top of page
Search

FSLogix Profiles with Microsoft EntraID only and Nerdio

  • davidpereira20
  • Mar 21
  • 4 min read

Updated: Mar 24

If like me you have to configure Azure Virtual Desktop (AVD) for a customer with no On-Premises presence or without Active Directory Domain Services (ADDS) running in their Azure tenant you are posed with a problem.


The problem:

FSLogix relies on file shares and Kerberos for authentication and Microsoft EntraID doesn't natively support Kerberos.


The Solution:

There's a couple of posts out there that document how to workaround this including the Microsoft official documentation. This post will explain the steps we used to get this working while using Nerdio, please note this was Nerdio NMM and while its relevant to NME the consoles can be slightly different.


Assumptions:

  • You know your way around Nerdio.

  • You have a Master/Base Image

  • You have appropriate permissions for Nerdio the Master Image and Azure Portal


High-Level Steps

  1. Create Storage Account

  2. Create SMB Share

  3. Gather details

  4. Configure FSLogix Profile in Nerdio

  5. Create the necessary PS scripts

  6. Automate the solution with Nerdio


How To:

1- Create a Storage Account in the same Region as the AVD deployment

Navigate to the Azure Portal > Storage Accounts



Note: Microsoft recommends Premium Storage for FSLogix Profiles


Under Networking select "Enabled from selected virtual networks and IP addresses" and then select the network used for your AVD, this will prevent access to the FSLogix share from all public networks.


Now that you have a storage account we can create the FSLogix file share

Under Data Storage > File Share, click + File Share

Give it a name and enough space for the number of profiles you're storing. Make sure SMB is selected under protocol.

Now that we have a storage account and a file share the next step is to collect some info so we can configure access to it from the AVD hosts.

We need to collect the following.


Internet or network address: <FQDN of your storage account e.g. auxlabfslogix.file.core.windows.net>


This will be whatever you called your storage account followed by .file.core.windows.net


User name: localhost\<StorageAccountName e.g. localhost\auxlabfslogix>

Password: <Storage account access key>

You can find that here


So you will end up with something like this on a notepad 

auxlabfslogix.file.core.windows.net

localhost\auxlabfslogix

hXsIUYFG06O9jTcEZhlEvUdLH3K9086asdf987adsf56f7985da8o29v4Pux8Df+Mcx2W1ZpidteAUomvpbC+AS0as98d7as8d90d==

There's a few different ways to achieve the next step I wanted it to be as hands free as possible so I used Nerdio as much as I could. I've configured the FSLogix settings in Nerdio then used some scripts to configure the rest on the master image during Host deployment.


You can create a FSLogix Profile under Settings > Integrations and clicking add as highlighted



You can configure the FSLogix setting as you see fit but the highlighted are recommended by MS and AccessNetworkasComputerObject is a requirement for this to work. I also recommend using the "VHDCompactDisk 1" as it prevents profiles from bloating over time.




The only missing thing for this to work is to create a credential in the AVD host for the storage account.


To do this we will run the following script


start-transcript c:\temp\fslprereq.txt
#Script to run in System account context using a Scheduled Task
write-host "Configuring FSLogix pre-reqs"
$profileShare="\\$($fileServer)\profiles"
$user="localhost\oakminsterfslogix"
$secret="is9kjgasd98756Ufa8P6YKJNXMIXD8Nn14UFt9876asflbjk34HGuvtJxE5UnPONRYqMbr3Ugc-097gdskljb0Q=="
# Include credentials in the profile
New-Item -Path "HKLM:\Software\Policies\Microsoft" -Name "AzureADAccount" -ErrorAction Ignore
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -Value 1 -force
# Store credentials to access the storage account
cmdkey.exe /add:$fileServer /user:$($user) /pass:$($secret)
# Disable Windows Defender Credential Guard (only needed for Windows 11 22H2)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 0 -force
remove-item c:\windows\scripts\fslogixprereq.ps1
write-host "The script has finished."
stop-transcript

Now on our master image we created a folder in C:\windows\Scripts\ and created the script above as fslogixprereq.ps1


Then created the following script in Nerdio 





Start-transcript c:\temp\nerdioscript.txt
$TaskName = "FsLogixPrereqTask"
$TaskDescription = "Runs FsLogix prerequisite script as SYSTEM"
$ScriptPath = "C:\Windows\Scripts\FsLogixPrereq.ps1"
# Ensure the script path exists
if (!(Test-Path $ScriptPath)) {
    Write-Host "Error: Script not found at $ScriptPath"
    exit 1
}
# Get the current time and add 1 minute for scheduling
$TriggerTime = (Get-Date).AddMinutes(1)
# Ensure a valid DateTime value
if ($TriggerTime -eq $null) {
    Write-Host "Error: Failed to get a valid scheduled time."
    exit 1
}
# Define the action to run the script
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -File `"$ScriptPath`""
# Ensure Action is valid
if ($Action -eq $null) {
    Write-Host "Error: Failed to create task action."
    exit 1
}
# Create a one-time trigger
$Trigger = New-ScheduledTaskTrigger -Once -At $TriggerTime
# Ensure Trigger is valid
if ($Trigger -eq $null) {
    Write-Host "Error: Failed to create task trigger."
    exit 1
}
# Set task to run as SYSTEM
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
# Create the scheduled task
$Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -Description $TaskDescription
# Ensure Task is valid
if ($Task -eq $null) {
    Write-Host "Error: Failed to create scheduled task object."
    exit 1
}
# Register the scheduled task
try {
    Register-ScheduledTask -TaskName $TaskName -InputObject $Task -Force
    Write-Host "Scheduled task '$TaskName' created successfully."
} catch {
    Write-Host "Error: Failed to register the scheduled task. $_"
    exit 1
}
Stop-transcript

This will create a scheduled task on the host to run the script we previously created.


There's a few different ways we could have done this for example using PSExec, manually but the idea is that if we ever replace the hosts the scripts will run against the new host and the host will be ready for production with minimal intervention.


To fully automate this solution configure the following settings


Now every time a host is deployed it will run the script.



That's it, the script in C:\windows\scripts will be deleted once it runs to avoid leaving the storage access key in the machine so if you ever wish to rotate that key you will have to update it in the master image and redeploy the host.


You can now see in the FSLogix logs that a .vhdx was created and mounted and if you make changes to your profile like changing the background colour they will persist.



I think it's worth mentioning the two sources of inspiration for this solution.





Comments

Never Miss a Post.
Subscribe Now!

Thanks for submitting!

  • Youtube
  • Grey Twitter Icon
Tech Talk Lockup.png
bottom of page