VMware Horizon Community
SummaCollege
Hot Shot

Updated: working config! How to keep the writable volume as clean as possible?

Update: I have renamed this post to better represent the content.

All our users have 1 Writable Volume for OST and Search storage and a few Appstacks.

The Writable Volume is configured (snapvol.cfg) with the following entry:

#virtualize=\

Registry virtualization has been removed.

And the rest is the default snapvol.cfg + extra exclusions for virusscanner.

And using UEM/DEM we configured the OST to be placed on the writable volume.

This way we thought it would not virtualize the complete disk and only virtualize the paths we want, and it looked like this was working fine. Till now...

We now see stuff appearing inside the writable volume. Partly it's my fault for not picking this up before. I wasn't looking at the right locations when testing this setup in our test environment and I thought everything was working as planned.

Our use case is very simple. Writable Volume is used to store the OST and Search database and nothing else. The user profile part is managed using UEM/DEM.

That's part 1 of the challenge we are facing: "How do we realize this use case?" We thought we had this covered, but it seems we didn't.

Part 2 is that I need some more info on the relationship between Appstacks and Writable Volumes.

I did some testing with the following snapvol.cfg for my writable volume:

exclude_path=\ProgramData\

exclude_path=\Users\

exclude_path=\Windows\

exclude_path=\Program Files (x86)\

exclude_path=\Program Files\

When I use this snapvol.cfg for my writable vol and attach one or more appstacks as well, this isn't functioning like I was expecting.

I see that the folder structure from the appstack is visible in my file system, but the data is not accessible. That makes me think the processing of the appstack is influenced by the configuration of the writable volume. But both the appstacks and the writable volumes have their own snapvol.cfg. So that made me believe they are processed independently. My testing is indicating otherwise.

Can someone clarify this behaviour?

And maybe help me to correct our setup so it complies with our use case: "Writable Volume is used to store the OST and Search database and nothing else"?

14 Replies
SummaCollege
Hot Shot

I see there is no easy answer to my questions ;)

Let's simplify this a bit:

- How do I make sure that no data is saved to the writable volume by the apps that are installed inside the golden image and attached appstacks?

- Do I really need to exclude every process, folder, path, that is used by every installed application inside the golden image and appstacks to make sure no data like temp files, settings, updates, etc. ends up in the writable volume? We have several appstacks with a lot of apps installed. It would take us ages to figure out what needs to be excluded, I guess.

If this really is the only way and there is no other viable option, then so be it. Better to ask now instead of being sorry afterwards, I guess...

Ray_handels
Virtuoso

In basic functionality the writable captures everything that is not explicitly excluded within the writable volume; it has nothing to do with what you have installed on your GI or Appstacks. If you were to install a new application and didn't change anything in the snapvol.cfg, it would eventually just grab everything.

I have seen people being able to just add a few folders, but you would then need to readjust the snapvol.cfg accordingly.

SummaCollege
Hot Shot

Does the writable volume also collect data/files and registry settings that are created by processes started from an appstack? For example temp files or application settings?

I think that it does as the filter driver isn't selective in this, but am I correct? Just to be sure.

Managing a lot of applications and excluding every process, path and registry that might process some data is an almost impossible task then, if your goal (like ours) is to not store this data.

Ray_handels
Virtuoso

> Does the writable volume also collect data/files and registry settings that are created by processes started from an appstack? For example temp files or application settings?
>
> I think that it does as the filter driver isn't selective in this, but am I correct? Just to be sure.

Yes it does. Windows cannot make the distinct difference between an appstack and a non appstack application.

> Managing a lot of applications and excluding every process, path and registry that might process some data is an almost impossible task then, if your goal (like ours) is to not store this data.

I believe someone did get this to work and just have the .ost file and windows search in the writable, not quite sure if that post is here or on the DEM forum.

Logically you would need to exclude all folders on the C drive except the one where the .ost file is stored.

That would mean use excludes that exclude the entire Program files and windows directory and you would be pretty good to go.

SummaCollege
Hot Shot

I am in the process of creating and testing exactly that inside a new snapvol.cfg for this use case. I will report back the results....

Thanks in advance!

SummaCollege
Hot Shot

By the way, I know exactly how to view the file contents of a writable volume. But how can I check what registry settings are saved inside the writable volume?

SummaCollege
Hot Shot

If I exclude the "\Windows", "\Program Files" and "\Program Files (x86)" inside the snapvol.cfg from the writable volume, the applications from the appstacks are not attached correctly. They don't appear in the start menu and are not visible in the filesystem.

The snapvol.cfg contained inside the Writable Vol is also impacting the Appstacks despite them having their own snapvol.cfg.

Why?

sjesse
Leadership

I'm pretty sure the writable is attached last, and the snapvol.cfg is either merged with the earlier ones, or the writable snapvol.cfg is used instead of the other ones (I was told this was the case by VMware, but recently people have been suggesting they get merged). You're seeing this here; I was never able to get what you're trying to do to work. Small exclusions work, but trying to remove program files and the windows folders breaks everything.

SummaCollege
Hot Shot

You might be right there. We'll then have to really explicitly exclude a LOT.... Damn.

Is what we are trying to accomplish really that unique? Why include everything if it's not necessary. Including that much "useless" data is only going to slow things down, use up space, might be the source for issues in the future after updates/upgrades, god knows what else....

So, frustrations are vented, now continue searching for solutions ;)

sjesse
Leadership

If you're on a later version, look at what's in the profile only snapvol.cfg, and maybe compare that to what you have, as that is "supposed" to only do the profile.

SummaCollege
Hot Shot

Funny, that's exactly what I am doing right now ;)

SummaCollege
Hot Shot

The below configuration is what a few users are testing at the moment and it seems to do the trick for us.

The only stuff I see stored inside the Writable Volume is everything we change inside the "C:\Summa" folder, and nothing else from the filesystem.

In the registry I only see the related search entries.

OST and Search database is written to the Writable Volume as well, and that setting is done by DEM.

We also have several AppStacks that seem to function fine (different snapvol.cfg).

The only thing I am unsure of is the need for the "Process Exclusions". I don't see any stuff making it inside the Writable Volume, so I am not sure if I need to keep them in the config.

Our config:

################################################################

# Date:    10-12-2019

# Version: 2

################################################################

scope=volume

type=writable

writable_type=uia

################################################################

# File system

################################################################

virtualize=\summa

################################################################

# Registry

################################################################

virtualize_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Search

virtualize_to=\MACHINE\SOFTWARE\Microsoft\Windows Search

os=64

virtualize_registry=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Search

virtualize_to=\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Search

os=any

################################################################

# File system inclusions

################################################################

include_path=\summa

################################################################

# File system exclusions

################################################################

exclude_path=\$Recycle.bin

################################################################

# Registry inclusions

################################################################

include_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Search

os=64

include_registry=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Search

os=any

################################################################

# Registry exclusions

################################################################

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache

os=64

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Search\VolumeInfoCache

os=any

################################################################

# Process exclusions

################################################################

# exclude kaspersky

exclude_process_path=\Program Files (x86)\Kaspersky Lab\

# exclude Office Click-to-Run service

exclude_process_path=\Program Files\Common Files\Microsoft Shared\ClickToRun

# App-V 4.6 and 5.0

exclude_process_path=\ProgramData\App-V

exclude_process_path=\ProgramData\Microsoft\AppV

exclude_process_path=\ProgramData\Microsoft\Application Virtualization

exclude_process_path=\Program Files\Microsoft Application Virtualization

exclude_process_path=\svruby

exclude_process_path=\Program Files\SnapVolumes

exclude_process_path=\Program Files\CloudVolumes

#exclude_process_name=regedit.exe

exclude_process_name=CCmExec.exe

exclude_process_name=chkdsk.exe

exclude_process_name=chkntfs.exe

exclude_process_name=svcapture32.exe

exclude_process_name=svcapture64.exe

exclude_process_name=autochk.exe

exclude_process_name=wininit.exe

exclude_process_name=diskpart.exe

exclude_process_name=vds.exe

exclude_process_name=vdsldr.exe

# Windows Update

#exclude_process_name=wuapp.exe

#exclude_process_name=wuauclt.exe

#exclude_process_name=wusa.exe

# Windows Activation

exclude_process_path=%SystemRoot%\system32\wat

# McAfee

exclude_process_path=\Program Files\Common Files\McAfee\SystemCore

#AtHocGov

exclude_process_path=\Program Files\AtHoc

################################################################

# 64-Bit OS exclusions

################################################################

os=64

# exclude kaspersky

exclude_process_path=\Program Files (x86)\Kaspersky Lab\

# CloudVolumes

exclude_process_path=\Program Files (x86)\SnapVolumes

exclude_process_path=\Program Files (x86)\CloudVolumes

#AtHocGov

exclude_process_path=\Program Files (x86)\AtHoc

# AppSense

exclude_process_path=\Program Files (x86)\AppSense

# App-V 4.6 and 5.0

exclude_process_path=\Program Files (x86)\Microsoft Application Virtualization

# This should always be the last line in the policy

os=any

SummaCollege
Hot Shot

A few days have passed now and testing with above config seems to work perfectly for us!

When looking through the writable volume of a few users, only OST and Search data is present (plus a specific folder for testing usage). Also in the registry no data is written besides that related to OST and Search.

For us this config seems to be spot on. We have also seen no negative impact on the performance and working of Windows 10.
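
The check described in the post above (browsing a user's writable volume and confirming that only the intended folder holds data) can be scripted. This is an added example, not part of the thread and not App Volumes code: it parses snapvol.cfg directives and flags paths that fall outside the `virtualize`/`include_path` roots. The prefix matching is this script's own model, not the filter driver's logic, and the sample config excerpt and file listing are constructed.

```python
import re

# Constructed excerpt using directives from the config posted above.
SAMPLE_CFG = r"""
virtualize=\summa
include_path=\summa
exclude_path=\$Recycle.bin
os=64
exclude_process_path=\Program Files (x86)\AppSense
os=any
"""

def parse_snapvol(text):
    """Return [(os_scope, key, value)]; '#' lines are comments, os= switches scope."""
    scope, rules = "any", []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "os":
            scope = value
        else:
            rules.append((scope, key.lower(), value))
    return rules

def _norm(path):
    # Drop the drive letter, unify separators, lower-case (Windows paths ignore case).
    path = re.sub(r"^[A-Za-z]:", "", path.replace("/", "\\"))
    return "\\" + path.strip("\\").lower()

def _under(path, root):
    return path == root or path.startswith(root + "\\")

def audit_paths(rules, observed):
    """Split paths seen on a writable volume into expected / unexpected."""
    allowed = [_norm(v) for _, k, v in rules if k in ("virtualize", "include_path")]
    excluded = [_norm(v) for _, k, v in rules if k == "exclude_path"]
    report = {"expected": [], "unexpected": []}
    for p in observed:
        n = _norm(p)
        ok = any(_under(n, a) for a in allowed) and not any(_under(n, e) for e in excluded)
        report["expected" if ok else "unexpected"].append(p)
    return report

# Constructed file listing from a mounted writable volume (assumed paths).
OBSERVED = [r"C:\Summa\Outlook\user.ost",
            r"C:\Users\jdoe\AppData\Local\Temp\setup.log",
            r"C:\$Recycle.Bin\S-1-5-21-0\old.tmp"]
```

Feed `audit_paths` a real directory listing of the mounted volume; anything under `unexpected` is data the writable volume captured outside the intended scope.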

ruiterrinhapale
Contributor

Thank you for sharing all the steps you performed and the cfg file that works; it saved us a huge amount of time and effort.