question

MuchR-5838 avatar image
2 Votes"
MuchR-5838 asked ·

FsLogix - Unclean logoff causing locked files until server reboot

Problem is described by M4deman under unclean-logoff-causing-locked-files-until-server-reboot

It seems to have something to do with the 2009 version.
The latest version of FSLogix is installed whats-new


Description

After a user logoff, the "System" Process (PID 4) locks the following folders:

C:\Users\local_username\AppData\Local\Microsoft\Credentials
C:\Users\local_username\AppData\Roaming\Microsoft\Credentials

The user is completely logged of, according to Task Manager.

In the FSLogix Profile Log file I can see the following:

[07:53:55.601][tid:00000c90.0000ce44][ERROR:00000020] Delete profile failed for sid S-1-5-21-3364776539-3721753400-1968955100-1179, Cleaning up manually. (Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.)
The last sentence means that the process cannot access the file, because another process already uses it.

Also the whole "local_username" folder cannot be deleted:

[08:23:15.479][tid:00000c90.0000bcc4][WARN: 00000005] Failed to delete C:\Users\local_usename (Access is denied)
Access Denied

Does someone have any info on this behaviour?




windows-remote-desktop-serviceswindows-server-fslogix
· 5
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

We are currently experiencing the same issue. The user VHDX is locked by system and can only be unlocked by rebooting the server.
Has Microsoft acknowledged this issue?

Currently using: 2.9.7654.46150

1 Vote 1 ·

Did you activate the registry value HKEY_LOCAL_MACHINE\SOFTWARE\FSLogix\Apps\CleanupInvalidSessions (REG_DWORD, 0x1)?
Do you use Cloud Cache or not?

Also, maybe you can check with the frx command line tool if there are still some redirects pointing to the use VHDX file. You can then use that tool to delete them manually and detach the VHDX files afterwards using diskpart.

1 Vote 1 ·

Hello @MuchR-5838

Did you check affected user has full control and Owner over their FSLogix Folder and the VHDX files ?

Thanks
Karlie

0 Votes 0 ·
MuchR-5838 avatar image MuchR-5838 KarlieWeng-MSFT ·

Hello,

Where is my answer from yesterday?
Why was this deleted?

How can I open a ticket at Microsoft now?

Thank you

0 Votes 0 ·

Hello @MuchR-5838

sorry I was going to delete my comment as it wasn't helpful, and your comment is below mine, so it seems they were deleted together. I want to restore but it doesn't has this option.

FSLogix is supported for use with versions of Windows and Office that are still included in the Microsoft Support Lifecycle.

How to open a FSLogix Support Request
https://social.msdn.microsoft.com/Forums/en-US/14ea5f6f-760b-4ad2-83cf-23c3cbc1bcc4/how-to-open-a-fslogix-support-request?forum=FSLogix

Best regards
Karlie

0 Votes 0 ·
MuchR-5838 avatar image
1 Vote"
MuchR-5838 answered ·

Hi,

Permissions are OK.

In the screenshot you can see that the folders are blocked by lsass.exe.
56562-openfiles.png


I also noticed when the problem occurs I get the message:
The Group Policy Client service failed the sign in. Access is denied
56549-message.png


The problem is also described here:
fslogix-error-34group-policy-client-service-failed.html



openfiles.png (8.5 KiB)
message.png (4.1 KiB)
· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MuchR-5838 avatar image
0 Votes"
MuchR-5838 answered ·

Am I the only one in the world who has the problem?

Thanks
Regarts
Michael

· 1 · Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,

We also started seeing this issue with some users.
Similar as you described, although local profile cleanup fails with: (The directory is not empty)

Doesn't happen for all users.
rolling back while we investigate

0 Votes 0 ·
KarlieWeng-MSFT avatar image
0 Votes"
KarlieWeng-MSFT answered ·

Fix: The Group Policy Client Service Failed the Logon

"Therefore this error is caused by a group policy that fails to respond or if it stops running. This could be due to bad registry calls or a corrupt registry. Usually, this is caused by system updates and upgrades that might mess with the registry. A bad shutdown or startup process can also cause this issue.

This can also happen when you try to logon using a non admin account in a PC that had some applications or drivers that were installed with admin privileges before. "

FAQ: FSLogix Troubleshooting Guide
"Some registry settings cannot be set through a GPO as they need to be read too early in the boot process that a GPO can’t set them early enough."


How to resolve error “Group Policy Client service failed the logon. Access denied.” in Citrix and FsLogix environments



· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

FredrikEndresen-9130 avatar image
0 Votes"
FredrikEndresen-9130 answered ·

Check your GPO settings that defines the local FSLogix include\exclude groups.

FSLogix now uses the SID of the local include\exclude groups. So if the GPO is set up to "replace" instead of "update", it will stop working after a gpupdate within users session. This because the local groups get recreated and get new SIDs.

