How to Use Azure Files with Entra ID (AADJ) Method for AVD

This is a workaround for Entra ID joined (AADJ) session hosts until Microsoft fully supports Entra ID (Azure AD) Kerberos authentication to Azure Files for them. Compared with Azure Blob Storage for FSLogix profiles, Azure Files Premium is much faster and its shares can be backed up from Nerdio. Credit to Marcel Meurer.


DO THIS IN AZURE

Create a new Storage Account:


Go into that Storage Account and add an Azure Files share (Premium, 100 GB).

Note down the UNC path of your share:

\\[[STORAGEACCOUNTFQDN]]\[[FILESHARE]]


Go to Access Keys and copy the key from key1:

Keep it somewhere you can paste it from; you will need it in Nerdio. Treat it as a full-control secret for the whole storage account: anyone who can read it (including anyone with administrator or SYSTEM rights on a session host where it sits in Credential Manager) can read and write every share in the account. Do not paste it into scripts that others can read, prefer keeping it in a Nerdio secure variable, and rotate it (and update the scripted action) if it is ever exposed.

DO THIS IN NERDIO


STEP 1:

Create a new Scripted Action (type: Individual with Restart) called "AADJWindowsCredentialManager".


Paste this in as the script


# Store the storage account key in the Credential Manager of the account running this script
# (SYSTEM for a Nerdio scripted action, which is the account FSLogix uses with AccessNetworkAsComputerObject=1)
cmdkey.exe /add:[[STORAGE ACCOUNT FQDN]] /user:localhost\[[STORAGE ACCOUNT NAME]] /pass:[[STORAGE ACCOUNT KEY]]

# Check if the key exists
if (-not (Test-Path "HKLM:\Software\Policies\Microsoft\AzureADAccount")) {
    # Create the key if it doesn't exist
    New-Item -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Force
}

# Add or modify the property
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -Value 1 -Type DWord -Force

# LsaCfgFlags = 0 is the registry way of turning Credential Guard off. It only takes effect after a reboot,
# and it cannot turn Credential Guard off if it was enabled with a UEFI lock (see the WINDOWS 11 section below).
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 0 -Type DWord -Force

Example (only the cmdkey line changes; the registry lines that follow it are the same as in the script above):

cmdkey.exe /add:aadjazfileswinhart.file.core.windows.net /user:localhost\aadjazfileswinhart /pass:h/0xqVkR6V5KaJNoFWEYCXSwP5kXjXLcTXViWrbFqfskMLvmlizotlBRLFw+f6HEupw5cKw0IKvV+AStMO632Q==

STEP 2:


Add this as the custom FSLogix profile path in the Host Pool properties:

\\[[STORAGEACCOUNTFQDN]]\[[FILESHARE]]

Example:

\\aadjazfileswinhart.file.core.windows.net\profiles

Use the file share name in the UNC path of the FSLogix profile path, and add the following key in addition to your normal FSLogix keys. It makes the FSLogix service open the share as the computer (SYSTEM), which is the account whose Credential Manager holds the key stored in Step 1:


"AccessNetworkAsComputerObject"=dword:1


Example:

"DeleteLocalProfileWhenVHDShouldApply"=dword:1

"PreventLoginWithFailure"=dword:1

"PreventLoginWithTempProfile"=dword:1

"VolumeType"=string:"vhdx"

"FlipFlopProfileDirectoryName"=dword:1

"AccessNetworkAsComputerObject"=dword:1


STEP 3: Assign the AADJWindowsCredentialManager scripted action to run when a VM host is created. As discussed in the comments below, it is also worth running it when a host is started and on a daily schedule, because hosts have been seen to lose the credential.


You can now proceed to add a new session host in this host pool.

WINDOWS 11

There are reports that newer builds of Windows 11 have Credential Guard enabled by default, and that it removes the storage account key entry from Windows Credential Manager, after which FSLogix can no longer open the profile share and AVD logons fail with permission errors.

If you use this method on Windows 11, be aware that disabling Credential Guard lowers your security posture, so it is not something we recommend without weighing that risk. Note that the Step 1 script already sets LsaCfgFlags to 0 under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, which is the registry way of turning Credential Guard off; it only takes effect after a reboot, and it does not work if Credential Guard was enabled with a UEFI lock. See Configure Credential Guard - Windows Security | Microsoft Learn before deciding.
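The following check script is an addition to this article (it is not part of the original page or of Marcel Meurer's method). It confirms on a session host that everything Steps 1 to 3 depend on is in place, and reports whether Credential Guard is actually running, which is what clears the cmdkey entry on Windows 11. The storage account and share names are assumptions taken from the article's example; replace them with your own. Run it in the same account as the scripted action (SYSTEM for a Nerdio scripted action, for example as another scripted action or under psexec -s), because Credential Manager entries are per user and FSLogix, with AccessNetworkAsComputerObject=1, uses the SYSTEM entry.

```powershell
# Added check script, not from the original article. Assumed values below come from the article's example.
param(
    [string]$StorageAccount = 'aadjazfileswinhart',   # assumption: replace with your storage account name
    [string]$ShareName      = 'profiles'              # assumption: replace with your file share name
)

$fqdn   = "$StorageAccount.file.core.windows.net"
$unc    = "\\$fqdn\$ShareName"
$result = [ordered]@{}

# 1. Stored credential: cmdkey /list prints one "Target:" line per entry in THIS account's store.
#    Match on the FQDN; passwords are never shown by cmdkey /list.
$cmdkeyOut = & cmdkey.exe /list 2>&1
$result.CredentialPresent = [bool]($cmdkeyOut | Where-Object { $_ -match [regex]::Escape($fqdn) })

# 2. Registry values the Step 1 script sets.
$aad = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\AzureADAccount' -ErrorAction SilentlyContinue
$result.LoadCredKeyFromProfile = ($null -ne $aad -and $aad.LoadCredKeyFromProfile -eq 1)

# LsaCfgFlags: 0 = Credential Guard off, 1 = on with UEFI lock, 2 = on without lock, empty = never set.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$result.LsaCfgFlags = $lsa.LsaCfgFlags

# 3. Whether Credential Guard is running right now. The registry value alone is not enough:
#    a change applies only after a reboot, and a UEFI lock keeps it on regardless.
#    Win32_DeviceGuard.SecurityServicesRunning contains 1 while Credential Guard is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$result.CredentialGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

# 4. Can this account open the share with the stored credential?
$result.ShareReachable = [bool](Test-Path -Path $unc -ErrorAction SilentlyContinue)

$report = [pscustomobject]$result
$report | Format-List

# Call out the combinations that explain a "profile will not load" ticket.
if (-not $report.CredentialPresent)      { Write-Warning "No Credential Manager entry for $fqdn in this account's store; rerun the scripted action." }
if ($report.CredentialGuardRunning)      { Write-Warning 'Credential Guard is running; on Windows 11 this is what clears the cmdkey entry.' }
if (-not $report.LoadCredKeyFromProfile) { Write-Warning 'LoadCredKeyFromProfile is not set to 1.' }
if (-not $report.ShareReachable)         { Write-Warning "Cannot open $unc; check the credential, the share name and network access to the storage account." }
```

Running it as your own admin account will show CredentialPresent as false even on a healthy host, since the scripted action stored the key in SYSTEM's credential store, not yours; that difference is the most common reason the manual check and the actual FSLogix behaviour disagree.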


Comments (8 comments)

DStephenson

Great article, Tony Cai!

We were able to take this one step further and set up the scripted action to use Secure Variables instead of putting the storage information in plain text.

It requires you to set up 2 secure variables on the account (i.e. FSLgxStorageAccount = Storage Account Name, FSLgxSecret = Storage Account Access key), but it gives you the added benefit of being able to use the same script on multiple accounts in NMM.

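As an added example (not the article's script and not Nerdio's own code), here is the Step 1 scripted action rewritten along the lines of the comment above: the storage account name and key come from Nerdio secure variables, so the key is not in the script text and one script serves every account. It assumes the secure variables are named FSLgxStorageAccount and FSLgxSecret (the names used in the comment) and that Nerdio exposes secure variables to a scripted action as $SecureVars.<Name>; the $disableCredentialGuard switch is this example's own addition and turns the article's unconditional LsaCfgFlags line into an explicit choice.

```powershell
# Added example, not the article's script. Assumes Nerdio secure variables named
# FSLgxStorageAccount and FSLgxSecret, exposed to the script as $SecureVars.<Name>.
$storageAccount = $SecureVars.FSLgxStorageAccount
$storageKey     = $SecureVars.FSLgxSecret

# Set to $true only if you have accepted the trade-off described under WINDOWS 11 above.
# The article's script sets LsaCfgFlags=0 unconditionally; here it is an explicit choice.
$disableCredentialGuard = $false

if ([string]::IsNullOrWhiteSpace($storageAccount) -or [string]::IsNullOrWhiteSpace($storageKey)) {
    throw 'Secure variables FSLgxStorageAccount and/or FSLgxSecret are not set for this account.'
}

$fqdn = "$storageAccount.file.core.windows.net"

# The entry lands in the credential store of the account running the script (SYSTEM for a Nerdio
# scripted action), which is the store FSLogix uses with AccessNetworkAsComputerObject=1.
# cmdkey overwrites an existing entry for the same target, so this is safe to run on create,
# on start and on a schedule. Each argument is built as one string so PowerShell passes the
# key intact; the key is never written to the script output.
$cmdkeyArgs = @("/add:$fqdn", "/user:localhost\$storageAccount", "/pass:$storageKey")
$null = & cmdkey.exe @cmdkeyArgs
if ($LASTEXITCODE -ne 0) { throw "cmdkey.exe /add failed with exit code $LASTEXITCODE" }

# Same registry settings as the Step 1 script, with the value type stated explicitly.
$policyKey = 'HKLM:\Software\Policies\Microsoft\AzureADAccount'
if (-not (Test-Path -Path $policyKey)) { $null = New-Item -Path $policyKey -Force }
$null = New-ItemProperty -Path $policyKey -Name 'LoadCredKeyFromProfile' -Value 1 -PropertyType DWord -Force

if ($disableCredentialGuard) {
    # Registry form of turning Credential Guard off; applies after a reboot and cannot override a UEFI lock.
    $null = New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LsaCfgFlags' -Value 0 -PropertyType DWord -Force
}

# Confirm the entry exists without printing the secret (cmdkey /list never shows passwords).
$entry = & cmdkey.exe /list | Where-Object { $_ -match [regex]::Escape($fqdn) }
if (-not $entry) { throw "Credential for $fqdn was not found after cmdkey /add" }
Write-Output "Stored credential for $fqdn as localhost\$storageAccount in the current account's credential store."
```

The script fails loudly (throw) rather than silently when a variable is missing or cmdkey returns non-zero, so a misconfigured account shows up as a failed scripted action in Nerdio instead of as session hosts that accept logons and then fail to load profiles.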
Tony Cai

Thanks for sharing Dave. Yes, I was too lazy to add the Secure variable stuff in. Thanks for doing it!

Tony Cai

I would also add this Scripted Actions for when a machine is STARTED as well, not just on Create.

Also run the script on a scheduled basis every morning at 5AM to make sure the credential stays in the Windows Credential Manager.

DStephenson

I'm curious why you would want this scripted action on STARTED and CREATED

Is it just to help minimize a potential issue if a windows/fslogix update changes the registry setting back (i.e. Belt and Suspenders?) or is there something else that would prompt us to have a Scripted Action (any script not just this one in particular) run on start and create vs one or the other?
Example: Install Microsoft Teams (New) (on Start and on Create) vs RDP Shortpath (on Create)

Tony Cai

DStephenson Yes I have had a few people say that for some reason their AVD host loses the storage account key credentials in Windows Credential Manager. So just to be safe, I run it daily and also recommend it in multiple other places.

Tony Cai

DStephenson have you had problems following this after you've gone live? I suspect people are somehow reimaging their machines and the script did not run.

DStephenson

Ahh... Yes. 
We've seen the credentials missing from Credential Manager because of the Credential Guard "feature" in Windows 11.
If we disable Credential Guard (which has its own set of risks) or use a Windows 10 image (which doesn't have it (Credential Guard) enabled by default) we haven't seen the issue.


Tony Cai

There are reports that newer versions of Windows 11 have Credential Guard enabled by default, which will periodically remove the StorageAccountKey from Windows Credentials, which causes permissions issues accessing AVD.

If you are using this on Windows 11, please disable Credential Guard: Configure Credential Guard - Windows Security | Microsoft Learn
