This blog post is about excluding users from FSLogix on Intune-only managed AVD. The question came up in a comment on another post, which covers how to configure FSLogix for Entra-joined AVD hosts and also explains how to set NTFS permissions on a storage account that is not domain-joined.
After that, the next challenge appeared: how do you exclude users from FSLogix when you don't have GPOs? FSLogix applies exclusions through membership of the local groups it creates at install time (FSLogix Profile Exclude List and FSLogix ODFC Exclude List), and in a domain those groups are normally populated by Group Policy.
The local user group membership profile in Intune does not work on an AVD multi-session OS.
So, how about remediations? Remediations do work on an AVD multi-session OS.
Remediations work! For now, the scripts only support local accounts. I exclude the LAPS account configured via Intune, which is the account I use to log on to the machines.
So, this is the script for detection:
```powershell
Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\FSLogixExclude_Detect.log" -Append

# FSLogix creates these local groups at install time; membership disables the
# profile / ODFC container for that account.
$Groups = @(
    "FSLogix ODFC Exclude List"
    "FSLogix Profile Exclude List"
)
$AdminToExclude = "YourAdminUser"   # local account to exclude, e.g. the Intune LAPS account
$Count = 0

foreach ($Group in $Groups) {
    Write-Output "Checking group $Group"
    # 'net localgroup' prints a fixed header (alias, comment, blank, Members, blank, dashes),
    # then one member per line, then "The command completed successfully." and a blank line.
    # Slicing [6..(Length-3)] keeps only the member lines; this relies on that fixed layout.
    $Query = net localgroup "$Group"
    $Members = $Query[6..($Query.Length - 3)]
    if ($Members -notcontains $AdminToExclude) {
        Write-Output "User: $AdminToExclude is not member, adding to count"
        $Count++
    }
}

if ($Count -ge 1) {
    Write-Output "User: $AdminToExclude needs to be added to the exclude groups"
    Stop-Transcript
    Exit 1    # non-zero exit = non-compliant, so Intune runs the remediation script
}
else {
    Write-Output "User: $AdminToExclude is already member of both groups"
}
Stop-Transcript
Exit 0
```
And, this is the script for remediation:
```powershell
Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\FSLogixExclude_Remediate.log" -Append

# Same groups as in the detection script.
$Groups = @(
    "FSLogix ODFC Exclude List"
    "FSLogix Profile Exclude List"
)
$AdminToExclude = "YourAdminUser"   # must match the detection script

foreach ($Group in $Groups) {
    Write-Output "Checking group $Group"
    # Same fixed-layout parsing of 'net localgroup' output as in the detection script.
    $Query = net localgroup "$Group"
    $Members = $Query[6..($Query.Length - 3)]
    if ($Members -notcontains $AdminToExclude) {
        Write-Output "User: $AdminToExclude is not member, adding to group"
        net localgroup "$Group" $AdminToExclude /add
    }
}

Stop-Transcript
```
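As an added example (my own variant, not the post's scripts and not taken from the linked GitHub repo), here is a single script that does the same job without parsing the localized, fixed-layout output of net localgroup: it reads and changes membership through the ADSI WinNT provider, handles the case where FSLogix is not installed yet (the groups do not exist), and can exclude several local accounts at once. The -Remediate switch, the account names, and the Windows LAPS registry lookup are assumptions for the example: the value AdministratorAccountName under HKLM:\SOFTWARE\Microsoft\Policies\LAPS is read when present, otherwise only the hard-coded list is used. Deploy the same file twice in Intune, once as-is for detection and once with -Remediate for remediation.

```powershell
<#
Added example, not the post's own scripts: FSLogix exclude-group handling via the
ADSI WinNT provider instead of parsing 'net localgroup' output.
Detection: run as-is (exit 1 = non-compliant). Remediation: run with -Remediate.
#>
param(
    [switch]$Remediate,
    # Local accounts to exclude; the name is an assumption for the example.
    [string[]]$Accounts = @('YourAdminUser')
)

# FSLogix creates these groups at install time; membership disables the containers.
$Groups = @('FSLogix Profile Exclude List', 'FSLogix ODFC Exclude List')

# Assumption: Windows LAPS managed through Intune stores its policy under this key.
# If an account name is configured, add it so the LAPS account never gets a container.
$LapsPolicy  = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$LapsAccount = (Get-ItemProperty -Path $LapsPolicy -Name AdministratorAccountName -ErrorAction SilentlyContinue).AdministratorAccountName
if ($LapsAccount) { $Accounts += $LapsAccount }
$Accounts = $Accounts | Select-Object -Unique

function Get-LocalGroupMemberName {
    # Returns the member names of a local group via WinNT, which also works on
    # Entra-joined hosts where Get-LocalGroupMember can fail on unresolvable SIDs.
    param([string]$GroupName)
    $Group = [ADSI]"WinNT://./$GroupName,group"
    @($Group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Add-LocalGroupMemberName {
    # Adds a local user account to a local group via WinNT; throws if the user does not exist.
    param([string]$GroupName, [string]$UserName)
    $Group = [ADSI]"WinNT://./$GroupName,group"
    $Group.Add("WinNT://./$UserName,user")
}

$LogDir = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs"
$Mode   = if ($Remediate) { 'Remediate' } else { 'Detect' }
Start-Transcript -Path "$LogDir\FSLogixExclude_$Mode.log" -Append

$Missing = @()   # (group, account) pairs that are still not in place
try {
    foreach ($GroupName in $Groups) {
        if (-not [ADSI]::Exists("WinNT://./$GroupName,group")) {
            # FSLogix not installed (yet): report non-compliant so the check runs again
            # after the agent lands, instead of failing the whole script with an exception.
            Write-Output "Group '$GroupName' does not exist, is FSLogix installed?"
            $Missing += [pscustomobject]@{ Group = $GroupName; Account = '*' }
            continue
        }
        $Members = Get-LocalGroupMemberName -GroupName $GroupName
        foreach ($Account in $Accounts) {
            if ($Members -contains $Account) {   # -contains compares case-insensitively
                Write-Output "$Account is already a member of '$GroupName'"
                continue
            }
            if (-not $Remediate) {
                Write-Output "$Account is not a member of '$GroupName'"
                $Missing += [pscustomobject]@{ Group = $GroupName; Account = $Account }
                continue
            }
            try {
                Write-Output "Adding $Account to '$GroupName'"
                Add-LocalGroupMemberName -GroupName $GroupName -UserName $Account
            }
            catch {
                # Typically the local account does not exist on this host; keep going
                # for the other accounts/groups and report failure at the end.
                Write-Output "Failed to add $Account to '$GroupName': $_"
                $Missing += [pscustomobject]@{ Group = $GroupName; Account = $Account }
            }
        }
    }
}
finally {
    Stop-Transcript
}

# Detection: any gap is non-compliant (exit 1) so Intune runs the remediation.
# Remediation: any failure exits 1 so the run shows as failed instead of fixed.
if ($Missing.Count -gt 0) { Exit 1 } else { Exit 0 }
```

The WinNT provider is used on purpose: net localgroup output differs per language pack and its header line count is what the slice [6..(Length-3)] depends on, and the Microsoft.PowerShell.LocalAccounts cmdlets can fail on Entra-joined hosts when a group holds a member whose SID cannot be resolved. Like the post's scripts, this only covers local accounts.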
I also put the scripts on GitHub. If I change them in the future, you can find the latest version here:
Detect Script
Remediate Script
The scripts create a transcript in the Intune Management Extension log folder under ProgramData (the same folder the Intune agent logs to), so you can read it alongside the other Intune logs.
The log shows whether the account was added or not.
After that, when you open Computer Management, you see the excluded account in both FSLogix exclude groups.
And that is how to exclude users from FSLogix on Intune-managed AVD!
And a true challenge for SMB customers that don't have access to remediations 🙁
Hi Oliver,
You can also wrap the remediation script in a Win32 app. Then SMB customers can also use this script. It is a lot more finicky, so to speak.
Regards,
Niels