Aaron Parker, a solutions architect at Insentra, will walk us through the deployment basics for FSLogix profile containers and Office 365 containers.
READ THE TRANSCRIPT
Aaron: Hello, and, welcome to this deployment guide for FSLogix profile containers and Office 365 containers. My name is Aaron, and I’m a solution architect at Insentra. In this video, I’ll walk you through the deployment basics and some of the technical considerations for getting FSlogix containers up and running for an evaluation. Before we jump into configuring containers, let’s take a quick look at the architecture.
The architecture is very simple, very straightforward, consists mainly of an agent. The agent is deployed into your Windows desktop VMs or Windows Server, whether you’re deploying XenApps, XenDesktop, Microsoft RDS, VMware Horizon. It’s all the same approach, the agent goes into your master image, goes into your virtual machines, and review and managing those VMs.
Management is done through group policy. There’s no management infrastructure introduced by FSLogix, all the configuration is done via group policy or group policy preferences. It works with existing storage. That storage could be Windows file server or it could be the native storage presented by your underlying storage line. The containers themselves are either a VHD or VHDX that are stored on that fileshare and accessed via the agent over SMB.
At this point, it’s worth pointing out that the architecture is independent of the underlying hypervisor. In this instance, I may be deploying into an on-prem deployment, and I can support Hyper-V, vSpheres and server, AHV. Whatever it is, it doesn’t really matter to FSLogix because the agent is installed inside the Windows desktop. Additionally, this makes it independent of public Cloud platforms. The same approach can be taken if I was deployed to Microsoft Azure or Amazon AWS as well.
With profile containers, I can redirect or encapsulate the entire user profile into a virtual disk. By virtue of that, virtual disk being reattached to the VM when the user logs on, their profile, the entire profile in this case will roam between sessions. This enables you to support new operating systems like Windows 10 or Windows Server 2016, which are a bit of a challenge to support with traditional profile management solutions.
It also enables you to support additional application types. Consider applications such as Microsoft Teams, Slack, and so on, that install into the user’s profile. Profile containers makes it very simple to support these new types of applications. With Office 365 containers, it’s simplest to think of Office 365 containers as a subset of profile containers. Office 365 containers allows you to provide the feature set with an existing profile management solution.
For example, you could deploy Office 365 containers with Citrix profile management. In this case, with Office 365 containers, I can support a number of features including the Office 365 activation. I can enable Outlook cache mode, I can install the OneDrive for Business client and run the sync folder. I can capture or store the Skype for Business address book. Similarly, with OneNote. OneNote stores a cache in the local profile, and I can run that with Office 365 containers.
Finally, I can also run Windows search. Windows search, I might turn on for things like Outlook. I want to enable instant search in Outlook, and this works on the XenApp, Windows Server 2016, IDS and VMware Horizon, and then Windows search if I’m using that in the VDI environment. This will also capture the index for the file system as well. Now that we’ve had a brief look at the architecture, I’m going to move on to configuration of profile containers and Office 365 containers in my live environment.
It’s important to know that my live environment is fairly simple. I’ve run a couple of Hyper-V hosts. I have a Windows Server 2016, image deployed via Citrix XenDesktop. I’m going to be using a Windows Server 2016 file server. In this instance, I’m going to configure Office 365 containers first, and then I’m going to go back and reconfigure profile containers in the second part. The first ever course will be to download the binaries.
If you are a customer doing an evaluation, we’ll have typically provided you with an evaluation license that link to the installer of the binaries. For partners and customers who have already purchased the license, you’ll have access to support.fslogix.com. This is great because it provides you access to all the latest releases. Also, it gives you access to a knowledge base and the forum.
Once I log in, and I go to the announcements and product download section, I can see the available downloads. It’s important perhaps to keep an eye on this as there are new releases released fairly regularly which may address issues. Here, I’m going to go and download FSLogix apps version 2.8.10. I’m going to install the FSLogix apps agent into my master image. I’ve downloaded the latest version of the agent and extracted it locally.
The first thing you’ll see here is an administrative template group policy, we’ll use to configure profile containers and Office 365 containers a bit later. I’m going to go and install the 64-bit version of the agent because I’m on Windows Server 2016, quick install. Then if I leave this without a product key– it don’t necessarily need an evaluation key. If I leave it without a product key, I will get a fully featured 30-day trial.
It will install to program files, a quick install. Pretty straightforward and fast installation, click close and I’m done. Now, this will typically require a reboot, but you would likely be doing that as part of your image update management anyway. One of the things to note with the agent is that it creates a few local groups. There are Office 365 exclude list, include list, and the profile exclude list and the include list.
What this does, this enables you to target profile containers and Office 365 containers to specific users or groups of users. If I look in the include groups, this will include everyone by default. The Office 365 include list has the everyone group, and the profile include list group has the everyone group in there by default in there as well. What this means is that once you enable the functionality, if you enable profile containers and you enable Office 365 containers, by default, the functionality will work for everyone who logs on to the machine.
