Azure Virtual Desktop topics

AVD Environment- FSLogix Profile Login Failure – Write Protected Error

Ravi3472 — Sat, 18 Apr 2026 02:49:33 GMT

Hi,

We are currently facing an issue with FSLogix user profiles in our environment and would appreciate your assistance in identifying and resolving the problem.

Issue Description:
Users are unable to log in successfully, and we are encountering the following error message:

"No Create access → The media is write protected."

Environment Details:

Session Hosts: Microsoft Entra joined
Users: Hybrid identities
Profile Storage: Azure File Share
Authentication Method: Identity-based access using Microsoft Entra Kerberos

Configuration Details:

We have assigned the FSLogix user group the role "Storage File Data SMB Share Contributor" on the Azure file share.
Registry entry for Kerberose Ticket is also created.
NTFS permissions have been configured via Azure Portal (Manage Access), granting Modify permissions to the FSLogix profile users on the file share folder.
We can see that user profiles and corresponding VHDX files are being created successfully during login attempts.

Problem Statement:
Despite the successful creation of profiles and VHDX files, users are still unable to log in, and the error mentioned above persists.

We would like your guidance on:

Possible causes for the "write protected" error despite correct role and NTFS permissions.
Any additional configurations or validations required for FSLogix with Entra Kerberos authentication.
Recommended troubleshooting steps or logs we should review to isolate the issue.

Please let us know if you need any additional logs, screenshots, or configuration details from our end.

Looking forward to your support.

Best regards,
Ravi Yadav

Graphic issue on single session host personal avd

Sriselvam92 — Fri, 03 Apr 2026 02:31:11 GMT

We recently deployed single session host with azure gallery image(windows1125H2enterprise+m365apps) and random users are facing graphic issue on the avd,screen fully get blue line unable to see anything on the display,how to resolve this?

Uninstalling Remote Desktop client closes users' Windows App connections

shaaric — Wed, 01 Apr 2026 13:46:21 GMT

We have our users working from Windows App now to meet the 3/27 out of support date. We are beginning to uninstall the Remote Desktop from their laptops and are finding it closes active Windows App connections on uninstall (of Remote Desktop). That is less than ideal. Looking to see if any way around that, but wondered if others had seen the same?

Feature request: allow setting web client features from direct-launch-url

laurens2305 — Thu, 26 Mar 2026 16:59:14 GMT

We use the "direct launch URL" feature of the AVD web client to deep link users to a session desktop (https://learn.microsoft.com/en-us/windows-app/direct-launch-urls?tabs=avd). One of the reason we use the web client is because we use AVD in exam halls on Chromebooks in kiosk-mode. The ChromeOS kiosk-mode only supports websites.

Students are faced with a connection dialog in which they can toggle IME and Special Keys. The students have to enable IME, but since these are university-owned devices, they do not know and just click "Connect".

We would like to be able to configure these client options automatically. For example, as query parameters in the direct-launch-url.

Ideally, we would also skip the "Connect" dialog entirely and just go strait into the session once the direct-launch-url is loaded.

Azure Virtual Desktop(AVD) - Enable Cloud Kerberos for storage accounts question

curious7 — Sun, 15 Mar 2026 09:55:10 GMT

I need to enable Cloud Kerberos for storage accounts used for AVD host pool. I am thinking of following the following instruction. Is that correct steps and is that all that is required?:-

After enabling AADKERB on the storage account :-

1a. Find the AADKERB Service Principal
Use Azure CLI to log into correct tenant
az login –tenant <tenantName>

1b. Find the AADKERB Service Principal
Look up by display name pattern
az ad sp list --filter "startswith(displayName,'[Storage Account]')" --query "[?contains(displayName,'<storageAccountName>')].{id:id,appId:appId,name:displayName}" -o table

1c. Grant Admin Consent
The AADKERB SP requires the following delegated permissions on Microsoft Graph:
openid
profile
User.Read ← This is often overlooked but required
Get the Microsoft Graph SP ID
$graphSpId=$(az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].id" -o tsv)
Get the AADKERB SP ID
$aadkerbSpId=<from step 1a>
Check existing grants
az rest --method GET --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq '$aadkerbSpId' and resourceId eq '$graphSpId'"
Create or update the grant
az rest --method POST --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" --body "{
"clientId": "$aadkerbSpId",
"consentType": "AllPrincipals",
"resourceId": "$graphSpId",
"scope": "openid profile User.Read"
}"

Windows App - RDP channel crashes when printing on a redirected canon printer

ChrisDub — Mon, 09 Mar 2026 08:06:22 GMT

Hey team,

I would like to know, if anyone else struggles with the following scenario:

A canon printer is installed on a local client.

