Forum Discussion
AVD with FSLogix - profiles not loading
Set up AVD with FSLogix several months back and profiles had been loading fine. About a month ago, profiles stopped loading and the logs show "Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced." This is in regard to connecting to the profile share path. If I manually try to go to that path, I receive the same error. The accounts do have a password, so it shouldn't be anything to do with a blank password. There are no sign-in time restrictions enforced on these accounts. What's left is a "policy restriction", which is kind of vague.
Things I've tried:
- update to latest FSLogix
- verify permissions on profile storage
- enabled these in local policy:
  - Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    'Accounts: Limit local account use of blank passwords to console logon only' = disabled
  - Computer Configuration > Administrative Templates > System > Credentials Delegation
    'Restrict delegation of credentials to remote servers' = disabled
I have a ticket open with MS support for 3 weeks now, but thus far they've been completely useless.
16 Replies
- guptapankaj8 (Brass Contributor)
Did you check your storage space?
Can you try to create a new storage and map profiles there? Is it working?
- tomgow (Copper Contributor)
The current storage actually works when manually mapping to it (it prompts to authenticate again). Once storage is mapped, I can add folders and files. There's something about that initial connection that fails - like it needs that second authentication and isn't getting it.
- tomgow (Copper Contributor)
Additional info:
Profiles are stored on an Azure file share.
The storage account is AD joined.
As a test, I redirected the profile to store on the local D drive of the AVD (via registry setting) and it worked fine.
When connected to the AVD and the profile fails to load from the Azure file share, I can map a drive to and access that same file share if I choose the option 'login as a different user' and re-enter my same login credentials. (If I don't re-enter credentials, it will fail with the account restrictions error.)
- Chris_toffer0707 (Iron Contributor)
Could you share your configuration for permissions both in Azure and NTFS on the Azure File Share.
Users need to have the Storage File Data SMB Share Contributor in Azure on the storage account, and "create folders" permissions on the folder of the FSLogix container.
Also, I cannot tell from the discussion if users are synced from Active Directory to Entra ID and the group membership of Storage File Data SMB Share Contributor is granted to the users via a group?
- tomgow (Copper Contributor)
We have a group called AVD Users and that group does have 'Storage File Data SMB Share Contributor' access on the storage account. On the file share, that group has modify access to 'this folder only'. My regular account and the people that use the virtual desktops are in the AVD Users group.
- tilikumtim (Brass Contributor)
Are the FSLogix profiles in an Azure File share? If so, is the storage account where the Azure File share resides, joined to AD domain? Maybe someone has deleted or moved the storage account object in AD. You could try rejoining the storage account to the domain if you've confirmed NTFS and share permissions are correct.
- tomgow (Copper Contributor)
Thank you for the suggestion. It is an Azure file share and the account is AD joined. I have since verified all settings are correct (as far as what's on the setup guide). My manager set up the account so I will check with him on rejoining it to the domain.
Any clue from GPO settings, NTFS & share permissions, or even FSLogix logs?
- tomgow (Copper Contributor)
I also thought it might be GPO so was doing some testing. I verified the userid can browse to the profile share fine from an on-prem computer as well as a Citrix desktop (so should not be user GPO or profile share permissions). I moved the AVD desktop to the same OU as a desktop that can access the profile share, and in that OU it had the same issue, so I don't think it's computer GPO either.
The FSLogix logs are where I find the error regarding connecting to the profile share - "Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced."
- Chris_toffer0707 (Iron Contributor)
Are you using any network restrictions on the storage account for FSLogix profiles? Could be you are using vNet restriction in the network settings on the file share in the storage account - or this was something another person in your organisation implemented to fix the Azure Policy recommendation (also Azure Secure Score recommendation) to block public access to storage account, but did not configure correctly. :)