This blog post is about excluding users from FSLogix on Intune-only managed AVD. I got a question about this via a comment on another post, which covers how to configure FSLogix for Entra-joined AVD hosts and how to set NTFS permissions on a storage account that is not domain-joined.
After that, the next challenge appeared: how do you exclude users from FSLogix when you don't have GPOs?
The local group membership profile in Intune doesn't work on an AVD multi-session OS.
So, how about remediations? Remediations do work on an AVD Multi Session OS.
Remediations work! For now, the scripts only support local accounts. I exclude the LAPS account configured via Intune, because that is the account I use to log on to the machines.
So, this is the detection script:
# Detection script: exit 1 when the account is missing from either exclude group,
# so that Intune runs the remediation script.
Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\FSLogixExclude_Detect.log" -Append

$Groups = @(
    "FSLogix ODFC Exclude List"
    "FSLogix Profile Exclude List"
)
$AdminToExclude = "YourAdminUser"
$Count = 0

foreach ($Group in $Groups) {
    Write-Output "Checking group $Group"
    # "net localgroup" prints 6 header lines, then one member per line,
    # then a status line and a blank line; slice out just the member names.
    $Query = net localgroup $Group
    $Members = $Query[6..($Query.Length-3)]
    if ($Members -notcontains $AdminToExclude) {
        Write-Output "User: $AdminToExclude is not a member, adding to count"
        $Count++
    }
}

if ($Count -ge 1) {
    Write-Output "User: $AdminToExclude needs to be added to the exclude groups"
    # close the transcript before exiting, otherwise the log is left open
    Stop-Transcript
    Exit 1
} else {
    Write-Output "User: $AdminToExclude is already a member of both groups"
}
Stop-Transcript
And this is the remediation script:
# Remediation script: add the account to each exclude group it is missing from.
Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\FSLogixExclude_Remediate.log" -Append

$Groups = @(
    "FSLogix ODFC Exclude List"
    "FSLogix Profile Exclude List"
)
$AdminToExclude = "YourAdminUser"

foreach ($Group in $Groups) {
    Write-Output "Checking group $Group"
    # same slicing as in the detection script: skip the header and status lines
    $Query = net localgroup $Group
    $Members = $Query[6..($Query.Length-3)]
    if ($Members -notcontains $AdminToExclude) {
        Write-Output "User: $AdminToExclude is not a member, adding to group"
        net localgroup $Group $AdminToExclude /add
    }
}
Stop-Transcript
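The two scripts above slice the `net localgroup` output at fixed line offsets, which breaks when a group is empty (the range runs backwards into the header) or when the output layout differs. As an added example, not one of the post's scripts, here is a single script body that serves as both detection and remediation and parses the member list from the dashed separator instead. Intune remediations take no parameters, so you upload two copies and set `$Remediate = $true` in the remediation copy. The group names are the FSLogix defaults from the post; `YourAdminUser` is a placeholder for the local (for example LAPS) account you want excluded, and `Get-NetLocalGroupMember` is a helper defined here, not an FSLogix or Intune API.

```powershell
# Added example, not the post's own scripts: one script body that serves as both
# the Intune detection and the remediation script. Intune remediations take no
# parameters, so upload two copies and set $Remediate = $true in the remediation copy.
# "YourAdminUser" is a placeholder for the local (e.g. LAPS) account to exclude.

$Remediate      = $false            # $true in the copy uploaded as the remediation script
$AdminToExclude = "YourAdminUser"   # placeholder: local account name, no domain prefix
$Groups         = @(
    "FSLogix ODFC Exclude List",
    "FSLogix Profile Exclude List"
)
$Mode    = if ($Remediate) { "Remediate" } else { "Detect" }
$LogPath = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\FSLogixExclude_$Mode.log"

function Get-NetLocalGroupMember {
    # Parses "net localgroup <name>" without relying on fixed line offsets.
    # Output layout: header lines, a dashed separator, one member per line,
    # then a status line ("The command completed successfully."). Taking
    # everything after the separator and dropping the last non-empty line
    # works for empty groups and for localized status text.
    param([Parameter(Mandatory)][string]$GroupName)

    $lines = @(net.exe localgroup $GroupName 2>$null)
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup '$GroupName' failed with exit code $LASTEXITCODE (group missing or FSLogix not installed?)"
    }

    $sep = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^-{10,}\s*$') { $sep = $i; break }
    }
    if ($sep -lt 0 -or $sep -ge $lines.Count - 1) {
        throw "Unexpected output from net localgroup '$GroupName'"
    }

    $body = @($lines[($sep + 1)..($lines.Count - 1)] |
              ForEach-Object { $_.Trim() } |
              Where-Object { $_ })
    if ($body.Count -le 1) { return @() }          # only the status line: empty group
    return @($body[0..($body.Count - 2)])          # drop the status line
}

Start-Transcript -Path $LogPath -Append
try {
    $missing = @()
    foreach ($group in $Groups) {
        $members = Get-NetLocalGroupMember -GroupName $group
        # -contains compares strings case-insensitively, matching how Windows treats account names.
        # Domain or Entra members are listed as "DOMAIN\name", so this only matches local accounts.
        if ($members -contains $AdminToExclude) {
            Write-Output "$AdminToExclude is already a member of '$group'"
            continue
        }
        $missing += $group
        if ($Remediate) {
            Write-Output "Adding $AdminToExclude to '$group'"
            net.exe localgroup $group $AdminToExclude /add | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Failed to add $AdminToExclude to '$group' (exit code $LASTEXITCODE)" }
        } else {
            Write-Output "$AdminToExclude is missing from '$group'"
        }
    }
    $exitCode = if ($missing.Count -gt 0 -and -not $Remediate) { 1 } else { 0 }
}
catch {
    Write-Output "ERROR: $_"
    $exitCode = 1
}
finally {
    Stop-Transcript
}
# Detection: 1 = non-compliant (Intune runs the remediation), 0 = compliant.
# Remediation: 0 = fixed; a thrown error yields 1 so the failure shows in the Intune report.
exit $exitCode
```

Because the script throws instead of silently adding nothing when `net localgroup` fails (for example when FSLogix is not installed and the groups do not exist), a broken host shows up as a failed remediation in the Intune report rather than as compliant.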
I also put the scripts on Github. If I change them in the future, you can find the latest version here:
Detect Script
Remediate Script
The scripts write a transcript to the Intune Management Extension Logs folder under ProgramData.
The log shows whether the account was added or not.
After that, when you open Computer Management, you see the excluded account in both groups.
And that is how you exclude users from FSLogix for Intune-managed AVD!
And a true challenge for SMB customers that don't have access to remediations 🙁
Hi Oliver,
You can also wrap the remediation script in a Win32 app. Then SMB customers can also use this script. It is a lot more finicky, so to speak.
Regards,
Niels
Hi Niels
Did you build an AVD solution that has 4k users across multiple host pools and FSLogix?
My question is how many storage accounts and Azure Files shares did you use for that, if the requirement is that a user could have access to multiple host pools in different resource groups?
Hi David,
I did, but I can’t see how the desktop resolution is a factor in the FSLogix profiles? Could you elaborate on that?
It depends on the number of users you have and what applications they are using. If you have a large number of concurrent users (1500+) you could use multiple storage accounts to share the load. You could also choose to use Profile and Office containers on different storage accounts. This option is only if it is explicitly needed to use the Office container. Normally, I don’t deploy the Office container in FSLogix.
Hope this helps!
Niels
Hi, thanks for the script.
I would like to include only an Azure group in FSLogix. Do you have anything I could sample from if I want to use it to enable only a group?
Hi Ayo,
I don’t know if that is possible. Unfortunately, I don’t have an example at the moment.
Kind regards,
Niels