Forum Discussion
AVD with FSLogix - profiles not loading
Any clue from GPO settings, NTFS & share permissions, or even the FSLogix logs?
I also thought it might be GPO so was doing some testing. I verified the userid can browse to the profile share fine from an on-prem computer as well as a Citrix desktop (so should not be user GPO or profile share permissions). I moved the AVD desktop to the same OU as a desktop that can access the profile share, and in that OU it had the same issue, so I don't think it's computer GPO either.
The FSLogix logs are where I find the error regarding connecting to the profile share - "Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced."
- Chris_toffer0707 | May 09, 2025 | Iron Contributor
Are you using any network restrictions on the storage account for FSLogix profiles? Could be you are using vNet restriction in the network settings on the file share in the storage account - or this was something another person in your organisation implemented to fix the Azure Policy recommendation (also Azure Secure Score recommendation) to block public access to storage account, but did not configure correctly. :)
- tomgow | May 09, 2025 | Copper Contributor
Hi Chris,
On the storage acct, we have public network access disabled but a private endpoint set up. It is in DNS and reachable from the network.
The file share shows identity-based access configured, default share level permissions disabled, SMB multichannel enabled, and security set at maximum compatibility.
Is that what I should be looking for in response to your question? If anything else, please let me know what to check.
- Chris_toffer0707 | May 13, 2025 | Iron Contributor
Yes, when using private endpoint with private DNS resolver, the AVD session hosts should be able to reach your domain controllers for DNS, and your domain controllers should have Azure DNS server IP as forwarder in DNS management configuration (assuming your domain controllers are hosted in Azure also, otherwise you need private DNS resolver forwarding).
I believe if you enable public access to the share, it will work. That way you can test whether the issue is that private DNS for the private endpoint of the storage account is not resolved correctly :)
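
The DNS question raised in the reply above can be checked from the session host without re-enabling public access. The following is an added example, not part of any post in the thread; the storage account name is a placeholder and the function name `Test-PrivateIPv4` is hypothetical. It reports which DNS servers the host uses, whether the share name resolves through the `privatelink.file.core.windows.net` zone to a private address, and whether SMB (TCP 445) is reachable.

```powershell
# Run on the AVD session host. Placeholder value, not taken from the thread.
$StorageAccount = '<storage-account-name>'
$Fqdn = "$StorageAccount.file.core.windows.net"

function Test-PrivateIPv4 {
    # True when the address falls in an RFC 1918 range.
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# DNS servers the host actually queries (expected: the domain controllers).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# Resolve the share name and split the answer into CNAME chain and A records.
$records = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
$cnames  = @($records | Where-Object Type -eq 'CNAME' | ForEach-Object NameHost)
$addrs   = @($records | Where-Object Type -eq 'A'     | ForEach-Object IPAddress)

# A working private endpoint answers via the privatelink zone with a private IP.
$viaPrivateLink = [bool]($cnames -match 'privatelink\.file\.core\.windows\.net$')
$publicAddrs    = @($addrs | Where-Object { -not (Test-PrivateIPv4 $_) })
$allPrivate     = ($addrs.Count -gt 0) -and ($publicAddrs.Count -eq 0)

# SMB reachability to whatever address the name resolved to.
$smb = Test-NetConnection -ComputerName $Fqdn -Port 445 -WarningAction SilentlyContinue

[pscustomobject]@{
    Fqdn               = $Fqdn
    CnameChain         = $cnames -join ' -> '
    ResolvedAddresses  = $addrs -join ', '
    ViaPrivateLinkZone = $viaPrivateLink
    AllAddressesPrivate = $allPrivate
    Smb445Reachable    = $smb.TcpTestSucceeded
}
```

If `AllAddressesPrivate` is false while public network access is disabled on the storage account, the host is resolving the public endpoint and the forwarder or private DNS zone link is the place to look; if everything here is true, name resolution and network path are not the cause.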