In this chapter, you will learn about FSLogix, which is used to store user profiles on remote storage. It is important to understand the FSLogix options so that you can select an appropriate option for your requirements. In this chapter, you will be planning, installing, and configuring FSLogix for pooled desktops and all the profile options such as containers and cloud caches to store the user profile on remote storage.
User profile storage is important in a pooled desktop, because user sessions can go to any back-end session host (Azure VM) based on the load balancing set on a pooled desktop; therefore, user profiles need to be stored on remote storage so that the user can get the same profile/desktop experience on any session host.
Let’s get started with planning FSLogix for Azure Virtual Desktop (AVD).
Plan for FSLogix
FSLogix enhances and simplifies nonpersistent Windows computing environments. AVD recommends FSLogix profile containers as a user profile solution. FSLogix is designed to roam user profiles in Azure Virtual Desktop by storing a complete user profile in a single container on remote storage. A user profile contains data elements about an individual, including configuration information such as desktop settings, persistent network connections, and application settings. At the time of user sign-in, this container dynamically gets attached to the Azure Virtual Desktop session host using a natively supported virtual hard disk (VHD) and Hyper-V virtual hard disk (VHDX). The user profile is immediately available and appears in the system exactly like a native user profile at the time of sign-in.
FSLogix remote user profile on Azure storage
User profiles can be copied to and from the network when a user signs in and out of AVD, but user profiles can often be large, and sign-in and sign-out times often became unacceptable due to coping profiles to network storage. That’s where FSLogix helps to redirect a profile instead of copying it from the network. FSLogix containers redirect user profiles to a network location, and user profiles are placed in VHDx files so that they can easily be mounted at runtime/sign-in time. Mounting and using a profile on the network eliminates the delays often associated with solutions that copy files.
Are Multiple User Profile Connections Possible?
Having concurrent or multiple connections to user profiles means the user is connected to multiple hosts/sessions and using the same user profile stored on remote storage. Concurrent or multiple connections are not recommended in Azure Virtual Desktop, because they may result in temp profiles on a concurrent session and lead to data loss. The best practice is to create a different user profile storage for each host pool. Users cannot have concurrent sessions on the same host pool, so you can use only one profile storage per host pool.
Profile Storage Performance Requirements
FSLogix depends on the storage type used for the user profile VHDx files, as well as on the host pool location and storage location.
Profile storage IOPS needs to be considered and calculated properly for all users while selecting profile storage. For example, you may need around 1,000 input/output operations per second (IOPS) for 100 users, and around 5,000 IOPS during sign-in and sign-out. If you increase the number of users or if many users log in during a short period of time creating a log-in storm, then it will impact the Azure Virtual Desktop performance.
Storage Options for FSLogix Profile Containers
Azure offers multiple storage solutions that you can use to store your FSLogix user profile container. Azure recommends storing FSLogix profile containers on Azure Files or Azure NetApp Files for most customer scenarios. Check Chapter 3 for the difference between Azure Files and Azure NetApp Files before you select the profile storage solution for your organization.
Azure NetApp Files has been proven to be a great managed storage solution for FSLogix user profiles and Azure Virtual Desktop. The low latency and high amount of IOPS is a great combination for enterprises at scale.
Azure File Share Best Practices for Pooled User Profile Storage
FSLogix user profile storage best practices (profile storage per host pool)
The Azure Files storage account must be in the same region (and data center) as the session host VMs.
Azure Virtual Desktop users must have the minimum Storage File Data SMB Share Contributor permissions on Azure Files (refer to Chapter 5 for details).
Each session host from the same host pool must be built of the same type, size, and master image.
Exclude the VHD(x) files for profile containers from antivirus scanning to avoid performance bottlenecks.
Separate the user profile storage per host pool, while having two active sessions.
Install and Configure FSLogix
- 1.
Log in to the Azure portal and click “Create a resource” to create a new VM. See Figure 6-3.
FSLogix installation, image VM creation
- 2.
Click Compute and then select “Virtual machine.” See Figure 6-4.
FSLogix installation, image VM creation- select resource type
- 3.
Select a subscription and resource group where you create an image and enter all the information such as the VM name and region. Select an image for the Windows 10 enterprise multisession. See Figure 6-5.
FSLogix installation, image VM creation page- virtual machine information
- 4.
On the same page, select the size and enter a username and password for the VM. See Figure 6-6.
FSLogix installation, image VM creation page 2
- 5.
Select the inbound port to 3389, which is required for you to connect to the VM and install FSLogix. Select the Licensing checkbox and click the Next button. See Figure 6-7.
FSLogix installation, image VM creation, NSG tab
- 6.
