Forum Widgets
Latest Discussions
Problems with FSLogix 3.26 - W11 MU - 10 users per Vm
Scenario Overview We are documenting a recurring intermittent Denial of Service (DoS) regarding user profiles in an AVD multi-session environment using Azure Files Premium (SMB). The issue consistently surfaces after updating to the FSLogix 3.26 branch (v3.26.126.19110). Root Cause Analysis (Failure Logs) Through deep log analysis, we identified a "driver poisoning" pattern unique to version 3.26: SMB/Kerberos Handshake Sensitivity: Under varying storage response times (latency spikes of ~350ms vs. the usual ~40ms), version 3.26 triggers an intermittent 1326 error (Logon failure: unknown user name or bad password). Driver Execution Flow Corruption: Unlike previous versions, after this initial network/authentication glitch, the 3.26 driver fails to release execution threads or volume handles properly. Catastrophic Failure (Error 267): The system attempts to access the SecuredProfileRegData path within the mounted VHDX, but the driver returns Event ID 26: "0x10b - The directory name is invalid". Unrecoverable "Zombie" State: Once Error 267 occurs, the VM becomes "poisoned." It blocks all subsequent login attempts and even prevents a clean uninstallation of the agent (MSI Error 0x80070643 due to files being "in use"), necessitating a full VM reboot or redeployment. Has anyone else been through this? My first step was to go back to Agent Version 2506 (2210 Hotfix 4) Evidence of Success with Version 2506 (2210 Hotfix 4) After performing a clean deployment and reverting to version 3.25.626.21064, metrics from April 24, 2026, show absolute stability on the same infrastructure: Consistent Logon Times: Average profile load time of 1.6 seconds across multiple concurrent users Storage Efficiency: FindFile response times remained stable between 39ms and 45ms, with the agent successfully retrying any momentary delays. Error Resilience: Unlike v3.26, if this version encounters an authentication glitch (e.g., on a local service account), it bypasses the error and remains functional, allowing domain users to log in without collateral blockages. Concurrency Support: Seamlessly managed over 20 simultaneously mounted volumes without pointer collisions or kernel hangs.Dynamic hostpool scaling not working
We have set up an AVD dynamic host pool for testing. The scaling plan properly ensures that a host is created when needed. However, the host is no longer removed even after the rampdown. We observe that the total sessions counter gets stuck. If I log in with a user and then log out properly, the current sessions in the host pool overview are updated quickly. But, if I then go to Manage, Session Hosts, the total sessions on that host remain at 1. Only when I put the host in drain mode are the actual sessions updated. Still hosts are not removed. Anyone seen this before?Dynamic hostpool sessions not updating
We have created a dynamic host pool in a test environment. We see that new hosts are being created based on the scaling plan. However, these are no longer being deleted. When we look at the status, we see that there are no active sessions, but when we zoom in on the session hosts, it shows that there is a session on two of the three hosts. The latter is incorrect, but it is likely the reason why scaling down is not taking place. Does anyone recognize this? Is there possibly a solution for this? Small addition: If I log in with a user and then log out properly, the current sessions in the host pool overview are updated quickly. However, if I then go to Manage, Session Hosts, the total sessions on that host remain at 1. When I now put the host in drinamode, only then are the actual sessions updated.
AVD Environment- FSLogix Profile Login Failure – Write Protected Error
Hi, We are currently facing an issue with FSLogix user profiles in our environment and would appreciate your assistance in identifying and resolving the problem. Issue Description: Users are unable to log in successfully, and we are encountering the following error message: "No Create access → The media is write protected." Environment Details: Session Hosts: Microsoft Entra joined Users: Hybrid identities Profile Storage: Azure File Share Authentication Method: Identity-based access using Microsoft Entra Kerberos Configuration Details: We have assigned the FSLogix user group the role "Storage File Data SMB Share Contributor" on the Azure file share. Registry entry for Kerberose Ticket is also created. NTFS permissions have been configured via Azure Portal (Manage Access), granting Modify permissions to the FSLogix profile users on the file share folder. We can see that user profiles and corresponding VHDX files are being created successfully during login attempts. Problem Statement: Despite the successful creation of profiles and VHDX files, users are still unable to log in, and the error mentioned above persists. We would like your guidance on: Possible causes for the "write protected" error despite correct role and NTFS permissions. Any additional configurations or validations required for FSLogix with Entra Kerberos authentication. Recommended troubleshooting steps or logs we should review to isolate the issue. Please let us know if you need any additional logs, screenshots, or configuration details from our end. Looking forward to your support. Best regards, Ravi YadavUninstalling Remote Desktop client closes users' Windows App connections
We have our users working from Windows App now to meet the 3/27 out of support date. We are beginning to uninstall the Remote Desktop from their laptops and are finding it closes active Windows App connections on uninstall (of Remote Desktop). That is less than ideal. Looking to see if any way around that, but wondered if others had seen the same?
