Introduction to FSLogix

FSLogix is a profile management solution used to apply personalization to user sessions for application and desktop virtualization technologies such as Citrix and Microsoft Azure AVD (Azure Virtual Desktop) and enable “roaming profiles”. It used to be common to copy a profile to and from the network when a user signs in and out of a remote environment. Because user profiles can often be large, sign in and sign out times often became unacceptable. FSLogix is used as it reduces user logon times by offloading user profiles to a VHD(X) file and redirect a user’s data and settings to a centralized share repository and attach to those VHD(X) disks at logon.

Figure 1: How FSLogix works

Mounting and using a profile on the network eliminates delays often associated with solutions that copy files. FSLogix used to have several solutions, all based on a single agent (filter driver). Acquired by Microsoft in 2018, the technology has now been tightly integrated within the Microsoft Portfolio. Most importantly for RDS/VDI and cloud digital workspace deployments, they offer Profile Containers and Office 365 Containers. The FSLogix agent driver sits as a filter driver on the file system. On a remote file server, for each user a VHD(X) is created. This VHD(X) is attached for each user when the user signs in. A separate VHD is used for the Profile container associated with a user, to the Office container, and either one or both may be implemented. Microsoft has some easy-to-read documentation on the architecture of FSLogix that covers details of the filter driver, see FSLogix for the enterprise – Azure Architecture Guide | Microsoft Docs.

Profile Containers

These redirect pretty much everything in the user profile to the VHD, although some exclusions of temporary data are made (see: excluded) and are used to implement non-persistent desktops. This has a significant impact on logon times, because instead of having to create the profile and such like with solutions from Ivanti, the profile only has to be attached. This can take logons down from > 30 secs to figures as low as 7-8 seconds in total. It also takes away the horror of managing profile settings, you just store everything. It also mitigates the issues that EUC (End User Computing) veterans remember which used to be common, associated with network or roaming profiles, which resulted in longer copy times and profile corruption. Solutions such as FSLogix have made this type of issue largely a thing of the past.

Figure 2: How FSLogix profile container works

A failure or slowdown to attach FSLogix VHDs (Virtual Hard Disks) has a significant impact on logon times, and it is a key part of the user experience that needs to be captured for every user logon and proactively monitored for any signs of a decrease in performance.

Office 365 Containers

These are not that different to Profile containers, in fact they are essentially a subset of full Profile containers, as they only deal with the part of the user profile associated with Microsoft 365 office applications instead of the entire profile. FSLogix also implements some significant intelligence specific to Office 365 which helps with things like outlook indexing, cached address book and alike. FSLogix Office Containers can also be used when users are using an alternative Profile Container management solution to FSLogix itself (e.g., Ivanti). Given the nature of the data associated with Office 365 applications e.g., email accounts for Outlook, the VHDs associated with Office 365 containers can be large and need to be monitored. Some history on the need for Office containers is given in Kasper Johansen’s blog: Why is FSLogix O365 Container essential when using Office 365? –

Figure 3: How FSLogix O365 container works

Some users will choose to implement both Profile and Office containers using FSLogix, see Profile Container vs. Office Container – FSLogix | Microsoft Docs for an overview of this strategy. This can offer benefits in environments such as AVD (Azure Virtual Desktop) deployed on Microsoft Azure, particularly because of the options it enables to control IOPs and costs, including:

  • IOPs and Storage savings
  • HA/DR (High Availability/Disaster Recovery) and Backup exclusions

HA/DR and Backup exclusions: Within a cloud digital workspace, office data is cached data, maintained locally, with the original data secured within Office 365. Backups, HA (High Availability) and DR (Disaster Recovery) cost money with clouds such as Azure and since the definitive master data is already protected in Office 365 such operations are usually redundant. Office 365 containers allow users to reduce costs. In the event of a failure or data loss, a new office profile can always be created, and it will get synchronized to the Office 365 cloud. Excluding the Office profile from Azure backup or snapshots can reduce costs and this practice is widespread.

IOPs and Storage savings: When rationalizing the costs of IOPS, users sometimes choose strategies such as hosting the user profile on standard file storage whilst implementing their Office profile on Azure Premium files or premium third-party storage such as Azure NetApp Files with high IOPS throughput. This can have some benefits when deploying AVD users at scale by balancing the performance benefits against the cost implications of premium storage in a targeted manner.

Monitoring and optimizing the costs and IOPs performance is critical to ensure success with FSLogix and for eliminating bottlenecks. Unlike traditional profile distribution mechanisms large profiles should not impact logon performance, however it is also important to continually monitor your IOPS and review FSLogix profiles particularly real-user data in scenarios where there may be a logon storm at the start of an office day, after lunch logon and call center or healthcare shift change.

