Workaround for adding FSLogix storage key to Credential Manager with Start on Connect - bad idea?

Using Scripted Actions to add the Azure Files storage key for FSLogix profiles to Credential Manager (to allow Entra ID joined hosts to store profiles in Azure Files) is not an option for Start on Connect, because Start on Connect bypasses NMM. There is nothing to trigger a Scripted Action; the VM just starts. My workaround for this is to add a Scheduled Task to the desktop image, that runs at startup, and executes cmdkey.exe. I enable the "Hidden" option for the task, which makes it invisible to non-admin users, and, as far as I can tell, the storage key is not logged anywhere. Does this seem like an unreasonable security risk? I am interested in any opinions. The only alternatives I see are to not enable Start on Connect, or to disable Credential Guard, which carries its own security risk.

0

Comments (6)

Dave Stephenson

That's definitely a workaround, but it does have the potential for the key to be exposed in some way.
It's just a matter of balancing the risk vs. the benefit.

I know for us, we disabled the "Start on Connect" feature because when we had it enabled, there would be a host running all day (or multiple days) with an HDD vs an SSD and we would get numerous complaints about performance issues.

With the amount of usage we were having, it was more cost effective to have a single host running 24x7, with an Azure Reserved Instance, instead of using "Start on Connect". You can check the actual runtime of each host from the Auto-Scale History button. As far as I remember from my last Nerdio Bootcamp, if a host is running more than an average of 65 hours a week, it's going to be more cost effective to use a reserved instance.

Assuming you set up an always available host, you won't need to worry about having a scheduled task because Autoscale will be able to inject a Scripted Action anytime a host is started.

0
Jan Scholte

That is a way of doing it, or use the PowerShell secret management module: Microsoft.PowerShell.SecretManagement Module - PowerShell | Microsoft Learn
And register an Azure Key Vault as the SecretVault source. So basically you won't have the secret stored on the machine itself.

Hopefully full native support from FSLogix will be there soon so you don't need to add the access key to the Windows Credential Manager anymore.

1
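As an added example (not code from this thread or from Nerdio), the following PowerShell combines the two approaches above: the hidden run-at-startup task from the original post, with the startup script pulling the Azure Files key from Key Vault through SecretManagement as Jan suggests, so the key itself is never embedded in the task definition or the image. The vault, storage account and secret names are placeholders, and the script assumes the host has a managed identity with read access to the secret and the Az.Accounts, Az.KeyVault and Microsoft.PowerShell.SecretManagement modules in the image.

```powershell
<#
  Added example, not from the thread or Nerdio. Run once with -Install while building the
  image to register a hidden task that runs at startup; at boot the task re-runs this script
  without -Install, fetches the Azure Files key from Key Vault and stores it for FSLogix.
  Placeholders: $VaultName, $StorageAccount, $SecretName. Assumes a managed identity with
  'get' permission on the secret and the Az/SecretManagement modules installed in the image.
#>
param([switch]$Install)

$VaultName      = 'kv-fslogix-placeholder'   # placeholder Key Vault name
$StorageAccount = 'stfslogixplaceholder'     # placeholder storage account name
$SecretName     = 'fslogix-storage-key'      # placeholder secret holding the account key
$TaskName       = 'FSLogix-AddStorageKey'
$ScriptPath     = $MyInvocation.MyCommand.Path

if ($Install) {
    # The task definition (stored as XML under %SystemRoot%\System32\Tasks) only carries the
    # path to this script, never the key, so reading the task reveals nothing sensitive.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -Hidden -StartWhenAvailable
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    return
}

# --- Runs as SYSTEM at every boot, including Start VM on Connect boots that bypass NMM ---
Import-Module Microsoft.PowerShell.SecretManagement, Az.Accounts, Az.KeyVault

# Authenticate with the VM's system-assigned managed identity; no credential lives on disk.
Connect-AzAccount -Identity | Out-Null

# Register Key Vault as a SecretManagement vault (idempotent; Az.KeyVault ships the extension).
if (-not (Get-SecretVault -Name 'FSLogixKV' -ErrorAction SilentlyContinue)) {
    Register-SecretVault -Name 'FSLogixKV' -ModuleName Az.KeyVault -VaultParameters @{
        AZKVaultName   = $VaultName
        SubscriptionId = (Get-AzContext).Subscription.Id
    }
}

$key = Get-Secret -Vault 'FSLogixKV' -Name $SecretName -AsPlainText

# Store the key in SYSTEM's Credential Manager for the Azure Files endpoint FSLogix mounts.
# cmdkey receives the key as a command-line argument, so process-creation auditing with
# command-line logging (Security event 4688) would record it; review that setting on these hosts.
$target = "$StorageAccount.file.core.windows.net"
& cmdkey.exe "/add:$target" "/user:localhost\$StorageAccount" "/pass:$key" | Out-Null
Remove-Variable key
```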
Jan Scholte

Also, I recently added an easy script for deploying a scheduled task with script content in one action; the template can be found here in the Sales Engineers GitHub: NMM-SE/Scripted Actions/Template-Create-Trigger_StartUp_ScheduledTask.ps1 at main · Get-Nerdio/NMM-SE (github.com)


Keep in mind these are not official solutions provided by Nerdio; please refer to the disclaimer on the repo: Get-Nerdio/NMM-SE (github.com)

1
Peter Yasuda

Thank you, Dan and Jan. Our solution to "Start on Connect" resulting in VMs running on HDDs was to leave them as P10s all the time. I haven't done an in-depth cost analysis, but since the disks are not large, and non-premium disks can incur transaction charges, I think it's fine. And occasionally Auto-scale failed to upscale the disk, so it's one less thing to go wrong.

I have not seen the PS Secret Management Module, so thanks for that suggestion.

And thanks for the script to add a scheduled task! I was thinking, when I have more time, I need to figure out how to add a scheduled task with a script, and you had already done it. That will be useful in many ways. I saw Alwin's use case, and it was very interesting.

0
Jan Scholte

Peter Yasuda

So about the disks staying on HDD: you could easily work around this limitation by setting up an Automation Account or FunctionApp and converting the disks of the AVD hosts before you pre-stage them in the morning.

But this would also raise some challenges: what if a user needs to log in around 8 PM and your disks are still HDD and the Function App did not run to convert the disks? :D

So what you could do, maybe, is consider this not a problem, since maybe in your case 1 or 2, maybe 3, users log in and performance is good enough. Or you could leave the disk conversion off in Nerdio and use the FunctionApp to do the conversions of the disks too, after like 10 PM or another time slot when you're almost 90% sure no one logs in. And let the FunctionApp convert them back at 5/6 AM in the morning before you let Nerdio pre-stage the hosts. This way you will still save like 7/8 hours per 24 hours of Premium SSD time.

Unfortunately this is a limitation, since there is currently no way to trigger an automation before "Start VM on Connect" gets invoked; as for now this bypasses Nerdio because it's MS native.

I've also seen some examples in the field where they disable "Start VM on Connect" fully and use a custom PowerApp or FunctionApp with a webhook and desktop shortcut to start the VM that way. This would give you full control and also be able to work around this.

I hope some of these ideas and concepts may help you out.

0
Peter Yasuda

Jan Scholte, thanks for the suggestions. I'd love to try them out in the future. I'm not sure how easy it would be for me, since I have to ask: What's a FunctionApp? An Azure Functions app? Azure Functions is on my list of things to learn.

0
