Just as a note for those cost conscious companies - Premium File Shares will charge you based on your provisioned capacity, regardless if you are using the storage. In your example of 3TB, you are paying for 3TB from day 1, even if you have 100 users with 10GB profiles at the start consuming ~1TB. I like to put in storage alerts to expand the provisioned capacity, or leverage Nerdios dynamically scaling storage if it's in-place. Great video! The ODFC was something I thought I knew, but I learnt something for sure.
Keep in mind that the provisioned size of a premium file share directly impacts its performance. So there is a performance benefit to over-provisioning the share.
Yes there can be, but if you over provision for performance and try to shrink to save cost…you’re in for a shock. You can decrease the size of the share when ever you want, but the cost only goes DOWN once every 24 hours. 🤕
You have no idea how many of the co-workers I work with and clients I do FSL or FS migrations for don't understand share/ntfs permissions lol. Nice you showed this with authenticated users vs everyone
Thank you for the video Dean and starting the discussion. Avoiding unnecessary high Azure backup costs can be a good reason to use ODFC so we can separate the Office cache from the User profile containers. Correct?
No ODFC is the general best practice in AVD. The cost of Azure Backup can also be limited by not using the ODFC, for the reasons I talked about...AND using redirections to keep the big cache items out of the profile. Most everything else in ODFC is small...try it out and see the difference for yourself!
Thank you Dean for providing the valuable info. I have setup the FSLogix with Active directory integration with File Share Azure Storage account. I'm facing the profile size of vhdx size increasing day by day. Kindly advise on fix required.
I'm sorry, but have you tried the difference between outlook in online mode and offline mode? Thinking it's just as fast running it in online mode in AVD is simply not true. While its definately faster in AVD than on-prem, it's still snail slow compared to a file backed cahed mode outlook. So the whole point about the office container being a mistake, is really not valid, not to mention you don't really mention any benefits to not using it? While having it makes cleaning up and resetting user profile more versatile/faster/better.
its not a mistake...but in MOST cases in AVD. it should not be used. This is NOT my opinion...but the product team who invented it...its stated in the docs because most people, most of the time in AVD do not need it, and should not use it. The benefits of NOT using it were talked about several times...did you watch the whole video? I even had a whole section on why you may want to use it! from 02:17 - 03:20
@@AzureAcademy I guess I'm a bit far, or maybe just don't consider your mistake as a mistake. I couldn't remember you mentioning a single problem with the office container, only facts about why it might not be necessary for everyone. But again if it's not a mistake maybe it shouldn't be listed a mistake #1 🙂
@@AzureAcademy Yeah I have to agree with Jonas, Just because the developer mentioned it does not make it true in the real world. We tried this is the past and the amount of raised help desk calls around slow Outlook at caused us to roll back. I showed this video to our MS partner; most deployments still use both.
The mistake is using it in AVD. The issue is that it takes more management, complexity and cost for no real benefit for most use cases. BUT if you have 1 of the reasons I called out, which are included in the docs, it’s ok to use it. It’s just going to be more work than benefit to most customers
It is true that developers do not always align with the real world. But FSLogix has been around a long time, much longer than AVD. So a lot of those partners learned it way back when. So I’m not surprised they still use it. Just saying that in general, for most situations in AVD the ODFC does not bring more benefits, just overhead, complexity and cost. However, like I said in the video, there are a few edge cases that make sense
It is true that you need good disks which is why I suggest premium disks on all pooled session hosts. Also your FSLogix file share needs to have good performance…as well as enough CPU and RAM…it all works together
Hello Dean, Thank you for this video. Regarding the last part for the Antivirus exclusions, we are already doing this with a third party AV (SentinelOne). I noticed on the screenshare you also added it on the GPO for Defender. Is that only necessary in the instances that you are using Defender Endpoint as the primary AV, or should we make sure to put that in place regardless if there is a third party AV in place ?
