Integrating FSLogix Profile Containers with the VMware Horizon Just-in-Time Management Platform (JMP)

VMware Horizon 7 version 7.10 and later VMware Dynamic Environment Manager 9.9 and later VMware App Volumes 2.18 and later

Overview

VMware Horizon® accommodates a number of desktop and application models. One of these models involves assembling disposable virtual machines with attached containerized applications and saved settings in such a way that users think they are using the same machine from one session to the next.

These nonpersistent VMs provide significant improvements in speed and efficiency of desktop and application lifecycle management. The guide Managing User Experience with VMware Horizon 7 Enterprise describes the benefits, constraints, and technologies used to build a nonpersistent desktop service with a persistent user experience.

Microsoft recently acquired FSLogix and has made the software available to many of its customers. FSLogix integrates with VMware technologies to complement Horizon desktop models. FSLogix Profile Container can persist user data and user configuration data between nonpersistent desktop sessions. See What is FSLogix? for an overview and requirements of the software.

Purpose of This Tutorial

This tutorial takes you through the steps to integrate Microsoft FSLogix with the VMware Horizon® 7 Just-In-Time Management Platform (JMP) to build a nonpersistent desktop service while providing a persistent user experience.

Disclaimer

FSLogix is one of many third-party solutions that work with VMware Horizon. While this tutorial shows example models for integration, VMware assumes no responsibility to provide support for the use of FSLogix software with VMware products. As with any profile management technology, proper design, component redundancy, backup, and other management practices are imperative to ensure a good user experience and to prevent loss of user data. VMware provides this tutorial to demonstrate functional compatibility of FSLogix Profile Container with Horizon JMP components.

For design guidance regardingVMware Horizon, see the VMware Workspace ONE and Horizon Reference Architecture. For guidance on sizing, scaling, and maintaining the FSLogix components, consult Microsoft documentation.

Horizon JMP and FSLogix Profile Container

In this tutorial, you will integrate the FSLogix Profile Container with your VMware Horizon implementation.

  • FSLogix Profile Container is used to persist user data and user configuration data between nonpersistent desktop sessions.
  • Horizon 7 instant clones deliver a new Windows 10 image with each user session.
  • VMware App Volumes™ AppStacks are used to manage and dynamically distribute applications.
  • App Volumes user-writable volumes are used to persist user-installed applications.
  • VMware Dynamic Environment Manager™ (formerly known as User Environment Manager) provides privilege elevation and other customized user environment settings, along with personalization and predefined settings as needed.

Horizon JMP and FSLogix Profile Container

Figure 1: Horizon JMP with FSLogix Profile Container

Each exercise in this tutorial addresses one or more components of the model described in this figure. Some exercises include steps that are prerequisites for a later exercise. It is recommended that you complete the exercises in this tutorial in the order in which they are presented.

Horizon JMP and FSLogix Office Container

FSLogix also offers an Office Container, which persists only the areas of the profile specific to Microsoft Office, rather than persisting the entire user profile. See the Microsoft document Configure Office Container to redirect Microsoft Office user data for more information.

Note: The FSLogix Office Container is not used in this tutorial. This section is for informational purposes only.

In this model:

  • FSLogix Office Container is used to persist only the portions of the profile specific to Microsoft Office between nonpersistent desktop sessions.
  • Horizon 7 instant clones deliver a new Windows 10 image with each user session.
  • App Volumes AppStacks are used to manage and dynamically distribute applications.
  • App Volumes user-writable volumes are used to persist user-installed applications.
  • Dynamic Environment Manager provides folder redirection for user data, persists user configuration data between sessions, enables IT to distribute customized, predefined application and Windows settings, and provides privilege elevation and other customized user environment settings.

Horizon JMP with FSLogix Office Container

Figure 2: Horizon JMP with FSLogix Office Container

Integrating the FSLogix Office Container with your VMware Horizon implementation is outside the scope of this tutorial.

Audience

This tutorial is intended for IT administrators and product evaluators who are familiar with VMware Horizon 7, App Volumes, and Dynamic Environment Manager. You should have a working Horizon 7 environment with the JMP components available for testing in order to complete this tutorial.

Prerequisites

Before beginning the exercises in this guide, verify that you have the following software and user accounts, and that you have created the necessary master image, which is used in a later exercise.

VMware Horizon Technologies

Although not all components of Horizon JMP are required for all exercises, the following items are recommended. Links are included to quick-start guides, should you need to add any of these components to your environment before continuing.

Master Image for Instant Clone Desktop Pool

The master image described in this operational tutorial was created according to the following instructions:

User Accounts

The following accounts and their associated roles are used throughout this tutorial. Simply substitute your own accounts from your environment to conduct the exercises in this tutorial.

  • Active Directory user account for end-user access: eterple.betavmweuc.com

    Note: eterple has standard account privileges to the Windows 10 desktops.

  • Office 365 account: virtualspence@joshspencer.onmicrosoft.com

Administrator Account

  • An account with permissions to create file shares is required.

  • An account with the ability to import ADMX templates and configure group policy objects is recommended, though not required.

Microsoft FSLogix

Before you perform the procedures in the next chapter, obtain the FSLogix download bundle from Download and Install FSLogix.

Installing FSLogix

Installing FSLogix involves configuring network shares, creating and configuring a group policy object (GPO) or registry settings, and installing the FSLogix agent.

Configuring Network Shares

Network shares are used to store VHD(X) files and to centralize logging information. For more information, see the Microsoft document Configure storage permissions for use with Profile Containers and Office Containers.

  1. Configure the Containers share, which will store the FSLogix Profile Containers:
    Note: This share will be referred to as the Containers share throughout this tutorial.
    1. Create a folder at the following location \\fs1\FSLogix\Containers
    2. Share the folder and configure the following share permissions:
      Authenticated UsersChange and Read

      Authenticated Users

    3. Configure the following NTFS permissions:
      • Domain UsersModify - This folder only
      • CREATOR OWNERModify - Subfolders and files only
      • Desktop AdminsFull control - This folder, subfolders and files

      NTFS permissions

  2. Configure the Logs share:
    Note: This share will be referred to as the Logs share throughout this tutorial.
    1. Create a folder at the following location: \\fs1\FSLogix\Logs
    2. Share the folder and configure the following share permissions:

      Authenticated UsersChange and Read

      Authenticated Users

    3. Configure the following NTFS permissions:
      • Domain ComputersModify - This folder, subfolders and files
      • Desktop AdminsFull control - This folder, subfolders and files

      NTFS permissions

Now that the network shares are set up, you can configure a GPO so that all instant clones in a particular organizational unit (OU) will store their profile containers and logs in these shares.

Note: If you prefer not to use GPOs to configure FSLogix, Windows Registry values can be modified directly on the master image. See the Microsoft document Profile Container registry configuration reference and Logging and diagnostics for registry configuration options.

Configuring a Group Policy Object for FSLogix

FSLogix can be configured using direct Windows Registry key manipulation or group policy. This tutorial uses the ADMX template provided with the FSLogix download bundle to configure a GPO and apply it to many computer objects at once.

This environment uses a Central Store. For more information, see the Microsoft document How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

  1. From an administrator's machine, copy the ADMX and ADML files to the PolicyDefinitions folder:

    1. Navigate to the FSLogix download bundle.

    2. Copy fslogix.admx to
      \\DomainController\sysvol\domain\policies\policydefinitions

      FSLogix

    3. Copy fslogix.adml to
      \\DomainController\sysvol\domain\policies\policydefinitions\en-US
  2. Create and configure the GPO:
    1.  
    2. Open the Group Policy Management console from an administrative PC.
    3. Navigate to the OU where the pool of Horizon instant-clone VMs will reside.
    4. Create and link a GPO: FSLogix.

      GPO

  • Edit the FSLogix GPO:
    1. Navigate to Computer Configuration > Administrative Templates > FSLogix > Profile Containers.

       FSLogix Profile Containers

    2. Configure the following settings:
      • EnabledEnabled
      • VHD locationEnabled, with the path set to \\Fs1\Containers

      Note: See the Microsoft document Profile Container registry configuration reference for a list of default settings to be used for all options left not configured.

Now that the policies have been configured, you can install the agent on the master image from which your virtual desktops will be created.

Installing the FSLogix Agent

Installing the agent on the master desktop image is a simple matter of running the FSLogixAppsSetup.exe file.

Note: Administrative privileges are required to install the agent.

  1. Log in to the machine you will use as your Windows 10 master image.

  2. Copy the installer file to the system where it will run or to a location accessible to the system.

  3. Navigate to the FSLogix installer package.

    FSLogix installer package

  4. Run FSLogixAppsSetup.exe to install the FSLogix agent.
  5. Verify that Microsoft FSLogix Apps appears in the list of installed applications.

    FSLogix Apps

Creating and Using an FSLogix Profile Container

In this exercise, you will verify an FSLogix Profile Container VHD (virtual hard disk) is created and working properly.

Prerequisites

Before you perform the exercises in this chapter, verify that you have performed the following tasks:

  • (Required) Create a master image from which you will create a Horizon desktop pool. At a minimum, the image should include Windows 10; agents for VMware Horizon, App Volumes, Dynamic Environment Manager; and the FSLogix agent. See Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop for detailed steps to build a master image.

  • (Recommended) Install Microsoft Office or other applications in the master image.
    Note: Microsoft Office is used to in this tutorial to demonstrate how files, activation, and credential data can persist from VM to VM. If Office is not available, you may substitute one or more applications.

Provisioning a Desktop Pool

  1. Create a Horizon instant-clone desktop pool using the following specifications:
    • Type - Automated desktop pool
    • User assignment - Floating assignment
    • Display name - JMP FSL O365PP
    • VM naming pattern - FSLO365-
    • AD container - OU=JMPvdiFSL,OU=Horizon_JS
    • Number of machines - 3

    Important:This desktop pool is required for all exercises in this tutorial.

  2. Verify the VMs are created in the OU where the FSLogix GPO is applied.

    FSLogix GPO

Verifying Profile Container Creation

Use the VMware Horizon® Client to log in to an instant-clone desktop pool.

  1. On the Horizon Client, authenticate to Horizon server with user eterple.
  2. Connect to the desktop pool with the display name JMP FSL O365PP.

    JMP FSL O365PP

    During the logon process, the FSLogix Profile Container is automatically created on the Containers share.

  3. Navigate to the Containers share and verify the virtual hard disk (VHD file) was created.

    FSLogix Profile Container

  4. Navigate to the Logs share and verify the logs are being written.

    FSLogix Logs

    If the profile container was created, changes to the user profile on the instant-clone VM will be written to and persisted in the VHD file.

  5. Run CMD.EXE and type hostname. Make note of the VM name you are connected to. 

    command prompt

    Note: Because you are using a floating assignment desktop pool, the VM you connect to will be random and may have a different name than the name displayed in this screenshot.

  6. Modify the user profile:
    1. Open one of the Office 365 applications and sign in to activate Office. In this tutorial PowerPoint was used to activate Office.

      Microsoft

    2. Sign in to OneDrive using the same Office 365 credentials.

      One Drive

      After signing in, you see the application file (for this example, PowerPoint) appear in the OneDrive folder.

       EUC TM
    3. Use Excel to create and save a spreadsheet to the Desktop.

      JMP FSL

  7. Once you are done modifying the user profile, select Options > Disconnect and Log Off to disconnect and log off of the VM so it will be deleted.

    JMP FSL O365PP

  8. On Horizon Client, authenticate to the Horizon server with the end-user account; for our example, eterple.
  9. Connect again to the desktop pool with the display name JMP FSL O365PP.

