Excluding Users from FSLogix for Intune Managed AVD

This blog post is about excluding users from FSLogix on Intune-only managed AVD hosts. I got a question about this via a comment on another post. That post is about how to configure FSLogix for Entra joined AVD hosts, and it also explains how to set NTFS permissions on a storage account that is not domain-joined.

After that, the next challenge appeared: how do you exclude users from FSLogix when you don't have GPOs?

The local group membership profile in Intune doesn't work on an AVD multi-session OS.

So, how about remediations? Remediations do work on an AVD multi-session OS.

Remediations work! For now, the scripts only support local accounts. I exclude the LAPS account configured via Intune, which is the account I use to log on to the machines.

So, this is the script for detection:

Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\FSLogixExclude_Detect.log" -Append

# Both FSLogix exclude groups; a user must be in both to be fully excluded
$Groups = @(
    "FSLogix ODFC Exclude List"
    "FSLogix Profile Exclude List"
)

# Local account to exclude (for example the Intune-managed LAPS account)
$AdminToExclude = "YourAdminUser"

$Count = 0

foreach ($Group in $Groups){

    Write-Output "Checking group $Group"

    $Query = net localgroup $($Group)

    # Skip the header lines and the trailing "The command completed successfully." line,
    # leaving only the member names
    $Members = $Query[6..($Query.Length-3)]

    if ($Members -notcontains $AdminToExclude) {
        Write-Output "User: $AdminToExclude is not member, adding to count"
        $Count++
    }

}

# Exit 1 tells Intune the host is non-compliant, which triggers the remediation script
if ($Count -ge 1) {
    Write-Output "User: $AdminToExclude needs to be added to the exclude groups"
    Exit 1
}
else {
    Write-Output "User: $AdminToExclude is already member of both groups"
}

Stop-Transcript

And, this is the script for remediation:

Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\FSLogixExclude_Remediate.log" -Append

$Groups = @(
    "FSLogix ODFC Exclude List"
    "FSLogix Profile Exclude List"
)

# Local account to exclude (must match the value in the detection script)
$AdminToExclude = "YourAdminUser"

foreach ($Group in $Groups){

    Write-Output "Checking group $Group"

    $Query = net localgroup $($Group)

    # Same slicing as the detection script: keep only the member names
    $Members = $Query[6..($Query.Length-3)]

    if ($Members -notcontains $AdminToExclude) {
        Write-Output "User: $AdminToExclude is not member, adding to group"

        # Only add when missing, so the script is safe to run repeatedly
        net localgroup $Group $AdminToExclude /add

    }

}

Stop-Transcript
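The scripts above slice the output of `net localgroup` by line position, which depends on the OS display language and on the command's output layout. As an added example (not the author's script), here is the same detection and remediation logic using the LocalAccounts cmdlets, with one script body serving both Intune scripts: `$Remediate` stays `$false` in the detection script and is set to `$true` in the remediation script. The group names are the ones from the post; `YourAdminUser` is a placeholder for the local account to exclude.

```powershell
# Added example: detect/remediate FSLogix exclude-group membership without parsing
# 'net localgroup' output. Intune runs these scripts without arguments, so the mode
# is a variable: $false for the detection script, $true for the remediation script.
$Remediate = $false

$Groups = @(
    "FSLogix ODFC Exclude List"
    "FSLogix Profile Exclude List"
)

# Placeholder: the local account (for example the Intune-managed LAPS account) to exclude
$AdminToExclude = "YourAdminUser"

try {
    # Collect the groups the account is missing from. Get-LocalGroupMember reports
    # local accounts as COMPUTERNAME\user, so compare on the part after the backslash.
    $Missing = foreach ($Group in $Groups) {
        $Members = Get-LocalGroupMember -Group $Group -ErrorAction Stop |
            ForEach-Object { ($_.Name -split '\\')[-1] }
        if ($Members -notcontains $AdminToExclude) { $Group }
    }
}
catch {
    # Fail closed: if membership cannot be read, report non-compliant rather than
    # silently claiming the account is excluded.
    Write-Output "Could not read group membership: $($_.Exception.Message)"
    exit 1
}

if (-not $Missing) {
    Write-Output "$AdminToExclude is already a member of both groups"
    exit 0
}

if (-not $Remediate) {
    # Detection mode: exit 1 marks the host non-compliant and triggers remediation
    Write-Output "$AdminToExclude is missing from: $($Missing -join ', ')"
    exit 1
}

# Remediation mode: only touch the groups the account is actually missing from
foreach ($Group in $Missing) {
    Add-LocalGroupMember -Group $Group -Member $AdminToExclude -ErrorAction Stop
    Write-Output "Added $AdminToExclude to $Group"
}
exit 0
```

Because the comparison is on names returned by the cmdlet rather than on output positions, the check behaves the same on hosts with a non-English display language.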

I also put the scripts on GitHub. If I change them in the future, you can find the latest version here:

Detect Script

Remediate Script

The scripts create a transcript in the Intune Management Extension folder under ProgramData.

The log shows whether the account was added or not.

After that, when you open Computer Management, you see the excluded account in both groups.

And that is how to exclude users from FSLogix for Intune managed AVD!

2 thoughts on “Excluding Users from FSLogix for Intune Managed AVD”

    • Hi Oliver,

      You can also wrap the remediation script in a Win32App. Then also SMB customers can use this script. It is a lot more finicky so to speak.

      Regards,
      Niels

