26]# .\frx.exe add-rule ?
frx add-rule -redirect -src-parent C:\Windows -src=test.ini -dest-parent __USER_PROFILE_PATH__ -dest test.ini
frx add-rule -hide -src-parent C:\Windows
frx add-rule -hide -src-parent \Registry\User\*\Software -src MySoftware
frx add-rule -specific-data -src-parent \Registry\Machine\Software -src Value -datatype DWORD -data 42000000
frx add-rule -vhd-attach -src-parent C:\MyVolFolder -dest C:\VHDs\mydisk.vhd
All the options for the command line are specified in the Automation chapter below
Let´s be creative
I have installed FSLogix Apps on one RDSH server with the following applications installed:
- Microsoft Project 2016
- Adobe Reader DC
- Mozilla Firefox
- Foxit Reader
I have two users that launch a desktop session each on the same RDSH server.
User “TestA” is not allowed to use Microsoft Project 2016, Mozilla Firefox and Foxit Reader. He has a text file on his desktop that should be launched from the local system. “TestA” is also allowed to use Profile Containers.
You can see that the text file located in “C:\Users\Public\Desktop” is opened locally and that the user is allowed to start Adobe Reader DC. Microsoft Project 2016 is not available.
User “TestB” is allowed to launch Microsoft Project 2016 and is not allowed to use Adobe Reader DC. He has the exact same textfile on his desktop that is redirected to a file located on a file server. “TestB” is configured to use a Roaming Profile.
You can see in this example that the file located in C:\Users\Public\Desktop is opened from the file server although the details show something different. You can also see that Microsoft Project 2016 can be used by this user and that he openes PDF documents with Foxit Reader instead of Adobe Reader DC.
This is a very simple example to give you an idea how rules work and what can be done with them. Let´s look at another feature…
Attaching VHDs to specific folders
In order to have a sleak and thin base image you can attach VHD or VHDX files from other locations to folders on your systems. Let me show you how.
I will attach a VHD with system tools to a folder on my RDSH server under the following path: “C:\tools”. The VHD is located on my file server.
This is the rule I will apply it to the system:
Now watch what happens after applying it:
This is so freakin´ simple and we haven´t even begun to be creative with that stuff.
I really love automation and I love to be able to create configurations by writing scripts. If you want to have a baseline configuration of certain systems you could create a script that automatically creates the rules. This could look like this:
.\frx.exe add-rule -hide -src-parent="C:\" -src="Personality.ini"
.\frx.exe add-rule -hide -src-parent="C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools"
.\frx.exe add-rule -hide -src-parent="C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight\"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows System\"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Accessories\"
.\frx.exe add-rule -hide -src-parent="C:\temp"
Look at the further Parameters we have here. We could attach VHDs wherever we want, hide certain Printers or redirect files and folders.
[Rule Type] Only one of the following rule types may be specified
-hide Hiding rule
-redirect Redirection rule
-vhd-attach VHD auto-attach rule
-printer Printer hiding rule
-specific-data Returns specific data for a registry value
-src-parent Parent directory/key or printer to which the rule applies
-src *File or value name
-dest-parent *Destination directory or key (redirection rules only)
-dest *Destination file or value (redirection rules only)
-no-copy *Creates a blank copy of the item upon redirection if it does not exist (default is to copy the source item)
-volatile *Volatile rule that will not persist across a machine reboot
-datatype *Type of specific data to return (SZ, DWORD)
-data *Hexadecimal representation of data to return
* Optional parameters
Special Variables (usable in -dest-parent/-dest parameters):
__USER_SID__ User's SID
__USER_NAME__ User's username
__USER_PROFILE_PATH__ Path to users profile
If you do it this way you should be aware of the fact that no rule in the Rules folder is created. You will find these rules in the CompiledRules folder and as _DefaultRules.fxc file:
A deeper look into the file reveals the details. If you like you can edit the file directly.
Because the FXR and FXA files are simple text files we could also create them with a script without the need of using the RuleEditors. But you should be very careful with that. Today there is no documentation about the HEX values in the config files. I might try to document them if I find the time to test them and to be sure that they work.
This is it for a first look. I hope it was interesting and usefull for you. Now we will switch to the Profile Containers.
In order to get Profile Containers up and running you need to change a few things on your target system.
