Client cannot reach the Windows Virtual Desktop service

There’s something common between AVD and eG Enterprise. Can you take a wild guess? Listening on open TCP ports is an extremely bad practice for cloud architectures, as it exposes products and services to accepting incoming messages from malicious parties. This is something eG Innovations avoids in our own products (see details).

This is also a best practice adopted by Microsoft for Azure Virtual Desktop (AVD). With its “Reverse Connect” technology, you can run a VM without keeping any inbound ports open. This means that the VMs on AVD are not exposed to the Internet directly.

Azure Virtual Desktop uses reverse connect transport for establishing the remote session and for carrying RDP traffic. Unlike on-premises Remote Desktop Services (RDS) deployments, reverse connect transport doesn’t use a TCP listener to receive incoming RDP connections. Instead, it uses outbound connectivity to the Azure Virtual Desktop infrastructure over an HTTPS connection.

Microsoft’s own documentation covers how this is done; see Understanding Azure Virtual Desktop network connectivity – Azure | Microsoft Docs. Ryan Mangan has also covered the security benefits of this approach on A Deep Dive In to Windows Virtual Desktop – Reverse Connect – Ryan Mangan’s IT Blog (ryanmangansitblog.com) and WVD Reverse Connect – The Fish Tank Analogy – Ryan Mangan’s IT Blog (ryanmangansitblog.com).


But how do I get the real client IP of an AVD user?

So, Reverse Connect is awesome… But it does obfuscate some very basic information about your end users, such as their real client IP. Whilst this information can be obtained via agents on the end-users’ endpoints, many administrators prefer to avoid this approach, particularly MSPs or organizations providing BYOD and DaaS-like services.

The client IP information is available, but most monitoring tools don’t monitor the parts of the AVD deployment where information such as the true client IP can be captured. If you are monitoring an Azure AVD deployment, you really need to monitor all the components of the deployment beyond just hosts and VMs, i.e., the components detailed in the AVD requirements, such as:

  • Azure Active Directory
  • Your own cloud-hosted or on-prem Windows Server Active Directory (AD) in sync with Azure Active Directory. You’ll also need to monitor that and the Azure AD Connector component that provides the synchronization to Azure AD
  • Your Azure subscription
  • Implied in this, is also a need to monitor the AVD broker

Beyond this, many eG Enterprise customers choose to add proactive synthetic monitoring and testing, i.e., scheduled robot users.


Figure 1: When monitoring AVD, it’s essential to monitor beyond host pools and sessions and monitor essential components, such as the AVD Broker and Azure Active Directory (AD).

eG Enterprise provides a domain-specific model to capture the information available from the AVD Broker and it is here that the administrator can obtain access to a user’s real client IP, location, etc. This is essential information for both troubleshooting and auditing the systems that are being accessed by authorized users.

AVD (was WVD) user forums are littered with IT admins asking this very basic question – “Is there a way to retrieve the client IP of each WVD session?”, “Why can’t I see the client-side IP address?”, etc.

Users fully understand the reasons the IP isn’t available via the on-premises mechanisms they use; they simply want a way to access this key information. One eloquent user summed up his problem recently on the Microsoft community forums:

  • “In our current environment, we’re using thin clients at several sites connecting to a Citrix farm. By making calls to wtsapi32.dll, we retrieve the IP address of the thin client, which enables us to determine its physical location and do all kinds of stuff specific for that location, including mapping printers and drives, but also logging for tracing and accountability. Using the Remote Desktop app for WVD, however, the client IP address is never returned. It designates the IP address family as AF_UNSPEC.

    I can understand why the wtsapi32.dll does not work in this scenario, as the client does not directly connect to the WVD, but is there another way to retrieve the client IP address? It’s important it can be read from within the context and session of the user.”

The eG Enterprise Solution – How to access the client IP for AVD sessions within a few simple clicks


  1. Within this, scroll to the “AVD Connections By Host Pools” tests and select the appropriate host pool you are interested in.


  2. Now, click the detailed diagnosis icon (the magnifying glass) next to a connection metric such as “Total started connections (Number)” or “Total connected connections (Number)”. Detailed diagnosis tests run automatically when appropriate, so when sessions are connected, a detailed diagnosis test captures the details of the session. By default, you will see the “Latest” diagnosis run, and there is always a timestamp to help you verify the chronology. If you want to review events further in the past, simply select a longer timeframe using the “Timeline” dropdown.
  3. Detailed tabulated information is presented in the results table, including Client OS, Client version, Client-side IP, and Client type. Note: in the top right-hand corner, as with all detailed diagnostics, there is an option to export the data as a .PDF or .CSV file (for analysis in MS Excel).


Learn more

Let’s see how to start with AVD Troubleshooting Options Tips Tricks. I have seen many scenarios where I was not able to connect to the WVD host pool (VM) and host pools are not appearing. Since I’m new to AVD, I didn’t know how to start AVD Troubleshooting.

You can use a PowerShell script to collect all the logs for Azure Virtual Desktop troubleshooting. Robert Viktor Klemencz @ Microsoft built this tool and shared it with the community. More details about AVD-Collect are in a later section of this post.

In this post, I’m trying to help the AVD community begin the troubleshooting process. (Related post: WVD is GA’d, Generally Available worldwide, with the App Attach feature.) The following posts provide more detailed troubleshooting steps.

Introduction

There could be many ways to perform AVD troubleshooting. However, I’m going to share my experience in this blog. These are random tips to troubleshoot AVD issues. The AVD Error codes are available in Microsoft documentation here.

What are the AVD Troubleshooting Options?

  • Azure Portal – Check whether VMs are up and Running
  • Try to run the Remote commands from Azure Portal -> Virtual Machines -> Operations -> Run Command.
  • Evaluate Group Policies from AD to check whether those policies are blocking access to the AVD Host Pool VM.
  • Confirm whether the user is assigned to appropriate AVD host pool application groups
  • PowerShell, PowerShell, and PowerShell
  • Event Logs – Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational

AVD Troubleshooting Options Tips Tricks – Azure Virtual Desktop

Oops, we couldn’t connect to “Session Desktop” – We couldn’t connect to the gateway because of an error. If this keeps happening, ask your admin or tech support for help. Reconnect / Cancel – “Can’t log in to HostPool” AVD Troubleshooting Tips.

Azure VM Run Commands – AVD Troubleshooting

What are RUN Commands? Run Command uses the VM agent to run PowerShell scripts within an Azure Windows VM. More details about Azure Windows VM Run commands are here.

NOTE! – You can’t connect directly to the Azure Windows VM over RDP, because AVD host pool VMs don’t have a public IP or RDP ports enabled for external connectivity.

Run PowerShell Commands

The most useful run command I found for AVD troubleshooting is RunPowerShellScript. It lets you execute a PowerShell script or any other PowerShell commands on the VM. As you can see in the following, I’m trying to get the list of Group Policies applied to that VM.

RSOP.MSC didn’t give any output because of the obvious reason – AVD Troubleshooting

AVD Qwinsta Command

The command qwinsta will help you understand whether the RD listener is working fine on the VM or not. If it isn’t, that is the problem with the AVD host pool: we get connection or gateway errors when the AVD RD listener is not listening.

PS C:\Users\ACNWinENTImage> qwinsta
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
>rdp-tcp#1         ACNWinENTImage            2  Active
 31c5ce94259d4...                        65536  Listen
 rdp-tcp                                 65537  Listen

AVD Troubleshooting qwinsta – AVD Troubleshooting Options Tips Tricks – Azure Virtual Desktop

Check Event Logs Using Run Commands – RemoteDesktopServices

You can also run the PowerShell command below to get the Remote Desktop Services logs. More details about PowerShell commands to collect event logs are available in Microsoft docs.

Get-EventLog -logname RemoteDesktopServices

NOTE! – Also, you can try to get the AVD related event logs from Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational.

AVD Log Collector PowerShell Script

You can use the following script to collect all the logs for Azure Virtual Desktop troubleshooting. More details about AVD-Collect follow in this section of the post. Robert Viktor Klemencz @ Microsoft is the owner of the script, and all credit goes to him.

You can download the AVD Collector Script from here -> https://aka.ms/avd-collect

"Core" (suitable for troubleshooting issues that do not involve Profiles or Teams or MSIX App Attach)
  • Collects core troubleshooting data without including Profiles/FSLogix/OneDrive or Teams or MSIXAA or Smart Card related data
  • Runs Diagnostics. Diagnostics results will be logged

"Core + Profiles" (suitable for troubleshooting Profiles issues)
  • Collects all Core data
  • Collects Profiles/FSLogix/OneDrive related information, as available
  • Runs Diagnostics. Diagnostics results will be logged

"Core + Teams" (suitable for troubleshooting Teams issues)
  • Collects all Core data
  • Collects Teams related information, as available
  • Runs Diagnostics. Diagnostics results will be logged

"Core + MSIX App Attach" (suitable for troubleshooting MSIX App Attach issues)
  • Collects all Core data
  • Collects MSIX App Attach related information, as available
  • Runs Diagnostics. Diagnostics results will be logged

"Core + MSRA" (suitable for troubleshooting Remote Assistance issues)
  • Collects all Core data
  • Collects Remote Assistance related information, as available
  • Runs Diagnostics. Diagnostics results will be logged

"Core + SCard" (suitable for troubleshooting Smart Card issues)
  • May prompt for smartcard PIN during data collection
  • Collects all Core data
  • Collects Smart Card and RD Gateway/KDC Proxy related information, as available
  • Runs Diagnostics. Diagnostics results will be logged

"DiagOnly"
  • Skips Core and all scenario-based data collection and runs Diagnostics only (regardless if any other parameters have been specified)
  • Runs Diagnostics. Diagnostics results will be logged

The default scenario is "Core".

Available command line parameters (to preselect the desired scenario):

  • "-Core" - Collects Core data + Runs Diagnostics
  • "-Profiles" - Collects all Core data + Profiles/FSLogix/OneDrive data + Runs Diagnostics
  • "-Teams" - Collects all Core data + Teams data + Runs Diagnostics
  • "-MSIXAA" - Collects all Core data + MSIX App Attach data + Runs Diagnostics
  • "-MSRA" - Collects all Core data + Remote Assistance data + Runs Diagnostics
  • "-SCard" - Collects all Core data + Smart Card/RDGW data + Runs Diagnostics
  • "-DiagOnly" - The script will skip all data collection and will only run the diagnostics part (even if other parameters have been included).
  • "-AcceptEula" - Silently accepts the Microsoft Diagnostic Tools End User License Agreement

Usage examples with parameters:

To collect only Core data (excluding Profiles/FSLogix/OneDrive, Teams, MSIX App Attach, MSRA, Smart Card):
.\AVD-Collect.ps1 -Core

To collect Core + Profiles + MSIX App Attach data
.\AVD-Collect.ps1 -Profiles -MSIXAA

To collect Core + Profiles data
.\AVD-Collect.ps1 -Profiles

To run Diagnostics without collecting Core or scenario-based data
.\AVD-Collect.ps1 -DiagOnly

If you are missing any of the data that the script should normally collect (see “Data being collected”), check the content of the “_AVD-Collect-Log.txt” and “_AVD-Collect-Errors.txt” files for more information. Some data may not be present during data collection and thus not picked up by the script. This should be visible in one of the two text files.

PowerShell ExecutionPolicy

If the script does not start, complaining about execution restrictions, then in an elevated PowerShell console run:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process

and verify with “Get-ExecutionPolicy -List” that no ExecutionPolicy with higher precedence is blocking the execution of this script.
The script is digitally signed with a Microsoft Code Sign certificate.

After that, run the AVD-Collect script again.

Once the script has started, please read the “IMPORTANT NOTICE” message and confirm if you agree to continue with the data collection.

Depending on the amount of data that needs to be collected, the script may need to run for a few minutes. Please wait until the script finishes collecting all the data.

====================

Data being collected

The collected data is stored in a subfolder under the same folder where the script is located and at the end of the data collection, the results are archived into a .zip file. No data is automatically uploaded to Microsoft.

Data collected in the “Core” scenario:

• Log files
  o C:\Packages\Plugins\Microsoft.Powershell.DSC\\Status\
  o C:\Packages\Plugins\Microsoft.Compute.JsonADDomainExtension\\Status\
  o C:\Packages\Plugins\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\\Status\
  o C:\Program Files\Microsoft RDInfra\AgentInstall.txt
  o C:\Program Files\Microsoft RDInfra\GenevaInstall.txt
  o C:\Program Files\Microsoft RDInfra\SXSStackInstall.txt
  o C:\Program Files\Microsoft RDInfra\WVDAgentManagerInstall.txt
  o C:\Users\AgentInstall.txt
  o C:\Users\AgentBootLoaderInstall.txt
  o C:\Windows\debug\NetSetup.log
  o C:\Windows\Temp\ScriptLog.log
  o C:\WindowsAzure\Logs\WaAppAgent.log
  o C:\WindowsAzure\Logs\MonitoringAgent.log
  o C:\WindowsAzure\Logs\Plugins\
• Geneva Scheduled Task information
• “set MON” output (Monitoring Agent)
• Local group membership information
  o Remote Desktop Users
• Registry keys
  o HKEY_CURRENT_USER\Control Panel\International
  o HKEY_CURRENT_USER\Keyboard Layout
  o HKEY_CURRENT_USER\SOFTWARE\Microsoft\RdClientRadc
  o HKEY_CURRENT_USER\SOFTWARE\Microsoft\Remote Desktop
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure\DSC
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSRDC\Policies
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RDAgentBootLoader
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RDInfraAgent
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RDMonitoringAgent
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WVDAgentManager
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RdAgent
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDAgentBootLoader
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WVDAgent
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WVDAgentManager
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM
  o HKEY_LOCAL_MACHINE\SYSTEM\Keyboard Layout
• Event Logs
  o Application
  o Microsoft-Windows-CAPI2/Operational
  o Microsoft-Windows-DSC/Operational
  o Microsoft-Windows-PowerShell/Operational
  o Microsoft-Windows-RemoteDesktopServices
  o Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Admin
  o Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational
  o Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
  o Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  o Microsoft-Windows-TaskScheduler/Operational
  o Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
  o Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  o Microsoft-Windows-TerminalServices-PnPDevices/Admin
  o Microsoft-Windows-TerminalServices-PnPDevices/Operational
  o Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
  o Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  o Microsoft-Windows-WinINet-Config/ProxyConfigChanged
  o Microsoft-Windows-WinRM/Operational
  o Microsoft-WindowsAzure-Diagnostics/Bootstrapper
  o Microsoft-WindowsAzure-Diagnostics/GuestAgent
  o Microsoft-WindowsAzure-Diagnostics/Heartbeat
  o Microsoft-WindowsAzure-Diagnostics/Runtime
  o Microsoft-WindowsAzure-Status/GuestAgent
  o Microsoft-WindowsAzure-Status/Plugins
  o Security
  o System
• “gpresult /h” and “gpresult /r /v” output
• “fltmc filters” output
• Details of the running processes and services
• Networking information (firewall rules, ipconfig /all, profiles, netstat -anob, proxy configuration)
• “Qwinsta /counter” output
• PowerShell version
• “Get-Hotfix” output
• “Get-DscConfiguration” and “Get-DscConfigurationStatus” output
• File versions of the currently running binaries
• File information about the AVD desktop client binaries (“msrdc.exe” and “msrdcw.exe”)
• File versions of key binaries:
  o Windows\System32\*.dll
  o Windows\System32\*.exe
  o Windows\System32\*.sys
  o Windows\System32\drivers\*.sys
• Basic system information
• .NET Framework information
• Msinfo32 output (in .nfo and .txt format)
• WinRM configuration information
• Certificate My store information
• Certificate thumbprint information
• DxDiag output in .txt format with no WHQL check
• “dsregcmd /status” output
• The content of the “C:\Users\%username%\AppData\Local\Temp\DiagOutputDir\RdClientAutoTrace” folder (available on devices used as source clients to connect to AVD hosts) from the past 5 days, containing:
  o AVD remote desktop client connection ETL traces
  o AVD remote desktop client application ETL traces
  o AVD remote desktop client upgrade log (MSI.log)
• Convert existing .tsf files on AVD hosts from under “C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Monitoring\Tables” into .csv files and collect the resulting .csv files
• “route print” output
• “Azure Instance Metadata service endpoint” request info
• api/health and api/health status
• Output of “Test-DscConfiguration -Detailed”
• Output of “C:\Program Files\NVIDIA Corporation\NVSMI\nvidia-smi.exe” (if the NVIDIA GPU drivers are already installed on the machine)
• Output of “C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe”
• Remote Desktop License Server database information (if RDLS role is installed – for Server OS deployments):
  o Win32_TSLicenseKeyPack under ‘_RDS*_rdls_LicenseKeyPacks.html’
  o Win32_TSIssuedLicense under ‘_RDS*_rdls_IssuedLicenses.html’

Data collected additionally to the “Core” dataset, depending on the selected scenario or command line parameter(s) used:

• Log files
  o C:\ProgramData\FSLogix\Logs
  o %appdata%\Microsoft\Teams\logs.txt
  o %userprofile%\Downloads\MSTeams Diagnostics Log DATE_TIME.txt
  o %userprofile%\Downloads\MSTeams Diagnostics Log DATE_TIME_calling.txt
  o %userprofile%\Downloads\MSTeams Diagnostics Log DATE_TIME_cdl.txt
  o %userprofile%\Downloads\MSTeams Diagnostics Log DATE_TIME_cdlWorker.txt
  o %userprofile%\Downloads\MSTeams Diagnostics Log DATE_TIME_chatListData.txt
  o %userprofile%\Downloads\MSTeams Diagnostics Log DATE_TIME_sync.txt
  o %userprofile%\Downloads\MSTeams Diagnostics Log DATE_TIME_vdi_partner.txt
• Registry keys
  o HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office
  o HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive
  o HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive
  o HKEY_LOCAL_MACHINE\SOFTWARE\FSLogix
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\FSLogix
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Teams
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDWebRTCSvc
• Event Logs
  o Microsoft-FSLogix-Apps/Admin
  o Microsoft-FSLogix-Apps/Operational
  o Microsoft-Windows-AppXDeploymentServer/Operational
  o Microsoft-Windows-Kerberos-KDCProxy/Operational
  o Microsoft-Windows-RemoteAssistance/Admin
  o Microsoft-Windows-RemoteAssistance/Operational
  o Microsoft-Windows-SmartCard-Audit/Authentication
  o Microsoft-Windows-SmartCard-DeviceEnum/Operational
  o Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin
  o Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational
  o Microsoft-Windows-SMBClient/Connectivity
  o Microsoft-Windows-SMBClient/Operational
  o Microsoft-Windows-SMBClient/Security
  o Microsoft-Windows-SMBServer/Connectivity
  o Microsoft-Windows-SMBServer/Operational
  o Microsoft-Windows-SMBServer/Security
  o Microsoft-Windows-User Profile Service/Operational
  o Microsoft-Windows-VHDMP/Operational
• FSLogix tool output
  o frx list-redirects
  o frx list-rules
  o frx version
• Local group membership information
  o FSLogix ODFC Exclude List
  o FSLogix ODFC Include List
  o FSLogix Profile Exclude List
  o FSLogix Profile Include List
• Local group membership information
  o Distributed COM Users
  o Offer Remote Assistance Helpers
• “certutil -scinfo -silent” output
• RD Gateway information when run on the KDC Proxy server and the RD Gateway role is present
  o Server Settings, Resource Authorization Policy, Connection Authorization Policy

========

AVD-Diag

AVD-Collect also performs diagnostics for some common known issues, regardless of the selected scenario. Based on your requirements, you may want to skip specific data collection or run diagnostics only. See the scenario descriptions above.

New diagnostics checks may be added in each new release, so make sure to always use the latest version of the script.

Important Notes:
“Diagnostics” is not a replacement for full data analysis. It is only meant to give you basic diagnostics of some common scenarios and to ease further troubleshooting. Depending on the scenario, further data collection and analysis will be needed.

Version 210730.16 of the script can perform the following diagnostics:

• Brief check of the system the script is running on (from AVD point of view): FQDN, OS, OS Build, OS SKU, VM Size, VM Location
  o Check if the VM is part of an AVD host pool: SessionHostPool name, Ring, Geography
  o Check if the running OS is supported when the VM is part of an AVD host pool
  o Check for last machine boot uptime, with an extra notification if it occurred >= 25 hours ago
  o Check for the number of vCPUs available on the machine
  o Check for “LmCompatibilityLevel” registry key value
  o Check for Time Zone Redirection policy configuration
• Check for GPU configuration when using NV* or NC* VM series (checks required policy configuration and lists available video controllers and their driver versions)
• Check for Azure AD-join configuration
• Check the status of key services: RdAgent, RDAgentBootLoader, WVDAgent (Win7 only), WVDAgentManager (Win7 only), TermService, SessionEnv, UmRdpService, AppReadiness, AppXSvc, WinRM, frxsvc, frxdrv, frxccds, OneDrive Updater Service, msi server (Windows Installer)
• Check for current and previous AVD Agent and Stack versions and their installation dates (Windows 10 and Server OS hosts)
• Check for the following registry keys:
  o HKLM\SOFTWARE\Microsoft\RDInfraAgent\IsRegistered
  o HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fQueryUserConfigFromDC
  o HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
  o HKLM\SYSTEM\Setup\OOBEInProgress
  o HKLM\SOFTWARE\FSLogix\Profiles\RedirXMLSourceFolder
• Check for all available RD listeners and their configuration: fEnableWinStation, fReverseConnectMode, ReverseConnectionListener
• Check for API/health and API/health availability
• Check for the Screen Capture Protection policy configuration
• Check for Session Time Limit policy settings
• Check for device and resource redirection policy configuration
• Check for camera and microphone privacy settings (general and desktop apps)
• Check for required URLs
• Check for proxy configuration
• Check for basic Test-NetConnection reply
• Check for Process crashes that occurred within the last 5 days
• Check for SSL/TLS configuration
• Check if the Remote Desktop Session Host role is installed on the VM when running a Server OS
• Check if reg key “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware” is enabled on Server OS
• Check for FSLogix best practice settings for enterprises
• Check for FSLogix registry key “HKLM\SOFTWARE\FSLogix\Profiles\NoProfileContainingFolder”
• Check if the FSLogix storage location defined under ‘VHDLocations’ is reachable (Test-NetConnection), for Profile and Office containers
• Check for “frxsvc” service recovery settings
• Check for Cloud Cache “CCDLocations” registry key for Profile and Office Container
• Check the availability and value of the “CleanupInvalidSessions” registry key when FSLogix is present on the system
• Check for the presence of the recommended Windows Defender Antivirus exclusion values when FSLogix is present on the system
• Check OneDrive configuration/requirements when FSLogix is present on the system
• Check media optimization configuration for Teams when Teams is present on the system
• Check for the Multimedia Redirection for AVD configuration (MsMmrHostMri installation only)
• Check the availability and value of the reg key ‘DeleteUserAppContainersOnLogoff’ for firewall rules bloating scenarios
• Check WinRM configuration / requirements
  o Presence of “WinRMRemoteWMIUsers__” group
  o IPv4Filter and IPv6Filter values
  o Presence of firewall rules for ports 5985 and 5986
• Check for RDP ShortPath configuration (Windows 10 and Server OS hosts)
• Check for AVD agent issues over the past 5 days:
  o “INVALID_REGISTRATION_TOKEN” (Event 3277)
  o “INVALID_FORM” (Event 3277)
  o “InstallationHealthCheckFailedException” (Event 3277)
  o “ENDPOINT_NOT_FOUND” (Event 3277)
  o “NAME_ALREADY_REGISTERED” (Event 3277)
  o “InstallMsiException” (Event 3277)
  o “DownloadMsiException” (Event 3277)
  o “Transport received an exception” (Event 3019)
  o “RD Gateway Url” (Event 3703)
  o “MissingMethodException” (Event 3389)
  o “SessionHost unhealthy” (Event 0)
  o “IMDS not accessible” (Event 0)
  o “Monitoring Agent Launcher file path was NOT located” (Event 0)
  o “NOT ALL required URLs are accessible!” (Event 0)
  o “Unable to connect to the remote server” (Event 0)
  o “Unhandled status [ConnectFailure] returned for url” (Event 0)
  o “System.ComponentModel.Win32Exception (0x80004005)”
• Check for MSIX App Attach issues over the past 5 days:
  o “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider”
  o “MountDisk: Error occured during mount”
  o “SysNtfyLogoff: Package deregistration for MSIX app attach failed during user logoff”
  o “Failed to get the minimum OS version supported for app attach: System.AggregateException: One or more errors occurred”
  o “AppAttachStageAsync: Failed to get packages to staging”
  o “DeregisterPackages: Failed to get packages to deregister”
  o “InnerRestException: Error accessing virtual disk”
• Check for FSLogix issues over the past 5 days:
  o “Failed to open virtual disk” (Event 26 – FSLogix-Apps/Operational)
  o “FindFile failed for path” (Event 26 – FSLogix-Apps/Operational)
  o “LoadProfile failed” (Event 26 – FSLogix-Apps/Operational)
  o “The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server” (Event 4 – System)

The script generates a *_AVD-Diag.txt and a *_AVD-Diag.html output file with the results of the above checks. Additional output files may be generated if process crashes or AVD Agent or MSIX App Attach issues have been identified.
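The following PowerShell script is an added example (it is not part of this post and not part of AVD-Collect) that reproduces a handful of the AVD-Diag checks listed above in read-only form: the RDInfraAgent IsRegistered value, fDenyTSConnections, the listener fEnableWinStation/fReverseConnectMode flags, the core services and the qwinsta listener state. It is written to be pasted into Azure Run Command (RunPowerShellScript) as described earlier; the WinStations registry path and the OK/WARN/FAIL labels are my choices.

```powershell
# Added example (not part of this post or of AVD-Collect): a read-only check of a few
# session-host settings that the AVD-Diag list above inspects. It reads registry values,
# service state and qwinsta output and prints findings; it changes nothing, so it is
# safe to run through Azure Run Command (RunPowerShellScript).

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Severity, [string]$Message) {
    $findings.Add(('[{0}] {1}' -f $Severity, $Message))
}

# 1. AVD agent registration (HKLM\SOFTWARE\Microsoft\RDInfraAgent\IsRegistered)
$agent = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\RDInfraAgent' -ErrorAction SilentlyContinue
if (-not $agent) {
    Add-Finding 'FAIL' 'RDInfraAgent key missing: the AVD agent is not installed on this VM.'
} elseif ($agent.IsRegistered -ne 1) {
    Add-Finding 'FAIL' ('IsRegistered = {0}: the VM is not registered with a host pool.' -f $agent.IsRegistered)
} else {
    Add-Finding 'OK' 'AVD agent reports IsRegistered = 1.'
}

# 2. fDenyTSConnections = 1 denies every Remote Desktop session, reverse-connect ones
#    included; a security baseline GPO is a common source of this value.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 1) {
    Add-Finding 'FAIL' 'fDenyTSConnections = 1: Remote Desktop connections are denied (check GPO).'
} else {
    Add-Finding 'OK' 'fDenyTSConnections is not set to 1.'
}

# 3. RD listeners: AVD needs an enabled listener running in reverse-connect mode.
#    Listener keys are read from ...\Terminal Server\WinStations (assumed path).
$winStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$reverseListeners = 0
foreach ($key in (Get-ChildItem -Path $winStations -ErrorAction SilentlyContinue)) {
    $l = Get-ItemProperty -Path $key.PSPath
    if ($l.fReverseConnectMode -eq 1) {
        $reverseListeners++
        $sev = if ($l.fEnableWinStation -eq 1) { 'OK' } else { 'FAIL' }
        Add-Finding $sev ('Reverse-connect listener {0}: fEnableWinStation = {1}' -f $key.PSChildName, $l.fEnableWinStation)
    }
}
if ($reverseListeners -eq 0) {
    Add-Finding 'FAIL' 'No listener with fReverseConnectMode = 1 was found.'
}

# 4. Services from the AVD-Diag list that a working host pool VM depends on.
foreach ($name in 'RdAgent', 'RDAgentBootLoader', 'TermService', 'SessionEnv', 'UmRdpService') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Add-Finding 'WARN' ('Service {0} not found.' -f $name)
    } elseif ($svc.Status -ne 'Running') {
        Add-Finding 'FAIL' ('Service {0} is {1}.' -f $name, $svc.Status)
    } else {
        Add-Finding 'OK' ('Service {0} is running.' -f $name)
    }
}

# 5. qwinsta: expect an rdp listener row in state "Listen" (compare the sample output earlier).
$rows = & qwinsta 2>$null
if ($rows | Where-Object { $_ -match '^\s*rdp-\S+\s+.*\bListen\b' }) {
    Add-Finding 'OK' 'qwinsta shows an rdp listener in Listen state.'
} else {
    Add-Finding 'FAIL' 'qwinsta shows no rdp listener in Listen state.'
}

# Print FAIL first, then WARN, then OK, so problems sit at the top of the Run Command output.
$findings | Sort-Object { if ($_ -match '^\[FAIL\]') { 0 } elseif ($_ -match '^\[WARN\]') { 1 } else { 2 } }
```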

==========

Tool Owner

Robert Viktor Klemencz @ Microsoft Customer Service and Support
If you have any feedback about the tool or want to report any issues with it, please reach out to [email protected]

Group Policies

I have seen group policies creating trouble with VMs in the AVD host pool. Evaluate the group policies applied to the OU that the AVD VMs are part of.

I have seen scenarios where removing some of the group policies helped to regain access to VMs in the host pool. So, the group policies are one of the main AVD troubleshooting steps. Don’t apply all the security policies to the VMs without testing them thoroughly.

PowerShell Cmdlets

AVD troubleshooting with PowerShell cmdlets is another useful way to resolve the issue. Make sure you have all the required PowerShell modules installed and imported on the machine before starting the AVD troubleshooting.

## Install & Import AzureAD Module
Install-Module -Name AzureAD
Import-Module -Name AzureAD

## Install & Import RD - WVD Module
Install-Module -Name Microsoft.RDInfra.RDPowerShell
Import-Module -Name Microsoft.RDInfra.RDPowerShell

## Login with Azure AD Account
Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com

AVD Troubleshooting – Install & Import Azure and RDInfra Module

Rds Diagnostic Activities

Make sure you have appropriate access to Azure AD and the AVD tenant before running the following PowerShell command. Use it to list the diagnostic activities for a user:

Get-RdsDiagnosticActivities -UserName "[email protected]" -TenantName $tenant -Detailed

The output with failures – This error was because of GPO policies! I had to remove the security-related group policies to get the WVD VM connectivity issue fixed.

AVD Event Logs

AVD RD application troubleshooting can be done via Event Viewer. You can follow this event log path:

Event Viewer (EventVwr) -> Application and Service Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreTS/Operational

For reference, this is the Get-RdsDiagnosticActivities output with failures referred to above (two failed connection activities from the HTML client):

ActivityId        : be333145-645e-4767-9df7-13a7246f0000
ActivityType      : Connection
StartTime         : 8/16/2019 6:08:12 PM
EndTime           : 8/16/2019 6:08:16 PM
UserName          : [email protected]
RoleInstances     : rdwebclient;mrs-eus2r1c002-
Outcome           : Failure
Status            : Completed
Details           : {[ClientOS, Win32 IE 11.0], [ClientVersion, 1.0.19.2], [ClientType, HTML], [PredecessorConnectionId, ]…}
LastHeartbeatTime : 8/16/2019 6:08:16 PM
Checkpoints       : {OnClientDisconnected}
Errors            : {Microsoft.RDInfra.Diagnostics.Common.DiagnosticsErrorInfo}

ActivityId        : a802a7c4-f6e6-40ee-86a5-c58e78160000
ActivityType      : Connection
StartTime         : 8/16/2019 6:07:59 PM
EndTime           : 8/16/2019 6:08:03 PM
UserName          : [email protected]
RoleInstances     : rdwebclient;mrs-eus2r1c002-
Outcome           : Failure
Status            : Completed
Details           : {[ClientOS, Win32 IE 11.0], [ClientVersion, 1.0.19.2], [ClientType, HTML], [PredecessorConnectionId, ]…}
LastHeartbeatTime : 8/16/2019 6:08:03 PM
Checkpoints       : {OnClientDisconnected}
Errors            : {Microsoft.RDInfra.Diagnostics.Common.DiagnosticsErrorInfo}

AVD Troubleshooting – RemoteDesktopServices-RdpCoreTS/Operational

Sample AVD Event Logs

Disconnect trace:CUMRDPConnection Disconnect trace:'calling spGfxPlugin->PreDisconnect()' in CUMRDPConnection::PreDisconnect at 4983 err=[0xb], Error code:0xB
Interface method called: PreDisconnect(11)
Interface method called: SetErrorInfo(0xb)
Interface method called: DisconnectNotify
Interface method called: GetServerAutoReconnectInfo
The disconnect reason is 11
Channel rdpdr has been closed between the server and the client on transport tunnel: 0.
Channel cliprdr has been closed between the server and the client on transport tunnel: 0.
Channel rail has been closed between the server and the client on transport tunnel: 0.
Channel railenc has been closed between the server and the client on transport tunnel: 0.
'WINHTTP_CALLBACK_STATUS_REQUEST_ERROR WebSocket operation 'WINHTTP_WEB_SOCKET_RECEIVE_OPERATION'' in CHttpIoRequestWinHttp::StatusCallback at 2257 err=[0x2efe]
Websocket WINHTTP_CALLBACK_STATUS_REQUEST_ERROR 'Forcing Websocket shutdown.' in CHttpIoRequestWinHttp::Shutdown at 1048 err=[0x0]
'Closing Websocket Handle=0x160ef360' in CHttpIoRequestWinHttp::Shutdown at 1058 err=[0x0]
WSSSTATETRANSITION: An error was encountered when transitioning from WSStateDisconnecting in response to WSSGenericEvent (error code 0x80072EFE).
'WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING called Handle=0x6f4fef98' in CHttpIoRequestWinHttp::StatusCallback at 2063 err=[0x0]
'Handle closing - stream type: 3' in CHttpIoRequestWinHttp::ContinueProcessingCallback at 2926 err=[0x0]
Interface method called: OnDisconnected(server initiated)
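As an added example (not part of this post), the script below turns the RdpCoreTS/Operational trace shown above into a per-host summary: it counts "The disconnect reason is N" values, non-zero err=[0x…]/error code values and server-initiated disconnects over the last few days. The -SampleOnly switch, the Get-RdpDisconnectSummary function name and the embedded sample lines (copied from the trace above) are mine; the log name is the one named in this post.

```powershell
# Added example (not part of this post): summarise disconnect reasons and WinHTTP/WebSocket
# error codes from RemoteDesktopServices-RdpCoreTS/Operational, the log whose trace is shown
# above. With -SampleOnly it parses the trace lines embedded below instead of the live log.
param(
    [int]$Days = 5,
    [switch]$SampleOnly
)

$LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'

# Constructed from the sample trace above; in the live log each of these is one event's Message.
$SampleMessages = @(
    "'calling spGfxPlugin->PreDisconnect()' in CUMRDPConnection::PreDisconnect at 4983 err=[0xb], Error code:0xB",
    'The disconnect reason is 11',
    'Channel rdpdr has been closed between the server and the client on transport tunnel: 0.',
    "'WINHTTP_CALLBACK_STATUS_REQUEST_ERROR WebSocket operation 'WINHTTP_WEB_SOCKET_RECEIVE_OPERATION'' in CHttpIoRequestWinHttp::StatusCallback at 2257 err=[0x2efe]",
    "'Closing Websocket Handle=0x160ef360' in CHttpIoRequestWinHttp::Shutdown at 1058 err=[0x0]",
    'WSSSTATETRANSITION: An error was encountered when transitioning from WSStateDisconnecting in response to WSSGenericEvent (error code 0x80072EFE).',
    'Interface method called: OnDisconnected(server initiated)'
)

function Get-RdpDisconnectSummary {
    param([string[]]$Messages)
    $reasons = @{}
    $codes   = @{}
    $serverInitiated = 0
    foreach ($m in $Messages) {
        # "The disconnect reason is N" is logged once per session teardown.
        if ($m -match 'The disconnect reason is (\d+)') {
            $reasons[$Matches[1]] = [int]$reasons[$Matches[1]] + 1
        }
        # Collect non-zero err=[0x..] and "error code 0x.." values. 0x2EFE / 0x80072EFE is
        # ERROR_INTERNET_CONNECTION_ABORTED (WinHTTP 12030): the reverse-connect WebSocket to
        # the gateway was torn down, which matches the "couldn't connect to the gateway" dialog.
        foreach ($hit in [regex]::Matches($m, 'err=\[0x([0-9A-Fa-f]+)\]|error code 0x([0-9A-Fa-f]+)')) {
            $code = if ($hit.Groups[1].Success) { $hit.Groups[1].Value } else { $hit.Groups[2].Value }
            $code = '0x' + $code.ToUpperInvariant()
            if ($code -ne '0x0') { $codes[$code] = [int]$codes[$code] + 1 }
        }
        if ($m -match 'OnDisconnected\(server initiated\)') { $serverInitiated++ }
    }
    [pscustomobject]@{
        Events            = $Messages.Count
        DisconnectReasons = $reasons
        ErrorCodes        = $codes
        ServerInitiated   = $serverInitiated
    }
}

if ($SampleOnly) {
    $messages = $SampleMessages
} else {
    # Live read; -ErrorAction SilentlyContinue keeps "No events were found" from aborting the run.
    $messages = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message })
}

$summary = Get-RdpDisconnectSummary -Messages $messages
'Events examined              : {0}' -f $summary.Events
'Server-initiated disconnects : {0}' -f $summary.ServerInitiated
'Disconnect reasons (reason => count):'
$summary.DisconnectReasons.GetEnumerator() | Sort-Object Key | ForEach-Object { '  {0} => {1}' -f $_.Key, $_.Value }
'Error codes (code => count):'
$summary.ErrorCodes.GetEnumerator() | Sort-Object Key | ForEach-Object { '  {0} => {1}' -f $_.Key, $_.Value }
```

On the embedded sample the summary reports reason 11 once, codes 0xB, 0x2EFE and 0x80072EFE once each, and one server-initiated disconnect; a cluster of 0x80072EFE across many sessions points at the gateway/WebSocket path rather than at the session host.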

Author

Anoop is a Microsoft MVP. He is a Solution Architect on enterprise client management with over 17 years of experience (calculated in 2018). He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.