This is a workaround until Microsoft fully supports Azure AD with Kerberos. Instead of using Azure Blob Storage, Azure Files Premium can run much faster and supports backups in Nerdio. Credit to Marcel Meurer.
DO THIS IN AZURE
Create a new Storage Account:
Go into that Storage Account, Add an Azure Files Share – Premium 100GB.
Note down the UNC path of your share:
\\[[STORAGEACCOUNTFQDN]]\[[FILESHARE]]
Go to Access Keys to obtain Access Key from Key1:
Copy this Key1 into Notepad.
DO THIS IN NERDIO
STEP 1:
Create a new Scripted Action with the "Individual with Restart" setting, called "AADJWindowsCredentialManager".
Paste this in as the script:
# Store the storage account key in Windows Credential Manager so the host can reach the share
cmdkey.exe /add:[[STORAGE ACCOUNT FQDN]] /user:localhost\[[STORAGE ACCOUNT NAME]] /pass:[[STORAGE ACCOUNT KEY]]
# Check if the key exists
if (-not (Test-Path "HKLM:\Software\Policies\Microsoft\AzureADAccount")) {
    # Create the key if it doesn't exist
    New-Item -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Force
}
# Add or modify the property
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -Value 1 -Type DWord -Force
# LsaCfgFlags = 0 turns Credential Guard off (see the WINDOWS 11 note below)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 0 -Type DWord -Force
Example (only the cmdkey line changes; the registry lines stay exactly as above):
cmdkey.exe /add:aadjazfileswinhart.file.core.windows.net /user:localhost\aadjazfileswinhart /pass:h/0xqVkR6V5KaJNoFWEYCXSwP5kXjXLcTXViWrbFqfskMLvmlizotlBRLFw+f6HEupw5cKw0IKvV+AStMO632Q==
STEP 2:
Add this to your Custom FSLogix Profile Path inside the Host Pool properties:
\\[[STORAGEACCOUNTFQDN]]\[[FILESHARE]]
Example:
\\aadjazfileswinhart.file.core.windows.net\profiles
Specify the file share name in the UNC path of the FSLogix Profile Path, and add the following key in addition to your normal keys:
"AccessNetworkAsComputerObject"=dword:1
Example:
"DeleteLocalProfileWhenVHDShouldApply"=dword:1
"PreventLoginWithFailure"=dword:1
"PreventLoginWithTempProfile"=dword:1
"VolumeType"=string:"vhdx"
"FlipFlopProfileDirectoryName"=dword:1
"AccessNetworkAsComputerObject"=dword:1
STEP 3: Add the AADJWindowsCredentialManager scripted action so that it runs when the VM host gets created.
You can now proceed to add a new session host in this host pool.
WINDOWS 11
There are reports that newer versions of Windows 11 have Credential Guard enabled by default, which periodically removes the storage account key from Windows Credentials and causes permission issues accessing AVD.
If you are using this on Windows 11, please consider disabling Credential Guard (however, it is not what we are recommending). Disabling Credential Guard lowers your security posture: Configure Credential Guard - Windows Security | Microsoft Learn
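A post-deployment check for a session host, added here as an example and not part of the original article or of Nerdio's tooling: it confirms that the credential from STEP 1 is still in Credential Manager, that the registry values from STEP 1 and the FSLogix key from STEP 2 are set, whether Credential Guard (the WINDOWS 11 note above) is running, and that the share is reachable. The placeholder defaults, the assumption that Nerdio's FSLogix keys land under HKLM:\SOFTWARE\FSLogix\Profiles, and the assumption that the scripted action runs as SYSTEM are mine.

```powershell
# Added example, not from the original article or Nerdio. Run it in the same account the
# scripted action ran under (cmdkey credentials are per-user; assumed here to be SYSTEM).
# Both parameter defaults are placeholders; substitute your own values.
param(
    [string]$StorageAccountFqdn = "[[STORAGEACCOUNTFQDN]]",  # e.g. <account>.file.core.windows.net
    [string]$FileShare          = "[[FILESHARE]]"
)
$ok = $true

# 1. The storage account key must still be present in Credential Manager.
if (cmdkey.exe /list | Select-String -SimpleMatch $StorageAccountFqdn) {
    Write-Host "OK      credential for $StorageAccountFqdn is stored"
} else {
    Write-Warning "MISSING credential for $StorageAccountFqdn (scripted action not run, or key purged)"
    $ok = $false
}

# 2. Registry values the scripted action (STEP 1) and the FSLogix settings (STEP 2) should leave behind.
$checks = @(
    @{ Path = "HKLM:\Software\Policies\Microsoft\AzureADAccount"; Name = "LoadCredKeyFromProfile";        Expected = 1 },
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa";       Name = "LsaCfgFlags";                   Expected = 0 },
    @{ Path = "HKLM:\SOFTWARE\FSLogix\Profiles";                  Name = "AccessNetworkAsComputerObject"; Expected = 1 }
)
foreach ($c in $checks) {
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($value -eq $c.Expected) {
        Write-Host ("OK      {0}\{1} = {2}" -f $c.Path, $c.Name, $value)
    } else {
        Write-Warning ("WRONG   {0}\{1} = '{2}', expected {3}" -f $c.Path, $c.Name, $value, $c.Expected)
        $ok = $false
    }
}

# 3. Credential Guard status: SecurityServicesRunning contains 1 when it is active,
#    which is the condition under which the stored key gets removed (WINDOWS 11 note).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 1)) {
    Write-Warning "Credential Guard is running on this host; expect the stored key to be removed periodically"
} else {
    Write-Host "OK      Credential Guard is not running"
}

# 4. The profile share must be reachable with the stored credential.
$unc = "\\$StorageAccountFqdn\$FileShare"
if (Test-Path -LiteralPath $unc) { Write-Host "OK      $unc is reachable" }
else { Write-Warning "CANNOT  reach $unc"; $ok = $false }

if ($ok) { exit 0 } else { exit 1 }
```

A non-zero exit code makes the script usable as a Nerdio scripted action or a monitoring probe, so a host whose key has been purged shows up before users hit profile errors.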