Just on AV scanning, how do you recommend the profile containers get scanned outside of the real-time logon? So say weekly at the weekend to make sure there are no nasties stored in the user's profile?
depends on the AV software you have and if it can scan the file share directly...if it can't, then you need to mount the profile disks to a VM and scan them. if you must go this way...do it during off hours or a maintenance window
Great vid as usual! I have one question on the exceptions path part. I noticed that in the screenshots you showed the “value” being the path to exclude, while we’ve got the “value name” as the path and the value set to zero? Should we have it reversed where the value is the path and value name is something random? Thanks!
Thanks Dean for the great video. However I have a small question: At 1:44 you mentioned that all of the office cache data lives in user profile anyways so you are not giving anything up. I believe you mean if we just create profile container and disable ODFC container we will still be caching office into the profile container, just that we will not have a different ODFC container. If this is correct then is it correct to assume that the OST will be created in the profile container? If yes then why we would do that as it would for sure increase the profile container size/cost?
That is correct. If you allow OST to be created YES it will then be in the profile container. An option could be to not you have to cache so much email in your OST. Another choice is to use the redirections.xml so it’s not in your profile either
@@AzureAcademy I think you mean have a group policy or use redirection.xml to completely remove caching of OST or decrease the number of days of caching
Is cached mode policy setting still required/recommended when not using O365 containers in AVD? Migrating from RDS Farm to AVD and curious if online mode will perform well with only Profile containers and without cache mode enabled for X amount of time. Thank you sir!
Hello, In the Defender Exclusion you said your profile wont be scanned during sign in, that means once user is logged in defender will start scanning. We are not stopping the defender permanently correct? What if user is using 3rd party tools for endpoint protection?
Actually yes, we are 100% excluding the users profile from being scanned BY THE SESSION HOST. And this goes for 3rd party tools as well! However You SHOULD scan the profiles while they are offline by another system, Not a session host so you don’t impact the users performance. Can you imagine crushing the CPU by 20 users being logged on the same host and all getting scanned at the same time. Performance would go to Zero!
Great video ! So many issues about FSLogix misconfigurations. Same with you about Premium File Share best practice. One question about redirection : the excluded folders will only be hosted on the AVD Host, right ? Therefore they will disappeared as soon the user log off, right ?
Good video, thanks Dean! Quick question - with AD Connect, best practices dictate that "on prem" Domain Admins are not synced to Azure AD. So, what's the best practice for administering Azure File shares? We grant the SMB elevated contributor IAM role to an AD security group and then grant that same AD group the required NTFS root permissions on the share. Is that the best option?
You do NOT have to grant the elevated contributor role to a domain admin. it could be anyone who administers AVD or the profiles...it is only to set the NTFS permissions. Yes this is the only option in many cases because Azure and Windows don't really know how to talk to each other...but they are working on it.
@@AzureAcademy Hmm, I didn't say that we granted that IAM role to Domain Admins - as I mentioned, no Domain Admin accounts are even replicated to Azure AD. Instead, we assign a regular AD user account to an AD security group that in turn is assigned the IAM role. Likewise for NTFS permissions. Based on your other comments though, it sounds like we are following best practices. Thanks for confirming
hello dean one que like we have an avd env which a pooled one and setup fs logix the problem here is first time the fs logix profile got created and when we disconnected from our session it is giving us the fs logix errpr as network path not found
In FSLogix settings / policies do you have access network as computer enabled? How about the enabled setting and VHD Location? What is the path in VHD Locations?
By excluding the OST from your profile via the XML are you creating IO and data transfer cost by having the avd have to recreate it each time you log in? Especially when you have you OST be more then 6 months of data
It is true that excluding the ost will cause you to redownload it each time…but most of the customers I have worked with want to save the space rather then have an instant email experience. The middle ground would be to include the OST but limit the OST file size / how far back in email they can have in the OST.
Office Data Filtering Catalog apparently.. I have to disagree with setting your Premium Files share to the maximum from the start. Billing for Premium Files is based on provisioned size. It will take your users quite a while to reach the 30GB limit of their profile size, if they ever get there at all. Meanwhile you're paying for unused capacity and, it's not cheap. Premium File share provisioned size can be increased and decreased after the fact, and increasing the size can even be done automatically as demand increases.
