FSLogix Profiles with Microsoft EntraID only and Nerdio

If like me you have to configure Azure Virtual Desktop (AVD) for a customer with no On-Premises presence or without Active Directory Domain Services (ADDS) running in their Azure tenant you are posed with a problem.

The problem:

FSLogix relies on file shares and Kerberos for authentication and Microsoft EntraID doesn't natively support Kerberos.

The Solution:

There's a couple of posts out there that document how to workaround this including the Microsoft official documentation. This post will explain the steps we used to get this working while using Nerdio, please note this was Nerdio NMM and while its relevant to NME the consoles can be slightly different.

Assumptions:

• You know your way around Nerdio.

• You have a Master/Base Image

• You have appropriate permissions for Nerdio the Master Image and Azure Portal

High-Level Steps

1. Create Storage Account

2. Create SMB Share

3. Gather details

4. Configure FSLogix Profile in Nerdio

5. Create the necessary PS scripts

6. Automate the solution with Nerdio

How To:

1- Create a Storage Account in the same Region as the AVD deployment

Navigate to the Azure Portal > Storage Accounts

Note: Microsoft recommends Premium Storage for FSLogix Profiles

Under Networking select "Enabled from selected virtual networks and IP addresses" and then select the network used for your AVD, this will prevent access to the FSLogix share from all public networks.

Now that you have a storage account we can create the FSLogix file share

Under Data Storage > File Share, click + File Share

Give it a name and enough space for the number of profiles you're storing. Make sure SMB is selected under protocol.

Now that we have a storage account and a file share the next step is to collect some info so we can configure access to it from the AVD hosts.

We need to collect the following.

Internet or network address: <FQDN of your storage account e.g. auxlabfslogix.file.core.windows.net>

This will be whatever you called your storage account followed by .file.core.windows.net

User name: localhost\<StorageAccountName e.g. localhost\auxlabfslogix>

Password: <Storage account access key>

You can find that here

So you will end up with something like this on a notepad

auxlabfslogix.file.core.windows.net

localhost\auxlabfslogix

hXsIUYFG06O9jTcEZhlEvUdLH3K9086asdf987adsf56f7985da8o29v4Pux8Df+Mcx2W1ZpidteAUomvpbC+AS0as98d7as8d90d==

There's a few different ways to achieve the next step I wanted it to be as hands free as possible so I used Nerdio as much as I could. I've configured the FSLogix settings in Nerdio then used some scripts to configure the rest on the master image during Host deployment.

You can create a FSLogix Profile under Settings > Integrations and clicking add as highlighted

You can configure the FSLogix setting as you see fit but the highlighted are recommended by MS and AccessNetworkasComputerObject is a requirement for this to work. I also recommend using the "VHDCompactDisk 1" as it prevents profiles from bloating over time.

The only missing thing for this to work is to create a credential in the AVD host for the storage account.

To do this we will run the following script

start-transcript c:\temp\fslprereq.txt

#Script to run in System account context using a Scheduled Task

write-host "Configuring FSLogix pre-reqs"

$fileServer="auxlabfslogix.file.core.windows.net"

$profileShare="\\$($fileServer)\profiles"

$user="localhost\oakminsterfslogix"

$secret="is9kjgasd98756Ufa8P6YKJNXMIXD8Nn14UFt9876asflbjk34HGuvtJxE5UnPONRYqMbr3Ugc-097gdskljb0Q=="

# Include credentials in the profile

New-Item -Path "HKLM:\Software\Policies\Microsoft" -Name "AzureADAccount" -ErrorAction Ignore

New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -Value 1 -force

# Store credentials to access the storage account

cmdkey.exe /add:$fileServer /user:$($user) /pass:$($secret)

# Disable Windows Defender Credential Guard (only needed for Windows 11 22H2)

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 0 -force

remove-item c:\windows\scripts\fslogixprereq.ps1

write-host "The script has finished."

stop-transcript

Now on our master image we created a folder in C:\windows\Scripts\ and created the script above as fslogixprereq.ps1

Then created the following script in Nerdio

Start-transcript c:\temp\nerdioscript.txt

$TaskName = "FsLogixPrereqTask"

$TaskDescription = "Runs FsLogix prerequisite script as SYSTEM"

$ScriptPath = "C:\Windows\Scripts\FsLogixPrereq.ps1"

# Ensure the script path exists

if (!(Test-Path $ScriptPath)) {

    Write-Host "Error: Script not found at $ScriptPath"

    exit 1

}

# Get the current time and add 1 minute for scheduling

$TriggerTime = (Get-Date).AddMinutes(1)

# Ensure a valid DateTime value

if ($TriggerTime -eq $null) {

    Write-Host "Error: Failed to get a valid scheduled time."

    exit 1

}

# Define the action to run the script

$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -File `"$ScriptPath`""

# Ensure Action is valid

if ($Action -eq $null) {

    Write-Host "Error: Failed to create task action."

    exit 1

}

# Create a one-time trigger

$Trigger = New-ScheduledTaskTrigger -Once -At $TriggerTime

# Ensure Trigger is valid

if ($Trigger -eq $null) {

    Write-Host "Error: Failed to create task trigger."

    exit 1

}

# Set task to run as SYSTEM

$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount

# Create the scheduled task

$Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -Description $TaskDescription

# Ensure Task is valid

if ($Task -eq $null) {

    Write-Host "Error: Failed to create scheduled task object."

    exit 1

}

# Register the scheduled task

try {

    Register-ScheduledTask -TaskName $TaskName -InputObject $Task -Force

    Write-Host "Scheduled task '$TaskName' created successfully."

} catch {

    Write-Host "Error: Failed to register the scheduled task. $_"

    exit 1

}

Stop-transcript

This will create a scheduled task on the host to run the script we previously created.

There's a few different ways we could have done this for example using PSExec, manually but the idea is that if we ever replace the hosts the scripts will run against the new host and the host will be ready for production with minimal intervention.

To fully automate this solution configure the following settings

Now every time a host is deployed it will run the script.

That's it, the script in C:\windows\scripts will be deleted once it runs to avoid leaving the storage access key in the machine so if you ever wish to rotate that key you will have to update it in the master image and redeploy the host.

You can now see in the FSLogix logs that a .vhdx was created and mounted and if you make changes to your profile like changing the background colour they will persist.

I think it's worth mentioning the two sources of inspiration for this solution.

Store FSLogix profile containers on Azure Files using Microsoft Entra ID. - FSLogix | Microsoft Learn

Using FSLogix file shares with Azure AD cloud identities in Azure Virtual Desktop - cloud-only, AVD | ITProCloud Blog