Introduction

Azure Virtual Desktop (AVD) is modernizing desktop deployment by offering a scalable and secure cloud-based workspace. However, configuration and deployment can become intricate for specific scenarios, especially those pushing the boundaries of traditional AVD functionality. Thankfully, AVD offers straightforward solutions for most common use cases. But what about those niche situations that require a more creative approach?

Today, we’ll delve into one such scenario: using cloud-only accounts within AVD and leveraging FSLogix for user profile management. This specific configuration currently lacks official Microsoft support, though they’ve hinted at future integration. The challenge lies in the inherent requirement of FSLogix to connect to an Azure Active Directory (AAD) tenant that’s synchronized with either a traditional Active Directory (AD) or Azure AD Domain Services (AAD DS). This dependency poses a limitation for those relying solely on cloud identities managed through a Microsoft Entra ID tenant.

But fear not! This blog post will unveil a workaround that allows you to leverage the combined power of cloud-only accounts with AVD and FSLogix, all without the need for a traditional AD or AAD DS environment. We’ll guide you through the configuration steps, enabling you to unlock the benefits of persistent user profiles even within a cloud-only AVD deployment.

Part 1: Creating a Storage account to store Profile Containers

The first step is to create a storage account that will host our profile containers. When creating the storage account, make sure to set the account type to Premium File Shares as shown in the screenshot below.

After creating the storage account, create a file share to host the AVD users’ profile containers. In my case, I have created a file share named “profiles”.

After creating the file share, click on Connect and then on Show script.

Make a copy of the script and save it to a location we can access later; we will need it in Part 2.

Important: For Azure Virtual Desktop (AVD) host pool virtual machines, ensure they are joined to a Microsoft Entra ID tenant, not an Active Directory domain.

Part 2: Prepare the PowerShell script to configure the host pool virtual machines to use FSLogix.

Let’s retrieve the connection script we saved from the file share’s Connect dialog when we created the storage account.

Extract the file share endpoint, which in my case is azurevirtualdesktop2024.file.core.windows.net, and assign it to the $fileShare variable.

For the $user variable, extract the user name from the connection script, which is localhost\azurevirtualdesktop2024.

Lastly, take the key provided in the pass parameter of the connection script and assign it to the $accesskey variable.

# Display a message indicating the start of FSLogix configurations
write-host "Starting FSLogix configurations"

# Define the file share location on Azure
$fileShare=""
# Construct the profile file share path using the defined file share location
$profilefileShare="\\$($fileShare)\profiles"
# Define the user for the Azure Virtual Desktop
$user=""
# Define the access key for the Azure Virtual Desktop
$accesskey=""

# Create a new registry key for FSLogix under SOFTWARE, ignore if it already exists
New-Item -Path "HKLM:\SOFTWARE" -Name "FSLogix" -ErrorAction Ignore
# Create a new registry key for Profiles under FSLogix, ignore if it already exists
New-Item -Path "HKLM:\SOFTWARE\FSLogix" -Name "Profiles" -ErrorAction Ignore
# Enable FSLogix Profiles
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "Enabled" -Value 1 -force
# Set the location for VHD files
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "VHDLocations" -Value $profilefileShare -force
# Allow concurrent user sessions
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "ConcurrentUserSessions" -Value 1 -force
# Delete the local profile when a VHD should be applied
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "DeleteLocalProfileWhenVHDShouldApply" -Value 1 -force
# Change the profile directory name on each login/logout
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "FlipFlopProfileDirectoryName" -Value 1 -force
# Enable dynamic VHD(X) disk type
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "IsDynamic" -Value 1 -force
# Do not keep a local copy of the profile directory
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "KeepLocalDir" -Value 0 -force
# Set the profile type to 0 (normal direct-access profile)
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "ProfileType" -Value 0 -force
# Set the maximum size of the VHD(X) in MBs
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "SizeInMBs" -Value 40000 -force
# Set the disk type to VHDX
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "VolumeType" -Value "VHDX" -force
# Access the network as a computer object
New-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name "AccessNetworkAsComputerObject" -Value 1 -force

# Add the storage account credentials to the Windows Credential Manager
cmdkey.exe /add:$fileShare /user:$($user) /pass:$($accesskey)
# Turn off Windows Defender Credential Guard, this step is only necessary for Windows 11 22H2
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 0 -force
write-host "FSLogix has been configured successfully"

Part 3: Configuring FSLogix on Host Pool virtual machines

Note: this script needs to be run on each virtual machine in the host pool separately.

Once we have prepared the PowerShell script, we can run it on our host pool. To do so, we need to select the virtual machine that is part of the host pool from the Azure portal. Then, under the Operations section, we should choose “Run Command” and select “RunPowerShellScript”. We need to copy the script into the indicated box and hit “run”. After the script has been executed, we should see a message in the output section confirming that FSLogix has been configured successfully.

After configuring each virtual machine in the host pool, I will access the AVD virtual desktop. As you can see from the initial loading, the FSLogix profile is being processed.

Let’s verify if the profile containers are created in the file share. It appears that my profile container has been created successfully.
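Before testing a sign-in, it helps to confirm on each session host that the configuration actually landed. The following verification script is an added example, not part of the original post: it compares the registry values, SMB reachability and stored credential against what the Part 2 script sets. It assumes $fileShare is the same storage endpoint used above and that the share is named “profiles”.

```powershell
# Added verification script (not from the original post). Run it the same way as the
# configuration script (Azure portal Run Command, which executes as SYSTEM) so the
# cmdkey check looks in the same Credential Manager store.
param(
    [Parameter(Mandatory)] [string] $fileShare,   # assumed: <account>.file.core.windows.net
    [string] $shareName = "profiles"
)

# Values the configuration script writes under HKLM:\SOFTWARE\FSLogix\Profiles
$expected = @{
    Enabled                              = 1
    VHDLocations                         = "\\$fileShare\$shareName"
    ConcurrentUserSessions               = 1
    DeleteLocalProfileWhenVHDShouldApply = 1
    FlipFlopProfileDirectoryName         = 1
    IsDynamic                            = 1
    KeepLocalDir                         = 0
    ProfileType                          = 0
    SizeInMBs                            = 40000
    VolumeType                           = "VHDX"
    AccessNetworkAsComputerObject        = 1
}

$actual = Get-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -ErrorAction SilentlyContinue
$results = @(foreach ($name in $expected.Keys) {
    $value = if ($null -ne $actual) { $actual.$name } else { $null }
    [pscustomobject]@{ Check = "Registry: $name"; Expected = $expected[$name]
                       Actual = $value; Pass = ("$value" -eq "$($expected[$name])") }
})

# Azure Files is reached over SMB, so TCP 445 must be open from the session host
$smb = Test-NetConnection -ComputerName $fileShare -Port 445 -WarningAction SilentlyContinue
$results += [pscustomobject]@{ Check = "TCP 445 to $fileShare"; Expected = $true
                               Actual = $smb.TcpTestSucceeded; Pass = $smb.TcpTestSucceeded }

# cmdkey stored the storage account key in the running account's Credential Manager
$hasCred = [bool]((cmdkey.exe /list) -match [regex]::Escape($fileShare))
$results += [pscustomobject]@{ Check = "Credential Manager entry for $fileShare"
                               Expected = $true; Actual = $hasCred; Pass = $hasCred }

# The configuration script sets LsaCfgFlags=0 (Credential Guard off) on Windows 11 22H2;
# report the current value so that trade-off stays visible in the output
$lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LsaCfgFlags -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = "LsaCfgFlags (Credential Guard)"; Expected = 0
                               Actual = $lsa.LsaCfgFlags; Pass = ($lsa.LsaCfgFlags -eq 0) }

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 } else { exit 0 }
```

A non-zero exit code in the Run Command output means at least one row failed; the table shows which value differs from what Part 2 writes.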

Conclusion

This blog post explores a way to configure FSLogix for persistent user profiles in an Azure Virtual Desktop (AVD) environment that uses cloud-only accounts with Microsoft Entra ID.

While FSLogix traditionally relies on Active Directory (AD) or Azure AD Domain Services (AAD DS), this workaround enables its functionality without them.

The key steps involve:

  1. Creating a storage account in Azure to store user profile containers.
  2. Preparing a PowerShell script to configure FSLogix on the AVD host pool VMs. This script sets registry keys and stores storage account credentials.
  3. Running the script on each VM in the host pool.
LaythCHEBBI http://laythchebbi.com

Cloud Security Consultant | Microsoft Cybersecurity & Azure Solutions Architect | Certified Ethical Hacker
