FSLogix profiles can also be stored on Azure Files with Active Directory Domain Services or Azure Active Directory Domain Services. Per FSLogix documentation (https://learn.microsoft.com/en-us/azure/virtual-desktop/fslogix-profile-container-configure-azure-files-active-directory), the requirements below need to be met. Once completed, the same NTFS permissions as outlined in the previous chapter need to be applied.
- A host pool where the session hosts are joined to an AD DS domain or Azure AD DS managed domain, and users are assigned.
- A security group in your domain that contains the users who will use FSLogix Profile Containers. If you're using AD DS, it must be synchronized to Azure AD.
- Your Azure subscription must allow you to create a storage account and add role assignments.
- A domain account to join computers to the domain and open an elevated PowerShell prompt.
- The subscription ID of the Azure subscription where your storage account will be.
- A computer joined to your domain for installing and running the PowerShell modules that will join the storage account to your domain. This device must be running a supported version of Windows. Alternatively, you can use a session host.
You are eligible to access FSLogix Profile Container, Office 365 Container, Application Masking, and Java Redirection tools if you have one of the following licenses:
- Microsoft 365 E3/E5
- Microsoft 365 A3/A5/Student Use Benefits
- Microsoft 365 F1/F3
- Microsoft 365 Business
- Windows 10 Enterprise E3/E5
- Windows 10 Education A3/A5
- Windows 10 VDA per user
- Remote Desktop Services (RDS) Client Access License (CAL)
- Remote Desktop Services (RDS) Subscriber Access License (SAL)
FSLogix solutions may be used in any public or private data center if a user has the necessary license.
For more information, see: https://docs.microsoft.com/en-us/fslogix/overview.
Please ensure that FSLogix Office or Profile Container is not configured by GPO on the server(s) as this will cause conflicts with the settings specified in the Parallels RAS Console or Management Portal.
For FSLogix Profile Container to work properly, configure your antivirus to exclude the following objects, as per Microsoft’s recommendations:
Files:
- %TEMP%\*\*.VHD
- %TEMP%\*\*.VHDX
- %Windir%\TEMP\*\*.VHD
- %Windir%\TEMP\*\*.VHDX
- \\server-name\share-name\*\*.VHD
- \\server-name\share-name\*\*.VHD.lock
- \\server-name\share-name\*\*.VHD.meta
- \\server-name\share-name\*\*.VHD.metadata
- \\server-name\share-name\*\*.VHDX
- \\server-name\share-name\*\*.VHDX.lock
- \\server-name\share-name\*\*.VHDX.meta
- \\server-name\share-name\*\*.VHDX.metadata
Note: Antivirus exclusions for Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection) can be set via Parallels RAS optimizations (Windows Defender ATP category). See this KB for more info: https://kb.parallels.com/en/125071.
FSLogix profiles can also be stored directly on Azure Page Blobs. When using Azure Page Blobs, it is strongly recommended to store sensitive Azure credentials inside Windows Credential Manager. This prevents exposing sensitive Azure credentials to users with access to the session host registry. Chapter 3 explains how to leverage Azure Page Blobs and provides guidance on how to use Credential Manager to securely store the required Azure credentials. When deciding on the storage type and location, make sure to perform a cost calculation up front as there can be a significant cost difference between various storage solutions in Azure.
Profile Containers store user information in VHD(X) files. These files are stored in a network location. Profile Containers and Office Containers can automatically create the folders and files needed. To avoid security issues, user permissions must be created to allow users to create and use a profile, while not allowing access to other users’ profiles.
Per FSLogix documentation (https://docs.microsoft.com/en-us/fslogix/configure-per-user-per-group-ht), the following is recommended:
User account | Folder | Permissions |
---|---|---|
Users | This Folder Only | Modify |
Creator/Owner | Subfolders and Files Only | Modify |
Administrator (optional) | This Folder, Subfolders and Files | Full Control |
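
A read-only check of the profile share root against the permission table above, as an added example that is not from the Parallels or FSLogix documentation. The default path, the `CONTOSO\FSLogix-Users` group and the use of `BUILTIN\Administrators` for the optional row are placeholder assumptions; pass your own values.

```powershell
# Added example, not part of the Parallels or FSLogix documentation.
# Read-only: compares the ACL on the profile share root with the recommended table.
param(
    [string]$ProfileRoot = '\\server-name\share-name',  # placeholder path, as written on the page
    [string]$UserGroup   = 'CONTOSO\FSLogix-Users',     # hypothetical group name (assumption)
    [string]$AdminGroup  = 'BUILTIN\Administrators'     # assumed identity for the optional row
)

$fsr  = [System.Security.AccessControl.FileSystemRights]
$sync = [int]$fsr::Synchronize   # implicitly added to Allow ACEs, so ignored when comparing
$all  = 'ContainerInherit, ObjectInherit'

# identity -> expected rights, InheritanceFlags, PropagationFlags
$expected = @{
    $UserGroup      = @{ Rights = $fsr::Modify;      Inherit = 'None'; Prop = 'None';        Optional = $false }  # This Folder Only
    'CREATOR OWNER' = @{ Rights = $fsr::Modify;      Inherit = $all;   Prop = 'InheritOnly'; Optional = $false }  # Subfolders and Files Only
    $AdminGroup     = @{ Rights = $fsr::FullControl; Inherit = $all;   Prop = 'None';        Optional = $true  }  # This Folder, Subfolders and Files
}

$seen = @{}
$findings = foreach ($ace in (Get-Acl -Path $ProfileRoot).Access) {
    $id  = $ace.IdentityReference.Value
    $exp = $expected[$id]
    if (-not $exp) {
        "REVIEW    $id is not in the recommended table ($($ace.AccessControlType) $($ace.FileSystemRights))"
        continue
    }
    $seen[$id] = $true
    $rightsOk = ([int]$ace.FileSystemRights -bor $sync) -eq ([int]$exp.Rights -bor $sync)
    $scopeOk  = "$($ace.InheritanceFlags)" -eq $exp.Inherit -and "$($ace.PropagationFlags)" -eq $exp.Prop
    if ($ace.AccessControlType -ne 'Allow' -or -not $rightsOk -or -not $scopeOk) {
        "DEVIATES  $id has $($ace.FileSystemRights) / $($ace.InheritanceFlags) / $($ace.PropagationFlags)"
    }
}
$missing = $expected.Keys | Where-Object { -not $expected[$_].Optional -and -not $seen[$_] } |
    ForEach-Object { "MISSING   $_ has no entry on $ProfileRoot" }

$findings
$missing
```

A `DEVIATES` line for the users group with inheritance flags other than `None` means its Modify right propagates into other users' profile folders, which is the condition the table is meant to prevent.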