Those are good points. But I’ve worked with too many customers who never increase their size until the share runs out of room and everyone crashes…they all think set it and forget it…but if you can plan and monitor correctly…awesome!
Keep in mind that the provisioned size of a premium file share directly impacts its performance. So there is a performance benefit to over-provisioning the share.
"I do not think anyones profiles are actually that large" .. well sir, let me introduce to our marketing team - periodicaly destroying DFS and deduplication by moving terabytes of data from one folder to another since internet was invented :D. Now they are frustrated with sharepoint, cuz they cannot force IT work several hours on dedup restoration anymore :D. And also I limited their profile container for 15GB. Sweet revenge
Part of the reason for 30GB profiles is not because they need it that large…but because most people never reach the limit. That way you never have to do profile maintenance. Work smarter, not harder! And remember the disks are dynamic ☺️ but if you have a bunch of “heavy users”. Then you work around it as needed
@@AzureAcademy exactly.. 90% of our tribe never fills even 5GB of profile. We are using Citrix xenapp and I set policies in a way that if they are saving files they see only C drive of their laptop not Citrix C drive. Rest of them are somehow crafty and found a way around.... Usually ppl like that are asking why file is not appearing on their desktop where they saved it xD
@@AzureAcademy It's actually the entire video. Your voice moves around from mostly right to almost left. At first I thought it might be because I'm using Dolby Access (Windows, by the way, not on a phone), but it just makes it more pronounced. If I turn of the spatial sound, or switch over to DTS Unbound or even Windows Sonic, it's still the case. No other weirdness installed. And it's not just on my headphones, it's on my speakers as well. Love your content by the way, it's just something that I've noticed watching your videos. (And just yours.)
Strange? I don’t hear that in my mix. So just to be clear, are you saying that my voice moves 100% left and right during the video or is it more like you can still hear it on both sides but sound is more dominate on 1 side
Same for me, in my headset it's kind of surreal sometimes where your voice seem to bounce back and forth, like those binaural music things 😄 Not 100%, but like the volume is increasing/decreasing just slightly between each side back and forth quickly.
@@AzureAcademy sure i hope so, problem is not only with these but the troubleshooting with numerous profile issues arising after the updates are challenging. Every hotfix or updates creates some new issues. As admins we have customers call us for all kinds of issues. Can i request may bea video on troubleshooting for fslogix
Just as a note for those cost conscious companies - Premium File Shares will charge you based on your provisioned capacity, regardless if you are using the storage.
In your example of 3TB, you are paying for 3TB from day 1, even if you have 100 users with 10GB profiles at the start consuming ~1TB.
I like to put in storage alerts to expand the provisioned capacity, or leverage Nerdios dynamically scaling storage if it's in-place.
Great video! The ODFC was something I thought I knew, but I learnt something for sure.
Good point on the cost of premium files. Thanks for watching, and contributing to the comments ☺️
Keep in mind that the provisioned size of a premium file share directly impacts its performance. So there is a performance benefit to over-provisioning the share.
Yes there can be, but if you over provision for performance and try to shrink to save cost…you’re in for a shock. You can decrease the size of the share when ever you want, but the cost only goes DOWN once every 24 hours. 🤕
This channel became one of my favorites keep the coming Dean!
Awesome, More to come so stay tuned and if you have any suggestions let me know
You have no idea how many of the co-workers I work with and clients I do FSL or FS migrations for don't understand share/ntfs permissions lol.
Nice you showed this with authenticated users vs everyone
Glad I could help, Please share with your customers and friends! Stay tuned for the FSLogix storage video
Wow.. Really good content in this video! Perfectly timely as I was just running into the AD auth settings. Looking forward to the Storage video!
Glad you enjoyed it! Storage video should be out in the next week, stay tuned!
Great channel! Any update on the deep dive on storage you mention at 4:20?
