In this article, we’ll cover the considerations for deploying FSLogix Containers to provide a one-stop location for getting up and running quickly.
I’ve written previously on deploying Office 365 Containers and securing Profile Container and Office 365 Containers. This article is an updated version of those articles in a single location with some additional information to make your deployment successful.
Architecture
The beauty of FSLogix Profile Containers and Office 365 Containers is the simplicity in approach that FSLogix has taken to solving the challenges of the end-user and administrator experiences.I like to refer to FSLogix’s approach as no-architecture or architecture-less. What I mean by this is that there are no components, other than the FSLogix agent, to implement in your environment. In this approach, FSLogix solutions are flexible and deployed practically anywhere, whether on-premises or in a public cloud.The FSLogix Containers architecture consists of:
- The FSLogix agent – a single agent that provides all functionality. The agent is either deployed to physical PCs, virtual desktops or in a master image
- Group Policy – centralised configuration with existing infrastructure
- Storage – host FSLogix Containers on standard SMB-based storage. Be sure to match SMB versions between clients and server for best performance. Shared folders could be hosted on Windows Server or natively by an existing storage array.
That’s it! No additional management layers, no back-end, no database, no web tier. Deployed using the services you already own.
Storage
The most detailed considerations you may have will be for storage. Most partners and customers that I’ve spoken to are using tiered storage or all-flash arrays, so storage performance should be excellent. You may need to give more consideration for storage performance to Profile Containers (rather than Office 365 Containers), given the nature of Windows Profiles; however, FSLogix Profile Containers will assist in optimising storage performance for profiles.
Your storage layer should provide high availability, so disaster recovery will be something that to design for based on specific recovery requirements. In most cases, there’s no need to replicate the Office 365 Containers because they contain only a cache of data stored in Office 365. Profile Containers will have a more significant impact on the user experience if unavailable, so consider replications to a secondary data centre.
Preparing for Deployment
To prepare for deploying Profile Containers or Office 365 Containers, the primary process will be:
- Create a secure shared folder to host the FSLogix Containers
- Install the FSLogix agent into your master image
- Create domain groups to allow targeting Containers to specific users
- Create a Group Policy Object to configure the Profile Containers and Office 365 Containers Computer settings
Finally, you can deploy your master image and link the GPO to the OU containing your computer accounts.
A secure shared folder location for the FSLogix Containers is vital for ensuring least privilege. It’s likely you’re already doing this for home folders or user profiles.
Microsoft has documented this approach in this article: How to dynamically create security-enhanced redirected folders or home folders
If you want to take a shortcut, or are looking to automate the process, we have a script that you can use as a template, listed below. Use at your own risk, of course.
| @ECHO OFF | |
| REM Creating secure shared folders | |
| REM Sample articles: | |
| REM https://support.microsoft.com/en-us/help/274443/how-to-dynamically-create-security-enhanced-redirected-folders-by-using-folder-redirection-in-windows-2000-and-in-windows-server-2003 | |
| REM https://technet.microsoft.com/en-us/library/jj649078(v=ws.11).aspx | |
| REM Create and share folders with permissions for FSLogix Profile Containers or Office 365 Containers | |
| md e:FSLogixContainers | |
| net share FSLogixContainers=e:FSLogixContainers /GRANT:Users,CHANGE /GRANT:Administrators,FULL /CACHE:None /REMARK:“FSLogix Containers“ | |
| icacls e:FSLogixContainers /inheritance:d | |
| icacls e:FSLogixContainers /remove Users | |
| icacls e:FSLogixContainers /grant Users:(S,RD,AD,X,RA) |
view rawNew-SecureSharedFolder.cmd hosted with ❤ by GitHub
Install the FSLogix Agent
Install the agent via the simple Setup programme – the only options you’ll have to change are the product key or the installation folder. If you are installing an evaluation, use an evaluation key or leave the product key blank to enable the agent fully featured for 30 days.
Installing the FSLogix agent
Documentation for installing the agent, including a silent install, see the FSLogix documentation article: FSLogix Apps Agent Installation.
