Use Azure Files for FSLogix User Profile Data with Windows Virtual Desktop


In this blog post I will go through the process of configuring FSLogix for a Windows Virtual Desktop deployment using an Azure file share. I will also go through the process of enabling Active Directory authentication on that share.

What is FSLogix?
FSLogix is a set of solutions that enhance, enable, and simplify non-persistent Windows computing environments. FSLogix solutions are appropriate for Virtual environments in both public and private clouds. FSLogix solutions may also be used to create more portable computing sessions when using physical devices.

FSLogix Requirements
Before we get started: at the time of writing this blog post there are a few licensing requirements for FSLogix. You are eligible to access FSLogix Profile Container, Office 365 Container, Application Masking, and Java Redirection tools if you have one of the following licenses:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/ Student Use Benefits
  • Microsoft 365 F1/F3
  • Microsoft 365 Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) Client Access License (CAL)
  • Remote Desktop Services (RDS) Subscriber Access License (SAL)

FSLogix solutions may be used in any public or private data center, as long as a user is properly licensed. FSLogix tools operate on all operating systems newer than, and including:

  • Desktop – Windows 7
  • Server – 2008 R2
  • FSLogix solutions support both 32 bit and 64 bit where applicable
  • In no instance are FSLogix solutions supported in an environment that is not supported by Microsoft, or the original software or equipment vendor

What is Azure Files?

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol or Network File System (NFS) protocol. Azure file shares can be mounted concurrently by cloud or on-premises deployments. Azure Files SMB file shares are accessible from Windows, Linux, and macOS clients. Azure Files NFS file shares are accessible from Linux or macOS clients. Additionally, Azure Files SMB file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.

Azure Files is widely used, and recommended by Microsoft, for storing user profiles with FSLogix. Azure Files provides multiple tiers that you can select based on your cost/performance needs.

In this blog I will go through the process of setting up Azure Files for FSLogix profiles in Windows Virtual Desktop.

If your organisation has password expiration policies in place, you may have to create a separate OU to stop the password expiring for the AD account that represents the Azure storage account. Your organisation may also run automated cleanup scripts that delete accounts once their password expires. If that happens and you have not changed the password before it expires, the account could be deleted, and you will lose access to your Azure file shares. If there are security concerns around creating a policy that prevents the computer account password from expiring, the alternative is to rotate the password before the 30 day expiration. The following Microsoft article provides guidance: Enable AD DS authentication to Azure file shares | Microsoft Docs (below is a screenshot from that page).
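For the "rotate the password before it expires" option, here is an added example script (not from the original post or from Microsoft) that reports the age of the storage account's computer object password and rotates it when it is getting close to the 30 day limit. It relies on the Update-AzStorageAccountADObjectPassword cmdlet from the AzFilesHybrid module (imported later in this post) and on the RSAT ActiveDirectory module, so it is only useful once the storage account has been joined to the domain. The resource group and storage account names are the lab values used further down; the 25 day threshold and the kerb2 key choice are my assumptions.

```powershell
# Added example: check the age of the storage account's AD computer object password
# and rotate it before the default 30-day machine account password age is reached.
# Run from a domain-joined machine after Connect-AzAccount / Select-AzSubscription.
Import-Module ActiveDirectory
Import-Module AzFilesHybrid

$ResourceGroupName       = 'AzureFileRG'     # lab value from this post
$StorageAccountName      = 'cbazurefile'     # also the computer object's sAMAccountName
$MaxAgeDays              = 30                # "Maximum machine account password age" default
$RotateWhenOlderThanDays = 25                # assumption: rotate with a safety margin
$RotateToKerbKey         = 'kerb2'           # assumption: alternate kerb1/kerb2 on each rotation

# PasswordLastSet is derived from the pwdLastSet attribute of the computer object
$computer = Get-ADComputer -Identity $StorageAccountName -Properties PasswordLastSet
$ageDays  = ((Get-Date) - $computer.PasswordLastSet).TotalDays
Write-Host ('{0}: password last set {1:u}, age {2:N1} days' -f $computer.Name, $computer.PasswordLastSet, $ageDays)

if ($ageDays -gt $MaxAgeDays) {
    Write-Warning "Password is already older than $MaxAgeDays days; Kerberos access to the share may be failing until it is rotated."
}

if ($ageDays -ge $RotateWhenOlderThanDays) {
    # Regenerates the chosen Kerberos key on the storage account and writes it as the new
    # password of the AD computer object, so both sides stay in sync.
    Update-AzStorageAccountADObjectPassword -RotateToKerbKey $RotateToKerbKey `
        -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName

    # Confirm the rotation took effect in AD
    $after = Get-ADComputer -Identity $StorageAccountName -Properties PasswordLastSet
    Write-Host ('Rotated. PasswordLastSet is now {0:u}' -f $after.PasswordLastSet)
} else {
    Write-Host "No rotation needed yet (threshold $RotateWhenOlderThanDays days)."
}
```

Scheduling this on the domain controller (or any management box with both modules) is a reasonable middle ground if you would rather not disable password expiry for the OU.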



My lab environment includes a domain controller hosted in Azure and two Windows 10 session hosts for Windows Virtual Desktop. AD accounts are synced to Azure AD using Azure AD Connect. I created the WVD solution as part of the following blog post: Deploying Windows Virtual Desktop


1) For this demo, I have created the following OU within AD

2) I have created a group policy and disabled password expiry for computer accounts residing in this OU. Further details below.

3) I logged into group policy management and created a new policy as follows:

For this example, I have named my policy Azure Files – Password Does Not Expire

4) Right click and edit the policy and browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

5) Locate: Domain Member: Maximum machine account password age

6) Tick Define this policy setting, set the value to 0 and save

7) Now that I have created an OU and a Group Policy that prevents the computer account password from expiring for accounts within the Azure Files OU, I will link the newly created policy to the OU.

Right click the Azure Files OU within the Group Policy Management console, click Link an Existing GPO, select the policy and click OK.


Create Storage Account in Azure

I will now create a storage account within the Azure Portal

  1. Login to the Azure Portal portal.azure.com
  2. Locate and click storage accounts

3. Click +Add


4. Complete the details (example below). I have created a new resource group named AzureFileRG. If you require higher IOPS (up to 100,000), you may want to look into the premium tier instead of standard.

Ensure the storage account name is 15 characters or fewer. I'll explain why later.

5. Lock down your storage account so that only the VMs on selected virtual networks have access to the file share:

– Select Public endpoint (selected networks) and pick the VNET to which your session hosts are connected
– Select all subnets that the domain controller and session hosts connect to

6. I will leave the rest of the settings as default and click review and create.

7. Once validation passes, click create

Create File Share

Now that we have created the storage account, let’s create the file share

1. Click storage accounts and click the storage account you just created

2. Click File shares

3. Click + File share

4. Input the new file share details and click next. For this example, I have entered the details shown below. If you don't configure a quota, the default maximum share size applies.

Azure Files offers four different tiers of storage, premium, transaction optimised, hot, and cool to allow you to tailor your shares to the performance and price requirements of your scenario:

  • Premium: Premium file shares are backed by solid-state drives (SSDs) and are deployed in the FileStorage storage account type. Premium file shares provide consistent high performance and low latency, within single-digit milliseconds for most IO operations, for IO-intensive workloads. Premium file shares are suitable for a wide variety of workloads like databases, web site hosting, and development environments. Premium file shares can be used with both Server Message Block (SMB) and Network File System (NFS) protocols.
  • Transaction optimized: Transaction optimized file shares enable transaction heavy workloads that don’t need the latency offered by premium file shares. Transaction optimized file shares are offered on the standard storage hardware backed by hard disk drives (HDDs) and are deployed in the general purpose version 2 (GPv2) storage account type. Transaction optimized has historically been called “standard”, however this refers to the storage media type rather than the tier itself (the hot and cool are also “standard” tiers, because they are on standard storage hardware).
  • Hot: Hot file shares offer storage optimized for general purpose file sharing scenarios such as team shares and Azure File Sync. Hot file shares are offered on the standard storage hardware backed by HDDs and are deployed in the general purpose version 2 (GPv2) storage account type.
  • Cool: Cool file shares offer cost-efficient storage optimized for online archive storage scenarios. Azure File Sync may also be a good fit for lower churn workloads. Cool file shares are offered on the standard storage hardware backed by HDDs and are deployed in the general purpose version 2 (GPv2) storage account type.

More info can be located here

5. File share configured successfully
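The same storage account and file share can be created from Azure PowerShell. The following is an added example (not from the original post) that performs the storage account steps 1-7 and the file share steps 1-5 above: it checks the 15 character name limit up front, creates a standard GPv2 account with HTTPS only and TLS 1.2, restricts the account to the session host and domain controller subnets, and creates the share with a quota and access tier. The resource group, storage account and share names are the lab values from this post; the region, VNet, subnet names and the 100 GiB quota are assumptions.

```powershell
# Added example: storage account + locked-down network rules + FSLogix share via Az PowerShell.
# Requires Connect-AzAccount and the Az.Storage / Az.Network modules.
Import-Module Az.Storage, Az.Network

$ResourceGroupName  = 'AzureFileRG'                     # lab value
$StorageAccountName = 'cbazurefile'                     # lab value
$ShareName          = 'cloudbuildshare'                 # lab value
$Location           = 'uksouth'                         # assumption
$ShareQuotaGiB      = 100                               # assumption
$VNetResourceGroup  = 'WVD-RG'                          # assumption
$VNetName           = 'WVD-VNet'                        # assumption
$SubnetNames        = @('SessionHosts', 'DomainControllers')  # assumption

# The AD computer object created later by Join-AzStorageAccountForAuth is named after the
# storage account, and a sAMAccountName is limited to 15 characters.
if ($StorageAccountName.Length -gt 15) {
    throw "Storage account name '$StorageAccountName' is longer than 15 characters; AD DS authentication setup will fail."
}

New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Force | Out-Null

# Standard (HDD-backed) GPv2 account. For premium shares use -SkuName Premium_LRS -Kind FileStorage.
New-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
    -Location $Location -SkuName Standard_LRS -Kind StorageV2 `
    -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false | Out-Null

# "Selected networks": the subnets need the Microsoft.Storage service endpoint, then each
# subnet is added as an allowed rule and the default action is set to Deny.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $VNetResourceGroup -Name $VNetName
foreach ($subnetName in $SubnetNames) {
    $subnet    = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
    $endpoints = @(@($subnet.ServiceEndpoints.Service; 'Microsoft.Storage') | Where-Object { $_ } | Select-Object -Unique)
    # Set-AzVirtualNetworkSubnetConfig rewrites the subnet, so carry over the NSG and route
    # table associations explicitly or they are dropped.
    $params = @{ VirtualNetwork = $vnet; Name = $subnetName; AddressPrefix = $subnet.AddressPrefix; ServiceEndpoint = $endpoints }
    if ($subnet.NetworkSecurityGroup) { $params.NetworkSecurityGroupId = $subnet.NetworkSecurityGroup.Id }
    if ($subnet.RouteTable)           { $params.RouteTableId           = $subnet.RouteTable.Id }
    Set-AzVirtualNetworkSubnetConfig @params | Out-Null
}
$vnet = $vnet | Set-AzVirtualNetwork

foreach ($subnetName in $SubnetNames) {
    $subnetId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName).Id
    Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
        -VirtualNetworkResourceId $subnetId | Out-Null
}
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# The share itself. -AccessTier selects one of the tiers described above
# (TransactionOptimized, Hot, Cool; Premium only on FileStorage accounts).
New-AzRmStorageShare -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName `
    -Name $ShareName -QuotaGiB $ShareQuotaGiB -AccessTier TransactionOptimized | Out-Null

# Review what was configured
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
Get-AzRmStorageShare -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -Name $ShareName |
    Select-Object Name, QuotaGiB, AccessTier
```

The network rule set is the part worth double checking afterwards: with DefaultAction set to Deny, anything not on the listed subnets (including the machine you run the later mounting test from) will get "access denied" on port 445, which is the intended behaviour.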

Enable SMB Authentication

Next, I will enable SMB Authentication

1. Download AzFilesHybrid.zip from https://github.com/azure-samples/azure-files-samples/releases

2. Extract the files


3. Launch PowerShell and type the command shown below. This command allows the current user to execute scripts.

4. Next browse to the folder where the three scripts are stored as shown below.

5. Run the CopyToPSPath.ps1 script
This script copies the module directory into the PowerShell module path

6. Next we import the AzFilesHybrid module using the command below. The import will take a few minutes.

7. Next, I connect to my Azure Tenant


8. Login when prompted, and we’re connected


9. Type Select-AzSubscription -SubscriptionId <subscription ID> and press enter

One of the places to retrieve your subscription ID: Click your storage account and click overview from the left menu.

10. Next we will run the following:

Please note that the domain account can be either a computer or a service account. For this example, I'm creating a computer account.

The next commands will create the object within your Windows Active Directory OU that was created earlier.

Join-AzStorageAccountForAuth `
    -ResourceGroupName AzureFileRG `
    -Name cbazurefile `
    -DomainAccountType ComputerAccount `
    -OrganizationalUnitDistinguishedName "OU=Azure Files,OU=CloudBuild,DC=CloudBuild,DC=co,DC=uk"

Note: "-Name" is the name of the storage account you created in the Azure Portal earlier. The command I'll be running is shown above; your values will be different.

Note: You can obtain the OU distinguished name by right clicking the OU in AD Users and Computers (enable Advanced Features under View for the tab to appear), clicking Properties, opening the Attribute Editor tab and locating distinguishedName, as shown below.


11. Success

12. Now let’s check if the computer account has been created within AD Users and Computers.

Note that the computer name is the same as the storage account name. If the storage account name had been more than 15 characters, the command above would have failed, because a computer account name (sAMAccountName) is limited to 15 characters.
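Steps 3 to 12 above, run as one script with verification added at the end, as an added example (not from the original post). Besides the Join-AzStorageAccountForAuth call from this post it checks that the storage account now reports AD as its directory service, that the computer object exists where expected in AD, and it runs the Debug-AzStorageAccountAuth checks that ship with the AzFilesHybrid module. The extraction folder and the subscription ID placeholder are assumptions; the OU and names are the lab values from this post.

```powershell
# Added example: enable AD DS authentication on the storage account and verify it.
# Run in an elevated PowerShell session on a domain-joined machine (the domain controller here).
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force   # step 3

Set-Location -Path 'C:\AzFilesHybrid'      # assumption: where AzFilesHybrid.zip was extracted (step 4)
.\CopyToPSPath.ps1                          # step 5: copies the module into the PSModulePath
Import-Module -Name AzFilesHybrid           # step 6
Import-Module -Name ActiveDirectory

$SubscriptionId      = '<subscription ID>'   # placeholder: from the storage account Overview blade
$ResourceGroupName   = 'AzureFileRG'
$StorageAccountName  = 'cbazurefile'
$OuDistinguishedName = 'OU=Azure Files,OU=CloudBuild,DC=CloudBuild,DC=co,DC=uk'

Connect-AzAccount | Out-Null                                         # steps 7-8
Select-AzSubscription -SubscriptionId $SubscriptionId | Out-Null     # step 9

# A computer object's sAMAccountName is limited to 15 characters
if ($StorageAccountName.Length -gt 15) {
    throw "Storage account name '$StorageAccountName' exceeds 15 characters and cannot be used as a computer account name."
}

# Step 10: create the computer object in the OU and register the Kerberos key as its password
Join-AzStorageAccountForAuth -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
    -DomainAccountType ComputerAccount -OrganizationalUnitDistinguishedName $OuDistinguishedName

# Verify on the Azure side: the account should now report AD as its identity source
$sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$auth = $sa.AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne 'AD') {
    throw "Expected DirectoryServiceOptions 'AD' but found '$($auth.DirectoryServiceOptions)'"
}
'Directory service: {0}; domain: {1}; storage SID: {2}' -f $auth.DirectoryServiceOptions,
    $auth.ActiveDirectoryProperties.DomainName, $auth.ActiveDirectoryProperties.AzureStorageSid

# Verify on the AD side (step 12): the computer object is named after the account and sits in the OU
$computer = Get-ADComputer -Identity $StorageAccountName -Properties PasswordLastSet, ServicePrincipalNames
if ($computer.DistinguishedName -notlike "*,$OuDistinguishedName") {
    Write-Warning "Computer object is not in the expected OU: $($computer.DistinguishedName)"
}
$computer | Select-Object Name, DistinguishedName, PasswordLastSet, ServicePrincipalNames

# Module-provided end-to-end checks (domain join state, SPN, SID mapping, port 445, ...)
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose
```

The Debug-AzStorageAccountAuth output is the first place to look if users later get prompted for credentials when opening the share: it walks the same dependencies (SPN, SID, domain trust, connectivity) that the FSLogix service will rely on at logon.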



13. Next, let’s assign permissions to the share we created in Azure. Go back to the Azure Portal > Click the Storage Account > File shares

14. Click the file share name and then click Access Control (IAM)

15. Click Add role assignments


The following SMB roles exist. We’re only adding the top two roles.

  • Storage File Data SMB Share Contributor: permission to read, write and modify
  • Storage File Data SMB Share Elevated Contributor: permission to read, write, modify and manage NTFS permissions
  • Storage File Data SMB Share Reader: permission to read

16. The first role is Storage File Data SMB Share Elevated Contributor, and I'll be assigning an admin account to this role as shown below. Cloud Build User 1 is my admin account.

17. Click save and add role assignment again and add SMB Share Contributor. I have assigned my WVD Users Group to this role

Any member of the WVD Users group will be assigned an FSLogix profile.

18. Next we will require the Storage Access Key. Click the storage account and click Access Keys

19. Copy either key 1 or key 2 and paste to notepad for now (Keep this key SAFE. It’s the key to your storage account and files!)

In the next steps I will mount the share and assign NTFS permissions.

19. I will now run the command below to check that I can mount the new share. I'll be running the command from my domain controller, but you can run it from any domain joined machine.

net use W: "\\<StorageAccountHere>.file.core.windows.net\<ShareNameHere>" /user:Azure\<StorageAccountNameHere> <StorageAccountKeyHere>
net use W: "\\cbazurefile.file.core.windows.net\cloudbuildshare" /user:Azure\cbazurefile XXXXXXXXXXXXXNacmCQY6CDV3SDQ2DUxosXXXXXXXXXXR2eiBJ/xKemkX5coX7xE2EFYtO6XXXXXXXX8V8XgWLg==

20. Success

And the file share has mounted
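Steps 13 to 20 above (role assignments, fetching the access key and the mount test) in PowerShell, as an added example that is not part of the original post. The roles are assigned at the scope of the single file share rather than the whole storage account, the access key is read straight into a credential with Get-AzStorageAccountKey so it never has to sit in Notepad, and the script checks that TCP 445 is reachable before mapping the drive. The admin UPN is an assumption standing in for "Cloud Build User 1"; the group, account and share names are the lab values from this post.

```powershell
# Added example: share-scoped SMB role assignments, key retrieval and a mount test.
# Requires Connect-AzAccount / Select-AzSubscription and the Az.Resources + Az.Storage modules.
Import-Module Az.Resources, Az.Storage

$ResourceGroupName  = 'AzureFileRG'
$StorageAccountName = 'cbazurefile'
$ShareName          = 'cloudbuildshare'
$AdminUpn           = 'cloudbuilduser1@cloudbuild.co.uk'   # assumption: UPN of the admin account
$UsersGroupName     = 'WVD Users'
$SubscriptionId     = (Get-AzContext).Subscription.Id

# Scope of one file share, narrower than the storage account itself
$shareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Storage" +
              "/storageAccounts/$StorageAccountName/fileServices/default/fileshares/$ShareName"

$admin = Get-AzADUser  -UserPrincipalName $AdminUpn
$group = Get-AzADGroup -DisplayName $UsersGroupName

# Steps 15-17: admin gets Elevated Contributor (can manage NTFS ACLs), users get Contributor
New-AzRoleAssignment -ObjectId $admin.Id -Scope $shareScope `
    -RoleDefinitionName 'Storage File Data SMB Share Elevated Contributor' | Out-Null
New-AzRoleAssignment -ObjectId $group.Id -Scope $shareScope `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' | Out-Null

Get-AzRoleAssignment -Scope $shareScope | Select-Object DisplayName, RoleDefinitionName, Scope

# Steps 18-19: the storage account key is only needed once, to set NTFS permissions as a
# "super user". Keep it in a variable, not in a text file.
$key       = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value
$secureKey = ConvertTo-SecureString -String $key -AsPlainText -Force
$cred      = New-Object System.Management.Automation.PSCredential ("Azure\$StorageAccountName", $secureKey)
$fqdn      = "$StorageAccountName.file.core.windows.net"

# Step 19 (mount test): an early failure here is almost always port 445 being blocked
# by a firewall/ISP or by the storage account's network rules.
if (-not (Test-NetConnection -ComputerName $fqdn -Port 445).TcpTestSucceeded) {
    throw "TCP 445 to $fqdn is not reachable from this machine"
}
New-PSDrive -Name W -PSProvider FileSystem -Root "\\$fqdn\$ShareName" -Credential $cred -Persist -Scope Global | Out-Null
Get-ChildItem -Path 'W:\'      # step 20: the share is mounted

# Don't leave the key in the session once the drive is mapped
Remove-Variable -Name key, secureKey, cred
```

Assigning the roles at the share scope means an account that later gets added to the group still has no rights on other shares in the same storage account, which is a useful property if the account is ever reused for something other than profiles.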

21. Let’s create a folder for FSLogix Profiles

22. Next we will set permissions that allow user profiles to be created while preventing users from accessing other users' profiles:

Right click the Profiles folder
Click properties
Click the Security tab
Click the advanced button
Click the disable inheritance button

23. Click Convert inherited permissions into explicit permissions on this object

24. Next, click authenticated users and click remove

25. Click users and click remove

26. Next, click CREATOR OWNER and click edit

27. Untick Full Control and save

28. Next add WVD Users: click Add, click Select a principal, locate your WVD Users group and click OK

29. For the WVD Users permissions, select Modify and change Applies to to This folder only

30. Click ok and apply
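Steps 21 to 30 above as a script, an added example that is not part of the original post. It assumes the share is still mapped as W: with the storage account key (as in step 19) and that the domain's NetBIOS name is CLOUDBUILD (an assumption; adjust the group name to your domain). The resulting ACL is the one the steps describe: inheritance disabled, Authenticated Users and Users removed, CREATOR OWNER with Modify on subfolders and files only, and WVD Users with Modify on this folder only.

```powershell
# Added example: NTFS permissions for the FSLogix Profiles folder via Get-Acl/Set-Acl.
$ProfilesPath  = 'W:\Profiles'
$WvdUsersGroup = 'CLOUDBUILD\WVD Users'     # assumption: DOMAIN\Group of the WVD users group

# Step 21: create the Profiles folder
New-Item -Path $ProfilesPath -ItemType Directory -Force | Out-Null

# Steps 22-23: disable inheritance and convert the inherited ACEs into explicit ones
$acl = Get-Acl -Path $ProfilesPath
$acl.SetAccessRuleProtection($true, $true)    # isProtected = $true, preserveInheritance = $true
Set-Acl -Path $ProfilesPath -AclObject $acl
$acl = Get-Acl -Path $ProfilesPath            # re-read so the now-explicit ACEs can be edited

# Steps 24-25: remove Authenticated Users and Users entirely
foreach ($name in 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users') {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
}

# Steps 26-27: CREATOR OWNER keeps Modify (Full Control unticked) on subfolders and files only.
# Each user thereby owns and can modify only the profile folder they created.
$creatorOwner = [System.Security.Principal.NTAccount]'CREATOR OWNER'
$acl.PurgeAccessRules($creatorOwner)
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $creatorOwner, 'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'))

# Steps 28-29: WVD Users gets Modify on this folder only (no inheritance flags), so members
# can create their own profile folder but do not inherit rights into other users' folders.
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    [System.Security.Principal.NTAccount]$WvdUsersGroup, 'Modify', 'None', 'None', 'Allow'))

# Step 30: apply
Set-Acl -Path $ProfilesPath -AclObject $acl

# Review the result; there should be no Authenticated Users / Users entry left
(Get-Acl -Path $ProfilesPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags, PropagationFlags -AutoSize
```

The "this folder only" scope on the group entry is the important part: it is what stops one user from opening another user's container folder even though both are members of the same group.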

As a test, you should be able to launch the WVD default desktop and map the following path from within it:

\\STORAGE-ACCOUNT-NAME-HERE.file.core.windows.net\FILE-SHARE-NAME-HERE

The next post will continue with configuring the FSLogix Group Policy and installing the FSLogix Service. Click the following link to continue – Configure FSLogix Group Policy and Install FSLogix App

Configure FSLogix Group Policy and install FSLogix App


Continuing from the previous post, where I used Azure Files for FSLogix user profile data with WVD, I will now create a group policy for the FSLogix settings, install the FSLogix service and test it. You can check out the previous post by clicking the following link: Use Azure Files for FSLogix User Profile Data with Windows Virtual Desktop

Before we get started, download the FSLogix templates from aka.ms/fslogix_download

The files will be required to allow you to configure FSLogix Group Policy settings.

  1. I start by logging into my domain controller and launching AD Users and Computers
  2. I created a new OU named WVD Session Hosts

3. I created a couple of WVD session hosts in a previous blog post. The blog post can be located at Deploying Windows Virtual Desktop in Microsoft Azure

I move the two hosts to my newly created OU. By default the session hosts were created in the default Computers container.

4. Both session hosts are now in the new WVD Session Hosts OU

5. Now, back to the FSLogix files we downloaded at the beginning of this post

6. Copy the fslogix.admx file and paste it into your domain's SYSVOL folder, as shown below.

In my case I will be browsing to:
\\CloudBuild-Serv\SYSVOL\CloudBuild.co.uk\Policies\PolicyDefinitions

and will copy my admx file here as shown below. I had to create the PolicyDefinitions folder because this is a new domain controller. You may already have this folder in place.

7. Next I will copy the language file, fslogix.adml

I copy this file into the en-US folder under PolicyDefinitions. The folder didn't exist because this is a new domain controller, so I created it.

8. Next launch Group Policy

9. Create a new policy. I have named my policy FSLogix Profiles

10. Right click and edit the policy

11. Expand Computer Configuration > Administrative Templates > FSLogix and click Profile Containers

12. Firstly, I'll enable FSLogix

Double click Enabled, select Enabled and save

13. Next I will set the VHD location to where the FSLogix profiles will be stored. Don’t forget to add your profiles folder to the end of the path. Save settings

14. Then click Size in MBs

The default is 30GB; we'll change it to 20GB and save the settings

15. Next, I enable Delete local profile when FSLogix Profile should apply

16. Click container and directory naming

17. Open Swap directory name components and enable it as shown below. Save

18. Next click virtual disk type, configure (Select VHDX) as shown below and save

That’s it for configuring the GPO

19. I will now link the GPO to the OU I created earlier
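The GPO from steps 9 to 19 can also be built with the GroupPolicy module. Below is an added example (not from the original post) that creates the "FSLogix Profiles" GPO, writes the same six settings as registry policy values under the key the fslogix.admx template maps to (so they show up under Administrative Templates > FSLogix > Profile Containers in the editor), and links the GPO to the session host OU. The share path and OU are the lab values from these posts; 20000 MB is my reading of "20GB" in the Size in MBs setting (the FSLogix default is 30000).

```powershell
# Added example: FSLogix Profile Container settings as a GPO, created and linked from PowerShell.
# Run on the domain controller (or a machine with the RSAT GroupPolicy module).
Import-Module GroupPolicy

$GpoName  = 'FSLogix Profiles'
$TargetOu = 'OU=WVD Session Hosts,DC=CloudBuild,DC=co,DC=uk'
$ShareUnc = '\\cbazurefile.file.core.windows.net\cloudbuildshare\Profiles'
$Key      = 'HKLM\SOFTWARE\FSLogix\Profiles'    # key used by the fslogix.admx Profile Containers settings

# Steps 9-10: create the GPO (reuse it if it already exists)
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'FSLogix profile container settings for WVD session hosts'
}

# Steps 12-18: the same settings configured in the editor above
$settings = @(
    @{ ValueName = 'Enabled';                              Type = 'DWord';       Value = 1 }            # step 12
    @{ ValueName = 'VHDLocations';                         Type = 'MultiString'; Value = @($ShareUnc) } # step 13
    @{ ValueName = 'SizeInMBs';                            Type = 'DWord';       Value = 20000 }        # step 14 (default 30000)
    @{ ValueName = 'DeleteLocalProfileWhenVHDShouldApply'; Type = 'DWord';       Value = 1 }            # step 15
    @{ ValueName = 'FlipFlopProfileDirectoryName';         Type = 'DWord';       Value = 1 }            # step 17: swap directory name components
    @{ ValueName = 'VolumeType';                           Type = 'String';      Value = 'vhdx' }       # step 18
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $s.ValueName -Type $s.Type -Value $s.Value | Out-Null
}

# Step 19: link to the session host OU unless already linked
$alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Review what the GPO now carries
Get-GPRegistryValue -Name $GpoName -Key $Key | Select-Object ValueName, Type, Value
```

Because the values are stored as registry policy, the same Get-GPRegistryValue call is a quick way to audit an existing FSLogix GPO, for example to confirm that VHDLocations still points at the locked-down share and not at a path someone changed by hand.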

20. Now we’re ready to install the FSLogix client. So, I have two Windows 10 session hosts that were deployed as part of a previous blog post. You can check the post at the following link Deploying Windows Virtual Desktop in Azure

I'm going to RDP to both and install the FSLogix client. If you have a base image, also known as a gold image, the application can be deployed to the base image instead. I will cover this in a separate blog post.

Here is what I did to install the FSLogix App

1. RDP to both Windows Session Hosts from my domain controller
2. Visit http://aka.ms/fslogix_download to download the FSLogix client
3. Extract the folder
4. Access the folders named x64 > Release
5. Run the FSLogixAppsSetup file
6. When ready to accept license agreement, click install

7. Run gpupdate /force
– Open command prompt on the session hosts
– Type gpupdate /force and enter
– Log off both hosts
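Steps 1 to 7 above can be done from the domain controller without an RDP session to each host. The following is an added example (not from the original post) that copies the installer to both session hosts over PowerShell remoting, runs it with the documented silent switches, refreshes group policy and then reports whether the FSLogix service is running and which policy values have landed. The host names and the local path of the extracted download are assumptions.

```powershell
# Added example: silent FSLogix install on both session hosts, then a gpupdate and a health check.
# Requires PowerShell remoting (WinRM) to the hosts and admin rights on them.
$SessionHosts    = @('WVD-SH-0', 'WVD-SH-1')                         # assumption: session host names
$InstallerSource = 'C:\FSLogix\x64\Release\FSLogixAppsSetup.exe'     # assumption: extracted download (steps 2-4)

$results = foreach ($computerName in $SessionHosts) {
    $session = New-PSSession -ComputerName $computerName
    Copy-Item -Path $InstallerSource -Destination 'C:\Windows\Temp\FSLogixAppsSetup.exe' -ToSession $session

    Invoke-Command -Session $session -ScriptBlock {
        # Steps 5-6 with the installer's documented silent switches; 3010 means "reboot required"
        $proc = Start-Process -FilePath 'C:\Windows\Temp\FSLogixAppsSetup.exe' `
            -ArgumentList '/install', '/quiet', '/norestart' -Wait -PassThru
        if ($proc.ExitCode -notin 0, 3010) {
            throw "FSLogix install failed on $env:COMPUTERNAME with exit code $($proc.ExitCode)"
        }

        gpupdate /force | Out-Null    # step 7

        $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Host         = $env:COMPUTERNAME
            ExitCode     = $proc.ExitCode
            Service      = (Get-Service -Name frxsvc).Status          # "FSLogix Apps Services"
            Version      = (Get-Item 'C:\Program Files\FSLogix\Apps\frx.exe').VersionInfo.ProductVersion
            Enabled      = $policy.Enabled
            VHDLocations = ($policy.VHDLocations -join ';')
        }
    }
    Remove-PSSession -Session $session
}

$results | Format-Table -AutoSize
# Log off (or restart, if any host returned 3010) before testing, so the first logon uses a container.
```

If Enabled or VHDLocations come back empty, the GPO has not applied to that host yet, which usually means it is still in the Computers container rather than the WVD Session Hosts OU.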

8. Now the moment has arrived. We will be testing FSLogix

Log in via one of the following:
– https://rdweb.wvd.microsoft.com/webclient/index.html
– Download and configure the Windows Virtual Desktop Client

9. Log in with a user who is a member of the WVD Users group

10. Let’s create a couple of test folders on the desktop

11. Now I need to log off and back on, but this time I want to log on to the second session host. I will enable drain mode on the host I am currently logged on to. Drain mode means that the session host will not accept new sessions, similar to maintenance mode in Citrix.


12. To enable drain mode on the WVD session host that I am currently logged on to:
– Log in to the Azure Portal
– Click Windows Virtual Desktop
– Click Host Pools
– Click on the host pool
– Click Session hosts from the left pane
– Click the session host showing an active session

13. Enable Drain mode


14. Log off and log back on

15. And here are the two folders we created on the desktop



16. Now let's access the Azure file share and check the profile

Success

I am logged onto the second host, whilst Drain mode is enabled on the other host
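Steps 11 to 16 above can also be driven from PowerShell. The following added example (not from the original post) uses the Az.DesktopVirtualization module to find which session host currently holds the test user's session, puts that host into drain mode, and then lists the profile containers on the share so the user's VHDX can be confirmed after the log off/log on. The host pool, resource group and test user are assumptions; the share path is the lab value from the previous post.

```powershell
# Added example: drain the host holding the current session, then verify the profile container on the share.
# Requires Connect-AzAccount and the Az.DesktopVirtualization module; run from a machine that can reach the share.
Import-Module Az.DesktopVirtualization

$ResourceGroupName = 'WVD-RG'                              # assumption
$HostPoolName      = 'WVD-HostPool'                        # assumption
$UserUpn           = 'wvduser1@cloudbuild.co.uk'           # assumption: the test user from step 9
$ProfilesPath      = '\\cbazurefile.file.core.windows.net\cloudbuildshare\Profiles'

# Step 12: find the session host with the user's active session
$session = Get-AzWvdUserSession -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName |
    Where-Object UserPrincipalName -eq $UserUpn
if (-not $session) { throw "No session found for $UserUpn in host pool $HostPoolName" }

# Session names have the form "<hostpool>/<sessionhost>/<sessionid>"
$hostName = ($session.Name -split '/')[1]

# Step 13: drain mode = AllowNewSession false; the existing session stays connected
Update-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
    -Name $hostName -AllowNewSession:$false | Out-Null

Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName |
    Select-Object Name, AllowNewSession, Session, Status

# Step 16 (after the user has logged off and back on): one folder per user in Profiles.
# With "Swap directory name components" enabled the folder is <username>_<SID>; otherwise <SID>_<username>.
Get-ChildItem -Path $ProfilesPath -Directory | ForEach-Object {
    $vhd = Get-ChildItem -Path $_.FullName -Filter '*.vhdx' -ErrorAction SilentlyContinue | Select-Object -First 1
    [pscustomobject]@{
        Folder    = $_.Name
        Container = $vhd.Name
        SizeMB    = if ($vhd) { [math]::Round($vhd.Length / 1MB, 1) } else { $null }
        LastWrite = $vhd.LastWriteTime
    }
} | Format-Table -AutoSize
```

Remember to set AllowNewSession back to $true on the drained host once the test is done, otherwise it silently stays out of rotation.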


Stay tuned for further WVD posts 🙂