Configure FSLogix on Azure Fileshare
Before you perform these steps, you must complete the previous step to install the FSLogix GPO settings on the domain controller.
We will configure FSLogix to store the VHDX files on an Azure Fileshare, removing the need for a file server!
In this step, you will:
- Create an Azure Storage Account
- Create an Azure Fileshare on that Account
- Join the Storage account into your AD
- Assign permissions
- Configure the FSLogix GPOs to store the profiles on the Azure Fileshare
We will do as much as possible with PowerShell to speed things up.
IMPORTANT
These steps need to be executed on a machine that is part of the target domain.
The AdVM is the ideal choice!
Prep the AdVM
- RDP to your AdVM
- Launch a PowerShell console as Administrator
- Download the AzFilesHybrid module using this PowerShell script:
$ErrorActionPreference = "Stop"
if (!(Test-Path "c:\temp")) {
    New-Item "c:\temp" -ItemType Directory
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://github.com/Azure-Samples/azure-files-samples/releases/download/v0.2.0/AzFilesHybrid.zip" -OutFile c:\temp\AzFilesHybrid.zip -UseBasicParsing
Expand-Archive -Path c:\temp\AzFilesHybrid.zip -DestinationPath C:\temp\AzFilesHybrid\
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force
Set-Location C:\temp\AzFilesHybrid
.\CopyToPSPath.ps1
- Import the AzFilesHybrid module using this command
Import-Module -name AzFilesHybrid
Important: You will get a warning that you need PowerShellGet 1.6.0+
You will need to install it, and restart your PowerShell window
- Restart your PowerShell console as Administrator
- Import the AzFilesHybrid module using this command
Import-Module -name AzFilesHybrid
Important: You will get another warning that you need Azure PowerShell 2.8.0+ and Az.Storage 2.0.0+
You will need to install them, and restart your PowerShell window
- Restart your PowerShell console as Administrator
- Import the AzFilesHybrid module using this command
This should not give any warnings anymore at this point
Import-Module -name AzFilesHybrid
- Sign in and connect to Azure using the admin account
Connect-AzAccount
- If you have multiple subscriptions, and need to change the default subscription, run this cmdlet:
Get-AzSubscription | Out-GridView -PassThru | Select-AzSubscription
- We are going to create a Storage Account with an Azure Fileshare in the wvd-workshop-infra-rg resource group.
This can be done using this script:
$resourceGroup = Get-AzResourceGroup "wvd-workshop-infra-rg"
$UniqueString = ([Guid]::NewGuid()).Guid.Substring(0,8)
$storageAccountName = ("wvdworkshop{0}sa" -f $UniqueString)
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup.ResourceGroupName -Name $storageAccountName -Location westeurope -SkuName Standard_LRS -Kind StorageV2 -EnableLargeFileShare
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup.ResourceGroupName -AccountName $storageAccountName)[0].value
$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $key
New-AzStorageShare -Name "wvdprofiles" -Context $ctx
- Now we can join the Storage Account to the domain in a separate OU: WVD Storage
Again, we’re going to use a script to do this:
$dc = (Get-ADDomain).DistinguishedName
$ouName = "WVD Storage"
$path = ("OU={0},{1}" -f $ouName, $dc)
# Create the OU only if it does not exist yet
$ouObject = $null
try { $ouObject = Get-ADOrganizationalUnit -Identity $path -ErrorAction Stop } catch {}
if ($null -eq $ouObject) {
    New-ADOrganizationalUnit -Name $ouName -Path $dc
}
Join-AzStorageAccountForAuth -ResourceGroupName $resourceGroup.ResourceGroupName -Name $storageAccount.StorageAccountName -DomainAccountType "ComputerAccount" -OrganizationalUnitDistinguishedName $path
- Next, we will assign the needed “Share” permissions on the Storage Account.
This is needed to allow the users and admins to use/manage the Fileshare from within the WVD environment.
This script will give our Admin accounts Elevated Share Contributor permissions, and all our WVD Users Share Contributor permissions:
$scope = $storageAccount.Id
$fileShareContributorRole = Get-AzRoleDefinition | Where-Object {$_.Name -eq "Storage File Data SMB Share Contributor"}
$fileShareAdminRole = Get-AzRoleDefinition | Where-Object {$_.Name -eq "Storage File Data SMB Share Elevated Contributor"}
$WVDWorkshopFullDesktopUsers = Get-AzADGroup -DisplayName WVDWorkshopFullDesktopUsers
$WVDWorkshopRemoteAppUsers = Get-AzADGroup -DisplayName WVDWorkshopRemoteAppUsers
$WVDWorkshopAdmins = Get-AzADGroup -DisplayName WVDWorkshopAdmins
New-AzRoleAssignment -ObjectId $WVDWorkshopFullDesktopUsers.Id -RoleDefinitionId $fileShareContributorRole.Id -Scope $scope
New-AzRoleAssignment -ObjectId $WVDWorkshopRemoteAppUsers.Id -RoleDefinitionId $fileShareContributorRole.Id -Scope $scope
New-AzRoleAssignment -ObjectId $WVDWorkshopAdmins.Id -RoleDefinitionId $fileShareAdminRole.Id -Scope $scope
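A read-back check for the join and role-assignment steps above, as an added example rather than part of the workshop scripts: it confirms the storage account reports AD authentication and compares who holds the SMB share roles at the storage account scope with the three groups assigned above. It assumes `$resourceGroup`, `$storageAccountName` and `$scope` are still set in the session.

```powershell
# Added example, not part of the original workshop scripts.
# Assumes $resourceGroup, $storageAccountName and $scope from the scripts above.
$sa = Get-AzStorageAccount -ResourceGroupName $resourceGroup.ResourceGroupName -Name $storageAccountName

# After a successful domain join, DirectoryServiceOptions reads "AD".
$auth = $sa.AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne "AD") {
    Write-Warning ("Storage account is not AD-joined (DirectoryServiceOptions = '{0}')" -f $auth.DirectoryServiceOptions)
} else {
    $auth.ActiveDirectoryProperties | Format-List DomainName, DomainGuid
}

# Groups and roles as assigned in the script above.
$expected = @{
    "WVDWorkshopFullDesktopUsers" = "Storage File Data SMB Share Contributor"
    "WVDWorkshopRemoteAppUsers"   = "Storage File Data SMB Share Contributor"
    "WVDWorkshopAdmins"           = "Storage File Data SMB Share Elevated Contributor"
}

# Includes assignments inherited from the resource group or subscription.
$assignments = @(Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -like "Storage File Data SMB Share*" })

foreach ($a in $assignments) {
    $name = "$($a.DisplayName)"   # empty string if the principal no longer resolves
    if ($expected[$name] -eq $a.RoleDefinitionName) {
        Write-Host ("OK       {0} -> {1}" -f $name, $a.RoleDefinitionName)
    } else {
        Write-Warning ("Unexpected share role: '{0}' holds '{1}' at {2}" -f $name, $a.RoleDefinitionName, $a.Scope)
    }
}

foreach ($name in $expected.Keys) {
    if (@($assignments.DisplayName) -notcontains $name) {
        Write-Warning ("Missing assignment for {0}" -f $name)
    }
}
```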
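- Access the share as an AdminUserxxx account.
$myDomain = (Get-ADDomain).NetBIOSName
$Username = "{0}\adminuser001" -f $myDomain
# Workshop lab password, hard-coded for convenience; Get-Credential prompts for it instead of storing it in the script
$Password = "Micha&BartForProctorsOfTheYear2020"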
$cred = New-Object System.Management.Automation.PSCredential($Username, (ConvertTo-SecureString $Password -AsPlainText -Force))
$filesharepath = "\\{0}.file.core.windows.net\wvdprofiles" -f $storageAccountName
New-PSDrive -Name "S" -Root $filesharepath -Persist -PSProvider "FileSystem" -Credential $cred
explorer s:
- Create a new folder on the S-drive: FSLogix-Profiles
- Change permissions on the folder to this Best Practice from FSLogix:
User Account | Folder | Permissions |
---|---|---|
Users | This Folder Only | Modify |
Creator/Owner | Subfolders and Files Only | Modify |
Administrators | This Folder, Subfolders, and files | Full Control |
Domain Admins | This Folder, Subfolders, and files | Full Control |
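The permissions in the table, applied from the same PowerShell session instead of through Explorer, then read back to flag any entry the table does not list. This is an added example, not part of the original workshop; it assumes the S: drive mapped above, that "Users" and "Administrators" mean the built-in groups, and that inherited entries should be removed so only the table's entries remain.

```powershell
# Added example, not part of the original workshop scripts.
# Assumes S: is mapped as above and S:\FSLogix-Profiles already exists.
$folder   = "S:\FSLogix-Profiles"
$myDomain = (Get-ADDomain).NetBIOSName

# One entry per table row: identity -> icacls permission spec.
# (OI)(CI) = inherited by files and subfolders, (IO) = not applied to the folder itself.
# Assumption: "Users" and "Administrators" are the built-in groups.
$expected = [ordered]@{
    "BUILTIN\Users"           = "(M)"              # This Folder Only, Modify
    "CREATOR OWNER"           = "(OI)(CI)(IO)(M)"  # Subfolders and Files Only, Modify
    "BUILTIN\Administrators"  = "(OI)(CI)(F)"      # This Folder, Subfolders and Files, Full Control
    "$myDomain\Domain Admins" = "(OI)(CI)(F)"      # This Folder, Subfolders and Files, Full Control
}

# Grant the explicit entries first so the admin keeps access,
# then remove inherited entries (assumption: only the table's entries should remain).
foreach ($id in $expected.Keys) {
    icacls $folder /grant ("{0}:{1}" -f $id, $expected[$id]) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for $id" }
}
icacls $folder /inheritance:r | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance:r failed" }

# Read the ACL back and flag any identity that is not in the table.
$actual = (Get-Acl -Path $folder).Access
$actual | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
$unexpected = $actual | Where-Object { @($expected.Keys) -notcontains $_.IdentityReference.Value }
if ($unexpected) {
    Write-Warning ("Entries outside the table: {0}" -f (($unexpected.IdentityReference.Value | Sort-Object -Unique) -join ", "))
}
```

With these entries a user can create a profile folder and gets Modify on it through Creator/Owner, while Modify for Users stops at the top-level folder and is not inherited by other users' profile folders.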
- Change the FSLogix policy (as seen in the previous step) and point the FSLogix share to the new Azure Fileshare
This will be something like \\wvdworkshopdc144eaesa.file.core.windows.net\wvdprofiles\FSLogix-Profiles
You can get the path from the variables in the PowerShell scripts:
Write-Host ("{0}\FSLogix-Profiles" -f $filesharepath)
- Test the setup by signing in with the test users (demouserxxx)