FSLogix Setup Lab for the AVD (Azure Virtual Desktop)
Pre-requisite:
An AVD host pool, a domain controller and the session hosts must already be configured.
Step:1
Create Storage Account >> Create File-Share
Step:2
Log in to your domain controller and perform the following activity.
Enabling SMB Authentication
We will add a computer object in Active Directory that represents our storage account.
Go to Domain Controller >> Create OU (AzStorageAccount) >> Right click >> Properties >> Copy the OU path
Creating the computer object for the storage account requires running a PowerShell script (see the link below).
Enable ADDS Authentication:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable
Note: Remove the $SAMAccountName parameter from the script. Once the script has run successfully, you will see a computer object for the storage account in the OU you created.
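Added example (not the lab's own script and not Microsoft's): a PowerShell wrapper around the AzFilesHybrid procedure from the linked Microsoft page, followed by two checks that the computer object really landed in the AzStorageAccount OU and that the storage account reports AD as its directory service. It assumes the AzFilesHybrid module has already been downloaded and imported as the linked page describes, that you are signed in with Connect-AzAccount, and that the resource group, storage account, domain (contoso.com) and OU distinguished name are placeholders you replace with your own.

```powershell
# Added example: run on the domain controller after importing the AzFilesHybrid module
# from the linked Microsoft page. All values below are placeholders (assumptions).
Import-Module -Name AzFilesHybrid

$ResourceGroupName  = "<YourResourceGroupName>"
$StorageAccountName = "<YourStorageAccountName>"
# Distinguished name of the OU copied in Step 2 (constructed example for contoso.com).
$OuDistinguishedName = "OU=AzStorageAccount,DC=contoso,DC=com"

Connect-AzAccount | Out-Null

# Register the storage account as a computer object (the $SamAccountName parameter is
# deliberately omitted, as the lab note says; the cmdlet derives it from the account name).
Join-AzStorageAccount `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -DomainAccountType "ComputerAccount" `
    -OrganizationalUnitDistinguishedName $OuDistinguishedName `
    -EncryptionType "AES256"

# Check 1: the computer object exists in the OU. AD computer names are limited to
# 15 characters, so a longer storage account name is matched by its first 15 characters.
$Prefix = $StorageAccountName.Substring(0, [Math]::Min(15, $StorageAccountName.Length))
$Computer = Get-ADComputer -Filter "Name -like '$Prefix*'" -SearchBase $OuDistinguishedName
if (-not $Computer) {
    throw "No computer object starting with '$Prefix' found in $OuDistinguishedName"
}
Write-Host "Computer object found: $($Computer.DistinguishedName)"

# Check 2: the storage account now lists AD DS as its identity-based authentication source.
$Account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$DirService = $Account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
if ($DirService -ne "AD") {
    throw "Expected DirectoryServiceOptions 'AD' but got '$DirService'"
}
Write-Host "Storage account $StorageAccountName is AD DS enabled."
```

Run this from an elevated PowerShell session on the domain controller with an account that can create computer objects in the target OU. If Check 1 fails, the join did not complete; re-run with -Verbose before touching Step 3, because the NoPasswordExpiry GPO has nothing to apply to until the object exists.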
Step:3
Set a NoPasswordExpiry policy for the storage account computer object
Go to gpmc.msc >> Domains >> Group Policy Objects >> Right click >> Create New GPO (NoPasswordExpiry) >> Right click >>
Edit >> Computer Configuration >> Policies >>
Windows Settings >> Security Settings >> Local Policies >> Security Options >>
Domain member: Maximum machine account password age >> Set 0 Days >> Apply & OK
Now link this GPO to the OU (AzStorageAccount) >> Right click on the OU >> Link an existing GPO >> Select NoPasswordExpiry >> OK
Step:4
Assign share-level permissions (SMB Share Contributor & SMB Share Elevated Contributor)
Go to Storage Account >> Open IAM >> Add new role assignment >> Search (Storage File Data SMB Share Elevated Contributor) >> Assign to the Azure admin
account >> Apply >> OK
Add another role assignment >> Storage File Data SMB Share Contributor >> Assign to AVDUserGroups >> Apply >> OK
Before proceeding to the next step, collect the required details: the file share name and the storage account access key.
CMD to mount the share drive (the last argument is the storage account access key; if you omit it you will be prompted for it):
net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName> /user:localhost\<YourStorageAccountName> <YourStorageAccountKey>
Open the Domain Controller >> Run a command prompt or PowerShell and run the above command >> The file share is now mounted on your PC
Step:5
Now set the NTFS permissions so that only the user whose profile was created can access that profile data.
Open File Explorer on the domain controller >> open the shared drive >> create a new folder >> UserProfile >> right click >> Properties >>
Security >> Advanced >> Disable inheritance >> Convert inherited permissions into explicit permissions >> Remove – Authenticated Users, Users >>
Modify – CREATOR OWNER (only Modify permission, not Full control)
Click on Add >>
Select a principal >> Add AVDUserGroup >> Applies to – This folder only, with Modify permission >> OK >> Apply
>> OK
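Added example (not from the original lab): the mount from Step 4 and the NTFS permissions from Step 5 done in PowerShell instead of the Explorer dialogs, so the result is repeatable and reviewable. It assumes the storage account name, share name and access key are placeholders, that the AD group is AVDUserGroup in a domain called CONTOSO, and that the share is mounted with the account key (which has full control, so the script can rewrite the ACL). The CREATOR OWNER entry is scoped to "Subfolders and files only" and the group entry to "This folder only", which is the scoping Microsoft documents for FSLogix profile shares and the intent of the Step 5 dialog sequence.

```powershell
# Added example: mount the share (Step 4) and lock down the UserProfile folder (Step 5).
# Placeholders below are assumptions; replace them with your own values.
$StorageAccount = "<YourStorageAccountName>"
$ShareName      = "<FileShareName>"
$StorageKey     = "<YourStorageAccountKey>"    # Storage Account >> Access keys
$AvdGroup       = "CONTOSO\AVDUserGroup"        # assumed domain\group name

$Unc = "\\$StorageAccount.file.core.windows.net\$ShareName"

# Mount as Z: with the storage account key (same as the net use line in Step 4).
net use Z: $Unc /user:"localhost\$StorageAccount" $StorageKey /persistent:no | Out-Null
if (-not (Test-Path "Z:\")) { throw "Share $Unc did not mount" }

$ProfilePath = "Z:\UserProfile"
New-Item -ItemType Directory -Path $ProfilePath -Force | Out-Null

# Phase 1: disable inheritance and convert inherited entries to explicit ones, then
# persist. Removing entries only works reliably once they are explicit on disk.
$acl = Get-Acl -Path $ProfilePath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $ProfilePath -AclObject $acl

# Phase 2: drop the broad default groups so users cannot browse each other's containers.
$acl = Get-Acl -Path $ProfilePath
foreach ($name in @("NT AUTHORITY\Authenticated Users", "BUILTIN\Users")) {
    foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $name })) {
        [void]$acl.RemoveAccessRule($ace)
    }
}

# CREATOR OWNER: Modify on subfolders and files only (the user who creates a profile
# folder owns it and gets Modify on its contents, but nothing on UserProfile itself).
$creatorOwner = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CREATOR OWNER", "Modify", "ContainerInherit,ObjectInherit", "InheritOnly", "Allow")
$acl.AddAccessRule($creatorOwner)

# AVDUserGroup: Modify on this folder only, so members can create their own profile
# folder but inherit no rights into other users' folders.
$avdRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AvdGroup, "Modify", "None", "None", "Allow")
$acl.AddAccessRule($avdRule)

Set-Acl -Path $ProfilePath -AclObject $acl

# Show the resulting ACL so it can be compared against the Step 5 dialog.
(Get-Acl -Path $ProfilePath).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

The printed table should contain no Authenticated Users or Users entries, a CREATOR OWNER row with ContainerInherit, ObjectInherit and InheritOnly, and an AVDUserGroup row with no inheritance flags. Administrators and SYSTEM entries converted from the share defaults remain, which is what you want for support and for the FSLogix service.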
Step:6
Create a separate OU for the AVD session hosts so the GPO policies can be applied to them.
Open dsa.msc >> Create New OU (AVDSeesionHostPC) >> Open Computers and move all the session hosts to the newly created OU
Note: All the session hosts are already joined to AD, which is why they appear in the Computers container.
Step:7
Set up the FSLogix GPO >> Download the FSLogix app: https://aka.ms/fslogix_download
Download FSLogix on the domain controller PC >> Copy the .admx and .adml files and paste them into the paths below (replace domain.com with your domain name)
Paste the .admx file into
C:\Windows\SYSVOL\domain.com\Policies\PolicyDefinitions
Paste the .adml file into
C:\Windows\SYSVOL\domain.com\Policies\PolicyDefinitions\en-US
Now create a new GPO for FSLogix >> Open gpmc.msc >> Right click on Group Policy Objects >> Create New GPO (FSlogix) >>
Edit >> Computer Configuration >> Administrative Templates >> FSLogix >>
Profile Container
Enabled >> Yes
VHDLocations >> \\<YourStorageAccountName>.file.core.windows.net\<FileShareName>\UserProfile
Size In MB >> 15000 (Max. 30000)
Delete Local Profile When VHD Should Apply >> Enabled
Container and Directory Naming
Volume type >> VHDX
Flip Flop Profile Directory Name >> Enabled
Note: Make sure the FSLogix GPO is linked to your OU (AVDSeesionHostPC).
As the session hosts do not have a public IP, connect to them by private IP address from your domain controller to
install FSLogix if it is not already installed.
Once the FSLogix installation is done, run gpupdate /force to update the policy, restart the PC, and log in with an
AD user who has already been added to AVDUserGroup. Then check that the user's VHDX profile has been created on the file share.
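Added example (not part of the original lab): a verification script to run on a session host after gpupdate /force, so the Step 7 settings can be checked from the registry rather than by trusting the login test alone. It assumes the FSLogix ADMX writes the Profile Container settings to HKLM\SOFTWARE\FSLogix\Profiles, that the FSLogix service is named frxsvc, and that the expected values are the ones chosen in Step 7; the storage account and share are placeholders. The share check only tests TCP 445 reachability and the container lookup is optional, because the admin running the script may not hold NTFS rights on other users' folders.

```powershell
# Added example: run as an administrator on a session host in the AVDSeesionHostPC OU.
# Expected values mirror Step 7 of the lab; placeholders are assumptions.
$StorageAccount = "<YourStorageAccountName>"
$ShareName      = "<FileShareName>"
$ExpectedVhdLocation = "\\$StorageAccount.file.core.windows.net\$ShareName\UserProfile"

$ProfilesKey = "HKLM:\SOFTWARE\FSLogix\Profiles"
$Expected = [ordered]@{
    Enabled                              = 1
    SizeInMBs                            = 15000
    DeleteLocalProfileWhenVHDShouldApply = 1
    VolumeType                           = "vhdx"
    FlipFlopProfileDirectoryName         = 1
}

$failures = @()

# 1. FSLogix must actually be installed and its service running.
$svc = Get-Service -Name frxsvc -ErrorAction SilentlyContinue
if (-not $svc)                       { $failures += "FSLogix service frxsvc not found (agent not installed?)" }
elseif ($svc.Status -ne "Running")   { $failures += "frxsvc is $($svc.Status), expected Running" }

# 2. Every Step 7 setting must be present in the registry with the expected value.
$props = Get-ItemProperty -Path $ProfilesKey -ErrorAction SilentlyContinue
if (-not $props) {
    $failures += "Registry key $ProfilesKey missing: GPO not applied or not linked to the OU"
} else {
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) {
            $failures += "$name is not set"
        } elseif ("$actual".ToLower() -ne "$($Expected[$name])".ToLower()) {
            $failures += "$name is '$actual', expected '$($Expected[$name])'"
        }
    }
    # VHDLocations can be REG_SZ or REG_MULTI_SZ, so normalise to an array before comparing.
    $locations = @($props.VHDLocations)
    if ($locations -notcontains $ExpectedVhdLocation) {
        $failures += "VHDLocations is '$($locations -join ';')', expected '$ExpectedVhdLocation'"
    }
}

# 3. The storage account must be reachable over SMB from the session host.
$smb = Test-NetConnection -ComputerName "$StorageAccount.file.core.windows.net" -Port 445 -WarningAction SilentlyContinue
if (-not $smb.TcpTestSucceeded) { $failures += "TCP 445 to $StorageAccount.file.core.windows.net is blocked" }

# 4. Optional: list any profile containers already created (needs NTFS rights on the folders).
$containers = Get-ChildItem -Path $ExpectedVhdLocation -Recurse -Filter "*.vhdx" -ErrorAction SilentlyContinue
if ($containers) { Write-Host "Profile containers found:"; $containers | ForEach-Object { Write-Host "  $($_.FullName)" } }
else             { Write-Host "No .vhdx containers visible yet under $ExpectedVhdLocation" }

if ($failures.Count -gt 0) {
    Write-Host "FSLogix verification FAILED:" -ForegroundColor Red
    $failures | ForEach-Object { Write-Host "  - $_" -ForegroundColor Red }
    exit 1
}
Write-Host "FSLogix verification passed." -ForegroundColor Green
```

A missing registry key almost always means the GPO is linked to the wrong OU or the session host is still in the Computers container (Step 6); a value mismatch usually means a second GPO or a local FSLogix configuration is overriding the lab GPO, which gpresult /h report.html will show.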
Reference Links
Enable ADDS Authentication:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable
Download Fslogix app:
https://aka.ms/fslogix_download
FSLogix GPO (Group Policy Object) setting:
https://learn.microsoft.com/en-us/fslogix/how-to-use-group-policy-templates
Assign Share level Permissions:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-assign-share-level-permissions?tabs=azure-portal
Mount the share:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-configure-file-level-permissions
Thank You...