Forum Discussion
AVD with FSLogix - profiles not loading
I also thought it might be GPO so was doing some testing. I verified the userid can browse to the profile share fine from an on-prem computer as well as a Citrix desktop (so should not be user GPO or profile share permissions). I moved the AVD desktop to the same OU as a desktop that can access the profile share, and in that OU it had the same issue, so I don't think it's computer GPO either.
The FSLogix logs are where I find the error regarding connecting to the profile share - "Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced."
Are you using any network restrictions on the storage account for FS Logix profiles? Could be you are using vNet restriction in the network settings on the file share in the storage account - or this was something another person in your organisation implemented to fix the Azure Policy recommendation (also Azure Secure Score recommendation) to block public access to storage account, but did not configure correctly. :)
Hi Chris,
On the storage acct, we have public network access disabled but a private endpoint setup. It is in DNS and reachable from the network.
The file share shows identity-based access configured, default share level permissions disabled, SMB multichannel enabled, and security set at maximum compatibility.
Is that what I should be looking for in response to your question? If anything else, please let me know what to check.
Yes, when using private endpoint with private DNS resolver, the AVD session hosts should be able to reach your domain controllers for DNS, and your domain controllers should have Azure DNS server IP as forwarder in DNS management configuration (assuming your domain controllers are hosted in Azure also, otherwise you need private DNS resolver forwarding).
I believe if you enable public access to the share, it will work. That way to can test if the issue is related to private DNS for the private endpoint of the storage account is not resolved correctly :)
Thanks for the suggestion. I tried setting networking on the private endpoint to allow public access but still did not get my profile. 😢
I was on the phone with Microsoft yesterday and they had me set the share-level permissions for the storage account to enabled (something I tried before w/o success). On my next login, my profile loaded. So we thought it was fixed, but then I logged off, waited a couple minutes and logged in again and had no profile. Same for logging in the remainder of that day and today. Guess it was just one of those 1 in 20 logins that happens to work. I still have MS support stumped (ticket has been open for a month).