Manage FSLogix groups on Azure AD joined AVD session hosts
FSLogix can be used to redirect user profiles to an Azure file share. This is something you want for normal users, but not for administrators. To prevent this, you need to add the local administrators to the FSLogix exclude groups and add Everyone to the FSLogix include groups.
The FSLogix groups are created when the FSLogix agent is installed. This agent is already installed on the Windows 10/11 enterprise multi-session images. The user profile will be redirected by FSLogix even if you are member of the local Administrators group. Please read the information below carefully before applying my remediation script to configure the FSLogix groups. |
It’s important to know what options we have for configuring the FSLogix groups on Microsoft Entra joined AVD session hosts with a Windows 10/11 Enterprise multi-user session image.
Only on Microsoft Entra hybrid joined hosts you can work with group policies. The best option on Microsoft Entra joined hosts is to use Microsoft Intune to push configuration settings.
Unfortunately, not every option is available due to limitations of the Windows 10/11 enterprise multi-user image. This image type does not support the use of a custom configuration profile to configure local groups, even if you go for the build-in Administrators group.
Also Endpoint security account protection in Intune does not support configuring custom local groups like the FSLogix groups. Even if it did, this policy type cannot be applied on a Windows 10/11 enterprise multi-session image.
Start implementing!
First you want to manage the members of the local administrators group on a host. By default the SID’s from the Global Administrator and Microsoft Entra Joined Device Local Administrator are added to the local administrators group on all Microsoft Entra joined devices. Every user that has a direct or a eligible active assignment to one of those roles can login as administrator on a Microsoft Entra joined device.
To manage local administrators, you can use Local Administrator settings in Microsoft Entra ID. Unfortunately, this will set the local administrator for all Microsoft Entra joined devices. Besides that, it’s securitywise not recommended to use this method. It’s much safer to use Privileged Identity Management and assign the eligible Microsoft Entra joined device local administrator role to administrators. Now you can give temporary administrator access on Azure AD joiend devices. |
I am going to use a proactive remediation script to configure the FSLogix groups. The script will gather all members of the Administrators group and add those to the FSLogix exclude groups. After that it will assign Everyone to the FSLogix include groups.
Add the script by selecting the detection and remediation script. Let it run as system in 64-bit PowerShell.
The script ran and the FSLogix groups are configured. The SID’s in the groups below are from the Global Administrator- and Microsoft Entra joined device local administrator role. The following groups should be modified: FSLogix profile Include- and Exlude list and FSLogix ODFC Include- and Exclude list.
Test if it works by logging in as an administrator on a session host. Go to your virtual machine that acts as a host, select Connect and download the RDP file. Edit the RDP file and disable Network Level Authentication to reach it from an untrusted environment. The virtual machine must be reachable in some way, for example over the internal network or it has a public IP address assigned.
If all went well you will get the login screen. Use AzureAD\administrator_username@organization.com to login and see that you will get a local profile on the session host.