Category: Virtual Apps and Desktops

Folder Redirection a thing of the past

Folder Redirection a thing of the past

Are you still using folder redirection and do you still rely on it, to provide a decent logon performance? Then this article is probably for you.

This article has been in my head for a quite some time. A while ago I was on an assignment at a customer I hadn’t done any previous work for. The customer was using Citrix Profile Management with a couple of folder redirections, including folder redirection of AppData.

It’s still not uncommon for me to come across setups with Citrix Profile Management and folder redirection of the documents and desktop folders, occasionally I also see the start menu and favorites folders being redirected. However I haven’t seen redirection of the AppData folder for the better part of 10 years now, and there seems to be a general consensus in the EUC world, that redirection of the AppData folder is a no-go as it can lead to a variety of different application related issues. If you are still redirecting AppData, please stop, there are alternatives to both Citrix Profile Management AND folder redirection available.

With FSLogix Profile Container now being the de facto solution for profile management, there really is no need to do any kind of folder redirection anymore. With that said, I do recognize that redirecting the documents folder and maybe the desktop folder as well, may in some circumstances still be relevant, mainly in scenarios where we need to be able to backup files/folders in the Documents and/or Desktop folders.

Today we have the technology to lay the last remnants of folder redirection to rest. With the new Microsoft Edge browser and Microsoft OneDrive, we are able to provide a modern way of redirecting the documents, desktop and favorites folders.

I have written a couple of articles about the new Microsoft Edge browser, which you can find here and here. These articles lay the ground work for the Microsoft Edge deployment and configuration and really should be the baseline for any Microsoft Edge deployment.

Hybrid Azure AD Join

To provide the best solution, when signing in to Edge and OneDrive I recommend configuring hybrid Azure AD join. This configuration provides seamless sign-in to both Edge and OneDrive. Microsoft has a decent article about how to configure hybrid Azure AD join.

Microsoft Edge Enterprise Sync

The Enterprise Sync feature in Microsoft Edge enables synchronization of favorites, passwords, extensions etc. to the Azure cloud, which enables you to roam most of the Edge configuration between different devices. The Enterprise Sync feature requires an Azure AD Premium subscription.

Manual configuration

The manual configuration approach is fairly easy. Log on with your Azure AD credentials (usually your email address) by clicking the “Not syncing” button in the top right corner:

You will have to go through a small wizard

Move the little slider to “Yes” and click Confirm.

Once logged on, you should see the “Sync is on” message:

And the final verification that sync is configured:

As you can see it’s not yet possible to synchronize the history and open tabs browser data.

Automatic configuration

Even though the manual configuration of the sync feature is fairly simple, we don’t want each and everyone of our users to go through this process. The sync feature can be enabled and enforced via group policy. The enforcement prevents the user from inadvertently disabling the sync feature.

Group Policy settings

These group policy settings enables and enforces the sync feature:

The “Browser sign-in settings” enforces the sign-in process, suppressing the sync wizard.

The “Configure whether a user always has a default profile automatically signed in with their work or school account” enables auto sign-in, with a Work profile, using the Azure AD account.

The “Force synchronization of browser data and do not show the sync consent prompt” partly does what it says. It enables and enforces the sync feature and the user will not be able to disable it. However the “do not show the sync consent prompt” is not working in Edge v85.x, as you will see in the screen recording below. This means that the user will have to click the “Sync” button, to enable the sync feature.

With the upcoming v86.x version, which is currently released in the BETA channel and, according to Microsoft, due to hit the stable channel within the coming week, it’s possible to suppress the consent box . This will enable and enforce the sync feature without bothering the user at all.

Microsoft OneDrive Known Folder Move

The Known Folder Move (KFM) feature in OneDrive has been around for a while and I am seeing more and more customers implementing it in production.
KFM redirects, the documents, desktop and pictures folders to your OneDrive for Business account, which makes it easy to access your data when moving between different devices. OneDrive is available in a wide range of different subscriptions, however I usually see it delivered with via a subscription that can be activated in a shared computer setup, like the Microsoft 365 E3 or E5 subscriptions.

Manual Configuration

Like the Enterprise Sync in Edge, we can also configure KFM manually. This configuration is also driven by a wizard so it’s easy to set up.

Click sign in and provide valid OneDrive credentials.

A few clicks later, the wizard has setup the OneDrive client. Right click the little blue cloud in the tray area and click Settings.

Go to the Backup tab (no this isn’t very intuitive) and click managed backup.

Once you click Start Backup, the Desktop, Documents and Pictures folders will be redirected to OneDrive.

