Use Azure Files with Entra ID Joined Method for AVD
This is a workaround until Microsoft fully supports Entra ID with Kerberos. Compared with Azure Blob Storage (page blobs via Cloud Cache), Azure Files Premium performs much better and supports backups in Nerdio Manager.
Note: If your session hosts run Windows 11 and you use this method, Credential Guard (enabled by default on Windows 11 Enterprise 22H2 and later on eligible devices) blocks credentials saved with cmdkey.exe, so the StorageAccountKey disappears from Windows Credentials. See this Microsoft article for more details: Credential Guard overview - Windows Security | Microsoft Learn.
For this method, complete the following steps:
Step 1: Create the Required Azure Resources
The first step is to create the required Azure resources. This includes a storage account and a file share in that storage account.
To create a storage account:
1. At the Account level, navigate to Azure Files and select Add Azure Files.
2. Enter the following information:
   Storage account: Enter the name for a new storage account, and then under the field, select Create [your account name] as new Storage account.
   Notes:
   The storage account name must be globally unique across all of Azure, not just within the region.
   It must contain no more than 15 characters, using only lowercase letters and numbers, with no special characters or spaces.
   Resource group: From the drop-down list, select the resource group for the new storage account and file share.
   Location: Select the Azure region where this storage account and file share should be created.
   Note: For AVD host pools, the region must be the same as the one used for the AVD session host VMs.
   Performance: From the drop-down list, select the performance tier for the Azure Files share.
   Tip: Select Premium for the best user experience.
   Redundancy: From the drop-down list, select the redundancy setting for the share.
   Note: For a file share with the Premium performance tier, only the following options are available:
   Locally redundant storage (LRS): Copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option, but it is not recommended for environments that require high availability or durability.
   Zone redundant storage (ZRS): Copies your data synchronously across three Azure availability zones in the primary region.
   File Share name: Define the name for the file share.
   Provisioned Capacity (GiB): Enter the provisioned capacity. A Premium file share must be at least 100 GiB.
   Permissions (SMB Share Contributors): Specify the users, groups, and/or security groups that should hold the Storage File Data SMB Share Contributor role on the share.
   Notes:
   This role is required for read / write access to the share.
   If you do not have the group provisioned yet, the field can remain undefined.
   Add users / groups from host pools: From the drop-down list, select one or more users / groups currently assigned to these host pools to be given the Storage File Data SMB Share Contributor role on the share.
   Join to AD: Clear this option so that the storage account is not joined to Active Directory. With this method the session hosts authenticate to the share with the storage account key, not with AD identities.
   Enable SMB Multichannel: Select this option to improve Azure Files Premium performance.
   Note: Azure Files SMB Multichannel lets clients use multiple network connections for increased performance. The gain comes from aggregating bandwidth over multiple NICs and from using Receive Side Scaling (RSS) support in the NICs to distribute the IO load across multiple CPUs.
3. Select OK.
4. Copy the UNC path for the new file share:
   At the Account level, go to Azure Files.
   From the action menu next to the file share, select Copy UNC path.
   Paste the UNC path into Notepad; you need it later in the script and in the FSLogix configuration.
Once you have created the storage account and the file share in it, copy the StorageAccountKey that the script needs.
To copy the StorageAccountKey:
1. In the Azure portal, navigate to Storage accounts, and then select the storage account you created.
2. In the left blade, under Security + networking, select Access keys.
3. Under key1, copy the Key value and paste it into Notepad.
Note: A storage account key grants full access to every service in the storage account, not only to this share, and it does not rotate on its own. Treat it as a privileged secret: restrict who can view the scripted action that embeds it, and if it is exposed, regenerate key1 in the Azure portal and update the scripted action before re-imaging or restarting the hosts.
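The same resources can be created outside the Nerdio UI. The following Az PowerShell script is an added example and is not part of this article or of Nerdio Manager; it creates a Premium, zone-redundant account with SMB Multichannel, a 100 GiB share, the share-scoped role assignment, and then retrieves the two values the later steps need. All names (resource group, account, share) and the group object ID are hypothetical placeholders.

```powershell
# Added example, not Nerdio's code: Step 1 performed with Az PowerShell (Az.Accounts, Az.Storage, Az.Resources).
# Every name and ID below is a hypothetical placeholder; replace them with your own values.
$ResourceGroup    = 'rg-avd-profiles'                         # hypothetical
$Location         = 'westeurope'                              # must match the session host region
$AccountName      = 'aadjazfilesexample'                      # max 15 chars, lowercase letters and digits only
$ShareName        = 'fslogix'                                 # hypothetical
$QuotaGiB         = 100                                       # Premium shares start at 100 GiB
$SmbGroupObjectId = '00000000-0000-0000-0000-000000000000'    # hypothetical Entra ID group object ID

# Premium file storage account (Kind FileStorage) with zone-redundant storage; TLS 1.2 minimum for SMB over REST management.
$account = New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName `
    -Location $Location -SkuName 'Premium_ZRS' -Kind 'FileStorage' -MinimumTlsVersion 'TLS1_2'

# SMB Multichannel is a file-service property of the account, not of the share.
Update-AzStorageFileServiceProperty -ResourceGroupName $ResourceGroup -StorageAccountName $AccountName `
    -EnableSmbMultichannel $true | Out-Null

# The provisioned share itself.
$share = New-AzRmStorageShare -ResourceGroupName $ResourceGroup -StorageAccountName $AccountName `
    -Name $ShareName -QuotaGiB $QuotaGiB

# Data-plane RBAC scoped to this share only (the role the Permissions field assigns in Nerdio).
New-AzRoleAssignment -ObjectId $SmbGroupObjectId `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope $share.Id | Out-Null

# The values Step 2 and Step 3 need: UNC path and key1.
$unc  = "\\$AccountName.file.core.windows.net\$ShareName"
$key1 = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName)[0].Value
"UNC path: $unc"
# $key1 is a full-control secret for the whole account: do not echo it to a shared console or transcript;
# paste it straight into the scripted action and clear the variable afterwards.
Remove-Variable key1
```

Scoping the role assignment to `$share.Id` rather than to the account keeps the group's data-plane rights to this one share, which is the least-privilege choice when the account later hosts other shares.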
Step 2: Create a Scripted Action in Nerdio Manager
The next step is to create a scripted action that stores the storage account key in Windows Credential Manager on each Entra ID joined session host, so the host can mount the SMB share without Active Directory.
To create the scripted action:
1. In Nerdio Manager, at the Account level, navigate to Scripted Actions > Windows scripts.
2. Select Add scripted action.
3. Enter the following information:
   Name: Type AADJWindowsCredentialManager.
   Description: Type the script's description.
   Tags: From the drop-down list, select optional tags for the script. These tags are used for searching and organization.
   Script Execution Mode: From the drop-down list, select Individual with restart.
   Script: Paste the following script into the field. Replace [[STORAGE ACCOUNT FQDN]] with <storage account name>.file.core.windows.net, [[STORAGE ACCOUNT NAME]] with the storage account name, and [[STORAGE ACCOUNT KEY]] with the key1 value you copied.
cmdkey.exe /add:[[STORAGE ACCOUNT FQDN]] /user:localhost\[[STORAGE ACCOUNT NAME]] /pass:[[STORAGE ACCOUNT KEY]]

# Create the policy key if it does not exist
if (-not (Test-Path "HKLM:\Software\Policies\Microsoft\AzureADAccount")) {
    New-Item -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Force | Out-Null
}
# Add or update the DWORD value that tells Windows to load the credential key from the profile
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -Value 1 -PropertyType DWord -Force | Out-Null
For example:
cmdkey.exe /add:aadjazfileswinhart.file.core.windows.net /user:localhost\aadjazfileswinhart /pass:h/0xqVkR6V5KaJNoFWEYCXSwP5kXjXLcTXViWrbFqfskMLvmlizotlBRLFw+f6HEupw5cKw0IKvV+AStMO632Q==

# Create the policy key if it does not exist
if (-not (Test-Path "HKLM:\Software\Policies\Microsoft\AzureADAccount")) {
    New-Item -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Force | Out-Null
}
# Add or update the DWORD value
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -Value 1 -PropertyType DWord -Force | Out-Null
Important: For Windows 11-based desktop images, additionally add the following line to the bottom of the script:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 0 -PropertyType DWord -Force | Out-Null
This sets LsaCfgFlags to 0, which disables Credential Guard (enabled by default on Windows 11 Enterprise 22H2 and later on eligible devices) so that the credential saved with cmdkey.exe is no longer blocked; the change takes effect after the restart that the Individual with restart execution mode performs. Understand the trade-off: the host loses the isolation Credential Guard gives to credentials held by LSASS, so apply this only to hosts that need the workaround. If Credential Guard was enabled with UEFI lock, changing the registry value alone does not turn it off.
Once you have entered all the desired information, select OK.
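When a host provisioned with this scripted action still fails to attach profiles, the usual causes are Credential Guard having blocked the cmdkey step, the credential living in a different logon session's vault than the one you are checking from, or TCP 445 being blocked on the path to Azure Files. The following diagnostic script is an added example, not part of this article or of Nerdio's scripted action; it checks each prerequisite the scripted action relies on and reports them together. The account and share names are hypothetical placeholders.

```powershell
# Added diagnostic (not Nerdio's code): checks every prerequisite the AADJWindowsCredentialManager script depends on.
# Run it in the same security context the scripted action ran in (SYSTEM, e.g. via psexec -s), because
# Credential Manager is per logon session: a credential saved by SYSTEM is not visible from a user session.
param(
    [string]$StorageAccount = 'aadjazfileswinhart',   # hypothetical; use your storage account name
    [string]$ShareName      = 'fslogix'               # hypothetical; use your share name
)
$fqdn   = "$StorageAccount.file.core.windows.net"
$result = [ordered]@{}

# 1. Credential Guard state: Win32_DeviceGuard.SecurityServicesRunning contains 1 while Credential Guard runs.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
$result.CredentialGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

# 2. Registry values the scripted action writes (LsaCfgFlags only matters on Windows 11 images).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue
$result.LsaCfgFlags = if ($null -ne $lsa) { $lsa.LsaCfgFlags } else { 'not set' }
$aad = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\AzureADAccount' -Name 'LoadCredKeyFromProfile' -ErrorAction SilentlyContinue
$result.LoadCredKeyFromProfile = if ($null -ne $aad) { $aad.LoadCredKeyFromProfile } else { 'not set' }

# 3. Is the saved credential present in this context's vault? cmdkey /list prints "Target: Domain:target=<fqdn>".
$result.CredentialStored = [bool]((cmdkey.exe /list) | Where-Object { $_ -match [regex]::Escape($fqdn) })

# 4. Outbound SMB (TCP 445) to the Azure Files endpoint; NSGs, firewalls and many ISPs block it.
$tcp = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
$result.Port445Open = $tcp.TcpTestSucceeded

# 5. Can the share root actually be listed with the stored credential?
$result.ShareAccessible = Test-Path -Path "\\$fqdn\$ShareName"

$summary = [pscustomobject]$result
$summary | Format-List

if ($summary.CredentialGuardRunning -and -not $summary.CredentialStored) {
    Write-Warning 'Credential Guard is running and no credential is stored: the cmdkey step was blocked. See the Windows 11 note in Step 2.'
}
if (-not $summary.Port445Open) {
    Write-Warning "TCP 445 to $fqdn is blocked; FSLogix cannot mount the share regardless of credentials."
}
```

A host that reports CredentialGuardRunning = True together with CredentialStored = False has hit exactly the Windows 11 problem described above, whereas CredentialStored = True with ShareAccessible = False usually means the key was rotated after the image was built or the network path is blocked.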
Step 3: Configure the FSLogix Profile
This step focuses on deploying the FSLogix profile per account. This method allows you to create a single FSLogix policy that you can reuse across multiple host pools within an individual account.
Note: For details on how to customize the FSLogix profile for an individual host pool, or deploy a global FSLogix profile, see FSLogix Settings and Configuration.
To configure FSLogix settings for an account:
1. At the Account level, navigate to Settings > Integrations.
2. In the FSLogix Profiles storage tile, select Add.
3. Enter the following information:
   Name: Enter the FSLogix profile name.
   Global profile: Select Skip use of Global configuration so that none of the existing global profile settings are applied to this profile.
   Use Cloud Cache: Select this option to enable FSLogix Cloud Cache.
   Note: Cloud Cache allows you to specify multiple profile storage locations. It asynchronously replicates the profiles and makes them available in multiple storage locations at the same time, so if one location is unavailable the session host automatically fails over to an alternate location. To learn more, see Cloud Cache Overview.
   Warning: For performance reasons, it is strongly recommended that your storage is configured to use Premium SSD disks when Cloud Cache is enabled. Standard SSD disks might be sufficient only in very small environments or for testing scenarios.
   Use Azure Page Blobs: When using Cloud Cache, select this option to store user profiles in storage account blob containers. These containers are accessed using storage account access keys, so the same key-handling precautions apply.
   Configure session hosts registry for Microsoft Entra Joined storage: Select this option to enable the Entra ID Kerberos functionality and Entra ID account credentials loading. To learn more, see Enable the Microsoft Entra Kerberos functionality.
   Exclude the Nerdio stored admin account from FSLogix: Select this option to prevent the local admin's profile from being created in the FSLogix storage location.
   Exclude the domain admin account from FSLogix: Select this option to prevent the domain admin's profile from being created in the FSLogix storage location.
   Note: When FSLogix is having issues on a session host, you can still sign in with the excluded local admin or domain admin account for troubleshooting purposes.
   Domain admin username: Provide the domain admin username.
   FSLogix version: From the drop-down list, select the FSLogix version you want to install across the session hosts within that single account.
   Note: By default, the most recent FSLogix version is predefined and marked as "Latest". You can select the latest version or any older version, as your requirements dictate.
   Warning: The version you select can only be installed if your session hosts are created from a desktop image with no FSLogix app pre-installed. Otherwise, the version you define in this field is ignored.
   FSLogix Profiles path (VHDLocation): Enter the file share UNC path that you copied in Step 1.
   Note: To copy the UNC path: at the Account level, go to Azure Files, and from the action menu next to the file share you created, select Copy UNC path.
   FSLogix Registry Options: From the drop-down list, select whether to work with Common settings or All settings of the FSLogix installation, and modify the configuration as needed.
   Under All settings, change the AccessNetworkAsComputerObject registry option from Not configured to 1. With this value FSLogix accesses the share as the computer (SYSTEM) context, which is the context the scripted action runs in and therefore where the storage account key was stored.
   Configure Office Container to redirect Microsoft Office user data: Enable this option to redirect only those areas of the profile that are specific to Microsoft Office.
   Note: Office Containers separate Microsoft Office data (for example, OST files) from the overall user profile for easier troubleshooting. Office Containers and Profile Containers are stored in separate VHDX files, and can be stored on different file shares. See this Microsoft article for details.
   FSLogix ODFC container path (VHDLocation): Enter the file share UNC path that you previously copied.
   FSLogix ODFC container Registry Options: From the drop-down list, select whether to work with Common settings or All settings of the FSLogix configuration that is applied when a session host VM is provisioned and FSLogix is installed. Modify the configuration as needed.
   Note: The settings you define for FSLogix ODFC container Registry Options must match the FSLogix Registry Options settings defined earlier.
   Redirections: Enable this option to enter the redirections that you want to include in the profile for reuse across customer accounts.
   Note: See this Microsoft article for more information about redirections.
4. Once you have entered all the desired information, select OK.
Notes:
You can add DWORD values in the format "ValueName"=dword:ValueData (example: "ProfileType"=dword:00000003).
You can add string values in the format "ValueName"="ValueData" (example: "VolumeType"="vhdx").
These values are added under the HKLM\SOFTWARE\FSLogix\Profiles key. See the above link for Microsoft documentation on the FSLogix profile container registry reference.
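To make the effect of the fields above concrete, the following script is an added example (not Nerdio's code and not something this article asks you to run): it writes the registry state that the profile container and ODFC container settings produce on a session host, and then checks that the two containers agree, which is the requirement stated in the note on FSLogix ODFC container Registry Options. The UNC path is a hypothetical placeholder; the profile container reads HKLM\SOFTWARE\FSLogix\Profiles and the Office container reads HKLM\SOFTWARE\Policies\FSLogix\ODFC.

```powershell
# Added example, not Nerdio's code: the registry configuration Step 3 produces, written directly,
# plus a consistency check between the profile container and the ODFC container.
$VhdLocation = '\\aadjazfileswinhart.file.core.windows.net\fslogix'   # hypothetical UNC path

$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'          # profile container settings
$OdfcKey     = 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC'     # Office container settings

# Settings that must agree between the two containers.
$Shared = @{
    Enabled                       = 1
    VHDLocations                  = $VhdLocation
    VolumeType                    = 'vhdx'
    AccessNetworkAsComputerObject = 1      # access the share as SYSTEM, where cmdkey stored the key
    SizeInMBs                     = 30000
    IsDynamic                     = 1
}

function Set-FslogixValues {
    param([string]$Key, [hashtable]$Values)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        # DWORD for numeric settings, REG_SZ for paths and names (the two formats the Notes above describe)
        $type = if ($Values[$name] -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $Key -Name $name -Value $Values[$name] -PropertyType $type -Force | Out-Null
    }
}

function Test-FslogixContainerConsistency {
    param([string]$ProfilesKey, [string]$OdfcKey, [string[]]$Names)
    $p = Get-ItemProperty -Path $ProfilesKey -ErrorAction Stop
    $o = Get-ItemProperty -Path $OdfcKey -ErrorAction Stop
    $mismatch = foreach ($n in $Names) {
        if ("$($p.$n)" -ne "$($o.$n)") { "{0}: Profiles='{1}' ODFC='{2}'" -f $n, $p.$n, $o.$n }
    }
    return $mismatch   # empty when the two containers are consistent
}

Set-FslogixValues -Key $ProfilesKey -Values $Shared
Set-FslogixValues -Key $OdfcKey     -Values $Shared

$diff = Test-FslogixContainerConsistency -ProfilesKey $ProfilesKey -OdfcKey $OdfcKey -Names @($Shared.Keys)
if ($diff) { Write-Warning ("ODFC settings differ from profile settings:`n" + ($diff -join "`n")) }
else       { 'Profile and ODFC container settings are consistent.' }
```

Run the check function on its own against a host that Nerdio has already configured to confirm that the Registry Options entered in the two sections really did land as matching values.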
Step 4: Configure the VM Deployment
The next step is to configure the VM deployment settings per host pool.
Note: To complete the VM deployment steps, you need to have a host pool created. To create a host pool, see:
To configure the VM deployment:
1. At the Account level, navigate to AVD > Host Pools.
2. Locate the host pool you wish to work with.
3. From the action menu, select Properties > VM Deployment.
4. In the Scripted Actions section, enter the following information:
   Run Scripted actions when host VM is CREATED: Enable this option.
   Run Scripted actions when host VM is STARTED: Enable this option.
   Windows scripts: From the drop-down list, select AADJWindowsCredentialManager.
5. Once you have entered all the desired information, select Save or Save & close.
Note: Because the script also runs each time a host is started, the stored credential is re-applied on every start. If you rotate the storage account key, update the key in the scripted action first, otherwise the next start writes the old key back.
Note: For the changes to take effect, you must re-image the host pool. For details, see Update a Desktop Image and Hosts.
Important! Nerdio now offers Enhanced Support to assist partners with out-of-scope scenarios. To learn more, see Nerdio Enhanced Support. For additional details or to sign up, contact your Partner Sales Manager.