This may cause the problem you describe.

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MuchR-5838 avatar image
0 Votes"
MuchR-5838 answered ·

Hi there,

Thanks to everyone for the answers.

@ KarlieWeng-MSFT:
1. We only used FSLogix on Windows 2019 RDS server.
2. Software is only installed with admin users.
3. I already know the article. It also happens to users with a new profile.
4. The error with the GPO occurs when the folders described above are blocked by "System" or "lsass.exe". Only a restart releases the folder again. Then the logon works without any problems. Even several days ...

@ FredrikEndresen-9130:
We do not use a GPO to distribute or configure the groups. I do this manually for each RDS server.

Thanks

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MuchR-5838 avatar image
0 Votes"
MuchR-5838 answered ·

Hi,

I found Marco's article describing the same problem.

He also confirms the problem with the new version of FSLogix

Link: caution-fslogix-2009-2-9-7621-30127-profiles-wont-logoff-completely


· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MuchR-5838 avatar image
0 Votes"
MuchR-5838 answered ·

Hi,

I saw that there is a update for the version 2009.
whats-new

Unfortunately, this doesn’t solve the problem either.

Best regards
Michael


· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BrackoEwald-6473 avatar image
0 Votes"
BrackoEwald-6473 answered ·

We are encountering the same issue with the 2004 release (2.9.7349.30108), too.
The fslogix agent doesn't delete the redirections and unmount the containers on rare occasions.
But when it starts to happen more and more users are affected.
A reboot of the system will "fix" it for the moment.
Maybe this is caused by another Microsft update...

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MuchR-5838 avatar image
0 Votes"
MuchR-5838 answered ·

I noticed the following, but I'm not sure.

We have a GPO active so that disconnected sessions are automatically logged off after 3 hours. I have currently disabled this setting.
There seems to be a difference whether the user logs out himself or whether this is done by the system.

Does anyone else have this setting active?

Instead of logging off the users whit GPO, we restart the RDS server every day. So far I haven't found any local_username folders

· 2 · Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

We are doing something similar than you right now (no auto logoff of the users until server-reboot). Due to those issues with the fxlogix profiles I even implemented a Powershell script to properly log off the users a few minutes before we restart our RDS servers because I assumed the issues might be caused by an improper logoff during the server-reboot.
This didn't help either.
If I understood you correctly you had those issues also with active auto disconnect & logoff settings.
There seems to be a general issue causing this kind of behavior as it looks like.

0 Votes 0 ·
MuchR-5838 avatar image MuchR-5838 BrackoEwald-6473 ·

As already written, I'm not sure if it has to do with the automatic logout.
It seems better if I disable this setting.

I can say more at the end of the week.

Or it's just a coincidence.....

0 Votes 0 ·
stefanosevangelou avatar image
0 Votes"
stefanosevangelou answered ·

Hello,

I am having the exact same issue in a production environment running Citrix Virtual Apps and Desktops LTSR 1912 CU1 on Windows Server 2019 Standard Session Machines with latest OS updates and Office365 updates. Citrix Profile Management components are disabled and not used in the environment. Only FsLogix latest stable release is being used for user profile management.

We have tried to apply the following workarounds, to no avail: https://stefanos.cloud/blog/kb/how-to-resolve-error-group-policy-client-service-failed-the-logon-access-denied-in-citrix-and-fslogix-environments/.

The root cause of the issue seems to be that the local_username profiles created by FsLogix are not released properly at logoff (see attached screenshot). The file handles are kept open by the lsass.exe process. This is reflected in the FsLogix profile container logs (cannot delete C:\users\username folder. Access denied). We tried to manually close these handles with the SYSTEM user but afterwards the FsLogix service would not startup in the session machine.
62107-citrix-fslogix-handle64-lasassexe.png
We have opened a technical case with Microsoft which is being escalated. We really hope that Microsoft provides a release soon including a fix for this issue.



· 6 · Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

If you have a deeper look into this issue with the frx tool from fslogix and with diskpart you'll see that this lock is there because the folder redirections were not removed and the corresponding VHD(X) file wasn't detached during the logoff process. Applies to both profile and Office365 containers.

0 Votes 0 ·

Hello,

the screenshot i uploaded in my previous post is actually incorrect, as it refers to the C:\Users\username folder which corresponds to the fslogix profile container. The profile container is eventually properly released in my environment, so no issues there. The issue is with the local profile (C:\Users\local_username folder) which is not properly62995-fslogix-profile-issue.png released, see attached screenshot.


0 Votes 0 ·

I assume you have the GPO/GPP setting "Keep local folder after user logs out" (registry: HKLM\SOFTWARE\FSLogix\Profiles\KeepLocalDir) configured accordingly?

1 Vote 1 ·
Show more comments