FSLogix Default Exclusions explanation and quick Fix
As you know, FSLogix does have profile exclusions, and more importantly, they have 2 significant FSLogix profile exclusions built-in. But in this quick little blog, I will focus on a little FSLogix Gotcha, but not really. It's More of an MS GPO that many of us have set for specific scenarios that we needed in older Profile cases. Well, with FSLogix, it will backfire. In my case, if IE will slow down and get tons of calls (Yes, I know IE stinks, and it's moving from soon 😊), This blog post is not about putting in extra exclusions, and it's not about if you should or shouldn't.
I noticed that my INetcahce was not being cleared when I users logged out, and it was causing the issue for some legacy applications that require IE in my use case. I research the default FSLogix Exclusion, and the MS article states this
Profile Container content - FSLogix | Microsoft Docs
How to resolve the FsLogix INetCache access denied issue (stefanos.cloud)
At first, I was like, ok, cool, but it's not working. When the users log into any VDI/RDSH or where FSLogix is applied, you will see that the Local_Username will have its exclusions. You should see the folder here for any exclusions you add. However, not that FSLOGIX wasn't designed for many exclusions. I still do it today, but with caution, and I don't go nuts. If you want to learn more about this, you can read this Microsoft link. As I stated above, it's not about adding more to the default list.
Profile Container content - FSLogix | Microsoft Docs
Here is an Example of Teams and those cases where I think you should
Back on track now.
But for some reason, its not doing this. But why? So, I reached out to my fellow Slack buddies and got some good advice.
Kasper Johansen educated me that if I have the GPO set then it will not do what its designed to do. Extra information from and on this as well, which helped me. He also mentioned it would list it in the event log. Which it did 😊
Nick Panaccio, posted You must assign the "Prohibit User from manually redirecting Profile Folders" registry action to all users, which sets "DisablePersonalDirChange"
to 0 at logon
-If you do not apply this setting, WEM sets the value to 1, and FSLogix will fail to redirect INetCache successfully
Dennis Mohrmann also updated on if WEM folder redirection is on it will affect this.
So, after going through my environment, I found this, and this GPO will not allow INetCache. In my case, to be deleted correctly. Or, in better words, move it to the local_Username. This means the cache will not get disregarded on logoff, and then you have to come behind it and put in extra GPO as I did because I did not know this.
The GPO to avoid while using FSLogix
"Prohibit User from manually redirecting Profile Folders"
After you have this set, you will see in this location that the key exists.
Inside the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
You will see DisablePersonalDirChange set to value = 1.
Now you can set the policy to not configured, but it will not change the registry value back as it tattoos the registry for the user hive. Now its clear you can come back around and set this with Citrix WEM or any UEM tool, or simply set the GPO to disabled. Which will remove the entry altogether and reverse it to the way it should have been.
As you can see here, it will log into the Event logs as not Working
You will also notice that it will create the TEM and INetcache folder in the Local_username, but it will not move the contents either.
You will see the Cache and Temp folder in the normal profile paths. Such as c:\users\%username\Appdata\Local\Miscrosoft\Windows\Inetcache for example.
After setting this to disabled
You will see that it's working now.
I understand this is very basic. However, for me, it was a big deal in my environment, and anything that was in the INetCache now will be disregarded, and it will fix an issue that I am having with Slow IE browsing after about 5 hours for my web applications.
I understand many of you are using more modern browsers, but in some environments, things are behind, and IE is still the go-to for some things. I hope you find this helpful as I did.
No comments:
Post a Comment