As with the Enterprise Sync feature, we really don’t want to leave the configuration of KFM to the user.

A word of advice. If you have folder redirection already configured, you will have to disable it. The traditional folder redirection policies and OneDrive KFM cannot coexist.

Automatic Configuration

The OneDrive configuration and the KFM feature can both be configured and enforced via Group Policy configuration. The most important part of the group policy configuration is the OneDrive (Azure AD) tenant ID, this has to be specified in the OneDrive configuation GPO.

There are a few different ways to obtain the tenant ID. One way is to configure OneDrive, manually, on a computer and get the ID from the registry in HKEY_CURRENT_USER.

The value “ConfiguredTenantId” contains the OneDrive (Azure AD) tenant ID.

If you have access to the Azure portal and Azure AD, this is probably the easiest way to obtain the tenant ID, at least it beats manually configuring the OneDrive client.

With the tenant ID you are now ready to configure the OneDrive and KFM configuration GPO.

I usually configure one GPO with both the computer configuration policies and user configuration policies, it’s basically up to you how to configure that part, however both configuration types are needed to provide a seamless configuration of OneDrive and the KFM feature.

To manage OneDrive via group policy, you’ll have to get the ADMX and ADML files. The ADMX and ADML files are located in the %LOCALAPPDATA%\Microsoft\OneDrive\CurrentBuildNumber\adm folder on any computer with OneDrive installed.
More information about OneDrive group policy configuration can be found in this guide by Microsoft.

Computer Configuration

This configuration will setup both the OneDrive client and the KFM feature. It will also activate the Files On-Demand feature which let’s the user decide which files/folder should be synced to the local OneDrive cache and it also prevents the OneDrive client from doing a complete sync of the online OneDrive content.

When using group policy, the configuration of the OneDrive client with the specified tenant ID will be enforced. That will prevent the user from removing the OneDrive client configuration.

User Configuration

In here the OneDrive tutorial is suppressed and more importantly, the OneDrive folder location is enforced and the user is prevented from changing that location. The %USERPROFILE%\OneDrive – tenantname is the default location for the OneDrive folder, I usually recommend not changing this location, however it is possible to have the OneDrive folder at another location, do NOT put in on a network drive!

Here is a screen recording showing the automatic configuration of the OneDrive client and Known Folder Move feature.

OneDrive pro tip

This is a strange one. When I started with the OneDrive testing and configuration, I was using the manual configuration approach, to get the feel of how to configure OneDrive. When I had the basic OneDrive configuration mastered, I looked into the KFM feature and this is where it gets strange. I noticed the “Backup” tab was missing, and at first I thought I had configured something to remove the tab, however I experienced the same behavior with no group policy configuration applied.

It turns out if the URL g.live.com is blocked on the network, the KFM feature is not available. In my setup, the URL was blocked by my Pi-Hole, as soon as I configured the URL to be in the whitelisted URLs the KFM feature magically appeared.

So, armed with Microsoft Edge Enterprise Sync and Microsoft OneDrive Known Folder Move, you can leave the last remnants of folder redirection in the past and move forward with more modern ways of syncing user data, files and folders.

This concludes the article. As always feel free to contact me on Twitter or in the World of EUC Slack channel if you have any comments or questions.

How to get rid of Internet Explorer

How to get rid of Internet Explorer

The time is right. Internet Explorer has had a very, very good run and it has been a good browser. For years it was the only Microsoft supported browser in a Windows Server operating system, even when Edge (the 1st) was released we still had to make due with Internet Explorer in Windows Server operating systems.
It’s now time to look in a different direction. A direction where we have a fully supported and modern browser with the new Edge browser based on the Chromium project. This browser is also available and supported in a Windows Server operating system.

During the last 6 months I have written a couple of articles about how to install and configure the new Edge browser, I have even penned an article about how to remove the pesky pinned takbar shortcut, which is created during the first launch of Edge.

In my article about how to configure Edge via group policy, I finish off by showing that it is possible to run sites with java content in Edge, something we historically had to use Internet Explorer to do. This is no longer the case, or technically it is, but we can now use “emulated IE” tabs, called IE Mode, within the Edge browser, so we don’t have to leave the browser when accessing legacy sites.

A couple of days ago I was helping a customer, and I noticed that he had Edge running, but Internet Explorer was also running in the same session. So we had a short conversation about IE Mode, he knew about it and what the possibilities were with sites with java content. It turned out he was accessing a Hitachi storage web based configuration site, which needed Adobe Flash Player. Seriously Hitachi, you need Adobe Flash in 2020? In all fairness I have to mention that I don’t know if my customer is on an older model of a Hitachi storage box, which for some reason can’t be updated.
Nonetheless we are also able to use IE Mode with sites with Flash based content.


