Forum Discussion

Vincent_Lapointe
Copper Contributor
Dec 08, 2021

AVD Bicep deployment with AAD joined

Hi,

I'm trying to deploy AVD as AAD joined using Bicep, but it failed with the following error:

 

Any idea?

 

I followed the steps in the following links for most of my deployment.

Ref : https://rozemuller.com/avd-automation-cocktail-avd-with-bicep-and-azure-cli/

Ref: https://tighetec.co.uk/2021/07/07/deploy-azure-virtual-desktop-with-project-bicep/

 

And I made the following changes to make sure it is AAD joined:

  • Create the VM with a system-assigned identity,

  • Add the VM dscExtension (DSC) extension with aadJoin = true,

  • Add the VM AADLoginForWindows extension,

  • Create the host pool with the custom RDP property: targetisaadjoined:i:1

 

The deployment succeeds without any error.

 

When I log in to the RD Web client, I see my workspace and desktop session. Everything is fine so far!

 

However, when I start my session, I get the following error:

 

I did some investigating in Log Analytics and found more info on the connection error:

{"Code":-2147467259,"CodeSymbolic":"ConnectionFailedAdErrorNoSuchMember","Time":"2021-12-07T19:15:30.5520000Z","Message":"Failed to add user = <AzureAD\\myemail@address.com> to group = Remote Desktop Users. Reason:  Win32.ERROR_NO_SUCH_MEMBER","ServiceError":false,"Source":"RDAgent"}

 

How to fix that?

 

Some notes:

  • My user has the Virtual Machine User Login role (at the subscription level).

  • My user is assigned to the application group.

  • The session host seems good:

  • If I execute the dsregcmd command on my VM, I get the following. Note that I see the following error in the output:

    +----------------------------------------------------------------------+
    | Device State |
    +----------------------------------------------------------------------+

    AzureAdJoined : YES
    EnterpriseJoined : NO
    DomainJoined : NO
    Device Name : vm-hsc001-vm-1

    +----------------------------------------------------------------------+
    | Device Details |
    +----------------------------------------------------------------------+

    DeviceId : 03f9ab7d-bd7a-47ab-b007-3e79f4221544
    Thumbprint : 7D61C32D0EA9F0894FA0641A8F58A5BFD5E8D0B8
    DeviceCertificateValidity : [ 2021-11-29 19:31:13.000 UTC -- 2031-11-29 20:01:13.000 UTC ]
    KeyContainerId : e503e151-aa77-4e99-8b50-73d9549ad6b0
    KeyProvider : Microsoft Software Key Storage Provider
    TpmProtected : NO
    DeviceAuthStatus : FAILED. Error:8007013d

  • When I deploy my host pool manually without Bicep, the same user can log in to the desktop session without any error.

Any idea? Where should I look?

 

Thank you.

 

Regards,

 
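For readers following the same path, here is the set of four changes listed in the post (system-assigned identity, DSC extension with aadJoin, AADLoginForWindows extension, host pool with the targetisaadjoined RDP property) in one Bicep file. This is an added example written for this page; it is not the poster's template and not code from the two linked articles. Resource names, API versions, the VM size, the NIC passed in by id, the parameter names, the DSC artifacts URL being supplied as a parameter, and reading the registration token off the host pool resource created in the same deployment are all assumptions. The image reference uses the win10-21h2-avd-g2 marketplace SKU that the thread later reports as working:

```bicep
// Added example: Azure AD joined AVD session host in Bicep.
// All names, versions and parameter values below are assumptions, not the poster's.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param hostPoolName string = 'hp-aad-demo'        // assumed name
param vmName string = 'vm-hsc001-vm-1'           // host name seen in the dsregcmd output
param nicId string                               // existing NIC, assumed created elsewhere
param vmSize string = 'Standard_D2s_v3'          // assumed size
param adminUsername string
@secure()
param adminPassword string
param baseTime string = utcNow('u')
// URL of the zip holding the AddSessionHost DSC configuration that Microsoft
// publishes for AVD; the blob name changes over time, so it is a parameter.
param avdArtifactsUrl string

// Change 4: host pool with the custom RDP property that tells the client the
// target is Azure AD joined, plus a fresh registration token for the DSC step.
resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2021-07-12' = {
  name: hostPoolName
  location: location
  properties: {
    hostPoolType: 'Pooled'
    loadBalancerType: 'BreadthFirst'
    preferredAppGroupType: 'Desktop'
    maxSessionLimit: 10
    customRdpProperty: 'targetisaadjoined:i:1;'
    registrationInfo: {
      expirationTime: dateTimeAdd(baseTime, 'PT2H')
      registrationTokenOperation: 'Update'
    }
  }
}

// Change 1: session host with a system-assigned managed identity, which the
// AADLoginForWindows extension needs for the Azure AD join.
resource vm 'Microsoft.Compute/virtualMachines@2021-07-01' = {
  name: vmName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    hardwareProfile: {
      vmSize: vmSize
    }
    osProfile: {
      computerName: vmName
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftWindowsDesktop'
        offer: 'windows-10'
        sku: 'win10-21h2-avd-g2'   // marketplace SKU the thread reports as working
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nicId
        }
      ]
    }
  }
}

// Change 2: DSC extension registers the host with the pool; aadJoin: true tells
// the AddSessionHost configuration the host is Azure AD joined, not AD joined.
resource dsc 'Microsoft.Compute/virtualMachines/extensions@2021-07-01' = {
  parent: vm
  name: 'Microsoft.PowerShell.DSC'
  location: location
  properties: {
    publisher: 'Microsoft.Powershell'
    type: 'DSC'
    typeHandlerVersion: '2.73'
    autoUpgradeMinorVersion: true
    settings: {
      modulesUrl: avdArtifactsUrl
      configurationFunction: 'Configuration.ps1\\AddSessionHost'
      properties: {
        hostPoolName: hostPool.name
        // Relies on the host pool being created in this same deployment with a
        // fresh registrationInfo, so the token is available on the resource.
        registrationInfoToken: hostPool.properties.registrationInfo.token
        aadJoin: true
      }
    }
  }
}

// Change 3: AADLoginForWindows performs the Azure AD join; it is ordered after
// the DSC step so the host is registered to the pool before the join happens.
resource aadLogin 'Microsoft.Compute/virtualMachines/extensions@2021-07-01' = {
  parent: vm
  name: 'AADLoginForWindows'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.ActiveDirectory'
    type: 'AADLoginForWindows'
    typeHandlerVersion: '1.0'
    autoUpgradeMinorVersion: true
  }
  dependsOn: [
    dsc
  ]
}
```

Two things this file deliberately leaves out, because the post already covers them: the Virtual Machine User Login role assignment (the poster has it at subscription scope, which also covers the VM) and the application group assignment. After the deployment, `dsregcmd /status` on the host should report AzureAdJoined : YES and DeviceAuthStatus : SUCCESS; the FAILED. Error:8007013d the poster sees is the line to watch, since the RD agent cannot resolve the AzureAD\\user principal against a host whose device authentication is failing.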

    •
      Vincent_Lapointe
      Copper Contributor
      Hi Johan,
      Thank you for your answer.

      It is not MFA, considering that I can log in, with the same set of users, on other AVD session pools that also have AAD joined enabled.

      Regards,
      •
        Vincent_Lapointe
        Copper Contributor

        When I'm using a standard image like the "win10-21h2-avd-g2" or "20h1-evd-g2" SKU, I don't have the issue anymore.

         

        Is there any good practice or known rules to follow when creating a custom image to make sure it works in AVD?

         

        My custom build was prepared from the win10-21h2-avd-g2 image. Nothing special was done to it except installing a few pieces of software and generalizing it with sysprep:

            (.\sysprep.exe /generalize /shutdown /oobe /mode:vm)

         

        Regards,

         
