User Profile Management with Amazon's EUC Services


User profiles contain files and settings that are unique to each user and may need to roam, especially in non-persistent environments. This blog outlines solutions based on technical and user experience requirements.

Richard Spaven
Amazon Employee
Published Nov 4, 2024

Overview

Following on from Mark Homer's post on key persistence settings for Amazon WorkSpaces and Amazon AppStream 2.0, this blog outlines the solutions that can be chosen to meet your users' and organization's requirements.

What is in a user profile?

User profiles contain files and settings that are used by different applications and the operating system. User files are typically stored in the Documents, Pictures and Desktop folders; however, other folders may be included. Applications typically store data in the user registry hive and in the AppData folder; however, some may save settings and data in a custom location, requiring more advanced configurations. Custom scripting may be required to save that data to a different location, possibly with the use of Session Scripts. For non-persistent solutions, profile management is an essential architectural consideration. It may be as simple as a hard-coded setting, or it may require more advanced solutions that provide highly granular selective persistence whilst supporting applications that can be problematic.
There are different types of user profiles including Roaming User Profiles, Local User Profiles, Mandatory User Profiles and Temporary User Profiles. This blog focuses on Local and Roaming user profile solutions.

What is the structure of a User Profile?

By default, the local user profile is in the c:\users\%username% directory; however, in some circumstances the location can change, e.g. the d:\users\%username% directory for Amazon WorkSpaces Personal.
Most users are familiar with the Documents subfolder, which is the default destination for applications to save data. Desktop and Pictures are the other user file directories typically managed.
NTUSER.DAT is a file at the root of the profile that contains the user registry hive. The user registry hive is a commonly used per-user settings store for operating system and application settings.
AppData\Local, AppData\Roaming and AppData\LocalLow reside in the root of the profile. By design, AppData\Roaming is the location for applications to save data that should roam between user sessions. Local and LocalLow are directories for settings and data that persist locally only; however, the decision is down to the application developer and implementations vary. Per-user installed applications may end up in the Local or LocalLow directory.
There are other settings with more complex locations and configurations, such as the Windows Task Bar layout, which are covered in depth elsewhere and may require a more advanced solution.

Profile management challenges

Data size

Solutions that synchronize large amounts of data can impact login performance, or may hit support limits. This could be because the profile has a lot of files, or because an application uses large files such as CAD drawings and video editing files. Solutions include selective caching of frequently used files and the use of high IO file systems to store profile disks.

Unsupported files and applications

Microsoft Outlook caches and email archive files are only supported when loaded from a local file system. Users can experience performance and stability issues when using remote SMB mount solutions such as folder redirection or mapped network drives. Other challenging applications include Microsoft Teams and OneDrive, which, like Outlook, can download large amounts of data at login.

Roaming users

Non-persistent and multi-platform (e.g. laptop and DaaS) services require updated data and files to be available after login, without impacting login times. This allows users to make changes to a file or application and see those changes follow them to their next login, or when they operate from a PC.

Operating system upgrades

Profile management simplifies costly operating system upgrades and migrations by handling the data and settings out of the box. Some solutions handle the challenge with a migration function which, although it may take time, still takes the heavy lifting and user responsibility away, minimizing the risk of file loss.

Solutions

Amazon AppStream 2.0 and WorkSpaces Pools Home Folders

AppStream and Pools home folders synchronize data from a local VHD to an S3 bucket at login and at log off/session end. Home folders are limited to 1GB by default and, for login time reasons, it is recommended to keep the size to that limit. The solution will work across operating systems and fleets, but does not work outside of the service and has no granular settings to limit folders and file types. Home folders work for most workloads; however, the recommendation is that Outlook is placed in online mode to reduce login times. A common performance issue is that the AppStream 2.0 or Pools instance routes publicly to the S3 bucket. The solution is simple and built into the services.
Enable and Administer Persistent Storage for WorkSpaces Pools - Amazon WorkSpaces
Use Home Folders - Amazon AppStream 2.0

Amazon AppStream 2.0 Settings Persistence

Settings persistence handles folders such as AppData and the user registry hive. Settings and data are loaded at login and saved back at log off via a VHD file that is stored in an S3 bucket. Settings Persistence now supports 5GB of data, allowing a greater range of applications such as Microsoft Teams to be supported. If 5GB is not sufficient, then an alternative solution should be considered.
How Application Settings Persistence Works - Amazon AppStream 2.0
Amazon AppStream 2.0 increases application settings storage limit - AWS

Amazon WorkSpaces Pools Settings Persistence

Settings persistence handles folders such as AppData and the user registry hive. Settings and data are loaded at login and saved back at log off via a VHD file that is stored in an S3 bucket. Settings Persistence supports 1GB of data, allowing a greater range of applications such as Microsoft Teams to be supported. If 1GB is not sufficient, then an alternative solution should be considered.
Enabling application settings persistence - Amazon WorkSpaces

Amazon WorkSpaces Personal User Disks

Amazon WorkSpaces Personal user disks are built into the service and are seen as the D drive of a WorkSpace. The disks are snapshotted every 12 hours and provide a performant, scalable solution that can be restored from the AWS Console. The disks support challenging applications due to the persistent nature of the service. Outlook caches, archives and Teams work without extra configuration. User disks do not copy to WorkSpaces Pools, nor to any other service. If dynamic roaming, or more granular RTO/RPO recovery, is required, then an alternative solution should be considered.
Amazon WorkSpaces provides a migrate function which moves the profile directory to a new destination, such as a new operating system or a new image, whilst charges are pro-rated for the month.
Amazon WorkSpaces migrate - Best Practices for Deploying WorkSpaces

Roaming Profiles

Roaming profiles synchronize user files and data to an SMB file share at login and logoff. The setup is simple and built into Active Directory; however, large profiles and files can cause login slowdowns. Folder exclusions can be used, particularly when there are problematic applications that cause apparent corruption. Roaming profiles are dynamic and work across solutions; however, problems can occur across operating systems. Common problems include users experiencing temp profiles, applications not supporting roaming profiles, and login performance.

Folder Redirection

Folder redirection is configured with Microsoft Active Directory Group Policy and mounts user data folders, such as Documents, on an SMB file share. When initially configured, folder redirection can move files from the local drive to a file share. Folder redirection works across operating system versions; however, it can be problematic when used with folder syncing from systems that go offline and away from a file server, e.g. a home laptop. Files that are unsupported when mounted on a file share, e.g. Outlook caches and archives, can cause application freezes and data corruption. Folder redirection works across Amazon EUC services, and in hybrid solutions with DFS.

Cloud File Services e.g. OneDrive and Google Drive

The proliferation of cloud file services, e.g. Microsoft OneDrive, Google Drive etc., has provided users with a multi-platform service for accessing files, whether on a PC, Apple Mac, iPad, iPhone or Android OS. The services work out of the box on persistent DaaS solutions such as WorkSpaces Personal; however, non-persistent services need care to avoid file download storms during login.

Third Party Profile Management

Third party profile management solutions can selectively persist application and operating system settings, as well as support the challenging applications that the other solutions cannot handle. Microsoft FSLogix, Liquidware Labs ProfileUnity and Ivanti are some of the major products. Citrix and Horizon have capabilities that work with Amazon WorkSpaces Core in an AWS or hybrid architecture; however, they only work within their vendor's overall solution. The solutions support items such as Outlook caches and archives as well as cloud file caches, preventing download storms, and can configure complex items such as task bar layouts.
Advanced Profile Management requires SMB storage in the same region to ensure low latency and minimize login times. Customers typically use FSx for NetApp ONTAP to store containers to ensure enough IO for peak periods.

Conclusion

The correct profile management solution is best found by going from the simplest to the most complex, with each ruled out by hard requirements. An ISV using Amazon AppStream 2.0 may be able to use no profile management and use session scripts for dynamic configuration. Assess the profile size, user experience, file offloading options and application requirements first before jumping into Advanced Profile Management.
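
To put numbers on the profile size assessment, the following PowerShell script (an added example, not part of the original post or any AWS tooling) measures the profile locations described earlier and compares them with the size limits quoted in this post. Comparing Documents/Desktop/Pictures with the Home Folders limit, and AppData plus NTUSER.DAT with the Settings Persistence limits, is an assumption made for estimation; the exact inclusion rules of each service are in the linked documentation.

```powershell
# Added example: estimate whether a local profile fits the limits quoted in this post.
param([string]$ProfilePath = $env:USERPROFILE)   # D:\Users\<name> on WorkSpaces Personal

function Get-FolderBytes([string]$Path) {
    # Sum file sizes under $Path; a missing folder counts as 0, unreadable items are skipped.
    if (-not (Test-Path -LiteralPath $Path)) { return [long]0 }
    $m = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
         Measure-Object -Property Length -Sum
    return [long]$m.Sum
}

# Assumed grouping: user-file folders vs. settings locations named in the post.
$rows = foreach ($rel in 'Documents', 'Desktop', 'Pictures',
                         'AppData\Roaming', 'AppData\Local', 'AppData\LocalLow') {
    [pscustomobject]@{
        Group = if ($rel -like 'AppData*') { 'Settings' } else { 'UserFiles' }
        Item  = $rel
        Bytes = Get-FolderBytes (Join-Path $ProfilePath $rel)
    }
}
# NTUSER.DAT (the user registry hive) is hidden, so -Force is required.
$hive = Get-Item -LiteralPath (Join-Path $ProfilePath 'NTUSER.DAT') -Force -ErrorAction SilentlyContinue
$rows += [pscustomobject]@{ Group = 'Settings'; Item = 'NTUSER.DAT'; Bytes = [long]$hive.Length }

$total = @{}
foreach ($g in 'UserFiles', 'Settings') {
    $total[$g] = [long]($rows | Where-Object Group -eq $g | Measure-Object Bytes -Sum).Sum
}

# Limits as stated in the post.
$checks = @(
    @{ Name = 'Home Folders (1GB default)';                  Group = 'UserFiles'; Limit = 1GB },
    @{ Name = 'AppStream 2.0 Settings Persistence (5GB)';    Group = 'Settings';  Limit = 5GB },
    @{ Name = 'WorkSpaces Pools Settings Persistence (1GB)'; Group = 'Settings';  Limit = 1GB }
)

$rows | Sort-Object Bytes -Descending |
    Format-Table Group, Item, @{ n = 'MB'; e = { [math]::Round($_.Bytes / 1MB, 1) } } -AutoSize
foreach ($c in $checks) {
    $used = $total[$c.Group]
    '{0,-46} {1,10:N0} MB  {2}' -f $c.Name, ($used / 1MB),
        $(if ($used -le $c.Limit) { 'fits' } else { 'EXCEEDS LIMIT' })
}

# Outlook caches and archives: the post notes these are only supported from a local file system.
Get-ChildItem -LiteralPath $ProfilePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.ost', '.pst' } |
    Format-Table FullName, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } } -AutoSize
```

Run it against a representative user's profile before choosing a solution; any `.ost` or `.pst` files it lists are the ones that need local or container-based storage rather than an SMB mount.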
 

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
