Forum Discussion
AVD Bicep deployment with AAD joined
Hi,
I’m trying to deploy AVD as AAD joined using Bicep, but it failed with the following error:
Any idea?
I followed the steps found at the following links to build most of my deployment.
Ref : https://rozemuller.com/avd-automation-cocktail-avd-with-bicep-and-azure-cli/
Ref: https://tighetec.co.uk/2021/07/07/deploy-azure-virtual-desktop-with-project-bicep/
And I made the following changes to make sure it is AAD joined:
- Create vm with systemAssigned identity,
- Add the vm dscExtension extension with addjoin = true,
- Add the vm AADLoginForWindows extension,
- Create the hostpool with the custom RDP property: targetisaadjoined:i:1
The deployment succeeds without any error.
When I log in to the rdweb client, I see my workspace and desktop session. Everything is fine so far!
However, when I start my session, I get the following error:
I did some investigation with the log analytics and found more info on the connection error :
“”” {"Code":-2147467259,"CodeSymbolic":"ConnectionFailedAdErrorNoSuchMember","Time":"2021-12-07T19:15:30.5520000Z", "Message":"Failed to add user = ≤AzureAD\\myemail@address.com≥ to group = Remote Desktop Users. Reason: Win32.ERROR_NO_SUCH_MEMBER","ServiceError":false,"Source":"RDAgent"}”””
How to fix that?
Some notes:
- my user has the Virtual Machine User Login role (at the subscription level)
- my user is assigned to the application group
- Session host seems good:
- If I execute the dsregcmd command on my vm, I get the following :
Note that I see the following error from the log:
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Device Name : vm-hsc001-vm-1
+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+
DeviceId : 03f9ab7d-bd7a-47ab-b007-3e79f4221544
Thumbprint : 7D61C32D0EA9F0894FA0641A8F58A5BFD5E8D0B8
DeviceCertificateValidity : [ 2021-11-29 19:31:13.000 UTC -- 2031-11-29 20:01:13.000 UTC ]
KeyContainerId : e503e151-aa77-4e99-8b50-73d9549ad6b0
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
DeviceAuthStatus : FAILED. Error:8007013d
- When I deploy my host pool manually without Bicep, the same user can log in to the desktop session without any error.
Any idea? Where should I look?
Thank you.
Regards,
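A small triage helper for the two pieces of evidence quoted in the post above (the dsregcmd device state and the RDAgent diagnostics record), added here as an example and not part of the original thread. It flags a host that reports AzureAdJoined : YES while DeviceAuthStatus is FAILED and decodes both HRESULT values; the function names and finding labels are hypothetical, and the sample input is constructed from the quoted output.

```python
import json
import re

# Constructed sample input, trimmed from the output quoted in the post.
DSREGCMD_SAMPLE = """\
AzureAdJoined : YES
DomainJoined : NO
TpmProtected : NO
DeviceAuthStatus : FAILED. Error:8007013d
"""
RDAGENT_SAMPLE = ('{"Code":-2147467259,'
                  '"CodeSymbolic":"ConnectionFailedAdErrorNoSuchMember","Source":"RDAgent"}')


def parse_dsregcmd(text):
    """Turn 'Key : Value' lines into a dict; banner and box lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w ]*?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def decode_hresult(value):
    """Split an HRESULT (signed int or hex string) into its standard bit fields."""
    hr = (int(value, 16) if isinstance(value, str) else value) & 0xFFFFFFFF
    return {"hex": f"0x{hr:08X}", "failure": bool(hr >> 31),
            "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}


def triage(dsreg_text, rdagent_json):
    """Return (label, hresult) findings correlating join state with the agent error."""
    dev = parse_dsregcmd(dsreg_text)
    err = json.loads(rdagent_json)
    findings = []
    auth = dev.get("DeviceAuthStatus", "")
    if dev.get("AzureAdJoined") == "YES" and auth.startswith("FAILED"):
        m = re.search(r"Error:\s*([0-9A-Fa-f]{8})", auth)
        hr = decode_hresult(m.group(1)) if m else {"hex": "unknown"}
        findings.append(("device-auth-failed-while-joined", hr["hex"]))
    if err.get("CodeSymbolic") == "ConnectionFailedAdErrorNoSuchMember":
        hr = decode_hresult(err["Code"])
        findings.append(("rdagent-no-such-member", hr["hex"]))
    return findings


if __name__ == "__main__":
    print(triage(DSREGCMD_SAMPLE, RDAGENT_SAMPLE))
```

Both findings together indicate a host whose join record exists but whose device identity does not authenticate, so the join state alone is not a sufficient health check for a session host.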
- Johan_Vanneuville (Iron Contributor)
MFA could be causing this.
Check this link: https://docs.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm
- Vincent_Lapointe (Copper Contributor)
Hi Johan,
Thank you for your answer.
It is not MFA, considering that I can log in, with the same set of users, on another AVD session pool that also has AAD-joined enabled.
Regards,
- Vincent_Lapointe (Copper Contributor)
When I'm using a standard image like the "win10-21h2-avd-g2" or "20h1-evd-g2" SKU, I don't have the issue anymore.
Is there any good practice or known rules to follow when creating a custom image to make sure it works in AVD?
My custom build was prepared from the win10-21h2-avd-g2 image. Nothing special has been done to it except installing a few pieces of software and generalizing it with sysprep
(.\sysprep.exe /generalize /shutdown /oobe /mode:vm)
Regards,