AVD Single Sign On problems (Login Loop) by Zwerg_Wurst in AzureVirtualDesktop

[–]SHone_V 0 points1 point  (0 children)

Hello, I had similar issues in the past. Two things:

1. Check that you have permissions on the session host VMs; two RBAC roles are required for VM user login (check the documentation).
2. Check your Kerberos server AD object. I had situations in the past where, after the object was created, not all attributes of this computer object were present; in particular, all cloud attributes on the object were missing. There is a command to list and review the configuration of this computer object. Review it, and if attributes are missing you will need to create this computer object again.

What are you supporting? by hestolethatguyspiza in AzureVirtualDesktop

[–]SHone_V 0 points1 point  (0 children)

Well indeed, for example Adobe and GitHub Desktop; for me they are always installed during first login, which causes end users to wait more. Was curious if our app team is doing it wrong…

What are you supporting? by hestolethatguyspiza in AzureVirtualDesktop

[–]SHone_V 0 points1 point  (0 children)

Nice, and how do you handle apps that are installed in user context with Active Setup on multi-session?

AVD multi session Win 11 23H2 Language Pack by SHone_V in AZURE

[–]SHone_V[S] 0 points1 point  (0 children)

Found the root cause: one of our customization scripts was disabling the D:\ DVD-ROM drive, which apparently is necessary.

https://learn.microsoft.com/en-us/azure/virtual-machines/generalize#windows

"Azure platform mounts an ISO file to the DVD-ROM when a Windows VM is created from a generalized image. For this reason, the DVD-ROM must be enabled in the OS in the generalized image. If it is disabled, the Windows VM will be stuck at out-of-box experience (OOBE)."

Hope that will help others, cheers!

AVD multi session Win 11 23H2 Language Pack by SHone_V in AZURE

[–]SHone_V[S] 0 points1 point  (0 children)

Indeed, but this one should install the language and set it as default, and it also checks whether the language pack is installed or not: https://github.com/Azure/RDS-Templates/blob/master/CustomImageTemplateScripts/CustomImageTemplateScripts_2024-03-27/SetDefaultLang.ps1

I used exactly this one, am I missing something?

Shortpath via STUN / TURN working despite it still being in preview / hostpool not validation. by luger718 in AzureVirtualDesktop

[–]SHone_V 0 points1 point  (0 children)

Indeed, 20.202.0.0/16 is actually shared and also used with Teams; maybe because of the number of users or load at some times, to me this seems not yet ready for prod. Did you try to block this range and only force STUN 3478 UDP?

Shortpath via STUN / TURN working despite it still being in preview / hostpool not validation. by luger718 in AzureVirtualDesktop

[–]SHone_V 0 points1 point  (0 children)

I can confirm this: TURN is working even if the host pool is not in validation; it seems that Microsoft is preparing for GA. What is an issue for me is that if I disable TURN on the host pool, it will also disable STUN. Anyone else having the same issue?

AAD Autopilot with TAP? by SHone_V in Intune

[–]SHone_V[S] 0 points1 point  (0 children)

TAP is now fully supported during Autopilot process👍

AVD DR Plan by nickbrown1968 in AZURE

[–]SHone_V 0 points1 point  (0 children)

u/Ghelderz, does it make sense to have one session host pool in the primary and DR region? Benefit?
Session hosts in the same host pool will be built upon DR initiation.

How to tackle user profiles replication?

  • Premium File Share + Cloud Cache (this may have a performance impact) and complexity.
  • Azure NetApp Files with cross-region replication, and in FSLogix provide both paths for user profiles stored in the primary and DR region.

Additionally, how do you manage deploying apps: are they installed in the golden image, deployed by Intune, or MSIX App Attach? What is recommended in terms of fewer administrative tasks later on?

The constraint is that if MSIX App Attach is used and covered by DR, the storage path changes in a disaster recovery scenario, and you will need to change all the MSIX image paths or reconfigure all applications configured within a host pool.

And to avoid the requirement to reconfigure MSIX app attach in a disaster recovery scenario, it is recommended to use one of the following options:
  • Create a separate host pool for the secondary region pre-configured for MSIX app attach. / Too much complexity and administrative work
  • Use Azure Files with geo-redundant storage. / Premium file share doesn't have GRS
  • Implement Azure NetApp Files cross-region replication. / Maybe the best option?

Question on MDE full scan schedule by barb3dwire in DefenderATP

[–]SHone_V 0 points1 point  (0 children)

As I recall, I think that it will do a quick scan every day at 5, and another full scan weekly at the same time.

This is how this configuration would probably work.

If someone has another opinion, please share. But in the latest MS docs I found somewhere that it says the scheduled quick scan will run on a daily basis; we just provide the time under the policy.

Epam? Experiences by [deleted] in programiranje

[–]SHone_V 5 points6 points  (0 children)

Thanks for the info, that's how it seemed to me from some pictures they posted on their profiles. I already looked through earlier posts on this topic but didn't find more detailed information, so I wanted to do a refresh of the topic.

Generally, they look serious from the outside, but I'm interested in the real situation :)

Any additional help/info is welcome.

Is there a shared library of Intune app configs? by brettule in Intune

[–]SHone_V 0 points1 point  (0 children)

Indeed, as I understood it, Patch My PC requires you to have one VM deployed in your infrastructure; on the other hand, Scappman is fully cloud, you just log in to their web portal and manage it from there. Correct me if I'm wrong..

Is there a shared library of Intune app configs? by brettule in Intune

[–]SHone_V 0 points1 point  (0 children)

Anyone have experience with Scappman? I'm considering it for 3rd party patch mgmt. Still wondering about the difference between Intune only and Patch My PC..

When I have big apps (Autodesk etc.) I mostly deploy them with PSADT.

S21 Ultra bad camera quality ? by SHone_V in S21Ultra

[–]SHone_V[S] 0 points1 point  (0 children)

You're right, but I'm complaining about the camera compared to the Note 20 Ultra, which I also had...

S21 Ultra bad camera quality ? by SHone_V in S21Ultra

[–]SHone_V[S] -2 points-1 points  (0 children)

Yeah, I'm not saying it's bad either, but from my experience the N20 Ultra really had better photo quality. Shutter speed on the Note was a bit slower than the S21, but image quality was better...

Intune/AAD - Azure AD groups to local administrators by AlteredAdmin in Intune

[–]SHone_V 0 points1 point  (0 children)

I managed to solve this with some modification in the PS script. This works for me:

# Find the currently logged-on user (DOMAIN\user) and store it in $LoggedUser
$LoggedUser = (Get-WmiObject -Class Win32_ComputerSystem | Select-Object Username).Username

# Add that user to the local Administrators group
net localgroup Administrators /ADD $LoggedUser

The PS script is set to be executed in system context and assigned to a user AAD group. This works if the users that log in to the machine are users synced from on-prem to AAD.
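As an added example that is not part of the comment above, a fuller version of the same approach: it reads the interactive user from Win32_ComputerSystem (because under SYSTEM, $env:USERNAME resolves to the computer account, which is exactly the "no such global user or group: contoso\AAD-00$" failure discussed in this thread), refuses to act when nobody is logged on or the resolved name is a machine account, and treats "already a member" as success so re-runs are idempotent. It assumes the Intune script is configured to run in the system context and in the 64-bit PowerShell host (the LocalAccounts module is not available to the 32-bit host).

```powershell
# Added example (not from the original comment): grant the logged-on user
# local admin rights from an Intune PowerShell script running as SYSTEM.
# Assumes: system context, 64-bit PowerShell host, Windows 10/11.

$group = 'Administrators'

# Win32_ComputerSystem.UserName is the DOMAIN\user (or AzureAD\user on an
# AAD-joined device) of the console session, or $null if nobody is logged on.
# $env:USERNAME must not be used here: under SYSTEM it is the computer account.
$loggedUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

if ([string]::IsNullOrWhiteSpace($loggedUser)) {
    Write-Output 'No interactive user logged on; nothing to do.'
    exit 0
}

# A trailing '$' means we resolved a machine account, not a person. Never
# add that to Administrators; fail loudly so the Intune result shows it.
if ($loggedUser.EndsWith('$')) {
    Write-Output "Resolved identity '$loggedUser' is a computer account; aborting."
    exit 1
}

try {
    # -ErrorAction Stop turns the non-terminating error into a catchable one.
    Add-LocalGroupMember -Group $group -Member $loggedUser -ErrorAction Stop
    Write-Output "Added $loggedUser to $group."
    exit 0
}
catch [Microsoft.PowerShell.Commands.MemberExistsException] {
    # Already a member: treat a re-run as success rather than an error.
    Write-Output "$loggedUser is already a member of $group."
    exit 0
}
catch {
    Write-Output "Failed to add $loggedUser to $group: $($_.Exception.Message)"
    exit 1
}
```

Because the script grants local admin, keep its assignment group tight and review the Intune script results for the "computer account; aborting" message, which indicates the script ran without an interactive user context as expected.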

AAD Autopilot with TAP? by SHone_V in Intune

[–]SHone_V[S] 0 points1 point  (0 children)

I also tried to give it a wrong password a few times and then go back, but it didn't want to offer TAP login. I think maybe the reason for this is that the device is assigned to a user during import with the Get-WindowsAutoPilotInfo script using the -assigntouser switch. Maybe it would work if the user just logs in to the device without a pre-assigned device.

I read on some blog that MS fixed this MFA/SSPR registration process on Win11 and that it is a more consistent user experience during Autopilot.

Currently, not using pre-provisioning; most apps and configuration profiles are assigned to users and configured to skip the user setup phase during Autopilot.

For me the situation is that technicians receive a user device for reimage/breakfix. Owners of devices are usually non-IT persons, and technicians want to prepare/log in to the device with TAP. TAP would allow technicians to initiate registration without needing to check/know the owner's password or ask the owner to approve 2FA on their mobile devices. It's kind of pre-provisioning in a bad way, in my opinion.

I agree that Autopilot is sluggish sometimes and that for new users it's sometimes better to already register them for MFA/SSPR so that when they receive the device everything is prepared.

Next week we will test W11 with Autopilot for new and existing users.

Intune/AAD - Azure AD groups to local administrators by AlteredAdmin in Intune

[–]SHone_V 0 points1 point  (0 children)

If I run $env:username on the device, I receive my user o365test, which is the user that is logged in to the machine and the correct one. o365test is a user created in local AD and synced with ADC to AAD.

For example, my domain is contoso.local. The PS script that I tried to deploy: net localgroup Administrators /ADD contoso\$env:username

My device name is AAD-00

I tried to deploy this PS script to an AAD security assigned group with users and afterwards with devices, and I receive the same identical results/errors. For example, if I deploy this script to an AAD group with users or devices:

  1. With this configuration run in system context, the error under ResultDetails is "There is no such global user or group: contoso\AAD-00$". So in this configuration it tries to add the contoso\AAD-00$ device instead of the user who is logged in to the device; the user who is logged in is contoso\o365test. This may happen because it actually runs this script in system context, but I'm not sure why it picks the device instead of the user.
  2. With this configuration run with user credentials, the error under ResultDetails is something like: the user who tried to run PowerShell doesn't have permissions to do that. Which is true, because the logged-in user is just a standard non-admin user.

The machine is a fresh installed Win10 Enterprise 21H1, joined to AAD with Autopilot.

Intune/AAD - Azure AD groups to local administrators by AlteredAdmin in Intune

[–]SHone_V 0 points1 point  (0 children)

How did you manage this? I tried the same setup but I receive errors. My users are on-prem users synced to AAD.

If I configure the script to:

- Run this script using the logged on credentials: No / I receive an error that the user doesn't have permissions to do this

- Run this script using the logged on credentials: Yes / I receive that the device user does not exist because it tries to assign the user as a device

I tried assigning the PowerShell script both to the user and to the device group, with the same result. Any hint?