FSLogix Profiles with Microsoft EntraID only and Nerdio
- davidpereira20
- Mar 21
- 4 min read
Updated: Mar 24
If, like me, you have to configure Azure Virtual Desktop (AVD) for a customer with no on-premises presence or without Active Directory Domain Services (ADDS) running in their Azure tenant, you are faced with a problem.
The problem:
FSLogix relies on SMB file shares and Kerberos authentication, and Microsoft Entra ID doesn't natively support Kerberos.
The Solution:
There are a couple of posts out there that document how to work around this, including the official Microsoft documentation. This post explains the steps we used to get this working with Nerdio. Please note this was done in Nerdio NMM; while it is relevant to NME as well, the consoles can differ slightly.
Assumptions:
You know your way around Nerdio.
You have a master/base image.
You have appropriate permissions for Nerdio, the master image and the Azure Portal.
High-Level Steps
Create Storage Account
Create SMB Share
Gather details
Configure FSLogix Profile in Nerdio
Create the necessary PS scripts
Automate the solution with Nerdio
How To:
1- Create a Storage Account in the same Region as the AVD deployment
Navigate to the Azure Portal > Storage Accounts

Note: Microsoft recommends Premium Storage for FSLogix Profiles
Under Networking select "Enabled from selected virtual networks and IP addresses" and then select the virtual network used for your AVD hosts; this blocks access to the FSLogix share from all public networks.

Now that you have a storage account, we can create the FSLogix file share.
Under Data storage > File shares, click + File share.

Give it a name and enough space for the number of profiles you're storing. Make sure SMB is selected under Protocol.

Now that we have a storage account and a file share, the next step is to collect some details so we can configure access to it from the AVD hosts.
We need to collect the following:
Internet or network address: <FQDN of your storage account e.g. auxlabfslogix.file.core.windows.net>
This will be whatever you called your storage account followed by .file.core.windows.net.
User name: localhost\<StorageAccountName, e.g. localhost\auxlabfslogix>
Password: <Storage account access key>
You can find the access key under Security + networking > Access keys on the storage account.

So you will end up with something like this in Notepad:
auxlabfslogix.file.core.windows.net
localhost\auxlabfslogix
hXsIUYFG06O9jTcEZhlEvUdLH3K9086asdf987adsf56f7985da8o29v4Pux8Df+Mcx2W1ZpidteAUomvpbC+AS0as98d7as8d90d==
There are a few different ways to achieve the next step. I wanted it to be as hands-free as possible, so I used Nerdio as much as I could: I configured the FSLogix settings in Nerdio, then used a couple of scripts to configure the rest on the master image during host deployment.
You can create an FSLogix profile under Settings > Integrations by clicking Add, as highlighted.

You can configure the FSLogix settings as you see fit, but the highlighted ones are recommended by Microsoft, and AccessNetworkAsComputerObject is a requirement for this to work. I also recommend setting "VHDCompactDisk 1", as it prevents profiles from bloating over time.

The only thing missing for this to work is a stored credential on the AVD host for the storage account.
To do this we will run the following script:
start-transcript c:\temp\fslprereq.txt
# Script to run in the SYSTEM account context using a Scheduled Task
write-host "Configuring FSLogix pre-reqs"
$fileServer = "auxlabfslogix.file.core.windows.net"
$profileShare = "\\$($fileServer)\profiles"
# User name is localhost\<StorageAccountName>, matching the storage account in $fileServer
$user = "localhost\auxlabfslogix"
$secret = "is9kjgasd98756Ufa8P6YKJNXMIXD8Nn14UFt9876asflbjk34HGuvtJxE5UnPONRYqMbr3Ugc-097gdskljb0Q=="
# Include credentials in the profile so FSLogix can use the stored key
New-Item -Path "HKLM:\Software\Policies\Microsoft" -Name "AzureADAccount" -ErrorAction Ignore
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -Value 1 -PropertyType DWord -Force
# Store the storage account key in Credential Manager (SYSTEM's store, because the task runs as SYSTEM)
cmdkey.exe /add:$fileServer /user:$user /pass:$secret
# Disable Windows Defender Credential Guard (only needed for Windows 11 22H2); takes effect after a reboot
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 0 -PropertyType DWord -Force
# Remove this script so the access key is not left on disk in plain text
remove-item c:\windows\scripts\fslogixprereq.ps1
write-host "The script has finished."
stop-transcript
Now, on our master image, we created the folder C:\Windows\Scripts\ and saved the script above in it as fslogixprereq.ps1.
Then we created the following script in Nerdio:


Start-transcript c:\temp\nerdioscript.txt
$TaskName = "FsLogixPrereqTask"
$TaskDescription = "Runs FsLogix prerequisite script as SYSTEM"
$ScriptPath = "C:\Windows\Scripts\FsLogixPrereq.ps1"
# Ensure the script path exists
if (!(Test-Path $ScriptPath)) {
    Write-Host "Error: Script not found at $ScriptPath"
    exit 1
}
# Get the current time and add 1 minute for scheduling
$TriggerTime = (Get-Date).AddMinutes(1)
# Ensure a valid DateTime value
if ($null -eq $TriggerTime) {
    Write-Host "Error: Failed to get a valid scheduled time."
    exit 1
}
# Define the action to run the script
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -File `"$ScriptPath`""
# Ensure Action is valid
if ($null -eq $Action) {
    Write-Host "Error: Failed to create task action."
    exit 1
}
# Create a one-time trigger
$Trigger = New-ScheduledTaskTrigger -Once -At $TriggerTime
# Ensure Trigger is valid
if ($null -eq $Trigger) {
    Write-Host "Error: Failed to create task trigger."
    exit 1
}
# Set task to run as SYSTEM
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
# Create the scheduled task
$Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -Description $TaskDescription
# Ensure Task is valid
if ($null -eq $Task) {
    Write-Host "Error: Failed to create scheduled task object."
    exit 1
}
# Register the scheduled task
try {
    Register-ScheduledTask -TaskName $TaskName -InputObject $Task -Force
    Write-Host "Scheduled task '$TaskName' created successfully."
} catch {
    Write-Host "Error: Failed to register the scheduled task. $_"
    exit 1
}
Stop-transcript
This creates a scheduled task on the host that runs the script we created earlier, as SYSTEM, one minute later.
There are a few different ways we could have done this, for example with PsExec or manually, but the idea is that if we ever replace the hosts the scripts run against the new host and it is ready for production with minimal intervention.
To fully automate this solution, configure the following settings:

Now every time a host is deployed it will run the script.
That's it. The script in C:\Windows\Scripts is deleted once it has run so that the storage access key is not left on disk in plain text, which means that if you ever rotate that key you will have to update it in the master image and redeploy the hosts.
You can now see in the FSLogix logs that a .vhdx was created and mounted, and changes you make to your profile, such as the background colour, will persist.
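As an added check that is not part of the original post or of Nerdio, the following script verifies on a deployed host that each prerequisite from the steps above actually landed. It assumes the storage account and share names used above (auxlabfslogix, profiles) and must run as SYSTEM, since that is the account whose Credential Manager store received the cmdkey entry.

```powershell
# Added verification script (not the post's or Nerdio's code). Run as SYSTEM on a
# deployed session host, e.g. from the same scheduled-task mechanism as above.
# Assumed names: change to match your storage account and share.
$storageAccount = "auxlabfslogix"
$fileServer     = "$storageAccount.file.core.windows.net"
$shareName      = "profiles"
$results        = [ordered]@{}

# 1. Policy that lets FSLogix load the stored credential key into the profile
$aad = Get-ItemProperty "HKLM:\Software\Policies\Microsoft\AzureADAccount" -ErrorAction SilentlyContinue
$results["LoadCredKeyFromProfile = 1"] = ($aad.LoadCredKeyFromProfile -eq 1)

# 2. Stored credential for the file server in this account's Credential Manager.
#    cmdkey /list prints one "Target:" line per entry; we only look for the host
#    name and never print the secret.
$cmdkeyOut = & cmdkey.exe /list 2>&1
$results["cmdkey entry for $fileServer"] = [bool]($cmdkeyOut -match [regex]::Escape($fileServer))

# 3. Credential Guard policy value as written by the prerequisite script
$lsa = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -ErrorAction SilentlyContinue
$results["LsaCfgFlags = 0"] = ($lsa.LsaCfgFlags -eq 0)

# 4. FSLogix profile settings that the Nerdio FSLogix profile should have written
$fsl = Get-ItemProperty "HKLM:\SOFTWARE\FSLogix\Profiles" -ErrorAction SilentlyContinue
$results["FSLogix Enabled = 1"]               = ($fsl.Enabled -eq 1)
$results["AccessNetworkAsComputerObject = 1"] = ($fsl.AccessNetworkAsComputerObject -eq 1)
$vhdLocations = ($fsl.VHDLocations -join ";")   # REG_MULTI_SZ may come back as an array
$results["VHDLocations points at the share"]  = [bool]($vhdLocations -match [regex]::Escape("\\$fileServer\$shareName"))

# 5. SMB reachability from the host's VNet. Fails if the storage account firewall
#    (the "selected virtual networks" setting above) does not include this subnet.
$tcp = Test-NetConnection -ComputerName $fileServer -Port 445 -WarningAction SilentlyContinue
$results["TCP 445 to $fileServer"] = [bool]$tcp.TcpTestSucceeded

# 6. The prerequisite script removed itself, so the key is not left on disk
$results["fslogixprereq.ps1 deleted"] = -not (Test-Path "C:\Windows\Scripts\fslogixprereq.ps1")

# Print a PASS/FAIL line per check
$results.GetEnumerator() | ForEach-Object {
    "{0,-5} {1}" -f $(if ($_.Value) { "PASS" } else { "FAIL" }), $_.Key
}
```

If check 2 fails while the others pass, the most common cause is running the script as an admin user rather than as SYSTEM, because cmdkey stores are per account.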


I think it's worth mentioning the two sources of inspiration for this solution.