Optimizing the VDI User Experience with FSLogix Containers and Application Masking 

Cloud Computing

Remote and virtual desktop solutions provide a flexible way for users to access remote services securely while maintaining control of how the users access those services. In this article, I’ll explain how FSLogix can optimize remote and virtual desktop environments by leveraging Profile Containers and Application Masking. I’ll also detail the FSLogix features allowing users to provide customized, user-based access to applications in a virtual desktop environment.

How FSLogix Profile Container and Application Masking optimize the VDI experience 

Providing a consistent experience as users log into non-persistent or shared desktops is an essential factor in the success of a remote and virtual desktop environment. Microsoft acquired FSLogix in 2018, and it is the recommended way to manage user profiles in Azure Virtual Desktop environments.

FSLogix is not limited to use with Microsoft solutions. It is available to use with Citrix, VMware Horizon, and other virtual desktop infrastructure (VDI) platforms to manage user profiles and the desktop experience. 

There are three main components included with FSLogix:  

  1. Profile Container
  1. Application Masking 
  1. Java Version Control 

FSLogix Profile Container creates a container on a network share that holds the user’s profile. The profile is available as the user moves between different computers in a remote or virtual desktop environment, providing a consistent desktop experience with non-persistent and multi-user desktops. 

Departments or business units within an organization require access to unique combinations of applications. Managing images with different collections of applications can be time-consuming in these environments. FSLogix Application Masking simplifies image management by dynamically hiding and blocking access to applications based on user or group membership. This leads to fewer images to manage while limiting access to applications on those images. 

Lastly, Java Version Control allows administrators to specify versions of Java for web applications based on a URL. Java Version Control only works with Internet Explorer. Internet Explorer has reached its end of life, and I won’t cover Java Version Control in this article.  

How FSLogix Profile Container works

FSLogix provides a way to centralize user profiles so they can be accessed as users log into different computers. Centralizing profiles provides a consistent desktop experience in shared, non-persistent, and multi-user desktop environments.  

When a user who is enabled for FSLogix Profile Container logs into a computer, the FSLogix application checks the network share for a profile. Then, the Profile Container is mounted if it exists. If not, one is created and then mounted. The Profile Containers are in a .VHD or .VHDX virtual disk format.  

The FSLogix application redirects profile reads and writes to the Profile Container on the network share.  Some profile items, such as temporary files or session-specific information, do not need to be stored in the profile container. A file with the format “Local_UserName” is created on the local computer to store these items. This folder is removed once the user logs off. 

FSLogix Profiles Overview
FSLogix Profile Container overview (Image credit: Petri/Travis Roberts)

Office Containers 

The Profile Container stores all user data by default. Sometimes, it may be desirable to separate Office 365 data into a separate container. Separating Office 365 data is possible with FSLogix Office containers

Office 365 data is a cached copy of Office 365 data, Outlook .OST files, and the local OneDrive cache. For example, Office 365 data is easily recreated from the Microsoft online copy.

By splitting Office 365 data, we can limit the amount of data backed up and replicated for disaster recovery preparation. Also, separating the Office 365 data into a different Profile Container will spread profile reads and writes across multiple file shares, potentially increasing performance. 

Office 365 Containers
How Office 365 Containers work (Image credit: Petri/Travis Roberts)

Cloud Cache 

With traditional Profile Containers, only one file share location is used for profiles and another file share for Office 365 data, if used. However, some organizations require a low recovery point objective (RPO) for their business continuity and disaster recovery plans.

FSLogix Cloud Cache offers near real-time profile redirection to multiple file share locations. Cloud Cache uses multiple file locations simultaneously, keeping all copies updated with changes. 

Cloud Cache leverages the computer’s local drive to build a profile cache when the user logs in. The cache is populated with profile data from one of the remote shares. The profile reads come from the cache. Profile writes are written to the local cache, then asynchronously to the profile shares. The remote profiles are kept up to date in near real-time. 

FSLogix Cloud Cache
How FSLogix Cloud Cache works (Image credit: Petri/Travis Roberts)

The profile locations can be local, at a remote or disaster recovery site, or both. Should one copy become unavailable, the available copy is used. The offline location is brought up to date once it’s available again. This makes Cloud Cache a good option for high availability with failover to a remote site. 

FSLogix Cloud Cache Unavailable
What happens when FSLogix Cloud Cache is unavailable (Image credit: Petri/Travis Roberts)

Cloud Cache is a good option for high availability, but there are some things to consider before implementing it:

  • User log-ons can be slower as FSLogix builds the local profile from the remote cache.
  • Logoffs can be slower as FSLogix updates all changes to the remote locations at logoff.
  • The time between logons and logoffs can be faster as all profile reads and writes occur locally at the cache. Therefore, using fast local disks with Cloud Cache in multi-user environments is important.
  • Fast local disks are required to avoid read-and-write contention. 

How FSLogix Application Masking works

Image management requires significant time and effort in environments with various applications and many business units. Each department has its own catalog of applications that must be available to end users. Creating images for virtual and remote desktops that meet the application requirements can lead to multiple images, and managing these multiple images can be time-consuming and complex. 

FSLogix Application Masking lets us control what applications users have access to on the client operating system. For example, an organization can reduce the number of images by adding more applications to a smaller number of images. Access to the applications is granted or denied with Application Masking based on the user, group membership, or other factors. 

App Masking rules are created with the Application Masking rule editor. The rule editor can be found in the FSLogix installation files. The rule editor has the option to create a blank rule, a rule from a program file path, or select an installed application.  

App Masking Rule Editor
App Masking Rule Editor (Image credit: Petri/Travis Roberts)

Here’s what you can do in practice:

  • You can use the rule editor to add one or more applications to the rule.
  • Next, add the rule assignments after adding the applications to the rule.
  • After that, apply the assignment to a user, group, process, network location, computer, directory container, or environmental variable.
  • The assignments can apply to the target or not apply to the target. That allows for granular control over how the rule is applied. 
App Masking Rule Assignments 
App Masking Rule Assignments (Image credit: Petri/Travis Roberts)

FSLogix Application Masking streamlines the image creation and management process. More applications can be added to a smaller number of images, reducing image management overhead. Application Masking controls access to the application with rule assignments.  

What do you need to use FSLogix? 

Eligibility to use FSLogix is dependent on Microsoft licensing. The list below shows the license eligibility to use FSLogix: 

  • Microsoft 365 E3/E5 
  • Microsoft 365 A3/A5/ Student Use Benefits 
  • Microsoft 365 F1/F3 
  • Microsoft 365 Business 
  • Windows 10 Enterprise E3/E5 
  • Windows 10 Education A3/A5 
  • Windows 10 VDA per user 
  • Remote Desktop Services (RDS) Client Access License (CAL) 
  • Remote Desktop Services (RDS) Subscriber Access License (SAL) 
  • Azure Virtual Desktop per-user access license 

FSLogix can be used in public or private data centers. It supports Windows 7 clients, Windows Server 2008 R2, and newer client and server operating systems. 


FSLogix Profile Container solves the problem of profile management by creating a central location for user profiles, then attaching those profiles to user sessions as they move between computers in a virtual or remote desktop environment. In addition, FSLogix Profile Container provides a way to split Office 365 data into its own profile container, and it can keep multiple copies of profile containers up to date in near real-time with Cloud Cache. 

Lastly, FSLogix Application Masking simplifies image management by managing access to applications installed on the image. Users are restricted to only the applications they need access to with App Masking rules. Overall, FSLogix Profile Container and Application Masking are really helpful tools for optimizing your user’s VDI experience.