VMware Horizon Community
Poom22
Enthusiast

Anyone using the OneDrive app with Files On-Demand in Horizon in any way?

As title says.

I've tried linked clone floating pool, linked clone with persistent disk, and linked clone App Volumes over a couple of years now, and there is always some kind of problem.

Apparently there is an App Volumes update coming soon to fix this.

Does it work well for anyone here at the moment and if so what is your setup?

41 Replies
epa80
Hot Shot

I've opened a ticket with Trend Micro for us as well, and even pointed them at this thread. Waiting for their reply, but, hoping to get some ideas from them. I'll update this thread when I hear something.

epa80
Hot Shot

I got this reply here. Not much new info.

To answer your question, we are aware of the problem, and we have two workarounds:

1. Implement an exclusion to the full path of the OneDrive folder, i.e. C:\Users\vdiuser\AppData\Local\Microsoft\OneDrive. Please note that due to the way that VMware doesn't support * wildcards for exclusions, this will have to be done for each user.
2. Implement Anti-Malware protection using the Deep Security Agent and its anti-malware module for protection.

epa80
Hot Shot

So because we used the /allusers switch in our install, we found that excluding "C:\Users\edward\OneDrive - OUR COMPANY" did indeed work. Note we didn't use any wildcarding. Needless to say though, this really isn't preferred. Not scanning OneDrive at all seems scary to me, and if we go ahead and create a specific scheduled scan for that directory during a low user load time (say 3AM), you'd still run into the issue where the system gets locked up. So you're back at square one.

KjellO
Enthusiast

As with all security vs user experience scenarios, you will have to choose and perhaps implement other security measures like for example AppLocker.

I've asked Trend Micro support for the possibility to contact Microsoft and find a solution. It should be possible since Microsoft Defender probably supports it and Microsoft do mention that "Files On-Demand might not be compatible with some third-party antivirus solutions.": Save disk space with OneDrive Files On-Demand for Windows 10 - Office Support

shawnwat2
Enthusiast

Having the same issues. Removing network introspection made OneDrive seem to work. I am getting around the wildcard issue by using a writeable volume, assigning it a drive letter (hidden) and then excluding d:\writeable\OneDrive. I redirected OneDrive to that folder. More to follow as we get more information.

Mickeybyte2
Hot Shot

After weeks of testing and support:

  • VMware support: contact Trend Micro
  • Trend Micro Support: Guest introspection cannot use wildcard exclusions. Use agent-based protection so we can use wildcard exclusions or put OneDrive files in a specific folder so we can exclude without wildcards.

So, either way, OneDrive will be excluded from scanning, which makes me worried...

Or we go the "fat" way:

  • disable Files On-Demand and just re-download users' full OneDrive contents each time they log on to their non-persistent desktop, which puts extra load on our network every morning again
  • store all users' full OneDrive contents in their FSLogix Office container, which will require us to provision loads of extra storage

But we are better protected...

Seems there's no good or better solution here, only bad or worse, depending on your environment and priorities... (not sure to which category "migration to MS Defender" belongs ;))

Regards, Michiel.

shawnwat2
Enthusiast

Here is what Trend provided:
To fix the issue with OneDrive, you have to whitelist the OneDrive application by adding the full path (C:\Users*\AppData\Local\Microsoft\OneDrive\OneDrive.exe) on the File List exclusion. Since File List exclusion does not accept wildcards, you have to create an Environment Variable by following the article below.

https://success.trendmicro.com/solution/1096634

As far as excluding the OneDrive folder from scans, I seem to remember that there is some scanning built into OneDrive. I found the following: Virus detection in SharePoint Online - Office 365 | Microsoft Docs. You should check with Microsoft to confirm what kind of scanning/protection is provided as I am not an expert in this area.

epa80
Hot Shot

We have a ticket open with NSX where we repeated the behavior and provided a bunch of logs/dumps for them to review. Everything from NSX Manager bundles, to ESXi host logs, to a procmon dump from the VM experiencing the issue, as well as the VM's .vssm file. I'll update if anything comes about.

