In this blog post I will deploy virtual servers within the Azure Portal using PowerShell via Azure Cloud Shell.
1) Login to the Azure Portal portal.azure.com
2) Click the Cloud Shell icon found towards the top of the portal
3) Click Powershell
4) Click Create Storage. If you want to configure custom settings, click Show Advanced Settings
5) and we’re connected
6) Before creating a Virtual Machine, I will create a resource group to where I will deploy my new VM. My new resource group is named CloudBuildPSRG (PS for PowerShell and RG for Resource Group). My location is UKSouth. You could create this resource group as part of the VM Build commands further down this blog post but for the purpose of this demo, I will create the resource group first.
-ResourceGroupName “CloudBuildPSRG” – I will use an existing Resource Group that I created in this blog post earlier. In the event the resource group does not exist, a new resource group will be created.
-Name “CloudBuildPSVM” – This is the name of the VM
-Location “UK South” – The VM will be built in region UK South
-VirtualNetworkName “CloudBuild-PSVNET” – I am creating a new VNET but you could also use an existing VNET name if you have already created one
-SubnetName “subnet1” – A new subnet will be created named subnet1. Again you could use an existing by specifying the name.
-SecurityGroupName – NSG name for the VM (Network Security Group)
-PublicIpAddressName “GBPublicIpAddress” – For the purpose of this lab, I will be creating a public IP address. This is something you don’t want to do for a production server. You could use Azure Bastion to connect to a VM from the portal, or connect to the VM from your internal network over VPN.
-OpenPorts 80,3389 – Opening ports within the NSG (Network Security Group) to allow access to the web service and Remote Desktop access. My next blog post will include the installation of IIS via PowerShell and testing access externally.
10) Let’s continue with running the script. After triggering the script, you’re prompted to create a new local admin username and password for the VM.
and the machine build is in progress
VM build successful
11) Let’s check the status of the VM
get-azvm -name CloudBuildPSVM
12) Let’s check the Azure Portal. There it is. The VM has been deployed in my existing resource group CloudBuildPSRG
13) I’ll now obtain the Public IP address of the VM so I can connect to it. (Note that this is a demo. In a production environment you don’t want to allow RDP access externally.) The Public IP could also be obtained from the Azure Portal, but as we’re doing everything within PowerShell, let’s continue with PowerShell.
Here is the command I will run to obtain the public IP address of my newly created VM
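The build described in steps 6 to 13, written out as an added example (this is not the post's own script). It assumes the Az module available in Cloud Shell and an already signed-in session; the NSG name "CloudBuildPSNSG" is an assumption, since the post does not give one. The final check lists the NSG rules New-AzVM created for -OpenPorts, so you can see exactly what the VM exposes.

```powershell
# Added example, not the post's own script. Assumes the Az module in Cloud Shell and a
# signed-in session. The NSG name "CloudBuildPSNSG" is assumed; the post does not give one.
$rg       = "CloudBuildPSRG"
$vmName   = "CloudBuildPSVM"
$location = "UK South"

# Step 6: create the resource group up front (New-AzVM would also create it if missing)
if (-not (Get-AzResourceGroup -Name $rg -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rg -Location $location | Out-Null
}

# Step 10: prompt for the local admin account rather than embedding a password in the script
$cred = Get-Credential -Message "Local administrator account for $vmName"

# Without -Image, New-AzVM builds a Windows Server 2016 Datacenter VM, as described in the post.
# Port 3389 open to the internet is a lab-only setting (see the note on -PublicIpAddressName).
New-AzVM -ResourceGroupName $rg `
         -Name $vmName `
         -Location $location `
         -VirtualNetworkName "CloudBuild-PSVNET" `
         -SubnetName "subnet1" `
         -SecurityGroupName "CloudBuildPSNSG" `
         -PublicIpAddressName "GBPublicIpAddress" `
         -OpenPorts 80,3389 `
         -Credential $cred

# Step 11: provisioning and power state of the VM
(Get-AzVM -ResourceGroupName $rg -Name $vmName -Status).Statuses |
    Select-Object Code, DisplayStatus

# Step 13: the public IP address allocated to the VM
(Get-AzPublicIpAddress -ResourceGroupName $rg -Name "GBPublicIpAddress").IpAddress

# Check: the NSG rules New-AzVM created for -OpenPorts, i.e. what is reachable from outside
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "CloudBuildPSNSG").SecurityRules |
    Select-Object Name, DestinationPortRange, SourceAddressPrefix, Access
```

The last command is the one worth keeping around: a rule with SourceAddressPrefix "*" on port 3389 is exactly the production exposure the post warns about.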
This process creates a Windows 2016 Datacenter server, but what if you want to use a different image available within the Microsoft Azure Marketplace?
Let’s continue with building another VM but this time specifying what image we want to use.
15) Type Get-AzVMImageOffer -Location "UK South" -PublisherName "MicrosoftWindowsServer"
A Marketplace image in Azure has the following attributes:
Publisher: The organisation that created the image. Examples: Canonical, MicrosoftWindowsServer
Offer: The name of a group of related images created by a publisher. Examples: UbuntuServer, WindowsServer
SKU: An instance of an offer, such as a major release of a distribution. Examples: 18.04-LTS, 2019-Datacenter
Version: The version number of an image SKU.
MicrosoftWindowsServer is a VM publisher name. If you want to view all VM image publishers available within the Marketplace in the UK South region, the command is as follows: Get-AzVMImagePublisher -Location "UK South"
16) Here are the results from step 14. The results below show a number of offers from the MicrosoftWindowsServer publisher available in the UK South region. I will be using WindowsServer
17) We now dig deeper and find out what images (SKUs) are available within the WindowsServer offer
Note: AsJob allows the command to run in the background allowing you to use PowerShell for other tasks and not have to wait for the script to complete, as you’ll see from the results below.
latest – passed as the image version, requests the most recent version available for the chosen SKU
After running the script above, as you can see from the screenshot below the output is different because of the additional command -AsJob. The job is now running in the background which means I don’t have to wait for PowerShell to complete the process.
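The Publisher > Offer > SKU > Version walk from step 15 onwards and the background build with -AsJob, as an added example (not the post's own commands). The resource group and location are the post's; the VM name "CloudBuildPSVM2" is assumed so the example does not collide with the first VM.

```powershell
# Added example, not the post's own commands. Walks the Publisher > Offer > SKU > Version
# hierarchy and then builds a VM from a chosen image with -AsJob. "CloudBuildPSVM2" is assumed.
$rg        = "CloudBuildPSRG"
$location  = "UK South"
$publisher = "MicrosoftWindowsServer"
$offer     = "WindowsServer"
$sku       = "2012-R2-Datacenter"

# Step 15 and its note: publishers in the region, then the offers of one publisher
Get-AzVMImagePublisher -Location $location |
    Where-Object PublisherName -like "MicrosoftWindows*" | Select-Object PublisherName
Get-AzVMImageOffer -Location $location -PublisherName $publisher | Select-Object Offer

# Step 17: SKUs within the WindowsServer offer, then the versions published for one SKU
Get-AzVMImageSku -Location $location -PublisherName $publisher -Offer $offer | Select-Object Skus
Get-AzVMImage -Location $location -PublisherName $publisher -Offer $offer -Skus $sku |
    Select-Object Version

# -Image takes publisher:offer:sku:version; "latest" resolves to the newest version of the SKU.
# (-f is used because "$publisher:" inside a string would be read as a scope qualifier.)
$image = "{0}:{1}:{2}:latest" -f $publisher, $offer, $sku
$cred  = Get-Credential -Message "Local administrator account for CloudBuildPSVM2"

# -AsJob returns immediately, so the shell stays usable while the build runs in the background.
# Note: with no -OpenPorts, the simplified New-AzVM opens RDP and WinRM on Windows; review the NSG.
$job = New-AzVM -ResourceGroupName $rg -Name "CloudBuildPSVM2" -Location $location `
                -Image $image -Credential $cred -AsJob

Get-Job -Id $job.Id | Select-Object Id, State      # "Running" while the build continues
Wait-Job -Job $job | Out-Null                       # block only when you actually need the result
Receive-Job -Job $job | Select-Object Name, ProvisioningState

# Check: the image the VM was really built from
(Get-AzVM -ResourceGroupName $rg -Name "CloudBuildPSVM2").StorageProfile.ImageReference |
    Select-Object Publisher, Offer, Sku, Version
```

The ImageReference check is the quick way to confirm that "latest" resolved to the version you expected, and it is also what an auditor will ask for when tracing which base image a VM was built from.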
20) And we have successfully deployed a Windows 2012 R2 Datacenter server
In this blog post I will be backing up an Azure File Share that I created to store my Windows Virtual Desktop FSLogix Profiles.
1) Login to the Azure Portal portal.azure.com
2) Firstly, I’ll create a Recovery Services vault
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases.
Search and click Recovery Services Vault
3) Click Add
4) Complete details for your new Recovery Services Vault. See example below
5) Add tags as required and click create
6) Next, visit Recovery Services Vault and click your newly created vault
7) Click + Backup
8) Click the notice as highlighted below
9) As you’ll see, by default the storage replication type is set to geo-redundant. For the purpose of this lab, I’ll be configuring locally-redundant. You may wish to select local or one of the other options depending on your requirements.
10) I select Locally-redundant and click save
11) From the drop down (What do you want to backup?) select Azure FileShare
12) Click Backup
13) Click Select under Storage Account
14) Click your storage account and click ok
15) Click ‘Create a new policy’
16) Click Add and select the Azure Fileshare
17) Set your backup policy as per your requirements. For the purpose of this demo, I have configured as follows
18) Click Enable Backup
19) Wait for confirmation. Takes less than a minute
20) Next, visit your Recovery Services Vault, click backups from the left pane and then click Azure Storage (Azure Files)
21) Notice the backup is pending
22) Click the backup
23) Click Backup now
24) I’m going to leave the data retention as one month. You may wish to set as per your organisation requirements. Click OK
25) Wait for configuration to complete
26) If required, to modify the backup, click the recovery services vault, click backup policies and then select the policy.
If you wish to monitor backups or restore data, visit the storage account and use the backup and snapshot options in the left pane
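The same vault, policy and on-demand backup configured from PowerShell with the Az.RecoveryServices module, as an added example (not part of the post, which uses the portal). The storage account "cbazurefile", share "cloudbuildshare" and resource group "AzureFileRG" are taken from the FSLogix section of this page; the vault name "CloudBuildRSV" and policy name "AzureFilesDaily" are assumptions. One caveat the portal step 9 hides: the redundancy setting can only be changed while the vault has no protected items, so it is set before protection is enabled.

```powershell
# Added example, not the post's own steps. Requires the Az.RecoveryServices module and a signed-in
# session. Vault name "CloudBuildRSV" and policy name "AzureFilesDaily" are assumed.
$rg        = "AzureFileRG"
$location  = "UK South"
$vaultName = "CloudBuildRSV"
$storage   = "cbazurefile"
$share     = "cloudbuildshare"

# Steps 2-5: create the vault
$vault = New-AzRecoveryServicesVault -Name $vaultName -ResourceGroupName $rg -Location $location

# Steps 9-10: change the default geo-redundant storage to locally-redundant.
# This only works while nothing is protected in the vault yet, so do it first.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy LocallyRedundant

# Steps 15-17: a policy for Azure file shares built from the module's default schedule and
# retention objects (adjust the objects to your requirements, as in step 17)
$schedule  = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureFiles
$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureFiles
$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name "AzureFilesDaily" -WorkloadType AzureFiles `
              -RetentionPolicy $retention -SchedulePolicy $schedule -VaultId $vault.ID

# Step 18: enable protection of the share
Enable-AzRecoveryServicesBackupProtection -StorageAccountName $storage -Name $share `
    -Policy $policy -VaultId $vault.ID

# Steps 20-24: locate the protected item and trigger an on-demand backup kept for one month
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureStorage `
    -FriendlyName $storage -VaultId $vault.ID
$item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureFiles -VaultId $vault.ID
Backup-AzRecoveryServicesBackupItem -Item $item -VaultId $vault.ID `
    -ExpiryDateTimeUTC (Get-Date).AddMonths(1).ToUniversalTime()

# Step 25 check: the backup job should appear in the vault's job list
Get-AzRecoveryServicesBackupJob -VaultId $vault.ID | Select-Object WorkloadName, Operation, Status
```

Scripting this is worth it for more than convenience: a backup that is created by script can be re-created identically in a second region or subscription, which is the part of a recovery plan that portal clicks do not give you.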
In this blog post I will go through the process of configuring FSLogix within a Windows Virtual Desktop platform using Azure file share. I will also go through the process to enable Active Directory authentication.
What is FSLogix?
FSLogix is a set of solutions that enhance, enable, and simplify non-persistent Windows computing environments. FSLogix solutions are appropriate for virtual environments in both public and private clouds. FSLogix solutions may also be used to create more portable computing sessions when using physical devices.
FSLogix Requirements
Before we get started and at the time of writing this blog post, there are a few requirements for FSLogix. You are eligible to access FSLogix Profile Container, Office 365 Container, Application Masking, and Java Redirection tools if you have one of the following licenses:
FSLogix solutions may be used in any public or private data center, as long as a user is properly licensed. FSLogix tools operate on all operating systems newer than, and including:
Desktop – Windows 7
Server – 2008 R2
FSLogix solutions support both 32 bit and 64 bit where applicable
In no instance are FSLogix solutions supported in an environment that is not supported by Microsoft, or the original software or equipment vendor
What is Azure Files?
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol or Network File System (NFS) protocol. Azure file shares can be mounted concurrently by cloud or on-premises deployments. Azure Files SMB file shares are accessible from Windows, Linux, and macOS clients. Azure Files NFS file shares are accessible from Linux or macOS clients. Additionally, Azure Files SMB file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.
Azure Files is used extensively/recommended for storing user profiles using FSLogix. Azure Files provides multiple tiers that you can select based on your cost/performance needs.
In this blog I will also go through the process of setting up Azure Files for FSLogix Profiles in Windows Virtual Desktop.
If your organisation has password expiration policies in place you may have to create a separate OU to block the password expiring for the account which represents the Azure storage account. Your organisation may run automated cleanup scripts that delete accounts once their password expires. Because of this, if you do not change your password before it expires, your account could be deleted, which will cause you to lose access to your Azure file shares. This will make more sense as we go through this blog post.
My lab environment includes a domain controller hosted in Azure and two Windows 10 Windows Virtual Desktop session hosts. AD accounts are synced to Azure AD using Azure AD Connect. I created the WVD solution as part of the following blog post: Deploying Windows Virtual Desktop
Please skip to section Create Storage Account in Azure if expiration policies don’t apply to your organisation.
1) For this demo, I have created the following OU within AD
2) I have created a group policy and disabled password expiry for computer accounts residing in this OU. Further details below.
3) I logged into group policy management and created a new policy as follows:
For this example, I have named my policy Azure Files – Password Does Not Expire
4) Right click and edit the policy and browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
5) Locate: Domain Member: Maximum machine account password age
6) Click define this policy setting and set to 0. Save
7) Now that I have created an OU and Group Policy that prevents accounts within the Azure Files OU from expiring, I will link the newly created policy to the OU.
Right click the Azure File OU within the Group Policy console and click link existing GPO. Click OK
Create Storage Account in Azure
I will now create a storage account within the Azure Portal
1. Login to the Azure Portal portal.azure.com
2. Locate and click storage accounts
3. Click +Add
4. Complete the details (Example below). I have created a new resource group named AzureFileRG. If you require higher IOPS up to 100,000, you may want to look into premium instead of standard.
Ensure storage account name is 15 or less characters. I’ll explain why later
5. Lock down your storage account so that only the VMs on selected virtual networks have access to the file share
– Select Public endpoint (Selected Networks) and click the VNET to which your session hosts are connected
– Click all subnets that the domain controller and session hosts connect to
6. I will leave the rest of the settings as default and click review and create.
7. Once validation passes, click create
Create File Share
Now that we have created the storage account, let’s create the file share
1. Click storage accounts and click the storage account you just created
2. Click File shares
3. Click + File share
4. Input new file share details and click next. For this example, I have entered the details as below. If you don’t configure a quota, the default limit is applied.
Azure Files offers four different tiers of storage, premium, transaction optimised, hot, and cool to allow you to tailor your shares to the performance and price requirements of your scenario:
Premium: Premium file shares are backed by solid-state drives (SSDs) and are deployed in the FileStorage storage account type. Premium file shares provide consistent high performance and low latency, within single-digit milliseconds for most IO operations, for IO-intensive workloads. Premium file shares are suitable for a wide variety of workloads like databases, web site hosting, and development environments. Premium file shares can be used with both Server Message Block (SMB) and Network File System (NFS) protocols.
Transaction optimized: Transaction optimized file shares enable transaction heavy workloads that don’t need the latency offered by premium file shares. Transaction optimized file shares are offered on the standard storage hardware backed by hard disk drives (HDDs) and are deployed in the general purpose version 2 (GPv2) storage account type. Transaction optimized has historically been called “standard”, however this refers to the storage media type rather than the tier itself (the hot and cool are also “standard” tiers, because they are on standard storage hardware).
Hot: Hot file shares offer storage optimized for general purpose file sharing scenarios such as team shares and Azure File Sync. Hot file shares are offered on the standard storage hardware backed by HDDs and are deployed in the general purpose version 2 (GPv2) storage account type.
Cool: Cool file shares offer cost-efficient storage optimized for online archive storage scenarios. Azure File Sync may also be a good fit for lower churn workloads. Cool file shares are offered on the standard storage hardware backed by HDDs and are deployed in the general purpose version 2 (GPv2) storage account type.
Note: “-Name” is the name of the storage account you created in the Azure Portal earlier. The commands I’ll be running are documented above. Your config will be different.
Note: You can obtain the OU Distinguished name, by right clicking the OU (Enable Advanced Features for options to appear), Clicking properties, Attribute Editor and then locating Distinguished Name as shown below.
12. Now let’s check if the computer account has been created within AD Users and Computers.
Note that the computer name is the same as the storage account name. If the storage account name had been more than 15 characters, the scripts above would have failed, as a computer name is limited to a maximum of 15 characters.
13. Next, let’s assign permissions to the share we created in Azure. Go back to the Azure Portal > Click the Storage Account > File shares
14. Click the file share name and then click Access Control (IAM)
15. Click Add role assignments
The following SMB roles exist. We’re only adding the top two roles.
Storage File Data SMB Share Contributor: permissions to read, write and modify
Storage File Data SMB Share Elevated Contributor: permissions to read, write, modify and manage NTFS permissions
Storage File Data SMB Share Reader: permission to read.
16. The first role is SMB Share Elevated Contributor and I’ll be assigning an admin account to this role as shown below. Cloud Build User 1 is my admin account.
17. Click save and add role assignment again and add SMB Share Contributor. I have assigned my WVD Users Group to this role
Anyone who is a member of the WVD Users group will be assigned an FSLogix profile.
18. Next we will require the Storage Access Key. Click the storage account and click Access Keys
19. Copy either key 1 or key 2 and paste to notepad for now (Keep this key SAFE. It’s the key to your storage account and files!)
In the next steps I will mount the share and assign NTFS permissions
20. I will now run the below command to check that I can mount the new share. I’ll be running the command from my domain controller but you can run it from any domain-joined machine.
net use W: "\\<StorageAccountHere>.file.core.windows.net\<ShareNameHere>" /user:Azure\<StorageAccountNameHere> <StorageAccountKeyHere>
net use W: "\\cbazurefile.file.core.windows.net\cloudbuildshare" /user:Azure\cbazurefile XXXXXXXXXXXXXNacmCQY6CDV3SDQ2DUxosXXXXXXXXXXR2eiBJ/xKemkX5coX7xE2EFYtO6XXXXXXXX8V8XgWLg==
And the file share has mounted
21. Let’s create a folder for FSLogix Profiles
22. Next we will set permissions to allow user profiles to be created and to prevent users from accessing other users’ profiles:
– Right click the Profiles folder
– Click properties
– Click the Security tab
– Click the advanced button
– Click the disable inheritance button
23. Click Convert inherited permissions into explicit permissions on this object
24. Next, click authenticated users and click remove
25. Click users and click remove
26. Next, click CREATOR OWNER and click edit
27. Untick Full Control and save
28. Next add WVD Users: click add, click Select a principal, locate your WVD Users group and click ok
29. For WVD Permissions, select the modify option and change applies to This Folder Only
30. Click ok and apply
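Steps 19 to 30 (mount the share, create the Profiles folder, set the NTFS permissions) as an added PowerShell example using icacls; this is not the post's own procedure, which was done in the Security dialog. The storage account and share names are the post's; the domain NetBIOS name "CONTOSO" is assumed, and the key must be pasted in from step 19.

```powershell
# Added example, not the post's own commands. Run from a domain-joined machine (the post uses the
# domain controller). Assumed: domain NetBIOS name CONTOSO; group "WVD Users" is from the post.
$storageAccount = "cbazurefile"
$shareName      = "cloudbuildshare"
$storageKey     = "<StorageAccountKeyHere>"     # step 19: key 1 or key 2; never commit it anywhere
$drive          = "W:"
$group          = "CONTOSO\WVD Users"

# Steps 19-20: mount the share with the storage account key
net use $drive "\\$storageAccount.file.core.windows.net\$shareName" /user:Azure\$storageAccount $storageKey
if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }

# Step 21: the folder that will hold the FSLogix profile containers
$profiles = Join-Path $drive "Profiles"
New-Item -ItemType Directory -Path $profiles -Force | Out-Null

# Steps 22-25: stop inheriting the share root ACL, so Authenticated Users and Users no longer apply
icacls $profiles /inheritance:r

# SYSTEM and Administrators keep Full Control, as they did after the conversion in step 23
icacls $profiles /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)(F)"
icacls $profiles /grant:r "BUILTIN\Administrators:(OI)(CI)(F)"

# Steps 26-27: the creator of each profile folder gets Modify on the folders and files below
# (IO = inherit only, so this ACE does not apply to the Profiles folder itself). Not Full Control:
# a user must not be able to re-permission their own container.
icacls $profiles /grant:r "CREATOR OWNER:(OI)(CI)(IO)(M)"

# Steps 28-29: WVD Users get Modify on this folder only (no OI/CI), enough to create their own
# profile folder but without any inherited right into other users' folders
icacls $profiles /grant:r "${group}:(M)"

# Step 30 check: print the resulting ACL and confirm no Users / Authenticated Users entry is left
icacls $profiles
```

The two details that matter for isolation are the (IO) on CREATOR OWNER and the absence of (OI)(CI) on the WVD Users entry; with either of those wrong, every member of the group can browse every other member's profile container.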
As a test you should be able to launch the WVD default desktop by accessing WVD and mapping to the following:
13. Next I will set the VHD location to where the FSLogix profiles will be stored. Don’t forget to add your profiles folder to the end of the path. Save settings
14. Then click Size in MBs
The default is 30GB, we’ll change to 20GB and save settings
15. Next, I click on Delete local profile when FSLogix Profile should apply
16. Click container and directory naming
17. Access Swap directory name components and enable as shown below. Save
18. Next click virtual disk type, configure (Select VHDX) as shown below and save
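The registry values behind the GPO settings in steps 13 to 18, as an added example (not from the post). FSLogix reads its profile settings from HKLM\SOFTWARE\FSLogix\Profiles, which is also where the GPO writes them, so the same script doubles as a verification step on a session host after gpupdate /force or as the way to bake the settings into a gold image. The share path is assembled from the storage account and share names used earlier on this page, with the Profiles folder appended as step 13 requires; the 20GB size is written as 20480 MB.

```powershell
# Added example, not from the post. Writes the FSLogix Profiles settings configured by GPO in
# steps 13-18 directly to the registry, and reads them back for verification.
# Assumed share path: \\cbazurefile.file.core.windows.net\cloudbuildshare\Profiles
$key = "HKLM:\SOFTWARE\FSLogix\Profiles"

$settings = @(
    @{ Name = "Enabled";                              Type = "DWord";       Value = 1 },
    @{ Name = "VHDLocations";                         Type = "MultiString";               # step 13
       Value = @("\\cbazurefile.file.core.windows.net\cloudbuildshare\Profiles") },
    @{ Name = "SizeInMBs";                            Type = "DWord";       Value = 20480 },   # step 14: 20GB (default 30GB)
    @{ Name = "DeleteLocalProfileWhenVHDShouldApply"; Type = "DWord";       Value = 1 },       # step 15
    @{ Name = "FlipFlopProfileDirectoryName";         Type = "DWord";       Value = 1 },       # step 17: swap directory name components
    @{ Name = "VolumeType";                           Type = "String";      Value = "VHDX" }   # step 18
)

# Write the settings (needs an elevated prompt on the session host or image)
function Set-FslProfileSettings {
    New-Item -Path $key -Force | Out-Null
    foreach ($s in $settings) {
        New-ItemProperty -Path $key -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
    }
}

# Read back what is in effect; run this alone after gpupdate /force to confirm the GPO applied
function Get-FslProfileSettings {
    Get-ItemProperty -Path $key | Select-Object Enabled, VHDLocations, SizeInMBs,
        DeleteLocalProfileWhenVHDShouldApply, FlipFlopProfileDirectoryName, VolumeType
}

Set-FslProfileSettings
Get-FslProfileSettings
```

Get-FslProfileSettings is the half you will reuse most: when a user reports a temporary profile, comparing its output between a working and a failing host is the fastest way to spot a GPO that did not apply.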
That’s it for configuring the GPO
19. I will now link the GPO to the OU I created earlier
20. Now we’re ready to install the FSLogix client. So, I have two Windows 10 session hosts that were deployed as part of a previous blog post. You can check the post at the following link Deploying Windows Virtual Desktop in Azure
I’m going to RDP to both and install the FSLogix client. If you have a base image, also known as a gold image, the application can be deployed to the base image. I will cover this in a separate blog post.
Here is what I did to install the FSLogix App
1. RDP to both Windows Session Hosts from my domain controller
2. Visit http://aka.ms/fslogix_download to download the FSLogix client
3. Extract the folder
4. Access the folders named x64 > Release
5. Run the FSLogixAppsSetup file
6. When ready to accept the license agreement, click install
7. Run gpupdate /force
– Open command prompt on the session hosts
– Type gpupdate /force and enter
– Log off both hosts
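An unattended version of install steps 1 to 7, as an added example (the post installs interactively). The download URL is the one given above; /install, /quiet and /norestart are the installer's documented switches, and exit code 3010 is the standard "reboot required" result. Run it in an elevated prompt on each session host.

```powershell
# Added example, not the post's own steps: silent FSLogix install plus policy refresh on one host.
$zip = Join-Path $env:TEMP "FSLogix_Apps.zip"
$dir = Join-Path $env:TEMP "FSLogix_Apps"

# Steps 2-3: download and extract the client package
Invoke-WebRequest -Uri "http://aka.ms/fslogix_download" -OutFile $zip -UseBasicParsing
Expand-Archive -Path $zip -DestinationPath $dir -Force

# Steps 4-6: run the x64 installer without the license dialog
$setup = Join-Path $dir "x64\Release\FSLogixAppsSetup.exe"
$p = Start-Process -FilePath $setup -ArgumentList "/install", "/quiet", "/norestart" -Wait -PassThru
if ($p.ExitCode -notin 0, 3010) { throw "FSLogix install failed with exit code $($p.ExitCode)" }

# Check: the FSLogix Apps service exists and which version was installed
Get-Service -Name frxsvc | Select-Object Name, Status
(Get-Item "$env:ProgramFiles\FSLogix\Apps\frxsvc.exe").VersionInfo.FileVersion

# Step 7: pull the FSLogix GPO before anyone logs on (reboot instead if the exit code was 3010)
gpupdate /force
```

Checking the file version across all hosts is the control you want after the install: a host pool where session hosts run different FSLogix versions is a common cause of profiles that attach on one host and not another.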
8. Now the moment has arrived. We will be testing FSLogix
10. Let’s create a couple of test folders on the desktop
11. Now I need to log off and back on, but this time I want to log on to the second session host. I will enable drain mode on the host I am currently logged on to. Drain mode means that the host will not accept new sessions. It is similar to Maintenance mode in Citrix.
12. To enable drain mode on the WVD session host that I am currently logged on to:
– Log in to the Azure Portal
– Click Windows Virtual Desktop
– Click Host Pools
– Click on the host pool
– Click Session hosts from the left pane
– Click the session host showing an active session
13. Enable Drain mode
14. Log off and log back on
15. And here are the two folders we created on the desktop
16. Now let’s access the Azure file share and check the profile
I am logged onto the second host, whilst Drain mode is enabled on the other host