How to use ProfileUnity with PCs and Windows 365 Cloud PCs

What’s up, everyone!

Welcome to the third post about Liquidware ProfileUnity. Make sure to check out my previous posts for an introduction to what ProfileUnity is and how to set it up to manage user profiles for various scenarios on Azure Virtual Desktop.

In this post I will explore how to manage user profiles using Portability settings on Windows 365 Cloud PCs and, by extension, Windows 11 based computers. Let’s add another option into the mix by storing the user profile settings in an Azure storage account and using Global Secure Access to enable secure access to the license server. Enjoy!

The series:

I want to send a big thank you to my friends at Liquidware for allowing me to set up a demo environment!

Enjoy!

Preparing the Azure storage accounts

If you followed along in the second post, you might remember that we used two locations: the Netlogon share to save the configuration settings and a file share to store Portability settings. The same principle applies if you want to save your settings in Microsoft Azure.

We need to create two storage accounts:

  1. A storage location for the console configuration; this will contain the clientsettings.xml and the .ini file.
  2. A storage location for the Portability settings; this will contain the actual Portability files for each user.

The process of creating the storage accounts is the same for both, so I will only demo the Portability settings account.

Besides Microsoft Azure, you can also use:

  • Amazon Simple Storage Service (S3)
  • Google Cloud Storage

There are a couple of things to be aware of when selecting cloud storage. For example, you cannot use ProfileDisks on cloud storage. Liquidware prepared the following overview:

Let’s go ahead and create the storage account in Azure.

Tip: only use lowercase letters. Storage locations in Azure are case sensitive, so sticking to lowercase may prevent issues later on. You’ll see in this post that I used capital letters as well, and it caused me some issues.

From the Azure portal:

  • Search for Storage Accounts.
  • Click + Create.
  • Give the storage account a name, select the region and make sure to select Azure Blob Storage as the primary service.
  • Feel free to review other settings and change them as desired.

We will need to create a container in the storage account. From the storage account:

  • Data storage, Containers.
  • Click the + Container button.
  • Enter a name for the container. I used portabilitysettings.
  • Make sure the access level is set to private.

Access to the storage account will be granted using an access key. From the storage account:

  • Go to Security + networking.
  • Select Access Keys.
  • Make sure to save the storage account name, key and connection string somewhere safe. These details are needed when settings are configured in the ProfileUnity console.

Now repeat the process to create a storage account for the console settings.

Somewhere down the line our Cloud PCs will make use of the ProfileUnity client, and it should be able to read (not change) the settings in the console configuration storage account. Follow these steps to configure read-only client access to the console configuration storage account. From the Azure portal:

  • Select Security + Networking.
  • Select Shared access signature.
  • Allowed services: Blob
  • Allowed resource types: Service, Container, Object.
  • Allowed permissions: Read, List.
  • Configure the end date. Liquidware recommends using 5 years.
  • Click the Generate SAS and connection string button.
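As an added example (my own Az PowerShell, not from the post or from Liquidware), here are the portal steps above scripted for the console configuration storage account: the account itself with anonymous blob access turned off, a private container, the access key and connection string for the console, and a read-only, list-only Blob SAS with the 5-year expiry. Resource group, region and account name are placeholders; run it a second time for the Portability settings account, which only needs the key, not the SAS.

```powershell
# Added example, not Liquidware's code. Requires the Az.Resources and Az.Storage
# modules and a prior Connect-AzAccount. All names below are placeholders.
$ResourceGroup  = 'rg-profileunity'      # placeholder
$Location       = 'westeurope'           # placeholder
$StorageAccount = 'pusettingsdemo'       # placeholder; lowercase only, 3-24 characters
$Container      = 'puconfiguration'      # container name used in the post

New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null

# Storage account: Blob as the service, no anonymous blob access, TLS 1.2 minimum.
$sa = New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
        -Location $Location -SkuName Standard_LRS -Kind StorageV2 `
        -AllowBlobPublicAccess $false -MinimumTlsVersion TLS1_2

# Private container: -Permission Off means no anonymous access at all.
New-AzStorageContainer -Name $Container -Context $sa.Context -Permission Off | Out-Null

# Account key and connection string: these go into the ProfileUnity console (read-write).
$key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$connectionString = "DefaultEndpointsProtocol=https;AccountName=$StorageAccount;AccountKey=$key;EndpointSuffix=core.windows.net"

# Read-only account SAS for the client: service Blob, resource types
# Service/Container/Object, permissions Read + List, HTTPS only, 5-year expiry.
$sasToken = New-AzStorageAccountSASToken -Context $sa.Context -Service Blob `
        -ResourceType Service,Container,Object -Permission 'rl' -Protocol HttpsOnly `
        -StartTime (Get-Date) -ExpiryTime (Get-Date).AddYears(5)

# The Blob Service SAS URL asked for in the guided setup (token already starts with '?').
$blobSasUrl = "https://$StorageAccount.blob.core.windows.net/$sasToken"

[pscustomobject]@{
    StorageAccount   = $StorageAccount
    ConnectionString = $connectionString   # store securely, grants read-write
    BlobSasUrl       = $blobSasUrl         # read/list only, for the client
}
```

Keep the connection string and the SAS URL apart in whatever secret store you use: the first grants full read-write on the account, the second only the read and list rights the client needs.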

Now that we prepared the storage environment in Azure, it’s time to…

Configure Portability settings

Let’s add both storage accounts to ProfileUnity. Sign into your server and open the ProfileUnity console:

  • Hover over the user icon and select Administration.
  • Under Cloud storage, click Add Cloud Credentials.

Give the cloud credentials a name. Let’s start by adding the storage account that holds the console settings. 

  • I chose the name Azure Console settings.
  • Make sure to select Microsoft Azure as the Cloud Storage Provider.
  • Provide the name of the Storage Account; optionally you can also add the name of the container. In my environment it’s called puconfiguration.
  • Paste the storage account key that corresponds with this storage account.

Click save:

It’s a good idea to add the second storage account for Portability settings while you are in this window. You can also choose to add the storage account during the guided setup, which you can see later on in this post.

Let’s start by enabling Portability settings for Cloud PCs, stored on Blob storage:

From Configuration Management:

  • Click the red Create button.
  • Select Guided setup or create a manual configuration. I will just go with the guided setup.
  • Select the correct template to get started: Windows 10, 11, 2016, 2019 or 2022 Profiles Stored Azure Blob Storage.

We need to provide console credentials and enter the storage path. We can simply use the credentials we entered earlier by selecting Azure console settings from the drop-down menu. Also add the Blob Service SAS URL for read-only access.

I recommend validating the configuration. Everything should check out:

Continue to the next step and configure the cloud storage location for the Portability settings. Make sure to end with %username% so each user receives their own folder.

The guided setup now presents the GPO section but we can skip this in our scenario.

Finish up by deploying the Configuration to the storage account:

Here is what the result looks like on the storage account:

That concludes the guided setup to configure Portability settings stored on Azure Storage Accounts.

Deploying the client and settings using Intune

Now it’s time to find out how to deploy the client and the configuration to our Cloud PCs. We can use the following method:

  1. Download the installation script from Liquidware’s GitHub.
  2. Edit the script variables so it will work for your environment.
  3. Wrap the client and upload it to Microsoft Intune for deployment.
  4. Make sure the ProfileUnity client can connect to the license server.

Step 1: Download the script.

Here is the download link on GitHub

Step 2: Edit the script variables so it will work for your environment.

Open the script in your favorite editor. I recommend reading through the script to get a good understanding of what it does. Make sure to change a couple of values for your environment:

  • $UserINIPath: change the value to the correct path. In my environment it’s AZ://pusettings/INI
  • $LicenseServerConnectionString: Copy the details from the ProfileUnity console. The method is explained in the script. Once you click the copy icon, you will get an encrypted version of the connection string. 
  • $AzureStorageCredentials: provide the encrypted details of the blob service SAS URL with read-only rights. I will show how that is done below.
  • Optionally you can exclude local accounts in the script. Cloud PCs have the local admin account disabled by default. But you can actually enable them and use LAPS to manage the name and password. 

Here is a screenshot of the silent installation script:

Let’s get back to getting the encrypted details of the Blob service SAS URL. From the ProfileUnity console, hover over the user icon and select Administration. Locate the Cloud Storage section and click the copy icon next to the storage account that holds the Portability settings:

In case you just went “Hey, what’s going on here?”, let me explain a bit more:

ProfileUnity will create an encrypted copy of:

  • The Portability storage account name along with the key (read-write access).
  • The SAS key of the settings storage account (with read-only access).

This encrypted copy will be stored in the registry on the client. The client will now have read access to retrieve the configuration and read-write access to the Portability storage account to save the Portability settings.

If you accidentally copied the wrong set, you can easily fix that yourself on the client. Create the correct set of credentials and copy it to the following registry location on your client. Give the (Cloud) PC a reboot to make sure the settings take effect:

Back to the configuration process. The only thing that is left is to save the file and move on to…

Step 3: Wrap the client and upload it to Microsoft Intune for deployment.

Use the Microsoft Win32 Content Prep Tool to package the app. You have probably used this tool millions of times before, so I will not go into detail on how to wrap the client, but I will give some extra information:

  • Make sure to download the client tools from the ProfileUnity console. Extract them to your source folder, for example into a client subfolder.
  • Make sure to include the silent (un)installation scripts from Liquidware.
  • Install command: powershell -executionpolicy bypass -file install.ps1
  • Uninstall command: powershell -executionpolicy bypass -file uninstall.ps1
  • Detection rule: there are numerous ways to detect if Microsoft Intune installed the application. I checked for the existence of a folder: C:\Program Files\ProfileUnity. Another way to go is by checking the registry keys that are mentioned in the installation script.
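The folder check from the detection rule bullet, written out as an Intune custom detection script (an added example, not Liquidware’s script). Intune treats "exit code 0 and something on STDOUT" as installed and anything else as not installed. The folder path is the one from the post; the registry check is optional and the key path is a placeholder you replace with the key written by Liquidware’s install.ps1.

```powershell
# Added example: Intune Win32 app custom detection script for the ProfileUnity client.
# Not Liquidware's code. Detected = exit 0 with output; not detected = exit 1, no output.

$InstallFolder = 'C:\Program Files\ProfileUnity'   # folder checked in the post

# Optional second signal: a registry value set by the install script.
# Leave $RegPath empty to rely on the folder alone. Path and value name are placeholders.
$RegPath  = ''            # e.g. 'HKLM:\SOFTWARE\<placeholder from install.ps1>'
$RegValue = 'Version'     # placeholder value name

function Test-ProfileUnityInstalled {
    # Folder must exist ...
    if (-not (Test-Path -LiteralPath $InstallFolder -PathType Container)) { return $false }

    # ... and must not be an empty leftover from a failed or partial uninstall.
    $firstItem = Get-ChildItem -LiteralPath $InstallFolder -Force -ErrorAction SilentlyContinue |
                 Select-Object -First 1
    if (-not $firstItem) { return $false }

    # If a registry key is configured, require it as well so a stray folder is not enough.
    if ($RegPath) {
        $item = Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue
        if (-not $item) { return $false }
    }
    return $true
}

if (Test-ProfileUnityInstalled) {
    Write-Output 'ProfileUnity client detected'
    exit 0
}
# No output on STDOUT and a non-zero exit code tells Intune the app is not installed.
exit 1
```

Upload this as the detection rule of type "Use a custom detection script" on the Win32 app; it runs as SYSTEM on the Cloud PC, so reading HKLM needs no extra rights.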

The good news is that the prepared installation script makes sure the client installs correctly with the correct settings.

There is also some bad news. If you sign into your Cloud PC at this point, you will see a popup from the ProfileUnity client saying it cannot reach the license server.

Guess what we have to configure next?

Step 4: Make sure the ProfileUnity client can connect to the license server.

We need to make sure that the Cloud PCs, or physical Windows 11 endpoints, can safely connect to the license server. Here are a couple of ways you can accomplish that:

  • Microsoft Entra Application Proxy
  • Global Secure Access (Entra Private Access)
  • 3rd party VPN solution

Recently I posted a blog on using Global Secure Access with Windows 365. It was really easy to configure and super stable. It can be used for Cloud PCs and physical W11 endpoints, so it makes an excellent candidate to solve this issue.

Make sure to check the link above to see how to enable Entra Private Access and how to install and configure both the connection and the client app.

I won’t leave you hanging here; instead I will give some pointers to make your life easier:

We need to determine the port that is used by the Liquidware license server. Just use netstat -a to get an idea of the ports the server is listening on. An educated guess was that the license server listens on port 443. Use the following PowerShell command to make sure:

Add the IP address of the server as an application segment and configure TCP 443 as the allowed port. Make sure the port validates.

Remember to create a private DNS zone so the name of the server resolves correctly. Also make sure to enable DNS in the Private DNS tab in the screenshot below:

Make sure that the GSA client is connected and the DNS name resolves. Don’t worry about the ping timing out; we only allowed port 443 in the application segment step.

As an alternative you can also use the following PowerShell command:

Test-NetConnection Server -port 443
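The checks from step 4 in one place, as an added example (my own PowerShell, not from the post or from Liquidware). The first part runs on the license server and confirms which process owns TCP 443; the second runs on the (Cloud) PC behind the GSA client and checks DNS resolution through the private zone plus the TCP handshake, treating a failed ping as expected because the application segment only allows TCP 443. The server name is a placeholder.

```powershell
# Added example, not Liquidware's code. Server name below is a placeholder.

# --- On the license server: confirm what is listening on TCP 443 (netstat -a, but filtered) ---
function Get-ListeningProcess {
    param([int]$Port = 443)
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
            }
        }
}

# --- On the client: DNS through the GSA private DNS zone, then a TCP-only reachability test ---
function Test-LicenseServerPath {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [int]$Port = 443
    )
    # Name must resolve via the private DNS zone published by Global Secure Access.
    $dns = Resolve-DnsName -Name $ServerName -Type A -ErrorAction SilentlyContinue
    $address = ($dns | Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress

    # Test-NetConnection does a TCP handshake; the ping inside it is expected to fail
    # because ICMP is not part of the application segment, so its warning is suppressed.
    $tcp = Test-NetConnection -ComputerName $ServerName -Port $Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        Server        = $ServerName
        Resolved      = [bool]$address
        Address       = $address
        TcpOpen       = $tcp.TcpTestSucceeded   # this is the value that matters
        PingSucceeded = $tcp.PingSucceeded      # expected False with a TCP-only segment
    }
}

# Example calls (run the first on the server, the second on the client):
Get-ListeningProcess -Port 443
Test-LicenseServerPath -ServerName 'pu-license.corp.example' -Port 443
```

If Resolved is False the private DNS zone or the "enable DNS" toggle is the problem; if Resolved is True but TcpOpen is False, look at the application segment and the GSA client connection state first.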

Connectivity is now established and the ProfileUnity client can connect to the ProfileUnity license server. You should not see any ProfileUnity license messages on the (Cloud) PC anymore.

Did you know that Liquidware prepared a document that helps to set up a separate stand-alone license server that holds the config and is not exposed to the internet? This is really great for production environments. You can find the document here (link).

All that is left to do is to sign in and sign out of the (Cloud) PC, since the ProfileUnity client saves the Portability files at sign-off. Check the storage account to make sure that everything works like it should:

That is all there is to it to use ProfileUnity on physical PCs and Cloud PCs alike. 

Resources