Getting started with FSLogix profile containers on Azure Files in Windows Virtual Desktop

Published Jul 10 2019 10:00 AM

Back in March, we released the public preview of Windows Virtual Desktop, a cloud-based desktop and app virtualization service that supports multi-session Windows 10 experiences, Remote Desktop Services (RDS), and Office 365 ProPlus. Today I wanted to share some guidance on how to set up FSLogix profile containers on Azure Files with Azure Active Directory (Azure AD) Domain Services authentication, a scenario also available in public preview as of the date of this post.

For the purposes of this step-by-step guide, I’m going to assume that you already have a set of virtual machines (VMs) that are part of a Windows Virtual Desktop environment. If not, you can find information on how to get started with Windows Virtual Desktop on the Tech Community or through our official technical documentation on Docs.

This post will walk you through the process of:

  • Configuring Azure AD Domain Services.
  • Creating an Azure Files storage account and enabling Azure AD Domain Services authentication.
  • Configuring FSLogix.

Configuring Azure AD Domain Services

First, you’ll need to log in to the Microsoft Azure Portal with an account that has contributor or administrator permissions.

From the sidebar, select All services, type “domain services” in the search box, select Azure AD Domain Services, and hit Enter.


In the Azure AD Domain Services window, select Create.


This will start the wizard for configuring an Azure AD Domain Services deployment.

For step 1, Basics:

  • Enter the DNS domain name.
  • Select an active Azure subscription (if multiple are available).
  • Select an empty resource group or create a new one by selecting Create new.
  • Select a location.


For step 2, Network, configure a virtual network or select an existing one. Our recommendation is to create a new one by selecting Create new and entering the following information:

  • Name
  • Address space
  • Subnet name
  • Subnet address range


For step 3, Administrator group, select the Azure AD users that are going to be managing the Azure AD Domain Services configuration.

For most deployments, there is no need to change any of the information in step 4, Synchronization. The default values should suffice.

In step 5, Summary, you will see a summary of your configuration, similar to that shown below.


Click OK to continue. This will start the deployment in Azure. If it is not automatically shown, you can click on the Notifications icon in the global controls bar to view deployment progress, as shown here:


Once the deployment has completed, navigate to Azure AD Domain Services and confirm that Azure AD Domain Services is running.


Adding additional Azure AD Domain Services administrators

To add additional administrators, we are first going to create a new user and then grant permissions to that user. To do this:

  1. Select Azure Active Directory from the sidebar, select All users, and select New user.

  2. Enter user details.

  3. Back in the Azure Active Directory left pane, select Groups.

  4. Select the AAD DC Administrators group.

  5. In the left pane, select Members, then select Add members in the main pane. This will show a list of all users available in Azure AD. Select the user that was just created.


Create an Azure Files storage account and enable Azure AD Domain Services authentication

Now it’s time to enable Azure AD Domain Services authentication over Server Message Block (SMB). For more details on this process, see the Azure Storage Documentation.

First, navigate to the Microsoft Azure Portal, select All services from the sidebar, and select Storage accounts.


Next, click Add to start the Create storage account wizard. Enter the following details:

  • Select Subscription (if applicable).
  • Select an existing Resource group or select Create new to create a new one.
  • Enter the Storage account name.
  • Select the Location. (We recommend using the same location as the session host VMs.)
  • Select the Performance.
  • Select a StorageV2 (general purpose V2) Account kind.

Select Review + create.


This will trigger validation of the input, as shown below.


Once the account has passed validation, select Create. This will start the deployment.


Once the deployment has completed, proceed to the next step by selecting Go to resource.


Select Configuration from the left pane, then enable Azure Active Directory authentication for Azure Files (Preview) in the main pane. Confirm this change by selecting Save.


Once saved, select Overview in the left pane, then Files in the main pane.


Select File share and enter the Name and Quota.


Copy and paste the following information into Notepad or other plain text application:

  "Name": "<Custom-Role-Name>",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows for read, write and delete access to Azure File Share over SMB",
  "Actions": [
  "NotActions": [
  "DataActions": [
  "AssignableScopes": [


Replace <Custom-Role-Name> with AADDCpreview and replace <Subscription-ID> with the ID of the subscription in which the storage account is located.

Note: To get the subscription ID, navigate to the Microsoft Azure Portal, select All services from the sidebar, and select Subscriptions from the Everything menu.

Save the file as CustomRole.JSON.

Open Windows PowerShell as an administrator.


In PowerShell,

  1. Execute the following command:
  2. When prompted, enter the credentials of a Global administrator or Contributor account.

  3. If needed, select the desired subscription, then execute the following command:
    New-AzRoleDefinition -InputFile "C:\temp\CustomRole.json"
  4. If prompted for -InputFile, enter the file path for the JSON file.

  5. Assign the new role to all users that will be getting user profiles.

    #Get the name of the custom role:
    $FileShareContributorRole = Get-AzRoleDefinition "<role-name>"

    #Constrain the scope to the target file share:
    $scope = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/fileServices/default/fileshare/<share-name>"

    #Assign the custom role to the target identity with the specified scope.
    New-AzRoleAssignment -SignInName <user-principal-name> -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope 

    Make the following modifications to commands above:

    • For <role-name>, specify the same name as one defined in JSON (AADDCpreview).
    • Replace <subscription-id> with the desired subscription id.
    • Replace <resource-group> with the name of the resource group where the storage account is (profiles).
    • Replace <storage-account> with the name of the resource storage (fsprofile).
    • Replace <share-name> with the name of the share created earlier (share).
    • Replace <user-principal-name> with user principal names of those users that will utilize FSLogix profiles on Azure Files.

      Here's an example: 
      #Get the custom role (Az cmdlets throughout; do not mix them with AzureRM):
      $FileShareContributorRole = Get-AzRoleDefinition "AADDCpreview"

      #Compose the scope for the target file share:
      $scope = "/subscriptions/1783ee2d-7d93-47ee-afc1-1ce9f7dc7678/resourceGroups/profiles/providers/Microsoft.Storage/storageAccounts/fsprofile2/fileServices/default/fileshare/share"

      #Assign the custom role to the target user by UPN:
      New-AzRoleAssignment -SignInName "" -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope

  6. Finally, navigate to the Microsoft Azure Portal, select Virtual machines from the sidebar, select the desired VM, select Overview in the left pane, then Connect in the main pane to sign in as an administrator and start a Remote Desktop (RDP) session.


Obtain storage account access key

From the Microsoft Azure Portal sidebar, select Storage accounts. From the list of storage accounts, select the account for which you enabled Azure AD Domain Services and created the custom roles in steps above.

Under Settings, select Access keys and copy the key from key1.


Note: If the key contains the “/” symbol, hit the Refresh icon to generate a new key.

Navigate to the Virtual Machines tab and locate any VM that is going to be part of your hostpool.

Click on the name of the VM under Virtual Machines (adVM) and select Connect.


This will download an RDP file that allows you to connect to the VM via the credentials specified during VM creation.


Once remotely connected to the VM, run Command Prompt as an administrator.


Execute the following command, making the modifications noted below:

net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>


Modifications to this command should be as follows:

  • Replace <desired-drive-letter> with a drive letter of choice (e.g. y).
  • Replace all instances of <storage-account-name> with the name of the storage account specified earlier.
  • Replace <share-name> with the name of the share created earlier.
  • Replace <storage-account-key> with the storage account key from Azure.

Here’s an example of what the command will look like:

net use y: \\\share HDZQRoFP2BBmoYQ=(truncated)= /user:Azure\fsprofile


Execute the following command to grant full access to the Azure Files share:

icacls <mounted-drive-letter>: /grant <user-email>:(f)


Modifications to this command should be as follows:

  • Replace <mounted-drive-letter> with a drive letter of choice.
  • Replace <user-email> with the UPN of the user who will be accessing the session host VMs and needs a profile.

Here’s an example of what the command will look like:

icacls y: /grant



Configure FSLogix on session host VMs

Now it’s time to configure the FSLogix profile container. For more details on this process, see Set up a user profile share for a host pool.

While still remotely logged in to the session host VM, download and install the FSLogix agent (.zip file, 166 MB). Unzip the downloaded file, navigate to x64\Releases, and execute FSLogixAppsSetup.exe.

Note: if there are multiple VMs in the host pool the below configuration must be done for each VM.


Once the installer launches, select I agree to the license terms and conditions. If applicable, provide a new key. Select Install.


Navigate to C:\Program Files\FSLogix\Apps to confirm that the FSLogix agent was properly installed.


Run Registry Editor (RegEdit) as an administrator.


Navigate to Computer\HKEY_LOCAL_MACHINE\software\FSLogix, right click on FSLogix, select New, then Key. Create a new key named Profiles.


Right click on Profiles, select New, and select DWORD (32-bit) Value. Name the value Enabled and set the Value data to 1.


Right click on Profiles, select New, and select Multi-String Value. Name the value VHDLocations and enter the URI for the Azure Files share (\\\share) as the Value data.
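
The registry steps above have to be repeated on every VM in the host pool. As an added example (not part of the original post), this PowerShell script applies the same key and values and reads them back; the `-VhdLocations` parameter name and the script layout are assumptions for illustration, while the key path, value names and value types are the ones given above.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Applies the FSLogix Profiles
# registry settings described above and verifies them by reading them back.
# Save as a .ps1 file and run it on each session host in the host pool.
param(
    # Assumption: one or more UNC paths to the profile share, supplied by you.
    [Parameter(Mandatory)]
    [ValidatePattern('^\\\\[^\\]+\\[^\\]+')]
    [string[]] $VhdLocations
)

$ErrorActionPreference = 'Stop'
$agentDir = 'C:\Program Files\FSLogix\Apps'     # install folder named in the post
$keyPath  = 'HKLM:\SOFTWARE\FSLogix\Profiles'   # key created in the post

# The Profiles key only has an effect once the agent is installed.
if (-not (Test-Path -LiteralPath $agentDir)) {
    throw "FSLogix agent folder '$agentDir' not found. Install the agent first."
}

# Create the Profiles key if the manual step has not been done yet.
if (-not (Test-Path -LiteralPath $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Enabled = 1 (DWORD) and VHDLocations (Multi-String), as in the steps above.
# -Force overwrites existing values, so re-running the script is safe.
New-ItemProperty -Path $keyPath -Name 'Enabled' -PropertyType DWord `
    -Value 1 -Force | Out-Null
New-ItemProperty -Path $keyPath -Name 'VHDLocations' -PropertyType MultiString `
    -Value $VhdLocations -Force | Out-Null

# Read back what is actually stored and compare it with what was requested.
$stored = Get-ItemProperty -Path $keyPath
$kind   = (Get-Item -Path $keyPath).GetValueKind('VHDLocations')

if ($stored.Enabled -ne 1) {
    throw "Enabled is '$($stored.Enabled)', expected 1."
}
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
    throw "VHDLocations is stored as $kind, expected MultiString."
}
if (Compare-Object -ReferenceObject $VhdLocations `
                   -DifferenceObject @($stored.VHDLocations)) {
    throw "VHDLocations in the registry does not match the requested paths."
}

# Summary object, convenient when collecting results from several hosts.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Enabled      = $stored.Enabled
    VHDLocations = $stored.VHDLocations -join '; '
}
```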


Assign users to session host

Run Windows PowerShell as an administrator and log in to Windows Virtual Desktop through PowerShell by executing the following commands:

# (Optional) Install the module first if it is not already present:
# Install-Module Microsoft.RdInfra.RdPowershell
Import-Module Microsoft.RdInfra.RdPowershell
$brokerurl = ""
Add-RdsAccount -DeploymentUrl $brokerurl

When prompted for credentials, enter the same user that was granted the Tenant Creator role or RDS Owner/RDS Contributor role on the Windows Virtual Desktop tenant.

Execute the following commands to assign the user to the remote desktop group:

$tenant = "<your-wvd-tenant>"
$pool1 = "<wvd-pool>"
$appgroup = "Desktop Application Group"  
$user1 = "<user-principal>"
Add-RdsAppGroupUser $tenant $pool1 $appgroup $user1

Here’s an example of what the command will look like:

$pool1 = "airlift2020"
$tenant = "airlift2020"
$appgroup = "Desktop Application Group"  
$user1 = ""
Add-RdsAppGroupUser $tenant $pool1 $appgroup $user1

Verify the profile creation

You are now ready to verify that the profile was created.

To do this:

  1. Open a browser of choice.
  2. Navigate to
  3. Sign in with the user account that was assigned to the remote desktop group.

  4. Once the user session has been established, navigate back to the Microsoft Azure Portal and log in with an administrative account.
  5. From the sidebar, select Storage accounts.
  6. Select the storage account that was configured as the file share for your session host pool and enabled with Azure AD Domain Services.
  7. Select the Files icon, then expand your share.


    Inside, there will be a directory named <user SID>-<username>.



This short video demonstrates the end user experience once all configuration steps in this document have been completed. For more detail on FSLogix profile containers and Azure Files from a conceptual perspective—as well as information on why Azure Files is a preferred method for storing user profiles, performance insights, and best practices—see our Windows Virtual Desktop documentation.

New Contributor

You cannot create a Premium storage account as general purpose V2 and then set it up for AAD authentication.  The option is unavailable. In the images in this documentation, it shows the storage account being built as Premium, but when they go to the configuration page to change to identity-based directory service, you can clearly see it is standard and not premium. This documentation needs to be fixed.

Occasional Contributor

I am not able to install fslogix into my hostpool virtual machine, also I am the global admin and also part of all administrators group. It is throwing the following error: Please help me out with this issue asap.

New Contributor


@sarahpotrick2573 how are you logged into the machine? I kept finding my guys were logging in through the WVD connection, and not through standard RDP. This caused some issues installing software. 

Occasional Contributor

I have logged in through WVD connection @BBoozer1968 and not through standard rdp

New Contributor

I would definitely be logged into via RDP to the server and not via the gateway. That is most likely the reason for your failure. It is just locally installed software (contrary to the original explanation of the service given to me). It does work surprisingly well.

Occasional Contributor

But this is my production environment and we don't want the users to be logging through RDP and only through WVD connection. Earlier when I did a demo on FSLogix, that time I was able to install FSLogix into my demo environment. @BBoozer1968 

New Contributor

@sarahpotrick2573, I never suggested the end users logging in via RDP, only admins to install software for Apps or Desktop. FSLogix falls into that category. I installed it in my production environment literally days before going live, while I had users in test. It doesn't interfere. It should install flawlessly as long as you have the latest version (2.9.7237 on 1903).

Senior Member

Excellent article, thanks @Stefan Georgiev 

Occasional Contributor

@BBoozer1968  I am not able to rdp into my hostpool vm but I can connect it through WVD connection

New Contributor

@sarahpotrick2573 If you are the Azure Global admin as you stated, then I don't quite understand. Even if the servers were put in a DMZ, you could still establish a point to site connection. You shouldn't be administering servers in a hostpool via the gateway, as each server (assuming there is more than one) needs the software installed.

Senior Member

Since FSLogix profiles are recommended best practices for any WVD deployment, MSFT should rewrite this tutorial.  There are several inconsistencies that resulted in wasted time for myself and likely many others.  These include:


1) images showing incorrect info like using premium storage, which does not support file services or AD DS auth, instead of standard storage

2) a mix of AzureRM and Az powershell commands which do not co-mingle as per the warning in PowerShell when you try to run both


Also, please add instructions for azure-cli, in addition to the PS and portal instructions.

New Contributor

Does this need to be installed and configured on each host in the pool?

I am looking for ability to roam profiles to any host available in the pool. In event other hosts are shut down in the pool a user can still carry their profile to new host.

New Contributor

The short answer is yes. The long answer is don’t do it. Currently this is broken. Microsoft pushed this forward without it being ready. FSLogix isn’t the problem. Modern apps are. They do not support roaming profiles; they were never designed to. So what ends up happening is the user profile breaks, spawning a new one that no longer syncs to the container and loses all its customization, so every time the user logs back it’s like starting anew. There is a fix in the works, but no ETA. 


The document has been updated to address your feedback. Thank you for your patience and participation.

Occasional Contributor

Now my user profiles are successfully created and I can see those user profiles in the Azure file share that I have mapped inside my WVD VM. The user profiles contain VHD files. Can I then mount those VHD files into the VM by going directly into the file share? Because I tried to do the same and I was getting an error mounting the file. Could I get a possible workaround @BBoozer1968 

New Contributor

@sarahpotrick2573 The VHDs are not mountable (I tried right from the beginning). While I am no FSLogix expert (and neither is the support team from my experience so far), my observations are that the profiles sync locally over time, and as a user is or does log out, it syncs back to the VHD and removes the local files to keep disk impact at a minimum. That being said, you will now want to undo everything you have done for FSLogix. I'm sure you missed my earlier post. It turns out, it is not yet capable of properly functioning in a Windows 10 environment. It is not FSLogix, but instead modern apps that they began pushing with Windows 8.1. They are not capable of running in a roaming profile. What eventually ends up happening is it breaks the profile, and causes a new one to be started every time. Any local user customizations are lost and the profiles stop syncing back to the VHD. It won't be obvious at first. It was almost 3 weeks before a user reported it to us, and then we saw one by one, they were all breaking, as I checked the VHDs and saw that many had not been written to as long as 3 weeks earlier. Microsoft is currently working on a fix for the OS, but there is no timeline on it. To be clear, NO roaming profile solution will work. Our current solution was to disable the service in production and keep the secondary server in the hostpool turned off (as you cannot control availability in a multi-server hostpool, and users would need a configured profile on either machine). I still had my test environment up, and it has been converted to prod, and I am split assigning users. If you need the multi-server to work, you can copy the profiles and Profile list registry entries to the other server to make sure all current users have a profile on both (I have tested with a single profile and this did work). 


Hello everyone,


I am one of the managers that is in charge of the engineers who support the FSLogix product. I apologize for any support that has not met your expectations. I actively work daily with each of the engineers to bring the quality you receive on your support to be better. 


I wanted to take a moment and discuss the Modern Apps issue that @BBoozer1968 is referring to. We have had multiple engineers with cases opened by customers on this and it has proven to be a very difficult case to investigate. FSLogix is a simple solution, but has numerous dependencies, which includes an application's ability to work under a roaming profile. Since the FSLogix team does not support other solutions on the market that are similar to the FSLogix solution, it did cause a narrow scope of view on the overall visibility for the FSLogix team. Fortunately, cases were being opened directly to the UEX team that supports the Windows Operating system from companies that used other solutions and over time, it became clearer the issue was with Modern Apps over roaming profiles.


I am happy to report that the UEX team has rolled out a patch to resolve this issue, however, it is currently only available if you are signed up for "Insider's Preview". I do not currently have information on when it will be released into mainstream updates.  

New Contributor

@dlsherson I appreciate the info, as all I have gotten is "it's coming". I was foretold the Insider Preview dilemma. While it sounds good in theory, this is a production server, and the way Insider preview was built to work is completely not conducive to that type of environment. You would have no control over the updates applied, as opposed to be easily able to add, test and remove if needed a single update without introducing other risk. In our case, this is HIGHLY critical as I sold our management on this solution to replace our Remote Desktop Gateway which had to be retired by EOY 2019 (Server 2008 R2). As of today, we begin an 8 day COVID-19 readiness testing as departments commit to working remotely, and not being able to have our multi-server configuration in place, saw us already hemorrhaging in the first 30 mins. After the test, we will begin regular rotating work-from-home schedules, and this major flaw is dramatically undermining my company's confidence in Microsoft's ability to handle this current situation. 


How is it possible to get just this patch? We resume on Monday, and I have fixes I am going to attempt to put in place over the weekend and test to see whether or not I can stabilize systems to run the secondary server. 


I know that we cannot be the only ones affected by this current pandemic, and emergency situations have to take some precedent over status quo.  


@BBoozer1968, I appreciate the inherent problems with "Insider's Preview" in a production environment. There are work arounds that can be employed, however they cause issues with performance and they have to be applied each time the user logs in, especially for those using non-persistent VDI solutions. 


Relating to getting a standalone patch, this is something that would require a case being opened with the Windows Operating system team directly. The FSLogix team does not have direct access to request this on your behalf since it is a completely different team. 


You are correct, we have seen a sharp increase of cases on the FSLogix team relating to this issue and while this is actually an underlying issue in the Operating System, the FSLogix Engineers do have two workarounds that I have starting last week asked them to discuss with customers as viable options. 


We are also currently receiving numerous cases around OneDrive and credential prompts. This is a result of multiple unique session IDs being created which OneDrive currently does not support. While the underlying issue is with OneDrive's ability to support the configuration, I am actively encouraging my team to work with the customers to see if we can help a "best practice" on how OneDrive can be configured with the product. If you are facing this issue, I encourage that you engage a case directly with OneDrive. Please make sure the description is about "multiple unique session IDs". This will help ensure proper focus is placed on your case and you are not transferred back to the FSLogix team.


Final note, we have discussed this forum with the owner, he wanted to discuss that this article was designed for a "Preview" release. While it is only a few months old, we are no longer in "Preview", which means in the current versions this article no longer applies. The team that built this article is currently creating an updated article to be released. Many of the items in this article that did not work have reportedly been resolved. For customers that open cases with us relating this article, we will not be able to resolve this specific article, but will work diligently to resolve individual issues and ensure the updated article does not contain the same issues.


Thank you for your patience. 

Senior Member

@dlsherson thank you for your candidness. I opened azure ticket 120030421001630 on March 4th and have only received a single response asking for me to generate the zip file using the fslogix support tool.  I did that and have been following up to no avail - radio silence.  I need someone to help me ASAP since these issues are jeopardizing my WVD project and my credibility with my client. 


I don't know if my problems are widespread or limited to my deployments, but it is troubling that these issues exist between Flagship Microsoft Software products like Office and Microsoft WVD/FSLogix.  I understand the need to raise tickets to raise awareness in various MSFT teams, but I believe that highlights an internal shortcoming.  How do we get someone involved at the WVD Product Ownership level pointing out that WVD is not a viable production VDI solution in its current status and that it is going to take a concerted effort and prioritization of the Office, OneDrive, WVD, and FSLogix teams to make it so?  I really hate complaining, but I honestly believe MSFT is letting massive potential for revenue rot on the vine as long as these issues exist.  


My issues since implementing FSLogix on WVD are:


1) Microsoft Office will not activate or requires frequent reactivation

2) OneDrive requires re-logging in way too much <- you mentioned this is a OneDrive shortcoming

3) Outlook will not persist mail profile settings such as accounts or account passwords

4) Citrix Files will not stay logged in <- less worried about this since my plan was to migrate everyone to OneDrive.




New Contributor

@AjantiDaggar I can only speak from my experience (but unfortunately it seems we are way ahead of the curve on this), but we hadn't any of this till this week. In our environment, we are on Azure AD Premium with all users on MFA. What changed this week was the public IP address of the server. Microsoft says that should never happen, but without a private IP, there are never guarantees. I found out, as we have the server's public IP whitelisted with a vendor. We started getting complaints about OneDrive the following day. I went back to Azure and updated the IP address in the trusted sites to bypass MFA. This immediately bypassed the MFA issue and resolved the problem. 


Not sure if this will apply to you, but I hope it does. 


@AjantiDaggar Thank you for your post. 


I apologize for the delays in the reply from your engineer. It just so happens I was actively in a call with the owner of your case when your post came in. I understand the normal turn around times for responses to customers are not currently being met. I assure you this is not because we are deliberately ignoring customers. Your engineer has been mandated to review your logs and provide you feedback based on what he finds in the logs. I cannot promise he will have a solution since he still needs to review your logs, I do assure you that you will provide feedback by the end of his shift. 


Also to help set proper expectations. With the existing case load it has been difficult to communicate in an effective fashion with all of our customers and for that we are deeply apologetic. Unfortunately, as a result of the current Corona Virus precautions overnight the number of support cases for WVD increased exponentially for the WVD team. As I am sure you can understand with an overnight increase in case loads can be very challenging to maintain. I have already made the FSLogix team aware of this as I expect we too will also start to see an increase in support requests to help customers prepare their environments for work from home scenarios resulting from the same. I am doing my best to stay on top of my team to process these cases as quickly as possible, but communications will still be at a slower pace than even we find acceptable.


I appreciate everyone's patience as we work through our case load and strive to provide you with the best service possible. 

New Contributor

Trying to get this to work with local AD joined WVDs and Azure storage account joined to local AD..

Getting "An internal error occurred" when FSLogix tries to access the file share. Anyone tried this configuration?

It seems sometimes after logging in I get a "Windows cannot access(...)" when browsing the profile location in explorer. Then after a couple attempts it works fine.

New Contributor

@OlveJA I have heard of a few that got this working. I ran into the exact same issues and simply gave up, as I had only a few days to make a decision before having to enter UAT. However, please read the above comments. Currently, using FSLogix will break user profiles. The "fix" is supposedly available for testing if you have signed up and allow Windows Insider Preview, but of course, this means opening your servers to ALL preview updates. So, unfortunately, trying to set up multiple servers in a host pool will not work and after a few logins, users will notice any individualizations as well as any data stored in a normal user profile missing upon logout. While many users will simply disconnect and not logout, they will appear stable, until you end up forcing them to logout, as too many open sessions tax resources.


There is a document coming on doing this; please ping me at my alias stgeorgi and I can share a draft.


@Stefan Georgiev One of my support engineers will be reaching out to you shortly. Thank you.

Established Member

I believe there is a fix for this now from FSLogix....has anyone been notified ?

New Contributor

@JcVirt Supposedly it has been released for Windows Insider Preview. You have to log into the server with an account that is signed up and then allow it to take all available updates from WIP. Not ideal if it is already in production. 

Version history
Last update: Mar 09 2020 01:56 PM