The user is working in the AVD environment.

The printers are redirected into the AVD-Session via "printer redirect".

Since the users are migrating to the new "Windows App", the AVD session breaks as soon as the user is printing on a redirected Canon-Printer.

When printing on another printer, there is no issue.

Also: With the "Microsoft-Remotedesktop" Application, everything works as it should.

A Microsoft ticket is already raised.

I would like to know if there are other environments, which are encountering the same issue.

WindowsAppRuntime 1.4 Failures in AVD Multi-Session – Event ID 404 Production Case

Menahem — Mon, 23 Feb 2026 04:54:46 GMT

We recently experienced a production issue in an Azure Virtual Desktop multi-session environment that initially looked random — but turned out to be a shared framework instability amplified by scale.

Environment:

AVD multi-session host pools
FSLogix profile containers
MSIX App Attach
Intune-managed
Clean golden image

Everything looked healthy.

Yet packaged applications started failing across multiple host pools.

Symptoms observed

Users reported:

Error 0x80070005
AppXDeploymentServer Event ID 404
WindowsAppRuntime 1.4 marked as NeedsRemediation
Failures persisted after:

Reboots
Host redeployments
Image rebuild

This was not:

A profile corruption issue
An App Attach packaging issue
An Intune deployment failure

What actually broke

Under session churn conditions (logoff / new session / runtime re-validation), WindowsAppRuntime 1.4 entered a NeedsRemediation state.

Event Viewer showed:

AppXDeploymentServer Event ID 404
HRESULT 0x80070005
Runtime file creation failure under WindowsApps

Multi-session did not cause the issue.

It amplified it.

Shared framework registration timing under concurrent sessions made a rare condition systemic.

Why multi-session exposed it

In single-session environments, runtime inconsistencies remain isolated.

In multi-session:

Shared framework dependencies are reused
Concurrent validation occurs
Host pools recycle under load
Registration timing becomes critical

What would be a rare edge case became recurring instability.

Remediation approach

Instead of periodic polling, we moved to event-driven self-healing.

Detection trigger:

AppXDeploymentServer Event ID 404

Remediation logic:

Restart AppXSVC
Re-provision WindowsAppRuntime 1.4
Prevent concurrent duplicate execution
Log execution

We implemented a Scheduled Task:

Monitoring Operational log
Triggering immediately on Event ID 404
Running under SYSTEM
Deployed via Intune Win32 package
Detection logic validating task presence

This converted reactive troubleshooting into automated correction across host pools.

Architectural takeaway

Multi-session environments amplify shared dependency weaknesses.

WindowsAppRuntime is not “just another component” — it is a platform dependency.

If the runtime layer drifts, everything layered above it collapses:

MSIX App Attach
Packaged apps
Registration consistency

Self-healing must be part of AVD design.

For the structured technical case study (including deployment pattern and remediation logic), full write-up here:

https://modernendpoint.tech/avd-multi-session-failure-analysis/

Has anyone else observed WindowsAppRuntime 1.4 entering a NeedsRemediation state under multi-session load?

Curious if others saw correlation with specific Windows updates.

—
Menahem Suissa
Modern Endpoint Architect

SSL_ERR_CREDENTIAL_PROMPT_FAILED_WITH_CO_E_SERVER_EXEC_FAILURE (15623)

Dfalz01 — Tue, 17 Feb 2026 17:33:15 GMT

Need help with the following issues on AVD. What could be causing these issues?? My users seem to get the error when they try to sign on.

Improper AVD Host Decommissioning – A Practical Governance Framework

Menahem — Tue, 17 Feb 2026 16:11:12 GMT

Hi everyone,

After working with multiple production Azure Virtual Desktop environments, I noticed a recurring issue that rarely gets documented properly:

Improper host decommissioning.

Scaling out AVD is easy.

Scaling down safely is where environments silently drift.

Common issues I’ve seen in the field:

Session hosts deleted before drain completion

Orphaned Entra ID device objects

Intune-managed device records left behind

Stale registration tokens

FSLogix containers remaining locked

Defender onboarding objects not cleaned

Host pool inconsistencies over time

The problem is not technical complexity.

It’s lifecycle governance.

So I built a structured approach to host decommissioning focused on:

Drain validation

Active session verification

Controlled removal from host pool

VM deletion sequencing

Identity cleanup validation

Registration token rotation

Logging and execution safety

I’ve published a practical framework here:

The framework is fully documented and includes validation logic and logging.

https://github.com/modernendpoint/AVD-Host-Decommission-Framework

The goal is simple:

Not just removing a VM —

but preserving platform integrity.