On the Disks page, select the HDD type and click Next. See Figure 6-8.
FSLogix installation, image VM creation, Disks tab
- 7.
On the Networking tab, select the existing VNet or subnet or create a new VNet in case you want to keep the image in an isolated environment. Click the Next button. See Figure 6-9.
FSLogix installation, image VM creation, Networking tab
- 8.
On the Management tab, deselect “Enable auto-shutdown” so that the VM will not shut down during the image creation process. Keep the auto updates enabled so that the image will have all the updates installed. Click Next once you’re done with all the changes. See Figure 6-10.
FSLogix installation, image VM creation, Management tab
- 9.
You can keep the default values on the Advanced tab and click the Next button. See Figure 6-11.
FSLogix installation, image VM creation, Advanced tab
- 10.
Add tags on the Tags tab and click the Next button. See Figure 6-12.
FSLogix installation, image VM creation, Tags tab
- 11.
Click “Review + create” and then after validation click the Create button. See Figure 6-13.
FSLogix installation, image VM creation, Review + create tab
- 12.
Once the VM is ready, then go to the Overview page and click the Connect button at the top. See Figure 6-14.
FSLogix installation, image VM, Overview page
- 13.
Since we have not created a public IP for the image VM, you must use Bastion to connect to the VM. Once you click Bastion, it will ask for the VM credentials and connect to the VM. If Bastion is not enabled on the VM/VNet, then it will prompt you to create a Bastion subnet and enable it. See Figure 6-15.
FSLogix installation, image VM, Connect menu
- 14.
Enter the Bastion credentials and click the Connect button. See Figure 6-16.
FSLogix installation, image VM connect, credentials
- 15.
You will be able to see the Windows 10 multisession login screen. See Figure 6-17.
FSLogix installation, image VM login screen
- 16.
Windows 10 multisession comes with FSLogix pre-installed, so please verify if FSLogix is already there in the VM, before you proceed further with download and installation of FSLogix. Now open your favorite browser and download FSLogix from https://aka.ms/fslogix/download.
- 17.
Extract the downloaded ZIP file and open the connect setup file from the subfolders. If you are using a 64-bit system, then go to the x64 folder and run the FSLogixAppSetup.exe file. See Figure 6-18.
FSLogix installation, FSLogix download
- 18.
Once you run the FSLogix EXE file, you will be able to see the setup screen, select the license and condition checkbox, and click the Install button. See Figure 6-19.
FSLogix setup
- 19.
Wait for setup to complete. See Figure 6-20.
FSLogix setup status
- 20.
Restart the VM after setup. See Figure 6-21.
FSLogix restart
- 21.
The next step would be to configure the FSLogix profile container registry once you are done with the setup and VM reboot.
Configure Profile Containers
First let’s understand what the FSLogix profile container is, and then we will see the steps to configure it. The profile container is a fully remote profile solution for nonpersistent environments like pooled virtual desktops; it allows you to store the user profile on remote storage. The profile container redirects the entire user profile to a remote location like an Azure file share or NetApp. The profile container configuration defines how and where the profile is redirected.
It’s recommended that you use dedicated storage for each host pool, so you must decide if you want to set up this FSLogix container setting in the image or use GPO for it. If you set up the FSLogix profile container setting inside the image, then you need different images for each host pool as the image will have the storage information in the container registry. You can always also use GPO to deploy the settings after creating the host pool and the session host and use a single image for all host pools.
Additionally, you also must decide if you want to store the user profile to single storage or want multiple copies of the user profile in the case of DR. If you want a user profile copy in a DR region, then you can go with the cloud cache instead of the profile container.
The following are the major differences between the FSLogix VHDLocation and the cloud cache.
VHDLocation vs. the Cloud Cache
There are two ways to define the profile locations in FSLogix for Azure Virtual Desktop. The first is the traditional SMB share path, which allows you to write to effectively any represented SMB share including a Windows file share and Azure storage file share. If you use the VHDLocation setting for the Azure Virtual Desktop pooled user profile, then there will be only one active profile location. FSLogix does not limit you to defining one location in the VHDLocation registry; however, only one location based on the order defined in registry and the location which is reachable and readable will be considered as active.
The second option is the FSLogix cloud cache, which provides the active profile locations. The cloud cache allows you to define multiple profile storage locations including an SMB share and an Azure blob at the same time. All the locations mentioned in the registry will be updated if there are changes in the profile data, and it’s a better option if you want to consider DR for the primary region.
If the profile container is the option you want to go with, then follow the next steps to configure the profile container settings in the image or go to the “Configure the Cloud Cache” section.