Here ya go
ruclips.net/video/yJqTJh2Tgxo/видео.htmlsi=v1JMaUOQvk1vxrPu
Thank you for the video Dean and starting the discussion. Avoiding unnecessary high Azure backup costs can be a good reason to use ODFC so we can separate the Office cache from the User profile containers. Correct?
No ODFC is the general best practice in AVD.
The cost of Azure Backup can also be limited by not using the ODFC, for the reasons I talked about...AND using redirections to keep the big cache items out of the profile. Most everything else in ODFC is small...try it out and see the difference for yourself!
Great content! Very timely as well. Thanks
Glad you enjoyed it! Please share with others!
You can reduce the white space usage the disk mounted will still be the same size but the file in azure storage is less
The profile containers will shrink when you reduce the white space IF you are using dynamic disks.
Thanks. Very useful presentation
Glad it was helpful!
Thank you Dean for providing the valuable info. I have setup the FSLogix with Active directory integration with File Share Azure Storage account. I'm facing the profile size of vhdx size increasing day by day. Kindly advise on fix required.
This is the normal behavior of a dynamic disk no fix required. The vhdx disks grow as the users save data into their profiles.
I'm sorry, but have you tried the difference between outlook in online mode and offline mode? Thinking it's just as fast running it in online mode in AVD is simply not true. While its definately faster in AVD than on-prem, it's still snail slow compared to a file backed cahed mode outlook. So the whole point about the office container being a mistake, is really not valid, not to mention you don't really mention any benefits to not using it? While having it makes cleaning up and resetting user profile more versatile/faster/better.
its not a mistake...but in MOST cases in AVD. it should not be used. This is NOT my opinion...but the product team who invented it...its stated in the docs because most people, most of the time in AVD do not need it, and should not use it. The benefits of NOT using it were talked about several times...did you watch the whole video?
I even had a whole section on why you may want to use it! from 02:17 - 03:20
@@AzureAcademy I guess I'm a bit far, or maybe just don't consider your mistake as a mistake. I couldn't remember you mentioning a single problem with the office container, only facts about why it might not be necessary for everyone.
But again if it's not a mistake maybe it shouldn't be listed a mistake #1 🙂
@@AzureAcademy Yeah I have to agree with Jonas, Just because the developer mentioned it does not make it true in the real world. We tried this is the past and the amount of raised help desk calls around slow Outlook at caused us to roll back. I showed this video to our MS partner; most deployments still use both.
The mistake is using it in AVD. The issue is that it takes more management, complexity and cost for no real benefit for most use cases. BUT if you have 1 of the reasons I called out, which are included in the docs, it’s ok to use it. It’s just going to be more work than benefit to most customers
It is true that developers do not always align with the real world. But FSLogix has been around a long time, much longer than AVD. So a lot of those partners learned it way back when. So I’m not surprised they still use it. Just saying that in general, for most situations in AVD the ODFC does not bring more benefits, just overhead, complexity and cost. However, like I said in the video, there are a few edge cases that make sense
Have fast disk performance is key on making VDI /AVD work. It doesn’t matter how many cpus And how much memory you have if you have a subpar disk IO.
It is true that you need good disks which is why I suggest premium disks on all pooled session hosts. Also your FSLogix file share needs to have good performance…as well as enough CPU and RAM…it all works together
Hello Dean,
Thank you for this video. Regarding the last part for the Antivirus exclusions, we are already doing this with a third party AV (SentinelOne). I noticed on the screenshare you also added it on the GPO for Defender. Is that only necessary in the instances that you are using Defender Endpoint as the primary AV, or should we make sure to put that in place regardless if there is a third party AV in place ?
correct, you only need to add that GPO IF you use defender. But since you are using SentinelOne...just put them in there!
Just on AV scanning, how do you recommend the profile containers get scanned outside of the real-time logon? So say weekly at the weekend to make sure there are no nasties stored in the user's profile?
depends on the AV software you have and if it can scan the file share directly...if it can't, then you need to mount the profile disks to a VM and scan them. if you must go this way...do it during off hours or a maintenance window
Great tips Dean!
Thanks for watching!
