
· 3 min read

If you are like me, you use the application launcher in the Microsoft 365 waffle daily, if not hourly! Having it as a single pane of glass to access all your applications is a no-brainer.

That can include the Azure Virtual Desktop web client: Microsoft lets us add custom app launcher tiles, for any application reachable via a URL, to the launchers in the waffle.

Create custom tiles that will appear in the All apps section of the Office 365 app launcher for all of your users. Users can pin the custom tiles directly to their app launcher for quick access.

You can add much more than the Azure Virtual Desktop web client to improve your users' experience, but this quick guide will focus on adding the Azure Virtual Desktop web client.


  1. Open the Microsoft 365 admin center
  2. Expand Settings
  3. Click on Org Settings
  4. Select Organisation Profile
  5. Click on Custom app launcher tiles


  1. Click + Add a custom tile.
  2. Type in the name of your desktop; in my example, it is Contoso Desktop.
  3. For the URL of the website, type in: https://rdweb.wvd.microsoft.com/arm/webclient/index.html
  4. Type in the URL of the icon you want the tile to show. Use an HTTPS URL (the waffle is served over HTTPS, so an HTTP image is blocked as mixed content), and make sure it is a location you control (for example your own website or an Azure Storage account) that is publicly reachable without authentication, since every user's browser fetches the image from it.
  5. Add a description (such as Contoso Desktop, used for Line of Business Applications)
  6. Click Save
  7. Log out of your admin account and log in with an account that has an Exchange license attached to it. It may take some time for the custom tile to display.
  8. Once the custom tile has displayed, your users can pin it to the launcher, so it is always right on top.
  9. Click on your Azure Virtual Desktop tile, and you should be redirected to the Azure Virtual Desktop web client!

Just some notes on additional testing:

  • I attempted copying the Azure Virtual Desktop RDP file (C:\Users\%UserAccount%\AppData\Local\rdclientwpf) to my website to access it directly; however, I received an error, and even opening the RDP file directly failed when testing the Remote Desktop client.
  • I had some success opening that RDP file with the Remote Desktop application directly, using 'Open With' C:\Users\%UserAccount%\AppData\Local\Apps\Remote Desktop\msrdcw.exe, instead of the default Remote Desktop Connection client.
  • This adds the tile for all M365 users; if you want to restrict it to specific users or groups, I would look at testing and creating an App Registration.

At this stage, a tile pointing at the web client is the best bet versus a shortcut directly to the RDP file, as you don't have to worry about users having the Remote Desktop client installed when working remotely.

· 7 min read

One of the models of cloud governance and cost in Microsoft Azure is 'Pay As You Go', i.e. pay for what you need when you need it.

Azure Resource Manager lets you scale resources up and down when you need to, whether through the Azure portal or through various other automation mechanisms.

For Azure Virtual Desktop, this means ensuring that session hosts (Virtual Machines) are available for users to connect to when they need them most, whether first thing in the morning or late in the evening.

One of the technologies that can help with this is Start VM on Connect, which starts a deallocated session host when a user attempts to connect to it.

You no longer need to create a Custom Role for Start VM on Connect - a built-in role now exists named: Desktop Virtualization Power On Contributor - once that role is assigned to the Azure Virtual Desktop application, you can skip straight to Configure

  • Imagine a 9 AM to 5 PM, Monday to Friday business; during the day, Azure Virtual Desktop is available, but outside these hours the session hosts are shut down (through scheduled shutdowns, Azure Automation runbooks, etc.) to reduce operational costs.
  • A business user gets some urgent work on Saturday morning and tries to connect to Azure Virtual Desktop resources to complete it; because the session hosts were turned off outside business hours, they can't connect and have to ring IT support to get the resources started (the alternative is to leave the Virtual Machines running whether or not they are needed).
  • Using 'Start VM on Connect', a Virtual Machine is started the moment the user attempts to connect.
  • The user can then log in and do their work without a call to IT, saving money overall, as the hosts are only started when they are first needed. The feature will also only turn on additional VMs (if available) once the first VM reaches its session limit.

This is a host pool-level setting: enabling 'Start VM on Connect' affects all session hosts in the host pool, so you cannot target specific Virtual Machines in the pool at this stage. It is now supported for both Personal and Pooled host pools.

As of 03/07/21 (NZ date format - DD/MM/YY): The Start VM on Connect feature is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Follow the guide below to implement; the Microsoft documentation is pretty good but hoping this might fill in a few gaps for people.

Create a Custom Role for "Windows Virtual Desktop"

For the "Windows Virtual Desktop" service principal to be able to start a Virtual Machine, we first need to give it rights (the service principal should already exist; it is a first-party principal created by the Azure Virtual Desktop service, currently named Windows Virtual Desktop, but expect this name to be updated in the future). You could give it Contributor or Virtual Machine Contributor rights, but those grant far more than starting a VM (Virtual Machine Contributor can also delete, resize and run commands on the hosts), so to follow least privilege we will create a custom role that allows only reading and starting Virtual Machines.

  1. Log in to the Azure Portal
  2. Navigate to the Subscription that your session hosts exist in (custom roles are created from a subscription or management group; the assignable scope can be narrowed to a resource group later)
  3. Look for the Subscription ID (copy this, we will need it later on; it is usually found on the Overview window of the Subscription)
  4. Download the AVD-StartVMOnConnect JSON file below and save it to a location you can edit.
AVD-StartVMOnConnect.json

{
  "properties": {
    "roleName": "AVD-StartVMOnConnect",
    "description": "Custom role, designed to allow 'Windows/Azure Virtual Desktop' rights to Start session hosts.",
    "assignableScopes": [
      "/subscriptions/<SubscriptionID>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

  1. Open the JSON file (this is the custom role we are creating; as you can see, it only allows the ability to read a Virtual Machine and start it)

  2. Replace <SubscriptionID> with the subscription ID you copied earlier and save the JSON file.

  3. Click on Access Control (IAM) on the left-hand side blade

  4. Click Add

  5. Click Add custom role

  6. Name your custom role something meaningful, for example, AVD-StartVMOnConnect.

  7. Add a meaningful description; for example, mine is:

    Created: 03/07/21

    Created by: Luke Murray

    Created for: Custom role, designed to allow 'Windows/Azure Virtual Desktop' rights to Start session hosts.

  8. For Baseline permissions, select Start from JSON and select the JSON file you downloaded and edited earlier

  9. Click Next

  10. Verify the permissions match the two actions in the JSON file (Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/read). If they don't, re-download the file or check it for syntax issues (I recommend Visual Studio Code for this).

  11. Click Next

  12. We used the assignableScopes property in the JSON to set the assignable scope at the subscription (the scope is where this role will be available for you to assign). In the Azure Portal you can now narrow this to a specific Resource Group. Be careful doing so, especially if you plan to expand your Azure Virtual Desktop infrastructure later, as you may forget that the role is not available in other resource groups. I am going to leave mine at the subscription level and click Next

  13. Here we can verify and save the changed JSON file (if you want it for future reference), then click Next to review your configuration.

  14. Click Create to create your custom role!

Assign your Custom Role

Now that you have created your custom role for Azure Virtual Desktop, it is now time to assign it, and this is where you can assign and lock down the role; in my case, I only have one Resource Group where my session hosts sit in, so going to assign it a Resource Group level, but feel free to assign this at a subscription level.

  1. Log in to the Azure Portal
  2. Navigate to the Resource Group (or Subscription) that has your Azure Virtual Desktop session hosts
  3. Click on Access Control (IAM) in the left-hand side blade
  4. Click on + Add
  5. Click on Add role assignment
  6. Select the Role you created earlier (i.e. AVD-StartVMOnConnect)
  7. Specify the 'Windows Virtual Desktop' service principal and select Save
  8. If you want, you can click on Role Assignments to verify your role has been assigned.

Configure Start VM on Connect

  1. Log in to the Azure Portal
  2. Navigate to your Host Pool
  3. Click on Properties
  4. Select 'Yes' for Start VM on Connect
  5. Click Save
  6. Congratulations, you have now set up Azure Virtual Desktop Start VM on Connect. The next time someone connects to a host pool whose session hosts are turned off, a Virtual Machine is started automatically and the user sees a "starting" prompt in the client, before finally being prompted for their login credentials.
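The whole procedure above (least-privilege custom role, assignment to the Azure Virtual Desktop service principal, host pool setting and a check of the end state) as one PowerShell script. This is an added example, not code from the original post. It assumes the Az.Accounts, Az.Resources and Az.DesktopVirtualization modules and an account that can create role definitions and assignments; the subscription ID, resource group names and host pool name are placeholders. The service principal is looked up by the well-known application ID of the first-party Azure Virtual Desktop app rather than by its display name, which has changed over time. Note that the JSON above is in the shape the portal's "Start from JSON" expects (an ARM properties object), which New-AzRoleDefinition -InputFile does not accept, so the script builds the role object instead.

```powershell
# Added example (not from the original post). Placeholders: replace with your own values.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$SessionHostRg  = 'rg-avd-sessionhosts'                    # placeholder: RG holding the session host VMs
$HostPoolRg     = 'rg-avd-hostpool'                        # placeholder: RG holding the host pool object
$HostPoolName   = 'hp-contoso-desktop'                     # placeholder
$RoleName       = 'AVD-StartVMOnConnect'
$UseBuiltInRole = $false   # $true: use 'Desktop Virtualization Power On Contributor' instead of the custom role

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $SubscriptionId | Out-Null

# 1. Create the custom role (same two actions as the JSON above) if it does not already exist.
#    Start from a built-in role to get the object shape, then overwrite every field.
if (-not $UseBuiltInRole) {
    if (-not (Get-AzRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue)) {
        $role = Get-AzRoleDefinition -Name 'Reader'
        $role.Id          = $null
        $role.IsCustom    = $true
        $role.Name        = $RoleName
        $role.Description = "Custom role allowing Azure Virtual Desktop to start session hosts."
        $role.Actions.Clear()
        $role.Actions.Add('Microsoft.Compute/virtualMachines/start/action')
        $role.Actions.Add('Microsoft.Compute/virtualMachines/read')
        $role.NotActions.Clear()
        $role.AssignableScopes.Clear()
        $role.AssignableScopes.Add("/subscriptions/$SubscriptionId")
        New-AzRoleDefinition -Role $role | Out-Null
    }
    $assignRole = $RoleName
} else {
    $assignRole = 'Desktop Virtualization Power On Contributor'
}

# 2. Resolve the Azure Virtual Desktop first-party service principal by its application ID
#    (display name was 'Windows Virtual Desktop', now 'Azure Virtual Desktop').
$avdSp = Get-AzADServicePrincipal -ApplicationId '9cdead84-a844-4324-93f2-b2e6bb768d07'
if (-not $avdSp) { throw "Azure Virtual Desktop service principal not found in this tenant." }

# 3. Assign the role at the resource group that contains the session hosts (least privilege;
#    widen to the subscription later if session hosts spread across more resource groups).
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$SessionHostRg"
if (-not (Get-AzRoleAssignment -ObjectId $avdSp.Id -RoleDefinitionName $assignRole -Scope $scope)) {
    New-AzRoleAssignment -ObjectId $avdSp.Id -RoleDefinitionName $assignRole -Scope $scope | Out-Null
}

# 4. Enable Start VM on Connect on the host pool (a host pool-wide setting) and verify it stuck.
Update-AzWvdHostPool -ResourceGroupName $HostPoolRg -Name $HostPoolName -StartVMOnConnect:$true | Out-Null
$pool = Get-AzWvdHostPool -ResourceGroupName $HostPoolRg -Name $HostPoolName
if (-not $pool.StartVMOnConnect) { throw "Start VM on Connect is still disabled on $HostPoolName." }

# 5. Review what the service principal can do in this subscription, so nothing broader than
#    the start/read role has been granted to it by accident.
Get-AzRoleAssignment -ObjectId $avdSp.Id |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The final listing is worth keeping in a change ticket: if the service principal ever shows up with Contributor or Virtual Machine Contributor at subscription scope, someone has bypassed the custom role.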

· 14 min read

If you are running Azure Virtual Desktop, you want to get as much performance and stability out of your session hosts as possible, to reduce cost and improve the user experience.

These are a few recommended policies and optimisations to apply to your Azure Virtual Desktop setup. These are in no particular order; they are just recommendations.

Configure Timezone Redirection

Time zone redirection passes the time zone of the local device through to the Azure Virtual Desktop session host. This keeps the time consistent between the device you are connecting from and the session host; by default, the time zone on Azure Virtual Machines is UTC.

  1. On a server that has the Group Policy Management Console installed and is used to manage your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.
  5. Enable the setting Allow time zone redirection.
  6. Close the Group Policy Management console; as this is a Computer-based policy, it may take up to 90 minutes to take effect unless the session hosts are restarted to force it to pick up the policy sooner.

Configure Session Time Limit Policies

You can use these policies to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a session without logging off and ending it. This means user sessions may remain open for an extended period, consuming resources that could be used by active sessions.

When configuring these, take into consideration a user's normal working hours and breaks; the sweet spot for ending a disconnected session is not during their lunch break but after they have finished for the day. Usually 8 to 12 hours is recommended, but it depends on how Azure Virtual Desktop is used.

  1. On a server that has the Group Policy Management Console installed and is used to manage your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.
  5. Configure the settings below per your organisation's policies:
    • Set time limit for active but idle Remote Desktop Services sessions: specifies the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected.
    • Set time limit for active Remote Desktop Services sessions: specifies the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected.
    • Set time limit for disconnected sessions: configures a time limit for disconnected Terminal Services sessions.
    • End session when time limits are reached: specifies whether to terminate a timed-out Terminal Services session instead of disconnecting it.
    • Set a time limit for log off of RemoteApp sessions: specifies how long a user's RemoteApp session remains in a disconnected state after closing all RemoteApp programs before the session is logged off from the RD Session Host server.
  6. Close the Group Policy Management console; as this is a Computer-based policy, it may take up to 90 minutes to take effect unless the session hosts are restarted to force it to pick up the policy sooner.

Reference: Taken from: https://kb.parallels.com/en/123638

DeleteUserAppContainersOnLogoff

Back in March 2019, there were issues with slow server performance caused by numerous Windows Firewall Rules getting created on user login. A patch was released; however, to enable this 'fix', a registry key needs to be set. You could eventually run into host performance/hang issues if this key is not configured. See: https://support.microsoft.com/en-us/help/4490481

  1. On a server that has the Group Policy Management Console installed and is used to manage your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Preferences> Windows Settings > Registry.
  5. Right-click in the window and select New, Registry Item
  6. Select Update as the Action
  7. Make sure HKEY_LOCAL_MACHINE is set to Hive
  8. Enter in the following for the Key Path: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  9. For the Value name type: DeleteUserAppContainersOnLogoff
  10. Change the Value type to REG_DWORD
  11. Put: '1' to enable the option and click Apply
  12. Close the Group Policy Management console. As this is a Computer-based policy, it may take up to 90 minutes to take effect unless the session hosts are restarted to force it to pick up the policy sooner.


Configure RDP Shortpath

RDP Shortpath is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between Remote Desktop Client and Session host. RDP uses this transport to deliver Remote Desktop and RemoteApp while offering better reliability and consistent latency. RDP Shortpath establishes the direct connectivity between Remote Desktop client and Session Host. Direct connectivity reduces the dependency on the Azure Virtual Desktop gateways, improves the connection's reliability, and increases the bandwidth available for each user session. You can read more about it here: Azure Virtual Desktop RDP Shortpath.

  1. On a server that has the Group Policy Management Console installed and is used to manage your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Preferences> Windows Settings > Registry.
  5. Right-click in the window and select New, Registry Item
  6. Select Update as the Action
  7. Make sure HKEY_LOCAL_MACHINE is set to Hive
  8. Enter in the following for the Key Path: SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
  9. For the Value name type: fUseUdpPortRedirector
  10. Change the Value type to REG_DWORD
  11. Put: '1' to enable the option and click Apply
  12. Right-click in the window and select New, Registry Item
  13. Select Update as the Action
  14. Make sure HKEY_LOCAL_MACHINE is set to Hive
  15. Enter in the following for the Key Path: SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
  16. For the Value name type: UdpPortNumber
  17. Change the Value type to REG_DWORD
  18. Put: '3390' as the UDP port and click Apply
  19. Close the Group Policy Management console. Restart the session hosts. Note that these two values only enable the listener: the session hosts' Windows Firewall must also allow inbound UDP 3390 to the Remote Desktop service (TermService), and clients need a direct UDP path to the hosts (for example over VPN or ExpressRoute). If either is missing, connections silently fall back to the reverse-connect transport through the Azure Virtual Desktop gateway.

Virtual-Desktop-Optimization-Tool

Automatically applies a range of optimisations for pooled and personal Azure Virtual Desktop hosts; this is a good resource to add to your initial image creation builds.

Virtual-Desktop-Optimization-Tool

Implement Windows Defender FSLogix exclusions

Make sure to configure antivirus exclusions for FSLogix Profiles.

For a list of exclusions, along with a PowerShell script to implement them, please refer to the following Microsoft documentation: FSLogix for the enterprise

Implement FSLogix Profile Exclusions

By default, FSLogix will capture a lot of user profile data, including Teams Cache, Chrome cache and save it to the profile VHD/VHDX; this causes profile size bloat and can decrease the performance of your applications.

It is recommended to implement exclusions to reduce storing user profile data that you don't need.

  1. On a server that has the Group Policy Management Console installed and is used to manage your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > FSLogix > Profile Containers > Advanced
  5. Enable the setting Provide RedirXML file to customize redirections.
  6. Point the path to a UNC folder that is accessible to all session hosts and contains a 'redirections.xml' file. Only the folder is needed; FSLogix automatically picks up the redirections.xml file in it.
  7. Close the Group Policy Management console. As this is a Computer-based policy, it may take up to 90 minutes to take effect unless the session hosts are restarted to force it to pick up the policy sooner.

An example redirections.xml can be found here:

redirections.xml

<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="0">

  <Excludes>
    <!-- Browser and Teams caches: rebuilt on demand and a major source of profile bloat -->
    <Exclude>AppData\Local\Google\Chrome\User Data\Default\Cache\</Exclude>
    <Exclude>AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images\</Exclude>
    <Exclude>AppData\Local\Google\Chrome\User Data\Default\Code Cache\js</Exclude>
    <Exclude>AppData\Local\Mozilla\Firefox</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Terminal Server Client</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Edge SxS\User Data\Default\Cache</Exclude>
    <Exclude>AppData\Roaming\Adobe\Flash Player\AssetCache</Exclude>
    <Exclude>AppData\Roaming\Adobe\Flash Player\NativeCache</Exclude>
    <Exclude>AppData\Roaming\Microsoft\Teams\Cache</Exclude>
    <Exclude>AppData\Roaming\Microsoft\Teams\Service Worker\CacheStorage</Exclude>
    <!-- Known folders: only exclude these if they are redirected or covered by OneDrive -->
    <Exclude>Desktop</Exclude>
    <Exclude>Documents</Exclude>
    <Exclude>Downloads</Exclude>
    <Exclude>Music</Exclude>
    <Exclude>Pictures</Exclude>
    <Exclude>Videos</Exclude>
  </Excludes>

  <Includes>
    <!-- Copy="3": copied into the container at sign-in and back out at sign-out -->
    <Include Copy="3">AppData\LocalLow\Sun\Java\Deployment\security</Include>
    <Include>AppData\Roaming\Google\Chrome\User Data\Default\Extensions</Include>
  </Includes>

</FrxProfileFolderRedirection>

Note: Make sure you test and adjust this for your own environment. Desktop, Documents and Pictures have been excluded on the assumption that they are redirected or covered by OneDrive Known Folder Move. Downloads is not covered by Known Folder Move, so excluding it as above means anything a user leaves there is gone at log off; tell your users, or drop that line. The Copy attribute controls what happens to an entry at sign-in and sign-out: 0 never copies, 1 copies from the container to the local profile at sign-in, 2 copies from the local profile to the container at sign-out, and 3 does both.


Implement Storage Sense

On Windows 10, Storage sense is a built-in tool designed to free up space automatically. When it's enabled, the feature monitors your device. When it's running low on space, it deletes temporary files, empties the Recycle Bin, cleans up the Downloads folder, removes previous installation files, and more to make space to install new updates or store more important data. Storage Sense can also help dehydrate files that are available locally and do not need to be stored locally anymore, helping to reduce profile space and OneDrive processing.

Note: If you find that Storage Sense is missing, it is because it is mainly a client setting and may be missing from Windows Server; you can copy the PolicyDefinitions folder from an Azure Virtual Desktop host to your domain's Central Store, i.e. in my case \\luke.geek.nz\SYSVOL\luke.geek.nz\Policies\PolicyDefinitions, or just look for StorageSense.admx and StorageSense.adml and copy them (the ADML goes in the language directory, i.e. en-US).

  1. On a server that has the Group Policy Management Console installed and is used to manage your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > System > Storage Sense.
  5. Enable the setting Allow Storage Sense.
  6. Enable the setting Configure Storage Sense Cloud Content dehydration threshold
  7. Now we can provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it back to Files on Demand, for example, 30 days since it was last accessed.
  8. Enable the setting Configure Storage Sense Downloads cleanup threshold
  9. Type in the minimum number of days a file can sit in Downloads before Storage Sense deletes it.
  10. Close the Group Policy Management console. As this is a Computer-based policy, it may take up to 90 minutes to take effect unless the session hosts are restarted to force it to pick up the policy sooner.


Configure Microsoft Teams Optimisations

You can run Microsoft Teams in Azure Virtual Desktop with media optimisation. To do so, you need to install Teams per-machine (ALLUSER=1) and set the IsWVDEnvironment registry value so Teams knows it is running on a session host.

Install per-machine:

msiexec /i Teams_windows_x64.msi /l*v teams_install.log ALLUSER=1

Set IsWVDEnvironment key:

  1. On a server that has the Group Policy Management Console installed and is used to manage your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Preferences> Windows Settings > Registry.
  5. Right-click in the window and select New, Registry Item
  6. Select Update as the Action
  7. Make sure HKEY_LOCAL_MACHINE is set to Hive
  8. Enter in the following for the Key Path: SOFTWARE\Microsoft\Teams
  9. For the Value name type: IsWVDEnvironment
  10. Change the Value type to REG_DWORD
  11. Put: '1' to enable the option and click Apply
  12. Close the Group Policy Management console. Restart the session hosts.
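The DeleteUserAppContainersOnLogoff, RDP Shortpath and IsWVDEnvironment sections above all deliver registry values through Group Policy Preferences, and the only way to know they arrived on every session host is to check. The script below is an added example, not code from the original post: it audits a session host for exactly those values and returns one object per setting so the output can be filtered, exported or fed to monitoring. The expected values are the ones given in the sections above; the host names in the fleet example are placeholders. Run it locally on a session host, or push it to a list of hosts with Invoke-Command.

```powershell
# Added example (not from the original post): audit the GPO-delivered registry values above.
function Get-AvdRegistryCompliance {
    [CmdletBinding()]
    param(
        [int]$ExpectedUdpPort = 3390   # the port chosen in the RDP Shortpath section
    )

    # Expected state from the sections above, one entry per value.
    $expected = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
           Name = 'DeleteUserAppContainersOnLogoff'; Value = 1;               Setting = 'Firewall app-container cleanup (KB4490481)' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
           Name = 'fUseUdpPortRedirector';            Value = 1;               Setting = 'RDP Shortpath listener' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
           Name = 'UdpPortNumber';                    Value = $ExpectedUdpPort; Setting = 'RDP Shortpath UDP port' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Teams'
           Name = 'IsWVDEnvironment';                 Value = 1;               Setting = 'Teams media optimisation' }
    )

    foreach ($e in $expected) {
        # A missing key or value is reported as $null, which is non-compliant.
        $actual = $null
        if (Test-Path -LiteralPath $e.Path) {
            $actual = (Get-ItemProperty -LiteralPath $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Setting      = $e.Setting
            ValueName    = $e.Name
            Expected     = $e.Value
            Actual       = $actual
            Compliant    = ($null -ne $actual -and [int]$actual -eq [int]$e.Value)
        }
    }
}

# Local run: list anything that is not compliant (an empty table means all four values are set).
Get-AvdRegistryCompliance | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# After a restart the Shortpath listener itself should be visible. Remember the registry values
# do not open the firewall: an inbound rule for UDP 3390 to TermService is still required.
if (Get-NetUDPEndpoint -LocalPort 3390 -ErrorAction SilentlyContinue) {
    'UDP 3390 listener present'
} else {
    'UDP 3390 listener not found (restart pending, or Shortpath not enabled)'
}

# Fleet run (example host names are placeholders):
# $hosts = 'avd-sh-0', 'avd-sh-1'
# Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-AvdRegistryCompliance} |
#     Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Because the function returns objects rather than text, the same call can be scheduled and piped to Export-Csv, or its non-compliant rows turned into an alert, without reparsing output.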

Install the Remote Desktop WebRTC Redirector

  1. Install the Remote Desktop WebRTC Redirector Service onto the session hosts: https://learn.microsoft.com/en-us/azure/virtual-desktop/teams-on-AVD#install-the-teams-websocket-service

Configure Auto Close Apps on Logoff

When users log off, open applications may halt or prolong the log-off process and prompt the user to close them; this can lead to sessions being left connected if a user clicks log off or shut down and walks away. To stop the prompt about open applications, we set a registry value. This is not an 'optimisation' to be treated lightly: users will not be asked to double-check the apps they have open, and as soon as they hit the log-off button, any open apps will be closed, unsaved work included.

  1. On a server that has the Group Policy Management Console installed and is used to manage your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to User Configuration > Preferences> Windows Settings > Registry.
  5. Right-click in the window and select New, Registry Item
  6. Select Update as the Action
  7. Make sure HKEY_CURRENT_USER is set to Hive
  8. Enter in the following for the Key Path: Control Panel\Desktop
  9. For the Value name type: AutoEndTasks
  10. Change the Value type to REG_SZ
  11. Put: '1' to enable the option and click Apply
  12. Close the Group Policy Management console. Restart the session hosts.

This is a user-based policy, so will take effect on next logon.

Hide the Shutdown button

This is not so much an optimisation, but it is one of my favourite group policy configurations, something I implement in server base policies; it prevents that "Oops!" moment when someone clicks Shutdown on a server, especially on multi-session VDI machines. It simply removes the Shut Down and Restart shortcuts from the Start menu.

Note: You can still restart and shut down the server from the Command Prompt with the 'shutdown' command.

  1. On a server that has the Group Policy Management Console installed and is used to manage your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to User Configuration > Policies > Administrative Templates > Start Menu and Taskbar
  5. Enable the setting Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands.
  6. Close the Group Policy Management console; as this is a User-based policy, it should take effect on the next user login.

· 9 min read

If you have a few Azure Virtual Desktop machines, you need some way to keep user persistence and application customisations, which would usually be stored in the local user profile, consistent across multiple machines (or even the same machine if using an ephemeral OS disk); this is where FSLogix Profile Containers can assist.

We are going to implement FSLogix using an Azure File Share to store the profiles.

I am going to assume you already have an Azure Virtual Desktop farm (and Azure AD DS); if not, you can check out my guide here.

This article is based on the Azure Virtual Desktop farm created in a previous article; however, you can still follow along and replace the resource names and groups with your own.

Setup Storage Account

  1. Log in to the Azure Portal
  2. Click on Create a resource
  3. Type in Storage Account and press Enter to search
  4. Select Storage account
  5. Click Create
  6. If you already have a Resource Group, select it; if not, create a new resource group. I am going to put my user profile storage in the same resource group as my utility server: aad_infra (this is just personal preference, keeping the session hosts in their own resource groups).
  7. Type in a Storage Account Name (the name needs to be globally unique across all of Azure, can contain only lowercase letters and numbers, and must be between 3 and 24 characters); in my case I have gone with: fslogixprofileslgnz.
  8. Select your Region (the same region as your Azure Virtual Desktop session hosts and Virtual Network)
  9. Select Standard performance (Microsoft has recommendations on which tier to select based on user numbers: https://learn.microsoft.com/en-us/azure/virtual-desktop/store-fslogix-profile)
  10. For Redundancy, I am going to select LRS storage (I haven't built any redundancy into my Azure Virtual Desktop farm).
  11. Note: don't select Geo-Redundant if you are looking to create file shares over 100 TiB on this storage account; large file shares are only supported with LRS and ZRS. If you do need file shares that large, I recommend using a completely separate storage account from the one holding user profiles.
  12. Click Next: Advanced
  13. Leave everything as default (check that Require secure transfer for REST API operations is enabled and the Minimum TLS version is 1.2) and select Next: Networking
  14. Now we need to configure a Private Endpoint so the storage account is reachable directly on the Virtual Network rather than over its public endpoint.
  15. Select Private endpoint and click + Add Private endpoint
  16. Verify that your Location is correct and type in a Name for your Private Endpoint, in my case: fslogixprofileslgnzPE
  17. Select the drop-down for Storage sub-resource and select file
  18. Select your Virtual Network and subnet (I will be selecting my main resource subnet of aadds-subnet, where the Azure Virtual Desktop hosts are)
  19. Click OK
  20. Select Next: Data Protection
  21. Untick Enable soft delete for blobs and containers (we will only be using Azure Files in this storage account)
  22. Keep soft delete for file shares on; it lets you quickly recover a deleted file share, and even though we can back up the Azure file share, my recommendation is to leave this on for additional protection. 7 days is enough for me.
  23. Select Review + Create
  24. Validate your configuration and select Create

Configure Storage Account

  1. Once your storage account has been created, go to it.

  2. Navigate down the left-hand side Blade and select: Networking

    Make sure: Selected networks are selected and the Private Endpoint connection is displaying.

  3. FSLogix - Azure Storage Account

  4. FSLogix - Azure Storage Account

  5. Now it's time to join the Storage account to Microsoft Entra ID Domain Services. On the left-hand side Blade, click on Configuration (under Settings)

  6. Navigate to: Identity-based access for file shares

  7. Select Enabled

  8. Click Save

  9. FSLogix - Azure Storage Account

  10. Now it's time to create the File Share. On the left-hand side Blade, navigate to File Shares (under Data Storage)

  11. Select + File Share

  12. Give this File share a name: fslogixprofiles

  13. Even though you don't need to set a Quota (the File Share will grow), I will add one to stop any surprises and to make sure I have an ongoing task to review and optimize the profiles

  14. Because user profiles generate a lot of read/write activity, select Transaction Optimized (take a look at the pricing at https://azure.microsoft.com/en-us/pricing/details/storage/files/ )

  15. Click Create

  16. FSLogix - File Share

  17. One last thing we can do on the Storage Account is enable backups for your Azure File Share - https://learn.microsoft.com/en-us/azure/backup/backup-afs?WT.mc_id=AZ-MVP-5004796
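The storage account, private endpoint, soft delete, identity-based access and file share steps above, expressed as an added Azure PowerShell (Az module) example rather than portal clicks; this is not the post's own code. The resource group, VNet, subnet and location names are placeholders, and the storage account name must be globally unique.

```powershell
# Added example (not from the original post): recreate the portal steps with the Az module.
# Placeholder names; change them to match your environment.
$rg       = 'rg-avd-fslogix'
$location = 'australiaeast'
$saName   = 'fslogixprofileslgnz'   # globally unique, 3-24 lowercase letters/digits
$vnetName = 'avd-vnet'
$subnet   = 'aadds-subnet'          # subnet the session hosts live in
$share    = 'fslogixprofiles'

# Standard LRS StorageV2 account with identity-based (Entra Domain Services) SMB auth,
# TLS 1.2 minimum and anonymous blob access off.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location `
    -SkuName Standard_LRS -Kind StorageV2 -MinimumTlsVersion TLS1_2 `
    -AllowBlobPublicAccess $false -EnableAzureActiveDirectoryDomainServicesForFile $true

# "Selected networks" with nothing allowed: public traffic is denied, the private
# endpoint added below is the only path in.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# Private endpoint for the 'file' sub-resource in the session host subnet.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$sub  = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
$conn = New-AzPrivateLinkServiceConnection -Name "$saName-file" `
    -PrivateLinkServiceId $sa.Id -GroupId 'file'
New-AzPrivateEndpoint -ResourceGroupName $rg -Name "${saName}PE" -Location $location `
    -Subnet $sub -PrivateLinkServiceConnection $conn | Out-Null

# Keep share soft delete on (7 days) as a safety net beside Azure Backup.
Update-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $saName `
    -EnableShareDeleteRetentionPolicy $true -ShareRetentionDays 7 | Out-Null

# Transaction Optimized share with a quota so growth gets reviewed rather than ignored.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $saName -Name $share `
    -AccessTier TransactionOptimized -QuotaGiB 100 | Out-Null

# Confirm the network default action is Deny before handing the account to users.
(Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).NetworkRuleSet.DefaultAction
```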

Configure File Share

Now that the Microsoft Entra ID rights have been assigned and the File Share has been created, we need to set up the NTFS permissions on the FSLogix share.

  1. Navigate to File Shares (under Data Storage)

  2. Click on your file-share

  3. Click on Properties

  4. Copy the URL

  5. FSLogix - File Share

  6. Remove https:// and replace the forward slashes with backslashes so it looks like this: \\fslogixprofileslgnz.file.core.windows.net\fslogixprofiles

  7. Log into the Azure Virtual Desktop farm as a user who is a member of the 'AVD Admins' group (it's a good chance to test connectivity to the Storage account through the private endpoint from your Azure Virtual Desktop session host)

  8. Open Computer

  9. Select the Computer Tab and select Map network drive

  10. FSLogix - Mapped Drive

  11. Select a drive letter that isn't in use and paste in the UNC path created earlier (step 6).

  12. FSLogix - Mapped Drive

  13. Hopefully, you should successfully have mapped a drive!

  14. Once the drive is mapped, open up a Command Prompt

    Note: Don't run the Command Prompt as Administrator, as this runs in a separate context and doesn't have permissions to the mapped drive.

  15. Run the following commands to set the necessary NTFS permissions (change the drive letter and the AVD Users group to your own):

    icacls z: /grant "AVD Users":(M)

    icacls z: /grant "Creator Owner":(OI)(CI)(IO)(M)

    icacls z: /remove "Authenticated Users"

    icacls z: /remove "Builtin\Users"

  16. FSLogix - Security Permissions

  17. The permissions should look similar to:

  18. FSLogix - Security Permissions

Configure FSLogix policies

Now that you have successfully created a Storage Account and granted it the proper permissions, we now need to configure Group Policy for FSLogix.

  1. Connect to your Microsoft Entra ID Utility server that has Group Policy Management installed, using an account in the AAD DC Administrators group
  2. Download the latest FSLogix Agent - https://aka.ms/fslogix_download onto the Utility server
  3. Extract the FSLogix agent zip file to a folder
  4. Now we will create a Central Store so the Group Policy templates are managed consistently
  5. On your Utility server, browse to C:\Windows (If you are primarily using Azure Virtual Desktop, it may be best to copy the PolicyDefinitions folder from an Azure Virtual Desktop session host to make sure you can edit all the latest Windows 10 policies)
  6. Copy the PolicyDefinitions folder
  7. Copy the PolicyDefinitions folder to the Policies folder on your domain: \\luke.geek.nz\SYSVOL\luke.geek.nz\Policies
    (replace luke.geek.nz with your ADDS DNS name)
  8. FSLogix - Group Policy
  9. Go to your extracted FSLogix folder and copy:
    • fslogix.admx to: \\luke.geek.nz\SYSVOL\luke.geek.nz\Policies\PolicyDefinitions\
    • fslogix.adml to: \\luke.geek.nz\SYSVOL\luke.geek.nz\Policies\PolicyDefinitions\en-US\
  10. This lets us manage FSLogix through Group Policy. Open Group Policy Management
  11. Navigate to your Hosts OU
  12. Right-click the OU and select: Create a GPO in this domain, and Link it here…
  13. Name it according to your naming standards (this is a Computer-based policy) - in my example, I am using: AVD_ComputerPolicy
  14. Click Ok
  15. FSLogix - Group Policy
  16. Right-click the GPO you have just created and select Edit…
  17. Because this is a Computer-based policy, to speed up processing, right-click the Policy heading and select Properties
  18. Tick: Disable User Configuration Settings
  19. Confirm that you want to do it and select Yes
  20. Click Apply
  21. While you have the screen open, click on Comment, and add in some details about the GPO for future reference then click Apply and Ok
  22. FSLogix - Group Policy
  23. Now it's time to actually configure the FSLogix Group Policy settings.
  24. Navigate to: Computer Configuration\Policies\Administrative Templates\FSLogix\Profile Containers
  25. Open up Enabled and select: Enabled and Apply
  26. Open: VHD Location and copy in your Profiles UNC share (for example, mine is: \\fslogixprofileslgnz.file.core.windows.net\fslogixprofiles), click Ok
  27. Select: Delete local profile when FSLogix profile should apply, click Enabled and check Delete local profile when FSLogix Profile should apply (don't blindly follow this, I am making the assumption this is a new farm, with no user-based profile stored on it. You may need to create a separate GPO to test this setting on, or you could lose valuable data).
  28. Open: Set Outlook cached mode on successful container attach to Enabled.
  29. Now in the Group Policy Management console, click on Container and Directory Naming and select Virtual Disk type
  30. Click Enabled and change the Option to VHDX, click Ok
  31. Click on: Swap directory name components, click Enabled, check Swap directory name components and click Apply
  32. Restart the Azure Virtual Desktop session hosts to pick up the new policies.
  33. You have now set up FSLogix profiles! If you map the drive, you should see your user profile folders!
  34. FSLogix - Mapped Profiles
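An added PowerShell check (not from the post) to run on a session host after the restart in step 32: it reads the effective FSLogix registry values the GPO should have written, confirms the share FQDN resolves to a private address (so traffic really goes through the private endpoint) and that the share is reachable, and reports any mismatch. The expected values mirror the choices in steps 25 to 31; the UNC path is the post's example and should be replaced with yours.

```powershell
# Added example (not from the original post): verify the FSLogix GPO landed on a session host.
# Expected values mirror this post's Group Policy choices; the UNC is the post's example path.
$expected = @{
    Enabled                              = 1
    VHDLocations                         = '\\fslogixprofileslgnz.file.core.windows.net\fslogixprofiles'
    VolumeType                           = 'VHDX'
    FlipFlopProfileDirectoryName         = 1   # "Swap directory name components"
    DeleteLocalProfileWhenVHDShouldApply = 1
}
$key    = 'HKLM:\SOFTWARE\FSLogix\Profiles'
$issues = @()

if (-not (Test-Path $key)) {
    $issues += "FSLogix registry key missing: is the agent installed and has gpupdate run?"
} else {
    $actual = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        # VHDLocations is REG_MULTI_SZ, so compare the first entry.
        if ($value -is [array]) { $value = $value[0] }
        if ("$value" -ne "$($expected[$name])") {
            $issues += "$name is '$value', expected '$($expected[$name])'"
        }
    }
}

# The share must be reached through the private endpoint: the storage FQDN should
# resolve to an address inside your VNet, not to a public Azure IP.
$fqdn = ($expected.VHDLocations -split '\\')[2]
$ip = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
       Where-Object IPAddress | Select-Object -First 1).IPAddress
if (-not $ip) {
    $issues += "$fqdn did not resolve"
} elseif ($ip -notmatch '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)') {
    $issues += "$fqdn resolves to $ip, which is not a private address; check private DNS"
}
if (-not (Test-Path $expected.VHDLocations)) {
    $issues += "Share not reachable: $($expected.VHDLocations)"
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { 'FSLogix profile configuration checks passed' }
```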

· One min read

When connecting to Azure Virtual Desktop, you may get a "We couldn't connect because there are currently no available resources. Try again later or contact tech support for help if this keeps happening."

We couldn't connect because there are currently no available resources.

Check your Max Session Count

On your Azure Virtual Desktop Host Pool, check that your Max Session Count hasn't been exceeded.

In my screenshot below, even a single connection to my Azure Virtual Desktop farm couldn't connect; this was fixed when I raised the Max Session Count.

Host Pool - Max Session Count

Check your Host Pool sessions are available

Check that the Session Hosts in your Azure Virtual Desktop Host Pool are:

  • Available
  • Not in Drain Mode

Host Pool - Host Pool Status