Application Management and Patching
Elevating FSlogix App Masking in AVD with Liquit
Overview of FSLogix App Masking with Microsoft Entra
I really appreciate the FSLogix App Masking feature within the Microsoft FSLogix suite, which works exceptionally well on Azure Virtual Desktop (AVD) session hosts when integrated with Microsoft Entra. But what happens if they are combined with Microsoft Entra alone?
Given that FSLogix has some App Masking limitations, such as the inability to use Microsoft Entra groups when session hosts are joined to Microsoft Entra only, what are the available options? This blog will explain how to use FSLogix App Masking and Microsoft Entra groups with AVD session hosts that are joined to Microsoft Entra only, utilizing Liquit’s capabilities. To do that, we’ll start with a brief overview of FSLogix App Masking.
Benefits of FSLogix App Masking with Microsoft Entra Integration
FSLogix App Masking allows you to tailor user experiences by hiding specific items—such as files, folders, registry keys, registry values, printers, or fonts—from individual users or user groups. It also gives you the flexibility to define registry values in a unique way for any users applying the “specify value” rule.
These rule sets can be conveniently assigned to users, groups, or other entities via the Rule Editor. You also have the option to test these rule sets on a test system before implementing them in a production environment. To use FSLogix App Masking, you will need:
- FSLogix Apps (Core Product) installed on the Azure Virtual Desktop Session hosts where the applications need to be masked.
- Rules created by the FSLogix Apps Rule Editor.
- To install the applications to be masked on the Azure Virtual Desktop Session hosts.
Liquit can handle this through automated deployment or as a Custom Script Extension. You have the green light to use FSLogix if you have the licenses mentioned in the following list:
- Microsoft 365 E3/E5
- Microsoft 365 A3/A5/ Student Use Benefits
- Microsoft 365 F1/F3
- Microsoft 365 Business
- Windows 10 Enterprise E3/E5
- Windows 10 Education A3/A5
- Windows 10 VDA per user
- Remote Desktop Services (RDS) Client Access License (CAL)
- Remote Desktop Services (RDS) Subscriber Access License (SAL)
- Azure Virtual Desktop per-user access license
In the Azure Marketplace, Windows 10 and 11 multi-session SKUs come with the FSLogix agent pre-installed by default. This eliminates the need to go through the process of installing or updating FSLogix on virtual machines, allowing you to immediately benefit from its excellent features.
FSLogix is now synchronized with Windows and follows the Microsoft “Patch Tuesday” release schedule. That means whenever a new version of FSLogix becomes available, it will be released on the same day as Windows updates. As a result, the Azure Marketplace images for Windows multi-session will consistently feature the most up-to-date version of FSLogix.
Of course, it is still an option to use FSLogix App Masking in other Windows 10, 11 or Server SKU(s). FSLogix must be installed manually on the session host virtual machines (VMs) or as part of an automated deployment or golden image. The latest version of FSLogix can be downloaded via the following link https://aka.ms/fslogix_download.
An even better option would be the Liquit agent installation as part of Infrastructure-as-Code (IaC), which involves automating the provisioning and configuration of the Liquit agent on infrastructure resources. Liquit can then ensure application sets are installed with all necessary settings and the latest available version with one Liquit deployment. There are many ways Liquit can help your organization and bring advantages to your image processing strategy, which I described in this previous blogs.
Enhancing PDF Processing with FSLogix App Masking and Microsoft Integration
By default, Foxit PDF Reader will be made available to all users for opening PDF files. But some select groups will prefer a different application such as Adobe Acrobat Reader DC.
The first step is to create a rule using the FSLogix Apps Rule Editor installed on a Test VM. If a user is a member of a Microsoft Entra Security Group, these rule sets will make use of environment variables that we can create with Liquit Workspace.
The second step involves uploading the rule sets to Liquit Workspace and using them in a Liquit Deployment to make them available on Azure Virtual Desktop session hosts.
The third step is to create two Liquit packages for the FSLogix App Masking of Adobe Acrobat Reader and Foxit PDF Reader. This will be executed at Liquit Logon with a Filter on the Action set that will check if environment variables exist. There is also a filter on the package that will check if the user is a Microsoft Entra security group member.
Adobe Acrobat Reader DC
Actions:
Filter on Action:
Filters:
Foxit PDF Reader
Actions:
Filter on Action:
Filters:
Lastly, we make the right PDF Viewer available in the Liquit Workspace and settings for the File Association (User Based) for .PDF based on the membership of the Security group. The File Association will be set at Liquit Logon.
Adobe Acrobat Reader DC
Foxit PDF Reader
How Does the Result Look?
Below is a short demo to show how it looks when different users login on a multi-session host.
Step-by-Step Guide: Configuring FSLogix App Masking with Microsoft Entra
With this solution in place, the IT department can overcome the FSLogix limitation of not supporting Microsoft Entra groups when session hosts are joined to Microsoft Entra only. This approach is what we call Elevating FSLogix App Masking in AVD with a Liquit touch.
To learn more about how you Elevate FSlogix App Masking in AVD with Liquit, reach out to one of our official Liquit partners here.