Excluding Users from FSLogix for Intune Managed AVD

This blog post is about excluding users from FSLogix on Intune-only managed AVD. I got a question about this via a comment on another post, which covers how to configure FSLogix for Entra joined AVD hosts and also explains how to set NTFS permissions on a storage account that is not domain-joined.

After that, the next challenge appeared. How do you exclude users from FSLogix when you don't have GPOs? FSLogix decides who gets a container from membership of two local groups it creates at install time, "FSLogix Profile Exclude List" and "FSLogix ODFC Exclude List", and in a domain those groups are normally filled with Group Policy.

The local user group membership profile in Intune does not work on an AVD multi-session OS.

So, how about remediations? Remediations do work on an AVD multi-session OS.

Remediations work. For now, the scripts only support local accounts. I exclude the LAPS account configured via Intune; that is the account I use to log on to the machines, and excluding it means FSLogix does not create or attach a profile container for it. Because adding a member to a local group requires elevation, assign the script package to run in the system context (not with the logged-on user's credentials).

So, this is the script for detection. It exits with code 1 when the account is missing from either group, which tells Intune to run the remediation; exit code 0 means the device is compliant:

Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\FSLogixExclude_Detect.log" -Append

# The two local groups FSLogix creates at install time. Members of these
# groups get no Office (ODFC) container and no Profile container.
$Groups = @(
    "FSLogix ODFC Exclude List"
    "FSLogix Profile Exclude List"
)

# Local account to keep out of FSLogix, for example the Intune-managed LAPS account.
$AdminToExclude = "YourAdminUser"

$Count = 0

foreach ($Group in $Groups){

    Write-Output "Checking group $Group"

    # net localgroup prints header lines, a line of dashes, one member per line,
    # "The command completed successfully." and a trailing blank line. The slice
    # below keeps only the member lines (index 6 up to the third line from the end).
    $Query = net localgroup $($Group)

    $Members = $Query[6..($Query.Length-3)]

    if ($Members -notcontains $AdminToExclude) {
        Write-Output "User: $AdminToExclude is not a member, adding to count"
        $Count++
    }

}

if ($Count -ge 1) {
    Write-Output "User: $AdminToExclude needs to be added to the exclude groups"
    Stop-Transcript
    # Exit code 1 = issue found; Intune runs the remediation script.
    Exit 1
}
else {
    Write-Output "User: $AdminToExclude is already a member of both groups"
    Stop-Transcript
    # Exit code 0 = compliant, nothing to remediate.
    Exit 0
}

And this is the script for remediation. It adds the account to whichever of the two groups it is missing from:

Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\FSLogixExclude_Remediate.log" -Append

# Same two FSLogix exclude groups as in the detection script.
$Groups = @(
    "FSLogix ODFC Exclude List"
    "FSLogix Profile Exclude List"
)

$AdminToExclude = "YourAdminUser"

foreach ($Group in $Groups){

    Write-Output "Checking group $Group"

    # Same parsing as the detection script: keep only the member lines of the
    # net localgroup output.
    $Query = net localgroup $($Group)

    $Members = $Query[6..($Query.Length-3)]

    if ($Members -notcontains $AdminToExclude) {
        Write-Output "User: $AdminToExclude is not a member, adding to group"

        # Requires elevation; the remediation runs as SYSTEM.
        net localgroup $Group $AdminToExclude /add

        if ($LASTEXITCODE -ne 0) {
            Write-Output "Adding $AdminToExclude to $Group failed (net exit code $LASTEXITCODE)"
        }
    }

}

Stop-Transcript
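The two scripts above slice the net localgroup output with fixed indexes ($Query[6..($Query.Length-3)]). That works for the standard layout, but it does not tell you when the group is missing (FSLogix not installed), and because a PowerShell range such as 6..5 counts down, an empty group yields the status line and the dash line as "members" (harmless here, since the account is still not among them). Below is an added example, not one of the post's scripts, that parses the output by its structure (everything after the dash line except the final status line is a member, which also makes it independent of the OS language), reports a missing group as a finding, handles several accounts, and serves as both detection and remediation from a single file. The function names, the svc-backup name in the constructed sample output and the $RemediateMode variable are this example's own; the group names are the ones FSLogix creates at install time and YourAdminUser is the placeholder from the post.

```powershell
# Added example (not the post's scripts): structure-based parsing of `net localgroup`
# output plus a combined detect/remediate pass for the FSLogix exclude groups.

function ConvertFrom-NetLocalGroupOutput {
    # Takes the lines printed by `net localgroup <group>` and returns the member names.
    # Layout: header lines, a line of dashes, one member per line, a status line
    # ("The command completed successfully." or its localized equivalent) and usually
    # a trailing blank line. Everything after the dashes except the status line is a
    # member, so an empty group yields an empty list and no fixed offsets are needed.
    param([string[]]$Lines)

    $body = New-Object 'System.Collections.Generic.List[string]'
    $seenSeparator = $false
    foreach ($line in $Lines) {
        if (-not $seenSeparator) {
            if ($line -match '^-{10,}\s*$') { $seenSeparator = $true }
            continue
        }
        $body.Add($line.Trim())
    }
    if (-not $seenSeparator) { return ,[string[]]@() }            # not the expected layout

    while ($body.Count -gt 0 -and $body[$body.Count - 1] -eq '') { $body.RemoveAt($body.Count - 1) }
    if ($body.Count -gt 0) { $body.RemoveAt($body.Count - 1) }    # drop the status line
    return ,[string[]]@($body | Where-Object { $_ -ne '' })
}

function Get-NetLocalGroupMember {
    # Returns the member names of a local group, or $null when net.exe reports an
    # error (typically: the group does not exist because FSLogix is not installed).
    param([string]$Group)

    $output = @(& net.exe localgroup "$Group")
    if ($LASTEXITCODE -ne 0) { return $null }
    return ,[string[]](ConvertFrom-NetLocalGroupOutput -Lines $output)
}

function Test-FSLogixExcludeMembership {
    # Returns one line per problem found. With -Remediate, missing memberships are
    # added and only the ones that could not be fixed are returned.
    param(
        [string[]]$Accounts,
        [string[]]$Groups = @('FSLogix Profile Exclude List', 'FSLogix ODFC Exclude List'),
        [switch]$Remediate
    )

    $problems = New-Object 'System.Collections.Generic.List[string]'
    foreach ($group in $Groups) {
        $members = Get-NetLocalGroupMember -Group $group
        if ($null -eq $members) {
            $problems.Add("group '$group' not found (is FSLogix installed?)")
            continue
        }
        foreach ($account in $Accounts) {
            if ($members -contains $account) { continue }      # case-insensitive, like Windows account names
            if (-not $Remediate) {
                $problems.Add("'$account' is not a member of '$group'")
                continue
            }
            & net.exe localgroup "$group" "$account" /add | Out-Null   # needs elevation (SYSTEM context)
            if ($LASTEXITCODE -ne 0) {
                $problems.Add("could not add '$account' to '$group' (net exit code $LASTEXITCODE)")
            }
        }
    }
    return ,$problems.ToArray()
}

# Constructed sample of net localgroup output (not captured from a real host) so the
# parser can be checked offline; the empty-group variant simply has no member lines.
$sample = @(
    'Alias name     FSLogix Profile Exclude List',
    'Comment        (constructed sample)',
    '',
    'Members',
    '',
    '-------------------------------------------------------------------------------',
    'YourAdminUser',
    'svc-backup',
    'The command completed successfully.',
    ''
)
$parsed = ConvertFrom-NetLocalGroupOutput -Lines $sample
if (($parsed -join ',') -ne 'YourAdminUser,svc-backup') { throw 'parser self-check failed' }
$emptyGroup = $sample[0..5] + $sample[8..9]
if ((ConvertFrom-NetLocalGroupOutput -Lines $emptyGroup).Count -ne 0) { throw 'empty-group self-check failed' }

# One file for both Intune scripts: $false in the detection copy, $true in the remediation copy.
$RemediateMode = $false
$problems = @(Test-FSLogixExcludeMembership -Accounts @('YourAdminUser') -Remediate:$RemediateMode)
if ($problems.Count -eq 0) { Write-Output 'All accounts are in both FSLogix exclude groups' }
$problems | ForEach-Object { Write-Output $_ }

# Exit 1 = issue found (detection: Intune runs the remediation; remediation: it did not succeed).
if ($problems.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it as a script file, since it ends with exit, and add the Start-Transcript/Stop-Transcript lines from the post if you want the same log files. The membership change only takes effect the next time the account signs in, because FSLogix evaluates the exclude groups at logon.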

I also put the scripts on GitHub. If I change them in the future, you can find the latest version here:

Detect Script

Remediate Script

The scripts create a transcript in the Intune Management Extension log folder in ProgramData ($env:ProgramData\Microsoft\IntuneManagementExtension\Logs), next to the agent's own logs.

The log shows whether the account was added or not.

After that, when you open Computer Management (Local Users and Groups > Groups), you see the excluded account as a member of both exclude groups.

And that is how to exclude users from FSLogix for Intune Managed AVD!

6 thoughts on “Excluding Users from FSLogix for Intune Managed AVD”

    • Hi Oliver,

      You can also wrap the remediation script in a Win32App. Then SMB customers can also use this script. It is a lot more finicky, so to speak.

      Regards,
      Niels

  1. Hi Niels

    Did you build an AVD solution that has 4k users, multiple host pools and FSLogix?

    My question is: how many storage accounts and Azure Files shares did you use for that, if the requirement is that a user could have access to multiple host pools in different resource groups?

    • Hi David,

      I did, but I can’t see how the desktop resolution is a factor in the FSLogix profiles? Could you elaborate on that?

      It depends on the number of users you have and what applications they are using. If you have a large number of concurrent users (1500+) you could use multiple storage accounts to share the load. You could also choose to use Profile and Office containers on different storage accounts. This option is only if it is explicitly needed to use the Office container. Normally, I don’t deploy the Office container in FSLogix.

      Hope this helps!
      Niels

  2. Hi, thanks for the script.

    I would like to include only an Azure group in FSLogix. Do you have anything I could sample from if I want to use it to enable only a group?

