Good point…that’s why the product teams are still working towards an Azure AD Native solution

Cloud GPO video will be ready next week, stay tuned!

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

LOL Thanks!

You are probably not running the Command properly, Watch this 👉 kzbin.info/www/bejne/r3vUhX2eZ7martE at 11:45 I talk about the cloud only method

​ @AzureAcademy I went back and set NTFS permissions and used the Powershell "run command" on the operations tab with your 100%cloud scripts and it Worked! I cannot thank you enough, I am an intern with absolutely no certifications and through your videos, I have learned so much about Virtual desktops.

Awesome, that’s why I do this…thanks! 👍👍

Due to the multiple groups that could have different levels of admin roles like local server admins vs. Azure admins, vs. Azure AD admins and how permissions are granted this method MIGHT give more access then folks should have…which is why I brought it up. But good thought!

👍☺️👍 thanks!

They would be prompted for credentials…which they wouldn’t have. The only valid creds are the storage account key. Look for the cloud GPO video next week

OST files are a toss up. If you have HUGE OST files, because you allow such long retention of your emails AND you need regular access to the OST files…you may be better off using the Office profiles with the OST and the outlook indexing and searching. But in general, I don’t suggest it in AVD

Are your session hosts on windows 11 22h2? Marcel has an extra reg key that you need to add so the creds don’t disappear

@@AzureAcademy I have same issue using Windows 10 Multi session 21h2

strange...I haven't had that experience...what does the FSLogix logs show?

its 21H2 I statyed away fro 22H2 because of sysprep issues.

got it

Thanks for watching!

Thanks for watching, the Cloud GPO video will be ready next week, stay tuned!

Thanks for watching, and glad I could help. On the clean up, I do not. There are too many variables that different customers think about to nail it down. Best thing I recommend is that you create a script with your criteria and run that when you do your profile maintenance.

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Will be this Tuesday

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Here ya go 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c

the extra RegKey is needed on Win 11 22H2 because of a bug in Credential Guard that deletes the entry from Credential manager. a fix is in the works. Yes you can also use Defender best practices with this...and there are also several defender AV exclusions you should include as well...read this 👉learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/windows-virtual-desktop-fslogix#antivirus-exclusions

Great point

If by normal you mean Azure files standard…YES. In Azure stack…not sure, I don’t have a stack environment to test…but I think so. Demo I showed was in Azure AD Join.

@@AzureAcademy No i meant On-prem file share 😃

​@@AzureAcademy Us younglings in the HCI space, would like to be masters some day.

You can’t use this exact method to an on prem share because there isn’t an access key…however if you granted permissions to the computers instead of the users and users the access as computer object reg key I think it could work

Is that a request for HCI videos? If so…tell me what you want to learn?

Which join type are your hosts using? Also are your users synced from Active Directory to the cloud Or are you using cloud only users? Do you have line of sight to your domain controller Are you using Entra ID Kerberos?

If you use this method you don’t give permissions in the storage account, The access key does it for you. You don’t join the storage account to the domain And you don’t sync users HOWEVER, I haven’t tried this in an AD managed environment. But since you already have to sync users…I would generally recommend managing FSLogix the traditional way too. But you can try it and let me know

Thanks for watching, the Cloud GPO video will be ready next week

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Yes…and rotating the keys is a good practice…so you can run the updates script on your existing session hosts or build from the updated script

You’re welcome! Answers: you would only use this for cloud users. Synced users will use Entra ID Kerberos or AD Authentication. And YES you can use both methods at once…but on different shares. You can add the script into your image but I generally discourage that so you can use your image with more solutions

@@AzureAcademy Thank you. God bless you

Amen!

No…in general users access the file share in the user context. The method I showed in this video changes the default behavior to access in the system context

according to the docs...the REG_SZ is NOT correct...good catch, it should be a DWORD. The REAL question here is...how did that happen? I set up my environments with the GPO or Intune Policies 😲😲 I will have to go back and check...thanks again! learn.microsoft.com/en-us/fslogix/tutorial-configure-profile-containers#profile-container-configuration

@@AzureAcademy I have also been wondering how that slipped through :) Even though, this video is a ground breaker!

Thanks!

will be uploaded next week, stay tuned!

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

@@AzureAcademy another interesting feature.

👍👍

I don’t think that will work…but if you can try it and make it work…I’ll make a video on it and give you the credit! ☺️

The only reason I wouldn’t use that approach is that it locks your golden image to a single pool and file share. I prefer to use one golden image for everything, and then customize at the time of deployment for that workload, but your approach could definitely work too

There are so many things that might be wrong in that case I suggest opening a support ticket so they can look at the authentication packets

Custom script extension is just a way to run PowerShell or a cmd script…so yes you can easily do that

the Cloud GPO video will be ready next week,

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Did you enable the policy to allow FSLogix to run as computer account?

Which reg keys are you talking about? Which join type are your hosts using? Are the users cloud only or synced

There is no way to alert from the Azure level if a .vhd in a file share is getting full. My preferred approach is to use dynamic disks and make the disk size very large, this way I don’t have to do maintenance except on a few disks who near the limit. Also the cost of FSLogix depends on the file share you have. If Azure files premium, the cost comes from the size of the file share, not the disks. What do you have?

