Azure Stack HCI & Azure Virtual Desktop: What it is, benefits, use cases, and more  

In this article, we are going to explain the foundational concepts of Azure Stack HCI, what it is used for, its benefits, use cases, and finally how Nerdio manages Azure Virtual Desktop (AVD) for Azure Stack HCI.  

Azure Stack HCI is two different technologies coming together:  

  • Azure – Microsoft’s cloud platform for centralized management, monitoring, and deployment of workloads; 
  • Hyper-Converged Infrastructure (HCI) – a solution that combines software-defined compute, storage, and networking with hardware.  

What is Azure Stack HCI?

Microsoft explains Azure Stack HCI as a solution that “allows you to deploy Windows and Linux-based virtualized and containerized workloads on a hyper-converged infrastructure (HCI) cluster in your own datacenter, or in a data center managed by a service provider.” It allows customers to extend Azure into their on-premises environment and manage it via the Azure Portal by leveraging Azure Arc.  

Azure Stack HCI enables customers to have dedicated compute and storage in their own data center. This allows them to create private clouds, virtualize workloads, and run modern, cloud-native applications on-premises. You can use Azure Stack HCI to support diverse workloads, including AVD, backup and disaster recovery, databases, big data analytics, Kubernetes, and edge computing. Many organizations utilize it to retain certain data and workloads on-premises, ensuring compliance, security, or performance requirements are met.

Azure Stack vs. Azure Stack HCI: How They Differ

Azure Stack is a hybrid cloud platform that allows organizations to deploy Azure services on-premises. It provides consistent development and management experience across Azure and on-premises environments. 

Azure Stack HCI optimizes virtualized workloads and utilizes the Windows Server 2019 operating system. It incorporates software-defined compute, storage, and networking technologies. This solution caters to customers desiring on-premises virtualized workloads while leveraging the ease and flexibility of the Azure ecosystem.

The main differences between Azure Stack and Azure Stack HCI are their intended use cases and the services they provide. Azure Stack is designed for hybrid cloud scenarios, allowing customers to run Azure services on-premises and in the cloud, while Azure Stack HCI is optimized for virtualized workloads and provides a hyper-converged infrastructure solution for on-premises data centers. 

What is Azure Stack HCI used for? 

In the context of this post, the main feature Azure Stack HCI enables is running AVD session hosts on-premises. By running AVD on Azure Stack HCI, end-users get the same desktops and resources they are used to, but with the increased performance that Azure Stack HCI brings by having dedicated computing, storage, and networking in their own data center. Additionally, the AVD desktops are located in data centers close to users and their data. Further, some organizations have mandatory requirements to store that data locally and not in the public cloud. Finally, it also brings low-latency connections to their AVD desktops.

Benefits of Azure Stack HCI

By running AVD session hosts on Azure Stack HCI hardware located on-premises, Azure Stack HCI improves performance where connectivity to Azure is high-latency and helps meet compliance requirements. This provides end-users with a low latency connection and fast access to data.

Azure Stack HCI offers several benefits that enhance performance and compliance, particularly in scenarios with high latency connectivity to Azure. Here are the key benefits: 

  1. Improved performance by deploying AVD session hosts on Azure Stack HCI hardware that is located on-premises, reducing the network latency, and allowing for faster access to applications and data.
  2. Compliance and data residency can be strictly enforced with Azure Stack HCI as organizational data remains on-prem.
  3. Hybrid cloud flexibility: Azure Stack HCI allows organizations to use Azure services with workloads that run on-prem.
  4. Cost optimization with Windows 10 and 11 multi-session running on-prem.

Use Cases for Azure Stack HCI with AVD 

Below are the key benefits an enterprise receives when using AVD for Azure Stack HCI:  

a. Hybrid Cloud: AVD for Azure Stack HCI can be used to deploy a hybrid cloud infrastructure where customers can leverage their existing on-premises infrastructure to host virtual desktops and applications and integrate with Azure for identity and access management, backup and disaster recovery, and other services. 

b.  High-performance virtual desktops: AVD for Azure Stack HCI can provide high-performance virtual desktops for power users and designers who need access to demanding workloads such as video editing, 3D rendering, and other graphically intensive applications. 

c. Regulatory compliance: Some organizations, such as those in the healthcare or financial sectors, have strict regulations around data residency and privacy. AVD for Azure Stack HCI can provide a secure and compliant virtual desktop infrastructure that meets these requirements. 

d. Remote work: AVD for Azure Stack HCI can provide a flexible and secure remote work environment for employees who need to work from home or other remote locations. 

Overall, Azure Stack HCI with AVD provides a versatile and scalable solution for deploying and managing virtual desktops and applications on-premises or in a hybrid cloud environment.  

Considerations of Azure Stack HCI 

As with any solution, there are also scenarios when it shouldn’t be used: 

a. Limited scalability within a cluster: An Azure Stack HCI cluster can support a maximum of 16 servers. This is sufficient for small-to-medium-sized organizations. For larger deployments that require more than 16 servers, you can deploy multiple clusters. 

b. Management overhead: While Azure Stack HCI simplifies some aspects of deploying and managing virtualized environments, it can still be a complex system to set up and maintain. This can require specialized expertise and additional resources. However, it’s familiar for Hyper-V and server admins, allowing them to leverage existing virtualization and storage concepts and skills. Plus, it works with existing data center processes and tools such as Microsoft System Center, Active Directory, Group Policy, and PowerShell scripting.

c. Additional cost: Azure Stack HCI requires you to purchase Azure Stack HCI and server hardware, while you don’t have to worry about that with Azure. However, Azure Stack HCI utilizes industry-standard hardware (not proprietary) so you can choose the vendor that best meets your needs. Microsoft has a full list of over 550 Microsoft-validated solutions. For example, our partner DataON has over 110 validated Integrated Systems and validated nodes in the Azure Stack HCI Catalog. 

d. Limited support: Azure Stack HCI is a relatively new technology, and there may be limited support options available compared to more established virtualization solutions. 

e. Dependency on Azure: While Azure Stack HCI can operate as a standalone solution, it is tightly integrated with Azure services and requires a connection to Azure for certain features. This can limit its use cases in environments where a connection to Azure is not feasible or desirable.

How Nerdio helps with managing AVD on Azure Stack HCI 

Nerdio simplifies the management of AVD in Azure and on Azure Stack HCI.  

In previous versions, Nerdio Manager supported AVD on Azure Stack HCI with Hybrid Workers. Microsoft has since rolled out a new option using Resource Bridge. With Resource Bridge, linking your Azure Stack HCI cluster to Nerdio Manager has been simplified.

Nerdio allows IT administrators to manage host pools in Azure and Azure Stack HCI from one management portal.  

IT administrators can use Nerdio Manager to create, manage, and update images. The process remains the same regardless of where the host pools are going to be hosted. The only difference comes from the extra time needed to “push” the image to Azure Stack HCI.  

Both Azure Image Gallery and Azure VMs can be used as sources of the image.

Key Takeaways

This article covered Azure Stack HCI and how it differs from Azure Stack. It explores the use of Azure Stack HCI, its benefits, and use cases, which include hybrid cloud deployment, high-performance virtual desktops, regulatory compliance, and remote work. It highlights some considerations of Azure Stack HCI, including limited scalability, complexity, cost, limited support, and dependency on Azure. Lastly, the article explains how Nerdio Manager simplifies the management of AVD on Azure Stack HCI. 

Unified Application Management (UAM) & Nerdio Manager for Enterprise: A Functional Overview 

Unified Application Management Common Use Cases

Application Management poses several challenges to the modern organization. Application estates are often diffused, with packages located across different repositories and deployed by a variety of deployment mechanisms. These can include: 

  • Manual deployment from file shares or network drives. 
  • Group policy-based deployment. 
  • Configuration Manager (SCCM) deployment 
  • Installation into master images for both VDI and physical devices 
  • Application streaming and application virtualization technologies (various) 
  • Scripted installation of applications using 3rd party tools 
  • Intune deployment 
  • Delegated permissions (user deployment) 

While it may be uncommon to see all the above in a single environment, most organizations have more than one repository and more than one delivery mechanism in place. This is often because organizations have accumulated various applications over time. Applications and application types vary by department.

Large enterprises frequently do not prioritize the modernization of such applications. As a result, these applications were built years ago and rely on outdated technology for storage and delivery. In some cases, not only is the application itself from years ago, but the underlying Windows OS can also be from years ago. This leads to applications needing to be supported across several OS versions. The need to deploy applications from various sources often demands the use of multiple, often highly complex, tools, which have a high technical barrier to entry. Very few people inside an organization are versed in the technology, and new staff members coming in may not be trained in or familiar with the technology being used.

How Nerdio Manager for Enterprise Helps with Application Management 

Nerdio aims to simplify this deployment landscape through the creation of the Unified Application Catalog. You can utilize this tool to horizontally search all linked repositories and identify the applications you want to deploy. You can prioritize applications for easier future access.

Microsoft aims to enhance the application management experience for Windows by introducing Winget, a built-in package manager. This new tool enables programmatic deployment, update, and removal of applications on Windows devices. Unified application management supports the deployment and removal of applications from the Winget Community repository and local private Winget repositories. Administrators may upload their line of business application installers (such as .MSI and .EXE packages) to local private repositories for deployment to AD-domain joined AVD hosts. Upcoming releases will add support for additional repository types and Azure Active Directory joined devices.


Once you select the required applications, you can deploy them to AVD host pools, enabling end-users using AVD desktops to access the necessary applications for their daily work. Simultaneously, IT Pros can regulate access to specific applications, including the version they grant access to. In the case of dedicated desktops, applications can be directed to individual users or groups. This feature provides robust filtering options for deployments. Additionally, future releases will include support for Intune-managed Windows 365 and Physical devices.

Figure 1: Screenshot of Nerdio Manager’s Unified Catalog screen. Here, we can see a list of applications that are stored across Microsoft’s public Winget repository and the customer’s one or more private Winget repositories. One unified view across multiple repositories.

Application Management Deployment Policies

Deployment policies allow for the ongoing deployment of applications to new and reimaged devices within the scope of the policy. When a new AVD desktop is created, it will be audited for compliance, and any missing applications automatically installed.  

In the below example, we can see two applications are targeted for installation to personal desktops across two host pools (TS-General-Dedicated and Power Users Personal). However, we have limited this scope to members of the Sales Department Group. Therefore, desktops across the selected host pools will only have the applications installed if their assigned user is a member of this group.  

Regular audits will assess compliance. If administrators add new users to the group, the application will automatically install on their desktops. You can also review the status of hosts targeted by a policy from the Detailed info page of the policy.

Conclusion

Nerdio Manager for Enterprise’s Unified Application Management (UAM) feature can help administrators simplify application deployment and auditing for AVD desktops. NME UAM will allow for further application management simplification in the future with the addition of physical and Windows 365 Cloud PC support.

Our objective is to enable the deployment of any Windows application to any Windows device, via a simple centralized catalog. We will be enhancing the functionality of the catalog in the future by adding support for additional repositories including Configuration Manager (SCCM), Intune, and the Microsoft Store.

The Unified Application Management beta is now available to all customers in Nerdio Manager for Enterprise. We encourage you to test the feature and would welcome suggestions and feedback. 

Azure Stack HCI – Why Wait? Explore On-Premises Azure Virtual Desktop (AVD) Benefits via Nerdio Today

“Are we able, or when will we be able, to run Azure Virtual Desktop (AVD) on-premises?”

Ever since Azure Virtual Desktop (AVD; still named Windows Virtual Desktop/WVD back then) went GA, this has been the hot question, and one top of mind for companies regardless of industry or location.

AVD enables companies to leverage the scalability and flexibility of the Microsoft Azure cloud, delivering (virtual) desktops and applications with just a few clicks in a secure and effective manner. Furthermore, AVD provides central management for administrators to manage desktops and applications across their organization, whether it be for a handful of users or thousands spread across the globe.

On-premises Azure Virtual Desktop

While running your workloads in the cloud has many advantages, sometimes companies prefer to keep their apps and desktops close to their users. Why? Minimizing latency, for example, is toward the top of the list. Being in control (or the feeling of) over the back-end infrastructure is another one. Cost optimization and moving part of the (infrastructure) costs to a CapEx model, also comes to mind. And of course, there are more.

Historically, running workloads on-premises has not been possible when using AVD, for reasons well known. Well, that is no longer the case. Microsoft has been hard at work to finalize their own hyper-converged infrastructure solution or ‘HCI’, named Azure Stack HCI, that integrates with AVD.

Azure Stack HCI

With Azure Stack HCI, Microsoft allows organizations to deploy and run their virtualized workloads on-premises while integrating with Azure cloud services, AVD being one of them. It combines storage, compute, and networking in a single certified hardware appliance. Today, almost all well-known hardware vendors are part of their program and companies have a variety of choice when it comes to choosing their preferred hardware vendor. Some of which they might already be or have been using throughout the years.

This also means that overall management has the same look and feel as they are used to when working with Microsoft Azure. Think of it as an extension.

Over the years, Nerdio has been helping thousands of companies globally to build out their cloud practice, manage, and optimize their AVD workloads. Using Nerdio, deployments and daily management tasks are greatly simplified, bringing down times from days / weeks to hours, or minutes even. We’ve seen cost reductions as high as 80% + when compared to using AVD natively, all due to our famous auto-scaling engines and other types of automation applied to both compute and storage. Well, I’m excited to say we are taking our work with Azure Stack HCI a step further.

Nerdio and Azure Stack HCI

Ever since we announced that Nerdio Manager for Enterprise would integrate with Azure Stack HCI, our phones haven’t stopped ringing. The interest is huge and today we have many customers already working with Nerdio combined with Azure Stack HCI and dozens more kicking the tires, as they say. And we don’t expect interest will slow down any time soon.

Needless to say, our team has been working non-stop to provide IT teams with the best of Nerdio combined with all the advantages that come with Microsoft’s latest Azure Stack HCI release. Our roadmap is quite impressive, if I do say so myself.

Using Azure Stack HCI combined with Nerdio, organizations create a hybrid cloud infrastructure that provides the scalability and flexibility of the cloud while keeping their data and applications on-premises, and they still get all the advantages of our powerful platform. Some of these include:

  • Simplified deployment and management of AVD and related services like FSLogix, monitoring, identity services, applications, and much more. Nerdio automates the deployment and management of your AVD infrastructure, while Azure Stack HCI simplifies on-premises infrastructure management.
  • Scale AVD workloads efficiently: With Azure Stack HCI, organizations can scale their VDI workloads to meet their business needs without having to rely on expensive hardware upgrades – easy and flexible.
  • Provide a consistent user experience: Nerdio ensures a consistent user experience across on-premises and cloud environments, allowing organizations to deliver AVD workloads from any location.
  • Reduce costs: By using a hybrid cloud infrastructure, organizations can take advantage of the cost savings of on-premises infrastructure while leveraging the scalability and flexibility of the cloud. Combine this with Nerdio’s powerful automation and scaling capabilities and you have a winning formula not found elsewhere.

We are excited about Azure Stack HCI’s capabilities, as are many of our customers, and we can’t wait to share what we have in store moving forward!

In our next post on Azure Stack HCI, you can check out exact details of what an average Nerdio / Azure Stack HCI setup might look like and explore use cases.

Unified Endpoint Management (UEM) & Nerdio Manager for Enterprise: A Functional Overview 

Unified Endpoint Management Common Use Cases

Endpoint management for Windows devices poses several challenges, especially in mixed estates, where administrators are responsible for managing physical desktops and laptops as well as Windows 365 Cloud PC and Azure Virtual Desktop resources. This often leads to overlap between different teams, with responsibility being shared or duplicated.  

Many organizations transitioned to Microsoft Intune for centralized orchestration and management of Windows devices. However, administrators may take time to develop the necessary skills, and delegating access to junior staff can be challenging in larger organizations. Consequently, senior and costly IT resources are often needed for endpoint management and support.

How Nerdio Helps Enterprise Organizations with Endpoint Management 

With Unified Endpoint Management (UEM), Nerdio Manager for Enterprise aims to simplify the assessment and management of Intune-enrolled devices, both physical and virtual. It provides a single, simple, intuitive console for administrators to review the status of their devices and perform management tasks such as updating Windows Defender for Endpoint definitions.

Devices with configuration issues are immediately obvious from the main console, allowing administrators to focus on and interrogate the device’s status. The Device Details button provides granular information on the device’s status laid out in a simple, logical manner. You can also perform standard device actions from the dropdown in the Device Details.

Unified Endpoint Device Details

The Device Details page enables IT Pros and tier 1 staff to troubleshoot end-user issues, providing deep insights and analytics. It is divided into logical tabs, offering detailed information on Intune applications, policies, and endpoint analytics. Additionally, it allows for the management of Azure Active Directory (AAD) group membership for the device and primary user, facilitating the assignment or removal of policies and applications at the group level.

You can interrogate Configuration profiles, Compliance policies, and Applications to discover their status. Additionally, you can assess the individual rules within the policy, swiftly identifying problematic settings.

Endpoint Role-Based Access Control

Unified Endpoint Manager provides granular Role Based Access Control for delegated permissions. You can create custom delegated roles using this powerful tool. The console instantly reflects the assigned information, features, and functions for administrators, improving productivity and reducing risk.

For instance, a configured role allows access only to Read Devices, Read Policies, and Manage Antivirus. The result is that administrators who have this role assigned see a restricted console, with no Application or Update status. The only management option for devices is the ability to update Windows Defender definitions.

Conclusion

Nerdio Manager for Enterprise’s console has been designed to simplify and enhance the administrative experience for all Windows devices. With UEM, Nerdio Manager provides a simple, focused management console for Intune-enrolled devices. UEM makes use of a dedicated service account for integration with Intune. This allows organizations to significantly reduce the administrative assignments required within the Azure console. This enhances the security posture and reduces the attack surface. Nerdio Manager for Enterprise logs all actions, which you can review from the Logs page.

With this new feature, Nerdio Manager provides significant enhancements for its physical and Windows 365 Cloud PC management scenarios.  

Azure Files Geo-redundancy for Standard File Shares with Large File Support in Public Preview

Microsoft this week announced public preview support for geo-redundancy on Azure Files standard file shares with large file shares enabled. Let’s look at what this is and how it could affect an AVD implementation with FSLogix. But first, some background information may be helpful.

Azure Files IOPS

To start, let’s talk about input/output operations per second, or IOPS. IOPS measures storage performance and represents the number of read and write operations available on a storage account. IOPS are important with FSLogix profiles. If the number of requested IOPS exceeds what’s available on the storage account, requests are throttled, and user experience will suffer.

An Azure Files standard account supports up to 1000 IOPS by default with options for geo-redundant storage (GRS), geo-zone redundant storage (GZRS), locally redundant storage (LRS), and zone-redundant storage (ZRS). Geo-redundant features of a storage account provide the option for replicating data to a second region, a good option for disaster recovery. However, 1000 IOPS is not sufficient to support FSLogix profiles.

Enabling large file shares can increase IOPS on an Azure Files standard storage account from 1000 to 20,000 IOPS, a significant performance enhancement. Enabling large file shares also increases the total throughput and capacity of the file share. The downside to enabling large file shares is that it’s only available with LRS and ZRS storage accounts. Geo-replicated storage accounts GRS and GZRS have not previously supported enabling large file shares.

That brings us back to the public preview feature that allows us to enable geo-redundancy for Azure Files standard storage accounts with large file shares enabled. With this preview feature, it is possible to get the advantages of large file shares, including 20,000 IOPS, 300 MiB/s of throughput, and up to 100 TiB of data on an Azure Files standard share as well as the ability to replicate data to a secondary region.

Highlights of New Azure Files Geo-redundancy Public Preview  

Let’s pull out a few highlights that go beyond the IOPS relevance and benefits from this week’s announcement.

Replication is asynchronous and snapshot-based.

With the preview feature enabled, a snapshot is taken every 15 minutes in the designated primary region and replicated to a secondary region. The most recent snapshot available in the secondary region is used in the event of a failover. The recovery point objective (RPO) for Azure Files standard with geo-replication is 15 minutes or longer, depending on the snapshot size and the geo-replication lag between the primary and secondary regions.

Azure Files with geo-replication supports customer-initiated failover.

This feature allows the customer to initiate a failover from the primary to the secondary location. For example, users can initiate a failover due to an availability issue in Azure, a configuration issue, or to test disaster recovery processes.  Customers are not dependent on Microsoft to initiate a failover.

Geo-replication for Azure Files standard file shares with large file shares is a significant change that provides an option for highly available file shares with FSLogix. However, in most scenarios, the recommendation is to use Azure Files premium with FSLogix due to IOPS support above 20,000. Currently, Azure Files premium does not support geo-redundant storage. FSLogix Cloud Cache may be a better option if an FSLogix implementation requires over 20,000 IOPS and replication to a secondary region.

Please get in touch with our team to learn more about Azure Virtual Desktop and FSLogix storage options or discuss any related initiatives!

5 Things MSPs Must Know about FSLogix  

Microsoft’s FSLogix is known for being a powerful profile management tool. It has many desirable features for managed service providers (MSPs) operating in Azure.  Launched in 2012 as a startup independent of Microsoft, FSLogix provided a tool to reduce the number of resources, time, and labor required to support virtual desktops. Because of the natural synergies with our mission, Nerdio has been a big fan of FSLogix since the beginning and closely kept an eye on the evolution of their product.  

And we weren’t the only ones! In 2018 Microsoft acquired the company. They noticed the value FSLogix brought to profile and application containerization and the company’s alignment with their own goals as it related to Azure Virtual Desktop (AVD), called Windows Virtual Desktop (WVD) at the time.  

Skip to today and we have seen the investments Microsoft has made into this technology, and into bringing it to the masses via AVD, pay off significantly. MSPs who have an Azure practice have come to rely on FSLogix to optimize their environments.

As Managed Service Providers (MSPs) navigate the intricacies of virtual desktop environments, understanding the transformative capabilities of FSLogix becomes crucial. This blog post serves as an indispensable resource, equipping MSPs with the essential knowledge needed to leverage FSLogix effectively. By exploring the core concepts, benefits, and practical implementation strategies of FSLogix, this article empowers MSPs to optimize performance, streamline management, and enhance user experiences. Whether you’re new to FSLogix or seeking to deepen your understanding, this comprehensive guide offers invaluable insights, best practices, and real-world examples to help MSPs harness the full potential of FSLogix and deliver exceptional virtual desktop solutions to their clients.

Below I outline the five key things your MSP should know when it comes to FSLogix and how you can use them to your advantage. 

1. A Premium Experience Requires Premium Storage 

We see a good deal of our MSP partners leveraging FSLogix alongside Azure Files, a popular solution for hosting files and folders, including user-profiles, on Microsoft Azure. Specifically, they are seeing great results with this combination when using the Premium storage tier because profiles are so read/write-intense. Azure Files Premium coupled with FSLogix maintains the best user experience by providing the highest IOPS and throughput for the disk.  

To further the above benefits while reducing storage costs, combine these technologies with the powerful auto-scaling capabilities available in Nerdio Manager. It helps MSPs eliminate common issues around over-provisioning or incorrectly guessing how much storage is needed by effectively turning the Premium tier into a pay-as-you-go model. 

2. How to Automate the Security and Access You Require  

Azure Virtual Desktop is a service that is constantly improving when it comes to identity and access management (IAM) and ensuring security at scale. Role-Based Access Control (RBAC) roles are available in AVD and Nerdio Manager, with the latter giving MSPs the ability to create custom RBAC roles. To ensure FSLogix supports your access policies, MSPs can automate setting the Azure Storage File Data SMB Share Contributor Role on the Azure Files profile share for all users within a Security Group.

This role is required to provide the needed Read/Write access for the profile share. You can read more about this role and others available via Microsoft’s documentation. By automating this setting, MSPs can consistently uphold zero trust principles whenever a new user or group is added.  
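One way to script the share-level role assignment described above, as an added example that is not Nerdio's or Microsoft's own code. It assumes the Az PowerShell module and an already authenticated session; every resource and group name is a placeholder parameter, and the built-in role appears in Azure as `Storage File Data SMB Share Contributor`.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example (not from the article): grants a security group share-level
# SMB access to an FSLogix profile share. All parameter values are placeholders
# supplied by the operator; run after Connect-AzAccount.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [Parameter(Mandatory)] [string] $ShareName,
    [Parameter(Mandatory)] [string] $GroupDisplayName
)

$ErrorActionPreference = 'Stop'
$roleName = 'Storage File Data SMB Share Contributor'

# Scope to the single profile share so the group gains nothing on other
# shares in the same storage account.
$accountScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
                "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"
$shareScope   = "$accountScope/fileServices/default/fileshares/$ShareName"

Set-AzContext -Subscription $SubscriptionId | Out-Null

# Display names are not unique in the directory, so refuse to guess.
$groups = @(Get-AzADGroup -DisplayName $GroupDisplayName)
if ($groups.Count -ne 1) {
    throw "Expected one group named '$GroupDisplayName', found $($groups.Count)."
}
$groupId = $groups[0].Id

# Get-AzRoleAssignment -Scope also returns assignments inherited from parent
# scopes (storage account, resource group, subscription).
$assignments = @(Get-AzRoleAssignment -Scope $shareScope |
    Where-Object { $_.RoleDefinitionName -eq $roleName })

$alreadyAssigned = $assignments |
    Where-Object { $_.ObjectId -eq $groupId -and $_.Scope -eq $shareScope }

if ($alreadyAssigned) {
    # Idempotent: safe to re-run whenever users or groups change.
    Write-Output "Group already holds '$roleName' on share '$ShareName'."
} else {
    New-AzRoleAssignment -ObjectId $groupId -RoleDefinitionName $roleName `
        -Scope $shareScope | Out-Null
    Write-Output "Assigned '$roleName' to '$GroupDisplayName' on share '$ShareName'."
}

# Audit: principals holding the same role at a broader scope than this share
# have read/write on the profile share without being in the intended group.
$assignments |
    Where-Object { $_.Scope -ne $shareScope } |
    Select-Object DisplayName, ObjectType, Scope
```

The role grants share-level access only; the NTFS permissions on the profile share still decide which folders each user can open.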

Pro Tip – Consider these best practices for NTFS Permissions on the profile share: 

3. Configure Outlook Cache to Avoid Overspending Real CASH 

One of the biggest benefits of FSLogix profiles is the ability to roam the user application caches, for example, Outlook mailbox data, and avoid constantly recreating it. Strategically defining individual cache settings allows MSPs to plan for growth and spending. What most MSPs don’t consider is that if left undefined, application caching can grow quickly and not all of it is crucial to your users’ experience.  

As an example, consider again a user’s Cached Exchange Mode settings. Is it wise to download all their mailbox if they only need “fast/local” access to the last three months’ worth of data?  

Most MSPs find that it is in their best interest to configure a Group Policy Setting to manage Cached Exchange Mode which will define the amount of a user’s profile dedicated to Mailbox content storage. We have seen MSP partners configure this setting for as little as three months and as much as one year. Knowing the details of this setting can allow you to strategically assume/plan for the amount of growth in a user’s profile. Read Microsoft’s documentation about planning and configuring for additional insights and recommendations.  

4. FSLogix Is More Than Just Profile Management  

FSLogix is a great way to create roaming user profiles in non-persistent computer environments like an AVD host pool with users logging into different hosts on what could be a daily basis. Profiles would no longer be dependent on an individual machine due to the added flexibility with FSLogix. This allows MSPs to provide customers dynamic environments with a consistent user experience.  

But FSLogix includes a suite of tools focused on much more than just profile containers. Skilled and advanced MSPs have found value in using FSLogix for roaming Office profiles and cache, and masking applications so only the right users can see and access them. And some also use it for the ability to manage Java versioning. 

5. Why Application Masking May Be Our Favorite Feature  

FSLogix includes some incredible tools to manage application restrictions within multi-user environments. If you only want a subset of users to have access to an application on a multi-session host, you can implement app masking to hide apps from users. Looking to make app masking and management easier? Learn more about how Nerdio Manager helps manage installed apps and rule sets using FSLogix.

I hope this has been an informative read on what is without a doubt one of the most helpful (but complex!) Azure Virtual Desktop-related technologies. To discuss FSLogix further or how your MSP can benefit from using or optimizing it, you can contact our team or join me at the Nerdio Partner Success Community.  

FSLogix Application Masking  

As a Nerdio partner, you get a standing invitation to our Monthly Partner Webinar. We use these 45-minute sessions to dive into the Azure, AVD and Windows 365 topics and tips most important to MSPs and their technical staff.  

In fact, our June webinar was entirely dedicated to FSLogix – a technology that has many benefits but is a bit complex to learn and master. One of the favorite things partners learned about from that session was the ability to perform application masking with FSLogix.  

For those seeking to enhance security and streamline user experiences in virtual desktop environments, FSLogix Application Masking is a powerful solution worth exploring. This blog post serves as an insightful resource, offering a comprehensive overview of FSLogix Application Masking and its role in controlling application access within virtual desktop infrastructures. As MSPs and IT professionals navigate the complexities of application management, understanding how FSLogix Application Masking works and its practical implementation becomes essential. By examining its functionalities, benefits, and best practices, this article empowers readers with the knowledge needed to leverage FSLogix Application Masking for enhanced security, improved performance, and simplified application access management.

Here we break it down in detail in addition to an overview of how MSPs can deliver it in their clients’ Azure environments.  

What Is Application Masking? 

Application masking is used to manage user access of installed applications. Within a shared AVD computing environment, this can amount to upwards of 80-100 applications. And we know not all users need access to the apps technically available to them.  

Desktop images with lots of apps typically feed one or two host pools. Without a tool like app masking, there’s a somewhat common practice of putting all apps on an image regardless of who could use them. Let’s face it, in today’s busy business climate there are not likely too many of your clients’ employees and contractors with extra time to poke around the environment aimlessly – so it’s not a horrible action to take as an overworked IT pro.  

But let’s talk through how not using app masking could negatively impact your organization. If an employee launches something they’re not supposed to, they could trigger a license issue or take a license out of the available pool and away from a user who needs it to do their job. This could lead to additional licensing fees or issues. Additionally, employees who do not need the app but come across it or are curious about its use, could create demand (or just the appearance of it) for applications they don’t really need. This could unintentionally lead to your clients’ organizations spending money on applications or licenses they do not need.   

How Do MSPs Deliver App Masking with FSLogix?  

Via FSLogix Rules Editor, these are the actions to take per each application you are looking to mask:  

1. Create a rule set  

  • Open FSLogix Rules Editor  
  • Click “File, New”  
  • Create new Rule Set and name it  
  • Choose the application you want to manage 
  • Scan to detect the application settings  
  • Some of this functionality is built in to app masking, and you could also configure these settings manually

2. Assign the rule set  

  • Click “File” then “Manage Assignments”  
  • Click “Add” 
  • Configure the assignment  
  • Determine the “Apply” or “Not Apply” status 

3. Deploy the rule set 

  • Copy over FXA and FXR files
  • Must be on all hosts and client machines  

As (almost) always, there is an easier way to do this through Nerdio Manager for MSP 😊 Watch the below clip to learn how you can automate application masking with FSLogix:  

Looking for more FSLogix content? Check out my blog, ‘5 Things MSPs Must Know about FSLogix.’ And don’t forget to register for our next Monthly Partner Webinar for MSPs happening Wednesday, August 31 at 2pm CST!  

FSLogix Anatomy + Common Issues: Storage, App, Profile Container 

Here at Nerdio, we’ve been entrenched in Azure Virtual Desktop (AVD) since the very beginning, which means we’re chock-full of knowledge about Microsoft’s recommended profile solution for AVD: FSLogix.   

FSLogix may be new to many MSPs who haven’t worked with Azure or AVD, so we’re always compiling tips and helpful ways to train MSPs on what FSLogix is and how to troubleshoot it.  The best route for training we’ve found with FSLogix is to start with breaking down its anatomy and the related common troubleshooting issues for each component.  

For those seeking a deeper understanding of FSLogix and its impact on virtual desktop environments, this blog post serves as an essential resource. In this comprehensive guide, we will explore the intricacies of FSLogix and shed light on its crucial role in addressing common challenges associated with storage, application management, and profile containers. As MSPs and IT professionals navigate the complexities of virtual desktop infrastructure, gaining insight into FSLogix’s functionality and its potential solutions to prevalent issues becomes paramount. By examining its anatomy and delving into practical strategies, this article empowers readers with the knowledge needed to harness the full potential of FSLogix, enhance performance, and streamline user experiences.

What is FSLogix? 

FSLogix is a robust profile solution for non-persistent desktops (like AVD hosts). It is Microsoft’s recommended profile solution for AVD and moves MSPs away from “roaming” profiles to a profile that is mounted and feels like a local profile.   If you’ve worked with User Profile Disks (UPDs), you’ll feel right at home with FSLogix. 

3 Moving Parts 

FSLogix’s name may be more intimidating than what is really under the hood. There are essentially three pieces at its core.  

Storage 

Most users decide to use one of two FSLogix storage options: either a file server VM (virtual machine) or Azure Files. A file server VM requires the user to manage the underlying server object, and it needs to be in the same region as the host. Azure Files uses Azure Storage, which is an IaaS (Infrastructure-as-a-Service) service, so the underlying assets don’t need to be manually managed. Using premium storage is recommended for both a file server VM and Azure Files. Learn more about these options in this video.  

You’ll find when adding an account in Nerdio Manager for MSP that you are required to either establish a new FSLogix storage path or point to an existing one. This Server Message Block (SMB) share is where the FSLogix profile containers will be stored. Permissions are critical to this share and are the most common support request we see with FSLogix. You can find more information about FSLogix permissions in Microsoft’s documentation.

The performance of your storage is a major player in FSLogix performance. Slow login times are a common symptom of under-performing storage. If Azure Files is used for this storage, we always recommend using premium storage and perhaps auto-scaling your Azure Files storage to optimize throughput during working hours. Nerdio Manager for MSP has a great feature for Auto-Scaling Azure Files. This scaling feature can also ensure there is adequate available space as your FSLogix storage grows. One last word of caution on the storage front – you must back up your FSLogix storage! It is essential as it stores user profile data.

FSLogix Application 

The second piece of the FSLogix puzzle is the application. We rarely see a support issue related to the FSLogix application itself and more often we’ll see a misconfiguration of the FSLogix settings. The FSLogix app is only required on a session host (AVD host) that users are logging into. It is not required on the user’s storage device, image or anywhere else they would not be logging in.   

The biggest things we see MSPs struggle with related to the application are updating the registry settings and keeping the application updated to the latest version.  

Registry settings for the FSLogix application are used to provide FSLogix settings and point FSLogix to your storage location.  Nerdio Manager for MSP allows you to store these settings in an FSLogix Configuration profile under Settings>Integrations for your customer accounts.   

Nerdio can then install FSLogix (latest GA version) with your settings upon AVD host creation, taking the worry out of keeping FSLogix updated and retaining your settings via our automation.  Combine this with Auto-healing features available for Auto-scale (Including FSLogix health checks) and the application piece of FSLogix is no sweat.   

Profile Container 

Yes, this is all leading up to the user profile, I promise!  With storage established and FSLogix running on the AVD host, all you need now is users.    

Upon a user’s first login, a profile container will be created in the designated storage location. The user’s profile will be a VHDX or VHD file depending on the settings configured (with VHDX being preferred). By default, this will include the user’s entire profile. Think of everything that would be in a user’s C:\Users\<username> folder; all of it will be stored in their FSLogix profile container.

 When a user logs in, the FSLogix app will go to the storage location and mount that user’s profile container to the AVD host.  When the user logs off, this is dismounted from that host.  This gives a user the ability to potentially login to a new host with each login but feel as though they’re logging into their same desktop each day. This also gives the opportunity to scale-in (remove) AVD hosts, reimage, delete and move users to a different pool without losing their data and settings.   

Common support issues we’ll see related to profile containers include the following: 

  • Profile locked due to the file being in use
  • Profile (VHD/VHDX) reached FSLogix’s default 30GB maximum size
      • Symptoms are “full disk” errors, unable to receive new mail in Outlook
      • FSLogix has a 30GB default size limit for containers. This can be expanded via registry setting
  • Profile corruption
      • If the VHD/VHDX file were to be corrupted, FSLogix may rename the file with a “CORRUPT” in the file name.
      • May be resolved by restoring a backup of the VHD/VHDX from a known working date

FSLogix is a great solution to use alongside Azure Virtual Desktop, but it can be a complex tool. Here at Nerdio, we can help you learn how to use it. Read our blog on ‘5 Things MSPs Must Know about FSLogix’ for additional insights or contact us to discuss your MSP’s unique needs.

FSLogix Profile Containers in Azure Virtual Desktop (AVD): Here’s What You Need to Know

A common question we get from Managed Service Providers (MSPs) is about the way FSLogix profiles are configured and how they work with Azure Virtual Desktop (AVD).  In this article, I’ll provide a technical overview of the technology.  This is a 200-level technical article.

First, you can find everything there is to know about FSLogix here. This is an extensive documentation repository but can be overwhelming at first glance.  I’ll try to distill the relevant information here.

What is FSLogix Profile Container technology and why should it be used?

There are actually 4 FSLogix products:

  1. Profile Container
  2. Office Container
  3. Application Masking
  4. Java Version Control

Here, we will focus on #1 only – Profile Container (PC).  Office Container benefits are automatically included in the Profile Container product, so we won’t discuss Office Container at all.  Application Masking and Java Version Control are interesting technologies that we’ll explore in future articles.

In a nutshell, Profile Container redirects a user’s profile (what’s typically stored in C:\Users) to a VHD file on a file share.  This allows a user to log into a different desktop VM each time they connect and still have access to the same user profile settings since the profile container is mounted under C:\Users whenever a user logs in. 

This functionality is what enables users to be assigned to session host pools with multiple VMs and still have a consistent user experience when they get redirected to a different VM each time by the AVD connection broker.

How is FSLogix Profile Container enabled?

Profile Container (PC) is enabled via a simple registry entry in HKLM\SOFTWARE\FSLogix\Profiles after it is downloaded and installed.  Here you enable the Profile Container and point it at a UNC of a file share location where the profile VHD file will be created when users log in.

Nerdio Note:

FSLogix Profile Container is enabled by default on the Nerdio configured AVD Windows 10 multi-session template VM.  The profile location is set to \\FS01\Profiles\%Username%.

Also, there is an XML file in the \\FS01\Profiles location that excludes the Desktop and Documents folders from being included in the FSLogix PC.  Instead, these folders are redirected to the \\FS01\Users\%username% folder using Group Policy.  This reduces the size of the FSLogix VHD file and enables IT administrators to centrally back up and manage users’ personal data.

That’s all it takes to enable FSLogix Profile Container.

What happens when a user logs in?

When a user logs into a desktop VM where FSLogix PC is enabled, the system first checks for the presence of a local profile for the user.  If a local profile exists (e.g. a folder is present in c:\users and registry entry for the local profile exists in ProfileList key), then FSLogix PC skips the process of creating or connecting to a network profile specified by the registry entry mentioned above.

If no local profile exists, PC tries to connect to the UNC location specified in the registry and connect to a profile that already exists or will create a new one.  The user must have Modify permissions to the profile folder on the file share.  If the PC cannot mount or create a profile, it will default to using a local profile if one exists or create a new one if it does not.  In this situation, all user personalization settings will be stored in c:\users and will be lost once the user logs into another desktop VM in the future.

Nerdio Note:

To avoid a situation where a local profile that already exists on a desktop VM prevents the creation of a network-based profile, the Nerdio golden image includes an entry that will automatically delete the local profile and create a VHD one in the file share.

The registry entry is DeleteLocalProfileWhenVHDShouldApply and it is set to value of 1.

How can you tell if the Profile Container redirection is working?

There are a few ways to do this:

  1. Look in C:\Users and see if there is a folder called “Local_username”. The presence of this folder with a recent modified date indicates that profile container redirection to a file share is working.
  2. Look in the file share for the VHD file and note its modified date. If it is current, then redirection is likely working.
  3. If the user account has local administrator rights on the desktop VM, check the disk configuration Windows utility. You’ll see a virtual mapped drive listed.

What can you do if Profile Container redirection is not working?

If you notice that profile redirection isn’t working, verify the following:

  1. Profile Container operation can be controlled with local security groups that can be used to include or exclude users or groups from having their profiles redirected. Use Computer Management>Local Users and Groups to verify that the user (or a group that includes the user) is not excluded from PC.
  2. Make sure that there is not a local copy of the profile already on the desktop preventing PC from turning on. If there is, either delete the local profile or use the DeleteLocalProfileWhenVHDShouldApply registry key to have FSLogix PC do this for you automatically on the next login.
  3. Make sure the user can access the UNC file path where FSLogix PC is expecting to create the profile VHD file. Make sure that the path is correct and browsable and that the user can create and delete items inside of the file share.  If not, troubleshoot share access or NTFS permissions.
  4. In Event Viewer, find the FSLogix Apps operation log and look for the entry that shows whether the profile mount worked. If the exit code is not 0, look up the code here.
  5. Once you’ve verified 1-4 above, see if the user may be logged in to another session host desktop VM and the VHD file on the file share is locked by that session. You can log into the file server and check Computer Management>Open files for more information.  If the profile container VHD file is locked, close the file handle and log in again.

Additional recommendations for FSLogix Profile Container

FSLogix Profile Container requires little configuration to enable and fails over gracefully from a redirected profile to a local profile.  Unfortunately, this can create a situation in which a user may not be aware that their settings aren’t being saved on the file share and are going to be discarded because they are saved locally.  To avoid this situation, it may be advisable to prevent users whose profiles cannot be redirected from logging in and using the system with local profiles.  To do so, the following two registry entries can be added on the desktop VMs and set to a value of 1.

  • PreventLoginWithFailure
  • PreventLoginWithTempProfile

Azure Virtual Desktop: More Information

As Managed Service Providers (MSPs) adapt to the ever-evolving landscape of virtual desktop infrastructure, understanding the potential of Azure Virtual Desktop (AVD) becomes crucial. This blog post serves as a comprehensive resource, introducing MSPs to the myriad benefits of AVD and its implications for optimizing virtual desktop experiences. By delving into the core features and capabilities of AVD, we aim to equip readers with the knowledge needed to harness its power for their clients. Whether you’re a seasoned professional or new to AVD, this guide will provide invaluable insights, practical tips, and best practices to unlock the full potential of Azure Virtual Desktop in your MSP offerings.

Read more on Azure Virtual Desktop and how to work with Nerdio

Putting it all together

Here is the recommended configuration of FSLogix on host pool template VM in the Nerdio environment.

At Nerdio, our mission is to empower MSPs to build successful cloud practices in Microsoft Azure with technology and knowledge.  Nerdio for Azure simplifies and automates the deployment, pricing, management, and cost-optimization of AVD environments in Azure, and our educational content is custom-tailored for MSPs to help them succeed with Azure and partner with Microsoft.

What Does Windows 365 Cloud PC Mean for MSPs? Here’s What You Need to Know


If you are reading this, you are probably aware of Satya Nadella’s keynote speech at Microsoft Inspire on July 14th, 2021, where he announced Windows 365 Cloud PC. To read the detailed technical overview of the product, visit Microsoft Windows 365: Introducing a New Product to End-user Computing and Windows 365 vs. Azure Virtual Desktop (AVD) – Comparing Two DaaS Products.

What is Windows 365 in a nutshell? It’s Microsoft’s Desktop-as-a-Service (DaaS) solution made to be sold in a SKU-based fashion. It’s an individual persistent desktop offering in a few canned sizes running in Azure. Just like Microsoft launched Office 365 almost a decade ago, which came to replace all Exchange servers running on-premises, Windows 365 is meant to replace all fat client desktops as we know them.

I know what you’re thinking…here we go again; Microsoft is coming after MSPs by selling PCs directly to customers. So, where does that leave the business of managing desktops, networks, and servers for your customers? Instead of fearing the change that Windows 365 cloud PC is going to make, I would look at it as a huge opportunity – just like M365 provided a huge opportunity for MSPs to provide management services around security, consulting services, and project labor to get clients migrated to it. Every year, VDI vendors like to say, “this year is the year of VDI”, but now may be that time.  Microsoft has just made VDI mainstream with this announcement. Offering a true apples-to-apples offering to compete with AWS Workspaces and making it easy enough that anyone, regardless of their technical capabilities (or lack thereof), can purchase a virtual desktop from their Microsoft 365 admin account.

Windows 365 Cloud PC represents a paradigm shift in the way businesses and individuals access and interact with their desktop environments. This innovative solution leverages the power of the cloud to deliver a secure, scalable, and fully managed Windows experience to users, enabling them to access their personalized desktop and applications from any device with internet connectivity. We will explore the potential advantages of Windows 365 Cloud PC for MSPs, including simplified management, enhanced security, and improved flexibility for their clients.

As an MSP, understanding the deployment considerations and optimizing your service offerings are crucial for success. We will delve into the various deployment options available, from fully cloud-based to hybrid approaches, and examine how they align with different customer requirements. We will also explore how Windows 365 Cloud PC opens up new opportunities for MSPs to deliver value-added services such as performance optimization, security enhancements, and proactive monitoring.

Where is the MSP Opportunity?

As an MSP offering services to customers, there is tremendous opportunity over the next decade to transition and leap into the world of providing virtual desktop services. Windows 365 is built on top of the Azure Virtual Desktop (formerly Windows Virtual Desktop) stack running exclusively on Microsoft Azure. If you have a cloud practice around VDI, you are in a good position to take advantage of this free marketing that Microsoft will generate with this new service. If you are not yet considering offering VDI services, it is not too late to start. If you are not currently offering VDI services, start now. Do not get caught not knowing anything about the subject and worst of all, not leading with VDI as part of your service offering.

Windows 365 is meant to be easy to purchase and procure but it is still NOT the lowest cost solution when it comes to offering a virtual desktop solution to customers. Since it’s built on top of the Azure Virtual Desktop (AVD) stack of technologies, AVD, if built optimally, is still more economical than the MSRP of Windows 365. This means that MSPs who take the approach to offer VDI strategically can leverage native Azure Virtual Desktop and come in at a price much lower than your competitors who are just plain reselling Windows 365 as a SKU with the standard distribution discount.

Windows 365 will come in two flavors: a Microsoft Endpoint Manager (MEM) managed version (Enterprise) and a standalone self-managed version (Business). Most MSPs will gravitate towards the Enterprise version of Windows 365 since it is more flexible and can be tied in with the rest of their existing Azure infrastructure. For those not familiar with Microsoft Endpoint Manager, MEM is a rebrand of two existing products coming together: Microsoft Intune + SCCM = Microsoft Endpoint Manager. Endpoint Manager will be a skillset MSPs will need to acquire rather quickly, as it is a model that gives the MSP the opportunity to manage the customer’s entire environment (virtual and physical) without using legacy RMM.

Less mature MSPs may be content with the Business version of Windows 365 and continue using legacy RMM tools to manage those customers’ Cloud PCs. Use cases for Windows 365 Business may be limited since it lacks basic network management. The opportunity for MSPs is to leverage Microsoft Endpoint Manager and offer policy, compliance, and security management, as well as consulting around the M365 stack.

From our speculation, since Windows 365 hasn’t been released into General Availability yet, the AVD pooled model will likely come in substantially lower than its new Windows 365 cousin, especially when leveraging auto-scaling.

What about Hardware?

Of course, endpoint hardware is still going to be required to access Windows 365. You’ll see VDI specialized hardware become mainstream. Vendors like 10Zig, IGEL, and nComputing, who have all created a business around providing thin and zero clients for VDI brokers and have strategically aligned themselves with AVD since launch, will now play in the big leagues, as they had an early start with AVD. In a way, big box vendors will need to change their messaging to catch up. The opportunity here is for MSPs to provide hardware-as-a-service. Thin and zero client physical endpoints should cost less than your average PC and typically will last longer than your average PC lifecycle. Many MSPs will start bundling in Windows 365 and pair it with hardware to be sold as a monthly package. If hardware breaks, it simply gets replaced and drop-shipped directly to the client, reducing a lot of onsite visits for hands-on repair.

Nearly a decade ago, MSPs were unsure of Microsoft’s direction with Office 365. Many saw Microsoft coming after the livelihoods of MSPs. Where would the revenue come from if we don’t have our clients’ Exchange Servers to manage? Now, it’s not even a question to consider when deciding whether to migrate a customer to M365 or not. Microsoft is here again to break the status quo. The PC chip shortage may be a temporary issue, but this is just one small reason why everyone should pay attention to Windows 365 Cloud PC. It will open many doors for partners all around the world.

MSPs who already have a practice around Azure Virtual Desktop should also be very excited about this news since this legitimizes going to market with your existing AVD solution. AVD is still the lowest cost and most flexible solution available. Windows 365 will be free marketing for your existing offering; however, this will wake up a lot of your competition as well, as they’ll likely start jumping onto this bandwagon.

We are here to say take advantage of the momentum of this announcement. Train your sales and technical teams to be prepared to sell and offer these services on day one! The VDI revolution has begun, for real this time. Unlike other public preview offerings from Microsoft Azure, Windows 365 will not be able to be trialed until early August. Take this small Window to learn about how Nerdio can help you start, grow, and enhance your Azure cloud practice with support for Azure Virtual Desktop and Windows 365 on day 1.

Nerdio has been working with Microsoft engineering in shaping Windows 365 for well over a year before its launch, and we are the trailblazers in the Azure space for MSPs.  Nerdio is the easy button for Azure, Azure Virtual Desktop, and Windows 365 Cloud PC. If you’ve looked at Nerdio in the past, I urge you to look again! Contact us to get a 1-on-1 demo of our newest product, Nerdio Manager for MSP.
