Third-Party User Profile Virtualization Solutions

It should be fairly clear that Roaming Profiles is a viable option in a single operating system, single concurrent logon environment. If your environment potentially requires multiple concurrent user logons and/or using different operating system versions and architectures, then the Roaming Profiles feature is extremely problematic. That’s primarily because Roaming Profiles, like Windows, treats the entire user registry area as a single replicated file, NTUSER.DAT, with no application-level granularity.

The top initiatives of many organizations today involve VDI, session virtualization, Bring Your Own Device (BYOD), and many more, all of which require users to log on to different devices and likely involve multiple logons at the same time. Roaming Profiles just doesn’t fit the bill. Fortunately, several third-party solutions have been designed to remedy the problems associated with Roaming Profiles.

Citrix has a basic solution as part of its session virtualization and VDI solutions that can help with some issues. However, the most powerful solutions are desktop virtualization products that focus purely on profile virtualization and the application-level granularity of settings, such as those from AppSense and RES Software. These solutions, which differ slightly in implementation, actually inject agents into the operating system that “hijack” an application or operating system component that tries to talk to the user’s profile. The agent detects the application or operating system component performing the action and separates the profile into application-specific and operating system component–specific areas. Each of these areas is stored separately on either a file system or a database and is synchronized with the local machine when applications start and stop, rather than at the traditional logon and logoff.

This download and upload on a per-application basis is very fast because only changes to the application’s configuration are synchronized.

Synchronizing only the profile changes related to a specific application when the application starts and stops introduces some powerful new capabilities. First, because the application-specific settings are separate from the rest of the profile, they can move more easily between different operating systems and architectures, provided the software has an agent for the operating systems and architectures being used. This means the same settings can be used across all available operating systems and architectures, so the user needs only one profile.

Second, because the settings are synchronized as the application starts and stops, multiple logons are more easily handled. In a common scenario, a user who is logged on to a Windows XP machine launches PowerPoint and makes a change to the layout, opens a file, then closes PowerPoint but doesn’t log off. As PowerPoint closes, its application-specific profile settings (both registry and file system) are sent to the profile solution’s storage, such as a SQL database. Now imagine the user also has an open session on a Windows 7 machine and starts PowerPoint. As PowerPoint starts, any changes to the configuration for PowerPoint are automatically downloaded and the application launches with the new layout; and the document previously opened on the other machine should appear on the recent document list. The same process would apply to using a session virtualization solution such as RDS, which can even replicate application settings between locally installed applications and virtualized applications—such as those with App-V, which typically do not work well with normal roaming profiles.

Beyond Profile Portability with Profile Component Rollback

Separation of the user’s profile into application-specific chunks introduces another powerful capability. Sometimes part of a user’s profile becomes corrupted and the entire profile has to be restored from a backup. However, if you’re using a third-party user virtualization solution that separates the profile into application-specific blocks, it is possible to view the profile at the application level. In the event of profile corruption for a specific application, you can just roll back and restore that application’s area to a previous point in time without having to modify the rest of the user’s profile. For example, Figure 6-5 shows the different elements of the profile visible through the AppSense interface, and the shortcut menu that allows you to roll back a specific part of the profile for only one application.

Figure 6-5: Using AppSense to roll back Excel to a previous point in time

Using Settings Management

This section touches on one other aspect of many third-party user virtualization solutions: user settings management. Many solutions allow settings to be configured and enforced on users. I’m generally not a fan of using this aspect of products because the Group Policy tool already provides a great solution, which is fully supported by Microsoft and does an excellent job. You can customize a Group Policy for most areas of the registry and pretty much every aspect of the operating system. I urge any clients of mine who are thinking about using the settings management component of a product to carefully consider why they might do so. If it’s for a specific group of settings that are not possible with Group Policy, then that makes complete sense. Otherwise, it is best to stick to using the Group Policy tool, considering other solutions only when Group Policy cannot meet the requirements.

User Experience Virtualization: The Evolution of User Virtualization with the Microsoft Desktop Optimization Pack

If I had been writing this book six months ago, I would have spent far more time on AppSense, recommending it as the best user profile virtualization solution. Prior to that, Microsoft did not really have a viable user virtualization option. That all changed with User Experience Virtualization (UE-V).

UE-V delivers a flexible and full-featured virtualization solution for the user’s settings where previously organizations would have to deploy Roaming Profiles or a third-party solution. Where Roaming Profiles works with the profile as a single object (the entire user registry synchronized at logon and logoff), UE-V separates each application’s settings into its own settings package, which is synchronized when the application starts and when it closes. For desktop settings and ease of access configuration, the synchronization is performed at logon, logoff, connect, disconnect, lock, and unlock.

Not every application’s settings are virtualized with UE-V. Organizations can determine which applications need their settings made available between different operating system instances and enable UE-V for those, while other applications will keep their settings local to each operating system instance.

Understanding UE-V Templates

When a user customizes an application or even his or her desktop, those user-specific customizations are written to the registry or the file system, and sometimes both. UE-V works by capturing those registry and file system locations where nominated applications store user settings and saving them to a settings package file. A settings package file contains all the user-specific settings for one application, so one user may have many different settings package files; for example, one for each application plus one for desktop settings and one for accessibility settings. The settings package is saved as a .pkgx file. When a UE-V virtualized application starts, the package for that application is processed and settings applied to the computer currently in use, making all customizations available. Once the user closes the application, those settings are recaptured and saved in an updated settings package.

This is very similar to the folder structure created for Roaming Profiles!

The settings packages are stored on a file share, and that is the only server-side infrastructure required for UE-V. There is no UE-V server or special management tool. The file share that is created has a subfolder for each user, in which each user’s settings packages are stored. The settings packages are also cached locally on each machine using the Windows Offline Files functionality. It is very important to enable Offline Files when using UE-V; otherwise, UE-V cannot function. Caching the settings locally enables the application settings to be available even when a client is not connected to the network. Another option, if home folders are defined in Active Directory for each user, is to store the settings packages in the user’s home folder.

All settings in the registry must be within HKEY_CURRENT_USER, which is why the registry hive is not specified. If an application is writing a setting to HKEY_LOCAL_MACHINE, then it is not a per-user setting.

To define what applications should have their settings virtualized with UE-V, templates are used. These tell UE-V which process filenames identify a specific application—for example, CALC.EXE represents Microsoft Calculator—and then which areas of the file system and registry contain user-specific settings for that application. UE-V includes a number of templates to virtualize some of the most common applications and Windows accessories, including Microsoft Office 2010, Microsoft Lync 2010, Calculator, Notepad, WordPad, Internet Explorer 9, Internet Explorer 10, along with desktop themes and ease of access settings. Listing 6-1 shows the template that is supplied for the calculator. It includes the name of the application, its UE-V ID (MicrosoftCalculator6), and the version of the template. The next section identifies the processes that comprise the calculator application, which is just a filename, CALC.EXE, and you can specify a product version. In this example only a major version of 6 needs to be matched, but it is also possible to specify a minor version in order to precisely specify the versions of an application to which a particular UE-V template should apply. Finally, the settings that should be virtualized are specified, which for Calculator are all in the registry under the Software\Microsoft\Calc key. You can browse all the templates at C:\Program Files\Microsoft User Experience Virtualization\Templates, which is a great way to learn the template format.

Listing 6-1: UE-V Calculator Template

<?xml version="1.0" encoding="utf-8"?>
<!--
Do not modify this settings location template. Changes to this
template can result in User Experience Virtualization not working
for the designated application now or in the future.
-->
<SettingsLocationTemplate xmlns='http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate'>
  <Name>Microsoft Calculator</Name>
  <ID>MicrosoftCalculator6</ID>
  <Version>0</Version>
  <Processes>
    <Process>
      <Filename>CALC.EXE</Filename>
      <ProductName>Microsoft&#174; Windows&#174; Operating System</ProductName>
      <ProductVersion>
        <Major Minimum="6" Maximum="6" />
      </ProductVersion>
    </Process>
  </Processes>
  <Settings>
    <Registry>
      <Path>Software\Microsoft\Calc</Path>
    </Registry>
  </Settings>
</SettingsLocationTemplate>

If a template should apply to different versions of an application, it is possible to just delete the minor version in the wizard page—for example, version 5.5 could be changed to 5. To support more than one major version, edit the Minimum and Maximum values of the Major element in the XML.
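Because every agent loads whatever templates it finds, it is worth reviewing a template before registering it or placing it in the catalog folder. The following is an added example, not code from the book or from Microsoft: it parses a template in the Listing 6-1 format, evaluates the version match rules, and checks the registry paths. It assumes a Minor element takes the same Minimum/Maximum form as Major, and the breadth rule in audit_paths is this example's own heuristic.

```python
import xml.etree.ElementTree as ET

URI = "http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate"
NS = {"u": URI}

# Constructed sample: Listing 6-1 abridged to the fields this audit reads.
CALC_TEMPLATE = rf"""<SettingsLocationTemplate xmlns='{URI}'>
  <ID>MicrosoftCalculator6</ID>
  <Processes><Process>
    <Filename>CALC.EXE</Filename>
    <ProductVersion><Major Minimum="6" Maximum="6" /></ProductVersion>
  </Process></Processes>
  <Settings><Registry><Path>Software\Microsoft\Calc</Path></Registry></Settings>
</SettingsLocationTemplate>"""

def parse_template(xml_text):
    """Return the template's ID, process match rules and registry paths."""
    root = ET.fromstring(xml_text)
    processes = []
    for proc in root.findall("u:Processes/u:Process", NS):
        ranges = {}
        for part in ("Major", "Minor"):   # assumption: Minor mirrors Major's form
            el = proc.find(f"u:ProductVersion/u:{part}", NS)
            if el is not None:
                ranges[part] = (int(el.get("Minimum")), int(el.get("Maximum")))
        processes.append((proc.findtext("u:Filename", "", NS).strip().upper(), ranges))
    paths = [p.text.strip() for p in root.findall("u:Settings/u:Registry/u:Path", NS)]
    return {"id": root.findtext("u:ID", None, NS), "processes": processes, "registry": paths}

def applies_to(template, filename, version):
    """True if filename and a 'major.minor' version satisfy one Process rule."""
    actual = dict(zip(("Major", "Minor"), (int(n) for n in version.split(".")[:2])))
    for name, ranges in template["processes"]:
        if name == filename.upper() and all(
                lo <= actual.get(part, 0) <= hi for part, (lo, hi) in ranges.items()):
            return True
    return False

def audit_paths(template):
    """Return (path, finding) pairs for registry paths that need a second look."""
    findings = []
    for path in template["registry"]:
        if path.upper().startswith(("HKEY_", "HKLM", "HKCU")):
            findings.append((path, "names a hive; paths are relative to HKEY_CURRENT_USER"))
        elif len([part for part in path.split("\\") if part]) < 3:
            findings.append((path, "broad key spanning more than one application"))
    return findings

if __name__ == "__main__":
    t = parse_template(CALC_TEMPLATE)
    print(t["id"], applies_to(t, "calc.exe", "6.1"), audit_paths(t))
```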

TIP As the use of UE-V becomes more widespread, there is going to be a growing number of templates made available to download, so it is worth searching for an existing template (www.technet.com) before doing it yourself.

You can create new templates manually with an XML editor, but Microsoft also provides a UE-V Generator, which enables easy creation and modification of UE-V templates, as shown in Figure 6-6. Clicking on the Create a settings location template option starts the Create wizard, in which you first specify the file path of the executable file for the application, along with any command-line arguments and working folder. The UE-V Generator will launch the application and monitor the registry and file system areas that are user specific, displaying them for review, as shown in Figure 6-7, using MagicISO Maker as an example. Notice the separate tab for reviewing file locations. Finally, details about the application are shown, such as the product name and version. At this point you can modify any of the generated values under the corresponding tab (Properties, Registry, or Files) before creating the XML template.

Figure 6-6: The User Experience Virtualization Generator provides an easy way to quickly create new templates.

Figure 6-7: The UE-V Generator auto-launches the selected application and performs a scan of the user locations that are accessed for its settings, which are then displayed before finalizing the template.

The UE-V Agent Service

The engine behind UE-V that enables it to perform actions is the User Experience Virtualization Agent Service, UevAgentService. The agent is the only piece of UE-V code that needs to be deployed, and it must be installed on all operating systems that will use the UE-V technology. A single installer is used to deploy both the 32-bit and 64-bit versions of UE-V, and the standard installation also includes all the built-in templates. To install custom templates, the templates can either be registered using the Register-UevTemplate PowerShell cmdlet, which could be done when the UE-V agent is installed or at any later time, or a network folder can be created in which all templates are placed. The UE-V agent will parse this folder every 24 hours and load in any new templates. A folder is specified using the Set-UevComputerSetting PowerShell cmdlet and setting the SettingsTemplateCatalogPath registry value to the file share you use.

UE-V is supported on Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012; and because each application has its settings virtualized in its own settings package, the configuration for each application (or version) can be shared between any of the supported operating systems. This means a user could have a local Windows 7 desktop, a remote Windows 8 VDI, and numerous sessions on Remote Desktop Session Hosts running a mix of Windows Server 2008 R2 and Windows Server 2012, and have all the same application customizations available. Contrast this with the monolithic roaming profiles where you need a separate profile for different combinations of OS and applications. At the time of writing, Metro applications cannot have their settings virtualized with UE-V, as Metro applications use a different process model than regular applications. UE-V also works across applications that are installed locally on an operating system and that are virtualized with technologies like App-V.

How UE-V Works

This section puts everything together by looking at how an application that has settings virtualized with UE-V runs:

1. The user launches an application.

2. The UE-V Agent Service sees the new process and compares it to the list of processes that UE-V is monitoring based on registered templates. When it finds the match, it hooks into the process and prevents the process from starting immediately.

3. The UE-V Agent Service checks the file share (or AD home folder) for an updated settings package for the application. If the remote settings package is different from the local cache of the settings package, then the Offline Files functionality synchronizes the local cache from the file server. If the remote settings package is the same as the local cache, then no synchronization is required.

4. The service takes settings from the local cache of the application’s settings package and applies them all to the local operating system’s file system and registry.

5. The service then allows the application to start.

6. Because the UE-V Agent Service is still hooked in to the application process, it is notified when the application is closed and the application process ends. The service gathers all the registry and file settings specified in the template for the application, writes them to the local settings package, and then notifies Offline Files to replicate the local cache of the settings package to the file share.

Notice UE-V does not require any changes to the application; it simply delays an application from starting, gets the settings and applies them to the registry and the file system, and then allows the application to start, which reads the user settings from the normal local computer file system and registry user locations as defined by the application. Internet Explorer is just another application to UE-V—synchronizing settings as Internet Explorer starts and is stopped. Because of differences between Internet Explorer 9 and 10, settings are stored separately for them, which is reflected in two separate UE-V templates. Similarly, for desktop and ease of access settings, there are implementation differences between Windows 7/2008 R2 and Windows 8, which means there are separate templates and settings packages for each. If you disable the option to Hide protected operating system files and enable the option to Show hidden files, folders, and drives in Folder Options, it’s possible to see the folders UE-V created for each application’s settings package, as shown in Figure 6-8.

Rollback is not something performed by a typical user, who would instead raise a ticket with the help desk.

I have often seen problems in which users have changed settings for an application to a point where the application no longer functions; that part of their profile has become corrupted. With typical profile solutions the only solution is to delete the entire profile, as a profile is a single object. With UE-V, each application has its own settings package, enabling application-level settings rollback. The first time a user starts a UE-V–enabled application, all the current settings defined to be captured in the template for that application are stored in the application’s settings package in a special “rollback” mode and saved, no matter what future settings are made. To roll an application back to its initial configuration, you can use the Restore-UevUserSettings PowerShell cmdlet, passing the name of the application template ID.
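The six steps above and the application-level rollback can be traced in a small model. This is an added example, not UE-V code and not from the book: the registry, local cache and file share are plain dictionaries, and the PowerPoint template ID and registry key are hypothetical.

```python
import copy

def under(paths, key):  # is registry value `key` below one of the template paths?
    return any(key.startswith(p + "\\") for p in paths)

class Machine:
    """share: dict standing in for the file share; templates: {EXE: (ID, [HKCU paths])}."""
    def __init__(self, share, templates):
        self.share, self.templates = share, templates
        self.registry, self.cache = {}, {}   # local HKCU values, local package cache
    def _capture(self, paths):
        return {k: v for k, v in self.registry.items() if under(paths, k)}
    def _apply(self, paths, settings):
        kept = {k: v for k, v in self.registry.items() if not under(paths, k)}
        self.registry = {**kept, **settings}

    def start(self, user, exe):
        if exe.upper() not in self.templates: return False   # step 2: not monitored
        tid, paths = self.templates[exe.upper()]
        key, remote = (user, tid), self.share.get((user, tid))
        if remote is not None and remote != self.cache.get(key):
            self.cache[key] = copy.deepcopy(remote)       # step 3: refresh cache
        if key not in self.cache:   # first start: keep the initial state for rollback
            self.cache[key] = {k: self._capture(paths) for k in ("rollback", "current")}
        self._apply(paths, self.cache[key]["current"])    # step 4
        return True                                       # step 5: app may run

    def close(self, user, exe):
        tid, paths = self.templates[exe.upper()]
        self.cache[(user, tid)]["current"] = self._capture(paths)   # step 6
        self.share[(user, tid)] = copy.deepcopy(self.cache[(user, tid)])

    def session(self, user, exe, changes):   # start, change settings, close
        self.start(user, exe)
        self.registry.update(changes)
        self.close(user, exe)

    def restore(self, user, exe):            # application-level rollback
        tid, paths = self.templates[exe.upper()]
        pkg = self.cache[(user, tid)]
        pkg["current"] = dict(pkg["rollback"])
        self._apply(paths, pkg["current"])
        self.share[(user, tid)] = copy.deepcopy(pkg)

def demo():
    # Constructed scenario; the PowerPoint template ID and key are hypothetical.
    tmpl = {"POWERPNT.EXE": ("ExamplePowerPoint", [r"Software\Example\PowerPoint"]),
            "CALC.EXE": ("MicrosoftCalculator6", [r"Software\Microsoft\Calc"])}
    layout, mode = r"Software\Example\PowerPoint\Layout", r"Software\Microsoft\Calc\layout"
    xp = Machine({}, tmpl)
    win7 = Machine(xp.share, tmpl)           # same share, different machine
    xp.registry[layout] = "default"
    xp.session("alice", "POWERPNT.EXE", {layout: "wide"})
    win7.start("alice", "POWERPNT.EXE")      # second session, xp still logged on
    roamed = win7.registry[layout]
    win7.session("alice", "CALC.EXE", {mode: "1"})
    win7.session("alice", "POWERPNT.EXE", {layout: "corrupt"})
    win7.restore("alice", "POWERPNT.EXE")
    return roamed, win7.registry[layout], win7.registry[mode]
```

The rollback returns PowerPoint to the state captured at its first start while the Calculator package, stored separately, keeps its value.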

Figure 6-8: Using Windows Explorer it is possible to see the settings package files for each UE-V-enabled application.

UE-V is designed to replace Roaming Profiles, so organizations should not try to run both on the same machines; the results would be unpredictable, although it would probably be safe to assume that UE-V would overwrite any settings in Roaming Profiles. For organizations looking for a complete desktop virtualization solution, UE-V enhances the user experience when combined with folder redirection and application virtualization technologies. Check out http://www.savilltech.com/videos/UEVOverview/UEVOverview.wmv for a video walk-through of UE-V that shows the technology in action.
