Windows User Profiles in a Frame world
“I love Windows User Profiles, said No One, ever”
By Ruben Spruijt
Although introduced over 25 years ago, user profiles are still a fundamental part of today’s physical Windows PCs and virtual desktop and application solutions. Check out this blog to learn the foundation of Windows user profiles, the pros and cons of different profile solutions, and how to leverage them with Nutanix Frame to deliver the best user experience.
The summer of ‘93
With the introduction of Windows NT in July 1993, Microsoft introduced the first true multi-user operating system and provided the ability for different users to log in to a single operating system. Windows user profiles introduced with Windows NT laid the groundwork for the user profile as we know it today. Windows Server 2012R2, 2016, 2019, 2022, and also Windows XP, 7, and Windows 10 all use the same basic profile foundation.
The user profile contains the user registry hive (user.dat) and various folders stored under C:\Users\%Username%, including Downloads, MyDocuments, “AppData”, Desktop, Start Menu, and more. The type of user profile, its size, the storage type and location, the ability to roam, and options to manage the user profile have a huge impact on the user and administrator experience. It is important to understand the foundation of user profiles, the pros and cons of different user profile technologies, and the solutions you can use within Nutanix Frame. Although introduced in ‘93, user profiles are still a fundamental part of today’s physical Windows PCs and virtual desktop and application solutions.
The focus of this blog post is the use of profile solutions within the Frame Desktop as a Service solution. If you are interested in learning more about the benefits of DaaS, check out my blog: Why Should You Care About VDI and Desktop-as-a-Service?
Foundation - local profiles
Local Windows user profiles are available on every machine, including virtual machines and physical PCs. It is a core functionality of the Windows operating system. When the end-user logs in for the first time, the system creates a user profile based on the “Default User” profile and stores the profile on the local system drive. When the user logs off, the local profile copy remains on the machine. When the user logs on to this same machine again, the local profile is reloaded, as this is the unique user profile.
The advantage of local profiles is super fast logon times, since the profiles normally are stored on fast virtual machine (VM) storage when using Desktop as a Service.
The downside with local profiles is that there are no roaming capabilities. When used in a non-persistent “pooled” setup, the user profile isn’t persistent, which means application preferences and user data are lost after each user session.
Foundation - roaming profiles
Roaming Windows user profiles can follow the user across the network, providing the user the ability to roam among virtual desktop and application sessions. The roaming option allows users to roam across different computers and have their settings follow them.
Typically, the Windows profiles are stored on an SMB file share and the files are copied from the file server at logon and saved back to the central repository at user logoff. The bigger the profile, the longer the copy takes, which means the user logon and user logoff time will be substantial, resulting in a poor user experience or maybe even corrupted user profiles (if the profile fails to fully be saved to the file share after user logoff).
The advantage of roaming profiles is that user profiles can roam among sessions in both non-persistent and persistent environments. The downside is that since the profile is stored centrally on a file share, profiles are copied and saved over the network, impacting user logon and logoff performance.
Foundation - mandatory read-only profiles
A mandatory user profile is a user profile that has been preconfigured with specific user settings. Changes made during a user's session that are normally saved to a local or roaming Windows user profile are not saved after a reboot.
Mandatory roaming user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
Foundation - Profile Containers / Profile Disk
With user profile “container” or user “profile-disk” technology, the Windows user profile is stored inside a virtual disk. This profile-disk typically is stored on a (SMB) network file share, such as Windows File Server, Azure Files, Nutanix Files, or on the same storage as the VMs are stored.
When the user logs in, the profile-disk is attached and at logoff the disk is detached from the user VM or user session. The biggest advantage here is that user logon and user logoff times are independent of the size of the disk. Consistent user logon and logoff times can occur even when the user profile is 50GB in size. Especially with Windows 10, Office 365, and Windows Search enabled, the user profile will be large, impacting user experience, specifically in a non-persistent Desktop as a Service environment.
Foundation - User Environment Management (UEM)
User Environment Management (UEM) software solutions provide a wide range of functionality to set up, configure, control, and overall manage the complete Windows user environment. Managing the Windows user profiles is one important element of UEM. Other UEM functionality includes:
- User Profile Management: handling the storage part of the user profile and the ability to exclude files and folders within the profile from roaming. It also is possible to bridge profiles across different Windows OS versions, making it easier to work with user profiles in a mixed Windows OS environment.
- User Personalization: define and push Windows application, operating system settings, and configuration preferences. Set up user personalization such as printer default settings, Outlook email signatures, application shortcuts, and browser favorites.
- Application and Access Control: enforce specific security policies, lockdown and control access to applications based on user groups, environment variables, or other parameters.
- System Resource Management: provides technology to optimize the application and operating system and underlying system resources providing consistent performance.
- Application License Management: provides application license usage, reports, and control.
Different UEM software solutions provide different functionality. Some are included in the desktop as a service license bundle. Many are flexible and powerful, but can also be complex to set up, configure, and maintain. Still others are much simpler, but provide less functionality.
Following are some widely used UEM solutions in the virtual desktop and application industry:
- Citrix Windows Environment Manager (WEM)
- Ivanti Workspace Control and User Workspace Manager
- Liquidware Labs ProfileUnity
- Microsoft Windows - Group Policy Objects (GPO), Group Policy Preferences (GPP) with roaming profiles and folder redirection
- Microsoft User Experience Virtualization (UE-V)
- VMware Dynamic Environment Manager (DEM), formerly known as UEM
Which contexts each of these UEM solutions is the best choice for is a great question for a future blog post.
Not every Desktop as a Service customer requires a full-blown UEM solution. Many do well with a lean and mean approach using profile disk technology combined with Microsoft Group Policy Objects (GPO), and Group Policy Preferences (GPP).
What do we see in the field?!
For a long time, it was very common to use roaming user profiles combined with Windows folder redirection, GPOs, and GPPs, especially in the Windows XP and Windows 7 days. With Windows 10, the default user profile size has increased big time and applications such as Microsoft Teams, Microsoft Office 365, Outlook cache, and Windows search increase the user profile size even further. All negatively impact the user experience when using roaming user profiles.
Recently, the “State of the EUC Union 2021 - VDI Like A Pro” survey asked:
How large are your Windows Profiles on average as part of your virtual apps and desktop environment?
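To answer that question for a single Windows VM before choosing between the options below, here is an added example (not from the original post or from Nutanix) that lists each local profile with its total size and largest top-level folders. It uses the standard Win32_UserProfile CIM class; the helper name Get-FolderSizeBytes is introduced here for illustration.

```powershell
# Added example: size of every local user profile on this machine.
# Run elevated so other users' profile folders are readable.

function Get-FolderSizeBytes {
    # Hypothetical helper: sums file lengths below $Path, skipping unreadable items.
    param([Parameter(Mandatory)][string]$Path)
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    return [long]$sum   # $null (empty folder) casts to 0
}

# Skip system profiles (LocalSystem, NetworkService, ...) and stale entries.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath -and (Test-Path -LiteralPath $_.LocalPath) }

$report = foreach ($p in $profiles) {
    # Top-level folders, ignoring legacy junctions such as "Application Data".
    $folders = Get-ChildItem -LiteralPath $p.LocalPath -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; Bytes = Get-FolderSizeBytes -Path $_.FullName }
        } | Sort-Object -Property Bytes -Descending

    # Files directly in the profile root (the user registry hive lives here).
    $rootBytes = [long](Get-ChildItem -LiteralPath $p.LocalPath -File -Force -ErrorAction SilentlyContinue |
        Measure-Object -Property Length -Sum).Sum
    $total = $rootBytes + [long]($folders | Measure-Object -Property Bytes -Sum).Sum

    [pscustomobject]@{
        Profile = $p.LocalPath
        Roaming = [bool]$p.RoamingConfigured   # true when a roaming profile is configured
        Loaded  = $p.Loaded                    # true while the user is logged on
        TotalGB = [math]::Round($total / 1GB, 2)
        Largest = ($folders | Select-Object -First 3 |
                   ForEach-Object { '{0} ({1:N0} MB)' -f $_.Name, ($_.Bytes / 1MB) }) -join ', '
    }
}

$report | Sort-Object -Property TotalGB -Descending | Format-Table -AutoSize -Wrap
```

Profiles that report `Roaming = True` and a large `TotalGB` are the ones where logon and logoff copy time will be most noticeable.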
“Gone are the days of Windows roaming profiles, friends don’t let friends use roaming profiles in 2021 and beyond” - Ruben Spruijt
Another question from “State of the EUC Union 2021 - VDI Like A Pro” was:
How is the user environment managed within virtual applications and desktops environment? e.g. Security, Windows User profiles, Printer/drive mappings, etc.
Nutanix Frame and User Profiles Deployments Options
What are the common Windows User Profiles and User Environment Management deployment options with Nutanix Frame?
- Local Profiles
- Frame Enterprise Profiles using Profile Disk
- Microsoft (FSLogix) Profile Containers
- Liquidware ProfileUnity
- Microsoft Roaming Profiles with Folder Redirection
Let’s deep dive into each deployment option with its use-cases, advantages, and downsides.
|Deployment option|Advantages|Downsides|
|---|---|---|
|Local Profiles*|Super simple and easy to manage; use default “Frame User” in the sandbox to configure the OS and Application preferences.|No user profile persistency; application settings and data in the user profile are gone after logoff. Personal Drive can be leveraged to redirect certain data to a persistent personal disk. Also, with persistent desktops the local profile is great to use. More about storage options here.|
||Secure: always a pristine “clean” user profile at logon - fast, secure, and easy to manage.|Management overhead: when settings in the “Default Frame user” profile are frequently updated, production pools must be updated frequently as well through a “publish.”|
||Super fast user logon, local disk performance, and streamlined user profile.||
||No additional storage costs, profile is stored within the VM.||
||Network File Server or services not required.||
|*|With a Frame customization script, it’s possible to load and store user profile data from a different persistent location.||
|Frame Enterprise Profiles using Profile Disk|Fast and consistent logon and logoff. The profile disk attaches at logon and detaches at logoff with the same performance, independent of the size of the profile disk.|Additional logon time compared to the local profile.|
||1-click setup and configuration. No additional setup or configuration needed for Enterprise Profiles.|Since the design goal is “super simple,” no advanced configuration options are possible. Can’t choose to store Frame Enterprise Profile Disk on Nutanix Files or Azure Files.|
||AutoGrow option of user profile defined by Admin.|Everything in the user profile is captured in the profile disk - no exclusions possible.|
||User-driven backup/restore of user profile via Frame LaunchPad.|No automatic shrink of Profile Disk.|
||No additional costs for profile disk capability. It is included as part of Frame user subscription.||
||Simple storage configuration, leverage the same storage platform as VMs. All automatic setup via 1-click.||
||Super simple and easy to manage; use Windows default user in the Sandbox to configure the OS and Application preferences.||
||Supported in both non-domain-joined and domain-joined Windows VMs.||
|Microsoft (FSLogix) Profile Containers|Fast and consistent logon and logoff. The profile disk attaches at logon and detaches at logoff with the same performance, independent of the size of the profile disk.|Classic AD domain joined required.|
||No additional license costs. The entitlement of FSLogix is in Microsoft RDS/VDA license or subscription.|Network file share is required, additional management (permissions, availability, monitoring) needed.|
||Advanced configuration options for the placement of profile containers. Valuable in large enterprise and DR configurations.|No automatic shrink of Profile Container.|
||Ability to separate Office-related settings and the rest of the user profile for optimal user profile and storage consumption configuration.||
||Ability to exclude folders from profile containers.||
|*|Frame Guest Agent (FGA) v8.0 or greater with Overlay File System (OFS) is required.||
|Liquidware ProfileUnity (and other UEM solutions)|All the benefits of a very advanced User Environment Management solution that covers much more than Profile Management alone.|Additional costs.|
|||People with knowledge and skills to design, set up, and maintain the UEM solution needed.|
|||No automatic shrink of Profile Disk.|
|||Classic AD domain joined required.|
|Microsoft Roaming Profiles w/ Folder Redirection|No additional license costs.|Poor user experience. Depending on user profile size, session logon and logoff can take a while.|
||With a small user profile or mandatory user profile, the logon and logoff experience is fine.|Network file share is required, additional management (permissions, availability, monitoring) needed.|
|||Classic AD domain joined required.|
|||Profiles can get corrupted because of network dependency.|
|||Redirection of application data can cause a lot of strange application issues.|
Frame walkthrough, happy watching!
If you want to see Frame in action, be sure to check out this blog “Frame Video Walkthroughs, as easy as 1-2-3.” Want more deep dives on EUC, DaaS, and Frame? All my blogs are available and visible in one simple overview here. Happy reading!
Ruben Spruijt - Sr. Technologist Nutanix - @rspruijt
© 2021 Nutanix, Inc. All rights reserved.