FSLogix Container (Office/Profile) in Citrix Environments

Recently, I have been involved more and more in projects where Office365 is to be fully implemented in Citrix environments. This means that the customer not only needs the standard Office applications Outlook, Excel and Word, but also wants to use Teams and OneDrive.

But this is exactly where we run into big problems in non-persistent desktop environments without additional software. For example, with our profiles (the Teams installer stores its data in the profile), or with the data being downloaded from the Internet every time (when the OneDrive sync data is excluded from the profile).

However, we have recently been in the fortunate position of being able to use FSLogix “free of charge” for this purpose, if we meet the following requirements:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/Student Use Benefits
  • Microsoft 365 F1
  • Microsoft 365 Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) Client Access License (CAL)
  • Remote Desktop Services (RDS) Subscriber Access License (SAL)

FSLogix Technologies

A short list of the individual FSLogix components.

Profile Container

Profile Container basically moves all profile files and folders into a VHD / VHDX file in the network and then mounts it as a container in the target system when logging on. This will replace the existing profile solutions where the files are copied over the network to the target system, like Roaming Profile or Universal Profile Management.

Office365 Container

Office365 Container redirects only the part of the profile that contains Office data. This allows FSLogix to be used in parallel with already implemented profile solutions. This functionality is useful for the Outlook OST file, the Teams installer or OneDrive offline files.

Application Masking

Application Masking manages access to applications, fonts, printers, etc. Access can be controlled by user, IP address range and other criteria. This significantly reduces the number and complexity of Golden Master Images.

Java Version Control

Java Version Control allows all applications and websites to work with the Java version they need. The selected Java version must be installed on the client computer. Multiple versions of Java can be installed side by side, all within the same client system.

MSIX App Attach

MSIX App Attach assigns applications stored at a central location in MSIX format to the operating system. After it is attached, the applications look locally installed to both the user and the operating system. Based on application groups, applications can be deployed immediately without the need to deploy a new Golden Image.

By combining FSLogix Profile Container and MSIX App Attach, the operating system remains completely clean and data, profiles, and applications are completely separated.

Detailed article about MSIX App Attach

Setup of FSLogix Container

In this blog post I don’t look at the complete FSLogix technology range in detail; for now I’ll only discuss the Profile Container and Office365 Container features.

Prerequisites

I assume the following things and do not go into them in detail:

  • Installed and licensed Citrix environment (StoreFront, DDC etc.)
  • Established profile solution (here UPM) for Office365 Container Feature
  • Installed Office365 for Office365 Container Feature

Profile Container

In order to use the Profile Container feature, the required package must be installed on the Golden Master Image and activated via GPO.

If another profile method (roaming, UPM, etc.) is already in use and is to be replaced, it must be deactivated before activating Profile Container (here UPM via WEM).

Migration Methods

To migrate from existing Profile solutions to FSLogix Profile Containers, there are various existing instructions.

UPM to Profile Container

Local Profile to Profile Container

UPD to Profile Container

File Server

  • Create a folder on your file server for the Profile Container of the users.
  • Set the following permissions.

| User Account | Folder | Permissions |
| --- | --- | --- |
| CREATOR OWNER | Subfolders and Files Only | Full Control |
| SYSTEM | This Folder, Subfolders and Files | Full Control |
| Administrator | This Folder, Subfolders and Files | Full Control |
| Users | This Folder Only | Create Folder / Write Data |
| Users | This Folder Only | List Folder / Read Data |
| Users | This Folder Only | Read Attributes |
| Users | This Folder Only | Traverse Folder / Execute File |

  • Activate the share and set the share permissions for the Authenticated Users to Change and Read.

Golden Master Image

  • Download the FSLogix package and extract it
  • Launch the installer FSLogixAppsSetup
  • In the following window, click “I agree to the license terms and conditions”
  • Via the Options button you can adjust the installation path
  • Click Install to start the installation.
  • After the installation, you can check in the Services menu that the FSLogix services are installed and running.

Active Directory Server

  • Copy the ADMX & ADML file from the extracted FSLogix folder
  • Paste these files into your PolicyDefinitions folder
  • Open the Group Policy Management Console
  • Create a GPO in the OU of your Worker Machines
  • Now configure the settings you need for Profile Container

Profile Container GPO

The following are the most important settings from the FSLogix ADMX file.

/ Computer Configuration / Policies / Administrative Template / FSLogix / Profile Container

  • Profile type (Must be configured)

Normal direct-access profile

The client tries to mount the VHD(X) file directly when logging in. No Difference Disks are used. If simultaneous further access is attempted, it fails with a share violation (error 20). When logging off, the VHD(X) file is unmounted again.

Read-write profile

The client performs the following logon steps:

  • An attempt is made to open the Difference Disk RW.VHD(X) with read/write access. If successful, the Difference Disk is merged with the parent Profile disk. When the merge is complete, the RW.VHD(X) file is deleted.
  • A new RW.VHD(X) Difference Disk is created.
  • The new RW.VHD(X) file is mounted as a profile disk.

The following steps are performed during logoff:

  • Detaches the RW.VHD(X) difference disk (the user’s Profile VHD/X)
  • Attempts to open the RW.VHD(X) difference disk with Read/Write access. If it is successful, it merges the difference disk to the parent. If it completes the merge, the RW.VHD(X) file is deleted

The RW Difference Disk is stored in the network directly next to the Profile Disk.

Read-only profile

The client performs the following logon steps:

  • Client attempts to delete the previous RO difference disk (if it exists)
  • A new RO-Difference disk will be created
  • The new RO difference disk is attached as the user’s Profile VHD

The following steps are executed during logoff:

  • Client detaches the RO difference disk
  • The RO-Difference Disk will be erased

The RO Difference Disks are stored in the local Temp directory of the client and are called %usersid%_RO.VHD(X).

Try for read-write profile and fallback to read-only

Client checks to see if a RW.VHD(X) file exists. If no file exists, it performs the same steps as for Read-write profile. If the file RW.VHD(X) exists, the client assumes the role Read-only profile and performs these steps.

  • Store search database in profile container

Windows Search Service must be started and set to automatic for this feature. Delayed start should not be enabled. The Citrix Provisioning Server Optimization tool disables the Windows Search Service and should therefore be reactivated via GPO.

Multi-user search

Multi-user search extracts the user part of the search index and saves it in the Profile Container. The user-specific part of the .edb file, which takes over the Outlook search, is extracted and integrated into the Profile Container. The user-specific part of the .edb file and the files necessary to support the search are stored in the folder \WSearch in the VHD(X).

This feature allows you to roam a user’s Outlook search information across multiple systems.

Single-user search

Single-user search saves the entire search database in the profile container of the user. The .edb file from the ProgramData folder is then included in the user’s Profile Container. The redirected .edb file and the files required to support the search are stored in the \WSearch folder on the VHD(X).

By redirecting the Windows search database, the Windows search is available immediately after logon and no re-indexing is required.

  • Set Outlook cached mode on successful container attach

If this feature is enabled and the Profile container is successfully attached, the Outlook setting that enables cache mode is temporarily set for the current session until the container is removed. This ensures that the cache mode is only used when the container is attached.

  • Enabled (Must be configured)

This point activates the complete Profile Container feature.

  • VHD location (Must be configured)

A list of file system locations to search for the user’s profile VHD(X) file. If one isn’t found, one will be created in the first listed location. These values can contain variables that will be resolved. Supported variables are %username%, %userdomain%, %sid%, %osmajor%, %osminor%, %osbuild%, %osservicepack%, %profileversion%, and any environment variable.

  • Dynamic VHD(X) allocation

If Dynamic VHD(X) allocation is enabled, the VHD(X) files are assigned dynamically. This means that the file size of the VHD(X) file only grows when data is added to the Profile Container. If this option is not enabled, automatically created VHD(X) files will be directly allocated to the full data storage space.

  • Delete local profile when FSLogix Profile should apply

If this is enabled, the user’s local profile is permanently deleted if Container is enabled for this profile. The user is then logged on with the FSLogix profile.

  • Size in MBs

Sets the size of the newly created VHD(X) file in MB. Depending on the type of use, it is recommended to plan between 5 and 15 GB per user.

  • Allow concurrent user sessions

This setting should be used when the target system is multi-session and allows simultaneous logins for the same Windows account on the same server.

/ Computer Configuration / Policies / Administrative Template / FSLogix / Profile Container / Advanced

  • Provide RedirXML file to customize redirections

The file redirections.xml is stored here to define which files and folders should not be saved in the Profile Container.

When you log on, the FSLogix agent copies the redirections.xml file from the specified location to <profile>\AppData\Local\FSLogix (inside the VHD) and processes it immediately. The user must have read permission for the file.

Typically this location is in the root or a sub-directory of the location where profiles are stored: \\<FileServer>\Container$\Redirection\ (the redirections.xml would be placed in the Redirection folder).

The basic structure of the redirections.xml file is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="<OPTIONAL>">
  <Excludes>
    <Exclude Copy="<VALUE>">AppData\Low\FolderToDiscard\</Exclude>
    <Exclude>… another exclude folders… </Exclude>
  </Excludes>
  <Includes>
    <Include>AppData\Low\FolderToDiscard\FolderToKeep</Include>
    <Include>… another include folders… </Include>
  </Includes>
</FrxProfileFolderRedirection>

What’s included / excluded is only taken into account at login. If changes are made, a logoff / logon sequence must be performed to sync the files.

You can specify any number of items inside the Includes and Excludes tags. Folders are relative to the user profile only (that’s why AppData is shown in this example).

Exclude folders are redirected to base (meaning the \Users\local_<username> folder FSLogix creates), and Include folders are used when certain folders should remain in the virtual profile. Includes are usually used when redirecting a branch to base EXCEPT some sub-folders.

<OPTIONAL> should be replaced by a bitmask built from the following values.

If the ExcludeCommonFolders attribute is specified, the folders selected by the bitmask value are excluded, i.e. redirected to base.

1 = Contacts folder
2 = Desktop folder
4 = Documents folder
8 = Downloads folder
16 = Links folder
32 = Music and Podcasts folders
64 = Pictures and Videos folders
128 = Folders like AppData\LocalLow

For example, if you want to exclude the Contacts and Links folders, set the value 17 (1+16).

If you want to avoid copy to / from base in some common folder, you can add an Exclude item to override. Exclude items have priority over common folders exclusions.

If the same folder is specified as Exclude and as Include item, the exclude will have priority.

<VALUE> should be replaced by one of the following values:

0 = No files are copied in or out. Only the folders are created in the directory local_<user_name>.
1 = Files are copied to the local profile. Any existing file in an excluded folder is copied to the local profile.
2 = Files are copied back into the virtual profile. Each modified file in the local profile is copied back into the Profile Container when the user logs off.
3 = Files are copied from & to the local profile. Combination of Value 1 and 2.
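
The rules above (bitmask, Copy values, Exclude taking priority over Include, profile-relative paths) can be checked before the file is placed on the share. The following is an added example, not code from FSLogix or from the original article; the function names and the sample document are constructed for illustration.

```powershell
# Added example: lint a redirections.xml before publishing it to the share.
# The sample document is constructed for illustration.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="17">
  <Excludes>
    <Exclude Copy="0">AppData\Low\FolderToDiscard\</Exclude>
    <Exclude Copy="3">AppData\Local\ExampleCache</Exclude>
    <Exclude Copy="7">C:\Temp\Scratch</Exclude>
  </Excludes>
  <Includes>
    <Include>AppData\Low\FolderToDiscard\FolderToKeep</Include>
    <Include>AppData\Local\ExampleCache\</Include>
  </Includes>
</FrxProfileFolderRedirection>
'@

# ExcludeCommonFolders bit values as listed in the article
$CommonFolderBits = @(
    @{ Bit = 1;   Name = 'Contacts' },
    @{ Bit = 2;   Name = 'Desktop' },
    @{ Bit = 4;   Name = 'Documents' },
    @{ Bit = 8;   Name = 'Downloads' },
    @{ Bit = 16;  Name = 'Links' },
    @{ Bit = 32;  Name = 'Music and Podcasts' },
    @{ Bit = 64;  Name = 'Pictures and Videos' },
    @{ Bit = 128; Name = 'Folders like AppData\LocalLow' }
)

function Get-NormalizedPath([string]$Path) {
    # Compare paths without surrounding whitespace, trailing backslash or case
    $Path.Trim().TrimEnd('\').ToLowerInvariant()
}

function Test-RedirectionsXml {
    param([Parameter(Mandatory)][string]$XmlText)

    $root = ([xml]$XmlText).SelectSingleNode('/FrxProfileFolderRedirection')
    if ($null -eq $root) { throw 'Root element FrxProfileFolderRedirection not found.' }
    $findings = [System.Collections.Generic.List[string]]::new()

    # Decode the optional ExcludeCommonFolders bitmask into folder names
    $mask = 0
    $raw  = $root.GetAttribute('ExcludeCommonFolders')
    if ($raw -and ((-not [int]::TryParse($raw, [ref]$mask)) -or $mask -lt 0 -or $mask -gt 255)) {
        $findings.Add("ExcludeCommonFolders='$raw' is not a bitmask between 0 and 255")
        $mask = 0
    }
    $common = @($CommonFolderBits | Where-Object { $mask -band $_.Bit } | ForEach-Object { $_.Name })

    $excluded = @{}
    foreach ($node in $root.SelectNodes('Excludes/Exclude')) {
        $path = $node.InnerText
        $copy = $node.GetAttribute('Copy')
        if ($copy -and $copy -notin '0', '1', '2', '3') {
            $findings.Add("Exclude '$path': Copy='$copy' is not one of 0, 1, 2, 3")
        }
        if ($path -match '^\s*([A-Za-z]:|\\)') {
            $findings.Add("Exclude '$path': must be relative to the user profile")
        }
        $excluded[(Get-NormalizedPath $path)] = $copy
    }
    foreach ($node in $root.SelectNodes('Includes/Include')) {
        $path = $node.InnerText
        if ($path -match '^\s*([A-Za-z]:|\\)') {
            $findings.Add("Include '$path': must be relative to the user profile")
        }
        if ($excluded.ContainsKey((Get-NormalizedPath $path))) {
            $findings.Add("Include '$path' is also an Exclude; the Exclude has priority")
        }
    }

    [pscustomobject]@{
        ExcludedCommonFolders = $common
        Findings              = $findings
    }
}

Test-RedirectionsXml -XmlText $sample | Format-List
```
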

/ Computer Configuration / Policies / Administrative Template / FSLogix / Profile Container / Container and Directory Naming

  • Virtual disk type

Defines the type of the automatically created Profile Container file (VHDX or VHD).

  • Swap directory name components

If it is enabled, new directories are named with the user name first, followed by the SID.

Result

After successful setup, the result can be viewed as follows.

  • Run compmgmt.msc from cmd or Run
  • Under Disk Management you can now see the attached Profile Container (here Profile-manuel)
  • Right-click the profile disk and assign a drive letter to it.
  • Now you can access the drive and check the data

Office365 Container

In order to use the Office365 Container feature, the corresponding package must be installed on the Golden Master Image and activated via GPO.

Office365 Container can be used in parallel with existing profile methods (Roaming, UPM etc.).

File Server

  • Create a folder on your file server for the profile containers of the users
  • Set the following permissions.

| User Account | Folder | Permissions |
| --- | --- | --- |
| CREATOR OWNER | Subfolders and Files Only | Full Control |
| SYSTEM | This Folder, Subfolders and Files | Full Control |
| Administrator | This Folder, Subfolders and Files | Full Control |
| Users | This Folder Only | Create Folder / Write Data |
| Users | This Folder Only | List Folder / Read Data |
| Users | This Folder Only | Read Attributes |
| Users | This Folder Only | Traverse Folder / Execute File |

  • Activate the share and set the share permission for the Authenticated Users to Change and Read.
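
The file-server steps above, which are the same as in the Profile Container section, can be scripted and verified as follows. This is an added example, not part of the original article: the folder path and share name are placeholders, the "Administrator" and "Users" rows are assumed to mean the built-in groups, and "Create Folder / Write Data" is assumed to mean the right to create subfolders.

```powershell
# Added example: apply the table's NTFS permissions to a container root,
# publish the share and verify the result. Run elevated on the file server.
$ContainerRoot = 'D:\FSLogix\Containers'   # placeholder path
$ShareName     = 'Container$'              # placeholder share name

# Well-known SIDs keep the script independent of the OS display language.
# Assumption: "Administrator" and "Users" in the table are the built-in groups.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid = @{
    CreatorOwner   = $sidType::new('S-1-3-0')
    System         = $sidType::new('S-1-5-18')
    Administrators = $sidType::new('S-1-5-32-544')
    Users          = $sidType::new('S-1-5-32-545')
    AuthUsers      = $sidType::new('S-1-5-11')
}

# Columns: identity, rights, inheritance flags, propagation flags.
# InheritOnly makes the CREATOR OWNER entry apply to subfolders and files only.
# The Users entry has no inheritance flags, so it applies to this folder only.
# Assumption: "Create Folder / Write Data" is mapped to CreateDirectories.
$inheritAll = 'ContainerInherit,ObjectInherit'
$rules = @(
    @($sid.CreatorOwner,   'FullControl', $inheritAll, 'InheritOnly'),
    @($sid.System,         'FullControl', $inheritAll, 'None'),
    @($sid.Administrators, 'FullControl', $inheritAll, 'None'),
    @($sid.Users, 'CreateDirectories,ListDirectory,ReadAttributes,Traverse', 'None', 'None')
)

$acl = Get-Acl -Path $ContainerRoot
# Stop inheriting from the parent folder and drop the inherited entries
$acl.SetAccessRuleProtection($true, $false)
# Remove explicit entries that are already on the folder
foreach ($ace in @($acl.Access)) { $acl.PurgeAccessRules($ace.IdentityReference) }
foreach ($r in $rules) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $r[0], $r[1], $r[2], $r[3], 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ContainerRoot -AclObject $acl

# Share permission: Authenticated Users get Change (which includes Read).
# New-SmbShare fails if a share with this name already exists.
$authUsers = $sid.AuthUsers.Translate([System.Security.Principal.NTAccount]).Value
New-SmbShare -Name $ShareName -Path $ContainerRoot -ChangeAccess $authUsers | Out-Null

# Verify: if the Users entry were inheritable, every user could open the
# container folders that other users create below the root.
$applied = (Get-Acl -Path $ContainerRoot).GetAccessRules($true, $true, $sidType)
$leaky = $applied | Where-Object {
    $_.IdentityReference.Value -eq $sid.Users.Value -and $_.InheritanceFlags -ne 'None'
}
if ($leaky) { Write-Warning 'The Users entry is inheritable; restrict it to this folder only.' }
$applied | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```
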

Golden Master Image

  • Download the FSLogix package and extract it
  • Launch the installer FSLogixAppsSetup
  • In the following window, click “I agree to the license terms and conditions”
  • Via the Options button you can adjust the installation path
  • Click Install to start the installation
  • After the installation, you can check in the Services menu that the FSLogix services are installed and running

Active Directory Server

  • Copy the ADMX & ADML file from the extracted FSLogix folder
  • Paste these files into your PolicyDefinitions folder
  • Open the Group Policy Management Console
  • Create a GPO in the OU of your Worker Machines
  • Now configure the settings you need for Office365 Container

Office365 Container GPO

The following are the most important settings from the FSLogix ADMX file for Office365 Container.

/ Computer Configuration / Policies / Administrative Template / FSLogix / Office 365 Container

  • Include Office activation data in container

If this is enabled, the activation data of the Office license is stored in the Office365 Container.

  • Include Outlook data in container

If this is enabled, the Outlook data files are included in the Office365 Container.

  • Size in MBs

Set the size of the newly created VHD(X) file in MB. Depending on the type of use, it is recommended to plan between 2 and 5 GB per user.

  • Sync OST to VHD

Copy OST to VHD

An existing local OST file (if present) is synchronized into the Office365 Container VHD(X) file.

Do not mirror OST to VHD

An existing local OST file is not moved to the Office365 Container.

Move OST to VHD

An existing local OST file (if present) is initially moved to the Office365 Container VHD(X) file.

  • VHD location (Must be configured)

A list of file system locations to search for the Office365 Container VHD(X) file. If one isn’t found, one will be created in the first listed location. These values can contain variables that will be resolved. Supported variables are %username%, %userdomain%, %sid%, %osmajor%, %osminor%, %osbuild%, %osservicepack%, %profileversion%, and any environment variable.

  • Include OneDrive data in container

If this is enabled, the OneDrive cache is included in the Office365 Container.

  • Number of per-Session VHDs to persist

This setting is used when the VHD access type is set to Unique disk per session. This controls the number of session VHDs that are persistent. For example, if this is set to ‘2’ and the user creates a third session, a new session VHD is created and used, but is deleted when the third session ends.

  • Virtual disk type

Specifies the type of automatically created container file (VHDX or VHD).

  • VHD access type

Difference disk stored on local machine

The following steps are performed during logon:

  • The client attempts to remove a previous Difference Disk (%usersid%_ODFC.VHD(X)) for this user from the temporary folder.
  • A new Difference Disk named %usersid%_ODFC.VHD(X) is created. This Difference Disk is created in the Temp directory.
  • The client mounts the Difference Disk as O365 VHD.

The following steps are executed during logoff:

  • Client detaches the difference disk.
  • The system tries to merge the Difference Disks. The merge can only be successful if the user’s last session has ended.
  • Client deletes the difference disk.

Difference disk stored on network

At the logon:

  • An attempt is made to open the Difference Disk merge.vhd(x) with read/write access. If successful, it merges the Difference disk with the original Office 365 container. When the merge is complete, the Difference disk is deleted.
  • All previous Difference Disks for the logged on system (%Computername%_ODFC.VHD(X)) will be deleted.
  • A new Difference disk named %computername%_ODFC.VHD(X) is created. This difference disk is created on the network share next to the parent VHD(X) file.
  • The Difference Disk is attached as O365 VHD.

When you log off:

  • The Difference Disk is unmounted.
  • The Difference Disk is renamed to merge.vhd(x). If this renaming is successful, an attempt is made to merge the Difference Disks. The merge can only be successful if the user’s last session has ended.
  • The Difference Disk is deleted.

Direct access

When logging in, the system tries to attach the VHD(X) file directly. No Difference Disks are used. If simultaneous access is attempted, it fails with a share violation (error 20).

When logging out, the VHD(X) is unmounted.

Unique disk per session

The VHD(X) files are named ODFC-%username%-SESSION-<sessionnumber>.VHD(X), where sessionnumber is an integer from 0 – 9.
The maximum number of VHD(X) files per session is 10.

When you log on, the following steps are performed:

  • It searches for a VHD(X) file for the session that is not currently in use.
  • If one is found, it is mounted and used directly.
  • If none free is found, a new one is created and used.
  • If a new VHD is created and the number of session VHDs thereby exceeds the value set under Number of per-Session VHDs to persist, this VHD(X) is marked for deletion and deleted at logoff.

When you log off:

  • The VHD(X) file is unmounted.
  • When the VHD(X) is marked for deletion, it is deleted.

  • Store search database in Office 365 container

Windows Search Service must be started and set to automatic for this feature. Delayed start should not be enabled. The Citrix Provisioning Server Optimization tool disables the Windows Search Service and should therefore be reactivated via GPO.

Multi-user search

Multi-user search extracts the user part of the search index and saves it in the Office365 Container. The user-specific part of the .edb file, which takes over the Outlook search, is extracted and integrated into the Office365 Container. The user-specific part of the .edb file and the files necessary to support the search are stored in the folder \WSearch in the VHD(X).

This feature allows you to roam a user’s Outlook search information across multiple systems.

Single-user search

Single-user search saves the entire search database in the Office365 Container of the user. The .edb file from the ProgramData folder is then included in the user’s Office365 Container. The redirected .edb file and the files required to support the search are stored in the \WSearch folder on the VHD(X).

By redirecting the Windows search database, the Windows search is available immediately after logon and no re-indexing is required.

  • Enabled (Must be configured)

This item activates the Office365 Container feature.

  • Set Outlook cached mode on successful container attach

If this feature is enabled and the Office365 Container is successfully attached, the Outlook setting that enables cache mode is temporarily set for the current session until the container is removed. This ensures that the cache mode is only used when the container is attached.

  • Dynamic VHD(X) allocation

If Dynamic VHD(X) allocation is enabled, the VHD(X) files are assigned dynamically. This means that the file size of the VHD(X) file only grows when data is added to the Office365 Container. If this option is not enabled, automatically created VHD(X) files will be directly allocated to the full data storage space.

  • Include Teams data in container

When Enabled, the Teams files are included in the Office365 Container.

  • Allow concurrent user sessions

This setting should be used when the target system is multi-session and allows simultaneous logins for the same Windows account on the same server.

/ Computer Configuration / Policies / Administrative Template / FSLogix / Office 365 Container / Container and Directory Naming

  • Swap directory name components

If it is enabled, new directories will be named with the user name first, followed by the SID.

Existing Profile Solution

You should exclude the following paths in your existing profile solution so that Office365 Container works smoothly.

  • OneDrive

%USERPROFILE%\AppData\Local\Microsoft\OneDrive

%USERPROFILE%\OneDrive – <TenantName>

  • Outlook

%USERPROFILE%\AppData\Local\Microsoft\Outlook

Result

After successful configuration, the result can be viewed as follows.

  • Launch compmgmt.msc from cmd or Run
  • Under Disk Management you can now see the attached Office365 container (here O365-mwinkel)
  • Click with the right mouse button on the Office365 Disk and assign a drive letter to it.
  • Now you can access the drive and check the data

Update existing FSLogix installation

Since I didn’t have good experiences with in-place upgrades with several versions of FSLogix, here’s my recommendation for the update process.

  • Replace FSLogix ADMX files
  • Uninstall the existing FSLogix components
  • Restart the machine
  • Install the new FSLogix version

Troubleshooting

Some notes on troubleshooting FSLogix.

Log Location

The log files are stored under the following path in the target system. The GPO can be used to define which logs are created.

C:\ProgramData\FSLogix\

Anti-Virus Exceptions

Target System (Worker)

  • C:\Program Files\FSLogix\Apps\frxdrv.sys and frxsvc.exe
  • C:\Windows\TEMP\ (exclude .VHD and .VHDX)

File Server

  • VHD(X) Directory, including subdirectory

Registry

In the registry you can check which settings are currently being used. These can be found under the following registry path.

Profile Container

HKLM\SOFTWARE\FSLogix\Profiles

Registry Reference

Office Container

HKLM\SOFTWARE\Policies\FSLogix\ODFC

Registry Reference

Cloud Cache

HKLM\SYSTEM\CurrentControlSet\Services\frxccd\Parameters

HKLM\SYSTEM\CurrentControlSet\Services\frxccds\Parameters

Registry Reference