Be aware that Adobe has announced that the 31st of december 2020 is the End of Life (EOL) for Flash Player.

This means that you should probably start looking at alternatives to whatever sites you are using, if Flash is still a requirement.

What is IE mode

IE Mode is a feature that allows us to specify that certain URLs should open in an “emulated IE” tab within the Edge browser. This is great because the user will never have to leave the primary browser, which is of course Edge, to access legacy sites or sites with legacy content (Java and Flash), everything is kept within the Edge browser window.
We can also open the specified sites outside the Edge browser in a standalone Internet Explorer browser, and not in an IE Mode tab in Edge. We might not get rid of Internet Explorer, but with IE Mode we can limit the use of Internet Explorer to a certain selection of URLs.

Java and Flash in IE mode tabs

I have included a screen recording of Java and Flash content running in IE Mode tabs within Edge:

Standalone Internet Explorer

Here we see the www.citrix.com and www.microsoft.com URLs both open in a standalone Internet Explorer. We also see that the Java.com site opens in IE Mode, we can have both configurations at the same time, so it’s not one or the other.

By now you might be wondering, what is stopping us from keep using the Internet Explorer window, which Edge conveniently launched for us? By default, nothing. We are able to use Internet Explorer all day long, we don’t want that, we want to get rid of Internet Explorer or at least limit the use of it.

Configure IE Mode

Let’s have a look at how to configure IE Mode, and how to prevent us from keep using Internet Explorer, if we are using standalone Internet Explorer windows. In this article I have configured IE Mode via traditional group policies. It is also possible to configure IE Mode via Microsoft InTune, this is not in scope here though.

Group Policy Configuration

The configuration of IE Mode is really easy, it’s basically 4 policies and you’re done.

With the policy configuration for Edge we have specified that we want to use Internet Explorer Mode (IE Mode) and we are also supplying a specific XML file using the Enterprise Mode Site List feature.
For Internet Explorer we have configured the “Send all sites not included in the Enterprise Site List to Microsoft Edge” and we are also, again, supplying the Enterprise Mode Site List.


Configuring the “Send all sites not included in the Enterprise Site List to Microsoft Edge” policy prevents the use of Internet Explorer all day long. If we are trying to access sites not specified in the Enterprise Mode Site List, we are directed back into the Edge browser. This is a very good way of limiting the use of Internet Explorer.

Enterprise Mode Site List

So, how do we create this so called Enterprise Mode Site List?
I would recommend the free tool by Microsoft called “Enterprise Mode Site List Manager”.

The Enterprise Mode Site List Manager can be found in Microsoft’s Download Center here:
https://www.microsoft.com/en-us/download/details.aspx?id=49974

The download provides you with a EMIESiteListManager.msi file. Go through the setup process:

Once installed you should have shortcuts to the Enterprise Mode Site List Manager on both the desktop and in the start menu.

When lauching the Enteprise Mode Site List Manager for the first time, it provides you with a blank site list configuration:

Here you will have to add the URLs for either IE Mode and/or standalone Internet Explorer.

Click Add:

  1. Specify in the URL, without http/https.
  2. Select Open In IE11
  3. If you want the URL to open in a standalone Internet Explorer, click the “Standalone IE:” check box
  4. If you check the “Allow Redirect” box, if there is a server-side redirected URL, it will have the same browser configuration applied.
  5. Leave the Compat Mode dropdown box at the default configuration

When you have the needed URLs configured, you will end up with something looking like this:

These are the URLs demonstrated in the screen recordings earlier. Notice the “Standalone IE” is true for www.citrix.com and www.microsoft.com, these URLs will open in standalone Internet Explorer windows, any other URLs will open in IE Mode within the Edge browser window.

To save the current list of URLs to an XML file go to File and select Save to XML:

Provide a name, in this example, for lack of creativity, I call it Sites.xml:

Once the XML file has been saved, be aware that a version number is assigned, you can find the version number here:

Or you can crack open the XML file and find it here:

The Sites.xml should be made available from a central location. Microsoft recommends to publish it via a web server, this is due to performance reasons. I usually makes it available via the NETLOGON share, as regular users cannot write/modify files and folders in that location.

When the user logs on, the Sites.xml is copied to the user’s profile, we’ll see where in a moment, the version of the Sites.xml is important, as the one in the user’s profile is compared to the one in the central location.

