How to Set Up Azure Virtual Desktop With FSLOGIX?

  • Updated on November 4, 2025

Azure Virtual Desktop FSLogix setup enables businesses to deliver a secure, high-performing virtual desktop experience. Azure Virtual Desktop simplifies remote access to desktops and applications, while FSLogix profile containers streamline user profile management and reduce login times.

It ensures users have a consistent and reliable workspace across sessions on any device, whether it’s a PC, laptop, or Mac.

This guide walks you through the step-by-step process to configure FSLogix with Azure Virtual Desktop, including storage account configuration, profile container setup, and best practices to provide a seamless and efficient virtual desktop environment.

Prerequisites

  1. Have a host pool with session hosts joined to either an Active Directory Domain Services (AD DS) domain or a Microsoft Entra Domain Services managed domain. Assign users to that pool.
  2. Create a security group in the domain that contains the users who will access the profile container. When using AD DS, synchronize this group to Microsoft Entra ID.
  3. Hold sufficient permissions on the Azure subscription to create a storage account and assign roles.
  4. Use a domain account that can join computers to the domain and run an elevated PowerShell session.
  5. Note the ID of the Azure subscription where the storage account will reside.
  6. Prepare a domain-joined computer running a supported version of Windows to install and run the PowerShell modules that join the storage account to the domain. A session host can also serve this purpose.

            Note: Local profiles already exist if you have previously signed in to these session hosts. An administrator must delete those local profiles before the profiles can be stored in a profile container.

            Step-by-Step Guide to Set Up Azure Virtual Desktop with FSLOGIX

            Step 1: Set Up a Storage Account for the Profile Container

            • Create an Azure Storage account if one does not already exist.
            • Adjust the settings to match your organization's requirements.
            • Choose the Premium tier only if higher IOPS or lower latency is required. See Container storage options for details.
            • On the Advanced tab, turn Enable storage account key access on.
            • Create an Azure Files share in the storage account to store FSLogix profiles.

            Step 2: Join the Storage Account to Active Directory

            Enable Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services so the file share can use domain accounts for permissions. Choose the method that matches your environment, as this process joins the storage account to the domain and creates a computer account.

            Option A: Active Directory Domain Services (AD DS)

            Step 1: Join the storage account to your domain

            1. Use a computer joined to your AD DS domain or one of your session hosts.
            2. Download and extract the latest AzFilesHybrid module from the Azure Files samples GitHub repo.
            3. Note the folder where you extracted the files and open an elevated PowerShell prompt.
            4. Change to the directory where you extracted the files.
            5. Run .\CopyToPSPath.ps1 to add the AzFilesHybrid module to your user’s PowerShell modules directory.
            6. Import the AzFilesHybrid module with this command:
                      PowerShell
                      
                      PS> Import-Module -Name AzFilesHybrid
                        
            7. Sign in to Azure by running Connect-AzAccount. If your Azure account has access to multiple tenants or subscriptions, select the correct subscription by setting your context.
            8. Use an account that has the Storage account owner, Owner, or Contributor role-based access control (RBAC) role.
            9. Join the storage account to your domain. Replace the values with your details and run:
                          PowerShell
                          
                          PS> $subscriptionId = "subscription-id"
                          
                          PS> $resourceGroupName = "resource-group-name"
                          
                          PS> $storageAccountName = "storage-account-name"
                          
                          PS> # Target the subscription that holds the storage account
                          PS> Set-AzContext -Subscription $subscriptionId
                          
                          PS> # Create a computer account for the storage account in the domain
                          PS> Join-AzStorageAccount `
                          -ResourceGroupName $resourceGroupName `
                          -StorageAccountName $storageAccountName `
                          -DomainAccountType "ComputerAccount"
                            

                          Note: You can also add the -OrganizationalUnitDistinguishedName parameter to specify the Organizational Unit (OU) in which to place the computer account.

            10. Confirm the account is joined. Replace the values with your details and run:
                          PowerShell
                          
                          PS> $resourceGroupName = "resource-group-name"
                          
                          PS> $storageAccountName = "storage-account-name"
                          
                          PS> (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).AzureFilesIdentityBasedAuth.DirectoryServiceOptions;
                          PS> (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).AzureFilesIdentityBasedAuth.ActiveDirectoryProperties
                            

                          Note: Update the password of the storage account's computer account before it expires to prevent authentication failures when accessing Azure file shares.

                          Step 2: Assign RBAC role to users

                          Users who store profiles in the file share must have the Storage File Data SMB Share Contributor role. Here’s how to do it:

                          1. Open the storage account in the Azure portal.
                          2. Navigate to the file share you created.
                          3. Select Access control (IAM) and then + Add → Add role assignment.
                          4. Choose Storage File Data SMB Share Contributor.
                          5. Select Next to go to the Members tab.
                          6. Choose User, group, or service principal, and click + Select members.
                          7. Search for the security group that contains the users who will use the profile container, and select it.
                          8. Select Review + assign to complete the role assignment.

                                        Step 3: Get the Access Key for your storage account

                                        Retrieve the storage account access key to set NTFS permissions on the folder.

                                        1. Go to the Azure portal.
                                        2. Search for Storage accounts and click on it.
                                        3. Choose the storage account that you joined to AD DS or Microsoft Entra Domain Services and assigned the RBAC role to earlier.
                                        4. Under Security + networking, select Access keys.
                                        5. Click Show next to key1, then copy the key.

                                                Step 4: Set NTFS permissions

                                                1. Sign in to a session host in the host pool.
                                                2. Open an elevated PowerShell prompt.
                                                3. Run the following command to map the storage account as a drive. The drive won’t appear in File Explorer, but it is listed when you run net use.
                                                    Command Prompt
                                                    
                                                    C:\> net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>
                                                      
                                                    • Replace <desired-drive-letter> with a letter of your choice (for example, Y:).
                                                    • Replace both <storage-account-name> entries with the storage account name.
                                                    • Replace <share-name> with the file-share name.
                                                    • Replace <storage-account-key> with the access key.

                                                    It should look like this:

                                                    Command Prompt
                                                    
                                                    C:\> net use y: \\fsprofile.file.core.windows.net\share HDZQRoFP2BBmoYQ(truncated)== /user:Azure\fsprofile
                                                      
                                                4. Run the commands below to set permissions on the share. They let Azure Virtual Desktop users create their own profiles while preventing access to other users’ profiles.
                                                5. Use an Active Directory security group that contains the required users. In the commands, replace <mounted-drive-letter> with the mapped drive letter and <DOMAIN\GroupName> with the domain and group name (or a specific UPN).
                                                      Command Prompt
                                                      
                                                      C:\> icacls <mounted-drive-letter>: /grant "<DOMAIN\GroupName>:(M)"
                                                      
                                                      C:\> icacls <mounted-drive-letter>: /grant "Creator Owner:(OI)(CI)(IO)(M)"
                                                      
                                                      C:\> icacls <mounted-drive-letter>: /remove "Authenticated Users"
                                                      
                                                      C:\> icacls <mounted-drive-letter>: /remove "Builtin\Users"
                                                        

                                                      It should look like this:

                                                      Command Prompt
                                                      
                                                      C:\> icacls y: /grant "CONTOSO\AVDUsers:(M)"
                                                      
                                                      C:\> icacls y: /grant "Creator Owner:(OI)(CI)(IO)(M)"
                                                      
                                                      C:\> icacls y: /remove "Authenticated Users"
                                                      
                                                      C:\> icacls y: /remove "Builtin\Users"
                                                        

                                                      Step 5: Configure a Windows Device to Use Profile Containers

                                                      1. Install or update FSLogix Apps. FSLogix is preinstalled on Windows 10/11 Enterprise multi-session, but update to the latest version if needed. Run FSLogixAppsSetup.exe to install the latest version. If you use a custom image, install FSLogix Apps in the image.

                                                      Note: Group Policy Preferences is recommended for setting registry keys and values at scale across all session hosts. You can also set the keys in a custom image.

                                                      2. Open an elevated PowerShell prompt and run the commands below. Replace \\<storage-account-name>.file.core.windows.net\<share-name> with the UNC path to your storage account.

                                                      PowerShell
                                                      
                                                      PS> $regPath = "HKLM:\SOFTWARE\FSLogix\profiles"
                                                      
                                                      PS> New-ItemProperty -Path $regPath -Name Enabled -PropertyType DWORD -Value 1 -Force
                                                      
                                                      PS> New-ItemProperty -Path $regPath -Name VHDLocations -PropertyType MultiString -Value "\\<storage-account-name>.file.core.windows.net\<share-name>" -Force
                                                        

                                                      3. Restart your device and repeat these steps for any remaining devices.

                                                      Step 6: Validate profile creation

                                                      1. Sign in with a user account assigned to an application group or desktop in the host pool. 
                                                      2. If the user has a local profile, delete it first or use a new test account. 
                                                      3. Sign in to Azure Virtual Desktop as the test user. 
                                                      4. Sign in to the Azure portal to check the profile container. 
                                                      5. During sign-in, a message appears: “Please wait for the FSLogix Apps Services.” 
                                                      6. Open the storage account used for FSLogix profiles to check if the profile folder is created.  
                                                      7. Go to Data storage > File shares
                                                      8. Open the file share and confirm that a folder for the test user’s profile exists. 

                                                                    Option B: Microsoft Entra Domain Services

                                                                    Step 1: Enable Entra Domain Services

                                                                    1. Open the storage account created on the Azure portal and select “Files” in the Data storage section.
                                                                    2. Go to the page’s main section and select “Not Configured” next to Active Directory.
                                                                    3. Select “Set up” and tick the box to Enable Microsoft Entra Domain Services.
                                                                    4. Select Save, and an AzureFilesConfig Organizational Unit (OU) is created at the root of the domain.
                                                                    5. A computer account with the same name as the storage account is added to this OU and serves as the Azure Files service account.

                                                                            Step 2: Assign RBAC role to users

                                                                            Users who store profiles in the file share must have the Storage File Data SMB Share Contributor role. Here’s how to do it:

                                                                            1. Open the storage account in the Azure portal.
                                                                            2. Navigate to the file share you created.
                                                                            3. Select Access control (IAM) and then + Add → Add role assignment.
                                                                            4. Choose Storage File Data SMB Share Contributor.
                                                                            5. Select Next to go to the Members tab.
                                                                            6. Choose User, group, or service principal, and click + Select members.
                                                                            7. Search for the security group that contains the users who will use the profile container, and select it.
                                                                            8. Select Review + assign to complete the role assignment.

                                                                              Step 3: Get the Access Key for your storage account

                                                                              Retrieve the storage account access key to set NTFS permissions on the folder.

                                                                              1. Go to the Azure portal.
                                                                              2. Search for Storage accounts and click on it.
                                                                              3. Choose the storage account that you joined to AD DS or Microsoft Entra Domain Services and assigned the RBAC role to earlier.
                                                                              4. Under Security + networking, select Access keys.
                                                                              5. Click Show next to key1, then copy the key.

                                                                                Step 4: Set NTFS permissions 

                                                                                1. Sign in to a session host in the host pool. 
                                                                                2. Open an elevated PowerShell prompt. 
                                                                                3. Run the following command to map the storage account as a drive. The drive won’t appear in File Explorer, but it is listed when you run net use.
                                                                                    Command Prompt
                                                                                    
                                                                                    C:\> net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>
                                                                                      
                                                                                    • Replace <desired-drive-letter> with a letter of your choice (for example, Y:).
                                                                                    • Replace both <storage-account-name> entries with the storage account name.
                                                                                    • Replace <share-name> with the file-share name.
                                                                                    • Replace <storage-account-key> with the access key.

                                                                                    It should look like this:

                                                                                    Command Prompt
                                                                                    
                                                                                    C:\> net use y: \\fsprofile.file.core.windows.net\share HDZQRoFP2BBmoYQ(truncated)== /user:Azure\fsprofile
                                                                                      
                                                                                4. Run the commands below to set permissions on the share. They let Azure Virtual Desktop users create their own profiles while preventing access to other users’ profiles.
                                                                                5. Use an Active Directory security group that contains the required users. In the commands, replace <mounted-drive-letter> with the mapped drive letter and <DOMAIN\GroupName> with the domain and group name (or a specific UPN).
                                                                                      Command Prompt
                                                                                      
                                                                                      C:\> icacls <mounted-drive-letter>: /grant "<DOMAIN\GroupName>:(M)"
                                                                                      
                                                                                      C:\> icacls <mounted-drive-letter>: /grant "Creator Owner:(OI)(CI)(IO)(M)"
                                                                                      
                                                                                      C:\> icacls <mounted-drive-letter>: /remove "Authenticated Users"
                                                                                      
                                                                                      C:\> icacls <mounted-drive-letter>: /remove "Builtin\Users"
                                                                                        

                                                                                      It should be like this:

                                                                                      Command Prompt
                                                                                      
                                                                                      C:\> icacls y: /grant "CONTOSO\AVDUsers:(M)"
                                                                                      
                                                                                      C:\> icacls y: /grant "Creator Owner:(OI)(CI)(IO)(M)"
                                                                                      
                                                                                      C:\> icacls y: /remove "Authenticated Users"
                                                                                      
                                                                                      C:\> icacls y: /remove "Builtin\Users"
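
The outcome of Step 4 (the same in Option A and Option B) can be checked with Get-Acl, which this guide lists under useful commands. The script below is an added example, not part of the original guide: the function names Test-ProfileShareAcl and New-SampleRule are hypothetical, and the sample rules and domain SID are constructed so the check can be tried without a mapped share.

```powershell
# Added example, not part of the original guide: compares the access rules on the
# profile share root with what the four icacls commands in Step 4 should produce.
$SidType = [System.Security.Principal.SecurityIdentifier]

function Test-ProfileShareAcl {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,    # FileSystemAccessRule objects, identities as SIDs
        [Parameter(Mandatory)] [string]   $GroupSid  # SID of the profile users' security group
    )
    $modify      = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $full        = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow       = @($Rules | Where-Object { $_.AccessControlType -eq 'Allow' })
    $findings    = @()

    # Well-known SIDs keep the check independent of the display language.
    $broad = @{ 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Builtin\Users' }
    foreach ($rule in $allow) {
        $sid = $rule.IdentityReference.Value
        if ($broad.ContainsKey($sid)) {
            $findings += "$($broad[$sid]) still has '$($rule.FileSystemRights)' on the share root"
        }
    }

    # The group needs Modify on the root folder only, so each user can create a
    # profile folder. An inheritable ACE would open every profile to the whole group.
    $group = @($allow | Where-Object { $_.IdentityReference.Value -eq $GroupSid })
    if ($group.Count -eq 0) { $findings += 'Profile group has no access on the share root' }
    foreach ($rule in $group) {
        $rights = [int]$rule.FileSystemRights
        if (($rights -band $modify) -ne $modify) { $findings += 'Profile group lacks Modify on the share root' }
        if (($rights -band $full) -eq $full)     { $findings += 'Profile group has Full control; (M) was intended' }
        if ($rule.InheritanceFlags -ne 'None')   { $findings += 'Profile group ACE is inherited by child folders' }
    }

    # Creator Owner (S-1-3-0) needs an inherit-only Modify ACE for subfolders and files.
    $owner = @($allow | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-3-0' -and
        ([int]$_.PropagationFlags -band $inheritOnly) -and
        $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit' -and
        (([int]$_.FileSystemRights -band $modify) -eq $modify)
    })
    if ($owner.Count -eq 0) { $findings += 'No inherit-only Modify ACE for Creator Owner' }
    return $findings
}

# Helper that builds an Allow rule for the constructed sample below.
function New-SampleRule([string]$Sid, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]::new($Sid),
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Constructed sample (the domain SID is made up): Step 4 applied, but the final
# "/remove Builtin\Users" command was skipped.
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
$sample = @(
    New-SampleRule $groupSid      'Modify, Synchronize'         'None'                            'None'
    New-SampleRule 'S-1-3-0'      'Modify, Synchronize'         'ContainerInherit, ObjectInherit' 'InheritOnly'
    New-SampleRule 'S-1-5-32-545' 'ReadAndExecute, Synchronize' 'ContainerInherit, ObjectInherit' 'None'
)
Test-ProfileShareAcl -Rules $sample -GroupSid $groupSid

# Against the live share (Y:\ and CONTOSO\AVDUsers are the guide's sample values):
# $sid   = [System.Security.Principal.NTAccount]::new('CONTOSO\AVDUsers').Translate($SidType).Value
# $rules = @((Get-Acl -Path 'Y:\').GetAccessRules($true, $true, $SidType))
# Test-ProfileShareAcl -Rules $rules -GroupSid $sid
```

Run the live check while the share is still mapped, then remove the mapping with net use y: /delete so the connection authenticated with the storage account key does not remain on the session host.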
                                                                                        

                                                                                      Step 5: Configure a Windows Device to Use Profile Containers

                                                                                      1. Install or update FSLogix Apps. FSLogix is preinstalled on Windows 10/11 Enterprise multi-session, but update to the latest version if needed. Run FSLogixAppsSetup.exe to install the latest version. If you use a custom image, install FSLogix Apps in the image.

                                                                                      Note: Group Policy Preferences is recommended for setting registry keys and values at scale across all session hosts. You can also set the keys in a custom image.

                                                                                      2. Open an elevated PowerShell prompt and run the commands below. Replace \\<storage-account-name>.file.core.windows.net\<share-name> with the UNC path to your storage account.

                                                                                      PowerShell
                                                                                      
                                                                                      PS> $regPath = "HKLM:\SOFTWARE\FSLogix\profiles"
                                                                                      
                                                                                      PS> New-ItemProperty -Path $regPath -Name Enabled -PropertyType DWORD -Value 1 -Force
                                                                                      
                                                                                      PS> New-ItemProperty -Path $regPath -Name VHDLocations -PropertyType MultiString -Value "\\<storage-account-name>.file.core.windows.net\<share-name>" -Force
                                                                                        

                                                                                      3. Restart your device and repeat these steps for any remaining devices.

                                                                                      Step 6: Validate profile creation

                                                                                      1. Sign in with a user account assigned to an application group or desktop in the host pool.
                                                                                      2. If the user has a local profile, delete it first or use a new test account.
                                                                                      3. Sign in to Azure Virtual Desktop as the test user.
                                                                                      4. Sign in to the Azure portal to check the profile container.
                                                                                      5. During sign-in, a message appears: “Please wait for the FSLogix Apps Services.”
                                                                                      6. Open the storage account used for FSLogix profiles to check if the profile folder is created.
                                                                                      7. Go to Data storage > File shares.
                                                                                      8. Open the file share and confirm that a folder for the test user’s profile exists.

                                                                                      Useful Commands for FSLogix and AVD Setup

                                                                                      When configuring Azure Virtual Desktop (AVD) with FSLogix, certain tools and commands can simplify SSO, MFA, and profile management:

                                                                                      • Get-Acl – Retrieves NTFS permissions and generates SDDL strings. Use this to verify folder and FSLogix profile permissions.
                                                                                      • cmdkey.exe /add – Adds credentials to Windows Credential Manager, helping enable seamless SSO for users.
                                                                                      • PsExec.exe -s – Runs commands in the system context, useful for applying configuration changes that require elevated privileges.
                                                                                      • Azure VM Run Command (PowerShell) – Lets you run scripts remotely in system context via the Azure portal, simplifying automated tasks across VMs.

                                                                                      Final Thoughts

                                                                                      Setting up Azure Virtual Desktop with FSLogix gives users a consistent, personalized desktop experience and makes profile management easier. FSLogix profile containers speed up logins, keep profiles consistent across session hosts, and improve overall performance and security. You configure storage accounts, join them to your domain, and set up FSLogix to deliver a smooth and reliable virtual desktop experience.

                                                                                      Ace Cloud Hosting provides a fully managed Azure Virtual Desktop with 24/7 human support, so you don’t deal with setup or technical issues. Start your free trial today and enjoy a reliable virtual desktop experience.