In particular, the ability to investigate and correlate the actual application usage of users of Office 365 applications is especially important as applications like Teams can lead to excessive profile bloat and storage costs. A full overview of considerations around Teams is covered by James Rankin in his article: QuickPost – how to stop FSLogix Profile Containers bloating when running Microsoft Teams – JAMES-RANKIN.COM. Office 365 and Teams application monitoring are available alongside real-user experience monitoring in eG Enterprise to enable you to assess the impact of any optimization you make around FSLogix.

FSLogix – The Impact on Login Times

Adopting FSLogix makes it an intrinsic part of the logon process and the time it takes to attach and load profiles will influence the time it takes a user to log on and get access to their applications. Problems with profile loading and any associated attached storage etc. will impact availability. As such it is essential to capture key metrics, logs and events associated with FSLogix for every user logon to identify slowdowns and potential issues. Long term, the data from eG Enterprise can help you determine how to configure what should be included or excluded from the Profile Containers to optimize the logon process.

Changes in 2022 as to whether FSLogix processed GPOs (Group Policy Objects) synchronously or asynchronously had a widely discussed impact on Citrix logon times, as discussed in an article by James Kindon, see FSLogix Synchronous Processing ( Workarounds are discussed by James Rankin, see: Make Citrix logons use asynchronous user Group Policy processing mode – JAMES-RANKIN.COM.

How to Troubleshoot FSLogix Containers

Typically, logs are used to record significant events associated with FSLogix and troubleshooting or diagnosis of issues requires an admin to examine these logs. Microsoft documentation: FSLogix Logging and Diagnostics – FSLogix | Microsoft Docs covers basic information on how to investigate issues using native tools.

For those looking to collect and parse the FSLogix Apps Event Log within an Azure / AVD context, there is a useful guide from Microsoft’s Billy York describing how to use Log Analytics and Kusto queries to get such data: see: Collect and Parse FSLogix Event Log – Cloud, Systems Management and Automation (

Unfortunately, parsing logs is a manual process and whilst custom scripts can semi-automate this process and check for concerning log entry there is no out-of-the-box solution, and the information remains uncorrelated to data about the configuration and performance of the underlying infrastructure such as network throughput and storage IOPS. David Pisa has written on xenappblog about a community tool he has developed to probe FSLogix data, which may be useful to those looking to do similar, see: FSLogix Monitor – xenappblog. Some of the challenges of approaching such a home-grown solution are described on the Microsoft Q&A site, see: Monitoring Approach for FSLogix – Microsoft Q&A.

By default, for AVD, FSLogix logs are only retained and available for 7 days and some installers may set it to 2 days, many of our customers use eG Enterprise to enable longer term capacity planning, auditing, and performance baselining. Unlike many other monitoring products FSLogix data and all logon data is collected routinely by process and is always available within the core product without the need for custom scripting or poking around a user’s session manually.

FSLogix is just one of the virtualization features eG Enterprise supports within a framework of over 200+ technologies to provide comprehensive end-to-end proactive monitoring and historical reporting and auditing out-of-the-box alerting thresholds and root-cause diagnostics will continually check your entire IT (Information Technology) application and infrastructure landscape without the need for unsupported bespoke scripting skills or KQL (Kusto Query Language) tooling. Data is presented in help desk and administrator friendly dashboards and topology visualizations.

Below I will cover some specific examples of what eG Enterprise offers for FSLogix monitoring and troubleshooting, without trawling the native logs:

Ten Ways in Which eG Enterprise Helps Monitor and Troubleshoot FSLogix

1. How to find out if a profile has failed to attach and why

If troubleshooting manually, Microsoft advise using the diagnostic logs and comparing the current values of Status, Reason, and Error to the documentation here. A Status code of 0 = STATUS_SUCCESS coupled with a Reason code of 0 = REASON_PROFILE_ATTACHED indicates that the FSLogix Container is attached and working for this user. If a problem has occurred, the Error code field will usually contain more specific information (using standard Windows error codes) regarding the failure e.g., 3 = ERROR_PATH_NOT_FOUND or ERROR_SHARING_VIOLATION 32 (0x20) (The process cannot access the file because it is being used by another process).

In the event of a Status other than STATUS_SUCCESS, the Reason code is only occasionally set to a more informative value and usually takes the undocumented value STATUS = 5 (REASON_UNKNOWN). Occasionally the Reason will be set to a value between 1 and 4 that is more informative. However, most of the time, the real error diagnostics will be in the Error code.

