Enable User layers
User layers persist user profile settings, data, and user-installed applications in non-persistent VDI environments.
You can enable User layers on an image template, and use the template to publish User layer-enabled images that you use to provision systems.
In most cases, when a user logs onto a desktop that is User layer-enabled, a new Search index database is created. This incorporates search information from the user layer and any elastic layers. The Search feature is only available when the indexing is complete.
You can enable the following types of User layers:
- Full - All of a user’s data, settings, and locally installed apps are stored on their User layer.
- Office 365 - (Desktop systems) Only the user’s Outlook data and settings are stored on their User layer.
- Session Office 365 - (Session hosts) Only the user’s Outlook data and settings are stored on their User layer.
The setting you select results in different types of layered images: those that persist all user data and setting, and those that persist Office 365 data and settings.
Requirements and considerations
Before enabling User layers, be sure to meet the requirements outlined below.
You can enable a Full User layer, an Office 365 User layer, or an Office 365 User layer. Full User layer includes everything that Office 365/Session Office 365 User layer saves, along with the settings and data for other applications.
Requirements for all User layers
When you enable User layers you need:
- Adequate network bandwidth. Bandwidth and latency have a significant effect on the User layer. Every write goes across the network.
- Enough storage space allocated for users’ data, configuration settings, and their locally installed apps. (This leaves the main storage location for packaging layers, publishing layered images, and serving up Elastic Layers.)
Requirements for Full User layers
- When using UPM with a Full User Layer you need to turn off the deletion of the user’s information on logoff. Depending on how you are deploying the settings, you can do this either via a GPO or through the policy on the DDC.
Requirements for Office 365 User layers
- You must use a profile manager, such as the Citrix User Profile Manager (UPM). Otherwise, Outlook assumes that every user who logs in is a new user and creates new OS files for them.
- The Office layer must be included in the image template and deployed in the layered image. However, you can use other Elastic layers with an Office 365 User layer.
- Microsoft Office is supported as an App layer in a published image only, not as an Elastic Layer.
- Any change to the default location of the search index files will not be preserved in the Office 365 layer.
- This feature has been tested for one desktop per user at a time (Single sign-on).
Full User layers are supported on the following platforms:
- Operating systems:
- Windows 7, 64-bit
- Windows 10, 64-bit
- Publishing platforms:
- Citrix Virtual Desktops
- VMware Horizon View
Applications supported on the User layer
Applications that a user installs locally on their desktop become part of the User layer.
Applications NOT supported on the User layer
The following applications are not supported on the user layer, and therefore should not be installed locally by the user:
- Enterprise applications: Certain enterprise applications, such as MS Office, MS Office 365, and Visual Studio must be installed in App layers, not as user-installed applications in the User layer. (User layers are based on the same technology as Elastic layers, and therefore share the same limitations.)
Applications with drivers that use the driver store. Example: a printer driver.
You can make printers available using GPO. See GPO-installed printers in the following section.
- Applications that modify the network stack or hardware. Example: a VPN client.
- Applications that have boot level drivers. Example: a virus scanner.
Windows updates must be disabled on the User layer.
Outlook Store add-ins
Store add-ins are disabled by Citrix UPM. The first time Outlook is run, the Store/Add-ins icon on the Ribbon Bar displays a window with a long list of add-ins. On subsequent logins, the Store/Add-ins icon displays a blank white window. If you installed add-ins during the initial login when they were available, the add-ins will appear on the Ribbon Bar on subsequent logins.
If a domain user logs onto a non-persistent Windows 10 machine that is joined to a domain and has User layers enabled, printers installed using GPO are listed in the user’s Devices & Printers, application printer settings, and Device Manager. You can create a GPO (User Preference) to deploy each network printer, and then assign it to the machine. When logged in as a domain user, verify that the printer is listed in Devices & Printers, Notepad, and Device Manager.
VMware Horizon View
View must be configured for non-persistent desktops, and the desktop must be set to Refresh at log off. Delete or refresh the machine on log off. Example:
After logging off with View set to Refresh Immediately, the desktop goes into maintenance mode. If there is only one machine in the pool, the pool will not be available until that machine has completed the refresh.
- The first time a user logs into his/her desktop, a User layer is created for the him/her.
- If there is problem loading the elastically assigned layers for the user, they will still receive their User layer.
- If you rename the user in AD, a new directory and User layer will be created for the new name. To avoid this, rename the directory on the file share and the VHD file in the directory structure to the new AD user name.
User layer location
When you enable User layers on a layered image, the data, settings and user-installed applications for each user are persisted between sessions.
When deploying with User layers enabled, you must add storage locations for those layers, rather than allowing user data to be saved on the appliance’s main file share. (The main file share is used for upgrading the App Layering software, serving up Elastic layers, and for manually moving files to platforms for which there is no connector available.)
The first storage location added to the appliance becomes the default location for User layers not associated with any other storage location. When you add more storage locations, they are listed in priority order.
You can assign Groups of users to each storage location that you add for User layers.
Where a User layer is stored when the user belongs to more than one group
If a user belongs to more than one group and those groups are assigned to different storage locations, the person’s User layer is stored in the highest priority storage location.
If you change the priority order of the storage locations that the user is assigned to after the person’s User layer was saved to the highest priority location, data saved up until that point remains in the original location. To preserve the person’s User layer, you must copy their User layer to the new highest priority location.
How to specify the User Layer file share location on a specific image
You can support a user who needs to access two separate images at the same time, where both images need the persistence of User layers, and both images are built from the same OS layer.
To configure User layer file share assignments:
- Include the following Registry key in the Platform layer or an App layer, or as a machine GPO in one or more of your published images before any user logs in:
This key, if it exists in the image before a user logs in, causes the appliance to ignore the User layer share assignments set in the appliance. Instead, all users on this machine use the specified share for User layer VHDs. The \Users subtree is appended to this key to locate the actual layers.
