Windows Persistent Profiles with FSLogix

note

For automated FSLogix setup with Kasm autoscaled VMs see the FSLogix Container Profiles section of Auto Scale Configuration.

FSLogix Overview

Kasm Workspaces can leverage FSLogix Profile Containers to deliver high-performance, persistent user profiles for Windows Desktops and Remote Apps. FSLogix provides a local profile experience ensuring that personal settings, application data, and customizations remain persistent across sessions, while allowing the underlying VM infrastructure to be stateless and disposable.

For additional information, see Learn Microsoft - What is FSLogix?

Prerequisites

Supported Operating Systems
Windows 10, Windows 11, and Windows Server 2016, 2019, 2022, and 2025

Directory Services
FSLogix utilizes Windows identities to secure and assign Windows profiles to user sessions. To utilize FSLogix, your Windows VMs and storage provider must share an identity source. Supported configurations include: Active Directory, Microsoft Entra ID, or Entra Domain Services domain joined VMs.

Profile Storage Location
SMB share (Azure Files or on-premise file servers) or Azure Page Blobs

Kasm Connection Credential Type
The Kasm Connection Credential Type for the Windows server must be Single Sign-on with Active Directory or Prompt User

Create a SMB Share

Proper permissions are required to ensure user profile isolation, prevent unauthorized access, and maintain system stability. This guide outlines the recommended NTFS and share permissions along with PowerShell commands for manual configuration.

For additional information, see Learn Microsoft - Configure SMB Storage Permissions

Create SMB Share and set Permissions

• Administrators: Full Control
• Domain Users: Change

$SharePath = "C:\FSLogixProfiles"
$ShareName = "FSLogixProfiles"

# Create the directory
New-Item -Path "C:\FSLogixProfiles" -ItemType Directory -Force

# Create the SMB share
New-SmbShare -Name $ShareName -Path $SharePath -FullAccess "Administrators" -ChangeAccess "Domain Users"

Configure NTFS Permissions

• CREATOR OWNER: Full Control (Subfolders and files only)
• Domain Users: Modify (This folder only)
• Administrators: Full Control (This folder, subfolders, and files)
• SYSTEM: Full Control (This folder, subfolders, and files)

# Disable inheritance and remove inherited permissions
$ACL = Get-Acl -Path $SharePath
$ACL.SetAccessRuleProtection($true, $false)
Set-Acl -Path $SharePath -AclObject $ACL

# Remove all existing permissions
$ACL = Get-Acl -Path $SharePath
$ACL.Access | ForEach-Object { $ACL.RemoveAccessRule($_) } | Out-Null

# Add SYSTEM - Full Control
$SystemRule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$ACL.AddAccessRule($SystemRule)

# Add Administrators - Full Control
$AdminRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$ACL.AddAccessRule($AdminRule)

# Add CREATOR OWNER - Full Control (Subfolders and files only)
$CreatorRule = New-Object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER", "FullControl", "ContainerInherit,ObjectInherit", "InheritOnly", "Allow")
$ACL.AddAccessRule($CreatorRule)

# Add Domain Users - Modify (This folder only)
$UsersRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain Users", "Modify", "None", "None", "Allow")
$ACL.AddAccessRule($UsersRule)

# Apply the ACL
Set-Acl -Path $SharePath -AclObject $ACL

Print Network Path

Print the network path of the SMB share. You will need this to configure FSLogix on the Windows VM.

Write-Host "Network path: \\$env:COMPUTERNAME\$ShareName"

Install FSLogix

On your Windows VM install and configure FSLogix.

$Archive = "FSLogix_latest.zip"
$Installer = ".\FSLogix_latest\x64\Release\FSLogixAppsSetup.exe"

# Download and extract installer
Invoke-Webrequest -Uri "https://aka.ms/fslogix_download" -OutFile $Archive
Expand-Archive -Path $Archive

# Run installer
Start-Process -FilePath $Installer -ArgumentList "/install /quiet /norestart" -Wait

# Replace with network path from above
$Hostname = "<replace-me>"
$VHDLocations = "\\$Hostname\FSLogixProfiles"

$RegistryPath = "HKLM:\SOFTWARE\FSLogix\Profiles"

New-Item -Path $RegistryPath -Force

# Add registry settings for profile container configuration
New-ItemProperty -Path $RegistryPath -Name VHDLocations -PropertyType string -value $VHDLocations -Force
New-ItemProperty -Path $RegistryPath -Name ProfileType -PropertyType dword -Value 3 -Force
New-ItemProperty -Path $RegistryPath -Name Enabled -PropertyType dword -Value 1 -Force
New-ItemProperty -Path $RegistryPath -Name DeleteLocalProfileWhenVHDShouldApply -PropertyType dword -Value 1 -Force
New-ItemProperty -Path $RegistryPath -Name FlipFlopProfileDirectoryName -PropertyType dword -Value 1 -Force
New-ItemProperty -Path $RegistryPath -Name LockedRetryCount -PropertyType dword -Value 3 -Force
New-ItemProperty -Path $RegistryPath -Name LockedRetryInterval -PropertyType dword -Value 15 -Force
New-ItemProperty -Path $RegistryPath -Name ReAttachIntervalSeconds -PropertyType dword -Value 15 -Force
New-ItemProperty -Path $RegistryPath -Name ReAttachRetryCount -PropertyType dword -Value 3 -Force
New-ItemProperty -Path $RegistryPath -Name SizeInMBs -PropertyType dword -Value 30000 -Force
New-ItemProperty -Path $RegistryPath -Name VolumeType -PropertyType string -Value vhdx -Force

For more information on FSLogix configurations, see Learn Microsoft - Configuration Setting Reference