Out-of-the-box eG Enterprise continually collects metrics, events, logs, and errors and probes the Status, Reason and Error codes. If a problem is found an alarm is triggered notifying the administrator and deeper diagnostic information collected and made available – e.g., the path to the VHD(X) that was used to try to attach the disk is not accessible.

Figure 4: Here an FSLogix container has failed to attach in an AVD (Azure Virtual Desktop) environment triggering an alarm to the eG Enterprise system. The detailed diagnostic icon (the magnifying glass) can be clicked on to investigate deeper.

Figure 5: On clicking to detailed diagnostics, we find details of the attach failure indicating that there was an error accessing the VHD(X) disk, details of the error 32 (0x20) = ERROR_SHARING_VIOLATION – “The process cannot access the file because it is being used by another process.” are provided

FSLogix Profile VHD(X) Attach – Troubleshooting Tip

  • Check you have a valid file system location in the ‘VHDLocations’ setting?
  • Check the user has appropriate permissions to the VHD(X) file on the file server
  • Check the user a member of the local FSLogix Profiles Include group and NOT a member of the FSLogix Profiles Exclude group?

2. What type of profiles are in use?

A Profile Container is configured for multiple connections using ProfileType when configuring Profile Container ProfileType is set to 0, 1, 2 or 3. You can easily check via the eG Enterprise interface what the profile type is. In practice for Citrix and similar deployments, the profile type is usually 0 (Normal / Default) or 3 (Attempt Read/Write Fall Back Read Only). Information on profile types is available in: Supporting concurrent connections and multiple connections with Profile Container – FSLogix | Microsoft Docs.

Figure 6: Here an Office Container is being monitored which has successfully attached. You can see the profile type is Normal, that the application service is running and so on.

3. Is the FSLogix disk nearly full?

eG Enterprise proactively monitors the FSLogix disk usage (%) of your containers and raises alerts as they near capacity, allowing you to resolve capacity issues before they impact on your users.

Figure 7: Multi-level alerting is set out of the box to raise alerts when the FSLogix disk is 95% full or higher; a Minor alert at 95%, Major at 97% and Critical at 99%.

4. Instant alerting if FSLogix profile loading is causing user logons to be slow

Out-of-the-box alert thresholds are also configured for key parameters such as the “FSLogix profile load duration (Seconds)” metric. These thresholds can be adjusted by the administrator to reflect the specific usage of profiles within their organization and beyond this the dynamic AIOps (Artificial Intelligence for Operations) powered auto-tuning capabilities of eG Enterprise can be used to learn the seasonal, day-of-the-week and time-of-day normals for the system under realistic loads enabling automated anomaly detection.

Slow logons can manifest themselves as a black screen at login and are often associated with an issue with a File Server or storage. There are many user descriptions of how this may appear to the end user on both the Microsoft support forums and the Citrix support forums, alongside tips for resolving such issues.

Figure 8: The out-of-the-box thresholds that trigger alerts for FSLogix loads can be viewed by help desk staff and tuned and adjusted by administrators with bespoke needs – an FSLogix failure code or an excessive ” FSLogix profile load duration” time occurs

5. Checking if the ‘Enabled’ setting has a value of ‘1’?

A common user error as described in Microsoft’s troubleshooting guide “Profile Container trouble shooting guide“, is to have misconfigured the container as disabled, to be enabled a flag must be explicitly set in the “Profile Container Registry Settings” as detailed in Configure Profile Container Tutorial – FSLogix | Microsoft Docs. eG Enterprise explicitly exposes this information to the administrator (see: Figure 6 above) to allow an instant sanity check of this and other key configuration settings.

Note: You will also be able to monitor the value of “Is allow concurrent user session?” corresponding to the ConcurrentUserSessions setting in FSLogix. This is a parameter that has caused much confusion and for most users it is likely its value has never made a difference or been relevant in Citrix environments. For an excellent explanation of this, see Mike Streetz article: FSLogix and the ConcurrentUserSessions Controversy (

6. How to understand FSLogix disk usage?

Within the eG Enterprise console, you can easily examine the disk usage of a container alongside key information such as whether the VHD(X) used is “dynamic”. Understanding how FSLogix manages disk space is essential to optimizing your storage costs and usage. Given that the default disk size for FSLogix is 30GB and whilst dynamic disks will expand as needed, space is not reclaimed as data is deleted (usage is “high waterline”). Microsoft support covers a lot of useful information within their articles, My storage is running out of space because of FSLogix! – Microsoft Tech Community.

The data and overview of FSLogix usage across all users within eG Enterprise will allow you to long term plan for optimized disk sizing for FSLogix.

