As title says
I've tried linked clone floating Pool , linked clone with Persistent disk, Linked clone app volume over a couple of years now and there is always some kind of problem ,
Apparently there is an App volume update coming soon to fix this
Does it work well for anyone here at the moment and if so what is your setup?
Refer to the below blog to know more about Microsoft Onedrive and VMware Horizon. https://virtualblog.nl/2019/05/28/vdi-onedrive-windows-10/
Poom22
Yes, we have!
Our setup:
This setup works and is supported by Microsoft!
the "but..."
It only works when the VMWare Guest Introspection drivers are disabled or uninstalled. Which makes our TrendMicro DeepSecurity protection useless... (has nothing specific to do with TrendMicro I guess, cause I finally found a similar case with Kaspersky after searching for weeks: OneDrive freezes Explorer )
If the introspection drivers are installed and DeepSecurity protection is enabled on the VDI, OneDrive starts behaving very strange, sync hangs, onedrive.exe prevents users from logging of their desktop, ... so unusable.
Currently still searching who will be the best partner to contact for a quick solution: VMware or TrendMicro?
Hi! I‘ve been troubleshooting this with Trend Micro. The lock does not happen in the DSVA, so Trend Micro suspects that the lock is in the Guest Introspection appliance and want’s us to do a trace with VMware, so I would recommmend you to do the same.
With Agent based protection, Files OnDemand has worked fine on Horizon 7.9, Windows 10 1809 non-persistant VDI without any caching and App Volumes 2.15
KjellO
Thanks. I'll submit a SR with VMWare. Are you willing to share your SR number so I can reference it?
KjellO
Our partner has opened a support request with VMware (SR 20116382604). They collected logs yesterday and are now investigating those.
Hi! Due to the situation with COVID-19, I've not had the capasity to start troubleshooting with VMware, hope you find a solution!
/Kjell
This is the answer from VMware support. I don't have any experience with TrendMicro nor do I have access to it, so I'm not sure what they mean by this. Our partner will open a case with TrendMicro too.
“Possible root cause of the issue what you observing is because filter rules were not applied. Directory was not present when filter rules were applied.
We currently do not support applying filter rules by matching regular expression strings and Partners need to apply those filters at their end.
Since most of the paths had regular expression () (for all users) while attempting exclusion like follows:
2020-04-16T08:47:01.418Z| vcpu-1| I125: Guest: vsep: DEBUG: QueryCommandLine : Commandline: "C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe" /background
Some test that we can also perform is to install OneDrive on other location. For example - "C:\Users\OneDrive\
Could you please open a ticket with trend micro and request them to review the logs? I am requesting this as the actions performed by guest introspection are pushed by Trend Micro usually.”
We have been successful with this:
No issues other than Office365 or LibreOffice in an AppStack can't access the OneDrive folder when FOD is enabled. Both applications needed to be locally installed. Still investigating but it seems that the lock/meta file is the source of the issue... still digging.
I did need to create a script to add the hidden attribute to $RECYCLE.BIN folders. OneDrive FOD leaves these visible to users and caused some complaining.
Onedrive (with file-on demand) issue with App Volumes has been resolved in 2.18.2 release.
Please download it : Download VMware App Volumes
Evidence:
VMware App Volumes 2.18.2 Release Notes
Please mark the reply as helpful/correct if it address your issue.
Thanks Shreyskar
The release notes state this is occurring with writable volumes. I am not using writable volumes.
Are you stating that 2.18.2 also resolves the issue with OneDrive FOD and Office365 on an AppStack?
Thank you.
Hi RTrigger
The release note mentions about the fix that only applies if onedrive FOD breaks with writable volume.
However you can still test with appvolumes agent 2.18.2.
Unfortunately AppVolumes 2.18.2 did not resolve my issue in LAB.
I was able to use OneDrive Files On Demand with LibreOffice in an AppStack by adding the soffice.exe, swriter.exe and scacl.exe to "HookInjectionWhitelist" located in [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svdriver\Parameters].
Thats interesting about the introspection,thanks
They seemed to have fixed this in app volumes 2.18.2 FYI for anyone reading this thread
Hi,
Trend said the same about Guest Introspection not supporting regex-exclusions and that we should open a ticket with VMware, so you end up in cicles. VMware is investigating the OneDrive issues, so I hope they not send me back to Trend support :smileygrin:
As a backup solution, I've setup a VDI image with the Deep Security Windows Agent, and that is working much better, and with combined mode you could easily setup policies for the VDI's you want to use either Appliance based protection, or Agent based protection.
/Kjell
If you follow these steps you should be golden. Biggest thing is to get /allusers setup in the install. Also if you are entitled to FSLogix the office container makes things much easier when used with DEM.
Best Practices for Delivering Microsoft Office 365 in VMware Horizon 7 | VMware
and for FSLogics
Regards,
Would love to see a permanent fix from VMware on this. We're running agentless Deep Security Virtual Appliances in our environment, and on persistent VMs that utilize OneDrive, they're absolutely worthless. Deactivating their protection in DS resolves them, but, yeah that doesn't work out long term.
The agent protection on the VM as a workaround is a solid idea, but, hoping VMware comes back with a fix for the DSVA implementation. Was hoping to get away with upgrading VMware tools, but, no luck. Went to 11.0.6 and the issue remained. Ah well.
So we came across this issue in our persistent Windows 10 1909 image with Deep Security protection. Sure enough, if you disable the DSVA protection, all good. Naturally, that doesn't work. I see in this post that you mention using the "/allusers" switch should resolve that? Am I reading it right? We've tried that and it's still no go.
Steps in order:
With those steps, the OneDrive process starts but eventually hits that wall of processing where it just hangs explorer.
I should note we are NOT using App Volumes or RDSH. OneDrive is installed thick within the VM.
Thanks in advance.
-Ed
Hi,
You need to exclude files accessed by OneDrive, or you will experience these issues, but since Guest Introspection don't handle exclusions with wildcards, the exclusions don't work.
For example, with OneDrive you would like to exclude this path: C:\Users\*\OneDrive*\, and to make that work with Deep Security, you will need to install the Agent which handles wildcards without problem.
You could also raise the issue to VMware, perhaps if they get more SR they will figure out how to implement it in Guest Introspection.
Kind regards
Kjell Øyvind
Small update on our case:
Yesterday, I've created a new policy from scratch in DeepSecurity containing only the recommended exclusions for Horizon. I tested OneDrive with that policy and it worked! I couldn't believe it, so I tested again and again and again (setting a onedrive folder to keep offline and then setting the clear space for that folder again, so onedrive does a download and clears space is a good test I've noticed). It just worked. I then logged on with the same user to another desktop with the same DeepSecurity policy and it blocked immediately. Logged back on to the previous desktop and it still worked... Then I reverted back to the old Deep Security policy, and it kept working!? Tried again and again, but still it kept working. Just as I was about to notify our partner about this, it just stopped working... 😞
Our partner, who is communicating with Trend Micro about this, said they were close to a solution, so as soon as I have more information, I'll update this thread.
KjellO, I understand that excluding the OneDrive folder might be a solution (using the agent then), but I'm not sure I really want that. What if one user has malware on his onedrive?
Regards.