    JMP FSL O365PP

  10. Run CMD.EXE and type hostname.
    Note: You are connected to a different VM than in the previous step.  

    command prompt

  11. Verify that the changes you made have been persisted to the new desktop.
    • PowerPoint is activated and authenticated.
    • OneDrive is activated and authenticated.
    • The Excel spreadsheet remains on the Desktop.
  12. Disconnect and log off the VM.

Integrating App Volumes AppStacks with FSLogix Profile Container

App Volumes abstracts applications from the master image, enabling delivery of applications to users or computers. App Volumes also persists applications, while FSLogix Profile Container persists the user configuration for the applications between nonpersistent desktop sessions.

In this exercise, you will verify that user-based and computer-based AppStacks work with the Profile Container.

Prerequisites

Before you perform the exercises in this chapter, verify that you have performed the following tasks:

For the example used in this tutorial, the following AppStacks were created:

  • W10-Browsers - Firefox and Chrome
  • W10-Graphics Apps - GIMP, Paint.NET, IrfanView

Assigning an AppStack to an Active Directory OU

It is a common practice to create an AppStack containing applications that you want to make available to all users in an organization.

For the purposes of this tutorial, the W10-Browsers AppStack will be used. This AppStack contains the Google Chrome and Mozilla Firefox applications. The AppStack that you create for this exercise should be similar but need not contain the exact same applications.

Assign your AppStack to the Active Directory OU where the computer objects of the instant-clone desktop pool machines are located. The AppStack will be attached to the VMs when they are powered on.

W10-Browsers

Figure 3: Assignment of the W10 - Browsers AppStack to an OU Containing Instant-Clone Computer Objects

Assigning an AppStack to an End User

It is also a common practice to create an AppStack containing applications that you want to make available only to members of a single department or to individual users.

For the purposes of this tutorial, the W10-Graphics Apps AppStack will be used. The AppStack that you create for this exercise should be similar but need not contain the exact same application.

Assign your AppStack (for our example, W10-Graphics Apps) to the standard user account you plan to use for this tutorial. For our example, the user account is eterple. The AppStack will be attached when the user logs in to a guest VM (instant-clone desktop).

Graphics Apps AppStack to an End-User Account

Figure 4: Assignment of the W10 - Graphics Apps AppStack to an End-User Account

Recovering Instant-Clone VMs in the Desktop Pool

Initiating a recovery operation on the desktops in the instant-clone desktop pool will cause them to be deleted and recreated, enabling the computer-assigned AppStack to be attached.

  1. From the Horizon Console, navigate to the Machines tab of the desktop pool, select the machines, and click the Recover button to recover the machines in the desktop pool.

    FSL Office

  2. Use Horizon Client to log in and authenticate to the Horizon server with the end-user account; for our example, eterple.
  3. Connect to the desktop pool JMP FSL O365PP.

    JMP FSL O365PP

  4. Verify that all applications included in the AppStacks are available.

    JMP FSL O365PP

Customizing an Application Delivered with an AppStack

AppStacks are read-only by design. Customizations to application configuration settings will be stored in the FSLogix Profile Container and persisted between nonpersistent desktop sessions.

  1. If you are not still logged in to the virtual desktop, use Horizon Client to log in and access the virtual desktop.
  2. Open Chrome.
  3. Edit Chrome settings:
    • Display the bookmarks bar.
    • Display the Home button.
    • Create bookmarks and add them to the bookmarks bar.

    VMware Techzone

  4. Close Chrome.
  5. Select Options > Disconnect and Log Off to disconnect and log off the VM.

    JMP FSL O365PP

  6. Use Horizon Client to authenticate to the Horizon server again with the same end-user account; for our example, eterple.
  7. Connect to the desktop pool JMP FSL O365PP again.