The downside by publishing is via NETLOGON or another file share, is that the file is copied to the user’s profile before a version comparison is made. If you have hundreds or thousands of URLs, it’s performs better via HTTP/HTTPS, as IE Mode can read the version number before copying the file.

If you need to make changes to an existing Sites.xml file, remember to also export the URL list configured.

The exported Sites.emie2 is needed for future changes as it keeps the version information.

So, import the Sites.emie2, make whatever changes necessary and then click Save to XML and save and overwrite the Sites.xml in the central location:

As you can see we are now on version 2 of the XML file.

The 65 seconds delay

The version comparison has a timeout of 65 seconds. This means that Edge and IE Mode does nothing with the Sites.xml until after 65 seconds after Edge is launched. At that time the Sites.xml in the central location and the one in the profile are compared and if a Sites.xml with a higher version exists in the central location, it’s copied and enumerated. This means that for 65 seconds after launching Edge, IE Mode is basically not in effect, which means that any sites that are configured to open in an IE mode tab or a standalone Internet Explorer are treated as any other sites, and will open in Edge.

I have worked with a lot of customers which wanted their intranet site as default startup page. If that intranet site is now configured to open in an IE Mode tab, because of the 65 seconds delay, that will not happen.

Luckily for us Microsoft introduced a new feature in Edge v84.0.522.40, which was released a couple of weeks ago, that enables us to prevent navigation in Edge if the Sites.xml does not exist in the user’s profile.
If a Sites.xml file exists, there is no longer a wait for the central Sites.xml and local Sites.xml to be compared, the local Sites.xml file will be used and any changes in the central Sites.xml file will be copied in the background. The feature can be enable via the Require that the Enterprise Mode Site List is available before tab navigation policy:

Here we see the new feature in effect. If we immediately after logon launch Edge, and type mycugc.org, Edge stalls until the Sites.xml is enumerated, as mentioned a great feature if you have an intranet site or a similar legacy site configure as a startup site. Unfortunately this new feature, doesn’t work with sites configured to open in a standalone Internet Explorer.

Keep in mind that Microsoft does not recommend enabling this feature, unless there is a specific need for it, as you can see it can/will slow down Edge in certain scenarios.

Now that we have the Sites.xml file and the 65 seconds delay covered, let’s see what happens on the client side.

IE Mode in effect

As mentioned, during logon the Sites.xml is copied to the user’s profile. The Sites.xml is copied to %LocalAppData%\Microsoft\Edge\User Data\Emiesitelist.xml and not Sitex.xml, a bit confusing:

If we open the EmieSitelist.xml with Notepad, we can see that the contents are the same as in the Sites.xml file:

Notice we are now using the version 2 of the Sites.xml, the one we created earlier.

This means that the latest addition to the Sites.xml file, www.mycugc.org, open in IE Mode within the Edge browser, as you have seen earlier.

The mycucg.org website is still opening in IE Mode tab within the Edge browser, so did both the Java test page and Adobe Flash test page.
The citrix.com and microsoft.com websites still open in a standalone Internet Explorer, but because of the “Send all sites not included in the Enterprise Site List to Microsoft Edge” policy we now also see that I am not allowed to use Internet Explorer to access youtube.com, that request is redirected back into the Edge browser.
There is a small delay on youtube.com, this is because of the Browser Content Redirection extension in Edge.

Troubleshooting IE Mode

The 65 seconds delay

When testing IE Mode the first thing that is almost always is reported back to me is, “IE Mode is not working!”. And it almost always turns out that the customer forgot about the 65 seconds timeout and being a bit more patient usually does the trick. If the Require that the Enterprise Mode Site List is available before tab navigation policy is configured that is probably not the case.

Also make sure that the Enterprise Mode Site list path and name is properly configured in the Configure the Enterprise Mode Site List policy.

Microsoft Edge policies

If you are experiencing IE Mode doesn’t work, make sure to check that Edge actually receives the IE Mode policies and a valid site list.
To verify the policies applied to Edge, you can enter edge://policy in the address bar:

If you don’t see the “InternetExplorerIntegrationLevel” and the “InternetExplorerIntegrationSiteList” values in this list, you can click the “Reload Policies” button, if that doesn’t help, you will probably have to check your GPO configuration.

Microsoft Edge Compatibility

If you are experiencing sites not opening i IE Mode or in a standalone Internet Explore, but you expect them to. You can verify which site list version is currently used and which sites are on the site list. This can be done by entering edge://compat in the address bar:

Now there should be no excuses for not getting rid of Internet Explorer, or at least limit the use of it.

This concludes the article. As always feel free to contact me on Twitter or in the World of EUC Slack channel if you have any comments or questions.