Feature request: allow setting web client features from direct-launch-url
We use the "direct launch URL" feature of the AVD web client to deep link users to a session desktop (https://learn.microsoft.com/en-us/windows-app/direct-launch-urls?tabs=avd). One of the reason we use the web client is because we use AVD in exam halls on Chromebooks in kiosk-mode. The ChromeOS kiosk-mode only supports websites. Students are faced with a connection dialog in which they can toggle IME and Special Keys. The students have to enable IME, but since these are university-owned devices, they do not know and just click "Connect". We would like to be able to configure these client options automatically. For example, as query parameters in the direct-launch-url. Ideally, we would also skip the "Connect" dialog entirely and just go strait into the session once the direct-launch-url is loaded.
Azure Virtual Desktop(AVD) - Enable Cloud Kerberos for storage accounts question
I need to enable Cloud Kerberos for storage accounts used for AVD host pool. I am thinking of following the following instruction. Is that correct steps and is that all that is required?:- After enabling AADKERB on the storage account :- 1a. Find the AADKERB Service Principal Use Azure CLI to log into correct tenant az login –tenant <tenantName> 1b. Find the AADKERB Service Principal Look up by display name pattern az ad sp list --filter "startswith(displayName,'[Storage Account]')" --query "[?contains(displayName,'<storageAccountName>')].{id:id,appId:appId,name:displayName}" -o table 1c. Grant Admin Consent The AADKERB SP requires the following delegated permissions on Microsoft Graph: openid profile User.Read ← This is often overlooked but required Get the Microsoft Graph SP ID $graphSpId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].id" -o tsv) Get the AADKERB SP ID $aadkerbSpId=<from step 1a> Check existing grants az rest --method GET --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq '$aadkerbSpId' and resourceId eq '$graphSpId'" Create or update the grant az rest --method POST --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" --body "{ "clientId": "$aadkerbSpId", "consentType": "AllPrincipals", "resourceId": "$graphSpId", "scope": "openid profile User.Read" }"
Windows App - RDP channel crashes when printing on a redirected canon printer
Hey team, I would like to know, if anyone else struggles with the following scenario: A canon printer is installed on a local client. The user is working in the AVD environment. The printers are redirected into the AVD-Session via "printer redirect". Since the users are migrating to the new "Windows App", the AVD session breaks as soon as the user is printing on a redirected Canon-Printer. When printing on another printer, there is no issue. Also: With the "Microsoft-Remotedesktop" Application, everything works as it should. A Microsoft ticket is already raised. I would like to know if there are other environments, which are encountering the same issue.WindowsAppRuntime 1.4 Failures in AVD Multi-Session – Event ID 404 Production Case
We recently experienced a production issue in an Azure Virtual Desktop multi-session environment that initially looked random — but turned out to be a shared framework instability amplified by scale. Environment: AVD multi-session host pools FSLogix profile containers MSIX App Attach Intune-managed Clean golden image Everything looked healthy. Yet packaged applications started failing across multiple host pools. Symptoms observed Users reported: Error 0x80070005 AppXDeploymentServer Event ID 404 WindowsAppRuntime 1.4 marked as NeedsRemediation Failures persisted after: Reboots Host redeployments Image rebuild This was not: A profile corruption issue An App Attach packaging issue An Intune deployment failure What actually broke Under session churn conditions (logoff / new session / runtime re-validation), WindowsAppRuntime 1.4 entered a NeedsRemediation state. Event Viewer showed: AppXDeploymentServer Event ID 404 HRESULT 0x80070005 Runtime file creation failure under WindowsApps Multi-session did not cause the issue. It amplified it. Shared framework registration timing under concurrent sessions made a rare condition systemic. Why multi-session exposed it In single-session environments, runtime inconsistencies remain isolated. In multi-session: Shared framework dependencies are reused Concurrent validation occurs Host pools recycle under load Registration timing becomes critical What would be a rare edge case became recurring instability. Remediation approach Instead of periodic polling, we moved to event-driven self-healing. Detection trigger: AppXDeploymentServer Event ID 404 Remediation logic: Restart AppXSVC Re-provision WindowsAppRuntime 1.4 Prevent concurrent duplicate execution Log execution We implemented a Scheduled Task: Monitoring Operational log Triggering immediately on Event ID 404 Running under SYSTEM Deployed via Intune Win32 package Detection logic validating task presence This converted reactive troubleshooting into automated correction across host pools. Architectural takeaway Multi-session environments amplify shared dependency weaknesses. WindowsAppRuntime is not “just another component” — it is a platform dependency. If the runtime layer drifts, everything layered above it collapses: MSIX App Attach Packaged apps Registration consistency Self-healing must be part of AVD design. For the structured technical case study (including deployment pattern and remediation logic), full write-up here: https://modernendpoint.tech/avd-multi-session-failure-analysis/ Has anyone else observed WindowsAppRuntime 1.4 entering a NeedsRemediation state under multi-session load? Curious if others saw correlation with specific Windows updates. — Menahem Suissa Modern Endpoint Architect