Configure the Profile Container Registry Settings
The profile container can be enabled through the registry settings and FSLogix user groups. As you have learned, the registry settings may be managed manually inside the image or manually on each session host or with GPOs, and you can make the decision based on your requirements. It is always recommended to automate the profile registry by GPO or image creation to avoid typing mistakes. The configuration settings for the profile container are set in HKLMSOFTWAREFSLogixProfiles on each VM inside the same host pool.
FSLogix User Profile Container Registry Setting
Value | Type | Configured Value | Description |
|---|---|---|---|
Enabled (required setting) | DWORD | 1 | 0: Profile containers disabled. 1: Profile containers enabled. |
VHDLocations (required setting) | MULTI_SZ or REG_SZ | A list of file system locations to search for the user’s profile VHD(X) file. If one isn’t found, one will be created in the first listed location. |
Adding a Profile Container Registry Key
- 1.
You have to get the Azure file share path from the storage account we created for the user profile before you add the registry key. Let’s go to the user profile storage account and click “+File share.” See Figure 6-22.
FSLogix container registry, getting the storage file share
- 2.
Click the three dots in front of the file share and click Connect. See Figure 6-23.
FSLogix container registry, getting the storage file share, step 2
- 3.
Copy the storage account path from the Connect pop-up, as shown in Figure 6-24.
FSLogix container registry, getting the storage file share, step 3
VHDLocation Registry Key
Value | Type | Configured Value | Description |
|---|---|---|---|
Enabled (required setting) | DWORD | 1 | 0: Profile containers disabled. 1: Profile containers enabled. |
VHDLocations (required setting) | MULTI_SZ or REG_SZ | A list of file system locations to search for the user’s profile VHD(x) file. If one isn’t found, one will be created in the first listed location. |
FSLogix container registry, VHDlocation registry key
- 5.
You can also look at additional registry keys in Table 6-3 and add them in case you want them based on the organization requirements.
VHDLocation All Extra Registry Keys
Value | Type | Configured Value | Description |
|---|---|---|---|
DeleteLocalProfileWhenVHDShouldApply | DWORD | 0 | 0: No deletion. 1: Delete local profile if it exists and matches the profile being loaded from the VHD. |
FlipFlopProfileDirectoryName | DWORD | 0 | When set to 1, the SID folder is created as "%username%%sid%" instead of the default "%sid%%username%". This setting has the same effect as the setting SIDDirNamePattern = "%username%%sid%" and SIDDirNameMatch = "%username%%sid%". |
PreventLoginWithFailure | DWORD | 0 | If set to 1, the profile container will load FRXShell if there’s a failure attaching to or using an existing profile VHD(x). The user will receive the FRXShell prompt (default prompt to call support), and the users’ only option will be to sign out. |
PreventLoginWithTempProfile | DWORD | 0 | If set to 1, the profile container will load FRXShell if it’s determined a temp profile has been created. The user will receive the FRXShell prompt (default prompt to call support), and the users’ only option will be to sign out. |
Optional Registry Settings for Profile Container
Table 6-3 shows the addition registry keys.
Can User Groups Be Included and Excluded in FSLogix?
FSLogix container registry, profile exclude list
FSLogix container registry, default profile include list
FSLogix container registry, modifying profile include list
Adding a user to the FSLogix Profile Exclude List group means that the FSLogix agent will not create FSLogix remote user profile (profile container) for the user and the user profile remains locally. Exclude takes priority in case the user is a member of both the exclude and include groups.
FSLogix container registry, modifying the profile exclude list
Once both the mandatory registry keys are added to all the VMs in the pool, then users can log in with the user ID that is part of the include group and also have permission on the file share and verify whether the profile is on the Azure storage file share.
What Are the Possible Scenarios with the Profile Container?
These are the options:
FSLogix, single SMB share with FSLogix
FSLogix, DFS SMB share with FSLogix
FSLogix, multiple SMB share with FSLogix
Configure the Cloud Cache
In this section, you’ll learn how to configure the cloud cache.
What Is the Cloud Cache?
The cloud cache is an alternative to the profile container, and it also provides some additional functionality to the profile container. The cloud cache uses a local profile to service all reads from a redirected profile or office container, after the first read. The cloud cache also allows the use of multiple remote locations, which are all continually updated during the user session. Using the cloud cache can insulate users from short-term loss of connectivity to remote profile containers. The cloud cache can also provide a real-time, “active-active” redundancy for the profile container and office container.
It’s important to understand that, even with cloud cache, all initial reads are accomplished from the redirected location. Likewise, all writes occur to all remote storage locations, although writes go to the local cache file first.
