Share via

Deploy a Windows base VMSS that connects each VM to an Azure Files share

Hrishikesh Joshi 21 Reputation points
2025-06-16T15:09:04.68+00:00

Scenario:

We have created a PowerShell script that maps a drive letter (e.g., Z:) to an Azure File Share and stores the credentials using cmdkey.

This script runs perfectly when executed manually via RDP or through Task Scheduler set to "Run at Startup."

The script adds the storage account credentials to Windows Credential Manager, and the drive mapping works reliably after a reboot in manually configured environments.

Problem:

After generalizing the source VM with Sysprep, the Credential Manager data is wiped.

During VMSS scale-out, the newly created instances:

Do not map the drive on first boot.

  Have the Task Scheduler configured correctly, but it only maps the drive **after a manual restart** of the instance.
  
  We also tried using **Azure Custom Script Extension** and **VM Applications** to run the mapping script at startup, but:
  
     These extensions run under `NT AUTHORITY\SYSTEM`, which cannot store or retrieve credentials from the user context.
     
        As a result, the script fails to access the Azure File Share.

Question:

What is the Microsoft-recommended way to persistently map an Azure File Share on Windows VMSS instances during or after scale-out, considering:

Sysprep wipes the Credential Manager.

  Scripts run under `SYSTEM` context via VM extensions.
  
  Are there best practices or alternate approaches (e.g., using Managed Identities, automation accounts, etc.) for securely and reliably mapping Azure File Shares in a VMSS environment?

Any guidance or examples would be greatly appreciated.

Thank you!

Azure Virtual Machine Scale Sets
Azure Virtual Machine Scale Sets
Azure compute resources that are used to create and manage groups of heterogeneous load-balanced virtual machines.
448 questions
Accepted answer
  1. Siva Pavuluri 490 Reputation points Microsoft External Staff Moderator
    2025-06-17T03:07:34.19+00:00

    Hi Hrishikesh Joshi,

    Microsoft recommends using Azure AD authentication and Managed Identities for secure and scalable access to Azure File Shares—especially in Virtual Machine Scale Set (VMSS) scenarios where credential persistence can be problematic.

    Azure Files supports Azure AD authentication, enabling access control based on Azure AD identities rather than relying on stored passwords or access keys.

    You can use either system-assigned or user-assigned Managed Identities with your VMSS instances to authenticate to Azure Files, eliminating the need to store credentials in the Windows Credential Manager. For detailed steps, refer to: Configure managed identities with scale sets

    Since Sysprep wipes Credential Manager data, it is recommended to automate the drive mapping process using a startup script that runs in the user context rather than under the SYSTEM account. You can do this by:

    • Deploying the script using Azure Custom Script Extension, ensuring it runs under a user account.
    • Using Task Scheduler to trigger the script at user login instead of at system startup.

    Please refer the below documents:
    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable
    https://learn.microsoft.com/en-us/samples/azure/azure-quickstart-templates/vmss-azure-files-linux/
    https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows

    If the answer is helpful, please click "Accept Answer" and "Upvote it" as it can be helpful to others in the community.

    Thank You.

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.