Start / Configure FSLogix on Azure Fileshare

Configure FSLogix on Azure Fileshare

Before you perform these steps, you must complete the previous step to install the FSLogix GPO settings on the domain controller.

We will configure the FSLogix to store the VHDX-files on an Azure Fileshare removing the need for a Fileserver!

In this step, you will:

Create an Azure Storage Account
Create an Azure Fileshare on that Account
Join the Storage account into your AD
Assign permissions
Configure FSLogix GPO’s to store it on the Azure Fileshare

We will do as much as possible with Powershell to speed things up.

IMPORTANT
These steps need to be executed on a machine that is part of the target domein.
So most ideal would be the AdVM!

Prep the AdVM

RDP to your AdVM
Launch a Powershell console as Administrator
Download the AzFilesHybrid module using this Powershell script:

$ErrorActionPreference = "Stop"
if (!(Test-Path "c:\temp")) {
    New-Item "c:\temp" -ItemType Directory
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://github.com/Azure-Samples/azure-files-samples/releases/download/v0.2.0/AzFilesHybrid.zip" -OutFile c:\temp\AzFilesHybrid.zip -UseBasicParsing

Expand-Archive -Path c:\temp\AzFilesHybrid.zip -DestinationPath C:\temp\AzFilesHybrid\

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force

Set-Location C:\temp\AzFilesHybrid
.\CopyToPSPath.ps1

Import the AzFilesHybrid module using this command

Import-Module -name AzFilesHybrid

Important: You will get an warning that you need PowershellGet 1.6.0+
You will need to install it, and restart your Powershell window

PowershellGet Warning

Restart your Powershell console as Administrator
Import the AzFilesHybrid module using this command

Import-Module -name AzFilesHybrid

Important: You will get another warning that you need Azure Powershell 2.8.0+ and Az.Storage 2.0.0+
You will need to install it, and restart your Powershell window
Powershell AZ Warning

Restart your Powershell console as Administrator
Import the AzFilesHybrid module using this command

This should not give any warnings anymore at this point

Import-Module -name AzFilesHybrid

Connect-AzAccount

If you have multiple subscriptions, and need to change the default subscription, run this cmdlet:

Get-AzSubscription | Out-GridView -PassThru | Select-AzSubscription

We are going to create a Storage Account with an Azure Fileshare in the wvd-workshop-infra-rg resource group.
This can be done using this script:

$resourceGroup = Get-AzResourceGroup "wvd-workshop-infra-rg"

$UniqueString = ([Guid]::NewGuid()).Guid.Substring(0,8)
$storageAccountName = ("wvdworkshop{0}sa" -f $UniqueString)
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup.ResourceGroupName -Name $storageAccountName -Location westeurope -SkuName Standard_LRS -Kind StorageV2 -EnableLargeFileShare

$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup.ResourceGroupName -AccountName $storageAccountName)[0].value

$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $key
New-AzStorageShare -Name "wvdprofiles" -Context $ctx

Now we can join the Storage Account into the domain in a seperate OU: WVD Storage
Again, we’re going to use a script to do this:

$dc = (Get-ADDomain).DistinguishedName
$ouName = "WVD Storage"
$path = ("OU={0},{1}" -f $ouName, $dc)
$ouObject = ""
try {$ouObject = Get-ADOrganizationalUnit -Identity $path } catch {}
if (($null -eq $ouObject) -or ($ouObject -eq "")) {
    New-ADOrganizationalUnit -Name $ouName -Path $dc
}

join-AzStorageaccountForAuth -ResourceGroupName $resourceGroup.ResourceGroupName -Name $storageAccount.StorageAccountName -DomainAccountType "ComputerAccount" -OrganizationalUnitDistinguishedName $path

Next, we will assign the needed “Share” permissions on the Storage Account.
This is needed to give the users and admins to use/manage the Fileshare from within the WVD environment.
This script will give our Admin accounts Elevated Share Contributor permissions, and all our WVD Users Share Contributor permissions

$scope = $storageAccount.Id

$fileShareContributorRole = Get-AzRoleDefinition | Where-Object {$_.Name -eq "Storage File Data SMB Share Contributor"} 
$fileShareAdminRole = Get-AzRoleDefinition | Where-Object {$_.Name -eq "Storage File Data SMB Share Elevated Contributor"} 

$WVDWorkshopFullDesktopUsers = Get-AzADGroup -DisplayName WVDWorkshopFullDesktopUsers
$WVDWorkshopRemoteAppUsers = Get-AzADGroup -DisplayName WVDWorkshopRemoteAppUsers

$WVDWorkshopAdmins = Get-AzADGroup -DisplayName WVDWorkshopAdmins

New-AzRoleAssignment -ObjectId $WVDWorkshopFullDesktopUsers.Id -RoleDefinitionId $fileShareContributorRole.Id -Scope $scope
New-AzRoleAssignment -ObjectId $WVDWorkshopRemoteAppUsers.Id -RoleDefinitionId $fileShareContributorRole.Id -Scope $scope

New-AzRoleAssignment -ObjectId $WVDWorkshopAdmins.Id -RoleDefinitionId $fileShareAdminRole.Id -Scope $scope

Access the share as a AdminUserxxx account.

$myDomain = (Get-ADDomain).NetBIOSName
$Username = "{0}\adminuser001" -f $myDomain
$Password = "Micha&BartForProctorsOfTheYear2020"

$cred = New-Object System.Management.Automation.PSCredential($Username, (ConvertTo-SecureString $Password -AsPlainText -Force))
$filesharepath = "\\{0}.file.core.windows.net\wvdprofiles" -f $storageAccountName
New-PSDrive -Name "S" -Root $filesharepath -Persist -PSProvider "FileSystem" -Credential $cred

explorer s:

Create a new folder on the S-drive: FSLogix-Profiles
Change permissions on the folder to this Best Practice from FSLogix:

User Account	Folder	Permissions
Users	This Folder Only	Modify
Creator/Owner	Subfolders and Files Only	Modify
Administrators	This Folder, Subfolders, and files	Full Control
Domain Admins	This Folder, Subfolders, and files	Full Control

Change the FSLogix policy (as seen in the previous step) and point the FSLogix share to the new Azure Fileshare
This will be something like \\wvdworkshopdc144eaesa.file.core.windows.net\wvdprofiles\FSLogix-Profiles
You get the path from the variables from the powershell scripts:

Write-Host ("{0}\FSLogix-Profiles" -f $filesharepath)

Test the setup by signin in with the Testusers (demouserxxx)