The cloud cache doesn’t improve the users’ sign-on and sign-out experience when using poorly performing storage. It’s common for environments using cloud cache to have slightly slower sign-on and sign-out times, relative to using traditional VHDLocations, using the same storage. After initial sign-on, the cloud cache can improve the user experience for subsequent reads of data from the profile container or office container, as these reads are serviced from the local cache file.
Cloud Cache Design and Functionality
The cloud cache uses one or more remote profile containers, along with metadata. The combination of a profile container and metadata is referred to as a cloud cache provider. The cloud cache uses a local cache file that contains part of the dataset stored in the cloud cache providers. The data gets stored and accessed from the local cache file after any read from a cloud cache provider. Additionally, the local cache file will service any writes from the system and then send those writes to all cloud cache providers in the cloud cache configuration registry. This is a synchronous process that depends on the performance of the various components such as client, network, and storage.
If a provider is not available, then the system will continue to operate with the remaining provider. If a provider that was unavailable becomes available before the user signs out, then it will be brought up-to-date from the local cache. When a provider isn’t available when the user signs out, it will be brought up-to-date in subsequent sessions by having all its data replaced from an existing and up-to-date provider. If all remote providers are stale, the provider with the latest metadata is considered the source of truth.
Configure Registry Settings for the Cloud Cache with SMB
CCDLocation Registry Key for File Share
Registry Value | Type | Value |
|---|---|---|
CCDLocations | REG_SZ / MULTI_SZ | type=smb,connectionString=<Location1Folder1>;type=smb,connectionString=<Location2folder2> |
Enabled | DWORD | 1 |
The following are two different examples of using the cloud cache with a file share or blob.
Cloud Cache with File Share
Table 6-4 shows the registry key for a file share.
Cloud Cache with Blob
CCDLocation Registry Key for Blob
Registry Value | Type | Value |
|---|---|---|
CCDLocations | REG_SZ / MULTI_SZ | type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=|FSLogix/account|;AccountKey=|FSLogix/key|;EndpointSuffix=";type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=|FSLogix/account|;AccountKey=|FSLogix/key|;EndpointSuffix=" |
Enabled | DWORD | 1 |
Combing a File Share and Blob for a Single Host Pool
CCDLocation Registry Key for Blob and File Share
Registry Value | Type | Value |
|---|---|---|
CCDLocations | REG_SZ / MULTI_SZ | type=smb,connectionString=<FILESERVERSharedFolder>;type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=|FSLogix/account|;AccountKey=|FSLogix/key|;EndpointSuffix=" |
Enabled | DWORD | 1 |
Adding a Cloud Cache Registry Key with a File Share
- 1.
You have to get the Azure file share path from the storage account we created for the user profile before you add the registry key. You can follow the same instructions mentioned in the profile container to get the file share name.
- 2.
Now log in to the image VM using Bastion and the open registry with an Administrator context (Run as Administrator). Browse the registry path HKLMSOFTWAREFslogixProfiles and create both registry keys mentioned in Table 6-7. Note: If there is a VHDLocation key present, you have to delete it before adding the cloud cache key. See Figure 6-33.
CCDLocation Registry Key for File Share
Registry Value | Type | Value |
|---|---|---|
CCDLocations | REG_SZ / MULTI_SZ | type=smb,connectionString=<Location1Folder1>;type=smb,connectionString=<Location2folder2> |
Enabled | DWORD | 1 |
FSLogix: CCDLocation registry key
- 3.
Make sure that the correct user group is added in the FSLogix include group. See Figure 6-34.
FSLogix include list
- 4.
Restart the VM and try to log in with the user ID, which is a member of the group added in the FSLogix include list group.
Adding a Cloud Cache Registry Key with a Blob
- 1.
You have to get the Azure blob connection string from the storage account we created earlier for the user profile, before you add the registry key. See Figure 6-35.
FSLogix config, storage account connection string
- 2.
Since we have the storage name and key in the connection string, we should not store it directly in the registry, because users can read the registry with read permission. So, the best way to protect the storage account name and key is to store them in a credential manager on a VM. To do that, you must log in to the image VM using Bastion, open the command prompt as an administrator (CMD), and go to the C:Program FilesFslogixApps folder. See Figure 6-36.
FSLogix configuration, adding the password in to the credential manager, step 1
- 3.
Type the following command and change the storage account name before executing the command. See Figure 6-37.
FSLogix config- add password in credential manager step 2
- 4.
Add the storage account key using the following command. See Figure 6-38.
FSLogix config, add password in credential manager step 3
- 5.