I’m curious:

How are you handling host lifecycle management in your AVD environments?

Fully automated?

Manual?

Integrated with scaling plans?

Identity cleanup included?

Would love to hear how others approach this.

Menahem Suissa

AVD | Intune | Identity-Driven Architecture

macOS: SSO no longer fully functional on AVD (Win11 25H2)

FT_1 — Thu, 12 Feb 2026 10:57:27 GMT

Hello everyone,

Since updating our Test Azure Virtual Desktop Session Hosts from Windows 11 23h2 to 25H2 (26200.7462) , we've been experiencing an SSO issue that exclusively affects macOS clients.

Symptoms

For macOS users (Windows App), the following issues occur:

Example Teams

Teams shows the user as "Unknown User"
Chat and collaboration features fail to load
Error message: "You need to sign in again. This may be a requirement from your IT department or Teams, or the result of a password update. - Sign in"
After clicking "Sign in," only a window appears with "Continue with sign-in" (no PW/MFA prompt)
After this, all other applications work without further authentication

Technical Details

macOS Device:

AppleM4 Pro
macOS Tahoe 26.2

Installed WindowsApp version:

11.3.2 (2848)

dsregcmd /status:

No errors detected
PRT is active and was updated for sign-in

Entra Sign-In Logs:

Error code: 9002341

EventLog on Session Host (AAD-Operational):

Event ID: 1098 Error: 0xCAA2000C The request requires user interaction. Code: interaction_required Description: AADSTS9002341: User is required to permit SSO. Event ID: 1097 Error: 0xCAA90056 Renew token by the primary refresh token failed. Logged at RefreshTokenRequest.cpp, line: 148, method: RefreshTokenRequest::AcquireToken.

Observations

Affects: Both managed (internal) and unmanaged (external) macOS devices
Does NOT affect: Windows clients connecting via Windows App
Interesting: If a macOS user starts the session (with the error) and then reconnects on a Windows device, authentication works automatically there

Workaround

The issue can be resolved for macOS clients by removing the "DE" flag from "Automatic app sign-in" in the following file:

C:\Windows\System32\IntegratedServicesRegionPolicySet.json

Questions

Is this a known issue?
Has anyone experienced similar issues with macOS clients after the 25H2 update?
Why does this issue only occur with macOS clients?
Why does SSO only work after removing the "DE" flag for macOS devices, and why are Windows devices not affected?

I would appreciate any insights or confirmation of this issue!

Thank you and greetings FT_1

Azure’s Default Outbound Access Changes: Guidance for Azure Virtual Desktop Customers

Kathryn_Jakubek — Wed, 11 Feb 2026 22:31:27 GMT

After March 31, 2026, newly created Azure Virtual Networks (VNets) will no longer have default outbound internet access (DOA) enabled by default. Azure Virtual Desktop customers must configure outbound connectivity explicitly when setting up new VNets. This post explains what’s changing, who’s impacted, and the recommended actions, including Private Subnets.

What is Default Outbound Access (DOA)?

Default Outbound Access is Azure’s legacy behavior that allowed all resources in a virtual network to reach the public internet without configuring a specific internet egress path. This allowed telemetry, Windows activation, updates, and other service dependencies to reach external endpoints even when no explicit outbound connectivity method was configured.

What’s changing?

After March 31, 2026, as detailed in Azure’s communications, Azure will no longer enable DOA by default for new virtual networks. Instead, the VNet will be configured for Private Subnet option, allowing you to designate subnets without internet access for improved isolation and compliance. These changes encourage more intentional, secure network configurations while offering flexibility for different workload needs. Disabling Private Subnet option will allow administrators to restore DOA capabilities to the VNet, although Microsoft strongly recommends using NAT Gateway to provide outbound Internet access for session hosts.

Impact on Azure Virtual Desktop Customers

For Azure Virtual Desktop deployments created after March 31, 2026, outbound internet access must be explicitly configured, otherwise deployment and connectivity of the Session Hosts will fail. Existing VNets remain unaffected and will continue to use the configured internet access method.

What You Should Do

To prepare for Azure’s Default Outbound Access changes and ensure your Azure Virtual Desktop deployments remain secure and functional.

Recommendations

Update deployment plans to ensure either an explicit NAT, such as a NAT Gateway or Default Outbound access (not recommended) is enabled by disabling the Private Subnet option.
Test connectivity to ensure all services dependent on outbound access continue to function as expected.

