FSLogix Profile Containers and Office 365 Containers Deployment Guide

In this article, we’ll cover the considerations for deploying FSLogix Containers to provide a one-stop location for getting up and running quickly.

I’ve written previously on deploying Office 365 Containers and securing Profile Container and Office 365 Containers. This article is an updated version of those articles in a single location with some additional information to make your deployment successful.

Architecture

The beauty of FSLogix Profile Containers and Office 365 Containers is the simplicity of the approach that FSLogix has taken to solving the challenges of the end-user and administrator experiences. I like to refer to FSLogix’s approach as no-architecture or architecture-less. What I mean by this is that there are no components, other than the FSLogix agent, to implement in your environment. With this approach, FSLogix solutions are flexible and can be deployed practically anywhere, whether on-premises or in a public cloud.

The FSLogix Containers architecture consists of:

  • The FSLogix agent – a single agent that provides all functionality. The agent is either deployed to physical PCs, virtual desktops or in a master image
  • Group Policy – centralised configuration with existing infrastructure
  • Storage – host FSLogix Containers on standard SMB-based storage. Be sure to match SMB versions between clients and server for best performance. Shared folders could be hosted on Windows Server or natively by an existing storage array.

That’s it! No additional management layers, no back-end, no database, no web tier. Deployed using the services you already own.

Storage

The most detailed considerations you may have will be for storage. Most partners and customers that I’ve spoken to are using tiered storage or all-flash arrays, so storage performance should be excellent. You may need to give more consideration for storage performance to Profile Containers (rather than Office 365 Containers), given the nature of Windows Profiles; however, FSLogix Profile Containers will assist in optimising storage performance for profiles.

Your storage layer should provide high availability, and disaster recovery is something to design for based on specific recovery requirements. In most cases, there’s no need to replicate the Office 365 Containers because they contain only a cache of data stored in Office 365. Profile Containers will have a more significant impact on the user experience if unavailable, so consider replication to a secondary data centre.

Preparing for Deployment

To prepare for deploying Profile Containers or Office 365 Containers, the primary process will be:

  • Create a secure shared folder to host the FSLogix Containers
  • Install the FSLogix agent into your master image
  • Create domain groups to allow targeting Containers to specific users
  • Create a Group Policy Object to configure the Profile Containers and Office 365 Containers Computer settings

Finally, you can deploy your master image and link the GPO to the OU containing your computer accounts.

A secure shared folder location for the FSLogix Containers is vital for ensuring least privilege. It’s likely you’re already doing this for home folders or user profiles.

Microsoft has documented this approach in this article: How to dynamically create security-enhanced redirected folders or home folders

If you want to take a shortcut, or are looking to automate the process, we have a script that you can use as a template, listed below. Use at your own risk, of course.

  @ECHO OFF
  REM Creating secure shared folders
  REM Sample articles:
  REM https://support.microsoft.com/en-us/help/274443/how-to-dynamically-create-security-enhanced-redirected-folders-by-using-folder-redirection-in-windows-2000-and-in-windows-server-2003
  REM https://technet.microsoft.com/en-us/library/jj649078(v=ws.11).aspx
   
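  REM Create and share folders with permissions for FSLogix Profile Containers or Office 365 Containers
  md e:\FSLogixContainers
  REM Share permissions: Users get Change, Administrators get Full; offline caching is disabled
  net share FSLogixContainers=e:\FSLogixContainers /GRANT:Users,CHANGE /GRANT:Administrators,FULL /CACHE:None /REMARK:"FSLogix Containers"
  REM Stop inheriting from the parent folder; inherited entries are copied as explicit entries
  icacls e:\FSLogixContainers /inheritance:d
  REM Remove the copied Users entries, then grant Users rights on this folder only
  REM (traverse, list, read attributes, create subfolders); the entry is not inherited by subfolders
  icacls e:\FSLogixContainers /remove Users
  icacls e:\FSLogixContainers /grant Users:(S,RD,AD,X,RA)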

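To confirm the result is actually least privilege, the folder ACL and share settings can be audited after the script has run. The following PowerShell is an added example, not part of the original script; it assumes the path and share name used above and an English-language server for the Administrators account name.

```powershell
# Added example: audit the folder and share created by the script above.
# Assumption: path and share name are the ones used in that script.
$Path     = 'E:\FSLogixContainers'
$Share    = 'FSLogixContainers'
$usersSid = 'S-1-5-32-545'   # BUILTIN\Users (well-known SID, locale independent)
$ownerSid = 'S-1-3-0'        # CREATOR OWNER

# Rights granted by icacls (S,RD,AD,X,RA): traverse, list and create subfolders
$expected = [System.Security.AccessControl.FileSystemRights]'Synchronize, ListDirectory, CreateDirectories, Traverse, ReadAttributes'
$findings = @()

$acl = Get-Acl -Path $Path
if (-not $acl.AreAccessRulesProtected) {
    $findings += 'Inheritance from the parent folder is still enabled.'
}

$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
foreach ($rule in $rules) {
    if ($rule.IdentityReference.Value -ne $usersSid -or $rule.AccessControlType -ne 'Allow') { continue }
    # Any right outside the expected set is more than the script grants
    if (([int]$rule.FileSystemRights -band (-bnot [int]$expected)) -ne 0) {
        $findings += "Users hold unexpected rights: $($rule.FileSystemRights)"
    }
    if ($rule.InheritanceFlags -ne 'None') {
        $findings += 'A Users entry is inherited by subfolders and files.'
    }
}
# Users rely on the CREATOR OWNER entry to work in the folder they create
if (-not ($rules | Where-Object { $_.IdentityReference.Value -eq $ownerSid })) {
    $findings += 'No CREATOR OWNER entry: users may be unable to use the folders they create.'
}

$smb = Get-SmbShare -Name $Share
if ($smb.CachingMode -ne 'None') {
    $findings += "Offline caching is $($smb.CachingMode), expected None."
}
# Account name is locale dependent; adjust on non-English servers
foreach ($ace in Get-SmbShareAccess -Name $Share) {
    if ($ace.AccessRight -eq 'Full' -and $ace.AccountName -ne 'BUILTIN\Administrators') {
        $findings += "Share grants Full Control to $($ace.AccountName)."
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Folder ACL and share settings match the script.' }
```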

Install the FSLogix Agent

Install the agent via the simple Setup programme – the only options you’ll have to change are the product key or the installation folder. If you are installing an evaluation, use an evaluation key or leave the product key blank to enable the agent fully featured for 30 days.

Installing the FSLogix agent

For documentation on installing the agent, including a silent install, see the FSLogix documentation article: FSLogix Apps Agent Installation.

For testing or evaluation, you could install in a stand-alone VM or a test image. Installing the agent will require a reboot.

Domain Groups

With the agent installed, local groups are created to enable the inclusion or exclusion of users for Profile Containers and Office 365 Containers. By default, the local FSLogix Include groups include Everyone, which will enable Containers for administrator accounts as well.

Via Group Policy, we’ll replace these memberships with new domain groups. The best method will be to remove Everyone and add the domain groups for the most straightforward configuration. Adding users or groups to the local Exclude groups will increase complexity.

We recommend creating two groups to target each of the Container products – one for Profile Containers and the other for Office 365 Containers. Add users to these groups to enable the features on target desktops.

Configure Group Policy

FSLogix Apps version 2.8.10 (and above) includes an administrative template for configuring Profile Containers and Office 365 Containers.

In this article, I’m going to configure both Profile Containers and Office 365 Containers. The settings outlined below are equally applicable for deploying Office 365 Containers only.

Settings for each feature set are documented here:

At a minimum, I want to enable Containers, configure a storage location and add the domain groups to the local machine groups.

The table here lists the settings I’ve used in this scenario for an RDS or XenApp deployment on Windows Server 2012 R2 or above. Some settings such as Search Roaming and Virtual Disk type may need to be adjusted accordingly.

| Path | Setting | Value |
|------|---------|-------|
| FSLogix | Enable search roaming | Multi-user search |
| FSLogix / Office 365 Containers | Enabled | Enabled |
| | Include Office activation data in container | Enabled |
| | Include OneDrive data in container | Enabled |
| | Include OneNote data in container | Enabled |
| | Include Outlook data in container | Enabled |
| | Include Skype data in container | Enabled |
| | Set Outlook cached mode on successful container attach | Enabled |
| | Store search database in Office 365 container | Enabled |
| | VHD location | \\server\share\folder |
| | Virtual disk type | VHDX |
| FSLogix / Profile Containers | Enabled | Enabled |
| | VHD Location | \\server\share\folder |
| | Delete local profile when FSLogix Profile should apply | Enabled |
| FSLogix / Profile Containers / Advanced | Redirect temporary file folders to local computer | Enabled |
| FSLogix / Profile Containers / Container and Directory Naming | Virtual disk type | VHDX |

Local Groups

Local group membership is best managed through Group Policy Preferences. Here I’m ensuring the groups I created earlier are added to the local groups to enable targeting of the FSLogix features.

Managing FSLogix Local Groups with Group Policy
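
Once the GPO has applied, the local group membership can be checked on a session host to confirm that Everyone has been replaced by the domain groups. This PowerShell is an added example, not from the original article; it assumes Windows PowerShell 5.1 (for Get-LocalGroupMember) and the agent's default local group names, which the article does not list.

```powershell
# Added example: run on a session host after the GPO has applied.
# Assumption: the agent's default local group names (not listed in the article).
$includeGroups = 'FSLogix Profile Include List', 'FSLogix ODFC Include List'
$excludeGroups = 'FSLogix Profile Exclude List', 'FSLogix ODFC Exclude List'
$everyoneSid   = 'S-1-1-0'   # Everyone (well-known SID, locale independent)

function Get-MemberSid {
    param([Parameter(Mandatory)][string]$Group)
    # Returns the SID strings of the group's members; throws if the group cannot be read
    $members = @(Get-LocalGroupMember -Group $Group -ErrorAction Stop)
    foreach ($m in $members) { $m.SID.Value }
}

$findings = @()
foreach ($group in $includeGroups) {
    try { $sids = @(Get-MemberSid -Group $group) }
    catch { $findings += "Cannot read '$group': $($_.Exception.Message)"; continue }

    # The default membership enables Containers for every account, administrators included
    if ($sids -contains $everyoneSid) {
        $findings += "'$group' still contains Everyone."
    }
    # After the GPO applies, at least one targeted (domain) group should be present
    $targeted = @($sids | Where-Object { $_ -ne $everyoneSid })
    if ($targeted.Count -eq 0) {
        $findings += "'$group' has no targeted group; the domain group has not been added."
    }
}
foreach ($group in $excludeGroups) {
    try { $sids = @(Get-MemberSid -Group $group) }
    catch { $findings += "Cannot read '$group': $($_.Exception.Message)"; continue }

    # Exclusions are allowed but make targeting harder to reason about
    if ($sids.Count -gt 0) {
        $findings += "'$group' has $($sids.Count) member(s); review whether the exclusion is needed."
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Local FSLogix groups match the intended targeting.' }
```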

Deploy

Now that the individual components are configured, we can deploy the solution. The essential steps in a deployment process should be:

  • Add user accounts to the domain groups
  • Link the GPO to the correct target computer organisational unit
  • Deploy the updated master image

The FSLogix agent creates a Profile or Office 365 Container at user login. Viewing the user’s folder will then look similar to this:

My containers after logging into a published desktop a few times

With several user sessions having logged into my environment, I can see a folder for each user in my target share.

FSLogix Container share

Tips

It is important to understand that the FSLogix agent does not change the behaviour of applications – instead it enables applications to operate just as they do on a physical PC.

Here are our tips for success:

  • Ensure the GPO is assigned to the OU containing the computer accounts
  • Double check share permissions and anything that could possibly lock Containers (e.g. backup products using VSS)
  • Ensure OST files are stored in the default location (AppData\Local\Microsoft\Outlook)
  • Remove user-level GPOs that enforce Outlook cached-mode so that the FSLogix agent can set this automatically
  • Configure the ‘Mail to keep offline’ feature in Outlook to keep the cache to a minimum. It’s likely that most users can live with a cache set to 3 months; however, some environments may require more
  • On Windows Server, install the Windows Search feature and enable the Windows Search service
  • The OneDrive client will synchronise the user’s entire folder. On Windows 10 1709 and above, the ‘Files On-Demand’ feature enables download of files on access, thus reducing storage requirements
  • Use ReFS for best performance

Finally, I highly recommend enabling Modern Authentication across your Office 365 tenant to improve the overall user experience.