Cloud GPO video will be ready next week, stay tuned, thanks for watching

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

No, FSLogix doesn’t speak Azure yet so a managed ID doesn’t translate from the users

The issue is user context i explain it and show in exact step by step multiple ways to execute this correctly 👉 kzbin.info/www/bejne/r3vUhX2eZ7martE and go to Time 11:45 for the 100% cloud info Please let me know you are successful

as i said, i followed everything exactly as you described :). did it once in the portal with "run command", and once with "psexec -s". unfortunately it still doesn't work for me...@@AzureAcademy

Then you are missing something 🥰 seriously…if you did the process correctly, then you should be able to log on with an admin account, then use PSExec to elevate your cmd. And check for the key…if it is not there you missed something in the process

You are probably not running the Command in the system context Watch this for the EXACT steps at about 11 minutes kzbin.info/www/bejne/eJC1Y3WfarikjNEsi=DO6kr7O-t3OWwqio

Yes, you could do this for MSIX App Attach as well. If I remember, that’s just the session, hosts that need access to the file share

Thanks for watching, the Cloud GPO video will be ready next week

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Watch my latest video for the possible issues and fixes you need kzbin.info/www/bejne/oqelmn-gbNR0fZY

Yes you can use private endpoint with FSLogix file share, as far as I know the credential manager has 2 layers, user and computer The user layer is locked down per user and the computer is secured by SYSTEM rights, which is beyond normal Admin. Just like running the script to set all this up, needs to be run in the SYSTEM context, not a user or admin. As for a tool to lock down credential manager…none that I know of. AND since a local admin CAN elevate to SYSTEM if they know how…this is why I warned you in the video about considering IF you should use this method because your local admins COULD access the file share and the profiles

@@AzureAcademy is it possible for Cred manager use the TPM chip to store and access the keys, every time it's needed, and what is shown in cred manager is an encrypted key?

Not that I know of.

Make sure you are running the Command in the computer system context Watch this for how at 11:45 kzbin.info/www/bejne/r3vUhX2eZ7martEsi=JlAsxoFpGliuG022

@@AzureAcademy Thanks a lot, It worked like a charm.

Awesome

You got it

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

The issue is that you are running the script as a user not running the script as SYSTEM. To run as SYSTEM you can either run it as a custom script extension or in the VM run Command blade powershell script or run it with sysinternsls PSExec.exe

In Marcel’s blog he mentioned windows version 22H2 needing another reg key for LsaCfgFlags which will fix the credential manager

@@AzureAcademy update: troubleshooted the issue with Marcel. The script which is provided has small correction which Marcel will do. The other catch is to run the script as system context i was running the script in user context. To run the script is system context one option can be to leverage run command from the portal.

Oh…yeah needs to be in system context otherwise it registers the creds as YOU instead of the computer

I believe the answer is in how you are running the script. You are not in the system context. I show multiple ways to do this here: kzbin.info/www/bejne/r3vUhX2eZ7martEsi=npJK-SOQsWHoJAvy at 11:45

@@AzureAcademy I ensured I ran the script yesterday using psexe.exe. All worked well in the afternoon through multiple logins of both admin and standard users. Today, after powering up the session host again, I get "The User Profile Service service failed the sign-in. User profile cannot be loaded." I can't seem to find the reason.

Is there anything in the windows event viewer? Also is there anything in the Azure Files activity logs for the login failure?

@@AzureAcademy nothing in Azure Files activity logs. Event Viewer indicates Error 1508 "Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights." and "The configuration registry database is corrupt." (for every user tried), but when the script is run all works.

after you reboot, when people can’t log in, RDP in with an admin account. Then check the credential manager like I showed…is the correct entry for the file share present?

Already done 👉 kzbin.info/www/bejne/qabZdXtjrrN_bpo

@@AzureAcademy Missed this... Thanks!!

Cool

Wouldn’t work. The Azure AD user has no rights in the file share so mapping the permissions to credential manager wouldn’t work. And in order to make it work you need Azure AD Kerberos…which requires synced users

@@AzureAcademy I didn't mention it but I meant that you could first use the "Connect" PS script with the storage key to mount a drive to the Azure File share, then add Azure AD user/group permissions at the root as needed. Then, the rest of what I mentioned before. I'll need to read up more on the need for syncing for Azure AD kerberos auth, thanks for that detail.

Here is my video on Azure AD Kerberos kzbin.info/www/bejne/qabZdXtjrrN_bpo

Yes you can do this with Azure AD joined VMs and Synced Users

Without a domain controller the VMs must be Azure AD Joined and the users will function as cloud only users. YES this will work ☺️

well thank you sir! love your content@@AzureAcademy

Thanks! Very Appreciated 😁

Many have told me about this issue…turns out that they were NOT executing the script in the system context. Watch this starting at 11:45 for the right ways kzbin.info/www/bejne/r3vUhX2eZ7martEsi=v1JMaUOQvk1vxrPu

I believe the issue is that you are not running the Command with the proper elevated permissions watch this for the exact steps kzbin.info/www/bejne/r3vUhX2eZ7martEsi=V9WHVXiojak9awDf at 11:45

@@AzureAcademy The real problem was that the storage account key was not added in the system context. Like you said ;) Executed the script on the VM via Azure and it worked. Thank you so much!

