Merge pull request #228267 from Heidilohr/work-fileshare-bullet

v-stsavell · web-flow · commit a085127d5690 · 2023-03-22T16:41:14.000-05:00
Removing contradictory bullet point.
diff --git a/articles/virtual-desktop/app-attach-file-share.md b/articles/virtual-desktop/app-attach-file-share.md
@@ -1,16 +1,16 @@
 ---
-title: Create a file share for MSIX app attach
+title: Set up a file share for MSIX app attach
 titleSuffix: Azure Virtual Desktop
 description: How to set up a file share for MSIX app attach for Azure Virtual Desktop.
 author: Heidilohr
 ms.topic: how-to
-ms.date: 12/07/2022
+ms.date: 03/22/2023
 ms.author: helohr
 manager: femila
 ---
-# Create a file share for MSIX app attach
+# Set up a file share for MSIX app attach
 
-When a user in a host pool accesses MSIX images, they must be stored in a network share with read-only permissions. In the how-to, you'll learn the steps needed to set up a file share for MSIX app attach.
+For a user to access MSIX images, the images must be stored on a network share. In this article, you'll learn how to set up a file share for MSIX app attach.
 
 MSIX app attach doesn't have dependencies on the type of storage fabric the file share uses. The considerations for the MSIX app attach share are same as the considerations for an FSLogix share. To learn more about storage requirements, see [Storage options for FSLogix profile containers in Azure Virtual Desktop](store-fslogix-profile.md).
 
@@ -45,26 +45,27 @@ Here are some other things we recommend you do to optimize MSIX app attach perfo
    
     - `<MSIXAppAttachFileShare\>\*.VHD`
     - `<MSIXAppAttachFileShare\>\*.VHDX`
+    - `<MSIXAppAttachFileShare>.CIM`
+
+- If you're using Azure Files, exclude the following locations from antivirus scans:
+    
     - `\\storageaccount.file.core.windows.net\share*.VHD`
     - `\\storageaccount.file.core.windows.net\share*.VHDX`
-    - `<MSIXAppAttachFileShare>.CIM`
     - `\\storageaccount.file.core.windows.net\share**.CIM`
 
 - Separate the storage fabrics for MSIX app attach from FSLogix profile containers.
-- All VM system accounts and user accounts must have read-only permissions to access the file share.
 - Any disaster recovery plans for Azure Virtual Desktop must include replicating the MSIX app attach file share in your secondary failover location. To learn more about disaster recovery, see [Set up a business continuity and disaster recovery plan](disaster-recovery.md). You'll also need to ensure your file share path is accessible in the secondary location. You can use [Distributed File System (DFS) Namespaces](/windows-server/storage/dfs-namespaces/dfs-overview) to provide a single share name across different file shares. 
 
-## File share creation
+## Configure file share permissions when using Azure Files
 
-The setup process for MSIX app attach file share is largely the same as [the setup process for FSLogix profile file shares](create-host-pools-user-profile.md). However, you'll need to assign users different permissions. MSIX app attach requires read-only permissions to access the file share.
+The setup process for MSIX app attach file share is largely the same as [the setup process for FSLogix profile file shares](create-host-pools-user-profile.md). However, you'll need to assign different permissions. MSIX app attach requires read-only permissions using the computer account of each session host to access the file share.
 
-If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session hosts VMs both storage account role-based access permissions and file share New Technology File System (NTFS) permissions on the share.
+When you store your MSIX applications in Azure Files, you must assign all session host VMs both storage account role-based access permissions and file share New Technology File System (NTFS) permissions on the share.
 
 | Azure object                      | Required role                                     | Role function                                  |
 |-----------------------------------|--------------------------------------------------|-----------------------------------------------|
-| Session hosts (VM computer objects)| Storage File Data SMB Share Reader        | Allows for read access to Azure File Share over SMB  |
-| Admins on File Share              | Storage File Data SMB Share Elevated Contributor | Full control                                  |
-| Users on File Share               | Storage File Data SMB Share Contributor          | Read and Execute, Read, List folder contents  |
+| Session hosts (VM computer objects)| [Storage File Data SMB Share Reader](../role-based-access-control/built-in-roles.md#storage-file-data-smb-share-reader)        | Allows for read access to Azure File Share over SMB  |
+| Admins on File Share              | [Storage File Data SMB Share Elevated Contributor](../role-based-access-control/built-in-roles.md#storage-file-data-smb-share-elevated-contributor) | Allows for read, write, delete, and modify ACLs on files and directories in Azure File Shares                                  |
 
 To assign session hosts VMs permissions for the storage account and file share:
 
@@ -80,7 +81,7 @@ To assign session hosts VMs permissions for the storage account and file share:
 
 6. Join the storage account to AD DS by following the instructions in [Part one: enable AD DS authentication for your Azure file shares](../storage/files/storage-files-identity-ad-ds-enable.md#option-one-recommended-use-azfileshybrid-powershell-module).
 
-7. Assign the synced AD DS group the Storage File Data SMB Share Reader role on the storage account .
+7. Assign the synced AD DS group the Storage File Data SMB Share Reader role on the storage account.
 
 8. Mount the file share to any session host by following the instructions in [Part two: assign share-level permissions to an identity](../storage/files/storage-files-identity-ad-ds-assign-permissions.md).
 