Great vid as usual! I have one question on the exceptions path part. I noticed that in the screenshots you showed the “value” being the path to exclude, while we’ve got the “value name” as the path and the value set to zero? Should we have it reversed where the value is the path and value name is something random? Thanks!
What time is that shown in the video?
Danke sehr, How can we set the ost file with fslogix. What is the best image to set it? User profiles fill up quickly
How much email are you allowing in your OST?
Are your profiles containers 30GB or smaller?
Thanks Dean for the great video. However I have a small question: At 1:44 you mentioned that all of the office cache data lives in user profile anyways so you are not giving anything up. I believe you mean if we just create profile container and disable ODFC container we will still be caching office into the profile container, just that we will not have a different ODFC container. If this is correct then is it correct to assume that the OST will be created in the profile container? If yes then why we would do that as it would for sure increase the profile container size/cost?
That is correct. If you allow OST to be created YES it will then be in the profile container. An option could be to not you have to cache so much email in your OST. Another choice is to use the redirections.xml so it’s not in your profile either
@@AzureAcademy I think you mean have a group policy or use redirection.xml to completely remove caching of OST or decrease the number of days of caching
Yes
Very great video!
Thanks!
Is cached mode policy setting still required/recommended when not using O365 containers in AVD? Migrating from RDS Farm to AVD and curious if online mode will perform well with only Profile containers and without cache mode enabled for X amount of time. Thank you sir!
In AVD, your hosts are right next to the exchange servers so outlook should function fine in online mode.
Hello, In the Defender Exclusion you said your profile wont be scanned during sign in, that means once user is logged in defender will start scanning. We are not stopping the defender permanently correct? What if user is using 3rd party tools for endpoint protection?
Actually yes, we are 100% excluding the users profile from being scanned BY THE SESSION HOST. And this goes for 3rd party tools as well!
However You SHOULD scan the profiles while they are offline by another system, Not a session host so you don’t impact the users performance. Can you imagine crushing the CPU by 20 users being logged on the same host and all getting scanned at the same time.
Performance would go to Zero!
Great video ! So many issues about FSLogix misconfigurations.
Same with you about Premium File Share best practice.
One question about redirection : the excluded folders will only be hosted on the AVD Host, right ?
Therefore they will disappeared as soon the user log off, right ?
Correct, redirected folders go to the local_username folder while in the session and delete at log off
@@AzureAcademy Thanks Dean !
Anytime
Good video, thanks Dean! Quick question - with AD Connect, best practices dictate that "on prem" Domain Admins are not synced to Azure AD. So, what's the best practice for administering Azure File shares? We grant the SMB elevated contributor IAM role to an AD security group and then grant that same AD group the required NTFS root permissions on the share. Is that the best option?
You do NOT have to grant the elevated contributor role to a domain admin. it could be anyone who administers AVD or the profiles...it is only to set the NTFS permissions.
Yes this is the only option in many cases because Azure and Windows don't really know how to talk to each other...but they are working on it.
@@AzureAcademy Hmm, I didn't say that we granted that IAM role to Domain Admins - as I mentioned, no Domain Admin accounts are even replicated to Azure AD. Instead, we assign a regular AD user account to an AD security group that in turn is assigned the IAM role. Likewise for NTFS permissions. Based on your other comments though, it sounds like we are following best practices. Thanks for confirming
👍👍
Hello Dean, What is ODFC Stands for?
Office data file container
@@AzureAcademy Thank You So Much...
Anytime
Great content ❤
Thanks Ram!
is this applicable to win10/11 multi-session or just single-session OS? Thanks.
Typically I don’t recommend FSLogix for single session VMs
hello dean one que like we have an avd env which a pooled one and setup fs logix the problem here is first time the fs logix profile got created and when we disconnected from our session it is giving us the fs logix errpr as network path not found
In FSLogix settings / policies do you have access network as computer enabled?
How about the enabled setting and VHD Location?
What is the path in VHD Locations?
