CA-Microsoft-WVD_ARM-Workshop

Configure FSLogix on Azure Fileshare

Before you perform these steps, you must complete the previous step to install the FSLogix GPO settings on the domain controller.

We will configure FSLogix to store the VHDX files on an Azure Fileshare, removing the need for a file server!

In this step, you will:

  • Create an Azure Storage Account
  • Create an Azure Fileshare on that Account
  • Join the Storage account into your AD
  • Assign permissions
  • Configure the FSLogix GPOs to store the profiles on the Azure Fileshare

We will do as much as possible with PowerShell to speed things up.

IMPORTANT
These steps need to be executed on a machine that is part of the target domain.
The AdVM is the ideal choice!

Prep the AdVM

  • RDP to your AdVM

  • Launch a PowerShell console as Administrator

  • Download the AzFilesHybrid module using this PowerShell script:

$ErrorActionPreference = "Stop"
if (!(Test-Path "c:\temp")) {
    New-Item "c:\temp" -ItemType Directory
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://github.com/Azure-Samples/azure-files-samples/releases/download/v0.2.0/AzFilesHybrid.zip" -OutFile c:\temp\AzFilesHybrid.zip -UseBasicParsing

Expand-Archive -Path c:\temp\AzFilesHybrid.zip -DestinationPath C:\temp\AzFilesHybrid\

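# Without -Scope this changes the machine-wide (LocalMachine) policy, and it stays changed after the workshop
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force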

Set-Location C:\temp\AzFilesHybrid
.\CopyToPSPath.ps1

  • Import the AzFilesHybrid module using this command:

Import-Module -Name AzFilesHybrid

Important: You will get a warning that you need PowerShellGet 1.6.0+.
You will need to install it and restart your PowerShell window.

[Screenshot: PowerShellGet warning]

  • Restart your PowerShell console as Administrator

  • Import the AzFilesHybrid module using this command:

Import-Module -Name AzFilesHybrid

Important: You will get another warning that you need Azure PowerShell 2.8.0+ and Az.Storage 2.0.0+.
You will need to install it and restart your PowerShell window.

[Screenshot: Azure PowerShell warning]

  • Restart your PowerShell console as Administrator

  • Import the AzFilesHybrid module using this command. This should no longer give any warnings at this point:

Import-Module -Name AzFilesHybrid

  • Sign in and connect to Azure using the admin account:

Connect-AzAccount

  • If you have multiple subscriptions and need to change the default subscription, run this cmdlet:

Get-AzSubscription | Out-GridView -PassThru | Select-AzSubscription

  • We are going to create a Storage Account with an Azure Fileshare in the wvd-workshop-infra-rg resource group.
    This can be done using this script:
$resourceGroup = Get-AzResourceGroup "wvd-workshop-infra-rg"

$UniqueString = ([Guid]::NewGuid()).Guid.Substring(0,8)
$storageAccountName = ("wvdworkshop{0}sa" -f $UniqueString)
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup.ResourceGroupName -Name $storageAccountName -Location westeurope -SkuName Standard_LRS -Kind StorageV2 -EnableLargeFileShare

$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup.ResourceGroupName -AccountName $storageAccountName)[0].value

$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $key
New-AzStorageShare -Name "wvdprofiles" -Context $ctx
  • Now we can join the Storage Account into the domain in a separate OU: WVD Storage
    Again, we’re going to use a script to do this:
$dc = (Get-ADDomain).DistinguishedName
$ouName = "WVD Storage"
$path = ("OU={0},{1}" -f $ouName, $dc)
$ouObject = ""
try {$ouObject = Get-ADOrganizationalUnit -Identity $path } catch {}
if (($null -eq $ouObject) -or ($ouObject -eq "")) {
    New-ADOrganizationalUnit -Name $ouName -Path $dc
}

Join-AzStorageAccountForAuth -ResourceGroupName $resourceGroup.ResourceGroupName -Name $storageAccount.StorageAccountName -DomainAccountType "ComputerAccount" -OrganizationalUnitDistinguishedName $path
  • Next, we will assign the needed “Share” permissions on the Storage Account.
    This is needed to allow the users and admins to use/manage the Fileshare from within the WVD environment.
    This script will give our Admin accounts Elevated Share Contributor permissions, and all our WVD Users Share Contributor permissions:
# Scope is the whole Storage Account, so the roles apply to every file share in it
$scope = $storageAccount.Id

$fileShareContributorRole = Get-AzRoleDefinition | Where-Object {$_.Name -eq "Storage File Data SMB Share Contributor"} 
$fileShareAdminRole = Get-AzRoleDefinition | Where-Object {$_.Name -eq "Storage File Data SMB Share Elevated Contributor"} 

$WVDWorkshopFullDesktopUsers = Get-AzADGroup -DisplayName WVDWorkshopFullDesktopUsers
$WVDWorkshopRemoteAppUsers = Get-AzADGroup -DisplayName WVDWorkshopRemoteAppUsers

$WVDWorkshopAdmins = Get-AzADGroup -DisplayName WVDWorkshopAdmins

New-AzRoleAssignment -ObjectId $WVDWorkshopFullDesktopUsers.Id -RoleDefinitionId $fileShareContributorRole.Id -Scope $scope
New-AzRoleAssignment -ObjectId $WVDWorkshopRemoteAppUsers.Id -RoleDefinitionId $fileShareContributorRole.Id -Scope $scope

New-AzRoleAssignment -ObjectId $WVDWorkshopAdmins.Id -RoleDefinitionId $fileShareAdminRole.Id -Scope $scope
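  • Access the share as an AdminUserxxx account.
$myDomain = (Get-ADDomain).NetBIOSName
$Username = "{0}\adminuser001" -f $myDomain
# Workshop lab password, embedded in plain text for convenience; outside the lab, prompt with Get-Credential instead
$Password = "Micha&BartForProctorsOfTheYear2020"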

$cred = New-Object System.Management.Automation.PSCredential($Username, (ConvertTo-SecureString $Password -AsPlainText -Force))
$filesharepath = "\\{0}.file.core.windows.net\wvdprofiles" -f $storageAccountName
New-PSDrive -Name "S" -Root $filesharepath -Persist -PSProvider "FileSystem" -Credential $cred

explorer s:
  • Create a new folder on the S-drive: FSLogix-Profiles

  • Change permissions on the folder to this Best Practice from FSLogix:

    User Account      Folder                                Permissions
    Users             This Folder Only                      Modify
    Creator/Owner     Subfolders and Files Only             Modify
    Administrators    This Folder, Subfolders, and files    Full Control
    Domain Admins     This Folder, Subfolders, and files    Full Control

  • Change the FSLogix policy (as seen in the previous step) and point the FSLogix share to the new Azure Fileshare
    This will be something like \\wvdworkshopdc144eaesa.file.core.windows.net\wvdprofiles\FSLogix-Profiles
    You can get the path from the variables set in the PowerShell scripts:
Write-Host ("{0}\FSLogix-Profiles" -f $filesharepath)
  • Test the setup by signing in with the test users (demouserxxx)
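
The folder permission table above, translated into a single icacls call. This is an added example, not part of the original workshop. It assumes the S: drive from the earlier step is still mapped, that "Users" in the table means the domain's Domain Users group, and that entries inherited from the share root should be removed so the table is the folder's complete ACL.

```powershell
# Added example (not workshop code): apply the FSLogix permission table with icacls.
$ErrorActionPreference = "Stop"

$folder     = "S:\FSLogix-Profiles"              # folder created in the step above
$domain     = (Get-ADDomain).NetBIOSName
$userGroup  = "{0}\Domain Users" -f $domain      # assumption: replace with your WVD user group
$adminGroup = "{0}\Domain Admins" -f $domain

if (!(Test-Path $folder)) {
    New-Item $folder -ItemType Directory | Out-Null
}

# One grant per table row.
# (OI)(CI) = inherited by files and subfolders, (IO) = inherit only (not this folder)
# *S-1-3-0 = CREATOR OWNER, *S-1-5-32-544 = BUILTIN\Administrators (well-known SIDs)
$grants = @(
    ("{0}:(M)" -f $userGroup),            # Users: This Folder Only, Modify
    "*S-1-3-0:(OI)(CI)(IO)(M)",           # Creator/Owner: Subfolders and Files Only, Modify
    "*S-1-5-32-544:(OI)(CI)(F)",          # Administrators: This Folder, Subfolders, and files, Full Control
    ("{0}:(OI)(CI)(F)" -f $adminGroup)    # Domain Admins: This Folder, Subfolders, and files, Full Control
)

# /inheritance:r drops entries inherited from the share root (assumption, see lead-in);
# /grant:r replaces any explicit entries these principals already have on the folder.
$icaclsArgs = @($folder, "/inheritance:r", "/grant:r") + $grants

& icacls.exe @icaclsArgs
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Print the resulting ACL so it can be compared with the table
& icacls.exe $folder
```

With these entries a user can create a profile folder and, as its creator, modify its contents, but gets no inherited access to folders created by other users.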