First of all you should have a look at your local security groups. There should be two groups after the installation of the FSLogix components:
- FSLogix Profile Exclude List
- FSLogix Profile Include List
The Include List has “Everyone” as member. If you don´t want this you need to remove the Everyone-group and insert whoever you want to have user Profile Containers enabled. I would suggest adding the users via Group Policy to have a standardized way for all your systems in your environment.
You need to configure the Profile Containers Path in the registry. Add the Key “VHDLocations” as REG_MULTI_SZ with a minimum of one Path under the following path “HKLM\SOFTWARE\FSLogix\Profiles”. If there is no path inserted or the key is missing it won´t work.
There are some other optional keys you can set to configure the Profile Containers:
VHDLocations as REG_MULTI_SZ
(\\server\share\Profiles). Local paths must be in drive letter format (C:\Profiles).
VolumeType as REG_SZ
(optional) Type of container to use, VHD or VHDX – If not specified, default is VHD. Note that VHDX format is only supported on Windows 8 or Server 2012 (or later).
VHDXSectorSize as REG_DWORD
(optional) Sector size, 0 or 4096 (0x1000) – If not specified, default is 0 which simply triggers the container default.
SizeInMBs as REG_DWORD
(optional) Size in MBs for new containers. If not specified, default is 30000 (30 GBs). Pay attention to Decimal vs Hex when specifying the number.
IsDynamic as REG_DWORD
(optional) 0 indicates Full Allocation, and 1 indicates Dynamic. Full Allocation means that the VHD file is immediately sized to the specified size of the disk. Dynamic Allocation means that the file is resized as new space is required. Full Allocation is slower at creation time, but produces better performance when writes happen since the entire space is already allocated. Dynamic is faster at creation time but may result in some latency as the file is resized accordingly.
If everything is fine you will see a Profile Container in the configured path.
If you want to migrate your existing profiles to Profile Containers you can use the command line:
[18:47:28][C:\Program Files\FSLogix\Apps[/fusion_text][fusion_text]25]# .\frx.exe copy-profile
Copies the specified user profile into a VHD or VHDX.
If the VHD or VHDX file does not exist, it will be created.
By default the VHD or VHDX will be 30 GBs and sized dynamically.
-filename Specifies the path to the VHD or VHDX file
-username 'username' or 'domain\username'
-sid Can be used instead of username to identify the profile
-size-mbs *Size in number of MBs for new VHD/VHDX
-vhdx-sector-size *VHDX sector size
-dynamic *Set to 1 if VHD should be dynamic, 0 for full allocation
-src-parent *Path to the parent VHD(X) file for differencing disks
-verbose *Enables verbose output
-profile-path *Specify the profile path
-label *Disk volume label (default is Profile)
* Optional parameters
frx copy-profile -filename C:\Profile.vhd -username DOMAIN\USERNAME
A Profile Container will only be created if there is no existing user profile for the user on the system the user logs on to. Otherwise no Profile Container will be created. In this case look at the command line above.
And you must be aware of the fact that the Profile Container can only be accessed from one location at a time. If you start applications from multiple RDSH servers you won´t be able to access the Profile Container from the second machine.
From the field
A few words about rule assignments. In a XenApp or XenDesktop environment you typically create a domain local group for the resource assignment (e.g. Published application). A domain local group is used to integrate the users and this group is nested into the resource group.
I suggest you use the same resource group for the Published Applications and the Rule Assignment in FSLogix. This makes administration easy and you can implement a clean process.
As long as you have programs that are easy to scan with the RuleEditor everything is easy. Things are getting harder when you have to take care of FTAs or you want to install different versions of the same applications side-by-side. If you are a geek and are aware of that then you shouldn´t have any problems. If you don´t have deeper operating system knowledge you might get stuck here and there. And don´t hide important operating system files. Be aware of the fact that rules are created for everyone as long as you don’t change this with an assignment. You might create a system that is not working anymore.
The overall experience is great and most problems you might have are very simple to solve. Look at me, I could solve some access and redirection scenarios on my own ;-).
All information without warranty.
I love to hear from your experiences with FSLogix and if you achieved a major hack with it I would be glad if you would share it. If someone knows what “enable-shnot” does, let me know. I couldn’t find anything in the documentation. Thanks!