Use Azure Files with Entra ID joined method for AVD
This is a workaround until Microsoft fully supports Entra ID with Kerberos. Instead of using Azure Blob Storage, Azure Files Premium can run much faster and supports backups in Nerdio Manager.
Warning: For Azure Virtual Desktop, if your session hosts are running Windows 11 22H2 or later, Windows Defender Credential Guard automatically removes the StorageAccountKey from Windows Credential Manager each time a session host is stopped (deallocated). For more details, see Credential Guard overview - Windows Security.
For this method, complete the following steps:
Step 1: Create the required Azure resources
The first step is to create the required Azure resources. This includes a storage account and a file share in that storage account.
To create the required Azure resources:
At the account level, navigate to Azure Files and select Add Azure Files.
In the new dialog box, enter the following information:
Storage account: Enter the name for a new storage account, and then under the field, select Create [your account name] as new Storage account.
Notes:
The storage account name must be globally unique to the Azure region.
It must be no more than 15 characters long and contain only lowercase letters and numbers, with no special characters or spaces.
Resource group: From the drop-down list, select the resource group for the newly created storage account and file share.
Location: Select the Azure region where this storage account and file share should be created.
Note: For AVD host pools, the region must be the same as for AVD session host VMs.
Performance: From the drop-down list, select the performance tier for the Azure Files share.
Tip: It is recommended that you select Premium for the best user experience.
Redundancy: From the drop-down list, select the redundancy setting for the share.
Note: For the file share with the Premium performance tier, only the following options are available:
Locally redundant storage (LRS): Copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option, but it isn't recommended for environments requiring high availability or durability. It provides the lowest cost with basic protection against server rack and drive failures, and is recommended for non-critical scenarios.
Zone redundant storage (ZRS): Copies your data synchronously across three Azure availability zones in the primary region. It provides protection against datacenter-level failures, and is recommended for high availability scenarios.
File Share name: Define the name for the file share.
Provisioned capacity (GiB): Enter the size of the provisioned capacity. It should exceed 100 GB.
Permissions (SMB Share Contributors): Specify the users, groups, and/or security groups to be assigned the Storage File Data SMB Share Contributor role on the share.
Notes:
This is required for read / write access to the share.
If you don't have the group provisioned yet, the field can remain undefined.
Add users / groups from host pools: From the drop-down list, select one or more host pools and users / groups currently assigned to these host pools to be assigned the Storage File Data SMB Share Contributor role on the share.
Join to AD: Clear this option; with this method the storage account is not joined to Active Directory.
Enable SMB Multichannel: Select this option to improve the Azure Files Premium performance.
Note: Azure Files SMB Multichannel enables clients to use multiple network connections that provide increased performance. Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.
Select OK.
Copy the storage account name (not the file share name) and paste it to Notepad. You will later add it to a secure variable in Nerdio Manager.
Copy the UNC path of the Azure Files share, which you will need to provide in Step 4: Configure the FSLogix profile:
Next to the Azure Files share name, select the copy icon.
Paste the copied UNC path to Notepad.
Step 2: Copy the storage account key
Once you have created the new storage account and the new file share in it, copy the StorageAccountKey value. The script reads this key from a secure variable that you create in Step 3.
To copy the storage account key:
In the Azure portal, navigate to Storage accounts, and then select the name of the storage account you created.
In the left blade, in the Security + networking section, select Access keys.
Under the Key1 field, copy and then paste the key to Notepad.
Step 3: Create a scripted action with secure variables
The next step is to create the EntraIDJWindowsCredentialManager scripted action, which stores the storage account credential in Windows Credential Manager, together with the secure variables it reads.
In Nerdio Manager, at the account level, navigate to Scripted Actions > Windows scripts.
Select Add scripted action.
In the new dialog box, enter the following information:
Name: Enter EntraIDJWindowsCredentialManager.
Description: Enter the script's description.
Tags: From the drop-down list, select optional tags for the script. These tags are used for searching and organization.
Script Execution Mode: From the drop-down list, select Individual with restart.
Script: Paste the following script into the field:
# Variables: both values come from the Nerdio Manager secure variables created later in this step
$storageAccount = $SecureVars.FSlgxStorageAccount
$user = "localhost\$($storageAccount)"
$fileServer = "$storageAccount.file.core.windows.net"
$secret = $SecureVars.FSLgxSecret
# Create the local credential for the storage account so SMB connections to the share authenticate with the storage account key
cmdkey.exe /add:$($fileServer) /user:$($user) /pass:$($secret)
# Create the AzureADAccount policy key if it doesn't exist
if (-not (Test-Path "HKLM:\Software\Policies\Microsoft\AzureADAccount")) {
    New-Item -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Force | Out-Null
}
# Add or modify the property that allows the stored credential to be loaded from the profile
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -Value 1 -Type DWord -Force
# Disable Credential Guard: as noted in the warning above, it purges the stored key from Credential Manager when the session host is deallocated
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 0 -Type DWord -Force
Once you have entered all the desired information, select OK.
To add the required secure variables:
At the account level, navigate to Settings > Integrations.
Create the storage account variable:
In the Variables tile, select Add secure variable.
In the new dialog box, enter the following information:
Name: Enter FSlgxStorageAccount.
Value: Paste the storage account name that you previously saved to Notepad.
Windows scripts: Clear the All scripts option, and then select the previously created EntraIDJWindowsCredentialManager script.
Select OK.
Create the FSLogix secret variable:
In the Variables tile, select Add secure variable.
In the new dialog box, enter the following information:
Name: Enter FSLgxSecret.
Value: Paste the storage account key that you previously saved to Notepad.
Windows scripts: Clear the All scripts option, and then select the previously created EntraIDJWindowsCredentialManager script.
Select OK.
Step 4: Configure the FSLogix profile
This step focuses on deploying the FSLogix profile per account. This method allows you to create a single FSLogix policy that you can reuse across multiple host pools within an individual account.
Note: For details about how to customize the FSLogix profile for an individual host pool, or deploy a global FSLogix profile, see FSLogix settings and configuration.
To configure FSLogix settings for an account:
At the account level, navigate to Settings > Integrations.
In the FSLogix Profiles storage tile, select Add.
In the new dialog box, enter the following information:
Name: Enter the FSLogix profile name.
Global profile: Ensure Skip use of Global configuration is selected, so that none of the existing global profile settings are applied.
Use Cloud Cache: Select this option to enable the FSLogix Cloud Cache.
Note: Cloud Cache allows you to specify multiple profile storage locations. It asynchronously replicates the profiles and makes the profiles available in multiple storage locations at the same time. So, if one of the locations is not available, the session host automatically fails over to one of the alternate locations. To learn more, see Cloud Cache Overview.
Warning: For performance reasons, it is strongly recommended that your storage is configured to use Premium SSD disks when Cloud Cache is enabled. Standard SSD disks might be sufficient only in very small environments or for testing scenarios.
Use Azure Page Blobs: When using Cloud Cache, select this option to use storage account blob containers to store user profiles. These containers are accessed using storage account access keys.
Configure session hosts registry for Microsoft Entra Joined storage: Do not select this option if you are using cloud-only identities.
Note: When selected, this option enables the Entra ID Kerberos functionality for hybrid user identities. To learn more, see Enable the Microsoft Entra Kerberos functionality.
Exclude the Nerdio stored admin account from FSLogix: Select this option to prevent the local admin account's profile from being created in the FSLogix storage location.
Exclude the domain admin account from FSLogix: Select this option to prevent the domain admin account's profile from being created in the FSLogix storage location.
Note: When FSLogix is having issues on a session host, you can still sign in with the excluded local admin or domain admin account for troubleshooting purposes.
Domain admin username: Provide the domain admin username.
FSLogix version: From the drop-down list, select the FSLogix version you want to install across the session hosts within that single account.
Note: By default, the most recent FSLogix version is predefined and marked as "Latest". You can select the latest version or any older version, as per your requirements.
Warning: The version you select can be installed only if your session hosts are created from the desktop image with no FSLogix app pre-installed. Otherwise, the version you define in this field will be ignored.
FSLogix Profiles path (VHDLocation): Enter the file share UNC path that you previously copied.
Note: To copy the UNC path:
At the account level, go to Azure Files.
Next to the Azure Files share name, select the copy icon.
FSLogix Registry Options: From the drop-down list, select whether you want to work with Common settings or All settings of the FSLogix install. Modify the configurations as needed.
For All settings, next to the AccessNetworkAsComputerObject registry option, select Not configured, and then set the value to 1.
Configure Office Container to redirect Microsoft Office user data: Enable this option to redirect only those areas of the profile that are specific to Microsoft Office.
Note: Office Containers separate Microsoft Office data (for example, OST files) from the overall user profile for easier troubleshooting. Office Containers and Profile Containers are stored in separate VHDX files, and can be stored on different file shares. See this Microsoft article for details.
FSLogix ODFC container path (VHDLocation): Enter the file share UNC path that you previously copied.
FSLogix ODFC container Registry Options: From the drop-down list, select whether you want to work with Common settings or All settings of the FSLogix configuration that will be applied when a session host VM is provisioned, and FSLogix is installed. Modify the configurations as needed.
Note: The settings you define for FSLogix ODFC container Registry Options must match the FSLogix Registry Options settings defined earlier.
Redirections: Enable this option to enter the redirections that you want to include in the profile for reuse across customer accounts.
Note: For more information about redirections, see Types of containers.
Once you have entered all the desired information, select OK.
Step 5: Configure the VM deployment
The next step is to configure the VM deployment settings per host pool.
Note: To complete the VM deployment steps, you need to have a host pool created. To create a host pool, see:
To configure the VM deployment:
At the account level, navigate to AVD > Host Pools.
Locate the host pool you wish to work with.
From the action menu, select Properties > VM Deployment.
In the Scripted Actions section, enter the following information:
Run Scripted actions when host VM is CREATED / Run Scripted actions when host VM is STARTED: Enable these options.
Windows scripts: From the drop-down list, select EntraIDJWindowsCredentialManager.
Once you have entered all the desired information, select Save or Save & close.
Step 6: Re-image the host pool
To apply the new FSLogix and VM settings across all session hosts, you need to re-image the host pool. Re-imaging ensures every VM is rebuilt with the updated configuration. For details, see Update a desktop image and hosts.
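As an added verification script (not part of the article or of Nerdio Manager), the following PowerShell can be run elevated on a re-imaged session host to confirm that the pieces configured in Steps 3 and 4 are actually in place; the $StorageAccount parameter and the Get-RegValue helper are assumptions, and the FSLogix registry path used is the standard FSLogix location rather than a value from the page.

```powershell
# Added check script (assumed design, not Nerdio's). Run elevated on a session host after re-imaging.
param(
    [Parameter(Mandatory)][string]$StorageAccount   # storage account name saved in Step 1
)

$fileServer = "$StorageAccount.file.core.windows.net"
$results = [ordered]@{}

# Helper: read a registry value, returning $null when the key or value is absent
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Credential Manager entry written by EntraIDJWindowsCredentialManager (Step 3).
#    If it is missing after a stop/start, Credential Guard most likely purged it,
#    which means the LsaCfgFlags change did not take effect or the script did not run.
$cmdkeyList = cmdkey.exe /list 2>&1
$results['CredentialStored'] = [bool]($cmdkeyList -match [regex]::Escape($fileServer))

# 2. Registry values set by the scripted action (Step 3)
$results['LoadCredKeyFromProfile'] = (Get-RegValue 'HKLM:\Software\Policies\Microsoft\AzureADAccount' 'LoadCredKeyFromProfile') -eq 1
$results['CredentialGuardDisabled'] = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags') -eq 0

# 3. FSLogix profile settings applied at provisioning (Step 4).
#    FSLogix reads its configuration from HKLM:\SOFTWARE\FSLogix\Profiles.
$fsl = 'HKLM:\SOFTWARE\FSLogix\Profiles'
$vhdLocations = Get-RegValue $fsl 'VHDLocations'
$results['FSLogixEnabled'] = (Get-RegValue $fsl 'Enabled') -eq 1
$results['VHDLocationsOnShare'] = [bool]($vhdLocations -match [regex]::Escape($fileServer))
$results['AccessNetworkAsComputerObject'] = (Get-RegValue $fsl 'AccessNetworkAsComputerObject') -eq 1

# 4. Reachability: Azure Files is served over SMB on TCP 445, and the share must open
#    with the credential available to the account running this script.
$results['Port445Open'] = (Test-NetConnection -ComputerName $fileServer -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
$results['ShareAccessible'] = if ($vhdLocations) { Test-Path -Path ($vhdLocations | Select-Object -First 1) } else { $false }

# Any False row points at the step whose configuration did not land on this host
[pscustomobject]$results | Format-List
```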