A bit later on, I’m going to utilize group policy preferences to control the local group membership. Let’s have a quick look at the agent itself, or after it’s been installed. If I go to program files FSLogix apps, I’m just going to filter here on application or see a few files, so we have the configuration tool. This can be used to configure profile containers. It won’t configure Office 365 containers.
Instead though, I’m going to go and configure that via group policy. I’m going to configure profile containers and Office 365 containers through a consistent method. I also have an FRx tray. This will show you the status of profile containers. Today, it doesn’t show you the status of Office 365 containers. This trips people up sometimes. It’s worth just noting this will only show the status for profile containers.
Now, I’ve got two configuration tasks to get the containers up and running. The first is to provide storage, and then the second is to configure group policy to deploy the configuration to my target endpoints. This storage I’ve created, I foldered, that’s going to be shared out to where the containers will be stored. We can set secure permissions for this folder. Here, I have Creator Owner with full control, and users with special permissions to only create folders within this top level folder. This is exactly the same approach as you would take for secure home directories or profiles.
If you’re going to put this on Windows Server 2016, and your endpoints or your virtual machines are running Windows 10 or Windows Server 2016, I will highly recommend considering formatting the petition with our AFS. This will provide better performance because our AFS provides much better support for disk operations with virtual disks or VHDs, VHDXs, is that in that virtual container or that virtual disk will be instantly created. If there’s any point that that virtual disk needs to expand, then that disk operation, again, is going to be faster.
I’ve also taken those group policy templates and copied them over to my policy definitions folder on my controller. Now, when I go and create a group policy object, I can assign this and edit the FSLogix settings in it. First thing I’ve done here though, is I’ve created a number of groups, actually, two groups. One for profile containers and one for Office 365 containers. What I do with these domain groups, is then I use these to target specific users for Office 365 containers or profile container’s functionality.
If I wanted to target this only for a specific subset of users, or as I showed you previously, those local groups, the include list groups include everyone. This includes the administrators who logon to the machine. What I’m going to do through group policy is remove the everyone group and replace that with these groups. Now, I’m going to create my group policy object, accredited GPO, and assign this to the organizational unit that contains my target VM computer accounts.
All the FSLogix apps, GPO configuration is a computer level configuration. If everyone look at this, I’ve got a few settings in here that I’ve enabled, and I’m just going to walk through those. First off, we’re going to enable Office 365 containers, pretty straightforward. All of the feature is enabled or disabled. Then I’m going to include the various Office 365 functionality within the container. Basically, what I’m doing here is I’m explicitly enabling these features to be turned on. Typically, they should be turned on automatically, but I can explicitly set them in the GPO.
Next, I’m going to have the FSLogix agent automatically configure Outlook into cache mode on successful container attach. What this means is if the container is attached and the users starts Outlook, it will be set into cache mode. If you have a GPO that is perhaps enforcing cache mode or forcing online mode on the user organizational unit, your setting there will override the FSLogix setting in this GPO.
I’m also going to store the search database in Office 365 containers. I can store the Windows search database in the profile container or the Office 365 container. If I’m setting up Office 365 containers only, of course, I need to set the search database to be there. If I’m configuring both profile containers and Office 365 containers, I would still highly recommend putting the Windows search database into the Office 365 container, just reducing the size of the profile container.
I’m going to set a VHD location. I have a DFS namespace that I have configured to host my profile containers and Office 365 containers, and I’m going to set a virtual disk type. In this instance, I’m using Windows Server 2016. If you’re using Windows 10, Windows Server 2016, even if you’re on Windows 2012 or Windows 8, you can use VHDX. If you are still on Windows 7 or Windows Server 2008R2, those operating systems don’t understand VHDX, so you need to use VHDs.
Next, I’ll configure group policy preferences to manage the local groups. We saw previously, we have the ODFC include and exclude list groups and the profile include and exclude list groups. By default, those include lists include everyone. I think it’s important to instead target the functionality to a specific domain group. I’m going to configure group policy preferences to delete all member groups and users, and add in my Office 365 domain group into that local group. I’m going to do the same thing with profile container list as well.
I think, regardless of whether you are using Office 365 containers and profile containers, or perhaps you’re only using Office 365 containers, I would actually configure group policy preferences to manage the group membership of both of those local groups. Now, I’m going to test the functionality of Office 365 containers. The way I’m going to do this is I’m going to log directly onto my master image with my test account.
I’ve done that now. The way I can actually go and test whether Office 365 containers is working, is I can go and view the virtual disk attached with disk manager, or I can go and look at the FRx command line tool to show me what’s actually being redirected into the container. First, I’m going to elevate a command prompt so that I can look at disk manager. Here, I can see the virtual disk attached to this virtual machine. This is the virtual disk that is being redirected into my session.
Here, I can go and assign a tool if I want to view what’s inside it. If I go and look at this, I can see inside the virtual disk. I can see that a few folders have been created in here, this look a little bit like Outlook. The Office licensing, of course, OneDrive and OneNote, a couple of Skype for Business folders and the Windows Search folder. To provide a little bit more information, let’s go and look at the FRx tool.
If I run FRx and list-redirect, I can see all the redirects that are recurring out of my user profile and into that virtual disk. Now that I have configured and tested Office 365 containers, I want to come back to the GPO and configure profile containers. Again, I’m going to go in here and enable setting. Pretty straightforward, and I’m going to set a VHD location. In this case, I’m setting the same DFS path. I could separate the two if I wanted to. I could put profile containers on different storage, and then I may do the Office 365 container.
Additionally, I want to set the VHD type. Because my target environment is Windows Server 2016, I want to use a VHDX. Now that I’ve set my group policy, I have my local group set as well, I’m going to get back to my master image, refresh group policy, and then log back on with my test account. Now that I have configured both profile containers and Office 365 containers, I’m going to log back on to my image with my test account and have a look at the result.
Here I can see now that in disk management, I have both a virtual disk for the profile container as well as the virtual disk for the Office 365 container. If I go and sign a drive later to the profile container, I can go and open this up and have a look inside this. It looks just like you’d expect a profile to look like. If I go and look at something like Google Chrome, for example, I can see in here that I’m actually encapsulating the Google Chrome profile folder inside the profile container.
If I go and look at the redirect, this will look a little bit different than I did previously because I’m going to have some additional redirects. I have redirects in here for the profile in addition to those redirects that I already had in place for the Office 365 container. I can go and look at Outlook now. I have set Outlook to cache mode. I’m storing three months worth at the mailbox.
It’s important to understand that the FSLogix agent does not change the behavior of the applications. The behavior of the apps still works exactly the same way that users would expect. From an application perspective, it has no idea what the FSLogix agent is doing underneath. Setting cache mode will work the same. The Outlook, the client, and Windows search will work exactly the same way as it did previously, and other applications like Skype for Business, OneDrive, and so on, will work just like they would do on a physical PC or a persistent virtual machine.
Now that we’ve tested the functionality, let’s go take a quick look at where the containers are actually stored. If I browse to that shared folder, I’m going to see a result that looks a bit like this. I have a folder that’s structured with the user’s ID and the username for each user. If I look inside that folder, I’m going to see a container for the profile container, and container or a virtual disk for the Office 365 container.
Note that this will start at 30 meg, and they will grow up to about 300 meg by default. You may want to consider your specific requirements or the environment that you’re working in, and work out what that maximum size should be. If 300 meg is not large enough, you can change the maximum size inside the GPO. In this deployment guide, I have provided a short overview of configuring and deploying FSLogix Office 365 containers and profile containers.
The task shown in this video, pretty straightforward. I’ve downloaded the FSLogix agent from the support.fslogix.com site. If you’re partners or a customer, it’s very important, I think, to keep an eye on that site for new releases and updates. I’ve configured storage in a fileshare on a Windows Server 2016 VM, with secure permissions for that fileshare as well. I’ve created actual directory groups to target the functionality. Rather than targeting everyone by default, I’m targeting only specific sets of users who are in those groups.
I’ve configured group policy for both profile containers and Office 365 containers, and I’ve created a GPO that I’ve assigned to the computer for my target VMs. I’ve installed the agent into my master image. In this guide, I’ve installed it manually, but you could install it with the install in any type of automated deployment solution. I’ve gone ahead and tested and deployed the solution.
I’ve logged on with the test account. I’ve shown you the containers that are attached to the virtual machine when the user logs on, and also running the FRx tool to look at the redirects. Again, it’s also important to note that the FSLogix agent is not changing behavior of the applications. The applications have no knowledge that the storage is being redirected into a virtual disk.
Functions such as Outlook cache mode, OneDrive for Business, Skype for Business, install and work, and I configured just exactly the same as you would do in a persistent environment. From a user perspective, they get the look and feel of a persistent virtual machine or even a physical desktop. For next steps, as I’ve shown you on the video, once you get access to the downloads, you install without a key, you get a fully featured 30-day evaluation.
If you’re a customer looking for a more formal evaluation, we can provide you with an evaluation key. For more information, please e-mail, email@example.com. Thank you.
Want these insights delivered straight to your inbox?
Enter your details to join Insentragram
ABOUT AARON PARKER
Microsoft MVP, Citrix Technology Professional; Solution Architect | Insentra
A user experience guy first and foremost, Aaron is an experienced End User Computing Solutions Architect with a history delivering innovative end user projects to customers and organisations in APAC and the UK.
Awarded Citrix Technology Professional (2012-2016, 1 of 50 people worldwide), Microsoft Most Valuable Professional (2011-2016) and AppSense Community Contributor (since 2012) for community involvement and contributions with blogging and regular speaking at events including Citrix Synergy (US/EU), BriForum (US/EU), E2EVC and the UK Citrix User Group.