In this blog post I will go through the process of configuring FSLogix on a Windows Virtual Desktop platform using an Azure file share. I will also go through the process of enabling Active Directory authentication to the share.
What is FSLogix
FSLogix is a set of solutions that enhance, enable, and simplify non-persistent Windows computing environments. FSLogix solutions are appropriate for Virtual environments in both public and private clouds. FSLogix solutions may also be used to create more portable computing sessions when using physical devices.
FSLogix Requirements
Before we get started: at the time of writing this blog post, there are a few licensing requirements for FSLogix. You are eligible to access the FSLogix Profile Container, Office 365 Container, Application Masking, and Java Redirection tools if you have one of the following licenses:
- Microsoft 365 E3/E5
- Microsoft 365 A3/A5/ Student Use Benefits
- Microsoft 365 F1/F3
- Microsoft 365 Business
- Windows 10 Enterprise E3/E5
- Windows 10 Education A3/A5
- Windows 10 VDA per user
- Remote Desktop Services (RDS) Client Access License (CAL)
- Remote Desktop Services (RDS) Subscriber Access License (SAL)
FSLogix solutions may be used in any public or private data center, as long as a user is properly licensed. FSLogix tools operate on all operating systems newer than, and including:
- Desktop – Windows 7
- Server – 2008 R2
- FSLogix solutions support both 32 bit and 64 bit where applicable
- In no instance are FSLogix solutions supported in an environment that is not supported by Microsoft, or the original software or equipment vendor
What is Azure Files?
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol or Network File System (NFS) protocol. Azure file shares can be mounted concurrently by cloud or on-premises deployments. Azure Files SMB file shares are accessible from Windows, Linux, and macOS clients. Azure Files NFS file shares are accessible from Linux or macOS clients. Additionally, Azure Files SMB file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.
Azure Files is widely used and recommended for storing FSLogix user profiles. Azure Files provides multiple tiers that you can select based on your cost/performance needs.
In this blog I will also go through the process of setting up Azure Files for FSLogix profiles in Windows Virtual Desktop.
If your organisation has password expiration policies in place, you may have to create a separate OU to stop the password expiring for the account that represents the Azure storage account. Your organisation may run automated cleanup scripts that delete accounts once their password expires. Because of this, if you do not change the password before it expires, the account could be deleted, which would cause you to lose access to your Azure file shares. If there are security concerns around creating a policy that prevents the computer account's password from expiring, you could instead update the password before the 30-day expiration. The following Microsoft article provides guidance: Enable AD DS authentication to Azure file shares | Microsoft Docs (below is a screenshot from that article).
My lab environment includes a domain controller hosted in Azure and two Windows 10 Windows Virtual Desktop session hosts. AD accounts are synced to Azure AD using Azure AD Connect. I created the WVD solution as part of the following blog post: Deploying Windows Virtual Desktop
1) For this demo, I have created the following OU within AD
2) I have created a group policy that disables password expiry for computer accounts residing in this OU. Further details below.
3) I logged into group policy management and created a new policy as follows:
For this example, I have named my policy Azure Files – Password Does Not Expire
4) Right-click and edit the policy, then browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
5) Locate: Domain member: Maximum machine account password age
6) Click Define this policy setting, set the value to 0 and save
7) Now that I have created an OU and a Group Policy that prevents the passwords of computer accounts within the Azure Files OU from expiring, I will link the newly created policy to the OU.
Right-click the Azure Files OU within the Group Policy Management console, click Link an Existing GPO, select the policy and click OK
Create Storage Account in Azure
I will now create a storage account within the Azure Portal
1. Log in to the Azure Portal at portal.azure.com
2. Locate and click Storage accounts
3. Click +Add
4. Complete the details (example below). I have created a new resource group named AzureFileRG. If you require higher IOPS, up to 100,000, you may want to look at Premium instead of Standard.
Ensure the storage account name is 15 characters or fewer; I'll explain why later.
5. Lock down your storage account so that only the VMs on selected virtual networks have access to the file share:
– Select Public endpoint (selected networks) and click the VNet that your session hosts are connected to
– Select all subnets that the domain controller and session hosts connect to
6. I will leave the rest of the settings as default and click review and create.
7. Once validation passes, click create
Create File Share
Now that we have created the storage account, let’s create the file share
1. Click storage accounts and click the storage account you just created
2. Click File shares
3. Click + File share
4. Enter the new file share details and click Next. For this example, I have entered the details shown below. If you don't configure a quota, the default limit is applied.
Azure Files offers four different tiers of storage, premium, transaction optimized, hot, and cool, to allow you to tailor your shares to the performance and price requirements of your scenario:
- Premium: Premium file shares are backed by solid-state drives (SSDs) and are deployed in the FileStorage storage account type. Premium file shares provide consistent high performance and low latency, within single-digit milliseconds for most IO operations, for IO-intensive workloads. Premium file shares are suitable for a wide variety of workloads like databases, web site hosting, and development environments. Premium file shares can be used with both Server Message Block (SMB) and Network File System (NFS) protocols.
- Transaction optimized: Transaction optimized file shares enable transaction heavy workloads that don’t need the latency offered by premium file shares. Transaction optimized file shares are offered on the standard storage hardware backed by hard disk drives (HDDs) and are deployed in the general purpose version 2 (GPv2) storage account type. Transaction optimized has historically been called “standard”, however this refers to the storage media type rather than the tier itself (the hot and cool are also “standard” tiers, because they are on standard storage hardware).
- Hot: Hot file shares offer storage optimized for general purpose file sharing scenarios such as team shares and Azure File Sync. Hot file shares are offered on the standard storage hardware backed by HDDs and are deployed in the general purpose version 2 (GPv2) storage account type.
- Cool: Cool file shares offer cost-efficient storage optimized for online archive storage scenarios. Azure File Sync may also be a good fit for lower churn workloads. Cool file shares are offered on the standard storage hardware backed by HDDs and are deployed in the general purpose version 2 (GPv2) storage account type.
More info can be located here
5. File share configured successfully
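The storage account and file share steps above, done with Az PowerShell instead of the portal. This is an added example, not code from the original post; it assumes Connect-AzAccount has already been run, that the VNet and subnets exist with the Microsoft.Storage service endpoint enabled, and the region, VNet, subnet and quota values below are placeholders.

```powershell
# Added example, not part of the original post: creates the storage account from
# steps 4-5 and the file share from the "Create File Share" section with Az PowerShell.
$ResourceGroupName  = 'AzureFileRG'      # resource group used in the post
$StorageAccountName = 'cbazurefile'      # storage account used in the post
$ShareName          = 'cloudbuildshare'  # share name used in the post
$Location           = 'uksouth'          # assumed region
$VNetResourceGroup  = 'WVD-RG'           # assumed
$VNetName           = 'wvd-vnet'         # assumed
$SubnetNames        = 'sessionhosts', 'domaincontrollers'   # assumed
$QuotaGiB           = 100                # assumed quota

# The AD computer object that Join-AzStorageAccountForAuth creates later takes the
# storage account name, and a computer account name cannot exceed 15 characters
if ($StorageAccountName.Length -gt 15) {
    throw "'$StorageAccountName' is longer than 15 characters; the AD join would fail."
}

New-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
    -Location $Location -SkuName Standard_LRS -Kind StorageV2 `
    -MinimumTlsVersion TLS1_2 | Out-Null

# Step 5: public endpoint restricted to selected networks. Deny by default, then
# allow only the subnets the session hosts and domain controller sit in.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName -DefaultAction Deny -Bypass AzureServices | Out-Null

$vnet = Get-AzVirtualNetwork -ResourceGroupName $VNetResourceGroup -Name $VNetName
foreach ($subnetName in $SubnetNames) {
    $subnetId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName).Id
    Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName `
        -Name $StorageAccountName -VirtualNetworkResourceId $subnetId | Out-Null
}

# Create the profile share on the transaction optimized (standard) tier with a quota
New-AzRmStorageShare -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName -Name $ShareName `
    -QuotaGiB $QuotaGiB -AccessTier TransactionOptimized

# Show the effective network rules for review
(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName).VirtualNetworkRules
```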
Enable SMB Authentication
Next, I will enable SMB Authentication
1. Download AzFilesHybrid.zip from https://github.com/azure-samples/azure-files-samples/releases
2. Extract the files
3. Launch PowerShell and type the command below. This command allows the current user to execute scripts.
4. Next, browse to the folder where the three scripts are stored, as shown below.
5. Run the CopyToPSPath.ps1 script
This script copies the module to the PowerShell module path (PSModulePath) so that it can be imported
6. Next we import the AzFilesHybrid module using the command below. The import will take a few minutes.
7. Next, I connect to my Azure Tenant
8. Login when prompted, and we’re connected
9. Type Select-AzSubscription -SubscriptionId <subscription ID> and press enter
One place to retrieve your subscription ID: click your storage account and click Overview in the left menu.
10. Next we will run the following:
Please note that the domain account can be either a computer or a service account. For this example, I'm creating a computer account.
The next command will create the object within the Windows Active Directory OU that was created earlier.
Join-AzStorageAccountForAuth -ResourceGroupName AzureFileRG `
    -Name cbazurefile -DomainAccountType ComputerAccount `
    -OrganizationalUnitDistinguishedName "OU=Azure Files,OU=CloudBuild,DC=CloudBuild,DC=co,DC=uk"
Note: "-Name" is the name of the storage account you created in the Azure Portal earlier. The command I'll be running is shown above; your configuration will differ.
Note: You can obtain the OU distinguished name by right-clicking the OU in Active Directory Users and Computers (enable Advanced Features under View for the option to appear), clicking Properties, then Attribute Editor, and locating distinguishedName as shown below.
11. Success
12. Now let's check that the computer account has been created in AD Users and Computers.
Note that the computer name is the same as the storage account name. If the storage account name had been more than 15 characters, the command above would have failed, as a computer account name (its NetBIOS name / sAMAccountName) is limited to 15 characters.
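The post mentioned earlier that, instead of disabling expiry by GPO, you could update the computer account's password before the 30-day mark. The script below is an added example, not code from the original post, that checks the password age of the storage account's AD object and rotates it with the AzFilesHybrid cmdlet when it is getting old; it assumes the AzFilesHybrid module is imported and Connect-AzAccount has been run (steps 6-8), that the RSAT ActiveDirectory module is installed, and that the 25-day threshold is your own choice.

```powershell
# Added example, not part of the original post: check the AD object's password age
# and rotate it before the 30-day expiry instead of disabling expiry via GPO.
$ResourceGroupName  = 'AzureFileRG'   # values from the post; change to yours
$StorageAccountName = 'cbazurefile'
$MaxAgeDays         = 25              # assumed: rotate a few days before the 30-day expiry

Import-Module ActiveDirectory

# The computer object carries the same name as the storage account (step 12)
$computer = Get-ADComputer -Identity $StorageAccountName -Properties PasswordLastSet
$ageDays  = (New-TimeSpan -Start $computer.PasswordLastSet -End (Get-Date)).Days
Write-Host "AD object '$($computer.Name)' password age: $ageDays day(s)"

if ($ageDays -ge $MaxAgeDays) {
    # The cmdlet regenerates the named Kerberos key on the storage account and sets the
    # AD object's password to it. Alternate between kerb1 and kerb2 on successive rotations.
    Update-AzStorageAccountADObjectPassword `
        -RotateToKerbKey kerb2 `
        -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName
    Write-Host 'Password rotated.'
}

# Confirm the storage account and its AD object still agree (checks the AD object,
# the SPN and the storage account's AD DS configuration)
Debug-AzStorageAccountAuth `
    -StorageAccountName $StorageAccountName `
    -ResourceGroupName $ResourceGroupName `
    -Verbose
```

Run it from a domain-joined machine with the Az modules installed; it can be scheduled to replace the "password does not expire" GPO if that policy is not acceptable to your security team.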
13. Next, let’s assign permissions to the share we created in Azure. Go back to the Azure Portal > Click the Storage Account > File shares
14. Click the file share name and then click Access Control (IAM)
15. Click Add role assignments
The following SMB roles exist. We will only add the first two.
- Storage File Data SMB Share Contributor: permissions to read, write and modify
- Storage File Data SMB Share Elevated Contributor: permissions to read, write, modify and manage NTFS permissions
- Storage File Data SMB Share Reader: permission to read
16. The first role is Storage File Data SMB Share Elevated Contributor, and I'll be assigning an admin account to this role as shown below. Cloud Build User 1 is my admin account.
17. Click Save, click Add role assignment again and add Storage File Data SMB Share Contributor. I have assigned my WVD Users group to this role.
Any member of the WVD Users group will be assigned an FSLogix profile.
18. Next we will need the storage account access key. Click the storage account and click Access keys
19. Copy either key1 or key2 and paste it into Notepad for now (keep this key SAFE: it grants full access to your storage account and files!)
In the next steps I will mount the share and assign NTFS permissions.
20. I will now run the command below to check that I can mount the new share. I'll be running the command from my domain controller, but you can run it from any domain-joined machine.
net use W: "\\<StorageAccountHere>.file.core.windows.net\<ShareNameHere>" /user:Azure\<StorageAccountNameHere> <StorageAccountKeyHere>
net use W: "\\cbazurefile.file.core.windows.net\cloudbuildshare" /user:Azure\cbazurefile XXXXXXXXXXXXXNacmCQY6CDV3SDQ2DUxosXXXXXXXXXXR2eiBJ/xKemkX5coX7xE2EFYtO6XXXXXXXX8V8XgWLg==
21. Success
And the file share has mounted.
22. Let's create a folder for FSLogix profiles
23. Next we will set permissions to allow user profiles to be created and to prevent users from accessing other users' profiles:
Right-click the Profiles folder
Click Properties
Click the Security tab
Click the Advanced button
Click the Disable inheritance button
24. Click Convert inherited permissions into explicit permissions on this object
25. Next, click Authenticated Users and click Remove
26. Click Users and click Remove
27. Next, click CREATOR OWNER and click Edit
28. Untick Full Control and save
29. Next add WVD Users: click Add, click Select a principal, locate your WVD Users group and click OK
30. For the WVD Users permissions, select Modify and change Applies to: This folder only
31. Click OK and Apply
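The same NTFS permission changes applied with icacls, so they can be scripted and repeated on a fresh share. This is an added example rather than the post's own steps; it assumes the share is still mounted on W: (as in the net use step), that the folder is W:\Profiles, and that the group is CLOUDBUILD\WVD Users, so change those to match your environment.

```powershell
# Added example, not part of the original post: apply the Profiles folder ACL from
# the steps above with icacls. Assumed names: W:\Profiles and CLOUDBUILD\WVD Users.
$ProfilesPath = 'W:\Profiles'
$WvdGroup     = 'CLOUDBUILD\WVD Users'   # assumed domain\group

# Disable inheritance, keeping copies of the inherited ACEs as explicit entries
# (the "convert inherited permissions" option in the GUI)
icacls $ProfilesPath /inheritance:d

# Remove Authenticated Users and Users so ordinary users cannot browse other profiles
icacls $ProfilesPath /remove:g 'NT AUTHORITY\Authenticated Users' 'BUILTIN\Users'

# CREATOR OWNER: Modify instead of Full Control, applied to subfolders and files only.
# (OI)(CI)(IO) = object inherit, container inherit, inherit only; M = Modify.
# *S-1-3-0 is the well-known SID for CREATOR OWNER, used so the grant does not
# depend on the localized account name.
icacls $ProfilesPath /remove:g 'CREATOR OWNER'
icacls $ProfilesPath /grant '*S-1-3-0:(OI)(CI)(IO)(M)'

# WVD Users: Modify on this folder only (no inheritance flags), which is enough to
# create their own profile folder but not to open folders owned by other users
icacls $ProfilesPath /grant "${WvdGroup}:(M)"

# Print the resulting ACL for review
icacls $ProfilesPath
```

The user who runs this needs rights to change the DACL, which the key-based mount from the net use step provides; a user connected with an identity that only holds the SMB Share Contributor role would be refused.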
As a test, you should be able to launch the WVD default desktop, sign in, and map the following UNC path from the session:
\\STORAGE-ACCOUNT-NAME-HERE.file.core.windows.net\FILE-SHARE-NAME-HERE
The next post will continue with configuring the FSLogix Group Policy and installing the FSLogix Service. Click the following link to continue – Configure FSLogix Group Policy and Install FSLogix App
Thanks for creating this easy to understand post