Monday, November 9, 2015

Azure RemoteApp without User Profile Disk (UPD)?

Azure RemoteApp is the service within Azure that allows you to publish your Win32 applications from the cloud. Part of this service is that a User Profile Disk (UPD) is created for every user who logs on for the first time. This UPD is a single .VHDX file that contains the complete user profile, basically anything under C:\Users\<username>. This .VHDX file is then mounted on the fly under C:\Users\<username> during logon, which allows you to store settings centrally without having to cache profile settings locally. And since it is a mount path to a .VHDX file, it’s fully transparent for users as well as applications. For more information on UPD, also see Easier User Data Management with User Profile Disks in Windows Server 2012.

UPDs are not new with Azure RemoteApp. Within any on premises or hosted solution of Remote Desktop Services, UPD can be configured as part of the Deployment, as shown below.

image

Azure RemoteApp comes with UPD out of the box. UPD is great for many scenarios since it is easy to set up and basically captures every user setting. You do have to be careful though with allowing users to store data inside their profile (.OST files, OneDrive for Business cache, or large data), since the UPD file has a maximum capacity of 50 GB. In some scenarios you might not want to use UPD, but rather use your own profile management solution such as Microsoft UE-V, or a solution provided by vendors like FSLogix, AppSense, RES et cetera. When using those vendor solutions, in some cases UPD will not conflict and you can use them side by side, but in other cases you could run into compatibility issues or conflicts when you run those profile management solutions on top of UPD.

What many don’t know however is that using UPD is not mandatory in Azure RemoteApp! You can, if you want, have UPD disabled for a specific Azure Subscription. Send an e-mail to remoteappforum@microsoft.com, provide your Azure Subscription ID and ask for UPD to be disabled. Do note that Microsoft currently cannot disable UPD on a Collection level, only at an Azure Subscription level. This means that if you are running multiple Azure RemoteApp Collections within your subscription, UPD can only be disabled for all Collections.

In my lab I have created a new Azure RemoteApp Hybrid Collection called hybridnoupd, connecting back to my on premises (in this case Azure IaaS) environment.

image

To be able to distinguish it from other Azure RemoteApp deployments, I provided a separate OU during the configuration of this collection. As you can see, 2 computer objects (RD Session Host servers) have been created by Azure RemoteApp in my designated OU. This also allows me to easily create separate GPOs for these RD Session Host servers.

image

For this newly created Azure RemoteApp Collection I have asked Azure RemoteApp support to disable UPD for the Azure Subscription it is running in. There are various ways of confirming that UPD is in fact disabled. The easiest one is simply to log on a test user to Azure RemoteApp and launch an application. If we open an Azure RemoteApp application from the Collection where UPD is not disabled, and then connect to that RD Session Host server using our administrator account and browse to C:\Users, we’ll see the mounted 50 GB UPD file for, in this case, a user called testuser. Or, if you did not create any policies yet to prevent access to the local C: drive of the RDSH, simply publish explorer.exe as a RemoteApp.

image

If we now open an Azure RemoteApp application from the Collection where UPD is disabled and connect to that RD Session Host server as an admin, we’ll see a regular local profile created.

image

The fact that it is now a regular local profile obviously means that, without configuring anything else, no profile settings will roam across multiple RD Session Host servers as part of our Azure RemoteApp Collection. This however fully opens possibilities to start using other profile management solutions like Microsoft UE-V, FSLogix, AppSense, RES et cetera! Do note that Microsoft UE-V and RemoteApp in general are not the best mix when you want to store synchronous settings (settings that can only be stored during logoff, and can only be applied during logon), for example Roaming Credentials or Desktop Settings. I wrote an article on that here: Caution when using User Experience Virtualization (UE-V) with Microsoft RemoteApp.

To test one of the 3rd party Profile Management solutions I chose FSLogix Profile Containers. In the screenshot below you see a user logged on to Azure RemoteApp with an FSLogix Profile (similar to UPD) stored on a File Server in Azure IaaS! I can now fully manage this profile disk running on my File Server.

image

I won’t explain the setup and configurations of all these profile solutions here because this is no different than using these profile solutions in an on premises or hosted RDS environment. One of the great things about the hybrid model of Azure RemoteApp is, as we have also seen in this article, the fact that RD Session Host servers that are deployed as part of your Collection will become member servers of your domain. This means that we can manage those RD Session Host servers as if they were running on premises, leveraging the same Group Policy objects et cetera. There are many articles and how-to guides out there that discuss and describe these profile solutions. Applying those should not be different for Azure RemoteApp collections with UPD disabled.

There are however 3 things you need to be aware of:

  • The RD Session Host servers created as part of an Azure RemoteApp collection are provisioned and removed by Azure as needed as part of the elastic runtime. In other words, the RD Session Host servers themselves are non persistent. This means that you need to install software agents for the profile solution you wish to use inside the Azure RemoteApp Template Image, not inside each individual RD Session Host that gets deployed. You can however use GPO to configure these software agents by simply creating a new GPO and linking that to the OU where you configured Azure RemoteApp to create your RD Session Host servers.
  • If you have UPD disabled and don’t perform any additional configuration, cached copies of user profiles will be created on the OS partition of the RD Session Host servers created as part of an Azure RemoteApp collection, and they will stay there. Without configuring another profile solution or additional configuration to clean cached copies of roaming profiles using GPO, cached copies of those user profiles will pile up and could eventually cause disk space issues on the OS partition of RD Session Host servers, which could lead to unresponsive behavior. This is of course no different compared to any on premises deployment of RDS, but something to be aware of, because Microsoft cannot be held responsible for this.
  • Only create a Hybrid Collection in an Azure Subscription where UPD is disabled. If you create a Cloud collection, the RD Session Host servers as part of an Azure RemoteApp collection will run in a workgroup, not in an Active Directory Domain you can manage. In those scenarios Azure RemoteApp will create a “shadow user” on the fly locally on the RD Session Host server. With UPD disabled, this will result in a TEMP profile. I would advise to only use Hybrid Collections for UPD disabled Subscriptions.
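
The check described earlier (mounted UPD versus regular local profile) and the cached-profile build-up from the second point can both be audited on an RD Session Host with one script. This is an added example, not part of the original article; it assumes an elevated PowerShell session, that a mounted profile disk shows up as a reparse point on the profile folder, and an illustrative `$StaleDays` threshold.

```powershell
# Added example: report-only audit of user profiles on one RD Session Host.
# $StaleDays is an illustrative threshold, not a value from the article.
param([int]$StaleDays = 30)

$cutoff = (Get-Date).AddDays(-$StaleDays)

$report = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and (Test-Path -LiteralPath $_.LocalPath) } |
    ForEach-Object {
        $dir = Get-Item -LiteralPath $_.LocalPath -Force
        # Assumption: a mounted profile disk makes the folder a reparse point
        # (mount point); a regular local profile is a plain directory.
        $mounted = [bool]($dir.Attributes -band [IO.FileAttributes]::ReparsePoint)

        # Only plain local profiles consume space on the OS partition.
        $sizeMB = $null
        if (-not $mounted) {
            $bytes = (Get-ChildItem -LiteralPath $_.LocalPath -Recurse -Force -File `
                        -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum
            $sizeMB = [math]::Round($bytes / 1MB, 1)
        }

        [pscustomobject]@{
            Path    = $_.LocalPath
            SID     = $_.SID
            Type    = if ($mounted) { 'MountedDisk' } else { 'LocalProfile' }
            Loaded  = $_.Loaded
            LastUse = $_.LastUseTime
            SizeMB  = $sizeMB
            # Stale = not in use now and last used before the cutoff.
            Stale   = (-not $_.Loaded) -and $_.LastUseTime -and
                      ($_.LastUseTime -lt $cutoff)
        }
    }

$report | Sort-Object SizeMB -Descending | Format-Table -AutoSize

# Summarize what a cleanup policy would have to cover; nothing is deleted.
$stale = @($report | Where-Object { $_.Stale -and $_.Type -eq 'LocalProfile' })
$total = ($stale | Measure-Object -Property SizeMB -Sum).Sum
'{0} stale local profile(s), {1} MB on the OS partition' -f $stale.Count, [double]$total
```

Because the session hosts are non persistent, run it against whichever hosts currently exist in the collection's OU rather than relying on a fixed server list.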

Conclusion
UPD is not mandatory in Azure RemoteApp! Disabling User Profile Disks (UPD) on your Azure RemoteApp Collection fully opens the doors for your favorite Profile Management Suite! Whether it’s Microsoft UE-V, FSLogix, AppSense, RES or anything else, refer to installation guides, configurations and best practices for an on premises Microsoft RDS environment, keeping in mind the 3 implications of disabled UPD that I described above.