We really don't think we'll be pursuing the exclusion functionality, so, it's gonna have to break somewhere else in our instance. For now as a short term fix we've done the exclusion (only have a few users right now in need of OneDrive), but, it's not where we're going long term.

shawnwat2
Enthusiast

I actually have it working without removing NSX. I added Outlook.exe and Onedrive.exe to the HookInjectionWhitelist registry setting. Would you mind sharing your SR or is it listed above?

Mickeybyte2
Hot Shot

Update: I currently have it working by specifying a fixed location for the OneDrive contents via GPO. As we are using single-user VDI, we can do this; if you're using multi-user, then this is not a solution, I'm afraid.

OneDrive location: c:\OneDrive

Files-On-Demand: enabled

Exclusion for DeepSecurity: C:\OneDrive\

Positive side note: I was afraid this would force a re-download each time a user logs in to his non-persistent session, but it seems FSLogix is smart enough to see this change of location and still stores the new OneDrive location in the user's office container VHDX!

Regards, Michiel.

epa80
Hot Shot

So you're excluding that directory from Real Time scanning, I take it. Are you hitting that directory at all later with a scheduled scan, like off hours? If so, does the issue not happen? I assumed it would, so excluding from a scheduled scan would be mandatory too.

We're just trying to avoid the exclusion path because who knows what users ever put in there. Like you though, if we do the exclusion, OneDrive on Deep Security seems to work.

Mickeybyte2
Hot Shot

epa80

Yes, the OneDrive folder is excluded. Since we are using non-persistent linked clones, once the user logs off, the desktop is refreshed and the OneDrive folder is deleted. So there's no way we can schedule a scan of this folder off-hours. I'll have to rely on the fact that MS is also scanning the OneDrive contents on its own servers and blocks suspicious uploads/downloads.

Only have been testing the current setup for one day last week. When I logged in this morning, my OneDrive seemed to be hanging again... After another logon, it worked fine again. So, I need more testing time to make final conclusions!

Regards, Michiel.

Mickeybyte2
Hot Shot

With "Files-On-Demand" enabled, the OneDrive regularly said 'syncing changes' forever... Was very unstable, sometimes a few files got through, but mostly it was unusable.

After disabling the Files-On-Demand option it seems to work better.

Regards, Michiel.

epa80
Hot Shot

Our SR is 20125104205. I tried excluding onedrive.exe (both just as the single file as well as the full folder path) in Deep Security, but, it didn't work out. Same bad behavior. The registry setting I didn't think was applicable for us since we're not using App Volumes today.

Provided support with a bunch of stuff, but, they're still looking into it. One suggestion was to exclude ONLY the logs folder under the OneDrive path, but, that didn't pan out either. Think the next test will be trying a driver.

epa80
Hot Shot

Figured I'd reply to this thread with how my case went, so this thread doesn't become one of those ones people Google later and come to find there's never a solution :).

Support gave me a test vsepflt.sys driver to test with, and when doing so, I used Deep Security with my canned policies (no special OneDrive exclusions), and the issue went away. OneDrive behaved as normal. It sounds like this driver will be provided in a future VMware Tools release. If I heard them right, the release date will be August.

I've been using the test driver going on about 2 or 3 weeks now, and it's been flawless, so, I think they got it.

Thanks.

-Ed

Mickeybyte2
Hot Shot

epa80

Can you share which version of the vsepflt.sys driver you're currently using?

Thanks

Michiel.

Regards, Michiel.

epa80
Hot Shot

Sure. It looks like it's 11.1.5.0.


epa80
Hot Shot

And it looks like VMware Tools 11.1.5 is out. Release notes include the fix for OneDrive.

VMware Tools 11.1.5 Release Notes

shawnwat2
Enthusiast

Best news I have seen in a while.

Mickeybyte2
Hot Shot

According to the VMware interoperability matrix, VMware Tools 11.1.5 is only supported for Horizon 7.12 and 8 (2006)!

Regards, Michiel.