Supported Outbound Access Methods

To maintain connectivity, choose one of these supported methods:

NAT Gateway (recommended)

Note: Direct RDP Shortpath (UDP over STUN) cannot be established through a NAT Gateway because its symmetric NAT policy prevents direct UDP connectivity over public networks.

Azure Standard Load Balancer

Public IP address on a VM

Azure Firewall or third-party Network Virtual Appliance (NVA). Note, it is not recommended to route RDP or other long-lived connections through Azure Firewall or any other network virtual appliance which allows for automatic scale-in. A direct method such as NAT Gateway should be used.

More information about the pros and cons of each method can be found at Default Outbound Access.

Resources:

Quick FAQ

Does this affect existing VNets? No. Only VNets created after March 31, 2026, are affected. Existing VNets will continue to operate as normal.

What if I do nothing on a new VNet? Host pool deployment will fail, and connectivity will fail because the VNet does not have internet access. Configure NAT Gateway or another supported method before starting a host pool deployment.

Why do Azure Virtual Desktop session hosts need outbound internet access? Many Azure Virtual Desktop functions depend on the session host having outbound access to Microsoft services. Without configuring NAT Gateway or another supported method of explicit outbound for the VNet, Azure Virtual Desktop will not deploy or function correctly.

What are the required endpoints? Please see https://learn.microsoft.com/azure/virtual-desktop/required-fqdn-endpoint?tabs=azure for a list of the endpoints required.

Why might peer-to-peer connectivity using STUN-based UDP hole punching not work when using NAT Gateway? NAT Gateway uses a type of network address translation that does not support cone symmetric NAT behavior. This can prevent STUN (Simple Traversal Underneath NAT) based UDP hole punching, commonly used for establishing peer-to-peer connections, from working as expected. If your application relies on reliable UDP connectivity between peers, STUN may revert to TURN (Traversal Using Relays around NAT) in some instances. TURN relays traffic between endpoints, ensuring consistent connectivity even when direct peer-to-peer paths are blocked. This helps maintain smooth real-time experiences for your users.

What explicit outbound options support STUN? Azure Standard Load Balancer supports UDP over STUN.

How do I configure Azure Firewall? For additional security you can configure Azure Firewall using these instructions: https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop?context=/azure/virtual-desktop/context/context

. It is strongly recommended that a direct method of access is used for RDP and other long-lived connections such as VPN or Secure Web Gateway tunnels. This is due to devices such as Azure firewall scaling in when load is low which can disrupt connectivity.

Wrap-up

Azure’s change reinforces intentional networking for better security. By planning explicit egress, Azure Virtual Desktop customers can stay compliant and keep session hosts reliably connected.

Your computer was unable to connect to the remote computer

cadminimum — Wed, 11 Feb 2026 18:03:11 GMT

I'm Having this AVD issue with a new workspace that was setup. It's a SessionDesktop application with a hostpool. The Web version of the client works fine, can connect and open RDP session but the Windows App will not work either on-prem or off-prem showing the error in the title when attempting to launch the session. I have tried playing with every setting I can find from RDP Properties, to Network ones, RDP shortpath, Entra SSO, Cred SSP, etc. Even if there was some sort of on-prem network issue it should still work when off-prem and it doesn't. But the web client works fine so I can't figure out what would cause this. The Application is just "SessionDesktop" and has no configurable parameters other than Display Name. The Host Pool has a private endpoint and when attempting to launch from the Windows App I can see some traffic going through our firewalls between the app and the PE as well as a few FQND's like windows365.microsoft.com, xxx.rdweb-g-us-r0-wvd.microsoft.com, xxx.afdfp-rdgateway-r0.wvd.microsoft.com etc... It's all 443 traffic though, no 3389 or 3390.

Entra logs show successful auth to Windows App and Conditional Access Policy result is Success with Grant Controls Satisfied and Session Controls Enforced.

I have the Windows App version 2.0.918.0 with Client version 1.2.6876.0 which should be the latest at the time of this writing. I tried the old deprecated RemoteDesktop app and it does the same thing.

One other thing I tried was downloading the. rdpw file from the web client and adding a bunch of parameters to the RDP advanced config like gatewayusagemethod, gatewaybrokeringtype, wvd endpoint pool etc. as they don't seem to be in there by default but it had no effect. I suspect those properties should be dynamically added at runtime rather than baked in to the config.

Any help would be appreciated.

Thanks.

Issues with FSLogix Profiles on Win11 25H2 Multiuser sessionhost's

marc_kuhn — Mon, 02 Feb 2026 17:39:04 GMT

Hey guys

we have currently lot of issues with AVD and FSLogix 26.01. There seems to be an issue that the profile container isnt't unmounted correctly. We have lot's of users who are not able to login correctly because the profile can't be mounted because its already in use by another process.

