Tutorial: Configure Cloud Cache to redirect profile containers or office container to multiple Providers

Cloud Cache is an optional add-on to Profile Container and Office Container, understand Cloud Cache. Full Configuration Settings for Cloud Cache are Here. For a full description of the purpose and use of Cloud Cache, visit this page.

In this tutorial, learn how to:

  • Configure Cloud Cache for SMB
  • Configure Cloud Cache for Azure Page Blobs
  • Protect Azure Keys with Credential Manager

Prerequisites

Configure Cloud Cache for SMB

Configuring Cloud Cache for Profile Container

All settings are applied here: HKLM\SOFTWARE\FSLogix\Profiles

Remove any setting for VHDLocations

Add (or verify)

Registry Value Type Value
CCDLocations REG_SZ / MULTI_SZ type=smb,connectionString=<\Location1\Folder1>;type=smb,connectionString=<\Location2\folder2>
Enabled DWORD 1
  • <Location for Cloud Cache Provider>
  • Each Provider is separated by a ;
  • This sample is for two SMB Providers

Configuring Cloud Cache for Office Container

All settings are applied here: HKLM\SOFTWARE\Policies\FSLogix\ODFC

Remove any setting for VHDLocations

Add (or verify)

Registry Value Type Value
CCDLocations REG_SZ / MULTI_SZ type=smb,connectionString=<\Location1\Folder1>;type=smb,connectionString=<\Location2\folder2>
Enabled DWORD 1
  • <Location for Cloud Cache Provider>
  • Each provider is separated by a ;
  • The sample is for two SMB Providers

Configure Cloud Cache for Azure Page Blobs

Warning

Do not use the directions in this section for production.

The instructions in this section are to provide an understanding of the conceptual use of Cloud Cache with Page Blobs. The instructions in this section would expose sensitive Azure credentials to any user with access to the host registry, if implemented in production. When creating a production implementation, care must be used to protect these credentials, this may be accomplished following the instructions for Credential Manager.

Configuring Cloud Cache for Profile Container

All settings are applied here: HKLM\SOFTWARE\FSLogix\Profiles

Remove any setting for VHDLocations

Add (or verify)

Registry Value Type Value
CCDLocations REG_SZ / MULTI_SZ type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=;AccountKey=;EndpointSuffix="
Enabled DWORD 1
  • <Location for Cloud Cache Provider>
  • Each provider is separated by a ;
  • This sample is for one Azure Page Blob provider
  • Page Blob connection string should be enclosed in "" (see sample)
  • These settings are used to create the Azure Connection String:
  • DefaultEndpointsProtocol=[http or https]
  • AccountName=myAccountName
  • AccountKey=myAccountKey
  • EndpointSuffix=mySuffix
  • The following screenshot shows where to find the payload for the connection string in the Azure portal:

Screenshot of Azure portal Storage Access

More about Azure Connection Strings can be found here and here

Azure Account Keys are sensitive and may be protected using Credential Manager

Configuring Cloud Cache for Office Container

All settings are applied here: HKLM\SOFTWARE\Policies\FSLogix\ODFC

- Remove any setting for VHDLocations

Add (or verify)

Registry Value Type Value
CCDLocations REG_SZ / MULTI_SZ type=smb,connectionString=<\FILESERVER\SharedFolder>;type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=;AccountKey=;EndpointSuffix="
Enabled DWORD 1
  • <Location for Cloud Cache Provider>
  • Each provider is separated by a ;
  • This sample is for one SMB Provider and one Azure Page Blob provider
  • Page Blob connection string should be enclosed in "" (see sample)
  • These settings are used to create the Azure Connection String:
  • DefaultEndpointsProtocol=[http or https]
  • AccountName=myAccountName
  • AccountKey=myAccountKey
  • EndpointSuffix=mySuffix

More about Azure Connection Strings can be found here and here

Azure Account Keys are sensitive and may be protected using Credential Manager

Protect Azure Key with Credential Manager

FSLogix will read system credentials, from Windows Credential Manager, if they're saved with fslogix/ as a prefix. To use credential manager to protect your Azure Account Key, with a credential named 'myAccountKey' a SYSTEM key should be added as fslogix/myAccountKey. Protected keys are accessed within the connection string using |fslogix/<key>|.

Any information that you would like to protect may be saved in Credential Manger, and accessed in this way. For Instance, if you wanted to protect both the Account Name and the Account Key, then system keys could be created for both and used in the connection string as described above.

The sample below assumes that a secure-key has been added named 'key' with the storage key. Also a secure key named 'account' has been added for the account name.

Registry Value Type Value
CCDLocations REG_SZ / MULTI_SZ type=smb,connectionString=<\FILESERVER\SharedFolder>;type=azure,connectionString="DefaultEndpointsProtocol=https;AccountName=|fslogix/account|;AccountKey=|fslogix/key|;EndpointSuffix="
Enabled DWORD 1

An alternate approach would be to place the entire connection string in a secure-key, the CCDLocations value could then be ...,connectionString="|fslogix/ConnectionString|".

There are a number of ways to use Credential Manger, and any will work with the Azure connection string, provided that the credential is stored under the SYSTEM user. The credential type is "generic", and the credential name is prefixed with fslogix/.

frx.exe may be used to create, list and delete system keys.

Command Parameters Result
frx.exe add-secure-key -<key keyName> -<value keyValue> *Creates a key with a key name of fslogix/<keyName> value of fslogix/<keyValue>
frx.exe del-secure-key -key keyName *Deletes specified key
frx.exe list-secure-key Lists secure keys with fslogix/ prefix

* /fslogix is added automatically when using frx.exe, don't manually add /fslogix

Default Proxy and Cache folder Settings

Microsoft does not recommend changing the default Cloud Cache proxy and cache folder locations, however you may do so via the CacheDirectory and ProxyDirectory registry keys.

By default, FSLogix the FSLogix Cloud Cache proxy and cache folders are stored in C:\ProgramData\FSLogix\Cache and C:\ProgramData\FSLogix\Proxy.

If folder permissions do not match the default values then a warning will be written to the system event logs. You must set the SilenceACLWarning registry key to 1 to disable the warning. Adjusting the default folder permissions may expose user data.

Default Proxy and Cache Directory Permissions

Principal Access Inherited from Applies to
CREATOR OWNER Modify None Subfolders and files only
Users Modify None This folder only
Administrators Full control None This folder, subfolders and files
System Full control None This folder, subfolders and files

Default Creator Owner Permissions

Users and CREATOR OWNER modify permissions are set to Modify, Read & execute, List folder contents, Read, Write

Next Steps