclusions for FSLogix.
Microsoft Teams has a caching folder that can cause bloat on your user profile disk. The following details show how you can set an exclusion using an XML file to prevent both the media stack folder and meeting-addinCache from being stored in the profile container.
You first need to create an XML file with the required exclusions; you can do this using notepad.exe or another text editing tool. You then enter the required exclusions:
The XML file should look something like the following example:
?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="0">
<Excludes>
<Exclude Copy="0">AppDataRoamingMicrosoftTeamsmedia-stack</Exclude>
<Exclude Copy="0">AppDataRoamingMicrosoftTeamsmeeting-addinCache</Exclude>
</Excludes>
</FrxProfileFolderRedirection>
You may have noticed from the preceding example that the exclude is configured with Copy=" 0". This means that no files are copied in or out.
You can configure other redirection values:
Once you have configured your XML file, you need to save and store this. The session host needs to access the redirection file from a folder share. In this example, I have configured the local C:RedirectFiles directory; however, you may wish to use the Active Directory NETLOGIN share.
To configure FSLogix to use the redirection file, you will need to follow the steps listed here:
There you have it. We have configured redirection exclusions for Microsoft Teams.
To configure via the registry, enter the following values:
You need to create a registry string value as detailed in the preceding table under the following registry path: ComputerHKLMSOFTWAREFSLogixProfiles.
The following screenshot shows how this should look once you have added the registry value:
You can now test to see whether redirection is working for your FSLogix roaming profile users.
For more information on setting up Azure Files, please refer to Chapter 5, Implementing and Managing Storage for Windows Virtual Desktop.
You can also read more from Microsoft's site here: https://docs.microsoft.com/en-us/azure/virtual-desktop/fslogix-containers-azure-files.
This short section details the best practices for enterprises. There are a few settings you can apply to your FSLogix deployment to improve management and the cleanup of profiles.
The following table shows some of the best practice settings when configuring FSLogix profile containers within an enterprise:
In this section, we briefly took a look at some of the best practices/recommended configurations you should apply when configuring FSLogix profile containers.
In this chapter, we ran through the implementation of FSLogix profile containers and Cloud Cache. First, we started with the basics of installing the software on a session host and the configuration of antivirus exclusions, and then we moved on to what is required to set up profile containers. We then discussed the need to remove the profile containers' VHDLocation path when configuring Cloud Cache and some of your other options. We then took a look at creating profile exclusions for Microsoft Teams and finished off the chapter by looking at a few enterprise best practices you can configure for FSLogix.
In the next chapter, we will take a look at configuring user experience settings. We will talk about Universal Print, group policy configurations, and troubleshooting both user profile issues and Azure Virtual Desktop clients.