Figure 9: Here we see a “dynamic” VHD(X) is being used on a Profile Container and the metrics for the disk usage are instantly available.

7. Is there a problem with the storage the FSLogix Container resides on?

Storage performance and availability is critical for FSLogix. The Microsoft article, “FSLogix for the enterprise – Azure Architecture Guide”, provides insights on designing, sizing, and implementing a Microsoft FSLogix Profile Container solution for large enterprises. This article also shows how to avoid performance problems in production. eG Enterprise supports all major storage and networking solutions both on-premises and within clouds such as Azure allowing you to proactively monitor and review your connectivity, resource usage and bottlenecks. Key metrics such as capacity, network bandwidth and throughput and IOPS are monitored along with numerous other metrics, events and logs that will diagnose problems with the storage you use for your FSLogix VHD(X) Containers.

Figure 10: In this case the FSLogix disks were hosted upon Azure storage.

Figure 11: Thresholds are set out of the box to alert if any key storage metrics are of concern on appropriate timescales. Note: in the case of some metrics this is based on dynamic “auto” levels, tuned by the eG Enterprise AIOPs (Artificial Intelligence for Operations) engine to learn what is normal for this storage component.

8. Non-domain expert friendly views and guidance for L1 / L2 help desk

eG Enterprise is designed to be easy to use by non-domain experts including those in frontline L1 / L2 roles. Minimal understanding of FSLogix is needed to understand any alarms triggered as all the thresholds and metric limits used to monitor components are available to the help desk operator alongside eG Enterprise’s comprehensive built-in “Knowledge Base” which explains every metric, log and event checked and the associated alarms, reasons for triggering, potential fixes, and other parameters to check. You can read more about how eG Enterprise features can optimize help desk functions to reduce unnecessary escalations and escalations routed to the wrong IT team in Empowering IT Help Desks with IT Service Monitoring.

Figure 12: The built-in eG Enterprise Knowledge Base for FSLogix is continually available from the console so non-domain experts can access information on FSLogix and understand alerts without using Google Search or trawling FSLogix Documentation

Figure 13: The built-in eG Enterprise Knowledge Base for FSLogix explains alert thresholds, metrics, logs, and errors alongside clear explanations of how they relate to the performance and availability and impact users. Information on further investigations and practical solutions designed for the non-domain expert is available to frontline support staff.

Figure 14: A real user experience drilldown dashboard for each and every login is available for frontline triage help desk workflows including all elements of the log on experience including alerts pertaining to FSLogix issues.

9. Understanding real-user application usage to rationalize costs

James Rankin has detailed rolling out FSLogix at scale in conjunction with Office 365 and applications such as Teams can be costly especially if using premium storage to optimize the user experience. In practice, in many large organizations’ there can be a surprisingly large numbers of users who rarely or never use their cloud digital workspaces or VDI (Virtual Desktop Infrastructure) desktops and / or rarely use the Office 365 apps such as Teams available to them. eG Enterprise’s comprehensive O365 and Teams monitoring, and reporting will enable you to audit your resource usage and make cost-saving decisions such as the use of premium storage based on real user needs and the actual benefits gained.

Figure 15: eG Enterprise will reveal your most active O365 users and the applications they use.

10. Synthetic testing of user logon on times

eG Enterprise includes a full suite of synthetic tools including logon simulators and full-session simulation. Using these “robot users” can periodically log on to probe the system for problems before real users encounter them. With full-session simulations these robot users can open applications and use them to test beyond logon the user experience when an application such as Teams is opened and started. This type of workflow is used quite heavily by our customers deploying FSLogix Office Containers in particular.

Figure 16: The eG Enterprise Simulator Dashboards for AVD (Azure Virtual Desktop) includes FSLogix Alerts – in this case the alerts show that profile containers failed to attach and the detailed FSLogix data in the top right of the dashboard is unavailable. When access to the disks is available FSLogic disk usage data is added to this dashboard.


Long term monitoring and auditing your FSLogix usage can help you make capacity planning decisions and performance optimizations. To understand more about what you may wish do, you might like to explore Aaron Parker’s articles, see: A Practical Guide to FSLogix Containers Capacity Planning and Maintenance | Aaron Parker ( and Ray Davis’ blog, see: How to Prune a FSLogix Profile.

Try for yourself

If you would like to out eG Enterprise to monitor FSLogix Containers within the context of your entire virtualized environment, eG Enterprise is available as a SaaS-based service or an on-premises solution and is suitable for multi-tenant MSP (Managed Service Provider) environments and we have a Free Trial available.

Learn More: