Profile Containers store user information in VHD(X) files. These files are stored in a network location. Profile Containers and Office Containers can automatically create the folders and files needed. To avoid security issues, user permissions must be created to allow users to create and use a profile, while not allowing access to other users’ profiles.

Per FSLogix documentation (https://docs.microsoft.com/en-us/fslogix/configure-per-user-per-group-ht), the following is recommended:

FSLogix follows Microsoft’s Modern Lifecycle Policy. To remain eligible for support, customers must stay current with the latest FSLogix release. Updates and fixes are only provided for the most recent version. If issues are encountered on an older version, customers are required to upgrade before receiving support.

Support for FSLogix is available only to customers who meet product eligibility requirements and run the software on supported operating systems. The following operating systems are currently supported:

• Windows 10 (including multi-session SKUs from Azure Marketplace)

• Windows 11 (including multi-session SKUs from Azure Marketplace)

• Windows Server 2016

• Windows Server 2019

• Windows Server 2022

• Windows Server 2025

For a complete list of supported platforms, see:

Deprecated Features and Retired Platforms

• 32-bit architecture: Support retired as of February 11, 2025.

• Windows Server 2012 R2: Support retired as of February 11, 2025.

For a complete list of FSLogix Deprecated Features and Retired Platforms, see:

Please ensure that FSLogix Office or Profile Container is not configured by GPO on the server(s) as this will cause conflicts with the settings specified in the Parallels RAS Console or Management Portal.

For FSLogix Profile Container to work properly, configure your antivirus to exclude the following objects, as per Microsoft’s recommendations:

Files:

• %TEMP%\*\*.VHD

• %TEMP%\*\*.VHDX

• %Windir%\TEMP\*\*.VHD

• %Windir%\TEMP\*\*.VHDX

• \\server-name\share-name\*\*.VHD

• \\server-name\share-name\*\*.VHD.lock

• \\server-name\share-name\*\*.VHD.meta

• \\server-name\share-name\*\*.VHD.metadata

• \\server-name\share-name\*\*.VHDX

• \\server-name\share-name\*\*.VHDX.lock

• \\server-name\share-name\*\*.VHDX.meta

• \\server-name\share-name\*\*.VHDX.metadata

Cloud Cache specific exclusions:

• %ProgramData%\FSLogix\Cache\ (folder and files)

• %ProgramData%\FSLogix\Proxy\* (folder and files)

FSLogix profiles can also be stored directly on Azure Page Blobs. When using Azure Page Blobs, it is strongly recommended to store sensitive Azure credentials inside Windows Credential Manager. This prevents exposing sensitive Azure credentials to users with access to the session host registry. Chapter 3 explains how to leverage Azure Page Blobs and provides guidance on how to use Credential Manager to securely store the required Azure credentials. When deciding on the storage type and location, make sure to perform a cost calculation up front as there can be a significant cost difference between various storage solutions in Azure.

FSLogix profiles can also be stored on Azure Files with Active Directory Domain Services or Azure Active Directory Domain Services. Per FSLogix documentation (https://learn.microsoft.com/en-us/azure/virtual-desktop/fslogix-profile-container-configure-azure-files-active-directory), the requirements below need to be met. Once completed, the same NTFS permissions as outlined in the previous chapter need to be applied.

• Host pool where the session hosts are joined to an AD DS domain or Azure AD DS managed domain, and users are assigned.

• A security group in your domain that contains the users who will use FSLogix Profile Containers. If you’re using AD DS, it must be synchronized to Azure AD.

• You Azure subscription must allow you to create a storage account and add role assignments.

• A domain account to join computers to the domain and open an elevated PowerShell prompt.

• The subscription ID of your Azure subscription where your storage account will be.

A computer joined to your domain for installing and running PowerShell modules that will join the storage account to your domain. This device must be running a supported version of Windows. Alternatively, you can use a session host.

You are eligible to access FSLogix Profile Container, Office 365 Container, Application Masking, and Java Redirection tools if you have one of the following licenses:

• Microsoft 365 E3/E5

• Microsoft 365 A3/A5/ Student Use Benefits

• Microsoft 365 F1/F3

• Microsoft 365 Business

• Windows 10 Enterprise E3/E5

• Windows 10 Education A3/A5

• Windows 10 VDA per user

• Remote Desktop Services (RDS) Client Access License (CAL)

• Remote Desktop Services (RDS) Subscriber Access License (SAL)

FSLogix solutions may be used in any public or private data center if a user has the necessary license.

For more information, see: https://docs.microsoft.com/en-us/fslogix/overview.