Send Us Your Nerdio Manager for Enterprise Feature Requests!  

At Nerdio we LOVE customer feedback and always have. It’s how we learn and improve our products and services to better help our customers and partners. You are the ones using Nerdio, so who better to tell us what works, what doesn’t, or what you might be missing to better serve your clients and employees?!  

Almost weekly we receive new feature ideas and suggestions from our customers, partners, and community enthusiasts. It’s amazing to see how creative some of you are! And to see how quickly we can incorporate your suggestions into our product.  

Our New Feature Request Form  

To make the process of suggesting a new Nerdio Manager for Enterprise feature more structured and flexible we’ve created a submission page and feature request form. Traditionally we’ve heard about new features through a personal email or while on a call with a current customer. We’re hoping this will provide a faster, easier route that is accessible anytime!  

Timing + Consideration  

Although we greatly appreciate your ideas and suggestions (and the time you take out of your busy schedules to submit) to help improve our products and services, we cannot guarantee that your submission will make it into Nerdio Manager for Enterprise.  

If your idea makes sense and addresses a market need, your chances of making it into the product are good. The time this normally takes depends on where we are in our next sprint release, the complexity of the request, and so on. This can range from a few weeks to several months.   

Next Steps  

Once we receive your submission, we will review it internally. If we have any questions, we will reach out via the email you provided with the submission.  

As always, thank you very much for your interest in Nerdio! We appreciate your ongoing support in helping us improve our services.  

VDI, DaaS, and Emerging Technologies That Better Fit the SSL VPN Use Case

Whether evaluating their current function or considering implementing them as part of a remote work strategy, many organizations have undoubtedly evaluated SSL VPNs and their efficacy in securing the applications, data, and services of remote workers.  

But while VPNs might have more recognition, having been around for decades, there are technologies now that better fit the VPN use case in securely connecting remote workers to their corporate environments. Below we’ll look at the drawbacks of SSL VPNs that enterprises must be aware of and more modern technologies that are equipping enterprises with the security, connectivity, and improved end user experience that VPNs are lacking.  

SSL VPNs and Why They Are Used  

Virtual Private Networks (VPNs) provide users with secure remote connectivity. They are a mature, well-established technology that effectively allows a remote user to plug their laptop into the corporate network. SSL VPNs are software clients connecting end users to corporate networks. Connections are encrypted end-to-end so anyone “eavesdropping” on the network can’t intercept the traffic. That being said, SSL VPNs are increasingly being exploited by cybercriminals and nation states. This prompted CISA and the NSA to issue a detailed guide to help organizations and users understand the risks VPNs pose and how to select and configure a secure VPN.  

However, I’d be remiss not to detail where these types of VPNs are used safely and effectively. An effective use case, for example, is when companies issue company-managed devices to their employees. Fully managed and secured devices can enable users to connect from various locations via an SSL VPN without sacrificing much in terms of cybersecurity and protection. Of course, there are a lot of components that go into making a device managed and secured. These include enforcing password policies and multi-factor authentication (MFA) on both the laptop and the VPN connection, equipping employee devices with anti-virus / anti-malware software, current patches, etc.  

The bottom line is that SSL VPNs are a satisfactory solution if the environment matches them – meaning the client device connecting to the company network must be trusted as if it were physically present. It doesn’t work when WFH/WFA users install the company VPN client on a personal machine that has keyloggers or other nastiness compromising the environment’s security.  

Drawbacks of SSL VPNs 

SSL VPN connectivity is typically a function of a corporate firewall or router, with VPN functionality being a non-scalable component of the core network. In many cases these devices are designed to support up to a certain number of users or a bandwidth threshold. If that is exceeded, performance suffers dramatically, or users simply will not be able to connect. Upgrading VPN capabilities often requires changes to the core network infrastructure, and scaling it up and down based on remote-user demand is difficult, so the pandemic and work-from-home policies have made managing and maintaining a robust and flexible VPN solution at scale very challenging. 

Furthermore, SSL VPN functionality is generally seen as a low performance way to give users access to their data and applications. Unlike these VPNs that have users connect to the internet from unmanaged locations (ex. home network) and “pull” data across to their local PC, remote desktop solutions allow users to access data over higher bandwidth and lower latency connections by nature of their desktop running adjacent to the data source, and only send streaming images to the user’s home connection.  

Finally, being a mature technology solution also means that in many cases SSL VPNs were not architected with modern security and availability considerations in mind. For instance, some solutions may not have multi-factor authentication enabled or may not have redundancy built in. Many organizations have traditionally used SSL VPNs for a small minority of users working remotely as opposed to within the confines of a corporate office. Because of this, a VPN failure could be tolerated because the majority of a company’s users used the corporate network to connect to corporate data and apps. In today’s WFH world, SSL VPNs simply don’t stack up to modern alternatives.  

Emerging Technologies Better Fit the SSL VPN Use Case  

A number of technologies like SD-WAN, SASE and SDP have emerged to address the same issues VPNs traditionally have by offering secure, encrypted remote access. It’s worth noting that some of these still suffer similar drawbacks such as reduced performance from accessing data at a distance and being susceptible to compromised end user devices. Many organizations have also replaced SSL VPN technologies with zero-trust methods and tools along with modern identity and access management (IAM) solutions.  

That being said, organizations have also increasingly turned to virtual desktop infrastructure (VDI) and Desktop-as-a-Service (DaaS) solutions as they seek out not only more modern ways to securely enable remote work but also evaluate corporate device policies and hardware investments. These solutions, like Microsoft’s Azure Virtual Desktop and Windows 365 offerings, keep all data and work within the secured environment. As a result, it does not matter whether a user is logging in from a company laptop, home computer, or public machine: because users work inside the VDI session, no data needs to travel outside the company network. So, the potential attack surface is much smaller while the scalability and opportunity for BYOD initiatives increase.  

Additionally, today’s VDI solutions are very flexible, allowing users the option to securely access their resources without needing extra software. Users can quickly connect through web browsers without any installs, making remote work fast, flexible, and safe. And for simple cases like accessing internal apps or web resources, organizations won’t find it necessary to provide users a full desktop; they can be selective in giving users only the resources they need, abiding by zero-trust principles.  

The bottom line is that SSL VPNs are often a slower, less reliable, non-scalable, and less secure way to enable work from home.  This is why VDI and DaaS solutions are better, more modern, and flexible alternatives. 

AVD Identity Management Part 1: Historic Limitations + The Introduction of Azure Active Directory  

Identity management in Microsoft Azure is a huge component of overall management and of architecting a successful environment. It is necessary for delivering the apps, data, and tools users need to be productive, maintaining proper group policies and permissions, and much more.  

In this blog post, learn about the history of Microsoft’s Active Directory, its evolution, and the new era of identity management in Azure Virtual Desktop utilizing Azure AD Join. This is the first in a two-part series around identity management in Azure Virtual Desktop and, more broadly, Azure.

A Brief History Lesson 

If you are as old as I am then you will remember the phrases Primary Domain Controller and Backup Domain Controller which went waaaaaay back to Windows NT4. In 2000, Microsoft released something called Active Directory alongside Windows 2000 (I hope lots of memories are flooding back now!).  

Active Directory was essentially a database with a schema, which consisted of all the user accounts, computer accounts, security groups and other information for the Active Directory “Domain”. This information was replicated to other “Domain Controllers” throughout a company’s Active Directory forest and domains. This allowed users to log onto the company domain and authenticate to access other resources using Kerberos or NTLM authentication.  

As part of Active Directory, Microsoft also introduced the concept of Group Policies, a way of configuring settings and applying them centrally to all of a company’s domain-joined computers.  

Active Directory continues to be extremely popular today, an impressive 22 years after its initial release! If you ask any enterprise company running Windows, and even most SMBs using the OS, there is a high chance they will be using Active Directory. 

In October 2015, Microsoft released Azure Active Directory Domain Services (Azure AD DS) to the world.  Azure AD DS is an Azure-managed PaaS (platform-as-a-service) offering of Active Directory. This effectively brought Active Directory into the cloud. 

Each Azure AD DS deployment consisted of two domain controllers in the company’s specified region. These are deployed and managed by Microsoft. Alternatively, some customers deployed virtual machines (VMs) into Azure and then installed AD DS onto them. Generally, this provided more compatibility and kept operating costs around the same, but it meant introducing an additional VM to manage within one’s Azure Environment.  

Enter the modern era of cloud computing and we now have a third identity management service in the Microsoft mix – Azure Active Directory (Azure AD).  Azure AD was initially released to support Office 365 and to work alongside Azure AD DS or AD DS.  Admins sync users and security groups from either of these solutions into Azure AD, and then Office 365 and other Microsoft services use Azure AD to authenticate users.  

However, Azure Virtual Desktop hosts still had to join Active Directory domains.  

Image Credit: Microsoft

This is All Getting a Bit Complicated 

Azure Virtual Desktop was released in September 2019, known as Windows Virtual Desktop at the time. With Azure Virtual Desktop, users must be synced to Azure AD, and Azure Virtual Desktop hosts must be joined to either AD DS or Azure AD DS. This presented a problem, as users had to authenticate twice: first to Azure AD to access the Azure Virtual Desktop service, and second against the computer account for the domain. This was known as a double logon, which inevitably begged the question, “Wouldn’t it be great if we could authenticate against only one service?” 

Enter Azure AD Join 

In September 2021, Microsoft released Azure AD Join for Azure Virtual Desktop hosts. This introduced the capability to Azure AD Join an Azure Virtual Desktop host, which takes away the requirement to deploy either Azure AD DS or AD DS into an Azure environment.  

Before you get too excited, the users must still be synced into Azure AD from Azure AD DS or AD DS if you want to use FSLogix profiles. Many do, and will still need to deploy these for now. This is a limitation which Microsoft is working to unblock and which will hopefully be remedied later this year.  For now, though, it gives us the ability to Azure AD Join our session hosts without needing line of sight to our domain controllers. Not needing line of sight to our domain controllers means that we do not have to deploy additional network infrastructure to ensure connectivity to them, for example, site-to-site domain controllers. 

What about FSLogix Profiles? 

Eagle-eyed readers of this article by now will have thought, “If I have my FSLogix profile sitting on an Active Directory storage account, how is logging into my session using my Azure AD credentials going to work?”  

Well…Microsoft also recently released the capability to Azure AD Join storage accounts into public preview! This means that if session hosts are Azure AD Joined, and the storage account containing the FSLogix profiles is Azure AD Joined, it will all work like magic!  

The process of performing Azure AD Join to reach the ideal scenario above is quite complicated, but Nerdio makes it easy through automation – a screenshot of Nerdio Manager for Enterprise is below to illustrate. Note Azure AD Join is currently in Public Preview, so please only use this in non-production environments.  

Once Azure Virtual Desktop hosts and storage accounts are Azure AD Joined, admins will only ever have to authenticate against Azure AD for a seamless experience.  

Note, at this moment in time, the user must be synced from Active Directory Domain Services for this to work. Azure Active Directory Domain Services is not supported currently but will be in the future.

We all also now have the capability to auto-subscribe to the Azure Virtual Desktop feed via MEM Configuration which means a true single-sign on experience is possible for our end users.  

I hope you enjoyed this post! Check back in a few weeks for Part 2 in this series on identity management in Azure. We will do a technical deep dive on how Azure AD Join is configured and some other things you need to think about when using the service.  

For more information, please check out the following Microsoft resources:  

Deploy Azure AD joined VMs in Azure Virtual Desktop – Azure | Microsoft Docs 

Create an Azure file share with Azure Active Directory (preview) | Microsoft Docs 

What are FSLogix Profile Containers in Azure Virtual Desktop (AVD)? Here’s What You Need to Know

A common question we get from Managed Service Providers (MSPs) is about the way FSLogix profiles are configured and how they work with Azure Virtual Desktop (AVD).  In this article, I’ll provide a technical overview of the technology.  This is a 200-level technical article.

First, you can find everything there is to know about FSLogix here. This is an extensive documentation repository but can be overwhelming at first glance.  I’ll try to distill the relevant information here.

What is FSLogix Profile Container technology and why should it be used?

There are actually 4 FSLogix products:

  1. Profile Container
  2. Office Container
  3. Application Masking
  4. Java Version Control

Here, we will focus on #1 only – Profile Container (PC).  Office Container benefits are automatically included in the Profile Container product, so we won’t discuss Office Container at all.  Application Masking and Java Version Control are interesting technologies that we’ll explore in future articles.

In a nutshell, Profile Container redirects a user’s profile (what’s typically stored in C:\Users) to a VHD file on a file share.  This allows a user to log into a different desktop VM each time they connect and still have access to the same user profile settings since the profile container is mounted under C:\Users whenever a user logs in. 

This functionality is what enables users to be assigned to session host pools with multiple VMs and still have a consistent user experience when they get redirected to a different VM each time by the AVD connection broker.

How is FSLogix Profile Container enabled?

Profile Container (PC) is enabled via a simple registry entry in HKLM\SOFTWARE\FSLogix\Profiles after it is downloaded and installed.  Here you enable the Profile Container and point it at a UNC of a file share location where the profile VHD file will be created when users log in.

Nerdio Note:

FSLogix Profile Container is enabled by default on the Nerdio configured AVD Windows 10 multi-session template VM.  The profile location is set to \\FS01\Profiles\%Username%.

Also, there is an XML file in the \\FS01\Profiles location that excludes the Desktop and Documents folders from being included in the FSLogix PC.  Instead, these folders are redirected to the \\FS01\Users\%username% folder using Group Policy.  This reduces the size of the FSLogix VHD file and enables IT administrators to centrally back up and manage users’ personal data.

That’s all it takes to enable FSLogix Profile Container.

What happens when a user logs in?

When a user logs into a desktop VM where FSLogix PC is enabled, the system first checks for the presence of a local profile for the user.  If a local profile exists (e.g. a folder is present in C:\Users and a registry entry for the local profile exists in the ProfileList key), then FSLogix PC skips the process of creating or connecting to the network profile specified by the registry entry mentioned above.

If no local profile exists, PC connects to the UNC location specified in the registry and either attaches a profile that already exists or creates a new one.  The user must have Modify permissions to the profile folder on the file share.  If PC cannot mount or create a profile, it falls back to a local profile, using one if it exists or creating a new one if it does not.  In this situation, all user personalization settings will be stored in C:\Users and will be lost once the user logs into another desktop VM in the future.

Nerdio Note:

To avoid a situation where a local profile that already exists on a desktop VM prevents the creation of a network-based profile, the Nerdio golden image includes an entry that will automatically delete the local profile and create a VHD one in the file share.

The registry entry is DeleteLocalProfileWhenVHDShouldApply and it is set to value of 1.

How can you tell if the Profile Container redirection is working?

There are a few ways to do this:

  1. Look in C:\Users and see if there is a folder called “Local_username”. The presence of this folder with a recent modified date indicates that profile container redirection to a file share is working.
  2. Look in the file share for the VHD file and note its modified date. If it is current, then redirection is likely working.
  3. If the user account has local administrator rights on the desktop VM, check the Windows Disk Management utility. You’ll see a virtual mapped drive listed.

What can you do if Profile Container redirection is not working?

If you notice that profile redirection isn’t working, verify the following:

  1. Profile Container operation can be controlled with local security groups that include or exclude users or groups from having their profiles redirected. Use Computer Management > Local Users and Groups to verify that the user (or a group that includes the user) is not excluded from PC.
  2. Make sure that there is not a local copy of the profile already on the desktop preventing PC from turning on. If there is, either delete the local profile or use the DeleteLocalProfileWhenVHDShouldApply registry key to have FSLogix PC do this for you automatically on the next login.
  3. Make sure the user can access the UNC file path where FSLogix PC is expecting to create the profile VHD file. Make sure that the path is correct and browsable and that the user can create and delete items inside of the file share.  If not, troubleshoot share access or NTFS permissions.
  4. In Event Viewer, find the FSLogix Apps operation log and look for the entry that shows whether the profile mount worked. If the exit code is not 0, look up the code here.
  5. Once you’ve verified 1-4 above, see if the user may be logged in to another session host desktop VM and the VHD file on the file share is locked by that session. You can log into the file server and check Computer Management>Open files for more information.  If the profile container VHD file is locked, close the file handle and log in again.
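The checks in the two lists above, gathered by one script. This is an added example, not Nerdio's or Microsoft's code; it assumes the FSLogix event log is named Microsoft-FSLogix-Apps/Operational, that the exclusion group is the local group "FSLogix Profile Exclude List", and that the VHD follows FSLogix's default Profile_<username>.vhd(x) naming.

```powershell
# Added diagnostic script (not Nerdio's or Microsoft's code). Run on the session
# host as an administrator; it only reads state and returns one object.
$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'

function Test-FSLogixRedirection {
    param([Parameter(Mandatory)][string]$UserName)

    $cfg = Get-ItemProperty -Path $ProfilesKey -ErrorAction SilentlyContinue
    $r = [ordered]@{ UserName = $UserName }

    # Registry: is Profile Container on, where does it look, does it fail closed?
    $r.Enabled                  = ($cfg.Enabled -eq 1)
    $r.VHDLocations             = @($cfg.VHDLocations)
    $r.DeletesStaleLocalProfile = ($cfg.DeleteLocalProfileWhenVHDShouldApply -eq 1)
    $r.FailsClosed              = ($cfg.PreventLoginWithFailure -eq 1 -and
                                   $cfg.PreventLoginWithTempProfile -eq 1)

    # Step 1: is the user on the exclude list? (members are listed as DOMAIN\name)
    $excluded = Get-LocalGroupMember -Group 'FSLogix Profile Exclude List' -ErrorAction SilentlyContinue
    $r.OnExcludeList = [bool]($excluded | Where-Object { $_.Name -match "\\$([regex]::Escape($UserName))$" })

    # Step 2 and the "how can you tell" list: a recently written local_<user>
    # folder means the container mounted; a ProfileList entry pointing at
    # C:\Users\<user> with no such folder is a plain local profile.
    $local = Get-Item -Path "C:\Users\local_$UserName" -ErrorAction SilentlyContinue
    $r.LocalFolderWrittenRecently = [bool]($local -and $local.LastWriteTime -gt (Get-Date).AddDays(-1))
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $r.LocalProfileRegistered = [bool](Get-ChildItem -Path $profileList -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).ProfileImagePath -ieq "C:\Users\$UserName" })

    # Step 3: is the share reachable and writable, and is the VHD there?
    # (the write probe tests the account running this script, not the user)
    $r.ShareReachable = $false; $r.ShareWritable = $null; $r.VhdFound = $null
    foreach ($loc in $r.VHDLocations) {
        # The article's location ends in %Username%; probe the share root above it
        $root = if ($loc -match '%username%') { Split-Path ($loc -replace '%username%', $UserName) -Parent } else { $loc }
        if (-not (Test-Path -Path $root)) { continue }
        $r.ShareReachable = $true
        try {
            $probe = Join-Path $root ".fslogix-probe-$PID"
            New-Item -Path $probe -ItemType File -Force -ErrorAction Stop | Out-Null
            Remove-Item -Path $probe -Force
            $r.ShareWritable = $true
        } catch { $r.ShareWritable = $false }
        $vhd = Get-ChildItem -Path $root -Depth 2 -Filter "Profile_$UserName.vhd*" -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($vhd) { $r.VhdFound = $vhd.FullName; $r.VhdLastWrite = $vhd.LastWriteTime }
    }

    # Step 4: most recent FSLogix operational event that mentions this user
    $ev = Get-WinEvent -LogName 'Microsoft-FSLogix-Apps/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match [regex]::Escape($UserName) } | Select-Object -First 1
    $r.LastFSLogixEvent = if ($ev) { "$($ev.TimeCreated): $($ev.Message.Split("`n")[0])" } else { 'none found' }

    [pscustomobject]$r
}

# Step 5, run on the file server: is the VHD still held open by another session?
function Get-FSLogixVhdLock {
    param([Parameter(Mandatory)][string]$UserName, [switch]$Close)
    $open = Get-SmbOpenFile | Where-Object { $_.Path -like "*Profile_$UserName.vhd*" }
    if ($Close -and $open) { $open | Close-SmbOpenFile -Force }   # then have the user log in again
    $open
}

Test-FSLogixRedirection -UserName 'jdoe' | Format-List   # 'jdoe' is a placeholder account
```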

Additional recommendations for FSLogix Profile Container

FSLogix Profile Container requires little configuration to enable and gracefully fails over from a redirected profile to a local profile.  Unfortunately, this can create a situation in which a user is not aware that their settings aren’t being saved on the file share and are going to be discarded because they are saved locally.  To avoid this situation, it may be advisable to prevent users whose profiles cannot be redirected from logging in and using the system with local profiles.  To do so, the following two registry entries can be added on the desktop VMs and set to a value of 1.

  • PreventLoginWithFailure
  • PreventLoginWithTempProfile

Putting it all together

Here is the recommended configuration of FSLogix on host pool template VM in the Nerdio environment.
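The settings this article recommends, applied and then verified on a session host. This is an added example, not Nerdio's or Microsoft's code; \\FS01\Profiles\%Username% is the article's profile location, and RedirXMLSourceFolder is assumed to be the FSLogix value that points at the folder holding the exclusion XML the article mentions.

```powershell
# Added configuration script (not Nerdio's or Microsoft's code).
$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'

# Fail-open baseline: the container mounts when it can and silently falls back
# to a local profile (whose changes are later lost) when it cannot.
$FailOpen = @{
    Enabled      = 1
    VHDLocations = '\\FS01\Profiles\%Username%'
}

# Recommended: same location, stale local profiles are purged, and a logon whose
# profile cannot be redirected is refused instead of landing on a local/temp profile.
$Recommended = @{
    Enabled                              = 1
    VHDLocations                         = '\\FS01\Profiles\%Username%'
    RedirXMLSourceFolder                 = '\\FS01\Profiles'   # assumed key; folder with the exclusion XML
    DeleteLocalProfileWhenVHDShouldApply = 1
    PreventLoginWithFailure              = 1
    PreventLoginWithTempProfile          = 1
}

function Set-FSLogixProfileContainer {
    param([Parameter(Mandatory)][hashtable]$Settings)
    if (-not (Test-Path -Path $ProfilesKey)) { New-Item -Path $ProfilesKey -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        $value = $Settings[$name]
        # Flags are REG_DWORD; paths are stored as REG_SZ
        $type = if ($value -is [int]) { 'DWord' } else { 'String' }
        Set-ItemProperty -Path $ProfilesKey -Name $name -Value $value -Type $type
    }
}

# Returns the names whose current value differs from $Expected, so the same
# function doubles as a drift check across every session host.
function Compare-FSLogixProfileContainer {
    param([Parameter(Mandatory)][hashtable]$Expected)
    $current = Get-ItemProperty -Path $ProfilesKey -ErrorAction SilentlyContinue
    $Expected.Keys | Where-Object { "$($current.$_)" -ne "$($Expected[$_])" }
}

Set-FSLogixProfileContainer -Settings $Recommended
$drift = Compare-FSLogixProfileContainer -Expected $Recommended
if ($drift) { Write-Warning "Not applied: $($drift -join ', ')" }
else        { 'FSLogix Profile Container configured as recommended.' }
```

Running Compare-FSLogixProfileContainer with $FailOpen instead shows exactly which fail-closed values a host is missing.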

At Nerdio, our mission is to empower MSPs to build successful cloud practices in Microsoft Azure with technology and knowledge.  Nerdio for Azure simplifies and automates the deployment, pricing, management, and cost-optimization of AVD environments in Azure, and our educational content is custom-tailored for MSPs to help them succeed with Azure and partner with Microsoft.

NerdioCon 2023 Location Announced! 

Back in late February we kicked off NerdioCon 2022, our first-ever in-person user conference and industry event. It was a smashing success and one met with a fantastic reception by the global managed service provider (MSP) and channel community.  

Not only were we able to engage in-person with partners and MSPs from all over the world – but they were able to meet, learn and connect with each other and the channel’s top vendors and thought leaders. Attendee feedback has been overwhelmingly positive, with many expressing appreciation for the venue, location, and dedication to creating community.  

But the question on everyone’s mind (and in our inboxes!) is undoubtedly… “Where and when will NerdioCon 2023 take place?!” 

The number of inquiries about this in the months following NerdioCon 2022 already has us super excited for our next user conference. And thinking hard on how we can replicate the success of this year’s event with a dedicated enterprise track for our Nerdio Manager for Enterprise customers and community. While many details are still being ironed out – we couldn’t hold our tongues anymore.  

We’re announcing that we will be returning to beautiful Cancun, Mexico in February 2023 for another amazing all-inclusive event!  

Watch prominent channel leaders from Nerdio, Datto, Pax8 and Blackpoint Cyber in the video above discuss NerdioCon highlights and overall takeaways. Sign up at www.nerdiocon.com to stay informed on event updates and when tickets go on sale!  

5 Things MSPs Must Know about FSLogix  

Microsoft’s FSLogix is known for being a powerful profile management tool. It has many desirable features for managed service providers (MSPs) operating in Azure.  Launched in 2012 as a startup independent of Microsoft, FSLogix provided a tool to reduce the number of resources, time, and labor required to support virtual desktops. Because of the natural synergies with our mission, Nerdio has been a big fan of FSLogix since the beginning and closely kept an eye on the evolution of their product.  

And we weren’t the only ones! In 2018 Microsoft acquired the company. They noticed the value FSLogix brought to profile and application containerization and the company’s alignment with their own goals as it related to Azure Virtual Desktop (AVD), called Windows Virtual Desktop (WVD) at the time.  

Fast-forward to today and we have seen the investments Microsoft has made into this technology, and into bringing it to the masses via AVD, pay off significantly. MSPs who have an Azure practice have come to rely on FSLogix to optimize their environments. And MSPs who aren’t in Azure may not know about the benefits FSLogix provides… this article is for you!  

Below I outline the five key things your MSP should know when it comes to FSLogix and how you can use them to your advantage. 

1. A Premium Experience Requires Premium Storage 

We see a good deal of our MSP partners leveraging FSLogix alongside Azure Files, a popular solution for hosting files and folders, including user profiles, on Microsoft Azure. Specifically, they are seeing great results with this combination when using the Premium storage tier because profiles are so read/write-intensive. Azure Files Premium coupled with FSLogix maintains the best user experience by providing the highest IOPS and throughput for the disk.  

To further the above benefits while reducing storage costs, combine these technologies with the powerful auto-scaling capabilities available in Nerdio Manager. It helps MSPs eliminate common issues around over-provisioning or incorrectly guessing how much storage is needed by effectively turning the Premium tier into a pay-as-you-go model. 

2. How to Automate the Security and Access You Require  

Azure Virtual Desktop is a service that is constantly improving when it comes to identity and access management (IAM) and ensuring security at scale. Role-based access control (RBAC) roles are available in AVD and Nerdio Manager, with the latter giving MSPs the ability to create custom RBAC roles. To ensure FSLogix helps support your access policies, MSPs can automate setting the Azure Storage File Data SMB Share Contributor role on the Azure Files profile share for all users within a Security Group.  

This role is required to provide the needed Read/Write access for the profile share. You can read more about this role and others available via Microsoft’s documentation. By automating this setting, MSPs can consistently uphold zero trust principles whenever a new user or group is added.  
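The role assignment described above, automated at the scope of the profile share only. This is an added example, not Nerdio's or Microsoft's code; it requires the Az PowerShell module and an authenticated session, and the subscription, resource group, storage account, share and group names are placeholders.

```powershell
# Added automation example (not Nerdio's or Microsoft's code). Run after
# Connect-AzAccount with rights to assign roles on the storage account.
$SubscriptionId = '<subscription-id>'
$ResourceGroup  = '<rg-avd>'
$StorageAccount = '<stavdprofiles>'
$ShareName      = 'profiles'
$GroupName      = 'AVD-Users'   # security group whose members get FSLogix profiles
$RoleName       = 'Storage File Data SMB Share Contributor'   # the Read/Write role the share needs

# Scope the assignment to the share itself, not the whole storage account, so
# the group gets no rights on any other share (least privilege).
$ShareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
              "/fileServices/default/fileshares/$ShareName"

function Grant-ProfileShareAccess {
    param([string]$Group = $GroupName, [string]$Scope = $ShareScope, [string]$Role = $RoleName)
    $grp = Get-AzADGroup -DisplayName $Group
    if (-not $grp) { throw "Security group '$Group' not found" }
    # Idempotent: safe to run on every onboarding; skips an existing identical assignment
    $existing = Get-AzRoleAssignment -ObjectId $grp.Id -RoleDefinitionName $Role -Scope $Scope
    if ($existing) { return $existing }
    New-AzRoleAssignment -ObjectId $grp.Id -RoleDefinitionName $Role -Scope $Scope
}

# Review: every principal with SMB data rights on the share, including rights
# inherited from the storage account or resource group, which are easy to miss.
function Get-ProfileShareAccess {
    param([string]$Scope = $ShareScope)
    Get-AzRoleAssignment -Scope $Scope |
        Where-Object { $_.RoleDefinitionName -like 'Storage File Data SMB Share *' } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
}

Grant-ProfileShareAccess | Out-Null
Get-ProfileShareAccess | Format-Table -AutoSize
```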

Pro Tip – Consider these best practices for NTFS Permissions on the profile share: 

3. Configure Outlook Cache to Avoid Overspending Real CASH 

One of the biggest benefits of FSLogix profiles is the ability to roam the user application caches, for example, Outlook mailbox data, and avoid constantly recreating it. Strategically defining individual cache settings allows MSPs to plan for growth and spending. What most MSPs don’t consider is that if left undefined, application caching can grow quickly and not all of it is crucial to your users’ experience.  

As an example, consider again a user’s Cached Exchange Mode settings. Is it wise to download all their mailbox if they only need “fast/local” access to the last three months’ worth of data?  

Most MSPs find that it is in their best interest to configure a Group Policy Setting to manage Cached Exchange Mode which will define the amount of a user’s profile dedicated to Mailbox content storage. We have seen MSP partners configure this setting for as little as three months and as much as one year. Knowing the details of this setting can allow you to strategically assume/plan for the amount of growth in a user’s profile. Read Microsoft’s documentation about planning and configuring for additional insights and recommendations.  

4. FSLogix Is More Than Just Profile Management  

FSLogix is a great way to create roaming user profiles in non-persistent computer environments like an AVD host pool with users logging into different hosts on what could be a daily basis. Profiles would no longer be dependent on an individual machine due to the added flexibility with FSLogix. This allows MSPs to provide customers dynamic environments with a consistent user experience.  

But FSLogix includes a suite of tools focused on much more than just profile containers. Skilled and advanced MSPs have found value in using FSLogix for roaming Office profiles and cache, and masking applications so only the right users can see and access them. And some also use it for the ability to manage Java versioning. 

5. Why Application Masking May Be Our Favorite Feature  

FSLogix includes some incredible tools to manage application restrictions within multi-user environments. If you only want a subset of users to have access to an application on a multi-session host, you can implement app masking to hide apps from users. Looking to make app masking and management easier? Learn more about how Nerdio Manager helps manage installed apps and rule sets using FSLogix.  

I hope this has been an informative read on what is without a doubt one of the most helpful (but complex!) Azure Virtual Desktop-related technologies. To discuss FSLogix further or how your MSP can benefit from using or optimizing it, you can contact our team or join me at the Nerdio Partner Success Community.