【Azure】User profile management solution — FSLogix profile containers within your AVD environment
In our previous posts, we explored configuring an Azure Virtual Desktop (AVD) environment specifically tailored for secure SAP access. Now, let’s shift our focus to using profile containers in the AVD environment.
Microsoft suggests using FSLogix profile containers as the preferred solution for managing user profiles in AVD. FSLogix offers several advantages over roaming profiles, including:
- Improved Performance:
  Traditional roaming profiles can become fragmented and slow down over time. FSLogix stores user profiles in a single, virtual disk (VHD) container, offering much faster access and reducing complexity.
- Reduced Management Overhead:
  Configuring and managing roaming profiles can be intricate, involving group policies and potential troubleshooting headaches. FSLogix takes a simpler approach, streamlining deployment and ongoing maintenance.
- Scalability for Cloud Environments:
  FSLogix integrates seamlessly with Azure Files, a managed file share service in Azure. This integration allows your AVD deployment to easily scale up or down as needed, without worrying about profile storage limitations.
- Non-Persistent Desktop Compatibility:
  AVD typically utilizes non-persistent desktops, where virtual machines are recreated periodically. Roaming profiles might not synchronize in time, leading to data loss. FSLogix containers are independent of the underlying VM, ensuring user profiles persist even with frequent rebuilds.
- Offline Access Option (with caching):
  FSLogix offers the ability to cache profile data locally on the AVD session host. This enables users to access some of their profile information even when offline, improving their experience.
The steps below outline the preliminary setup of FSLogix Profile Container with Azure Files and Microsoft Entra Domain Services.
Configure profile containers
FSLogix profile containers are a complete roaming profile solution for virtual environments. In my case, the container redirects the user profile into a storage account.
- The defaults on the remaining tabs don’t need to be changed.
- On the Advanced tab, Enable storage account key access must be left enabled.
To set up NTFS permissions, run the following on each VM in the AVD pool:
net use w: \\yourstorageaccountname.file.core.windows.net\profile [storageaccountaccesskey] /user:Azure\yourstorageaccountname
icacls w: /grant "domainname\AVDUsers:(M)"
icacls w: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls w: /remove "Authenticated Users"
icacls w: /remove "Builtin\Users"
To use Profile Container, make sure the latest FSLogix Apps is installed. Then use the commands below to enable Profile Container and point it at the file share in the storage account.
# FSLogix Profile Container settings live under this key
$regPath = "HKLM:\SOFTWARE\FSLogix\profiles"
# Enabled = 1 turns Profile Container on
New-ItemProperty -Path $regPath -Name Enabled -PropertyType DWORD -Value 1 -Force
# VHDLocations is the share where the profile containers are stored
New-ItemProperty -Path $regPath -Name VHDLocations -PropertyType MultiString -Value "\\yourstorageaccountname.file.core.windows.net\profile" -Force
Lastly, restart the VM in the pool. If you have more than one VM in the pool, repeat these steps on the remaining VMs. Once a user has connected, check the file share folder to confirm that the user profile exists.
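The registry values and share permissions set above can be checked on each session host with a read-only audit. The script below is an added example, not part of the original post; it reuses the post's placeholder share and group names and assumes the share is reachable over SMB from the session and that the group resolves exactly as written in `$avdGroup`.

```powershell
# Added example (not from the original post): read-only audit of one session host.
# Assumptions: placeholders are replaced with your own values and the share is reachable.
$share    = '\\yourstorageaccountname.file.core.windows.net\profile'  # placeholder from the post
$avdGroup = 'domainname\AVDUsers'                                      # placeholder from the post
$regPath  = 'HKLM:\SOFTWARE\FSLogix\profiles'
$modify   = [System.Security.AccessControl.FileSystemRights]::Modify
$findings = @()

# Registry: Profile Container must be enabled and point at the expected share.
$cfg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
if (-not $cfg) {
    $findings += "Registry key not found: $regPath"
} else {
    if ($cfg.Enabled -ne 1) { $findings += 'Enabled is not set to 1' }
    if ($cfg.VHDLocations -notcontains $share) { $findings += "VHDLocations does not list $share" }
}

# Allow entries in the NTFS ACL on the share root.
$allow = @((Get-Acl -Path $share).Access | Where-Object { $_.AccessControlType -eq 'Allow' })

# AVDUsers: Modify on the root folder only. A folder-only grant keeps the group's
# rights from flowing into the per-user profile folders created underneath.
$grp = @($allow | Where-Object { $_.IdentityReference.Value -eq $avdGroup })
if (-not ($grp | Where-Object { $_.FileSystemRights.HasFlag($modify) })) {
    $findings += "$avdGroup has no Modify entry on the share root"
}
if ($grp | Where-Object { $_.InheritanceFlags -ne 'None' }) {
    $findings += "$avdGroup entry is inherited by subfolders or files"
}

# CREATOR OWNER: Modify, inherit-only, applied to subfolders and files.
$co = $allow | Where-Object {
    $_.IdentityReference.Value -eq 'CREATOR OWNER' -and
    $_.FileSystemRights.HasFlag($modify) -and
    $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit' -and
    $_.PropagationFlags -eq 'InheritOnly'
}
if (-not $co) { $findings += 'CREATOR OWNER (OI)(CI)(IO)(M) entry not found' }

# Broad groups removed by the icacls /remove commands must not reappear.
foreach ($id in 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users') {
    if ($allow | Where-Object { $_.IdentityReference.Value -eq $id }) {
        $findings += "$id still has an Allow entry on the share root"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'FSLogix settings and share ACL match the expected configuration.' }
```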
A possible consideration: idle timeout GPO
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
- Set time limit for disconnected sessions
  End a disconnected session: 15 minutes
- Enabled the Policy: End session when time limits are reached
- Enabled the Policy: Set time limit for logoff of RemoteApp sessions