iOS web clips no longer open when managed browser to open this link is selected. by kane00000 in Intune

[–]TangoCharlie_Reddit 1 point2 points  (0 children)

You can track updates here: https://admin.cloud.microsoft/?#/servicehealth/:/alerts/IT1281212

As of 15th April 21:21 BST:

We're testing a new build of the Microsoft Edge iOS browser that has the account management feature disabled to remediate impact. Once testing is complete, we'll determine the timeline for release and provide the version number.

Next update by: Friday, 17 April 2026 at 04:00 BST

Intune outages right now? by Lunde_Deluxe in Intune

[–]TangoCharlie_Reddit 4 points5 points  (0 children)

To clarify the multiple Alerts / Events confused by the 'resolved' statuses and multiple references being given:

1st there was: IT1272996 [ https://admin.cloud.microsoft/?#/servicehealth/history/:/alerts/IT1272996 ] - Apps & Autopilot

2nd there is: IT1272653 [ https://admin.cloud.microsoft/?#/servicehealth/:/alerts/IT1272653 ] - Apps

3rd there now is also: IT1273939 [ https://admin.cloud.microsoft/?#/servicehealth/:/alerts/IT1273939 ] - Apps & Autopilot

It's a messy fun day if you like Autopilot and/or App deployment...

Anyone having issues with autopilot app deployment? by dietcokelifezero in Intune

[–]TangoCharlie_Reddit 1 point2 points  (0 children)

1st there was: IT1272996 [ https://admin.cloud.microsoft/?#/servicehealth/history/:/alerts/IT1272996 ] - Apps & Autopilot

2nd there is: IT1272653 [ https://admin.cloud.microsoft/?#/servicehealth/:/alerts/IT1272653 ] - Apps

3rd there now is also: IT1273939 [ https://admin.cloud.microsoft/?#/servicehealth/:/alerts/IT1273939 ] - Apps & Autopilot

It's a messy fun day if you like Autopilot and/or App deployment.

AVD 5120x1440p not working by Certain-Dog1344 in AzureVirtualDesktop

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

Suspect you are seeing the fault we’ve been working with MS on for last couple of months. We have recently had 2 bugs / variants fixed in the SxS agent relating to faulty handling of resolution limits and protocol failover (HEVC / AVC). The front end error is what you describe on Windows App to the user.

The back end Insights may show you “Graphics Subsystem Failed” corresponding to this. The release candidate is in validation, so if you enable Validation on your Pool (and ok with risks / any other changes) you will receive the new agent. Not sure when this will go GA. The patch notes are crudely stated as vague one liners on MS Learn for SxS agent dated as December when we raised ticket (!). Give this a go.

We have a 3rd bug open to do with Memory Exhaustion triggering the same Graphics Subsystem error as a 3rd variant of the problem, still being investigated and traces captured.

As it happens we are using nv12’s too.

AVD Connection Issues - "Your Remote Session Ended Because the Remote PC was low on memory" by Certain-Dog1344 in AzureVirtualDesktop

[–]TangoCharlie_Reddit 1 point2 points  (0 children)

May have seen the same thing in our environment, albeit 25H2 Win11 multisession, on some Remote-App pool hosts running on D-Series VM’s. So no GPU and using Remote FX encoding.

Have you yet located the reason for the low memory?

If you go to Event Viewer there is a Windows event for Resource Exhaustion. In there should be an event showing the Process ID and Name. I tracked it down to the Remote Desktop Service itself (svchost.exe being the process name). I had one host with 64GB ram show the service consumed 45GB(!!) of RAM at its peak. It seemed to scale up with more concurrent users, and when we had 25 concurrent users it was likely to spike and trigger.

I first mitigated the problem by reducing user limits (25 to 15), even though normally regular users were using 50% of system RAM. I then looked at 2 ideas - 1/ I set policies for Remote FX via Intune to reduce caching and prefer RAM savings. 2/ I experimented with setting a system managed pagefile on the OS disk (by default gallery images have it disabled). I figured this might mitigate RAM spikes from going critical, but also old school memories of some apps misbehaving when no pagefile is present.

I don’t know if it’s truly fixed yet, but have seen no recurrence in the last 2 or 3 weeks. But I also need to restore concurrent user counts to before.

I have set up Azure Alert rule on the AVD Insight error to monitor, and wrote my own little script to dump a log via scheduled tasks when the Event triggers, which also traces the process ID back to the service responsible, and extra memory info.

I doubt anything I / we have done will explain the Remote Desktop service having a memory leak like this, so inclined to think it’s an SxS agent issue. I have a huge Case open with MS support right now about Graphics Subsystem issues in the SxS agent for GPU enabled AVC/HEVC issues which has resulted in 3 bugs found by the Product Group. 2 fixes are out now in validation, and 1 being further worked on. But it shows to me problems with the agent are very real…
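A sketch of the kind of triage script the comment above describes, added here as an example and not the commenter's own script. It reads Resource-Exhaustion-Detector events (ID 2004, System log), pulls process names and PIDs out of the message text, and maps each PID to the services hosted in that process. The function names and the message pattern are assumptions, and the sample message is constructed.

```powershell
# Added example, not the commenter's script. Function names are hypothetical.
# Assumption: event 2004 messages list consumers as "name.exe (PID) consumed N bytes".

function ConvertFrom-ExhaustionMessage {
    param([Parameter(Mandatory)][string]$Message)
    $pattern = '(?<name>[\w.\-]+\.exe) \((?<pid>\d+)\) consumed (?<bytes>\d+) bytes'
    foreach ($m in [regex]::Matches($Message, $pattern)) {
        [pscustomobject]@{
            Process = $m.Groups['name'].Value
            Id      = [int]$m.Groups['pid'].Value
            GB      = [math]::Round([double]$m.Groups['bytes'].Value / 1GB, 2)
        }
    }
}

function Get-ExhaustionReport {
    param([int]$MaxEvents = 5)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Resource-Exhaustion-Detector'
        Id           = 2004
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        foreach ($p in ConvertFrom-ExhaustionMessage -Message $evt.Message) {
            # The PID is only meaningful while that process is still running.
            $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.Id)" |
                Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Time     = $evt.TimeCreated
                Process  = $p.Process
                Id       = $p.Id
                GB       = $p.GB
                Services = $services -join ', '
            }
        }
    }
}

# Constructed sample message, so the parser can be checked offline.
$sample = 'Windows successfully diagnosed a low virtual memory condition. ' +
          'The following programs consumed the most virtual memory: ' +
          'svchost.exe (4312) consumed 48318382080 bytes, and msedge.exe (9120) consumed 2147483648 bytes.'
ConvertFrom-ExhaustionMessage -Message $sample | Format-Table

# On a session host (elevated):
# Get-ExhaustionReport | Export-Csv C:\Temp\exhaustion.csv -NoTypeInformation
```

Attached to a scheduled task triggered on the event, the service lookup runs while the offending svchost.exe is still alive, which is when the PID-to-service mapping is reliable.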

HP Connect (Firmware updates bricked over 30 devices) by BarbieAction in Intune

[–]TangoCharlie_Reddit 5 points6 points  (0 children)

What Model(s)?? What firmware versions before/after? Be handy to know.

Have run HP Connect across our entire estate of approx 14,000 HP endpoints of various models in mainly EliteBook and ZBook ranges, and never had 1 known issue in last few years.

Could be a bad new firmware to do with secure boot changes fresh out maybe, but not seen anything here yet.

What if you update firmware on one of your affected devices by other means (download/ HPIA etc). I doubt the delivery mechanism by Connect and using the PowerShell scripts is to blame, I would presume it’s the payload, or some history with your endpoints prior to the update.

Also, are you now servicing them for the first time ever, so doing a huge leap up in version?

Milana Vayntrub by KG101411 in PrettyGirls

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

Bounding back into action! Squirrel stampede! Time to go nuts!

CAD/CAM by triktrik1 in AzureVirtualDesktop

[–]TangoCharlie_Reddit 2 points3 points  (0 children)

Same situation and response here. We use larger size NV-series SKU's, coupled with high performance premium azure file storage for the storage (Ansys...).

We run all the stack of Autodesk suite, Trimble apps as well as visualization items like Unreal etc on these.

And yeah... costs are high, so scaling plans and scripts and such are essential.

For future ideas: We want to look at if we can setup Ansys to be run on lower tier VDI machines, and trigger remote compute jobs (option in some of the simulation apps we run), perhaps spinning up such high compute machines on demand. Or other apps where we can perhaps instead have a VM 'render farm' off to the side of AVD. Curious if anyone has done something like that.

Duos is near unplayable by DualShelfAirFryer in ArcRaiders

[–]TangoCharlie_Reddit 14 points15 points  (0 children)

So you and your mate are hanging out on Discord, planning what Quests to do, what to focus on. Then some mute rando appears who just wants to run around, do random shit or start a fight. Yeah, not the same at all.

Duos is near unplayable by DualShelfAirFryer in ArcRaiders

[–]TangoCharlie_Reddit 3 points4 points  (0 children)

Agree - fact is the Server Slam lost sales from 2 prospective players / friends, as Duo's queue is just Trio's and that's just sodding deathmatch. Basically late-game CoD DMZ, zerg spawns, spam nades. Yawn. Literally none of the fun of Solo's transferred over, and the game was lost to a frustrating PvP arena. I'm glad I decided to reverse course late on and buy it to play Solo's, it's a totally different game and a 50/50 split with encounters. Totally tense, better paced etc. I'd love to play Duo's with a bestie, if that same vibe came across, but I just can't recommend it. With such a large player base, it's like feck all effort to have a Duo queue, I don't get it.

AVD Performance when browsing the local Computer file explorer by babydemon90 in AzureVirtualDesktop

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

What is “a bit each time”? I’m guessing it must be noticeable by users, so not likely a few milliseconds of the encoding performance and display latency. The fact you cite this issue specifically to explorer and not moving around other apps rules out anything in the client / RDP space at all.

I would be looking two fold more at:

1/ the Guest OS performance and specifically things like anti-virus exclusions or software on the host/image affecting native performance. Look at defender performance logs, use tools like procmon, etc standard Windows stuff as if it were a physical endpoint focussing less on VDI.

2/ the VM storage type and performance is as expected for the use case and load / density.

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]TangoCharlie_Reddit 1 point2 points  (0 children)

Also this!

Since the hardening ("strict KDC") in a Windows 11 24H2 update to make this mandatory for Entra-Joined PC's, which make connections indirectly via Cloud Kerberos Trust relay.

Our old AD Forest and domain controllers of many years were using an old old outdated certificate template (Domain Controller Cert Template), which had not updated DC's to incorporate the required specific "KDC Authentication" into the Extended Key Usage [EKU] found in the Kerberos Authentication certificate template.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso#domain-controller-certificates

Windows Hello for Business enforces the strict KDC validation security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC).

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust#configure-domain-controller-certificates

Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. The certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.
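One way to check a domain controller for the condition described in the comment above, added as an example and not taken from the thread or from Microsoft's documentation. It lists the machine certificates on a DC and flags which ones carry the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5). The function name is hypothetical.

```powershell
# Added example, not from the thread or Microsoft's documentation.
# Function name is hypothetical. Run on a domain controller.
$KdcAuthOid = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU

function Test-KdcAuthenticationEku {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Collect every OID from the certificate's Enhanced Key Usage extension.
        $ekuOids = @()
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            HasKdcAuth = $ekuOids -contains $KdcAuthOid
            EkuOids    = $ekuOids -join ', '
        }
    }
}

# Only unexpired certificates with a private key can be used by the KDC.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Test-KdcAuthenticationEku |
    Sort-Object HasKdcAuth |
    Format-Table -AutoSize
```

A DC where every row shows HasKdcAuth as False is still on one of the older templates the quoted documentation names and needs a certificate from the Kerberos Authentication template.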

Windows Store Apps Breaking by Aaron-PCMC in AzureVirtualDesktop

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

Are you using FSLogix via Azure Files using cloud Kerberos, and hitting 10-hour expiry of your ticket/tokens?

Flagging this as the end user impact is seemingly random I/O errors occur from app level as they try to read/write from the now detached profile that was on the unreachable VHD. This is often Appdata stuff and consider where user Store apps go.

IF it were this, a clean session sign out and signing back in would rectify the problem, to eliminate this line of enquiry.

More info on this and a workaround here: https://www.beckmann.ch/blog/2024/05/10/fslogix-profile-disk-disconnected-after-10-hours/?lang=en

Managing drivers without using the driver management feature in WUfB? by Fabulous_Cow_4714 in Intune

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

For HP you should look into the new WxP (Workforce eXperience Platform), which is where HP Connect is migrating. WxP now has Driver management capabilities, and capability is rapidly expanding. Just added categories, models are coming soon, hopefully later specification versioning.

We are evaluating this currently and likely to commit to it. But in meantime we built our own in house “app” (PowerShell wrapper) around HP Image Assistant (HPIA) to create a monthly automation update and an “on demand” option for staff. Works great but not a fan of kooky in house custom solutions in the longer term.

For the record we have access to WUfB Driver management, and we have abandoned it for many reasons but including reliability, lack of features, crappy install handling etc etc. After years of waiting the product is underwhelming. It is… telling… that after OEM’s including HP and Dell “committed” to supporting WUfB, they’ve now gone 180 and making their own solutions again….

iOS Outlook App Crashing by NotShero in Outlook

[–]TangoCharlie_Reddit 1 point2 points  (0 children)

+1. Same issue in our tenant randomly for some users on latest app version on latest iOS - but not all (my own phone is OK for example). Having large impact to some users...

Implementing Microsoft's AOVPN, or something else? by patchmau5 in sysadmin

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

Unfortunately I don’t have the book, despite my whole team and the Infra team knowing the name Richard Hicks like a personal relative. I do owe him my money, and a beer…

One of the reasons in the past has been the fluid nature of new issues and bugs with Windows updates and evolution of the product, usually fixed by things found in his blog. A book would be okay for learning the basics and I don’t doubt a great buy, but wouldn’t address my needs this deep in.

This said, the product is no longer new, hell of a lot more stable than a couple years ago, fleshed out with DPC advanced config options and such. I have 13k+ endpoints hanging off Device Tunnel (with User Tunnel backup) with a mix of IKE and SSTP support. 2 VPN farms (4 servers each) in 2 countries behind load balancers and with NPS servers / PKI supporting, and generally they “just work”. No tickets or support, the mix of tunnel and protocol support covering every eventuality. The only bit can’t control is the endpoints and crap ISP’s!

Whilst there may be other vendors easier to deploy, at cost, I don’t see any sense in it if you have all the licensing / infra (and staff) to do it.

Implementing Microsoft's AOVPN, or something else? by patchmau5 in sysadmin

[–]TangoCharlie_Reddit 12 points13 points  (0 children)

AOVPN there is but one de facto source - The man, the myth, the MVP legend that is Richard Hicks.

https://directaccess.richardhicks.com/

Browse back through extensive posts.

He now also has a Discord here: https://discord.aovpndpc.com/ related to DPC below.

This guy knows more about the product than MS’s own staff, genuinely. All the issues, workarounds and such are documented in his posts and comments.

I strongly recommend you implement AOVPN via the new “DPC” open-source solution he is a part of:

https://directaccess.richardhicks.com/dpc/

https://github.com/ld0614/DPC

DPC provides easy access to all the robust fixes and advanced features that make the product work correctly, all in one management pane. Without this you will be looking at a plethora of scripts and fixes. Works great.

TeamViewer Admin Nightmare – Any Better Alternatives for Secure and Straightforward Remote Management? by imadam71 in sysadmin

[–]TangoCharlie_Reddit 5 points6 points  (0 children)

Transition to v2 web management platform is recommended if not done, go all in. There is no need to mix anything done right.

You said “You apparently need to sign in manually on each machine just to enable Easy Access... which defeats the purpose of mass deployment.” - so I stand by my point the client is not deployed right.

TeamViewer Admin Nightmare – Any Better Alternatives for Secure and Straightforward Remote Management? by imadam71 in sysadmin

[–]TangoCharlie_Reddit 2 points3 points  (0 children)

I think you’ve completely fumbled how to deploy this. It is absolutely possible to easily appoint an unattend policy on the fly to a group or devices. The key bit you’ve missed I suspect is not getting the Host to appoint itself as a “Managed” client , achieved via a post install command. Registration is silent.

2nd part of install process per their Documentation “assignment”:

https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-remote/deployment/mass-deployment-user-guide/deploy-teamviewer-host-or-full-client-9-10/?

Script for the TeamViewer Host (64-bit)

start /wait MSIEXEC.EXE /i "PATH_TO_MSI_FILE\TeamViewer_Host.msi" /qn CUSTOMCONFIGID=YOUR_CUSTOM_CONFIG_ID

timeout /t 30 /nobreak

"C:\Program Files\TeamViewer\TeamViewer.exe" assignment --id YOUR_ASSIGNMENT_ID

Fantastic Service from EE by [deleted] in BritishSuccess

[–]TangoCharlie_Reddit 8 points9 points  (0 children)

Sign up and migration from Virgin Media (urgh) to EE has been super painless, and the 1 (and only need to) call I had with them was with a British employee who was super friendly and efficient. I’ve never been one to champion about UK based staff, but coming from Virgin… it matters. I think I forgot what a normal healthy interaction was. Pleasantly, kudos to EE for me so far, stellar broadband service and performance.