Awesome!

Not that I know of because of the system context, and that FSLogix works at the OS level. That’s why at the end I said the product team is still working on Azure AD improvements

No, if it worked the profile would show up right away. Check the cmdkey for the storage account credentials…remember they should be in the system account. I show multiple ways to do this process in this video 👉 kzbin.info/www/bejne/r3vUhX2eZ7martEsi=AFQ10p6Su_APu--f

@@AzureAcademy I was able to sync the Azure Files but after that I was not able to access to session host. DomainTrustCheck and DomainJoinedCheck Failed in Health Status.

Usually that is because the passwords are out of sync update the password in powershell and try again

Thanks for watching, the Cloud GPO video will be ready next week, stay tuned!

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

I haven’t run into that error…check to be sure the credential manager still has the data in it Also have you looked at the FSLogix logs or is that where you saw this error message?

@@AzureAcademy Thanks, I have checked and yes , still there. I can browse to the share without username and password prompt.. Error message from fslogix is: [ERROR:00000057] FindFile failed for path: \\acwwfslogix.file.core.windows.net\fslogixuserprofiles\AVDTES2_S-1-12-1-772530151-1232695167-1584538045-2811400153\Profile*.VHDX (The parameter is incorrect.) [10:32:56.832][tid:00000c60.000012dc][INFO] Configuration setting not found: SOFTWARE\FSLogix\Profiles\VHDNamePattern. Using default: Profile_%username% [10:32:56.847][tid:00000c60.000012dc][ERROR:00000057] No Create access: \\acwwfslogix.file.core.windows.net\fslogixuserprofiles\AVDTES2_S-1-12-1-772530151-1232695167-1584538045-2811400153-test (The parameter is incorrect.) [10:32:56.847][tid:00000c60.000012dc][INFO] Status set to 6: Cannot retrieve virtual disk location

@@AzureAcademyI got the same errors and these errors came from the Fslogix profile log. I have the same error and the credential manager clears the credentials after logoff estart. I used Windows 10 versions 22H2 and 22H1 and also I tried the LsaCfgFlags registry but it did not work. I have also tried to change the storage account network setting and that solved the issue of failing to find the path. but I still get "the parameter is incorrect" or "Username and password incorrect", knowing I can map the Fslogix drive using the key without issue on the session

Did the creds in credential manager disappear?

I haven’t scene or heard of that issue happening outside of windows 11 22h2, and the LSACfgFlags regkey fixes it…not sure what’s up with that. I’d suggest contacting support

Thanks, should be done by next week

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Thanks for watching ☺️. Yes you can use blob storage as well, but it doesn’t scale in performance like SMB file shares.

​@@AzureAcademy Was not aware of that ;)

👍👍

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

I have also found Marcel's blog and added the registry keys so it doesn't forget the credentials and it is still not working

Marcel has a note in his blog for anyone using version 22 H2 there is another registry key for LSACFGflags you need to enter, which will stop the credential manager from wiping out your creds

@Azure Academy yes, tried that as well and didn't work

What version of windows are you using?

@@AzureAcademy windows 11 multisession 22h2 fen 2

Find out tomorrow at 9 am EST

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Yes it does, that’s what I showed in the video

@@AzureAcademy Thanks for the advice

anytime!

Stay tuned, Thanks for watching, the Cloud GPO video will be ready next week

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

kzbin.info/www/bejne/p5m9fKuAm5J8o7csi=5k59SqlcxLlG6X6a let me know what you think

Next week…stay tuned

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Thanks!

Thanks for watching, the Cloud GPO video will be ready next week, stay tuned!

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Thanks for watching, the Cloud GPO video will be ready next week

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Here ya go! kzbin.info/www/bejne/p5m9fKuAm5J8o7csi=1Ofuh5FeKyKVu48s

Thanks for watching, the Cloud GPO video will be ready next week

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

@@AzureAcademy what a Legend! I’ll check it out right away.

What did you think?

@@AzureAcademy I showed it my InTune colleague and it blew her away. It’s on our roadmap to start migrating policies over. At the moment we’re focusing on moving away from the MMA and and over to the AMA agent. Might be a good idea for a video as it’s a little tricky with the data collection rules.

Thanks!

Here ya go kzbin.info/www/bejne/i3qblZ-BnduCopIsi=gCihKO4BbL80d6yO

Thanks for watching, Will be ready by next week

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Next week, stay tuned

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Working on it, thanks

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

the Cloud GPO video will be ready next week,

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Thanks for watching, the Cloud GPO video will be ready next week

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Thanks for watching, the Cloud GPO video will be ready next week

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️

Next week, stay tuned

Here is the video I promised on Cloud GPOs 👉 kzbin.info/www/bejne/p5m9fKuAm5J8o7c Let me know what you think ☺️