I'm currently looking what could cause that. We use a Azure files storage were i don't see any issues. It looks like a process within the userprofile is blocking the unload of the profile.

Should i be able to see in the logs of FSLogix which process is causing this. Or what is a effective way to troubleshoot that?

Thanks for any help

Best regards

Marc

RemoteApp for Word/Excel with Google Drive

Luke227 — Fri, 30 Jan 2026 17:24:58 GMT

I want to set up RemoteApp so users can use Word and Excel remotely. At the same time, I want them to be able to access and save files directly from Google Drive within those apps.

We currently only have 3 users who need this, but we plan to expand in the future.

What’s the best way to do this? Do I need a specific setup, plugin, or service to make Google Drive work seamlessly with Word/Excel in a RemoteApp environment?

AVD Remote published Application Disconnection

johnsAVD — Fri, 30 Jan 2026 17:14:19 GMT

Is anyone aware of any known issues with AVD Remote Applications?

We’re experiencing random disconnections across all Remote App users, with error details in insight point to StackCrash . The January 2026 update and OBB fix patches have already been applied, but the problem persists.

ServiceRDStackStackCrash (-1073741819)

Need Help: Shortpath Drops & RDstack error in AVD

Dfalz01 — Thu, 29 Jan 2026 19:31:13 GMT

I’m seeing persistent AVD connection issues and would appreciate guidance.

Frequent ShortpathTransportNetworkDrop (68) and ShortpathNetworkDrop (16644) errors
GetInputDeviceHandlesError (4463)
US based users and hostpool/sessionhost
Users experience instability and degraded performance

Seamless SSO According to MS Support

RobYoung — Tue, 13 Jan 2026 21:13:46 GMT

I am in the process of setting up a POC for AVD and followed all the instructions that I have found for enabling Seamless SSO for AVD. We are currently running in hybrid mode and I have created a server 2025 with latest patches. When I attempt to sign in via web or windows app, I signin to the web interface or the app and I am presented with the desktops. I launch a desktop and it prompts me for a user and pass (the user is pre-populated)

My understanding is that this should not happen. It should seamlessly signin (This would cause issues with our users not using passwords) I contacted Microsoft support and they state that this is by design. They stated this is how it operates in their lab.

Can someone clarify, if I sign into Windows app or the web, that my authentication should seamlessly sign me into the AVD server I have published?

Thanks

Ubuntu as session host

dhab — Wed, 07 Jan 2026 08:58:53 GMT

Hi all,
I understand there is no native solution for running an ubuntu vm as a session host. I didn't find any image in the marketplace for this.
I found this GitHub project that proposes a solution. Does anyone actually uses this or any other solutions?

Thanks in advance

Azure Virtual Desktop not functioning

RebeccaBroos — Tue, 23 Dec 2025 08:39:02 GMT

Hi, we are experiencing issues with the Azure Desktop Client. Users are able to login, but no desktops appear and there's no user information displayed either. It was working fine yesterday.

This is what it looks like now.

Azure Virtual Desktop (Pooled) – Sessions ending unexpectedly and users stuck across session hosts

StormShadow007 — Tue, 16 Dec 2025 22:47:32 GMT

Hi,

We are currently investigating an issue in an Azure Virtual Desktop (AVD) environment where users are intermittently disconnected during sign-in or are unable to reconnect to their sessions.

Environment:
Azure Virtual Desktop
Host pool: Pooled
OS: Windows 10 / Windows 11 Enterprise multi-session
FSLogix enabled
Client: Windows App (Remote Desktop)

Error message seen by users:
"Your Remote Desktop Services session has ended.
The administrator has ended the session, an error occurred while the connection was being established, or a network problem occurred."

What we are seeing:
Users fail to connect or get disconnected shortly after login.
Session hosts appear healthy and powered on.
No admin-initiated logoff is taking place.
Rebooting the affected session host sometimes resolves the issue, but only temporarily.

Actions already taken:
Restarted AVD agent services on the session hosts.
Placed affected hosts in drain mode.
Rebooted the VMs.

What we suspect:
Some users may still have active or disconnected sessions on previous session hosts, possibly combined with FSLogix profile locks, which could be preventing new sessions from starting correctly.

Questions:
What is the recommended way to identify which users are logged into which session hosts across a pooled host pool?
Are there best practices using the Azure Portal or PowerShell to detect and clean up stuck or disconnected sessions?
Has anyone seen similar behavior in pooled AVD environments with Windows 10/11 and FSLogix enabled?

Any advice or pointers would be appreciated.

Thanks.