Forum Discussion
NhatHoang2592
Sep 20, 2024 - Copper Contributor
Windows 11 Enterprise Entra ID joined session host
Hello everyone, I hope someone can help me with this issue. We have an AVD environment with domain-joined personal pools, and everything works well. Now we want to deploy a personal pool with Entra ID...
addysidd27
Sep 22, 2024 - MCT
It sounds like you're dealing with a frustrating issue regarding Entra ID-joined session hosts in your AVD setup. Based on what you’ve described, here are a few things you might want to try:
Windows Hello for Business:
It’s true that for Entra ID joined VMs, Windows Hello is often recommended. However, if you're sticking to username/password login, ensuring that "targetisaadjoined:i:1" is correctly configured across all Conditional Access policies should help.
Authentication Methods:
It’s worth double-checking whether your MFA settings or other conditional access policies are conflicting with the username/password method. Sometimes, Conditional Access can enforce more stringent policies for Entra ID-joined VMs.
User Role:
You've already added the Virtual Machine User Login role, which is great. Just ensure that this role is correctly propagated to all session hosts.
PKU2U Settings:
Since you mentioned the PKU2U authentication requests are enabled on both the session host and the local PC, I would recommend verifying once again that there’s no mismatch in their configurations.
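One way to script the checks listed above from a defender's side (an added example, not the poster's code or anything from Microsoft): it assumes the Az.DesktopVirtualization and Az.Resources modules are installed, Connect-AzAccount has been run, and the host pool name, resource group and VM resource id placeholders are replaced with your own values; the local registry and dsregcmd checks only mean something when run on the session host itself.

```powershell
# Added diagnostic script for an Entra ID joined AVD session host (example, not from the thread).
param(
    [string]$HostPoolName  = '<host-pool-name>',             # placeholder: your host pool
    [string]$ResourceGroup = '<resource-group>',             # placeholder: its resource group
    [string]$VmResourceId  = '<session-host-vm-resource-id>' # placeholder: the session host VM
)

$results = [ordered]@{}

# 1. Host pool RDP properties: Entra ID joined hosts need targetisaadjoined:i:1
#    when users sign in with username/password instead of Windows Hello for Business.
$pool = Get-AzWvdHostPool -Name $HostPoolName -ResourceGroupName $ResourceGroup
$results['targetisaadjoined:i:1 in RDP properties'] = ($pool.CustomRdpProperty -match 'targetisaadjoined:i:1')

# 2. RBAC: "Virtual Machine User Login" must be assigned at the VM (or inherited from a parent scope).
$assign = Get-AzRoleAssignment -Scope $VmResourceId -RoleDefinitionName 'Virtual Machine User Login'
$results['Virtual Machine User Login assigned'] = ($assign.Count -gt 0)

# 3. Local checks (run on the session host): PKU2U must be allowed for Entra ID credentials.
$pku2u = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u' `
                          -Name AllowOnlineID -ErrorAction SilentlyContinue
$results['PKU2U AllowOnlineID = 1'] = ($pku2u.AllowOnlineID -eq 1)

# 4. Confirm the host really is Entra ID joined (dsregcmd reports AzureAdJoined : YES).
$dsreg = dsregcmd /status
$results['Session host Entra ID joined'] = (($dsreg -match 'AzureAdJoined\s*:\s*YES').Count -gt 0)

# Print one line per check; anything marked CHECK is a candidate cause of the sign-in failure.
$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Running it from an administrator session on the session host covers all four checks in one pass; from a management workstation only the first two are meaningful.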
NhatHoang2592
Sep 23, 2024 - Copper Contributor
- We set "targetisaadjoined:i:1" in the pool settings. What do you mean by this: "However, if you're sticking to username/password login, ensuring that "targetisaadjoined:i:1" is correctly configured across all Conditional Access policies should help." Is it something in the Conditional Access policy I should check?
- I tried to look at MFA; the "Windows Virtual Machine Sign-in" app is excluded.
- PKU2U is enabled, and I can see it in the AVD client.
But the error still exists. I'm curious why it let me sign in and then kicked me off after 5-10 seconds (whenever I reboot the session host), and then showed that error.
Thanks,