    JMP FSL O365PP

  8. Open Chrome and verify that all customizations were persisted.

Supporting User-Installed Applications with App Volumes User-Writable Volumes

In the previous exercise, you used App Volumes AppStacks to deliver IT-managed applications to users and computers. You might also need to provide end users with the capability to install their own applications and have these user-installed applications persist from one nonpersistent desktop session to the next.

Although FSLogix Profile Container can persist the application configuration data in the profile, it cannot persist a user-installed application. App Volumes user-writable volumes are uniquely suited to address this requirement and integrate seamlessly with FSLogix Profile Containers. User-installed applications are persisted on the writable volume, and application customizations are persisted in the FSLogix Profile Container.

In this exercise, you will create and assign an App Volumes user-writable volume to an end user, install an application, and verify that the application and user customizations are persisted between desktop sessions.

Prerequisites

Before you perform the exercises in this chapter, verify that you have performed the following tasks:

Creating a User Writable Volume

From the App Volumes Manager console, create a writable volume and assign it to the end user account; for example, eterple.

Note: Be sure to select the UIA Only template. This ensures that only user-installed applications are stored on the volume.

Writable Volume Assigned to eterple and Created Using UIA Only Template

Figure 5: Writable Volume Assigned to eterple and Created Using UIA Only Template

Configuring Privilege Elevation with Dynamic Environment Manager

Most applications require administrator privileges during installation, and some applications even require administrator privileges to run once installed. Dynamic Environment Manager provides the privilege elevation feature so that IT administrators can remove administrative privileges from standard end users, while still enabling them to install and run applications. To learn more about the privilege elevation feature, see the Privilege Elevation Feature Walk-Through video.

The end user account eterple used throughout this tutorial has standard user privileges, preventing the installation of applications to Windows. In this exercise, we configure privilege elevation to enable eterple to install software from an IT-approved software repository.

  1. Enable privilege elevation and create a path-based elevation rule to elevate applications installed from a network repository.

    In this tutorial, the following path is used: \\fs1\desktopapps\*

    FSLogix Environment

  2. Using either a GPO or the NoAD mode feature of Dynamic Environment Manager, apply the Dynamic Environment Manager configuration to the virtual machines and users.

     GPO or the NoAD mode

    For a step-by-step tutorial on this feature, see the Configure Privilege Elevation for Installing an Application exercise in Quick-Start Tutorial for User Environment Manager.

Updating an AppStack Assignment

In a previous exercise, the W10-Browsers AppStack was assigned to an Active Directory OU containing computer objects. Because writable volumes are not supported for use with a computer-based AppStack assignment, the AppStack should instead be assigned to the end user.

Edit the W10-Browsers AppStack, remove the OU assignment, and assign the AppStack to the end-user account; for example, eterple.

Browsers AppStack to End User eterple

Figure 6: Assignment of the W10 - Browsers AppStack to End User eterple

Recovering Instant Clone VMs in the Desktop Pool

Initiating a recovery operation on the desktops in the instant-clone desktop pool will cause them to be deleted and recreated. The W10-Browsers AppStack will be detached from the desktops.

From the Horizon console, navigate to the Machines tab of the desktop pool, select the machines, and click the the Recover button to recover the machines in the desktop pool.

 Machines Tab of the FSLOffice Desktop Pool

Figure 7: Machines Tab of the FSLOffice Desktop Pool

Installing an Application

  1. Use Horizon Client to log in and authenticate to the Horizon server with the end-user account; for our example, eterple.
  2. Connect to the desktop pool JMP FSL O365PP.

    JMP FSL O365PP

  3. Navigate to the file share \\Fs1\DesktopApps and install Notepad++.

    JMP FSL O365PP

  4. Open the Notepad++ application and customize the interface.

    1. Settings > Preferences > Toolbar - Big Icons

    2. Settings > Preferences > Document List Panel - Show

    JMP FSL O365PP

  5. Select Options > Disconnect and Log Off to disconnect and log off the VM.

    JMP FSL O365PP

  6. Use Horizon Client to authenticate to the Horizon server again with the same end-user account; for our example, eterple.
  7. Connect to the desktop pool JMP FSL O365PP again.