By excluding the OST from your profile via the XML are you creating IO and data transfer cost by having the avd have to recreate it each time you log in? Especially when you have you OST be more then 6 months of data
It is true that excluding the ost will cause you to redownload it each time…but most of the customers I have worked with want to save the space rather then have an instant email experience. The middle ground would be to include the OST but limit the OST file size / how far back in email they can have in the OST.
Are you saying this will reduce the azure storage costs? I am not understanding the advantage of redirection@@AzureAcademy
YES, The advantage is a smaller profile which can help keep storage costs down.
Office Data Filtering Catalog apparently..
I have to disagree with setting your Premium Files share to the maximum from the start. Billing for Premium Files is based on provisioned size. It will take your users quite a while to reach the 30GB limit of their profile size, if they ever get there at all. Meanwhile you're paying for unused capacity and, it's not cheap. Premium File share provisioned size can be increased and decreased after the fact, and increasing the size can even be done automatically as demand increases.
Those are good points. But I’ve worked with too many customers who never increase their size until the share runs out of room and everyone crashes…they all think set it and forget it…but if you can plan and monitor correctly…awesome!
Keep in mind that the provisioned size of a premium file share directly impacts its performance. So there is a performance benefit to over-provisioning the share.
It does to a point…but if total required IOPS is 10,000 having 50,000 doesn’t help more ☺️
@@AzureAcademy yea, we developed automation that evaluates the size regularly and increases it accordingly.
cool
Why would you allow using OST on terminal servers? Save the space by turning it off.
Listen…I agree with you! But some people…🤷🏼♂️🤦♂️
ODFC = Office Data File Containers
We have a winner!!!
"I do not think anyones profiles are actually that large" .. well sir, let me introduce to our marketing team - periodicaly destroying DFS and deduplication by moving terabytes of data from one folder to another since internet was invented :D. Now they are frustrated with sharepoint, cuz they cannot force IT work several hours on dedup restoration anymore :D. And also I limited their profile container for 15GB. Sweet revenge
Part of the reason for 30GB profiles is not because they need it that large…but because most people never reach the limit. That way you never have to do profile maintenance. Work smarter, not harder! And remember the disks are dynamic ☺️ but if you have a bunch of “heavy users”. Then you work around it as needed
@@AzureAcademy exactly.. 90% of our tribe never fills even 5GB of profile. We are using Citrix xenapp and I set policies in a way that if they are saving files they see only C drive of their laptop not Citrix C drive. Rest of them are somehow crafty and found a way around.... Usually ppl like that are asking why file is not appearing on their desktop where they saved it xD
LOL got it!
Why is your voice always alternating between left and right audio channels? It's super distracting.
I balance the left and right in the video...so you should NOT be hearing that. at what time do you think its happening so I can look into it?
@@AzureAcademy It's actually the entire video. Your voice moves around from mostly right to almost left. At first I thought it might be because I'm using Dolby Access (Windows, by the way, not on a phone), but it just makes it more pronounced. If I turn of the spatial sound, or switch over to DTS Unbound or even Windows Sonic, it's still the case. No other weirdness installed. And it's not just on my headphones, it's on my speakers as well.
Love your content by the way, it's just something that I've noticed watching your videos. (And just yours.)
Strange? I don’t hear that in my mix. So just to be clear, are you saying that my voice moves 100% left and right during the video or is it more like you can still hear it on both sides but sound is more dominate on 1 side
Same for me, in my headset it's kind of surreal sometimes where your voice seem to bounce back and forth, like those binaural music things 😄
Not 100%, but like the volume is increasing/decreasing just slightly between each side back and forth quickly.
hm...thanks for telling me...I'll look into fixing that!
Fslogix has been a pain in the arse, none of the documentation of ms is simple.
hopefully this video...and my next one make it easy for you!
@@AzureAcademy sure i hope so, problem is not only with these but the troubleshooting with numerous profile issues arising after the updates are challenging. Every hotfix or updates creates some new issues. As admins we have customers call us for all kinds of issues. Can i request may bea video on troubleshooting for fslogix
Here it is! Enjoy, and let me know what you think! ruclips.net/video/yJqTJh2Tgxo/видео.html