AVD Bicep deployment with AAD joined



I’m trying to deploy AVD as AAD joined using Bicep, but it failed with the following error:



Any idea?


I followed the steps found at the following links for most of my deployment.

Ref : https://rozemuller.com/avd-automation-cocktail-avd-with-bicep-and-azure-cli/

Ref: https://tighetec.co.uk/2021/07/07/deploy-azure-virtual-desktop-with-project-bicep/


And I made the following changes to make sure it is AAD joined:

  • Create vm with systemAssigned identity,
  • Add the vm dscExtension extension with addjoin = true,
  • Add the vm AADLoginForWindows extension,
  • Create the hostpool with the custom RDP property: targetisaadjoined:i:1



The deployment succeeds without any error.


When I log in to the rdweb client, I see my workspace and desktop session. Everything is fine so far!



However, when I start my session, I get the following error:



I did some investigation with Log Analytics and found more info on the connection error:


“”” {"Code":-2147467259,"CodeSymbolic":"ConnectionFailedAdErrorNoSuchMember","Time":"2021-12-07T19:15:30.5520000Z", "Message":"Failed to add user = ≤AzureAD\\myemail@address.com≥ to group = Remote Desktop Users. Reason:  Win32.ERROR_NO_SUCH_MEMBER","ServiceError":false,"Source":"RDAgent"}”””


How to fix that?


Some notes:

  • my user has the Virtual Machine User Login role (at the subscription level)
  • my user is assigned to the application group
  • Session host seems good:
  • If I execute the dsregcmd command on my vm, I get the following:

Note that I see the following error from the log:

    | Device State |

    AzureAdJoined : YES
    EnterpriseJoined : NO
    DomainJoined : NO
    Device Name : vm-hsc001-vm-1

    | Device Details |

    DeviceId : 03f9ab7d-bd7a-47ab-b007-3e79f4221544
    Thumbprint : 7D61C32D0EA9F0894FA0641A8F58A5BFD5E8D0B8
    DeviceCertificateValidity : [ 2021-11-29 19:31:13.000 UTC -- 2031-11-29 20:01:13.000 UTC ]
    KeyContainerId : e503e151-aa77-4e99-8b50-73d9549ad6b0
    KeyProvider : Microsoft Software Key Storage Provider
    TpmProtected : NO
    DeviceAuthStatus : FAILED. Error:8007013d


  • When I deploy my host pool manually without Bicep, the same user could log in to the desktop session without any error.

Any idea? Where should I look?


Thank you.
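
A triage check for the two artifacts quoted in the post above, added here as an example that is not part of the original thread: it parses `dsregcmd /status` text and the RDAgent error record, and reports a host that shows AzureAdJoined : YES while DeviceAuthStatus is not SUCCESS. The sample inputs are constructed from the values in the post, and the function names are hypothetical.

```python
import json
import re

# Constructed sample input, reduced from the dsregcmd output quoted in the post.
DSREG_SAMPLE = """\
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Device Name : vm-hsc001-vm-1
TpmProtected : NO
DeviceAuthStatus : FAILED. Error:8007013d
"""

# Constructed sample record shaped like the Log Analytics error in the post.
ERROR_SAMPLE = ('{"CodeSymbolic":"ConnectionFailedAdErrorNoSuchMember",'
                '"Message":"Failed to add user to group = Remote Desktop Users. '
                'Reason:  Win32.ERROR_NO_SUCH_MEMBER","Source":"RDAgent"}')


def parse_dsregcmd(text):
    """Return {field: value} for every 'Name : value' line of dsregcmd /status."""
    fields = {}
    for line in text.splitlines():
        # Split on the first ' : ' only; values such as timestamps contain colons.
        m = re.match(r"^\s*([A-Za-z][\w ]*?)\s+:\s+(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def triage(dsreg_text, error_json):
    """List findings that tie a connection error to the host's device state."""
    state = parse_dsregcmd(dsreg_text)
    err = json.loads(error_json)
    findings = []
    joined = state.get("AzureAdJoined", "").upper() == "YES"
    auth = state.get("DeviceAuthStatus", "")
    if not joined:
        findings.append("host is not Azure AD joined")
    elif not auth.upper().startswith("SUCCESS"):
        findings.append("joined but device auth not healthy: " + auth)
    if err.get("CodeSymbolic") == "ConnectionFailedAdErrorNoSuchMember":
        findings.append("RDAgent failed to add the user to Remote Desktop Users (no such member)")
    return findings


if __name__ == "__main__":
    for finding in triage(DSREG_SAMPLE, ERROR_SAMPLE):
        print("-", finding)
```

Running it over each session host in a pool separates hosts whose device registration is unhealthy from hosts where only the user lookup failed.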




5 Replies

Hi Johan,
Thank you for your answer.

It is not MFA, considering that I can log in, with the same set of users, on another AVD session pool that also has AAD-joined enabled.


When I'm using a standard image like the "win10-21h2-avd-g2" or "20h1-evd-g2" SKU, I don't have the issue anymore.


Is there any good practice or known rules to follow when creating a custom image to make sure it is working in AVD?


My custom build was prepared from the win10-21h2-avd-g2 image. Nothing special has been done to it except installing a few pieces of software and generalizing it with sysprep

    (.\sysprep.exe /generalize /shutdown /oobe /mode:vm)




@Vincent_Lapointe I had the same error and it was coming from the user/password.


When you connect to the AVD client, you need to use the LOCAL username/password, not the DOMAIN username/password. Your username must be in the flavor of "localuser" and not "domainuser (at) domain".


Let me know if this helps



Thank you @Guillaume1197 


It doesn't seem to help.