    JMP FSL O365PP

  8. Verify that Notepad++ was persisted by the App Volumes writable volume.
  9. Open Notepad++ and verify that all customizations were persisted by the FSLogix Profile Container.

Additional Integrations for Dynamic Environment Manager with FSLogix Profile Containers

In the exercise Supporting User-Installed Applications with App Volumes User-Writable Volumes, the privilege elevation feature of Dynamic Environment Manager was used to enable a standard user account to install software.

Dynamic Environment Manager provides a variety of capabilities for Windows-based virtual, physical, and cloud-hosted computers. The features provided by the User Environment tab are recommended to simplify desktop administration and provide added functionality when using FSLogix Profile Containers with VMware Horizon JMP.

Dynamic Environment Manager Console

Figure 8: Features Listed on the User Environment Tab of the Dynamic Environment Manager Console

As you have seen in this tutorial, FSLogix Profile Containers persist the entire user profile between nonpersistent desktop sessions, ensuring custom application settings are always available to the end user. Dynamic Environment Manager provides this capability through a feature called personalization. Although there is an overlap in capabilities here, enabling personalization for an application with Dynamic Environment Manager introduces additional functionality.

Predefined Settings for Notepad++ on the Personalization Tab of the Console 

Figure 9: Predefined Settings for Notepad++ on the Personalization Tab of the Console

Dynamic Environment Manager Self-Support

Self-support enables end users to restore application settings from a backup, or reset them to defaults, without having to contact IT for assistance. See Using VMware Dynamic Environment Manager Self-Support for more information.

Dynamic Environment Manager Predefined Settings

Predefined settings provide IT administrators with the ability to distribute custom application settings based on a variety of conditions. With a single application configuration in the base image or dynamically delivered by an AppStack, predefined settings dynamically evaluate dozens of conditions and apply custom settings for end users. Whether setting app defaults and allowing end users to make changes or enforcing settings so the application works consistently with every use, the predefined settings feature adds a level of control not possible with FSLogix Profile Container alone.

Recommended Practices for Personalization with FSLogix Profile Container

Enable personalization for those applications that would benefit from predefined settings or self-support. Leverage the DirectFlex option so custom settings are read from and written to the network share at application start and stop. Any remaining application customizations will be persisted by the Profile Container.

DirectFlex Settings

Figure 10: DirectFlex Settings for Notepad++ on the Personalization Tab of the Console

Summary and Additional Resources

This tutorial demonstrated just how quickly and easily you can integrate Microsoft FSLogix Profile Container with VMware Horizon JMP.

  • The App Volumes component of JMP persists applications, while FSLogix Profile Container persists the user configuration for the applications.
  • App Volumes writable volumes allow end users to install and persist their own applications, while FSLogix Profile Container persists configuration data for user-installed applications.
  • The Dynamic Environment Manager component of JMP allows end users to install their own applications without requiring those users to have administrator (elevated) privileges.
  • Dynamic Environment Manager personalization features can be used in conjunction with FSLogix Profile Container. Use Dynamic Environment Manager when you want to offer self-support to users, or when you need to enforce predefined settings for certain applications, which can be applied either at login or at application launch. Use Profile Container for any remaining application customizations you want to persist.

Additional Resources

Besides the documents previously referenced in this tutorial, be sure to check out these learning paths, available on Digital Workspace Tech Zone:

Author and Contributors

Author

Josh Spencer is an EUC Staff Architect in End-User-Computing Technical Marketing, VMware

Contributors

  • Jim Yanik, Senior Manager in End-User-Computing Technical Marketing, VMware
  • Chris Halstead, EUC Staff Architect, End-User-Computing Technical Marketing, VMware

Reviewers

  • William Uhlig, EUC Private Sector C1 Solutions Engineer
  • John Kramer, Senior EUC Architect - Field Engineering ( @vJohnKramer on Twitter)

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.