For testing or evaluation, you could install in a stand-alone VM or a test image. Installing the agent will require a reboot.
Domain Groups
With the agent installed, local groups are created to enable the inclusion or exclusion of users for Profile Containers and Office 365 Containers. By default, the local FSLogix Include groups include Everyone, which will enable Containers for administrator accounts as well.
Via Group Policy, we’ll replace these memberships with new domain groups. The best method will be to remove Everyone and add the domain groups for the most straightforward configuration. Adding users or groups the local Exclude groups will increase complexity.
We recommend creating two groups to target each of the Container products – one for Profile Containers and the other for Office 365 Containers. Add users to these groups to enable the features on target desktops.
Configure Group Policy
FSLogix Apps version 2.8.10 (and above) includes an administrative template for configuring Profile Containers and Office 365 Containers.
In this article, I’m going to configure both Profile Containers and Office 365 Containers. The settings outlined below are equally applicable for deploying Office 365 Containers only.
Settings for each feature set are documented here:
At a minimum, I want to enable Containers, configure a storage location and add the domain groups to the local machine groups.
The tables here lists the settings I’ve used in this scenario for an RDS or XenApp deployment on Windows Server 2012 R2 or above. Some settings such as Search Roaming and Virtual Disk type may need to be adjusted accordingly.
| Path | Setting | Value |
|---|---|---|
| FSLogix | Enable search roaming | Multi-user search |
| FSLogix / Office 365 Containers | Enabled | Enabled |
| Include Office activation data in container | Enabled | |
| Include OneDrive data in container | Enabled | |
| Include OneNote data in container | Enabled | |
| Include Outlook data in container | Enabled | |
| Include Skype data in container | Enabled | |
| Include Office activation data in container | Enabled | |
| Set Outlook cached mode on successful container attach | Enabled | |
| Store search database in Office 365 container | Enabled | |
| VHD location | \serversharefolder | |
| Virtual disk type | VHDX | |
| FSLogix / Profile Containers | Enabled | Enabled |
| VHD Location | \serversharefolder | |
| Delete local profile when FSLogix Profile should apply | Enabled | |
| FSLogix / Profile Containers / Advanced | Redirect temporary file folders to local computer | Enabled |
| FSLogix / Profile Containers / Container and Directory Naming | Virtual disk type | VHDX |
Local Groups
Local group membership is best managed through Group Policy Preferences. Here I’m ensuring the groups I created earlier are added to the local groups to enable targeting of the FSLogix features.
Managing FSLogix Local Groups with Group Policy
Deploy
Now that the individual components are configured, we can deploy the solution. The essential steps in a deployment process should be:
- Add user accounts to the domain groups
- Link the GPO to the correct target computer organisational unit
- Deploy the updated master image
The FSLogix agent creates a Profile or Office 365 Container at user login. Viewing the user’s folder will then look similar to this:
My containers after logging into a published desktop a few times
With several user sessions having logged into my environment, I can see a folder for each user in my target share.
FSLogix Container share
Tips
It is important to understand that the FSLogix agent does not change the behaviour of applications – instead it enables applications to operate just as they do on a physical PC.
Here are our tips for success:
- Ensure the GPO is assigned to the OU containing the computer accounts
- Double check share permissions and anything that could possibly lock Containers (e.g. backup products using VSS)
- Ensure OST files are stored in the default location (AppDataLocalMicrosoftOutlook)
- Remove user-level GPOs that enforce Outlook cached-mode so that the FSLogix agent can set this automatically
- Configure the ‘Mail to keep offline’ feature in Outlook to keep the cache to a minimum. It’s likely that most users can live a cache set to 3-months; however, some environments may require more
- On Windows Server, install the Windows Search feature and enable the Windows Search service
- The OneDrive client will synchronise the user’s entire folder. On Windows 10 1709 and above, the ‘Files On-Demand’ feature enabled download of files on access, thus reducing storage requirements
- Use ReFS for best performance
Finally, I highly recommend enabling Modern Authentication across your Office 365 tenant to improve the overall user experience.
