Deploying FSLogix Profile Containers

Have an issue you can't solve? I offer consulting engagements and can be reached here: consulting[а𝐭]amorales[․]org

This is an extension of my FSLogix Office 365 container guide. All of the steps in that guide should be followed before continuing onto this one.

Overview

FSLogix profile containers allow you to easily roam user files and settings across multiple machines. A VHDX file will be created and it will store all user settings. This is similar to roaming profiles, but you do not have to deal with any login delays while files copy. Instead, the VHDX file is attached to the RDS server and the user's profile loads immediately.

FSL Profiles vs UPDs

Windows has a native solution called User Profile Disks, but it has some big limitations. With UPDs some applications will detect that data is being stored in a UNC path and malfunction. The best example of this is the inability to install Google Chrome extensions on UPDs. FSLogix drivers trick the OS into thinking that the VHDX data is local to the machine so applications never know that the data is in a network path.

If there is a brief network loss, UPDs will disconnect and user profiles will crash and go into limbo. FSL profiles will try to reconnect if there is a network loss. In my experience it is not perfect, but it does seem to keep most of the profile running.

Deployment

  1. Follow all the steps on the FSLogix Office 365 container guide
  2. Make sure that no other profile management solution (UPD, UPM, Roaming Profiles, etc.) is enabled.
  3. Delete any local profiles on the machine (not mandatory, but recommended)
  4. Create a group in AD called "APP_FSLogixProfiles_Exclude"
    1. You will use this group to easily exclude users from FSLogix profiles through AD
  5. Create the exclusions file (optional)
    1. Instructions below
  6. Create a new GPO just for FSLogix Profile settings (don't combine ODFC and profiles into one GPO)
    1. GPO settings are at the bottom of this article
  7. Apply the GPO to the server, run GPUpdate, and restart to confirm that everything has been closed out.
  8. Log in as a test user and confirm that both a profile VHDX and an ODFC VHDX are created
  9. Confirm that you see a local_*user* folder under c:\users
  10. Create some files in one of your excluded folders.
  11. Log out of the RDS and log back in. Confirm that the excluded folders no longer have any files in them. Also confirm that the profile settings are persisting across logins.

Maintenance

FSL disks are dynamically allocated, which means that they expand to whatever size is required, but they do not automatically shrink. This can lead to unnecessary disk usage on your file server.

Also, there are instances where some user profiles will get left behind in C:\Users.

To combat both of these issues see the sections titled "Delete bad folders under the Users Folder" and "Compact your UPDs" on the Best Practices for Deploying User Profile Disks article.

Exclusions

By default FSL will copy all of the user's data into the VHDX file. However, you also have the ability to exclude certain folders. Excluding temp and cache folders will allow you to keep your VHDX files as small as possible.

To configure this:
  1. Create a folder called FSLRedirections
    1. I create this in the same directory as the FSL files
    2. Make sure that all users have read only permission to this folder. Only admins should have write access.
  2. Create a Redirections.xml file in this location
    1. You can find the XML file I use here. I try to stick to only cache and temp data.
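
One way to script the two steps above, as an added example that is not the author's own script or XML file: it creates the folder with an explicit ACL (admins write, everyone else read-only), writes a small Redirections.xml, and lists any non-admin identity that can still write. The share path `\\fileserver\FSLogix` and the two excluded cache paths are placeholders chosen for illustration.

```powershell
# Added example. $Root and the excluded paths are placeholders, not the author's values.
$Root   = '\\fileserver\FSLogix'                 # placeholder: your FSLogix share
$Folder = Join-Path $Root 'FSLRedirections'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Explicit ACL, inheritance off: admins/SYSTEM full control, everyone else read-only.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$grants  = [ordered]@{
    'BUILTIN\Administrators'           = 'FullControl'
    'NT AUTHORITY\SYSTEM'              = 'FullControl'
    'NT AUTHORITY\Authenticated Users' = 'ReadAndExecute'
}
foreach ($id in $grants.Keys) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $grants[$id], $inherit, 'None', 'Allow')))
}
Set-Acl -Path $Folder -AclObject $acl

# Sample exclusions (cache data only). Copy="0" means nothing is copied in or out.
$xml = @'
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="0">
  <Excludes>
    <Exclude Copy="0">AppData\Local\Google\Chrome\User Data\Default\Cache</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Edge\User Data\Default\Cache</Exclude>
  </Excludes>
</FrxProfileFolderRedirection>
'@
[void][xml]$xml                                   # throws if the XML is malformed
Set-Content -Path (Join-Path $Folder 'Redirections.xml') -Value $xml -Encoding UTF8

# Report any non-admin identity that can still write to the folder (expect no output).
$write  = [System.Security.AccessControl.FileSystemRights]::Write
$admins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
(Get-Acl -Path $Folder).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $write) -and
    $_.IdentityReference.Value -notin $admins
} | Select-Object IdentityReference, FileSystemRights
```

Share-level permissions are evaluated together with this NTFS ACL, so the share itself must also not grant users more than read on this folder's path.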

GPO Settings

Computer Configuration/Policies/Windows Settings/Restricted Groups
Group: FSLogix Profile Exclude List
Members: APP_FSLogixProfiles_Exclude (make sure to browse for the group, don't just type it in)

Computer Configuration/Policies/Administrative Templates/FSLogix/Profile Containers/VHD location
Enabled
Path to your FSLogix share (DFS preferred)

Computer Configuration/Policies/Administrative Templates/FSLogix/Profile Containers/Advanced/Provide RedirXML file to customize redirections
Enabled
\\%DFS%\FSLogix\FSLRedirections (just the folder, not the file)

Computer Configuration/Policies/Administrative Templates/FSLogix/Profile Containers/Allow concurrent user sessions
Disabled (you might need this enabled depending on your config)

Computer Configuration/Policies/Administrative Templates/FSLogix/Profile Containers/Delete local profile when FSLogix Profile should apply
Enabled

Computer Configuration/Policies/Administrative Templates/FSLogix/Profile Containers/Dynamic VHD(X) allocation
Enabled

Computer Configuration/Policies/Administrative Templates/FSLogix/Profile Containers/Enabled
Enabled

Computer Configuration/Policies/Administrative Templates/FSLogix/Profile Containers/Profile type
Enabled
Normal direct-access profile

Computer Configuration/Policies/Administrative Templates/FSLogix/Profile Containers/Store search database in profile container
Disabled (it will be stored in the ODFC container)
Don't enable this at all on Server 2019!

Computer Configuration/Policies/Administrative Templates/FSLogix/Profile Containers/Container and Directory Naming/Swap directory name components
Enabled

Computer Configuration/Policies/Administrative Templates/FSLogix/Profile Containers/Container and Directory Naming/Virtual disk type
Enabled
VHDX
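
A check to run on the session host after deployment step 7, as an added example that is not part of the original guide: it compares the FSLogix Profiles registry values against the GPO settings listed above and confirms the Restricted Groups nesting. It assumes the policy values land under either `HKLM:\SOFTWARE\Policies\FSLogix\Profiles` or `HKLM:\SOFTWARE\FSLogix\Profiles`, depending on the ADMX template version in use.

```powershell
# Added example: run elevated on the session host after gpupdate and a reboot.
# Assumption: settings are under the Policies key (newer ADMX) or the legacy key.
$keys = 'HKLM:\SOFTWARE\Policies\FSLogix\Profiles', 'HKLM:\SOFTWARE\FSLogix\Profiles'
$expected = [ordered]@{
    Enabled                              = 1
    ConcurrentUserSessions               = 0
    DeleteLocalProfileWhenVHDShouldApply = 1
    IsDynamic                            = 1
    ProfileType                          = 0      # normal direct-access profile
    RoamSearch                           = 0      # search database not stored in profile
    FlipFlopProfileDirectoryName         = 1      # swap directory name components
    VolumeType                           = 'VHDX'
}
function Get-FslValue([string]$Name) {
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return $v }
    }
}
$report = foreach ($name in $expected.Keys) {
    $actual = Get-FslValue $name
    [pscustomobject]@{
        Setting = $name; Expected = $expected[$name]; Actual = $actual
        OK      = ($null -ne $actual -and "$actual" -eq "$($expected[$name])")
    }
}
# Paths are site-specific: only require that they are set.
foreach ($name in 'VHDLocations', 'RedirXMLSourceFolder') {
    $actual = Get-FslValue $name
    $report += [pscustomobject]@{
        Setting = $name; Expected = '(set)'; Actual = $actual -join ';'
        OK      = [bool]$actual
    }
}
$report | Format-Table -AutoSize

# Restricted Groups check: the domain group must be nested in the local exclude group.
$members = Get-LocalGroupMember -Group 'FSLogix Profile Exclude List' -ErrorAction Stop
if ($members.Name -like '*\APP_FSLogixProfiles_Exclude') {
    'APP_FSLogixProfiles_Exclude is a member of "FSLogix Profile Exclude List"'
} else {
    Write-Warning 'APP_FSLogixProfiles_Exclude is not in "FSLogix Profile Exclude List"'
}
```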

Comments

  1. Hello Andy.
    I have a problem. I would like to test the FSLogix for some users to see how it will work.
    So as I understood, the group APP_FSLogixProfiles_Exclude is created for excluding users.
    1. WS 2016. DC, RDSH
    2. Installed FSLogix on DC, RDS.
    3. Created OU RDS Hosts. Put in the RDS computer.
    4. Created Security Group APP_FSLogixProfiles_Exclude.
    5. Created GPO FSLogix User GPO:
    Restricted Group have this props: Mydomain\FSLogix Profile Exclude List Mydomain\FSLogix Profile Exclude List Mydomain\APP_FSLogixProfiles_Exclude.
    Made FSLogix/Profile Containers props.
    6. Put usertest to the APP_FSLogixProfiles_Exclude.
    7. Rebooted RDS, DC in HV. Did not login in RDS.
    8. Log in for RDP on VM RDS.
    9. But usertest has a vhd disk. I don't want that.
    Thanks for your help.

    Replies
    1. You need to assign that group to be a member of "FSLogix Profile Exclude List" on the actual server. See here: https://i.imgur.com/eTXQzYg.png

  2. I think you need to put:
    Computer Configuration/Policies/Windows Settings/Restricted Groups
    Group: FSLogix Profile Exclude List (DO NOT SELECT DOMAIN GROUP, JUST TYPE IT IN!)
    Members: APP_FSLogixProfiles_Exclude (make sure to browse for the group, don't just type it in)

  3. I couldn't find a good reference/explanation of the redirections.xml. After much research I created this xml file with documentation in it. Thought it could be helpful for those in the same situation...

  4. Is there a way in FSLogix to exclude specific accounts? Ideally I would like to exclude admin accounts from having 'roaming' profiles. These admin accounts would also likely sign into multiple machines at the same time so only one session would get the attached vhd.

    Replies
    1. Add them to the APP_FSLogixProfiles_Exclude or "FSLogix Profile Exclude List"/"FSLogix ODFC Exclude List" groups

  5. When copying the GPO files -> please note that following locations were needed - at least in my case for the GPO MMC to work..
    Copy the ADMX file (FSLogixODFC?.?.admx) to %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions
    Copy the ADML file (FSLogixODFC?.?.adml) to %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\en-US

  6. Hello Andy, I have an issue.
    When a user logs in he gets a message:
    Group Policy Client service failed the logon. Access denied.

    I followed these steps but still the same thing: http://stefanos.cloud/blog/kb/how-to-resolve-error-group-policy-client-service-failed-the-logon-access-denied-in-citrix-and-fslogix-environments/

    Do you have an idea regarding this problem?

    Regarding the path for Office 365 containers and Profile containers, is this the same path as the user profiles set up in the RDS collection?

    Thanks a lot for your help.

    Replies
    1. This comment has been removed by the author.

    2. Sorry I have never run into that issue so I don't have much to offer there.

      The path for profile and 365 containers should be the same

    3. We ran into the very same issue with Group Policy Client service failed the login. As it turns out we had a GPO which was applying the regional settings at the computer level when it should have been applied at the user level. Have a good look through your group policy objects in the affected OU to determine if there is something that is requesting elevated privileges as a user.

  7. Hi Andy,
    Thanks for the article, it was very helpful. Sorry to be dense but what files are actually redirected into FSLogix Profile disks?
    In my test, I have no Exclusions XML in place and all files are still sitting locally e.g. C:\users\username\Desktop even though VHDx disk is mounted.

    Should we still deploy a traditional GPO for Folder Redirections in addition to the FSLogix Profile disks and if so, is the Exceptions XML file needed at all?

    Thank you.