Where User layers are created on the appliance
On the appliance’s network file share, User layers are created in the Users folder. For example:
Each user has his/her own directory within the Users directory, named as follows:
- User’s login name: jdoe
- User’s Domain: testdomain1
- OS layer: MyOSLayer (ID is in hexidecimal format: 123456)
- User Layer would be created in:
Where users can access their User layer
When Full User layers are created, users can access the files in the following directory:
When Office 365 layers are created, the User layers directory is redirected to the Office 365 layer:
Add a storage location
To add a storage location for an image’s User layers:
Log into the management console.
Select System > Storage Locations. A list of file shares is displayed, with the exception of the appliance’s main file share.
Select Add Storage Location, and enter a Name and Network Path for the new location.
On the User Layer Assignments tab, expand the directory tree and select the check box(es) for one or more groups to add to the new storage location.
A list of file shares is displayed, with the exception of the appliance’s main file share.
On the Confirm and Complete tab, click Add Storage Location.
Once the storage locations are added, you must set security on the User layer fFolders.
Configure security settings on User layer folders
You can specify more than one storage location for your User layers. For each storage location (including the default location) you need to create a /Users subfolder and secure that location.
The security on each User layer folder must be set to the following values by a domain administrator:
|Setting name||Value||Apply to|
|Creator Owner||Modify||Subfolders and Files only|
|Owner Rights||Modify||Subfolders and Files only|
|Users or group:||Create Folder/Append Data; Traverse Folder/Execute File;List Folder/Read Data; Read Attributes||Selected Folder Only|
|System||Full Control||Selected Folder, Subfolders and Files|
|Domain Admins, and selected Admin group||Full Control||Selected Folder, Subfolders and Files|
To configure security on User layer folders:
Log into the management console.
Select System > Storage Locations. The file shares displayed are the storage locations defined for User Layers. For example, say you’ve defined three Storage Locations so that you can more easily manage storage for Group1 and Group2 separate from everyone else in the organization:
- Default location - \MyDefaultShare\UserLayerFolder\
- Group1 - \MyGroup1\Share\UserLayerFolder\
- Group2 - \MyGroup2\Share\UserLayerFolder\
Note: The appliance’s main file share, which is used for storing OS, App, and Platform Layers, is not listed as a User Layer Storage Location.
Create a \Users subdirectory under each file share:
Apply the security settings listed above to each subdirectory under \Users.
Move existing User layers to the new storage location
Copy each User layer storage location to its new location:
Make sure the User Layer is not in use.
If a user logs in before you move his/her User Layer, a new User Layer will be created. No data will be lost, but you will need to delete the newly created User Layer, and copy it to the new directory, ensuring that the user’s ACLs are preserved.
Browse to the directory containing the User Layer VHD file.
Using the following command, copy each of the User Layer VHD files from the previous location to the new one
xcopy Domain1\User1 Domain1_User1\ /O /X /E /H /K
Verify that all permissions are correct on the following directories, and files within them:
If you let users create new User layers
If you choose to let users create new User layers, you must manually clean up the original directories and files from your share.
Set the User layer size
The User layer size is set to a maximum of 10GB by default. You can change the maximum size, however, by defining a quota for the User layer share. If a quota is defined, the User layer will be configured to be a maximum of that size.
When using Office 365 User layers, the Outlook layer defaults to 10 GB, but Outlook sets the volume size based on the amount of free disk space and may use more or less space based on what is available on the layered image. The size reported is based on the layered image.
Set a quotas
You can set a hard quota on the User layer size using either of Microsoft’s quota tools: File Server Resource Manager (FSRM) or Quota Manager.
The quota must be set on the User Layer directory, meaning the one named Users.
Note: Changing the quota (increasing or decreasing) only impacts new User layers. The maximum size of existing User layers was previously set and will remain unchanged when the quota is updated.
Max size registry overrides
It is possible to over-ride the default User layer max size using the registry on managed machines. The following keys are optional and do not need to be configured for normal operation. If needed they must be added manually using a layer or a GPO/GPP.
Registry Root: HKLM\Software\Unidesk\Ulayer
|UseQuotaIfAvailable||String||True; False||True to enable discovery and use of quotas. False to disable.|
|DefaultUserLayerSizeInGb||DWord||User defined||The size of the user layer in GB (E.g. 5, 10, 23, etc.) When not specified the default is 10.|
|QuotaQuerySleepMS||DWord||User defined||The number of milliseconds to wait after creating the directory for the user layer before checking to see if it has a quota. This is necessary to give some quota systems time to apply the quota to the new directory (FSRM requires this). When not specified the default is 1000|
Customize User layer notification messages
When a user is unable to access their User layer, they receive a notification message.
User layer messages
User layer notification messages include the following. You can customize the first two of the messages, using the steps listed below.
User Layer In Use (customizable message)
We were unable to attach your User Layer because it is in use. Any changes you make to application settings or data will not be saved. Be sure to save any work to a shared network location.
User Layer Unavailable (customizable message)
We were unable to attach your User Layer. Any changes you make to application settings or data will not be saved. Be sure to save any work to a shared network location.
System not reset after user sign out
This system was not shutdown properly. Please log off immediately and contact your system administrator.
How to customize a message
You can customize notification messages as follows. Messages you enter can be in any language.
- Log into the management console as administrator.
- Select Add Storage Location if creating a new location, or Edit Storage Location if customizing messages for an existing location.
- In the Add/Edit Storage Location wizard, select the User Layer Messages tab and the Override check box.
- Enter the messages exactly as you want them to be displayed.
- Use the Confirm and Complete tab to save your changes.