Deploying FSLogix Profiles in an Azure Virtual Desktop (AVD) environment without Active Directory Domain Services (ADDS) takes some extra work. FSLogix normally reaches the file share that holds its profile containers with Kerberos, and Azure Files only supports Kerberos authentication against Microsoft Entra ID (formerly Azure Active Directory) for hybrid identities that are synced from an on-premises ADDS. In a cloud-only tenant that option is not available, so the session hosts must authenticate to the share with the storage account access key instead. With the right configuration in Nerdio and a little automation, it is entirely feasible to run FSLogix in an Entra-only environment; just be aware that the design rests on a single full-control secret, which is why the steps below restrict network access to the share and handle the key with care.
In this guide, we walk through a complete, step-by-step process for configuring FSLogix Profiles with Microsoft Entra ID and Nerdio Manager for Enterprise (NME); the same steps apply to Nerdio Manager for MSP (NMM).
Why FSLogix in AVD with Entra ID-Only?
As organizations migrate fully to the cloud, many choose to forgo on-premises infrastructure, including ADDS. User profiles still have to be managed efficiently, and FSLogix remains the go-to solution for user profiles in AVD, offering fast sign-ins and a consistent experience across session hosts. Paired with Entra ID and Nerdio, administrators can configure and automate FSLogix deployments without a domain controller in the picture.
Key Requirements Before You Start
Ensure the following are in place before you begin:
Access to Nerdio Manager for Enterprise (NME) or Nerdio Manager for MSP (NMM)
A Master/Base Image for AVD
Sufficient permissions in both Nerdio and Azure (in Azure, enough to create a storage account, set its network rules and read its access keys)
A basic understanding of scripting and scheduled tasks in Windows
Step 1: Create a Storage Account for FSLogix
Start by provisioning a Storage Account in the same Azure region as your AVD deployment.
Go to Azure Portal > Storage Accounts
Select the Premium performance tier with the FileStorage account kind (premium file shares, recommended for FSLogix I/O)
Under Networking, choose "Enabled from selected virtual networks and IP addresses" and add the AVD session-host subnet, so the share cannot be reached from the public internet
Create a new File Share under Data storage > File shares
Choose the SMB protocol
Allocate adequate storage for user profiles (premium shares are billed on provisioned size, so size the share for the expected number of users and profile sizes)
Step 2: Gather Necessary Access Information
After creating the file share, note the following connection details for later use. Only the last item is a secret, but it is a powerful one: an access key grants full control of the entire storage account, not just this share.
FQDN: yourstorageaccount.file.core.windows.net
Username: localhost\yourstorageaccount
Password: one of the storage account access keys (key1 or key2), found under Security + networking > Access keys
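Steps 1 and 2 can also be done from Az PowerShell, which makes the network restriction and the key handling repeatable. The following is an added example and not code from the original post or from Nerdio; the resource group, region, account name and subnet ID are placeholders, and it assumes the Az.Storage module and an existing Connect-AzAccount session.

```powershell
# Added example (not from the original post): provision the FSLogix storage account with Az PowerShell.
# Placeholders: resource group, region, account name, share name and subnet resource ID.
$rg       = "rg-avd-prod"                # assumption
$location = "westeurope"                 # must match the AVD host pool region
$account  = "yourstorageaccount"         # 3-24 lowercase letters and digits
$share    = "profiles"
$subnetId = "/subscriptions/<sub-id>/resourceGroups/rg-avd-prod/providers/Microsoft.Network/virtualNetworks/vnet-avd/subnets/snet-hosts"  # assumption

# Premium file shares require the FileStorage account kind with a premium SKU.
# Shared-key access stays enabled because this design authenticates with the account key.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
        -SkuName Premium_LRS -Kind FileStorage `
        -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false

# Lock the account down to the session-host subnet (Step 1, "selected virtual networks").
# The subnet needs the Microsoft.Storage service endpoint (or a private endpoint) for hosts to reach the share.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account -DefaultAction Deny -Bypass AzureServices | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account -VirtualNetworkResourceId $subnetId | Out-Null

# Create the SMB share. Premium shares are billed on provisioned size, so size it for the profile estate.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $account -Name $share -QuotaGiB 1024 -EnabledProtocol SMB | Out-Null

# Collect what Step 4 needs. Keep the key in a variable or secure store; never echo it to the console or a transcript.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
$connection = [pscustomobject]@{
    FQDN     = "$account.file.core.windows.net"
    Share    = "\\$account.file.core.windows.net\$share"
    Username = "localhost\$account"
}
$connection | Format-List
# $key is now ready to be handed to the host-side script, e.g. through a Nerdio secure variable.
```

The deny-by-default network rule is the main compensating control for this design: even if the key leaks, it can only be used from inside the allowed subnet (or by someone who can also reach Azure Resource Manager, which is a different permission).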
Step 3: Configure FSLogix Settings in Nerdio
To configure FSLogix inside Nerdio:
- Follow this NME KB: FSLogix Settings and Configuration – Nerdio Manager for Enterprise
- Input your storage path (e.g., \\yourstorageaccount.file.core.windows.net\profiles)
- Apply Microsoft's recommended settings for Entra-joined hosts:
- Set AccessNetworkAsComputerObject = 1, so FSLogix opens the share from the machine context, which is where the credential stored in Step 4 lives
- Set VHDCompactDisk = 1, so containers are compacted at sign-out and do not keep their peak size
These settings point every Nerdio-managed session host at the file share; access itself still depends on the credential injected in Step 4.
Step 4: Automate Credential Injection with PowerShell
To reach the share, each AVD host has to hold the storage account credential. This is done with a PowerShell script that stores the credential for the SYSTEM account with cmdkey, tells Windows to use that stored credential on the Entra-joined machine (LoadCredKeyFromProfile), and disables Credential Guard, which Windows 11 22H2 and later enable by default and which otherwise interferes with this stored-credential approach. Two points to weigh before copying it: the access key grants full control of the whole storage account, so anyone who can read it (from the master image, from the script before it deletes itself, or from the SYSTEM Credential Manager on a host) can read and alter every user's profile container; and turning off Credential Guard removes the isolation Windows puts around LSA secrets on the host. Keep users out of the local Administrators group on session hosts, restrict the share to the AVD subnet (Step 1), and prefer Entra Kerberos where your identities are hybrid.
Create a script named FSLogixFullEntra.ps1 in the Master Image:
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
Start-Transcript C:\temp\FslFullEntra.txt
# Connection details from Step 2. The key is a full-control secret for the storage account;
# prefer injecting it at deployment time (e.g. via a Nerdio secure variable) to leaving it in the image.
$fileServer   = "yourstorageaccount.file.core.windows.net"
$profileShare = "\\$fileServer\profiles"   # the storage path configured in Step 3, kept here for reference
$user         = "localhost\yourstorageaccount"
$secret       = "YourStorageAccountKey"
# Let the Entra-joined host use the stored credential when FSLogix accesses the share.
New-Item -Path "HKLM:\Software\Policies\Microsoft" -Name "AzureADAccount" -ErrorAction Ignore | Out-Null
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\AzureADAccount" -Name "LoadCredKeyFromProfile" -Value 1 -PropertyType DWord -Force | Out-Null
# Store the share credential for the SYSTEM account, which is what the scheduled task in Step 5 runs as.
cmdkey.exe /add:$fileServer /user:$user /pass:$secret
# Disable Credential Guard. Takes effect after the next reboot; if it was enabled with UEFI lock, the registry value alone is not enough.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 0 -PropertyType DWord -Force | Out-Null
# Remove this script so the plaintext key no longer sits on the host's disk.
Remove-Item -Path C:\Windows\Scripts\FSLogixFullEntra.ps1 -Force
Write-Host "The script has finished."
Stop-Transcript
Place this file at C:\Windows\Scripts\FSLogixFullEntra.ps1 in your master image. Because the key then sits in the image in plain text, treat the image and any gallery versions of it as sensitive: limit who can read them, and never commit the script with a real key to source control.
Step 5: Schedule the Script Execution via Nerdio
To ensure automation, trigger the script during host provisioning. Use a Nerdio scripted action to register this scheduled task on each new host:
Start-Transcript C:\temp\nerdioscript.txt
$TaskName   = "FSLogixFullEntraTask"
$ScriptPath = "C:\Windows\Scripts\FSLogixFullEntra.ps1"
# Run once, one minute after registration, so provisioning has settled before the credential is stored.
$TriggerTime = (Get-Date).AddMinutes(1)
$Action    = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Trigger   = New-ScheduledTaskTrigger -Once -At $TriggerTime
# SYSTEM, because cmdkey stores the credential for the account that runs it and FSLogix
# (with AccessNetworkAsComputerObject) accesses the share from the machine context.
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
$Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -Description "Runs FSLogix prerequisite script as SYSTEM"
Register-ScheduledTask -TaskName $TaskName -InputObject $Task -Force | Out-Null
Stop-Transcript
This ensures the host will execute the credential injection automatically after deployment.
Step 6: Final Automation Touches
- Leverage Scripted actions to fully automate the process
- Consider using Nerdio Secure Variables to pass the storage account access key into the script at run time instead of hard-coding it in the master image
- Ensure your host provisioning template in Nerdio includes the script path
- After execution, the script deletes itself so the plaintext key no longer sits on the host's disk; note that the key still exists in the master image, in the SYSTEM Credential Manager on every host (by design), and in PowerShell script block logs (Event ID 4104) if those are enabled, so it is harder to reach, not gone
- If you rotate access keys, update the script in the master image and redeploy your hosts; regenerating a key invalidates the old one immediately, so existing hosts lose access to the share until they are rebuilt with the new key
How to Verify the Setup
Once deployed:
- Check the FSLogix logs (C:\ProgramData\FSLogix\Logs\Profile) on the AVD host for the attach of the user's container and for any access-denied errors against the share
- Ensure a container appears in the file share for each user who signs in; by default it is created in a folder named <SID>_<username> as Profile_<username>.vhdx
- Test profile persistence by changing the desktop background or saving a file, signing out, and signing in again, ideally on a different host
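The checks above can be scripted so that a newly provisioned host can be validated before users are let in. This is an added example, not part of the original post or of Nerdio; the storage account name is a placeholder, and it assumes Nerdio writes the FSLogix settings under HKLM\SOFTWARE\FSLogix\Profiles (adjust the path if your deployment uses the policy key instead).

```powershell
# Added example (not from the original post): host-side verification of the pieces this guide configures.
# Run from an elevated PowerShell on a freshly provisioned session host. Account name is a placeholder.
$account = "yourstorageaccount"
$fqdn    = "$account.file.core.windows.net"
$share   = "\\$fqdn\profiles"
$fslPath = "HKLM:\SOFTWARE\FSLogix\Profiles"   # assumption: where Nerdio writes the FSLogix settings

function Get-RegDword($Path, $Name) {
    # Returns the value, or $null when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$checks = [ordered]@{
    # Step 3: FSLogix settings written by Nerdio.
    "FSLogix Enabled = 1"                  = (Get-RegDword $fslPath "Enabled") -eq 1
    "VHDLocations points at the share"     = ((Get-ItemProperty $fslPath -ErrorAction SilentlyContinue).VHDLocations -join ";") -like "*$fqdn*"
    "AccessNetworkAsComputerObject = 1"    = (Get-RegDword $fslPath "AccessNetworkAsComputerObject") -eq 1
    # Step 4: outcomes of the credential injection script.
    "LoadCredKeyFromProfile = 1"           = (Get-RegDword "HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount" "LoadCredKeyFromProfile") -eq 1
    "LsaCfgFlags = 0"                      = (Get-RegDword "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" "LsaCfgFlags") -eq 0
    # Credential Guard only stops after a reboot; SecurityServicesRunning contains 1 while it is active.
    "Credential Guard not running"         = -not ((Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard).SecurityServicesRunning -contains 1)
    "Script removed from disk"             = -not (Test-Path "C:\Windows\Scripts\FSLogixFullEntra.ps1")
    # Azure Files SMB is TCP 445; the storage account network rules must allow this subnet.
    "TCP 445 to $fqdn reachable"           = (Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
}

# The stored credential belongs to SYSTEM, so an admin shell's cmdkey /list will not show it.
# Run this script as SYSTEM (e.g. psexec -s or a SYSTEM scheduled task) to cover the last two checks.
if ([Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    $checks["Stored credential for $fqdn (SYSTEM)"] = [bool]((cmdkey.exe /list) -match [regex]::Escape($fqdn))
    $checks["Share reachable as SYSTEM"]            = Test-Path $share
}

$checks.GetEnumerator() | ForEach-Object {
    "{0,-45} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "FAIL" })
}

# After a test sign-in, the newest FSLogix profile log should show the container being attached
# (and no access-denied errors against the share).
Get-ChildItem "C:\ProgramData\FSLogix\Logs\Profile" -Filter *.log -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content -Tail 40 | Select-String -Pattern "VHD|Attach|ERROR"
```

A "TCP 445 reachable" failure on a host that otherwise checks out usually means the storage account's network rules do not include the host's subnet, or the subnet lacks the Microsoft.Storage service endpoint; a "Share reachable as SYSTEM" failure with 445 open points at the stored credential (wrong username format, rotated key, or Credential Guard still running before the reboot).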
Conclusion
Setting up FSLogix with Microsoft Entra ID and Nerdio in a cloud-only AVD environment might sound daunting, but with the right approach it is manageable and scalable. By automating the credential injection and using Nerdio for host management, you get a streamlined deployment that supports persistent user profiles without any on-premises dependency; keep the storage account locked to the AVD network and the access key tightly controlled, because that key is what the whole design rests on.
Whether you're managing a small team or scaling enterprise-wide, this configuration improves performance and user experience across your Azure Virtual Desktop infrastructure.
If you want to know more about Nerdio or seek to improve the efficiency of your organisation through the use of Nerdio, please contact Fabs Solutions.