FSLogix Blog
FSLogix profile containers for Azure AD cloud only identities

Jason_Parker
Microsoft
Feb 10, 2023

Over the past several weeks, the number of customers seeking this type of guidance has increased significantly. I am glad to see that our customers continue to push the boundaries of our product and grow in their Azure-based deployments of RDS, Azure Virtual Desktop, and other VDI solutions in Azure.

 

FSLogix does support non-traditional configurations for Azure AD only scenarios. We are working to add this to our public documentation; however, due to the number of instances where I've been asked about these configurations, a blog post was more immediate. Customers who have Azure AD cloud only identities can use FSLogix in one of two configurations.

 

Cloud Cache using Azure Page Blob storage account(s)

 

First, read this article on how to secure the Storage keys.  The document is planned for an update, but the concept is sound.  Next, review the list of recommendations below, before implementing this solution.

 

NOTE:  These are recommendations for an optimal experience. 

 

  1. Do not use standard tier storage for Azure page blobs for production workloads.
  2. Ensure the Azure page blob storage account is in the same region as the virtual machine(s) for optimal performance.
  3. The Azure page blob storage account should use zone-redundant storage (ZRS) if available.  If not available, use two (2) unique Azure page blob storage accounts using locally redundant storage (LRS).
  4. Ensure the OS volume allocation size matches Azure page blob and the container (VHDx).
  5. The virtual machine(s) should have high-performing local OS disks, as Cloud Cache will create a local VHD for each profile as the source while keeping the blob versions up to date. Alternatively, the virtual machine could have a high-performance temp or data disk.
  6. Typical Azure based deployments recommend 1 user per 1 vCPU. Using Cloud Cache, you should start with 1 user per 2 vCPU and closely monitor CPU and disk I/O. Continue to increase user load on the virtual machine(s) to find the right mix for your workload.
  7. Do not use the CcdMaxCacheSizeInMBs setting.
  8. Do not use ProfileType 1, 2, or 3.
  9. Read all the Cloud Cache configuration settings on our public documentation page.

 

 

 

# Requires the Az.Storage module and an authenticated session (Connect-AzAccount).
# Read the connection string of each Azure page blob storage account.
$fslBlob1ConnectString = (Get-AzStorageAccount -ResourceGroupName CONTOSO -Name fslstgacct001premblob).Context.ConnectionString
$fslBlob2ConnectString = (Get-AzStorageAccount -ResourceGroupName CONTOSO -Name fslstgacct002premblob).Context.ConnectionString

# Store each connection string as an FSLogix secure key so it is not written to the registry in clear text.
& "C:\Program Files\FSLogix\Apps\frx.exe" add-secure-key -key fslstgacct001-CS1 -value $fslBlob1ConnectString
& "C:\Program Files\FSLogix\Apps\frx.exe" add-secure-key -key fslstgacct002-CS1 -value $fslBlob2ConnectString

# Point Cloud Cache at both providers, referencing the secure keys by name (|fslogix/<key name>|).
New-ItemProperty -Path HKLM:\SOFTWARE\FSLogix\Profiles\ -Name CCDLocations -PropertyType multistring -Value ('type=azure,name="AZURE PROVIDER 1",connectionString="|fslogix/fslstgacct001-CS1|";type=azure,name="AZURE PROVIDER 2",connectionString="|fslogix/fslstgacct002-CS1|"') -Force
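
One way to check a session host against recommendations 7 and 8 and against the secure-key form of CCDLocations used in the script above. This is an added example, not part of the original post; Test-FslCloudCacheConfig is a hypothetical helper name and the sample values are constructed.

```powershell
# Added example. Test-FslCloudCacheConfig is a hypothetical helper, not part of FSLogix.
function Test-FslCloudCacheConfig {
    param(
        # Value name -> data, as read from HKLM:\SOFTWARE\FSLogix\Profiles
        [Parameter(Mandatory)] [hashtable] $Settings
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Recommendation 7: CcdMaxCacheSizeInMBs should not be set.
    if ($Settings.ContainsKey('CcdMaxCacheSizeInMBs')) {
        $findings.Add('CcdMaxCacheSizeInMBs is set; remove the value.')
    }
    # Recommendation 8: ProfileType 1, 2, or 3 should not be used.
    if ($Settings.ContainsKey('ProfileType') -and ($Settings['ProfileType'] -in 1, 2, 3)) {
        $findings.Add("ProfileType is $($Settings['ProfileType']); do not use 1, 2, or 3.")
    }
    # CCDLocations may be one string or a multi-string; join before parsing.
    $locations = @($Settings['CCDLocations']) -join ';'
    $connStrings = [regex]::Matches($locations, 'connectionString="([^"]*)"')
    if ($connStrings.Count -eq 0) {
        $findings.Add('CCDLocations contains no connectionString entry.')
    }
    foreach ($m in $connStrings) {
        $value = $m.Groups[1].Value
        # Expected form is a secure-key reference: |fslogix/<key name>|
        if ($value -notmatch '^\|fslogix/[^|]+\|$') {
            # Report the problem without echoing the secret itself.
            $kind = if ($value -match 'AccountKey=') { 'a plaintext account key' } else { 'an unexpected value' }
            $findings.Add("connectionString at offset $($m.Index) holds $kind instead of a |fslogix/<key> | reference.".Replace('> |', '>|'))
        }
    }
    $findings
}

# Constructed sample: one provider uses a secure key, the other embeds a (fake) account key.
$sample = @{
    ProfileType          = 3
    CcdMaxCacheSizeInMBs = 1000
    CCDLocations         = @(
        'type=azure,name="AZURE PROVIDER 1",connectionString="|fslogix/fslstgacct001-CS1|"',
        'type=azure,name="AZURE PROVIDER 2",connectionString="DefaultEndpointsProtocol=https;AccountName=example;AccountKey=CONSTRUCTED-PLACEHOLDER"'
    )
}
Test-FslCloudCacheConfig -Settings $sample   # three findings for this sample

# On a session host, build the hashtable from the live key instead:
# $h = @{}; (Get-ItemProperty 'HKLM:\SOFTWARE\FSLogix\Profiles').PSObject.Properties |
#     ForEach-Object { $h[$_.Name] = $_.Value }; Test-FslCloudCacheConfig -Settings $h
```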

 

 

Alternate options:

Spare the Share: AADJ AVD and FSLogix Cloud Cache 

Great article from a fellow AVD enthusiast and self-proclaimed, crusty old tech, focused on helping public sector entities leverage cloud technology.

 

Azure Files SMB with access-based credentials stored using cmdkey

If you've been in the EUC community or Azure Virtual Desktop space for any amount of time, Marcel Meurer is no doubt a recognizable name. He recently posted a blog article describing this solution.  Please give him a follow and read his walkthrough here.

 

Our team is invested in expanding our cloud-based solutions and hopes that these two (2) configurations will meet the needs of most while we work on other ways to address these types of deployments.

 

Cheers,

Jason Parker

Sr. Product Manager, FSLogix

Updated Mar 16, 2023
Version 3.0
  • edwins48
    Copper Contributor

    Everything works fine except credential manager inside the user session.

    FSLogix saves everything but the credentials in credential manager.

    After logoff the credentials are still in credential manager and I can see them in AppData\Roaming\Microsoft\Credentials. But after reboot of the server the credential manager is empty. Also the folder AppData\Roaming\Microsoft\Credentials is empty. We use Azure Virtual Desktop Multisession.

    Solution was already mentioned by GIS_DaveS

    reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1

     

  • GIS_DaveS
    Brass Contributor

    Thanks, AzureAcademy!

    That's the exact problem we had.

    I was trying to do it within my user context like you demonstrated in the video. Oops.

    Once we ran the script from the run command blade in the Azure portal, it worked!

     

    The only other configuration we needed to do for the cloud only environment was to add another registry key
    (reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1) (Details about the key are HERE) before users log in; otherwise their browser cookies/passwords in their AVD session are forgotten every time the host reboots. (See this forum post for more details)

     

  • The issue is probably that you did not run the script in the SYSTEM context.
    To do this you can go to the VM blade to the operations section and use the run command.
    Run the PowerShell script in there and you are done.
    The other way would be inside Windows you could use PsExec from Sysinternals to elevate your command prompt.
    Let me know if that works!
     
  • TonyCai
    Copper Contributor

    Excited to see this being supported! Nerdio has had this capability for over 2 years using the same techniques for Azure AD join only AVD scenarios.

  • Darkangle9610
    Copper Contributor

    I am sorry if this is the wrong forum for this, but new to FSLogix. What does this do: "FoldersToRemove"=hex(7):00,00