FSLogix Admin Guide
FSLogix Documentation
Overview
What is FSLogix?
Tutorials
Configure Profile Container
Configure Office Container
Configure Cloud Cache
Implement Application Masking
Concepts
Cloud Cache for resiliency and availability
Profile Container content
Application File Containers
Profile Container vs. Office Container
How-to Guides
Install FSLogix Agent
Create and managing Application Masking Rules
Apply masking rules to users, groups, and other contexts
Create Java Version Control rules
Configure concurrent and multiple connections
Configure Search Roaming
Configure storage for Profile Containers and Office Container
Configure per-user or per-group
Configure device-based licensing
Use visibility reports for Application Masking
Troubleshoot FSLogix
Reference
Profile Container registry configuration reference
Office Container registry configuration reference
Cloud Cache registry configuration reference
FSLogix Command Line Utility
FSLogix Disk Management Utility
Logging and diagnostics
FSLogix status and error codes
FSLogix installed components and functions reference
What is FSLogix?
7/9/2019 • 2 minutes to read
FSLogix is a set of solutions that enhance, enable, and simplify non-persistent Windows computing environments.
FSLogix solutions are appropriate for Virtual environments in both public and private clouds. FSLogix solutions
may also be used to create more portable computing sessions when using physical devices.
FSLogix solutions include:
Profile Container
Office Container
Application Masking
Java Version Control
Here's what you can do with FSLogix solutions:
Maintain user context in non-persistent environments
Minimize sign in times for non-persistent environments
Optimize file IO between host/client and remote profile store
Native (Local) profile experience, eliminating many compatibility issues with solutions using visible redirection,
such as User Profile Disk (UPD).
Simplify the management of applications and 'Gold Images'
Specify the version of Java to be utilized by specific URL and applications
Key capabilities
Redirect user profiles to a network location using Profile Container. Profiles are placed in VHD(X) files and
mounted at run time. It's common to copy a profile to and from the network when a user signs in and out of a
remote environment. Because user profiles can often be large, sign in and sign out times often become
unacceptable. Mounting and using the profile on the network eliminates delays often associated with solutions
which copy files.
Redirect only the portion of the profile that contains Office data by using Office Container. Office Container
allows an organization already using an alternate profile solution to enhance Office in a non-persistent
environment. This functionality is useful with the Outlook .OST file.
Applications use the profile as if it were on the local drive. Because the FSLogix solutions use a Filter Driver to
redirect the profile, applications don't recognize that the profile is on the network. Obscuring the redirection is
important because many applications won't work properly with a profile stored on remote storage.
Profile Container is used with Cloud Cache to create resilient and highly available environments. Cloud Cache
places a portion of the profile VHD on the local hard drive. Cloud Cache also allows an administrator to specify
multiple remote profile locations. The Local Cache, with multiple remote profile containers, insulates users from
network and storage failures.
Application Masking manages access to an application, font, printer, or other items. Access can be controlled by
user, IP Address range, and other criteria. Application Masking significantly decreases the complexity of
managing large numbers of gold images.
Requirements
You are eligible to access FSLogix Profile Container, Office 365 Container, Application Masking, and Java
Redirection tools if you have one of the following licenses:
Microsoft 365 E3/E5
Microsoft 365 A3/A5/Student Use Benefits
Microsoft 365 F1
Microsoft 365 Business
Windows 10 Enterprise E3/E5
Windows 10 Education A3/A5
Windows 10 VDA per user
Remote Desktop Services (RDS) Client Access License (CAL)
Remote Desktop Services (RDS) Subscriber Access License (SAL)
FSLogix solutions may be used in any public or private data center, as long as a user is properly licensed. FSLogix
tools operate on all operating systems newer than, and including:
Desktop - Windows 7
Server - 2008 R2
FSLogix solutions support both 32 bit and 64 bit where applicable
In no instance are FSLogix solutions supported in an environment that is not supported by Microsoft, or the
original software or equipment vendor
FSLogix solutions may have unique integration and advantages when used in conjunction with Windows Virtual
Desktop
Provide feedback
Visit the FSLogix forum to interact with the product team, support, and community participants.
Next steps
To get started, you'll need to download and install FSLogix then configure your environment for the desired
solution(s):
Install FSLogix
Profile Container is a full remote profile solution for non-persistent environments. Profile Container redirects the
entire user profile to a remote location. Profile Container configuration defines how and where the profile is
redirected.
Profile Container is inclusive of the benefits found in Office Container.
When using Profile Container, both applications and users see the profile as if it's located on the local drive.
In this tutorial, learn how to:
Configure Profile Container Registry Settings
Set up Include and Exclude User Groups
Prerequisites
Before configuring Profile Container:
Verify that you meet all entitlement and configuration requirements
Download and install FSLogix Software
Consider the storage and network requirements for your users' profiles
Verify that your users have appropriate storage permissions where profiles will be placed
Profile Container is installed and configured after stopping use of other solutions used to manage remote
profiles
Exclude the VHD(X) files for Profile Containers from Anti Virus (AV) scanning
Adding a user to the FSLogix Profile Exclude List group means that the FSLogix agent will not attach a FSLogix
profile container for the user. In the case where a user is a member of both the exclude and include groups,
exclude takes priority.
Profile Containers is now configured and ready to be used. In order to verify that Profile Container is working,
sign in as a user in the Included List group. Using File Manager, navigate to the location specified in
VHDLocations. Verify that a folder, with the user name and SID has been created.
Next Steps
Configure Cloud Cache
Tutorial: Configure Office Container to redirect
Microsoft Office user data
6/28/2019 • 6 minutes to read
Office Container redirects only areas of the profile that are specific to Microsoft Office, and is a subset of Profile
Container. Office Container enables and enhances the Microsoft Office experience in non-persistent
environments. Office Container will generally be implemented with another profile solution. Other solutions
must be configured to exclude the portions of the profile managed by Office Container.
When using Office Container, both applications and users see the portions of the profile managed by Office
Container as if they're located on the local drive.
All benefits of Office Container are automatic when using Profile Container. There is no need to implement
Office Container if Profile Container is your primary solution for managing profiles. Office Container could
optionally be used in conjunction with Profile Container, to place Office Data in a location separate from the rest
of the user's profile.
In this tutorial, learn how to:
Configure Office Container Registry settings
Set up Include and Exclude User Groups
Configure third party profile exclusions
Prerequisites
Before configuring Office Container:
Verify that you meet all entitlement and configuration requirements
Download and install FSLogix Software
Consider the storage and network requirements for your users' Office Containers
Verify that your users have appropriate storage permissions where Office Containers will be placed
Office Container is installed and configured only after configuring other profile solutions to exclude profile
areas managed by Office Container
Exclude the VHD(X) files for Office Container from Anti Virus (AV) scanning
Adding a user to the FSLogix ODFC Exclude List group means that the FSLogix agent will not attach a FSLogix
office container for the user. In the case where a user is a member of both the exclude and include groups, exclude
takes priority.
Office Containers is now configured and ready to be used. To verify Office Container is working, sign in as a user
included in the Include List group. Using File Manager, navigate to the location specified in VHDLocations. Verify
a folder, with the user name and SID has been created.
Next Steps
Configure Cloud Cache
Tutorial: Configure Cloud Cache to redirect profile
containers or office container to multiple Providers
6/28/2019 • 3 minutes to read
Cloud Cache is an optional add-on to Profile Container and Office Container. Before configuring it, understand Cloud Cache.
Full Configuration Settings for Cloud Cache are Here. For a full description of the purpose and use of Cloud
Cache, visit this page.
In this tutorial, learn how to:
Configure Cloud Cache for SMB
Configure Cloud Cache for Azure Page Blobs
Protect Azure Keys with Credential Manager
Prerequisites
Make sure the requirements are met
Install FSLogix
Verify that users have appropriate access to network file storage
Enabled DWORD 1
Any information that you would like to protect may be saved in Credential Manager, and accessed in this way. For
instance, if you wanted to protect both the Account Name and the Account Key, then system keys could be created
for both and used in the connection string as described above.
There are a number of ways to use Credential Manager, and any will work with the Azure connection string,
provided that the credential is stored under the SYSTEM user. The credential type is "generic", and the credential
name is prefixed with fslogix/.
frx.exe may be used to create, list and delete system keys.
frx.exe add-secure-key -<key keyName> -<value keyValue>
*Creates a key with a key name of fslogix/<keyName>, value of fslogix/<keyValue>
* /fslogix is added automatically when using frx.exe, don't manually add /fslogix
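The following audit is an added example, not code from the FSLogix documentation: it flags Cloud Cache Azure provider strings that still carry the Account Key in clear text instead of a Credential Manager reference. The `type=azure,connectionString="..."` layout and the `|fslogix/<keyName>|` reference form are assumptions about how the connection string is written, the function name is hypothetical, and the sample strings are constructed.

```powershell
# Added example, not FSLogix code. Sample provider strings are constructed.
# Assumptions: an Azure provider is written as type=azure,connectionString="...",
# and a field stored in Credential Manager is referenced as |fslogix/<keyName>|.

function Test-CloudCacheProvider {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Provider
    )
    process {
        # SMB providers carry no storage account secret, so there is nothing to check.
        if ($Provider -notmatch '(?i)\btype\s*=\s*azure\b') { return }

        # Redacted copy for reporting, so the audit output never repeats a key.
        $safe = [regex]::Replace(
            $Provider,
            '(?i)(\bAccountKey\s*=\s*)(?!\|fslogix/)[^;"]*',
            '${1}<redacted>')

        foreach ($field in 'AccountKey', 'AccountName') {
            $pattern = '(?i)\b{0}\s*=\s*(?<value>[^;"]*)' -f $field
            $match = [regex]::Match($Provider, $pattern)
            if (-not $match.Success) { continue }

            $value = $match.Groups['value'].Value.Trim()
            if ($value -match '^\|fslogix/[^|]+\|$') {
                $status = 'CredentialManagerReference'
                $detail = $value
            } elseif ($field -eq 'AccountKey') {
                $status = 'InlineSecret'
                $detail = '<{0} characters, not shown>' -f $value.Length
            } else {
                $status = 'InlineValue'
                $detail = $value
            }

            [pscustomobject]@{
                Field    = $field
                Status   = $status
                Detail   = $detail
                Provider = $safe
            }
        }
    }
}

# Constructed sample values; the server, account name and key are placeholders.
$sampleProviders = @(
    'type=smb,connectionString=\\fileserver.example\profiles'
    'type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey=Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==;EndpointSuffix=core.windows.net"'
    'type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=|fslogix/AccountName|;AccountKey=|fslogix/AccountKey|;EndpointSuffix=core.windows.net"'
)

$results = $sampleProviders | Test-CloudCacheProvider
$results | Format-Table Field, Status, Detail -AutoSize

$inline = @($results | Where-Object { $_.Status -eq 'InlineSecret' })
if ($inline.Count -gt 0) {
    Write-Warning ('{0} provider(s) store the Account Key in clear text.' -f $inline.Count)
}
```

Pass the function the provider strings exported from your own Cloud Cache configuration. Any `InlineSecret` row is a key readable by whoever can read that configuration.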
Next Steps
Implement Application Masking
Tutorial: Implement FSLogix Application Masking
6/28/2019 • 2 minutes to read
Use Application Masking to manage user access of installed components. Application Masking may be used in
both physical and virtual environments. Application Masking is most often applied to manage non-persistent,
virtual environments, such as Virtual Desktops.
In this tutorial, learn how to:
Create your first Rule Set
Test your Rule Set
Make Assignments for your Rule Set
Deploy your Rule Set
Prerequisites
Verify that Entitlement and other Requirements are met
Install FSLogix on all client machines that will use Application Masking
Install Application Masking Rules Editor on machines that administrators will use to create rules
Install all applications, printers, fonts, and other resources to be managed with Application Masking
Apply any organization-specific configuration for intended environments
Next Steps
Configure Profile Container
Cloud Cache to create resiliency and availability
6/28/2019 • 4 minutes to read
Cloud Cache is a technology that provides incremental functionality to Profile Container and Office Container.
Cloud Cache uses a Local Profile to service all reads from a redirected Profile or Office Container, after the first
read. Cloud Cache also allows the use of multiple remote locations, which are all continually updated during the
user session. Using Cloud Cache can insulate users from short-term loss of connectivity to remote profile
containers. Cloud Cache can also provide real time, 'active active' redundancy for Profile Container and Office
Container.
It's important to understand that, even with Cloud Cache, all initial reads are accomplished from the redirected
location. Likewise, all writes occur to all remote storage locations, although writes go to the Local Cache file first.
Cloud Cache doesn't improve the users' sign-on and sign out experience when using poor performing storage. It's
common for environments using Cloud Cache to have slightly slower sign-on and sign out times, relative to using
traditional VHDLocations, using the same storage. After initial sign-on, Cloud Cache can improve the user
experience for subsequent reads of data from the Profile Container or Office Container, as these reads are
serviced from the Local Cache file.
IMPORTANT
This configuration is not suitable for a profile that is shared between the physical device and virtual sessions, unless virtual
sessions are never accessed from alternate devices while the physical device is offline. If a remote container file is accessed by
a second session, then the remote Cloud Cache Provider and Local Cloud Cache Provider will not be synchronized. If this
occurs, the remote Provider that was accessed last will replace the data in all Cloud Cache Providers.
By default the profile container VHD will contain the entire Windows profile for the user, except for:
The TEMP (TMP) folder location
The IE Cache folder location
The Windows user profile is composed of the contents of a specific folder location, and some registry information.
Typically this folder location is something like C:\Users\<username>.
If desired, the admin can specify that parts of the user profile are persisted in the profile container. Exclusions are
done with a redirections.xml file. The redirections.xml file instructs the FSLogix agent to redirect specific folders out
of the profile container and into the local C: drive. Any part of the profile that is excluded is deleted at sign out.
local_<username> Folder
When a user signs in and a FSLogix Profile container is connected and used by that user, you will see two
additional folders in the C:\Users directory:
A <username> folder (or some variation)
A local_<username> folder
The <username> folder is a link into the profile container. FSLogix advanced redirection capabilities make contents
of the profile container look as if they exist at this location. The second folder, local_<username>, is a real folder on
C:.
At user sign out, the <username> redirect will disappear and the local_<username> folder is lazily deleted by the
FSLogix service.
redirections.xml
The redirections.xml file is used to control what folders are redirected out of the profile container to the C: drive. It
can also, optionally, sync the contents of these folders to and from the profile container at user sign out and sign in
respectively.
Location: The redirections.xml file resides in the profile container in the <ProfileRoot>\AppData\Local\FSLogix
folder.
Distribution: The admin can use the built-in distribution capabilities of the FSLogix agent, or any other
mechanism, to place the file into the profile container. To use the built-in copy mechanism, use the
RedirXMLSourceFolder setting. At user sign in, the FSLogix agent will copy the redirections.xml file from the
specified location (if it exists) and process it immediately. The user must have Read permissions to the file.
Auto-attach VHDs provide administrators the ability to move directories, with their files and subdirectories, to a
VHD or VHDX volume. When the contents of the directory are accessed, FSLogix Apps dynamically attaches the
VHD and redirects to the attached volume.
Auto-attach VHDs are useful to create Application File Containers to reduce the size of Gold Images. Applications
that consume a large amount of disk space can be redirected to a VHD, where they're immediately available when
needed.
VHD creation
The VHD can be created by any means, but FSLogix Apps provides a tool that can be used for this purpose. The
FSLogix command-line utility provides copyto-vhd and moveto-vhd commands.
VHD deployment
The VHD can be located on the local drive or on a network drive. Local paths must be in drive letter format
(C:\vhd). Network paths must be in UNC format (\\server\share\vhd).
If the VHD is on a network drive, Read permission for the VHD file must be given to the Active Directory computer
object.
Rule creation
Create a VHD Auto-attach Rule using the FSLogix Apps Rule Editor.
Specify the folder that should be redirected, and the location of the VHD or VHDX file.
Assign users to receive this VHD using the Manage Assignments dialog.
Rule deployment
Copy the created .fxr and .fxa files to the C:\Program Files\FSLogix\Apps\Rules folder on each computer where
you want the Auto-attach Rule applied.
Considerations
The directory that is to be redirected to the VHD must exist in the base system.
VHDs are opened in read-only mode. Because the VHDs can't be changed, they can be accessed
simultaneously in multiple sessions.
Profile Container vs. Office Container
6/28/2019 • 2 minutes to read
It's important to understand the differences between Profile Container and Office Container for proper use and
maximum benefit.
Office Container is a subset of Profile Container. Although all of the benefits of Office Container are also delivered
from Profile Container, there are times when it may be beneficial to use them together.
Profile Container and Office Container are configured differently. It's important to completely understand the
configuration process, especially when using them together.
Profile Container
Profile Container is used to redirect the full user profile. Profile Container is used in non-persistent, virtual
environments, such as Virtual Desktops. When using Profile Container, the entire user profile is redirected, except for
data that is excluded.
For users familiar with managing profiles in non-persistent environments, the function of Profile Container may be
compared to Microsoft User Profile Disk, Microsoft Roaming Profiles, or Citrix UPM. Although the function is
similar, the underlying method and technology is different, resulting in certain benefits as described here.
Office Container
Office Container is generally implemented with another profile solution, and is designed to improve the
performance of Microsoft Office in non-persistent environments. As opposed to Profile Container, Office
Container redirects only the local user files for Microsoft Office. When configuring Office Container, each Office
component is independently included based on settings.
When Office Container is used with other profile solutions, it's important that those solutions are configured to exclude
certain data (configure-office-container-tutorial.md#configure-third-party-exclusions).
The data contained in the Office Container can be re-created from various server locations. As an example, the
.OST file is generated from the email server(s); if the file is lost or damaged, it may be recovered.
Download FSLogix
FSLogix is available for download here
Application Masking manages access to Applications, Fonts, and other items based on criteria. The Application
Rules Editor is used to describe the item, such as an application, to be managed. The Editor is also used to define
the criteria that rules are managed by. For instance, GitHub should be hidden from the Accounting group. Things you can
do with the Apps Rules Editor:
Create new Rule Sets
Edit existing Rule Sets
Manage the user and group assignments for Rule Sets
Temporarily test rule-sets
Before using the Application Rules Editor, it must be installed
Rule Types
FSLogix supports four rule types
Hiding Rule - hides the specified items using specified criteria
Delete a rule
Select an existing Rule Set from the left panel
Select one or more Rules from the right panel
Select Edit then Delete Rule
Edit a rule
Select an existing Rule Set from the left panel
Select an existing Rule from the right panel
Select Edit then Edit Rule
VARIABLE DESCRIPTION
Environment Variables
The following Environment Variables may be used in both source and destination paths
NOTE
Environment variables are case sensitive.
When using the Rule Editor to add or edit Rules, these variables automatically replace the proper text in the Source and
Destination strings.
%WindowsFolder%
%CommonAppDataFolder%
%CommonStartMenuFolder%
%CommonFilesFolder32%
%ProgramFilesFolder32%
%SystemFolder32%
%CommonFilesFolder64%
%ProgramFilesFolder64%
%SystemFolder64%
Redirecting to a network
Files and directories can be redirected to resources located on a network. The user must have appropriate rights to
the network resource. To redirect to a network location, enter the path (in UNC format) into the Destination field.
Rule Sets are assigned to users, groups, and other entities using the Rules editor. Before using the Application
Rules Editor, it must be installed.
By default, Rule Sets apply to Everyone when active. The following process changes the scope that the Rule Set is
applied to.
Assignment Order
Assignments are executed from top to bottom.
Example: Consider if two assignments were made for the same Rule Set. The first assignment applies the Rule
Set to Everyone, the second specifies the Rule Set does NOT apply to User1. In this case, the Rule Set would apply
to everyone except User1.
If the assignments above are reversed, so the application to Everyone is after the exclusion of User1, the Rule Set
would apply to Everyone.
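The top-to-bottom evaluation described above, as an added example that is not FSLogix code: it resolves the effective result for a user and reports assignments that a later entry cancels completely, which is what happens to the User1 exclusion in the reversed order. The assignment objects, function names and group data are a constructed model, not the .fxa file format.

```powershell
# Added example, not FSLogix code. Assignment lists and group data are constructed.
# Assumption: an assignment is modelled as Type + Target + Applies, and the
# 'Everyone' type matches every user.

function Test-AssignmentMatch {
    param($Assignment, [string]$User, [hashtable]$GroupMembers)
    switch ($Assignment.Type) {
        'Everyone' { return $true }
        'User'     { return $Assignment.Target -eq $User }
        'Group'    { return $GroupMembers[$Assignment.Target] -contains $User }
    }
    return $false
}

function Resolve-RuleSetAssignment {
    # Walks the list top to bottom; the last matching entry decides.
    # Returns $null when no entry matches the user.
    param([object[]]$Assignments, [string]$User, [hashtable]$GroupMembers = @{})
    $result = $null
    foreach ($entry in $Assignments) {
        if (Test-AssignmentMatch $entry $User $GroupMembers) {
            $result = [bool]$entry.Applies
        }
    }
    $result
}

function Find-OverriddenAssignment {
    # Reports entries that have no effect for any user they match, because a
    # later entry with the opposite setting always wins.
    param([object[]]$Assignments, [string[]]$Users, [hashtable]$GroupMembers = @{})
    for ($i = 0; $i -lt $Assignments.Count; $i++) {
        $entry = $Assignments[$i]
        $matched = @($Users | Where-Object { Test-AssignmentMatch $entry $_ $GroupMembers })
        if ($matched.Count -eq 0) { continue }
        $effective = @($matched | Where-Object {
            (Resolve-RuleSetAssignment $Assignments $_ $GroupMembers) -eq [bool]$entry.Applies
        })
        if ($effective.Count -eq 0) {
            [pscustomobject]@{
                Position = $i + 1
                Type     = $entry.Type
                Target   = $entry.Target
                Applies  = $entry.Applies
                Finding  = 'Cancelled by a later assignment'
            }
        }
    }
}

# Constructed sample: the two orderings from the Assignment Order example.
$everyone = [pscustomobject]@{ Type = 'Everyone'; Target = 'Everyone'; Applies = $true }
$notUser1 = [pscustomobject]@{ Type = 'User';     Target = 'User1';    Applies = $false }
$users    = 'User1', 'User2'

$asDocumented = @($everyone, $notUser1)   # Everyone first, then the User1 exclusion
$reversed     = @($notUser1, $everyone)   # exclusion first, then Everyone

foreach ($user in $users) {
    [pscustomobject]@{
        User         = $user
        AsDocumented = Resolve-RuleSetAssignment $asDocumented $user
        Reversed     = Resolve-RuleSetAssignment $reversed $user
    }
}

# The reversed list yields one finding: the User1 exclusion at position 1.
Find-OverriddenAssignment -Assignments $reversed -Users $users
```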
Managing Assignments
After creating Rule Sets and Rules, select the rule set you want and click File then Manage Assignments.
Click Add, then select the type of assignment you want, to create a new assignment
Select one or more Assignments and click Remove to Delete Assignments
Select one or more Assignments and click Move up or Move Down to reorder Assignments
Use the Radio Button for does or doesn't apply, then click Apply to determine the application to an entity.
Whether an Assignment applies is represented by the Applies column.
User Assignment
Group Assignment
Process Assignment
Computer Assignment
Directory Container Assignment
Only Environment Variables present at sign-on are supported. Environment variables set during sign-on aren't
supported.
Set as Template
After you've configured the assignment list, you can select Set As Template and all new assignment lists will default
to the current state of the assignment list.
Configure Java Version Control rules
7/2/2019 • 3 minutes to read
Java Version Control allows specific Websites and URLs to be assigned to a specific installed version of Java.
Prerequisites
Before configuring Profile Container:
Verify that you meet all entitlement and configuration requirements
Download and install FSLogix Software
IE 8 and later is supported
Applications must run in IE7 or later
Java 1.6.0_10 or later is supported
Java 1.4.2 and later is supported for redirection
Only versions of IE currently supported by Microsoft are supported in Java Version Control
NOTE
There is a known issue regarding ActiveX blocking feature of IE that may cause applets, in certain circumstances, to stop
responding when FSLogix version selection is in place. In order to workaround this, add the domain containing the applet
URL to the Trusted Sites list in Internet Explorer.
NOTE
If rules are changed, restart the Internet Explorer instances for the modified rules to take effect.
URL
Select URL as the type
Specify the URL
Using Wildcards
Protocol may be http, https, or *. * matches http or https. As an example *://contoso.com matches
http://contoso.com and https://contoso.com.
Sub-Domain may be specified as *. As an example https://*.contoso.com matches
www.contoso.com, test.contoso.com and contoso.com.
Path * matches full URL under where * is specified. As an example, https://contoso.com/* matches
the entire domain. https://contoso.com/app/* matches everything in the path under app.
Specify the version of Java to use from the drop-down. As an example 1.6.0_45.
Save the Java Project file.
Click File > Generate to generate the Java Rule Files.
The files generated depend on whether the rule is for a Website (URL) or an Application.
For URLs, there will be an XML file created.
For Applications two files will be generated, one Rule Set file (.fxr) and one Assignment file (.fxa).
Deploy the generated files, see Deploying Rule Sets and Assignment Files.
NOTE
If the latest version of Java is selected in the Java Version field, Java Version Control and associated features are
effectively disabled for the given URL.
NOTE
The selected Java version must be installed on the client computer or the rule will not work. Multiple versions of Java can be
installed side-by-side. Major Java versions will not conflict with each other, as each installs to a unique directory. However,
Java versions that are the same major version but different minor versions install into the same directory by default. You can
simply change the path during the installation to avoid this problem.
NOTE
In almost all cases the 32-bit versions of Java should be used. Typically only if there are specific instructions to use 64-bit
Java should it be tested before the 32-bit versions.
NOTE
Any rule sets copied into / updated / deleted from the Rules folder will be automatically detected by the Service (frxsvc.exe)
and compiled into a special format used by the Drivers (frxdrv.sys and frxdrvvt.sys). The service will then notify the driver of a
change and the driver performs a live update of your installed rule sets. The compiled rule set files are located in C:\Program
Files\FSLogix\Apps\CompiledRules
Configure Profile Container and Office for concurrent
connections and multiple connections
6/28/2019 • 6 minutes to read
Users connect to their stateless working environments in different ways, depending on how desktops and applications
are delivered. When using Virtual Desktops and Remote Applications users may:
Have one connection at a time
Have multiple concurrent connections to a single instance of Windows
Connect to multiple instances of Windows
It's important to configure Profile Container and Office Container correctly for use with concurrent connections
and multiple connections.
Prerequisites
Before configuring for Concurrent or Multiple connections, install and configure Profile Container or Office
Container
Multiple Connections
Multiple Connections with Profile Container and Office Container is supported through the use of VHD(X)
difference disks. The registry configuration and functionality for Office Container and Profile Container is different.
Multiple Connections with Profile Container
Profile Container is configured for multiple connections using ProfileType when configuring Profile Container.
ProfileType is set to 0, 1, 2 or 3.
Mode 0 (Normal / Default)
Sign on:
Client tries to directly attach the VHD(X) file. No difference disks are used. If a concurrent access is
attempted, it will fail with a sharing violation (error 20).
Sign out:
Client detaches the VHD(X).
Mode 1 (Read / Write)
Sign on:
Client attempts to open the RW.VHD(X) difference disk with Read/Write access. If it is successful, it
merges the difference disk to the parent. If it completes the merge, the RW.VHD(X) file is deleted.
Client creates a new RW.VHD(X) difference disk.
Client attaches the RW.VHD(X) as the Profile VHD.
Sign out:
Client detaches the RW.VHD(X) difference disk (the user's Profile VHD/X).
Client attempts to open the RW.VHD(X) difference disk with Read/Write access. If it is successful, it
merges the difference disk to the parent. If it completes the merge, the RW.VHD(X) file is deleted.
Mode 2 (Read Only)
Sign on:
Client attempts to open the RW.VHD(X) difference disk with Read/Write access. If it is successful, it
merges the difference disk to the parent. If it completes the merge, the RW.VHD(X) file is deleted.
Client attempts to delete the previous RO difference disk (if it exists).
Client creates the new RO difference disk.
Client attaches the RO difference disk as the user's Profile VHD.
Sign out:
Client detaches the RO difference disk.
Client deletes the RO difference disk.
Client attempts to open the RW.VHD(X) difference disk with Read/Write access. If it is successful, it
merges the difference disk to the parent. If it completes the merge, the RW.VHD(X) file is deleted.
Mode 3 (Attempt Read/Write Fall Back Read Only)
Sign on:
Client checks to see if a RW.VHD(X) file exists. If it doesn't, the client takes the RW role and performs the
same steps as ProfileType = 1. If the RW.VHD(X) file does exist, the client takes the RO role and does the
same steps as ProfileType = 2.
General Information
RO difference disks are stored in the local temp directory and are named %usersid%_RO.VHD(X).
The RW difference disk is stored on the network next to the parent VHD(X) file and is named RW.VHD(X).
The merge operation can be safely interrupted and continued. If one client begins the merge operation and is
interrupted, for example, powered off, another client can safely continue and complete the merge. For this
reason, both the RW and RO clients begin by attempting a merge of the RW.VHD(X).
Merge operations on an ReFS file system, where the difference disk and the parent are on the same ReFS
volume, are nearly instantaneous no matter how large the difference disk is.
Merge operations can only be done if there are no open handles to either the difference disk or the parent
VHD(X). For this reason, the RO client also attempts to merge the RW VHD(X) as it may be the last session to
disconnect.
Multiple Connections with Office Container
Office Container is configured for multiple connections using VHDAccessMode when configuring Office Container.
VHD Access Mode is set to 0, 1, 2 or 3.
Mode 0 (Normal / Default)
Sign on:
Client tries to directly attach the VHD(X) file. No difference disks are used. If a concurrent access is
attempted, it will fail with a sharing violation (error 20).
Sign out:
Client detaches the VHD(X).
Mode 1 (Network)
Sign On
Client attempts to open the merge.vhd(x) difference disk with Read/Write access. If it's successful, it
merges the difference disk to the parent. If it completes the merge, the difference disk file is deleted.
Client attempts to remove any previous difference disk for this machine
(%computername%_ODFC.VHD(X)) on the network share.
Client creates a new difference disk named %computername%_ODFC.VHD(X). This difference disk is
created on the network share next to the parent VHD(X) file.
Client attaches the difference disk as the O365 VHD.
Sign out
Client detaches the difference disk.
Client attempts to rename the difference disk to merge.vhd(x). If this rename is successful, the client
attempts to merge the difference disk. The merge will only succeed if it's the last session that is ending.
Client deletes the difference disk.
NOTE
Mode '1' (Network) should not be used if the O365 Container is being used with Outlook Cached Exchange mode. Use mode
'0' or '3'.
Mode 2 (Local)
Sign On
Client attempts to remove any previous difference disk (%usersid%_ODFC.VHD(X)) for this user from
the temp folder.
Client creates a new difference disk named %usersid%_ODFC.VHD(X). This difference disk is created in
the temp directory.
Client attaches the difference disk as the O365 VHD.
Sign out
Client detaches the difference disk.
Client attempts to merge the difference disk. The merge will only succeed if it's the last session that is
ending.
Client deletes the difference disk.
NOTE
Mode '2' (Network) should not be used if the O365 Container is being used with Outlook Cached Exchange mode. Use mode
'0' or '3'.
Windows Search is roamed for single user systems such as WVD Desktop, XenDesktop, or VDI. Search may also
be roamed for multi-user systems such as WVD Applications, RDSH, XenApp. In multi-user systems, only the
Outlook email search information is roamed.
Prerequisites
Before configuring for Concurrent or Multiple connections, install and configure Profile Container or Office
Container
Overview
The Windows Search Service is included with Windows. The Search Service provides search functionality for a
user's files, Outlook email, and so on. The Search Service indexes all information to a single, system-wide database.
When a user roams to another machine, all of the information that they expect to search must be reindexed on the
new system. Re-indexing has significant impact on CPU when a user logs on. Typically Search is disabled in
environments where users roam between computers to avoid CPU impact.
Disabling local Search detracts from the user experience. Without local search, users are unable to search as they
expect. If the search is sent to a remote server, performance is slow.
FSLogix provides two mechanisms to roam Search information, Single-user Search and Multi-user Search.
Multi-user Search Yes Yes (2010 and later) No, Outlook only Windows 8 and later,
Windows Server 2012
R2 and later
NOTE
Single-user Search requires either Profile Container or Office Container be used. Multi-user Search may be implemented with
Profile Container, Office Container or any other profile roaming solution.
Profile Containers and Office Container store user information in a VHD(X) file. Generally these files are stored in
a network location. Profile Containers and Office Containers can automatically create the needed folders and files.
For correct and secure use, storage permissions must allow each user to create and use their own profile,
while not allowing access to other users' profiles.
There are many ways to create secure and functional storage permissions for use with Profile Containers and
Office Container. Below is one configuration option that provides new-user functionality that doesn't require users
to have administrative permissions.
By default, settings for Profile Container and Office Container are applied per-machine. Per-machine configuration
can be overridden by specifying settings that apply to specific users or specific groups.
User specific settings are given first priority, followed by group specific settings and finally the per-machine
settings.
To create a user or group setting:
Create a key named ObjectSpecific in the registry under one of the following keys:
HKLM\Software\FSLogix\Profiles (for Profile Container)
HKLM\Software\Policies\FSLogix\ODFC (for Office Container)
Under this key, create a key named with the SID of the object. This object is the user or group to which the new
value will be assigned.
Under the SID key, create the value that represents the Profile Container setting or Office Container setting. For
example, (DWORD) IsDynamic = 1
You can verify that the setting is taking effect by examining the log file. There will be an entry in the log file where
the value is being read. The log file entry will show where the setting is being read from.
Example (using the VolumeType setting):
In the log files saved at \programdata\fslogix\logs\profiles... the following will be seen for the VolumeType setting,
based on configuration.
To determine the SID of an object, you can use the wmic.exe command. For example:
To retrieve the SID of a user whose name is john, run wmic useraccount where name="john" get sid.
To retrieve the SID of a group whose name is Domain Admins, run wmic group where name="Domain Admins" get sid.
To retrieve the name of a user whose SID is S-1-5-21-2417102143-4260430507-1482311895-1919, run wmic
useraccount where sid="S-1-5-21-2417102143-4260430507-1482311895-1919" get name.
To get the name of a group from a SID, follow the pattern of the user example, applied to the wmic group
command shown for retrieving the SID of a group.
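The per-user or per-group procedure above, scripted in PowerShell as an added example (not part of the FSLogix documentation). The function names are hypothetical; the account name john and the IsDynamic value come from the text above, and group SIDs are passed in by the caller.

```powershell
# Added example; function names are hypothetical. Writing under HKLM requires an elevated session.

function Resolve-Sid {
    param([Parameter(Mandatory)][string]$AccountName)
    # Translate a user or group name (for example 'john' or 'Domain Admins') to its SID string.
    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-FslObjectSpecific {
    param(
        [Parameter(Mandatory)][string]$BaseKey,   # HKLM:\Software\FSLogix\Profiles or HKLM:\Software\Policies\FSLogix\ODFC
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [ValidateSet('DWord', 'String', 'MultiString')][string]$Type = 'DWord'
    )
    # <BaseKey>\ObjectSpecific\<SID>\<value>, as described in the steps above.
    $key = Join-Path $BaseKey "ObjectSpecific\$Sid"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Get-FslSettingSources {
    # Lists every place a setting is defined for one user, in the priority order
    # given above: user first, then group, then per-machine.
    param(
        [Parameter(Mandatory)][string]$BaseKey,
        [Parameter(Mandatory)][string]$UserSid,
        [string[]]$GroupSids = @(),
        [Parameter(Mandatory)][string]$Name
    )
    $candidates = @([pscustomobject]@{ Scope = 'User'; Path = (Join-Path $BaseKey "ObjectSpecific\$UserSid") })
    foreach ($g in $GroupSids) {
        $candidates += [pscustomobject]@{ Scope = 'Group'; Path = (Join-Path $BaseKey "ObjectSpecific\$g") }
    }
    $candidates += [pscustomobject]@{ Scope = 'Machine'; Path = $BaseKey }

    foreach ($c in $candidates) {
        $item = Get-ItemProperty -Path $c.Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{ Scope = $c.Scope; Path = $c.Path; Value = $item.$Name }
        }
    }
}

# Usage: override IsDynamic for user john, then show where the value is defined.
$base = 'HKLM:\Software\FSLogix\Profiles'
$sid  = Resolve-Sid 'john'
Set-FslObjectSpecific -BaseKey $base -Sid $sid -Name 'IsDynamic' -Value 1
Get-FslSettingSources -BaseKey $base -UserSid $sid -Name 'IsDynamic' | Format-Table -AutoSize
```

The first row returned is the one that takes priority; the log file remains the authoritative record of which location the agent actually read.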
Use device-based licensing
6/28/2019 • 2 minutes to read
Device-based licensing helps administrators manage their application hiding rules to be compliant with product
license agreements. The feature is designed for software products that are licensed on a per-device basis.
With Device Based Licensing you can:
Set a time-frame during which an assigned license can't be unassigned
Record a time stamp of when a license was assigned to a device
Record a time stamp of when a license was unassigned to a device
Generate a report showing license usage over a specified time
Warn the administrator when they attempt to unassign a license that hasn't been assigned for the minimum
time
Prerequisites
Before configuring Profile Container:
Verify that you meet all entitlement and configuration requirements
Download and install FSLogix Software including Application Masking Rules Editor
The device-based licensing features are effective only after this step is complete.
Licensing Reports
A report can be generated to show the historical license assignments by clicking File then Licensing Report, and
selecting a date range for the report.
Use Visibility reports in Application Masking
6/28/2019 • 2 minutes to read
Administrators use the Reporting feature to see where applications are visible. Reports are generated for Active
Directory users, groups (in the Rule Editor), and all users.
The Reporting feature is accessible from the Rule Editor and from the Command Line (frx.exe).
Generate a Visibility Report in Rule Editor
Click File then Reporting from the main menu
AD reporting is also available by clicking the AD Reporting button in the Assignments dialog
Click New Query
Profile Container
Compare the current values of Status, Reason, and Error to the documentation here.
Check the log files. Look for non-zero codes being returned (zero indicates success).
Verify all prerequisites have been met
Are you using Windows 7 or Windows Server 2008 R2? If so, you must have this patch installed in order for the
FSLogix Profiles product to work properly. If the patch isn't installed, processes in the system will begin to
deadlock.
Is the 'Enabled' setting set to '1'?
Do you have a valid file system location in the 'VHDLocations' setting?
Does the user have appropriate permissions to the VHD(X) file on the file server?
Is the user a member of the local FSLogix Profiles Include group and NOT a member of the FSLogix Profiles
Exclude group?
Does a local profile already exist for the user?
Office Container
Compare the current values of Status, Reason, and Error to the documentation here.
Check the log files. Look for non-zero codes being returned (zero indicates success).
Verify all prerequisites have been met
Is the 'Enabled' setting set to '1'?
Do you have a valid file system location in the 'VHDLocations' setting?
Is the user a member of the local FSLogix ODFC Include group and NOT a member of the FSLogix ODFC
Exclude group?
Using Windows Server 2016, OneDrive Icons don't appear. This behavior is intended.
Outlook does not show up in the windows indexing options when FSLogix is virtualizing Outlook Search. This
behavior is intended.
Application Masking
Make sure the rules have been moved to the Rules folder. For more information about deploying rules see:
Deploying Rule Sets.
Check to make sure the service and the driver are running by using:
sc query frxsvc
sc query frxdrv
Check the logs to make sure no non-zero errors are logged
Check the assignment files to make sure the user is included in the assignment
Open the rule in the rule editor
Click on the manage assignments button
Make sure that the user in question is listed and the rule does apply to them.
If folders or files are being masked from an excluded user, make sure the Apply Rules to System button isn't
clicked.
NOTE
When configuring Profile Container, registry settings are added here: Registry Key: HKLM\SOFTWARE\FSLogix\Profiles
When configuring Profile Container, the entire contents of the registry will be redirected to the FSLogix Profile Container. To
redirect only Office-related information, see Profile Container for Office registry configuration reference.
NOTE
When configuring Office Container, registry settings are added here: HKLM\SOFTWARE\Policies\FSLogix\ODFC
Office Container is a special sub-set of Profile Container used to enable and enhance Office in a non-persistent
environment. All Office Container functionality is also delivered when using Profile Container. Office Container is generally
used in conjunction with a full non-persistent profile solution.
For a full non-persistent profile solution see Profile Container registry configuration reference.
IncludeOneNote DWORD 1
NOTE
Cloud Cache configuration may be used for both Profile Container and Office Container. For Profile Container registry
settings are applied here: HKLM\SOFTWARE\FSLogix\Profiles. For Office Container registry settings are applied here:
HKLM\SOFTWARE\Policies\FSLogix\ODFC.
When using Cloud Cache, CCDLocations replaces VHDLocations. CCDLocations and VHDLocations may not both be present
at the same time.
For the full Profile Container reference see: Profile Container registry configuration reference. For the full Office Container
reference see: Office Container registry configuration reference.
The following values are Cloud Cache Specific and are used for all Cloud Cache implementations whether applied to Profile Containers
or Office Containers. These settings are applied here: Registry Key: HKLM\SYSTEM\CurrentControlSet\Services\frxccd\Parameters
The following values are Cloud Cache Specific and are used for all Cloud Cache implementations whether applied to Profile Containers
or Office Containers. These settings are applied here: Registry Key: HKLM\SYSTEM\CurrentControlSet\Services\frxccds\Parameters
NOTE
Although it is possible to change the location of the Proxy Directory, it is strongly recommended that this is only done when
there is no C drive. The Proxy Directory contains no data.
FSLogix Command-Line Utility command reference
6/28/2019 • 11 minutes to read
Redirection
Command
add-redirect
Description
Add a new path redirection for the virtualization (VT) driver
-src= (required)
Specifies the source path to redirect
-dest= (required)
Specifies the path to act as redirection target
Example
frx add-redirect -src C:\mysource -dest d:\mytest
frx add-redirect -src C:\mysource -dest \?\VolumeXXXXX\Test
Hiding Rule
Command
add-rule -hide
Description
To add a hiding rule, specify the following options with add-rule:
-hide (required)
-src-parent= (required)
If this rule is for a directory or registry key, the directory or key path is entered here. If this is for a file or
registry value, the parent directory or parent registry key path is entered here.
-src= (optional)
Represents the name of the file or registry value. This parameter is not used when the rule is targeted for a
directory or registry key.
-volatile (optional)
This option tells the system not to persist this Rule. The Rule will disappear when the driver is stopped (either
manually or if the system is restarted).
Example
frx add-rule -hide -src-parent="C:\users\admin\desktop" -src="chrome.lnk" -volatile
frx add-rule -hide -src-parent=<folder or directory key>
Redirect Rule
Command
add-rule -redirect
Description
To add a redirect rule, specify the following options with add-rule:
-redirect (required)
-src-parent= (required)
If this rule is for a directory or registry key, the source directory or source key path is entered here. If this is
for a file or registry value, the source parent directory or source parent registry key path is entered here.
-src= (optional)
Represents the name of the source file or source registry value. This parameter is not used when the source object
of a rule is a directory or registry key.
-dest-parent= (required)
If this rule is for a directory or registry key, the destination directory or destination key path is entered here. If this
is for a file or registry value, the destination parent directory or destination parent registry key path is entered
here.
-dest= (optional)
Represents the name of the destination file or destination registry value. This parameter is not used when the
destination object of a rule is a directory or registry key.
-no-copy (optional)
By default, when a redirect is about to happen, the FSLogix Apps Agent checks to see if the destination file,
directory, registry key, or registry value exists. If it does exist, the request is simply redirected. If the object does not
exist, the object will be created (and in the case of a file or registry value, the contents of the source object copied
to the destination object) and then the redirection will happen. This flag tells the system not to do this check and to
simply redirect.
-volatile (optional)
This option tells the system not to persist this Rule. The Rule will disappear when the driver is stopped (either
manually or if the system is restarted).
Example
frx add-rule -redirect -src-parent="C:\windows" -src="bad.ini" -dest-parent="USER_PROFILE_PATH\badprogram" -dest="bad.ini"
frx add-secure-key -key=<key variable name> -value=<value of key to be assigned to variable name in credential
manager>
Edit Profile
Command
begin-edit-profile
Description
Attaches the specified VHD or VHDX and attaches the registry hive so the contents of the profile can be viewed
and edited. Prints out a cookie that should be handed back with an end-edit-profile command line to clean up.
-filename (required)
Specifies the path to the VHD(X) file
Example
frx begin-edit-profile -filename C:\Profile.vhd
frx copyto-vhd -filename=<VHD file for folder to be copied to> -src=<folder to be copied to vhd>
frx copy-profile -filename=<VHD file for folder to be copied to> -username=<username for profile>
frx create-junction -src=<source folder for redirection> -dest=<destination vhd for junction>
frx create-ruleset -filename=<name of file to be created> -install-dir=<specifies the path where the
application to be scanned is installed> -ARP-keyname<add remove program registry location>
frx enable-schnot
frx end-edit-profile -cookie=<cookie provided from begin edit profile> -filename=<filename of vhd containing
the profile being edited>
Help
Command
help
Description
Displays frx help without parameters, or help for specific command if specified
Example
frx help
frx help add-rule
frx list-redirects
frx list-rules
List all secure key names in Credential Manager with a fslogix/ prefix
Command
list-secure-key
Example
frx list-secure-key
frx moveto-vhd -filename=<folder/filename for vhd to move folder to> -src=<folder to be moved to VHD>
frx reload-rules
Command
show-junction-info
Description
Shows information about a junction point
-src (required)
Specifies the path to the junction point.
Example
frx show-junction-info -src=C:\TestDir
Command
Description
Example
frx
frx versions
FSLogix Disk Management Utility Reference
6/28/2019 • 2 minutes to read
frxcontext.exe allows you to manage FSLogix containers and aids in managing containers by adding context menus
to vhd(x) files.
The following commands are executed in an administrator command prompt.
Install
Command
--install
Description
Install FSLogix container management to the Windows context menu for vhd(x) files. Installs for all users.
Example
frxcontext.exe --install
Uninstall
Command
--uninstall
Description
Uninstall FSLogix container management from the windows context menu. Uninstalls for all users.
Example
frxcontext.exe --uninstall
frxcontext.exe --install-per-user
Uninstall per user
Command
--uninstall-per-user
Description
Uninstall FSLogix container management from the windows context menu. Uninstalls for the current (logged in)
user.
Example
frxcontext.exe --uninstall-per-user
Attach VHD(x)
Command
<vhd(x)>
Description
Attaches a FSLogix profile or Office 365 container for edit.
Example
frxcontext.exe <C:\path\to\profile_user.vhdx>
The various components of FSLogix create comprehensive logs. The log files are the first place to
look when diagnosing system behavior.
At the top of each log file, the system records basic information including versions of the FSLogix agent
components.
Each operation performed by FSLogix components will create a section that contains all of the relevant log entries
for that operation.
At the beginning of each day, a new log file is created. The daily log files are kept for 7 days by default. Log files
older than this period are deleted.
The default path for the log files can be changed. For example, it may be useful to redirect the log files to a
network share when using non-persistent machines.
For each log entry, an entry of zero indicates success. When looking for problems, scan for non-zero entries.
Initial state
A new install (or an install after an uninstall) will set the default level of logging. A new install will also clear
previous logging settings and return to defaults. An upgrade install will leave all logging settings as they exist
before the upgrade install.
VALUE NAME | VALUE TYPE | VALUE DEFINITION
LogFileKeepingPeriod | DWORD | New log files are begun each day. This specifies how many to keep. If the value is not set, the default is ‘7’. Default set by install is 2.
The Profile Container and the Office Container set three values that represent the state of Profile Container or
Office Container:
Status
Reason
Error
Profile Container stores error values here: HKLM\Software\FSLogix\Profiles\Sessions\<UserSID>
FSLogix Office Container stores error values in two places:
HKLM\Software\Policies\FSLogix\ODFC\Sessions\<UserSID> and HKCU\Software\FSLogix\ODFC\Sessions
If Status is zero, the system is in a working state and Reason will reflect the state. For example, if Status and
Reason are both zero, then the FSLogix Container is attached and working for this user.
Status Codes
CODE DESCRIPTION EXPLANATION
Reason Codes
CODE DESCRIPTION EXPLANATION
Error Codes
Usually when an FSLogix component is not working, Error will be set. When it is set, it corresponds to a standard
Windows Error Code.
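The registry checks from the troubleshooting checklist and the Status, Reason and Error values described above can be read in one pass; this is an added PowerShell example, not part of the FSLogix documentation. The function names are hypothetical, and it assumes each user's values sit in a subkey named after the user's SID under the Sessions key.

```powershell
# Added example; function names are hypothetical.
# Assumption: per-user Status/Reason/Error values live in ...\Sessions\<UserSID>.

function Get-FslContainerConfig {
    param([string]$BaseKey = 'HKLM:\SOFTWARE\FSLogix\Profiles')
    $cfg = Get-ItemProperty -Path $BaseKey -ErrorAction SilentlyContinue
    $locations = @($cfg.VHDLocations) | Where-Object { $_ }
    [pscustomobject]@{
        BaseKey      = $BaseKey
        Enabled      = ($cfg.Enabled -eq 1)          # checklist: is 'Enabled' set to '1'?
        VHDLocations = @(foreach ($p in $locations) {
            # Test-Path runs as the current account, so this shows reachability for
            # the administrator running the check, not for the affected user.
            [pscustomobject]@{ Path = $p; Reachable = (Test-Path -LiteralPath $p) }
        })
    }
}

function Get-FslSessionState {
    param([string]$SessionsKey = 'HKLM:\SOFTWARE\FSLogix\Profiles\Sessions')
    Get-ChildItem -Path $SessionsKey -ErrorAction SilentlyContinue | ForEach-Object {
        $sid = $_.PSChildName
        $v   = Get-ItemProperty -Path $_.PSPath
        $user = try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # unresolvable SID or unexpected key name: show it as-is

        $errorText = ''
        if ($v.Error) {
            # Error corresponds to a standard Windows error code, so let Windows describe it.
            $errorText = (New-Object System.ComponentModel.Win32Exception([int]$v.Error)).Message
        }
        [pscustomobject]@{
            User               = $user
            Status             = $v.Status
            Reason             = $v.Reason
            Error              = $v.Error
            ErrorText          = $errorText
            AttachedAndWorking = ($v.Status -eq 0 -and $v.Reason -eq 0)
        }
    }
}

# Profile Container
Get-FslContainerConfig | Format-List
Get-FslSessionState | Format-Table -AutoSize

# Office Container, using the keys given on this page
Get-FslContainerConfig -BaseKey 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC' | Format-List
Get-FslSessionState -SessionsKey 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC\Sessions' | Format-Table -AutoSize
```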
FSLogix installed components and functions
6/28/2019 • 2 minutes to read
There are five main components of the Agent. The command-line utility, service, two drivers, and the IE Browser
Helper Object. All of these components are installed in the main application installation directory at C:\Program
Files\FSLogix\Apps.
frx.exe
The command-line utility, frx.exe, lets you manage rule sets and many other features of FSLogix Apps. A
reference of all commands the command-line utility accepts may be found here. The utility is installed to
c:\program files\fslogix\apps.
frxsvc.exe
The service, frxsvc.exe, communicates with the Command Line (frx.exe) and Drivers (frxdrv.sys and frxdrvvt.sys), as
well as monitors the rules directory for changes.
The service starts automatically when the computer starts and remains running while the computer is powered on.
frxcontext.exe
frxcontext.exe allows you to manage FSLogix containers and aids in managing containers by adding context
menus to vhd(x) files. A reference for frxcontext.exe is found here.
frxrobocopy.exe
Frxrobocopy is used to exclude the file copy, done by the FSLogix agent, from Anti-virus scanners.
Since the FSLogix agent only copies files that have already been scanned by the AV product, the admin can use this
feature to bypass scanning of the files to improve system performance.
To enable frxrobocopy:
Copy robocopy.exe to the %Program Files%\FSLogix\Apps folder as frxrobocopy.exe
Add an exclusion for the anti-virus product for %Program Files%\FSLogix\Apps\frxrobocopy.exe
If frxrobocopy.exe exists in the FSLogix\Apps folder, it will be used and the AV product will not scan the file copying
activity.
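Because the anti-virus product is told not to scan frxrobocopy.exe, it is worth confirming that the file is still an unmodified copy of the system robocopy.exe and that only administrative principals can change it. The following check is an added example, not part of the FSLogix documentation; the function name and the allow-list of well-known SIDs are assumptions.

```powershell
# Added example; Test-FrxRobocopy and the $allowed list are assumptions, not FSLogix tooling.

function Test-FrxRobocopy {
    param(
        [string]$AppsDir   = (Join-Path $env:ProgramFiles 'FSLogix\Apps'),
        [string]$Reference = (Join-Path $env:SystemRoot 'System32\robocopy.exe')
    )
    $target = Join-Path $AppsDir 'frxrobocopy.exe'
    if (-not (Test-Path -LiteralPath $target)) {
        return [pscustomobject]@{ Present = $false }
    }

    # The procedure above is a plain copy of robocopy.exe, so the hashes should match.
    # A mismatch after a Windows update usually means the copy needs refreshing.
    $sameHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash -eq
                (Get-FileHash -LiteralPath $Reference -Algorithm SHA256).Hash

    # Rights that let a principal modify or replace the file, plus GENERIC_ALL and GENERIC_WRITE.
    $rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeBits = ([int]$rights) -bor 0x50000000

    # SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller
    $allowed = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Check the folder as well as the file: write access to the folder allows replacing the file.
    $writers = foreach ($path in $AppsDir, $target) {
        (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights) -band $writeBits) -ne 0 -and
                $allowed -notcontains $_.IdentityReference.Value
            } |
            ForEach-Object { '{0} -> {1}' -f $path, $_.IdentityReference.Value }
    }

    [pscustomobject]@{
        Present               = $true
        MatchesSystemRobocopy = $sameHash
        SignatureStatus       = (Get-AuthenticodeSignature -LiteralPath $target).Status
        UnexpectedWriters     = @($writers)
    }
}

Test-FrxRobocopy | Format-List
```

A healthy result has MatchesSystemRobocopy set to True and an empty UnexpectedWriters list.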
usermode DLL
To achieve the desired behavior in some circumstances, processes must be hooked with an FSLogix user
mode module. These include Outlook, to maintain a per-user search database, and printers, so that they are hidden
properly depending on the user. Logs for User mode may be found in the User mode log.
Configuration for the User mode DLL: Registry Key: HKLM\SOFTWARE\FSLOGIX\UserModeDll