Use Amazon FSx for Windows File Server and FSLogix to Optimize Application Settings Persistence on Amazon AppStream 2.0
AppStream 2.0 is a fully managed application streaming service that provides users with instant access to their desktop applications from anywhere. In many cases, users may want to persist their personal application settings across sessions. Amazon FSx for Windows File Server provides fully managed, highly reliable, and scalable file storage. These characteristics make it ideal for storing AppStream 2.0 user settings.
AppStream 2.0 already provides a powerful native feature for application settings persistence. User application customizations and Windows settings are stored to a Virtual Hard Disk (VHD) file in an Amazon S3 bucket. However, this feature may not be suitable for all use cases. Large VHD files (especially those over 1 GB) increase the time it takes users to start application streaming sessions (since user data must be downloaded from S3 during login).
Profile Containers from FSLogix is an alternate solution for persisting user settings. Profile Containers provide excellent performance in AppStream 2.0 and support large user profiles without significantly increasing session start time. FSLogix provides administrators with greater control around what folders in the user profile should be persisted between sessions. FSLogix also overcomes well-known performance limitations you may have encountered with roaming profiles, the native feature in Windows for transferring profiles between computers.
Amazon FSx for Windows File Server is an excellent option for storing FSLogix Profile Containers in AWS. Amazon FSx is fully managed. It offers Multi-AZ deployment options to increase high availability, integration with Microsoft Active Directory, and a great deal of flexibility. You can increase your file system size or performance characteristics as your users’ needs change.
- An AWS account
- An AppStream 2.0 environment with image builder, stack, and a domain joined fleet. If your AppStream 2.0 fleet is not already configured in this manner, you can follow the instructions in Amazon AppStream 2.0 Administration Guide.
- Check that you meet all entitlement requirements for FSLogix.
- Consider the storage requirements for your users’ application settings. For example, if you have 1000 unique AppStream 2.0 users with a 5-GiB profile each, you need storage capacity of at least 5000 GiB.
- A VPC security group that allows access to your Amazon FSx file system. Amazon VPC Security Groups provides the necessary steps to create a security group with the correct inbound and outbound rules.
- An Active Directory Security Group for your AppStream 2.0/FSLogix users.
- Access as a domain user with delegated permissions to create new GPOs.
This post walks you through the following steps:
- Create an Amazon FSx for Windows File Server file system with deployment options appropriate for this use case.
- Install FSLogix onto an AppStream image.
- Create a GPO that will allow you to centrally configure FSLogix behavior.
- Log into an AppStream 2.0 fleet and validate that FSLogix has been configured properly.
Step 1. Create the Amazon FSx file system
We start by creating an Amazon FSx for Windows File Server file system. You will use it as a target for FSLogix to persist profile containers for our users. If you already have an Amazon FSx file system you’d like to use, you can skip to step #9.
- Sign in to the AWS Management Console and open the Amazon FSx console.
- Choose Create file system.
- Select Amazon FSx for Windows File Server.
- Choose Next.
- Under File System Details:
- (Optional) Enter a name for your file system to make it easier to find and manage.
- For Deployment type, select Multi-AZ, which is recommended to maintain availability of your data if an Availability Zone (AZ) is inaccessible. However, Single-AZ is lower cost and will work for this use case as well.
- For Storage type, I recommend you select SSD since this option provides the lowest possible file operation latency for users.
- Storage Capacity can be increased later, so start with a small file system for initial testing with a few users. Ultimately, you need enough storage capacity for all AppStream 2.0 users in your environment. For example, if you have 1000 unique AppStream 2.0 users and each will have a 5-GiB profile, you would need storage capacity of at least 5000 GiB.
- The Recommended throughput capacity should be sufficient for testing. Throughput can be increased or decreased later to optimize cost or performance. IOPS and throughput requirements are typically the highest for FSLogix when users are first logging in (when the FSLogix virtual disk is initially mounted).
- Under Network & security:
- Select the VPC and subnets where your AppStream 2.0 fleet resides.
- Select a security group that allows your AppStream 2.0 fleet instances to access the file system.
- For Windows authentication, enter the same domain and DNS server IP addresses that you use for your Directory Configs in AppStream 2.0.
- Configure other options as desired and choose Next to finish creating the file system.
- In the Amazon FSx console, after the status becomes “Available”, choose your file system and note its DNS name, which will look similar to amznfsx4sgxuqa0.amazon.com. You will need the DNS name later.
Modify share permissions for the default Windows share (called “share”) on your file system and NTFS permissions for the shared folder, which will contain user profile containers. This allows FSLogix/AppStream 2.0 users to have appropriate access to your network share. You can complete this step and modify permissions by mapping the share as a domain user that is a member of the delegated administrators group (instructions are available in Amazon FSx for Windows File Server User Guide).
In this example, I use the top level “share” folder to store profile containers. But, if you wish, you could also create a subfolder (like a folder called “containers”). The FSLogix documentation provides information on what NTFS permissions are necessary for this folder. Assign these permissions to the AppStream 2.0/FSLogix Active Directory Security Group.
Then, for Authenticated Users set the Modify, Read & execute, List folder contents, Read, and Write share permissions to Allow.
Step 2. Configure AppStream 2.0 Image
Next, install and configure FSLogix on an AppStream 2.0 image.
- In the AppStream 2.0 console, choose Images and launch or connect to an existing image builder.
- When the image builder is ready, log in to the instance as the administrator.
- Download FSLogix from Microsoft on the image builder and run it. Click through the wizard to complete installation.
- Once installation is complete, execute lusrmgr.msc from a Run prompt to open the Local Users and Groups manager.
- We aren’t going to use Office 365 Containers, another feature of FSLogix, in this blog. As a result, we’re going to remove all Members from the Group called FSLogix ODFC Include List. Choose Groups and then FSLogix ODFC Include List. Remove “Everyone” from Members and then choose Apply and OK.
- Select the FSLogix Profile Include List group. Remove “Everyone” and modify the list of Members so that your Security Group for AppStream 2.0/FSLogix users is included. Choose Apply and OK.
- Note: You must configure registry settings on the image to enable FSLogix. This can be done manually by modifying the registry values as the Template user on the Image Builder. However, in this blog, I use GPO to set registry values as described in step 3.
- Finish creating your AppStream 2.0 image using the Image Assistant.
- Once the image is ready, deploy your AppStream 2.0 image to a domain joined fleet. Verify that the native “application settings persistence” AppStream 2.0 feature has been disabled on the associated stack. Take note of the OU specified in the Directory Configs for your fleet: in subsequent steps, you will link a GPO to this OU.
Step 3. Configure Registry Settings with Group Policy
In the final configuration step, I show you how to configure Group Policy to manage registry settings for FSLogix. The FSLogix archive you downloaded earlier (in the Configure your AppStream 2.0 Image section) contains two Administrative template files: fslogix.adml and fslogix.admx. Use these files to configure GPO in the following steps:
- Copy the two template files you downloaded into your central store. You can copy the templates into the PolicyDefinitions directory on a domain controller (where FQDN is your fully qualified domain name):
Copy fslogix.adml into \\<FQDN>\SYSVOL\<FQDN>\Policies\PolicyDefinitions\en-US
Copy fslogix.admx into \\<FQDN>\SYSVOL\<FQDN>\Policies\PolicyDefinitions
You may have to create the PolicyDefinitions and en-US folders if they do not already exist.
- As a domain user (with delegated permissions to create new GPOs), open the Group Policy Management console.
- Create a new policy named FSLogix GPO, right-click it, and choose Edit. In the new menu, under Computer Configuration -> Policies -> Administrative Templates, you should find “FSLogix”.
- Under Profile Containers, there are two required settings you must modify:
- Enabled: Set this to “Enabled”
- VHDLocation: This is the location where user Profile Containers are stored. Provide your Amazon FSx file system DNS name you noted in step 1.9. The location value you enter should look similar to \\amznfsx4sgxuqa0.amazon.com\share
Also consider setting the following values:
- SizeInMBs: By default, this is 30 GB. You can set it to whatever value you’d like to allocate for each user’s profile container.
- IsDynamic: If enabled, the profile container uses the minimum space on disk regardless of what is specified in SizeInMBs. As your user profile container grows in size, the amount of data on disk will grow up to the size specified in SizeInMBs.
There are many other options. You can find the full list of Profile Container configuration settings in Profile Container registry configuration reference.
- Link your FSLogix GPO to the OU where your AppStream 2.0 computer objects exist.
Step 4. Validate FSLogix configuration
Now that we’ve completed configuring the necessary Group Policy, add your test user into the AppStream 2.0/FSLogix Active Directory group. Then authenticate into the AppStream 2.0 stack as the test user and start a session.
You can validate that FSLogix has created a Profile Container for your user by checking the contents of your Amazon FSx file system. Map your Amazon FSx file system on a Windows Server (instructions are available in Windows User Guide of Amazon FSx) and, using Windows File Explorer, validate that a folder with a user name and SID has been created.
In the AppStream 2.0 session itself, you should see the following folders under C:\Users:
- A <username> folder
- A local_<username> folder
The contents of the <username> folder are redirected into the FSLogix profile container, and therefore persist between AppStream 2.0 sessions. The folder local_<username> is a real folder on the C-drive, and by default is not persisted between AppStream 2.0 sessions.
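The checks from steps 3 and 4 can also be scripted from inside a fleet session. The following is an added example, not code from the original post: it reads the values the GPO should have written under HKLM:\SOFTWARE\FSLogix\Profiles, confirms the share is reachable, and flags user groups whose Modify right on the share root inherits to subfolders (FSLogix guidance grants users Modify on the folder itself only). The function name and the group name CORP\AppStream-FSLogix-Users are assumptions.

```powershell
# Added example, not from the original post. Run inside an AppStream 2.0 fleet session.
# $UserGroups lists principals that should hold Modify on the share root only;
# 'CORP\AppStream-FSLogix-Users' is a hypothetical name for your AD security group.
function Test-FSLogixProfileConfig {
    param(
        [string[]]$UserGroups = @('CORP\AppStream-FSLogix-Users',
                                  'NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    $findings = @()
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
    if (-not $cfg) { return 'HKLM:\SOFTWARE\FSLogix\Profiles is missing: GPO not applied' }

    if ($cfg.Enabled -ne 1) { $findings += 'Enabled is not 1, Profile Containers are off' }
    $locations = @($cfg.VHDLocations | Where-Object { $_ })
    if ($locations.Count -eq 0) { $findings += 'VHDLocations is not set' }

    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    foreach ($path in $locations) {
        if (-not (Test-Path -LiteralPath $path)) {
            $findings += "Cannot reach $path (DNS, security group or share permissions)"
            continue
        }
        # A user group with Modify that inherits to child objects can open
        # other users' profile container folders.
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            $grantsModify = ($ace.FileSystemRights -band $modify) -eq $modify
            if ($ace.AccessControlType -eq 'Allow' -and $grantsModify -and
                $ace.InheritanceFlags -ne 'None' -and
                $UserGroups -contains $ace.IdentityReference.Value) {
                $findings += "$path : $($ace.IdentityReference) has inheritable Modify"
            }
        }
    }

    # Step 4 expectation: the local (non-persisted) profile folder exists.
    if (-not (Test-Path -LiteralPath "C:\Users\local_$env:USERNAME")) {
        $findings += "C:\Users\local_$env:USERNAME not found, profile is not in a container"
    }
    if ($findings.Count -eq 0) { 'FSLogix configuration looks as expected' } else { $findings }
}

Test-FSLogixProfileConfig
```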
- By default, the FSLogix profile container contains the entire Windows profile for the user (with just a few exceptions). As a result, users can download large files to the Documents or Desktop folder within their profile. This can quickly consume all allowed storage capacity for a given user. For this reason, I recommend that you use redirections.xml from FSLogix to redirect the Downloads and Desktop folders (and potentially any other folders) to C:\Users\local_<username> on the AppStream 2.0 instance. Since AppStream 2.0 is non-persistent, all user data written to the C-drive will not persist between sessions.
- Enable data deduplication on your Amazon FSx file system. The commands required to enable and configure data deduplication are defined in Data Deduplication in the Amazon FSx User Guide.
- You can view the throughput of your Amazon FSx file system in Amazon CloudWatch. If you find that your Amazon FSx file system is consistently exceeding its throughput capacity for extended periods of time (greater than 30 minutes), consider increasing your throughput capacity to maintain excellent performance for AppStream 2.0 end users. In general, FSLogix requires the greatest throughput the first time a user’s profile container is created (the first time they log in). As a result, you might consider only on-boarding a small fraction of your users into FSLogix at the same time.
- Amazon FSx supports Access Based Enumeration so that users cannot see files and folders to which they do not have access. This can be enabled on your Amazon FSx file system so that your users cannot easily view profile container folders other than their own on the network file share. You can use the Amazon FSx Remote Management CLI on PowerShell to run the Set-FSxSmbShare command to set FolderEnumerationMode to AccessBased. For more details, see the Amazon FSx Windows User Guide article File Shares.
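The redirections.xml recommendation above, as an added example that is not part of the original post: the script writes a redirections.xml that excludes Downloads and Desktop from the profile container and points FSLogix at it through the RedirXMLSourceFolder value. The folder path C:\ProgramData\FSLogix\Redirections is an assumption; run it as administrator on the image builder before creating the image.

```powershell
# Added example, not from the original post.
# $RedirFolder is a hypothetical path; any folder readable by session users works.
$RedirFolder = 'C:\ProgramData\FSLogix\Redirections'

# Paths in <Exclude> are relative to the user profile root. Excluded folders are
# kept in C:\Users\local_<username> instead of the profile container.
# Copy="0" means nothing is copied into or out of the excluded folder.
$redirections = @'
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="0">
  <Excludes>
    <Exclude Copy="0">Downloads</Exclude>
    <Exclude Copy="0">Desktop</Exclude>
  </Excludes>
</FrxProfileFolderRedirection>
'@

# Fail early on malformed XML rather than shipping an image with a broken file.
$null = [xml]$redirections

New-Item -ItemType Directory -Path $RedirFolder -Force | Out-Null
$file = Join-Path $RedirFolder 'redirections.xml'
Set-Content -LiteralPath $file -Value $redirections -Encoding UTF8

# FSLogix copies redirections.xml from this folder when the user signs in.
$key = 'HKLM:\SOFTWARE\FSLogix\Profiles'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'RedirXMLSourceFolder' -Value $RedirFolder `
    -PropertyType String -Force | Out-Null

# Show the value that was written.
Get-ItemProperty -Path $key -Name 'RedirXMLSourceFolder' |
    Select-Object RedirXMLSourceFolder
```

After the next sign-in, Downloads and Desktop should appear under C:\Users\local_<username> and no longer count against the container size set in SizeInMBs.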
In this blog, we deployed resources in an AWS account and made configuration changes in Active Directory. If you want to clean up these resources and reverse changes you made, you can complete the following steps:
- Unlink and delete the FSLogix GPO you created in the section Configure Registry Settings with Group Policy. If you want, you can remove the FSLogix Administrative templates you deployed to your central store.
- Remove users from your AppStream 2.0/FSLogix Active Directory group.
- Delete your Amazon FSx for Windows File Server file system.
- Delete or stop any AppStream 2.0 fleets, images, stacks, and image builders you have created specifically for this blog.
FSLogix Profile Containers and Amazon FSx for Windows File Server can be combined to create a powerful solution for AppStream 2.0 users to persist their application settings and customizations across sessions. These tools provide enhanced performance and flexibility compared to native roaming profiles from Windows and the native application settings persistence feature in AppStream 2.0, especially when a user’s application settings comprise several GB of data (or more). Amazon FSx for Windows File Server provides a sturdy foundation for FSLogix and a great end-user experience. Amazon FSx offers fully managed, highly available, and performant storage for storing FSLogix Profile Containers.
To learn more about FSLogix and other available FSLogix features, such as Application Masking, see the following:
To learn more about AppStream 2.0 and Amazon FSx, see: