Ask Learn
Preview
Please sign in to use this experience.
Sign inThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article helps troubleshoot issues you're having when configuring the Azure Virtual Desktop session host virtual machines (VMs).
Visit the Azure Virtual Desktop Tech Community to discuss the Azure Virtual Desktop service with the product team and active community members.
Follow these instructions if you're having issues joining virtual machines (VMs) to the domain.
There was a typo made when the credentials were entered in the Azure Resource Manager template interface fixes.
Take one of the following actions to resolve the issue:
The account used to complete the domain join might have multifactor authentication (MFA).
Take one of the following actions to resolve the issue:
The account being used doesn't have permissions to join VMs to the domain due to compliance and regulations.
Take one of the following actions to resolve.
VMs are on a virtual network that's not associated with the virtual network where the domain is located.
Create virtual network peering between the virtual network where VMs were provisioned and the virtual network where the domain controller (DC) is running. See Create a virtual network peering - Resource Manager, different subscriptions.
When using Microsoft Entra Domain Services, the virtual network doesn't have its Domain Name System (DNS) server settings updated to point to the managed domain controllers.
To update the DNS settings for the virtual network containing Microsoft Entra Domain Services, see Update DNS settings for the Azure virtual network.
The network interface's DNS server settings don't point to the appropriate DNS server on the virtual network.
Take one of the following actions to resolve the issue by following the steps in Change DNS servers:
You attempt to reuse a computer account (hostname), have applied Windows updates released on and after October 11, 2022, and the user account provided for the domain doesn't have sufficient permissions to reuse computer accounts.
Take one of the following actions to resolve the issue:
For more information on the permissions changes for computer account reuse, see KB5020276 - Netjoin: Domain join hardening changes.
The recommended way to provision VMs is using the Azure portal creation template. The template automatically installs the Azure Virtual Desktop Agent and Azure Virtual Desktop Agent Boot Loader.
Follow these instructions to confirm the components are installed and to check for error messages.
Credentials provided during input for the Azure Resource Manager template were incorrect or permissions were insufficient.
Manually add the missing components to the VMs using Create a host pool with PowerShell.
PowerShell DSC was able to start and execute but failed to complete as it can't sign in to Azure Virtual Desktop and obtain needed information.
Confirm the items in the following list.
PowerShell DSC was able to execute but couldn't connect to Azure Virtual Desktop.
Confirm the items in the following list.
When the Azure Virtual Desktop Agent is first installed on session host VMs (either manually or through the Azure Resource Manager template and PowerShell DSC), it provides a registration token. The following section covers troubleshooting issues that apply to the Azure Virtual Desktop Agent and the token.
The agent isn't able to update itself to a new version.
Follow these instructions to manually update the agent:
Registration token has expired.
Follow these instructions to fix the agent registry error:
Remove-AzWvdRegistrationInfo
.New-AzWvdRegistrationInfo
cmdlet to generate a new token.-ExpirationTime
parameter is set to three days.RDAgentBootLoader service has been stopped.
Launch Task Manager. If the Service tab reports a stopped status for RDAgentBootLoader service, start the service.
Port 443 might be closed.
Follow these instructions to open port 443:
Confirm port 443 is open by downloading the PSPing tool from Sysinternal tools.
Install PSPing on the session host VM where the agent is running.
Open the command prompt as an administrator and run the following command:
psping rdbroker.wvdselfhost.microsoft.com:443
Confirm that PSPing received information back from the RDBroker
:
PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
TCP connect to <IP Address>:443:
5 iterations (warmup 1) ping test:
Connecting to <IP Address>:443 (warmup): from 172.20.17.140:60649: 2.00ms
Connecting to <IP Address>:443: from 172.20.17.140:60650: 3.83ms
Connecting to <IP Address>:443: from 172.20.17.140:60652: 2.21ms
Connecting to <IP Address>:443: from 172.20.17.140:60653: 2.14ms
Connecting to <IP Address>:443: from 172.20.17.140:60654: 2.12ms
TCP connect statistics for <IP Address>:443:
Sent = 4, Received = 4, Lost = 0 (0% loss),
Minimum = 2.12ms, Maximum = 3.83ms, Average = 2.58ms
There are three main ways to install or enable the side-by-side stack on session host pool VMs:
If you're having issues with the Azure Virtual Desktop side-by-side stack, type the qwinsta
command from the command prompt to confirm that the side-by-side stack is installed or enabled.
