AVD Bicep deployment with ADD joined

Copper Contributor

Hi,

I’m trying to deploy AVD as ADD joined using bicep but it failed with the following error:

 

Vincent_Lapointe_4-1638936338966.png

Any idea?

 

I follow steps found on the following links to make most of my deployment.

Ref : https://rozemuller.com/avd-automation-cocktail-avd-with-bicep-and-azure-cli/

Ref: https://tighetec.co.uk/2021/07/07/deploy-azure-virtual-desktop-with-project-bicep/

 

And I did the following changes  to make sure it is ADD joined

 

  • Create vm with systemAssigned identity,

      Vincent_Lapointe_0-1638936338948.png

 

  • Add the vm dscExtension extension with addjoin = true,

      Vincent_Lapointe_1-1638936338956.png

 

  • Add the vm AADLoginForWindows extension,

      Vincent_Lapointe_2-1638936338960.png

 

  • Create the hostpool with the custom RDP property: targetisaadjoined:i:1

     Vincent_Lapointe_3-1638936338964.png

 

The deployment succeeds without any error.

 

When I log in the rdweb client, I see my workspace and desktop session. Everything is fine so far!

Vincent_Lapointe_9-1638936498624.png

 

However, when I start my session, I get the following error:

Vincent_Lapointe_4-1638936338966.png

 

I did some investigation with the log analytics and found more info on the connection error :

 

“”” {"Code":-2147467259,"CodeSymbolic":"ConnectionFailedAdErrorNoSuchMember","Time":"2021-12-07T19:15:30.5520000Z", "Message":"Failed to add user = ≤AzureAD\\myemail@address.com≥ to group = Remote Desktop Users. Reason:  Win32.ERROR_NO_SUCH_MEMBER","ServiceError":false,"Source":"RDAgent"}”””

 

How to fix that?

 

Some notes: 

  • my user has the Virtual Machine User Login role (at the subscription level)

Vincent_Lapointe_5-1638936338967.png

 

  • my user is assigned to the application group

Vincent_Lapointe_6-1638936338967.png

 

  • Session host seems good:

Vincent_Lapointe_7-1638936338968.png

 

  • If I execute the dsregcmd command on my vm, I get the following :

Vincent_Lapointe_8-1638936338969.png

Note that I see the following error from the log:

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Device Name : vm-hsc001-vm-1

+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+

DeviceId : 03f9ab7d-bd7a-47ab-b007-3e79f4221544
Thumbprint : 7D61C32D0EA9F0894FA0641A8F58A5BFD5E8D0B8
DeviceCertificateValidity : [ 2021-11-29 19:31:13.000 UTC -- 2031-11-29 20:01:13.000 UTC ]
KeyContainerId : e503e151-aa77-4e99-8b50-73d9549ad6b0
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
DeviceAuthStatus : FAILED. Error:8007013d

 

  • When I deploy my host pool manually without bicep, the same user could log in the desktop session without any error.

Any idea? Where should I look for?

 

Thank you.

 

Regards,

 

5 Replies
Hi Johan,
THank you for your answer.

It is not MFA considering that I can log in, with the same set of users, on other AVD session pool that also has AAD-joined enabled.

Regards,

When I'm using a standard image like the "win10-21h2-avd-g2" or "20h1-evd-g2" SKU, I don't have the issue anymore.

 

is there any good practice or known rules to follow when creating a custom image to make sure it is working in AVD?

 

My custom build was prepared from the win10-21h2-avd-g2 image. Nothing special has been done to it except installing few software and generalize it with sysprep

    (.\sysprep.exe /generalize /shutdown /oobe /mode:vm)

 

Regards,

 

@Vincent_Lapointe I had the same error and it was coming from the user/password.

 

When you connect to the AVD client, you need to use the LOCAL username/password, not the DOMAIN username/password. Your username must be in the flavor of "localuser" and not "domainuser (at) domain".

 

Let me know if this helps

Cheers

Guillaume

Thank you @Guillaume1197 

 

It doesnt seem to help.