Deploy VMware UEM & App Volumes for Citrix XenDesktop & VMware Horizon to Manage Windows 10 Apps, Profiles, Outlook Cache, and Search Indexing !!!

Introduction:

I am a big advocate of Citrix VDI technology; nevertheless, that does not mean other vendors do not have strong points when it comes to their EUC offerings. As humans, we always tend to limit our choices to “either this or that” in order to make it easier for our brain to make a decision, but remember what Obi-Wan told Anakin: “Only a Sith deals in absolutes”.


Assuming a “Sith” is a person that makes poor, irrational, subjective choices like joining the dark side of the Force, we as IT professionals, no matter how we personally feel about any company or technology (even if we work for a specific company), should always keep an open mindset and promote products that are genuinely technically superior. I know of no company in the world that is number 1 in all of its offerings and I believe this to be an undeniable fact, though I know of a few vendors that might argue otherwise.

This definitely applies to Citrix and VMware when it comes to VDI, especially products that contribute to the EUC ecosystem. Why Citrix is a superior technology to VMware in terms of core VDI functionality is out of scope of this post; nevertheless, VMware is stronger, in my very humble opinion AS OF NOW, in two areas: User Environment Management and Application Layering. As we do not deal in absolutes, a good way of integrating VMware and Citrix products for an ultimate EUC environment would be to use App Volumes application layering and User Environment Management with Citrix XenDesktop VDI on top of vSphere, which is still to date the most used hypervisor for VDI environments (“VDI Like A PRO EUC Survey”).

VMware knew it would take a long time for Blast Extreme or PCoIP to take on ICA along with the surrounding Citrix core VDI functionality, thus it invested in App Volumes and UEM to gain a strong foothold in User Environment Management and Application Layering and a clear advantage over Citrix. Citrix took back the initiative by acquiring UniDesk for application layering (and a little bit more) and Norskale for User Environment Management (and a little bit more). By more I mean OS/Platform layering with UniDesk on top of multi-hypervisor, multi-cloud support, and CPU/RAM/IO optimization with legacy Norskale, now Citrix Workspace Environment Management.

Citrix Application Layering and Citrix WEM are fully functional production products, but as of now they are not fully integrated with Citrix XD and miss core UEM functionalities in terms of management, integration, and supportability against VMware when it comes to pure VDI deployments. From a technology perspective UniDesk is a much more powerful product than App Volumes, but we don’t know how much time Citrix will take to integrate all components and make them production ready. WEM and UEM have similar features that can be compared, like policy management, and different sets of functionality, like profile mgmt. and OS optimization, that cannot be compared.

Citrix WEM is not a profile management solution, so it relies on Citrix Profile Management for that, while VMware UEM is a profile management solution on its own that can handle personalization and thus cannot be used with Persona Management. Both products do policy management and eventually aim to make user experience more consistent, login times faster, and provide granular context-based policy control. WEM includes OS optimization in terms of CPU/RAM/IO, which VMware UEM does not do. From a policy management perspective both act the same by applying policies after login is completed, which speeds up login/logoff experiences. WEM consolidates most policies into simple buttons, like locking down the desktop OS; let’s say the most used policies in VDI are integrated into WEM, while VMware UEM has some integrated and some that rely on GP ADMX import.

To me, GP ADMX import into WEM, application profiling (even if used for UPM inclusions/exclusions, not WEM specifically) and UI/Cache/Agent fixes are still missing from WEM and are required to match the policy mgmt. of VMware UEM (even without GP import, WEM can still be configured using external tasks and registry policies to do the same, but with a bit more work). Will Citrix drop UPM and add personalization to WEM in the future, which is definitely a better approach!? One never knows …

Citrix Unidesk not only does Application Layering but also includes OS and Platform layering which allows the product to be Hypervisor and Cloud agnostic, something which VMware App Volumes is not capable of as of now. I will not compare both products but from a VDI perspective and until Citrix fully integrates Unidesk into Studio, App Volumes is a better fit for pure application layering and subsequently user writable volumes (think persistent disk on non-persistent virtual desktops). Citrix Application Layering User Layers similar to VMware writable volumes is still in Technical Preview mode while App Volumes writable volumes are production ready given that vSphere hypervisor is used (Citrix App Layering supports a wide range of hypervisors and cloud environments).

When using in-guest application layering, both products are not limited to any hypervisor, on top of that with Citrix App Layering as of now, in order to provide layered applications to users or user layers, virtual desktops must be created using an OS/Platform layer which introduces a big hassle to existing XenDesktop admins since catalogs will need to be recreated to support layers …

A major challenge faced in VDI environments nowadays is handling Outlook cache and indexing in non-persistent VDI, on top of Windows 10 Start Menu, File Type Associations, and Default Apps, not to mention login times. In this scenario I want to tackle all of these issues and provide a consistent user experience to Citrix VDI Windows 10 users using VMware products. Note that the same procedure below works for VMware Horizon 7.X as well.

Now that the ground has been set, what I would like to do in this post is walk you through deploying and configuring VMware App Volumes and User Environment Manager to create a consistent Windows 10 VDI environment using Citrix XenDesktop virtual desktops. On top of that configure UEM for Windows 10 to ensure profile and personalization mimic a stable profile for users ( think Start Menu and File Type Associations ) and App Volumes writable volumes to support roaming Outlook OST cache and Outlook Search indexing in a non-persistent XenDesktop VDI environment.

Components:

The components configured for the sake of this demonstration post are:

1 x vSphere 6.5 u1 cluster on VSAN 6.6 hybrid

1 x Citrix XenDesktop DDC 7.17 with SF

1 x VMware App Volumes 2.13 (SQL Express) | VMware UEM 9.3 Console

1 x File Server

1 x Windows 10 1709 Base Image

3 x Windows 10 1709 non-persistent virtual desktops

All of these components would normally be highly available in a production environment but for the sake of this post I will keep this to core requirements to demonstrate the required configuration and fit this into one post. UEM configuration is always pulled from a centralized file share so a dedicated server for UEM is not required thus I will be installing UEM console on App Volumes server. I have opted for Win 10 1709 because it is the hardest to control policy wise.

Multiple instances of App Volumes can be installed pointing to the same DB for high availability while load balancing them using NetScaler or F5. On the base image we can also manually add several App Volumes servers in case the load balancer fails for some reason, which is a best practice. SQL high availability can be through clustering, mirroring, or AlwaysOn. The file server can be clustered or HA maintained through DFS-R; highly available NAS CIFS shares also work fine for UEM config/data/profiles.

Before we start, though many might argue against it, I always like to apply policies that rarely change on the base image itself to avoid GP issues affecting the VDI environment when using UEM to push everything else. UEM requires a GP to point the agent to the profile and personalization for the logged-in user and also a logoff script to force the UEM agent to sync changes.

These policies are normally configured through AD GP but I always do it on local GP of the base image to ensure that it is applied no matter the situation. UEM can be configured in NoAD mode as well to remove dependency on group policy to point UEM agent to required configuration/personalization/profile shares.

Deployment:

VMware UEM:

1- Create three file shares one for UEM configuration, one for User Data (Folder Redirection), and one for User Profiles (UEM Archive, Backup, & Logs).

image

NTFS Permissions for User Data and User Profiles repositories (UEMData | UEMProfiles):

image

NTFS Permissions for UEM Config repository (UEMConfig):

image

Share Permissions for User Data, User Profiles , and UEM Config repositories (UEMData | UEMProfiles | UEMConfig):

image

Sizing for UEMConfig is linked to how many application profiles are imported into UEM; these are small config files that contain application-specific configuration, and 1GB is a good starting point. UEMProfiles sizing depends on the user profile size, which should not exceed 100MB per user, especially when AppData is not completely synced except for specific applications using UEM. UEMData sizing depends on how much data users will be allowed to save on desktop, documents, downloads, … through folder redirection, which is specific to each environment. I have seen 2GB and have seen 20GB per user …
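One way to script step 1 with least-privilege permissions, as an added example that is not part of the original post. The local path D:\UEM, the EXAMPLE domain and group names, and the specific permission entries are assumptions (the permission screenshots above are not reproduced in text), so compare them with your own design before use.

```powershell
# Added example. Assumed values: local path, domain name and group names.
$root      = 'D:\UEM'                    # assumed folder on the file server
$admins    = 'BUILTIN\Administrators'
$system    = 'NT AUTHORITY\SYSTEM'
$users     = 'EXAMPLE\Domain Users'      # constructed: group containing the VDI users
$uemAdmins = 'EXAMPLE\UEM-Admins'        # hypothetical group allowed to edit UEM config

foreach ($name in 'UEMConfig', 'UEMData', 'UEMProfiles') {
    $path = Join-Path $root $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Remove inherited ACEs so that only the entries granted below apply.
    icacls $path /inheritance:r | Out-Null
    icacls $path /grant "${admins}:(OI)(CI)F" "${system}:(OI)(CI)F" | Out-Null

    if ($name -eq 'UEMConfig') {
        # Users only read configuration; one admin group may modify it.
        icacls $path /grant "${users}:(OI)(CI)RX" "${uemAdmins}:(OI)(CI)M" | Out-Null
        $share = @{ ReadAccess = $users; ChangeAccess = $uemAdmins }
    } else {
        # At the root, users may only traverse, list and create their own folder
        # (no inheritance flags = this folder only) ...
        icacls $path /grant "${users}:(RD,AD,RA,REA,X,RC)" | Out-Null
        # ... and the creator gets full control of that folder's contents only.
        icacls $path /grant "CREATOR OWNER:(OI)(CI)(IO)F" | Out-Null
        $share = @{ ChangeAccess = $users }
    }

    # Share ACL names explicit groups instead of Everyone; access-based
    # enumeration hides other users' folders from directory listings.
    New-SmbShare -Name $name -Path $path -FullAccess $admins `
                 -FolderEnumerationMode AccessBased @share | Out-Null
}

# Check: any identity other than the expected ones holding write-class rights
# on the configuration root is a finding (this should return nothing).
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
(Get-Acl (Join-Path $root 'UEMConfig')).Access |
    Where-Object { ($_.FileSystemRights -band $writeBits) -and
                   ($_.IdentityReference.Value -notin $admins, $system, $uemAdmins) } |
    Select-Object IdentityReference, FileSystemRights
```

Keeping UEMConfig read-only for users matters because every agent applies whatever configuration it finds there at logon.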

2- Install User Environment Manager Console:

image

image

image

image

image

image

3- UEM Initial Configuration:

Point to UEM configuration share created earlier:

image

image

Choose the appropriate Office settings to be synced for users:

image

image

Verify that UEM configuration has been created inside the UEMConfig repository:

image

General contains Personalization settings synced for users that are configured through UEM console:

image

Default Personalization settings for applications and Windows synced for users when using easy start with UEM:

image

4- UEM Personalization Configuration:

Let’s start by looking at the Windows settings synced with the user profile to make sure that users get a consistent Windows 10 experience (remember that AppData is not folder redirected nor synced):

Though we are going to delete Active Setup Installed Components when optimizing the base image, it’s always better to add Active Setup to UEM Windows settings so that users do not get the “preparing your profile” message every time a login is initiated:

image

image

image

image

Default Apps and FTAs are very tricky in Windows 10 and while UEM has a prebuilt setting for that, it doesn’t sync user changed Default Apps and FTAs out of the box so we have to do the following changes:

image

[IncludeRegistryTrees]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations
HKCU\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts

image

[IncludeIndividualRegistryValues]
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserSignedIn

Now we have to add a condition so that these values are only applied to users when using Windows 10:

image

image

image

Always remember to save config file:

image

Another important Windows 10 setting to sync is the Start Menu, so we need to create a config file for it as well. On the base image we are going to customize the start menu and copy it to the default profile so all users will get the same clean start menu. This setting will make sure that a custom start menu changed by users will load on logon, and we are going to create a logoff script as well that will sync the start menu changes when the user logs off.

image

image

image

image

[IncludeFiles]
<LocalAppData>\Microsoft\Windows\Shell\LayoutModification.XML

We also need to exclude the following registry value from Windows Explorer config file:

image

image

[ExcludeIndividualRegistryValues]
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuInit

Head over to User Environment to create a logoff script that will sync start menu changes when user logs off:

image

image

image

Powershell.exe Export-StartLayout -Path C:\Users\$env:USERNAME\AppData\Local\Microsoft\Windows\Shell\LayoutModification.XML

Before we head over to User Environment Policy settings for ADMX and Outlook cache configuration, let me show you how to quickly profile an application to save its settings within user profile.

I am going to use the base image to do the same, though that is not recommended because you have to uninstall the UEM agent. Just create a Windows 10 machine and install UEM Application Profiler and the App Volumes agent to use for both application profiling and later creating an App Volumes application AppStack. I will go for WinRAR profiling here:

image

image

image

image

Now that WinRAR has been installed, we can use UEM application profiling to create a config file that knows where WinRAR changes its settings in the file system and registry, so that UEM is able to sync those settings for users within their profile. We have options for configuring predefined settings for applications as well, but I won’t cover this here; just do a bit of digging and you will figure it out.

image

When the profiler is initiated, WinRAR will open. I always like to open some tabs, and here is where you would change settings that you would like to persist for all users. Close the application when done.

image

image

You can see that WinRAR saves personalized settings in Registry and AppData. After we save this config file and add it into UEM, changes done to WinRAR will be synced within the user profile. “Save config file” would only save the file system and registry locations for WinRAR settings, while choosing “save config file with predefined settings” would also save specific WinRAR settings that would persist for all users.

image

image

Now to import this configuration file into UEM, the fastest way is just to copy the folder content to the UEM config share and place it in General\Applications.

image

Back in UEM console, Refresh Tree and the application should now be visible:

image

image

VMware has a community forum repository for well known UEM profiled applications so make sure to check it out HERE.

The first thing we need to do in the UEM User Environment “Policy mgmt.” tab is add default domain GPs to make sure all settings can be pushed through UEM rather than GP. Either get these policies from your domain SYSVOL path or just copy them from one of the domain controllers’ C:\Windows\PolicyDefinitions.

image

image

image

image

image

image

image

Now let’s set up UEM so that Outlook OST caching is synced with the user profile and saved on App Volumes writable volumes (App Volumes will be configured later on).

image

image

image

image

Now let’s configure folder redirection to make sure user data is forwarded to UEMData:

image

image

That’s it for now in terms of UEM configuration, of course for production environments you would need to configure more policies and add more applications. Last piece of the puzzle is to import UEM GP into local policy on base images and configure UEM agent:

image

image

image

image

image

Flex Config files point to UEM configuration share general repository \\SHARE\UEMCONFIG\General

image

image

image

image

image

image

A logoff script needs to be created so that UEM syncs user changes on logoff:

image

A few policies that enhance login experience when UEM is configured for Windows 10 (a must for any VDI environment):

image

image

image

image

Customize the start Menu on the base image and copy it to the Default user profile so that all new user profiles get the same start menu and based on UEM configuration any change on start menu will be saved within profile.

Make sure to run this after using Citrix Optimizer and VMware OS Optimizer to uninstall Windows 10 store applications (I like to disable store as well and install legacy calculator). On a side note, especially with VMware OS Optimizer, don’t just run the LoginVSI template directly; fine tune it based on your requirements because many things might break when doing so. DO NOT disable or remove SEARCH using any optimizer: VMware OS Optimizer completely removes indexing when disabling search, so even if you enable search again, indexing would still be disabled.

Citrix Optimizer is a better fit for Windows 10 1709 Store applications and is a safer option when you don’t know all settings that need to be optimized:

image

image

Export-StartLayout -Path C:\StartLayout.xml

Import-StartLayout -LayoutPath C:\StartLayout.xml -MountPath $env:SystemDrive\

Finally, let’s install the UEM Agent on the base image (install the UEM agent after the App Volumes agent is installed):

image

image

App Volumes:

1- Install App Volumes Manager:

image

image

I am going to go with SQL Express for the sake of this demonstration but an external highly available SQL server is required for production environments.

image

image

image

2- App Volumes initial configuration:

image

image

image

image

image

image

image

image

image

image

image

Make sure to choose the VSAN Datastore; later on we will disable local server storage so that it is not used by mistake to host any volumes.

image

image

image

image

image

image

image

image

3- Create a layered application AppStack to be delivered to users through App Volumes, I will use WinRAR. We need a Windows 10 machine with App Volumes agent installed.

image

image

image

We need to install App Volumes agent on the Windows 10 machine to be used to create the Appstack, same procedure is done on base image to connect to App Volumes agent.

image

image

image

Now that the App Volumes agent has been installed, let’s continue assigning the created AppStack to the Windows 10 machine:

image

image

image

image

Connect to the Windows 10 machine that was chosen earlier to install the WinRAR application. Do not click OK before installing the application:

image

image

image

image

image

image

image

image

image

image

image

image

Now WinRAR has been layered, added to App Volumes, and assigned to domain users. Let’s move on with configuring writable volumes to support Outlook caching and Outlook search indexing before assigning to users. VMware has a KB for this configuration but it is not very clear. Download the Outlookindexconfig file from the KB.

image

Connect to vCenter and navigate to VSAN datastore\cloudvolumes\writable_templates in order to create a new App Volumes writable template with the required changes from the downloaded files:

image

Copy the template_uia_plus_profile.vmdk to another folder and rename it accordingly.

image

image

image

Now in order to make changes to the new writable volume, which I named “Officeindexing.vmdk”, we need to attach it to a VM as an existing hard disk and assign a drive letter. The ZIP file can be uploaded directly through App Volumes, but I wanted to make sure that everything goes right, so doing it manually is the way to go since it’s a one-time job. When this is done it will apply to new users, but for existing users it has to be done on their writable volume. In case you just want to support Outlook OST caching but not roaming of indexing, there is no need for the following procedure; just make sure to assign the “template_uia_only.vmdk” for the users in App Volumes and the previous UEM OST configuration will take care of the rest.

image

image

image

Let’s copy the files from the downloaded Outlookindexconfig to the attached writable volume and overwrite existing files:

image

Detach the writable volume from the VM and move the writable volume to the correct folder which is VSAN datastore\cloudvolumes\writable_templates:

image

image

Let’s assign the new writable volume that supports Outlook search indexing to VDI users from App Volumes Manager:

image

image

I created it for all domain users because this is a lab and I have around 10 users, but be careful if you have hundreds of users, even though writable disks are thin provisioned. I will be conducting tests with the XD1 user.

image

Testing:

Now that the base image has been optimized with both the UEM agent and App Volumes agent installed, I have provisioned a catalog with 2 virtual desktops on Citrix XenDesktop and assigned the delivery group to domain users. To properly test roaming applications, profile, data, Outlook cache, and Outlook indexing, testing will be conducted on 2 virtual desktops using the same user.

On a side note, when using any User Environment Management solution with pooled or non-persistent virtual desktops, it’s always a good idea to increase the time that XD waits to restart a virtual desktop on logoff to 10 or 15 seconds.

image

1- Log in to a virtual desktop to create the user profile/data, making sure UEM config is applying and a profile has been created in the correct repository. Note that when logging in for the first time, sometimes the start menu won’t appear until logoff occurs once (make sure to set devices.hotplug to false inside the base image advanced VM configuration to avoid this):

image

image

image

image

Let’s check if a profile was created in the UEMProfiles repository and folder redirection in the UEMData repository:

image

image

Let’s check if the assigned writable volume was successfully mounted for the first time:

image

Let’s check if the assigned AppStacks WinRAR and Notepad++ are mounted, noting that these were not installed on the base image but are delivered as layered applications:

image

Let’s check if the start menu appears as customized during base image customization. I will also add a couple of items to the start menu to make sure roaming is working properly when logging in to other non-persistent virtual desktops:

image

image

Let’s check Default applications and File Type Associations. I will also change some (adding Paint as the default application for Photos and changing the .cpp extension to use WordPad) to make sure that they are roaming properly when logging in to other non-persistent virtual desktops:

image

image

Let’s open Outlook and test both the Outlook caching settings, which are applied through UEM, and Outlook indexing, which is applied through the custom writable volume that we created:

image

image

image


image

In order to test if Outlook cache and Outlook search indexing are being redirected to the writable volumes, we can browse c:\snapvolumestemp\writable and should find two folders, one for Outlook cache and one for search indexing.

image

image

image

2- Now for our final and most important test, let’s log off and sign in to another non-persistent virtual desktop and find out if everything is persisting and user experience is consistent. I will put the currently used virtual desktop in maintenance mode just to make sure.

image

image

image

image

image

image

image

image

Woooohoooo !!!!!

Everything is working as expected. Login Time Impact based on testing (Full SSD and a bit more optimizations/workarounds can further reduce this but 33 seconds given the above configuration is more astounding):

UEM: 15 seconds.

UEM with AppStacks: 22 seconds.

UEM with AppStacks & Writable Volumes: 33 seconds.

Conclusion:

Aside from having to take a long break after this post, combining Citrix and VMware technologies to provide the best of breed EUC experience is not a bad idea at all and the results are astonishing to say the least.

Next up, we are going to spin the wheel, Deploying Citrix WEM and App Layering to VMware Horizon, Stay tuned !!!

Salam.

3 thoughts

  1. As usual, great post! One question I have regarding the shares; why use multiple shares for UEM Config, User Data, and User Profiles, and not just one share with UEM Config, User Data, and User Profiles as subfolders?

    1. Thank you for the comment. It’s always a better approach to separate them from a security and availability perspective. You might want to put your User Data on SSD and UEMconfig on HDD or you don’t want everything affected if that root folder is compromised or compliance needs to separate user data from everything else …