The output of qwinsta
will list rdp-sxs
in the output if the side-by-side stack is installed and enabled.
Examine the registry entries listed and confirm that their values match. If registry keys are missing or values are mismatched, make sure you're running a supported operating system. If you are, follow the instructions in Register session hosts to a host pool for how to reinstall the side-by-side stack.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rds-sxs
fEnableWinstation
DWORD
1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings
SessionDirectoryListener
rdp-sxs
The side-by-side stack isn't installed on the session host VM.
Follow these instructions to install the side-by-side stack on the session host VM:
There are known circumstances that can cause the side-by-side stack to malfunction:
The instructions in this section can help you uninstall the Azure Virtual Desktop side-by-side stack. Once you uninstall the side-by-side stack, follow the steps to register session hosts to a host pool to reinstall the side-by-side stack.
The VM used to run remediation must be on the same subnet and domain as the VM with the malfunctioning side-by-side stack.
Follow these instructions to run remediation from the same subnet and domain:
Connect with standard Remote Desktop Protocol (RDP) to the VM from where fix will be applied.
Start a command prompt as local administrator, and then navigate to folder where PsExec was unzipped.
From the command prompt, use the following command where <VMname>
is the hostname name of the VM with the malfunctioning side-by-side stack. If this is the first time you have run PsExec, you'll also need to accept the PsExec License Agreement to continue by selecting Agree.
psexec.exe \\<VMname> cmd
After the command prompt session opens on the VM with the malfunctioning side-by-side stack, run the following command and confirm that an entry named rdp-sxs
is available. If not, a side-by-side stack doesn't exist on the VM so the issue isn't tied to the side-by-side stack.
qwinsta
Run the following command, which will list Microsoft components installed on the VM with the malfunctioning side-by-side stack.
wmic product get name
Run the following command with product names from the preceding step, for example:
wmic product where name="<Remote Desktop Services Infrastructure Agent>" call uninstall
Uninstall all products that start with Remote Desktop.
After all Azure Virtual Desktop components have been uninstalled, restart the VM that had the malfunctioning side-by-side stack (either with Azure portal or from the PsExec tool). You can then reinstall the side-by-side stack by following the steps to register session hosts to a host pool.
If you sign in to Windows 10 Enterprise multi-session using an administrative account, you might receive a notification that says, "Remote Desktop licensing mode isn't configured, Remote Desktop Services will stop working in X days. On the Connection Broker server, use Server Manager to specify the Remote Desktop licensing mode."
If the time limit expires, the following error message will appear:
The remote session was disconnected because there are no Remote Desktop client access licenses available for this computer.
If you see either of these messages, it means the image doesn't have the latest Windows updates installed or you're setting the Remote Desktop licensing mode through group policy. Follow the steps in the next sections to check the group policy setting, identify the version of Windows 10 Enterprise multi-session, and install the corresponding update.
Note
Azure Virtual Desktop only requires a Remote Desktop Services (RDS) client access license (CAL) when your host pool contains Windows Server session hosts. For more information on configuring an RDS CAL, see License your RDS deployment with client access licenses.
Check the group policy setting by opening the Group Policy Editor in the VM and navigating to Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing > Set the Remote Desktop licensing mode. If the group policy setting is Enabled, change it to Disabled. If it's already disabled, then leave it as-is.
Note
If you set group policy through your domain, disable this setting on policies that target these Windows 10 Enterprise multi-session VMs.
To check which version of Windows 10 Enterprise multi-session you have:
Sign in with your admin account.
Enter About into the search bar next to the Start menu.
Select About your PC.
Check the number next to Version. The number should be either 1809 or 1903, as shown in the following image.
Now that you know your version number, skip ahead to the relevant section.
If your version number says 1809, install the KB4516077 update.
Redeploy the host operating system with the latest version of the Windows 10, version 1903 image from the Azure Gallery.
If your users see the following error:
We couldn't connect to the remote PC because of a security error. If this keeps happening, ask your admin or tech support for help.
Validate any existing policies that change default RDP permissions. One policy that might cause this error to appear is the Allow log on through Remote Desktop Services security policy.
For more information about this policy, see Allow log on through Remote Desktop Services.
Golden images must not include the Azure Virtual Desktop agent. You can install the agent only after you deploy the golden image.
Please sign in to use this experience.
Sign in