Tutorial: Configure Cloud Cache to redirect profile containers or office container to multiple Providers
Cloud Cache is an optional add-on to Profile Container and Office Container. Before configuring it, make sure you understand what Cloud Cache does; the full configuration settings and a full description of its purpose and use are covered in the Cloud Cache documentation.
In this tutorial, learn how to:
- Configure Cloud Cache for SMB
- Configure Cloud Cache for Azure Page Blobs
- Protect Azure Keys with Credential Manager
Prerequisites
- Make sure the requirements are met
- Install FSLogix
- Verify that users have appropriate access to network file storage
- If using Azure Page Blobs for Cloud Cache, verify that an appropriate Azure Storage service is being used.
Configure Cloud Cache for SMB
Configuring Cloud Cache for Profile Container
All settings are applied here: HKLM\SOFTWARE\FSLogix\Profiles
Remove any setting for VHDLocations
Add (or verify)
Registry Value | Type | Value |
---|---|---|
CCDLocations | REG_SZ / MULTI_SZ | type=smb,connectionString=<\Location1\Folder1>;type=smb,connectionString=<\Location2\folder2> |
Enabled | DWORD | 1 |
- <Location for Cloud Cache Provider>
- Each Provider is separated by a ;
- This sample is for two SMB Providers
Configuring Cloud Cache for Office Container
All settings are applied here: HKLM\SOFTWARE\Policies\FSLogix\ODFC
Remove any setting for VHDLocations
Add (or verify)
Registry Value | Type | Value |
---|---|---|
CCDLocations | REG_SZ / MULTI_SZ | type=smb,connectionString=<\Location1\Folder1>;type=smb,connectionString=<\Location2\folder2> |
Enabled | DWORD | 1 |
- <Location for Cloud Cache Provider>
- Each provider is separated by a ;
- The sample is for two SMB Providers
Configure Cloud Cache for Azure Page Blobs
Warning
Do not use the directions in this section for production.
The instructions in this section are intended to provide an understanding of the conceptual use of Cloud Cache with Page Blobs. If implemented in production, they would expose sensitive Azure credentials to any user with access to the host registry. A production implementation must protect these credentials; this may be accomplished by following the instructions for Credential Manager.
Configuring Cloud Cache for Profile Container
All settings are applied here: HKLM\SOFTWARE\FSLogix\Profiles
Remove any setting for VHDLocations
Add (or verify)
Registry Value | Type | Value |
---|---|---|
CCDLocations | REG_SZ / MULTI_SZ | type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=<myAccountName>;AccountKey=<myAccountKey>;EndpointSuffix=<mySuffix>" |
Enabled | DWORD | 1 |
- <Location for Cloud Cache Provider>
- Each provider is separated by a ;
- This sample is for one Azure Page Blob provider
- Page Blob connection string should be enclosed in "" (see sample)
- These settings are used to create the Azure Connection String:
- DefaultEndpointsProtocol=[http or https]
- AccountName=myAccountName
- AccountKey=myAccountKey
- EndpointSuffix=mySuffix
- The payload for the connection string can be found in the Azure portal.
More information about Azure connection strings is available in the Azure documentation.
Azure Account Keys are sensitive and may be protected using Credential Manager.
Configuring Cloud Cache for Office Container
All settings are applied here: HKLM\SOFTWARE\Policies\FSLogix\ODFC
Remove any setting for VHDLocations
Add (or verify)
Registry Value | Type | Value |
---|---|---|
CCDLocations | REG_SZ / MULTI_SZ | type=smb,connectionString=<\FILESERVER\SharedFolder>;type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=<myAccountName>;AccountKey=<myAccountKey>;EndpointSuffix=<mySuffix>" |
Enabled | DWORD | 1 |
- <Location for Cloud Cache Provider>
- Each provider is separated by a ;
- This sample is for one SMB Provider and one Azure Page Blob provider
- Page Blob connection string should be enclosed in "" (see sample)
- These settings are used to create the Azure Connection String:
- DefaultEndpointsProtocol=[http or https]
- AccountName=myAccountName
- AccountKey=myAccountKey
- EndpointSuffix=mySuffix
More information about Azure connection strings is available in the Azure documentation.
Azure Account Keys are sensitive and may be protected using Credential Manager.
Protect Azure Key with Credential Manager
FSLogix reads system credentials from Windows Credential Manager if they're saved with fslogix/ as a prefix. To use Credential Manager to protect your Azure Account Key with a credential named 'myAccountKey', add a SYSTEM key as fslogix/myAccountKey. Protected keys are accessed within the connection string using |fslogix/<key>|.
Any information that you would like to protect may be saved in Credential Manager and accessed in this way. For instance, if you wanted to protect both the Account Name and the Account Key, system keys could be created for both and used in the connection string as described above.
The sample below assumes that a secure key named 'key' has been added with the storage key, and that a secure key named 'account' has been added for the account name.
Registry Value | Type | Value |
---|---|---|
CCDLocations | REG_SZ / MULTI_SZ | type=smb,connectionString=<\FILESERVER\SharedFolder>;type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=|fslogix/account|;AccountKey=|fslogix/key|;EndpointSuffix=<mySuffix>" |
Enabled | DWORD | 1 |
An alternate approach is to place the entire connection string in a secure key; the CCDLocations value could then be ...,connectionString="|fslogix/ConnectionString|".
There are a number of ways to use Credential Manager, and any will work with the Azure connection string, provided that the credential is stored under the SYSTEM user. The credential type is "generic", and the credential name is prefixed with fslogix/.
frx.exe may be used to create, list, and delete system keys.
Command | Parameters | Result |
---|---|---|
frx.exe add-secure-key | -key keyName -value keyValue | *Creates a key with a key name of fslogix/<keyName> and a value of fslogix/<keyValue> |
frx.exe del-secure-key | -key keyName | *Deletes specified key |
frx.exe list-secure-key | | Lists secure keys with fslogix/ prefix |
* The fslogix/ prefix is added automatically when using frx.exe; don't add it manually.
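The following audit is an added example, not FSLogix or Microsoft code. It checks whether a host's CCDLocations values still carry a literal AccountKey instead of a |fslogix/<key>| reference. The function names and sample values are hypothetical; the registry paths and reference syntax are the ones given on this page.

```powershell
# Added example. Function names are hypothetical; registry paths and the
# |fslogix/<key>| reference syntax come from this page.
function Split-CcdProvider {
    param([string]$CcdLocations)
    # Providers are separated by ';', but a quoted Azure connection string also
    # contains ';'. Split only where an even number of quotes follows.
    [regex]::Split($CcdLocations, ';(?=(?:[^"]*"[^"]*")*[^"]*$)') | Where-Object { $_.Trim() }
}

function Test-CcdLocation {
    param([string[]]$CcdLocations)      # one REG_SZ value or each MULTI_SZ element
    foreach ($provider in ($CcdLocations | ForEach-Object { Split-CcdProvider $_ })) {
        if ($provider -notmatch '^\s*type=azure\s*,') { continue }
        $issues = @()
        # A literal AccountKey is anything not written as |fslogix/<key>|.
        if ($provider -match 'AccountKey=(?!\|fslogix/)') { $issues += 'AccountKey stored in plaintext' }
        if ($provider -match 'DefaultEndpointsProtocol=http(?!s)') { $issues += 'http endpoint protocol' }
        [pscustomobject]@{
            # Never echo the key itself into console output or logs.
            Provider = $provider -replace '(AccountKey=)(?!\|fslogix/)[^;"]+', '${1}<redacted>'
            Issues   = $issues -join '; '
            Pass     = ($issues.Count -eq 0)
        }
    }
}

# Constructed sample values (placeholders, not real credentials).
$samples = @(
    'type=smb,connectionString=<\FILESERVER\SharedFolder>;type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=acct;AccountKey=PLACEHOLDERKEY==;EndpointSuffix=<mySuffix>"'
    'type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=|fslogix/account|;AccountKey=|fslogix/key|;EndpointSuffix=<mySuffix>"'
)
Test-CcdLocation $samples | Format-List

# Audit the two registry locations named on this page, if present on this host.
foreach ($path in 'HKLM:\SOFTWARE\FSLogix\Profiles', 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC') {
    $value = (Get-ItemProperty -Path $path -Name CCDLocations -ErrorAction SilentlyContinue).CCDLocations
    if ($value) { Test-CcdLocation $value | Select-Object @{ n = 'Key'; e = { $path } }, * }
}
```

The first sample is reported with Pass = False and a redacted key; the second, which uses secure-key references, passes.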
Default Proxy and Cache folder Settings
Microsoft does not recommend changing the default Cloud Cache proxy and cache folder locations; however, you may do so via the CacheDirectory and ProxyDirectory registry keys.
By default, the FSLogix Cloud Cache cache and proxy folders are stored in C:\ProgramData\FSLogix\Cache and C:\ProgramData\FSLogix\Proxy.
If folder permissions do not match the default values, a warning is written to the system event logs. You must set the SilenceACLWarning registry key to 1 to disable the warning. Adjusting the default folder permissions may expose user data.
Default Proxy and Cache Directory Permissions
Principal | Access | Inherited from | Applies to |
---|---|---|---|
CREATOR OWNER | Modify | None | Subfolders and files only |
Users | Modify | None | This folder only |
Administrators | Full control | None | This folder, subfolders and files |
System | Full control | None | This folder, subfolders and files |
Default Creator Owner Permissions
The Modify permissions for Users and CREATOR OWNER are set to Modify, Read & execute, List folder contents, Read, Write.
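The following check is an added example, not FSLogix or Microsoft code. It compares the ACLs on the default cache and proxy folders with the default permissions table above and lists missing or unexpected entries. The function names are hypothetical, and well-known SIDs stand in for the principal names so the comparison also works on localized hosts.

```powershell
# Added example. Expected entries are transcribed from the default permissions
# table on this page; function names are hypothetical.
$sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
$expected = @(
    @{ Sid = 'S-1-3-0';      Rights = 'Modify';      Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'InheritOnly' } # CREATOR OWNER: subfolders and files only
    @{ Sid = 'S-1-5-32-545'; Rights = 'Modify';      Inherit = 'None';                            Propagate = 'None' }        # Users: this folder only
    @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl'; Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }        # Administrators
    @{ Sid = 'S-1-5-18';     Rights = 'FullControl'; Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }        # System
)

function Get-AceKey {
    param($Sid, $Rights, $Inherit, $Propagate)
    # Synchronize is implied on allow ACEs, so normalize it before comparing.
    $mask = [int][System.Security.AccessControl.FileSystemRights]$Rights -bor $sync
    '{0}|{1:X}|{2}|{3}' -f $Sid, $mask, $Inherit, $Propagate
}

function Compare-CloudCacheAcl {
    param([string]$Path)
    $want  = $expected | ForEach-Object { Get-AceKey $_.Sid $_.Rights $_.Inherit $_.Propagate }
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $have  = foreach ($r in $rules) {
        $key = Get-AceKey $r.IdentityReference.Value $r.FileSystemRights $r.InheritanceFlags $r.PropagationFlags
        # The table lists every default entry as an explicit (non-inherited) allow.
        if ($r.IsInherited) { $key += '|inherited' }
        if ($r.AccessControlType -ne 'Allow') { $key += '|deny' }
        $key
    }
    [pscustomobject]@{
        Path       = $Path
        Missing    = @($want | Where-Object { $_ -notin $have })
        Unexpected = @($have | Where-Object { $_ -notin $want })   # review: may expose user data
    }
}

# Default locations from this page; folders that do not exist are skipped.
'C:\ProgramData\FSLogix\Cache', 'C:\ProgramData\FSLogix\Proxy' |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Compare-CloudCacheAcl $_ }
```

Entries stored with generic access rights rather than specific file rights appear under Unexpected and need manual review.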