Repeat the steps for an additional storage blob in case you want to use multiple blobs, but make sure you are changing the key name and value and not overwriting the same key and value. The following are example commands to add an additional storage blob:
- 6.
Open the registry with the Administrator context (Run as Administrator). Browse the registry path HKLMSOFTWAREFslogixProfiles and create both the registry keys mentioned in Table 6-8. Note: if there is a VHDLocation key present, then you have to delete it before adding the cloud cache key.
CCDlocation with Credential Manager
Registry Value | Type | Value |
|---|---|---|
CCDLocations | REG_SZ / MULTI_SZ | type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=|FSLogix/account|;AccountKey=|FSLogix/key|;EndpointSuffix=";type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=|FSLogix/account1|;AccountKey=|FSLogix/key1|;EndpointSuffix=" |
Enabled | DWORD | 1 |
CCDLocation Without Credential Manager
Registry Value | Type | Value |
|---|---|---|
CCDLocations | REG_SZ / MULTI_SZ | type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=;AccountKey=;EndpointSuffix="; type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=;AccountKey=;EndpointSuffix="; |
Enabled | DWORD | 1 |
FSLogix config, CCDLocation registry key
- 7.
Make sure that the correct user group is added in the FSLogix include list group. See Figure 6-40.
FSLogix config, FSLogix include list group
- 8.
Restart the VM and try to log in with a user ID that is a member of the group added in the FSLogix include list group and verify if the user profile gets created on the file share. See Figure 6-41.
FSLogix, user profile on remote storage
- 9.
You can also look at an additional registry key for the cloud cache in Table 6-10 and add it if you want it based on the organization requirements.
CCDLocation Extra Registry Key
Name | Type | Default | Detail |
|---|---|---|---|
CcdMaxCacheSizeInMBs | DWORD | 0 | CcdMaxCacheSizeinMBs specifies the maximum local cache size in megabytes, per user, during normal operation. Setting CcdMaxCacheSizeinMBs to 0 (default value) means there is no limit of the local cache size. |
ClearCacheOnLogoff | DWORD | 0 | By default, the local cache file won’t be removed when the user signs out. If you want to have the local cache file deleted when they sign out, set ClearCacheOnLogoff to 1. |
CacheDirectory | REG_SZ | C:ProgramDataFslogixCache | CacheDirectory specifies the location of the local cache file. By default, the local cache file will be placed in C:ProgramDataFslogixCache. The local cache file may be placed on another mapped drive or a UNC. CacheDirectory and ProxyDirectory must not be in the same location as the proxy file and the cache file are the same name and will conflict. |
ProxyDirectory | REG_SZ | N/A | ProxyDirectory specifies the location of the local proxy stub file. By default, the local cache file will be placed in C:ProgramDataFslogixProxy. |
SilenceACLWarning | DWORD | N/A | Set SilenceACLWarning to 1 to disable the event log warning the proxy or cache that the ACLs do not match the default values. |
What Are the Possible Scenarios with the Profile Container?
Single SMB file share to store the user profiles in a single region
Multiple SMB shares to store the user profiles in multiple regions with auto sync
Multiple Azure blobs to store the user profiles in multiple regions with auto sync
SMB file share + Azure Blob to store the user profiles in multiple regions with auto sync
Migrate User Profiles to FSLogix
If you already have some other VDI platform or other desktop solution and you want to migrate user profiles to FSLogix so that you can use an Azure Virtual Desktop pooled host pool, then there are different options available to do that.
FSLogix, user profile on remote storage
If you have a user profile on any VM or RDS server, then you can use PowerShell to convert user profiles in the VHD and the folder structure on the target share. The PowerShell file is available on PowerShell to convert the user profile to a VHD and migrate to FSLogix/Migrate-UserProfileToFslogix.ps1. The file can be executed on any Windows VM/server where you have the profile.
Once all user profiles are migrated to the FSLogix file share, the user can simply log in to the Azure Virtual Desktop and FSLogix will check if the profile is there on the file share and use the profile for user login.
- 1.
Change the source and target path in the script.
- 2.
Run the script as an administrator.
- 3.
Install the FSLogix app on the VM you want to execute the script.
- 4.
Copy all the profiles to a single folder, pass it as the source, and run the script so all profiles will get migrated together.
- 5.
The target path can be the FSLogix profile container file share.
Summary
In this chapter, you learned how to create an Azure Virtual Desktop host and host pools using the Azure portal, PowerShell, command-line interface (CLI), and Azure Resource Manager templates. Additionally, you learned how to configure host pool settings, assign users to host pools, apply OS and application updates to a running Azure Virtual Desktop host, and apply security and compliance settings to session hosts.