r/AzureVirtualDesktop

AVD netskope internet issues

Hi team,

We have recently started noticing internet connection issues within AVD.

We use netskope on AVD and all user traffic to the internet goes through it.

We have multiple users logging into the AVD farm.

The scenario of the issue is this: let's say four people log into a host.

1st user logs in at 7:15am

2nd user logs in at 7:45am

3rd user logs in at 8am

4th user logs in at 8:15am

If the 1st user goes on idle or disconnects, everyone on the session host cannot get internet connectivity, until I log off the 1st user and then internet connection is restored for everyone.

I'm wondering if anyone has come across this behaviour in a multi-user host using Netskope.

I did see this article from netskope/limitation but unsure if it relates to my issue.

Also, we do not have NPA enabled on AVD.

https://docs.netskope.com/en/netskope-client-for-virtual-desktop-infrastructure-vdi

reddit.com
u/dokouce — 2 days ago
▲ 4 r/AzureVirtualDesktop+1 crossposts

How are you guys handling Windows Updates for multi-session AVD hosts in Azure Gov?

As far as I’m aware:

  • Intune Update Rings aren’t supported
  • Azure Update Manager also isn’t supported in Azure Gov

Right now, doing updates manually feels like a huge operational headache. I could probably automate parts of it with Run Command / PowerShell scripts, but it still feels pretty clunky for production-scale management.

We’re also not looking to bring in third-party tooling just for patching (I know solutions like Nerdio exist, but purchasing additional software isn’t currently on the table).

Curious what others in Azure Gov.....

u/LastCraft5004 — 1 day ago
▲ 9 r/AzureVirtualDesktop+1 crossposts

"Please Wait" 25H2 AVD Hosts

Issue Details:

I'm unable to reproduce the issue on my systems, however we've had a handful of users who report that when their PC wakes up from sleep AND they reconnect to an existing AVD session they're faced with this Please Wait screen, such as below.

The only way to resolve is by either:

  1. An admin force logging them off via Entra Portal
  2. The session times out after x hours - we have inactive/disconnected session timeouts set to 3 hours.

https://preview.redd.it/vevhyyp3zp0h1.png?width=1302&format=png&auto=webp&s=b64a5712cad0cb0b54c17fd9e7d6d97c01364d99

Environment Details:

- Windows 11 25H2 Multi-Session AVD Host Pool, Premium SSD OS Disk

- FSLogix Latest Version, profiles stored on NetApp Premium Storage

- Hosts are Hybrid AD Joined (Clients are mostly Hybrid AD joined as well, but had this happen on non-AD joined client workstations as well)

- Not specific to 1 host; this happened on multiple hosts in the pool

- Users are connecting via Windows App

Things Tried (But does not fix):

- Rebooting user's system

- Logging off / back into Windows App

- Tried changing VM SKU from D-Series v4 to v5, and v6

- Event Viewer or FSLogix logs do not show any relevant or helpful information

- We also have a mix of users in a 23H2 pool; does not have this issue, same GPOs and Host Pool RDP settings

Current Work-Around:

- Going into Power Settings and changing Put the Computer to Sleep to: Never

Looking for some ideas

u/Electrical_Arm7411 — 1 day ago

Hi all,

I manage AVD in house without 3rd party software (Nerdio or Hydra). I am in the middle of making a workbook for our service desk support team which captures as much detail of a user's session as possible.

It’s looking pretty good so far but wanted to see if anyone has created something similar that you can share on what you have inside the workbook that I may have missed. Once mine is complete I can share it with you all.

Many thanks

PS I will share some screen shots soon of my work in progress.

u/Wat_Da_Fuckk — 11 days ago
▲ 7 r/AzureVirtualDesktop+1 crossposts

Hello everyone!

We're a very small and fairly recent M365 full-cloud MSP. All of our customers are M365 SMB similar to us. We recently acquired and assembled for very cheap, piece by piece, something which is probably quite mundane but which looks like a Behemoth to us who never had more than a NAS and cheap laptops: a DELL PowerEdge R640 server, with 92 cores, 768GB DDR, 40TB of U.2 SSD storage, running ProxMox (PVE). On the side, we're currently building a smaller R640 server to run incremental backups through ProxMox backup (PBS).

Looking to put this server to good use, we decided to explore VDI and thin clients, and aimed our sights at starting with us for a test case. While I have in the past used Windows Server with AD DS to open local sessions, this is about as much as I know on the subject. Our goal here would be:
- to be able to run parallel Windows user sessions on our server for our staff
- both on-premise or from home
- using our Entra credentials
- and exploring the possibility of ditching our old laptops for thin clients, perhaps at some point in the future
- maybe exploring the possibility, once we master this technology, to rent Windows VMs to some of our customers for RDS application

Admittedly, this train of thought took us to a whole new world, which we had carefully avoided so far and which we understand very little about. Azure OPEX costs, FSLogix, Azure Arc, and so on. So far, we came to the conclusion that:
- what existed for Windows VDI which didn't require Citrix or some other 3rd-party were: Windows 365, AVD running an Azure pool hosted over at Microsoft, AVD running an Azure Local (Azure HCI Stack) on our server. We're interested in the latter, which yields quite a few immediate questions. Any and all help to any question will be received with much joy and gratitude, as Microsoft certainly isn't fighting its best fight rendering this VDI tech accessible to total noobs such as us. Or we might just be a little dense, which is certainly a possibility, lol. Questions are:

1°) Hardware: While what we see as the meanest/baddest piece of equipment we own is probably a pretty weak, run-of-the-mill server going by industry standards, we're certain a well-domesticated 92-core 768-GB machine could be running quite a few parallel instances of Windows 11. Do you know how many we could hope for? IS there a calculator of some sorts you trust for such estimates?

2°) ProxMox: We fell into the ProxMox rabbithole, having never used any type 1 hypervisor so far. Perhaps this is not the smartest choice, and we should really opt for a Hyper-V server instead. Could anyone with experience with both in the context of Windows VDI chime in on that?

3°) Azure Local recurring costs: As we understand it (because the pricing looks like an unholy clusterfuck to us), Azure Local presents us with its own costs. Which can be opted as a per vCore basis (9€/month a pop), or otherwise (using an online price calculator which I can't seem to use). Another way about it, considering our server has 92 cores, would be Azure Hybrid Benefits waving off any Azure Local costs, but we're unsure as to how we could enable this.

4°) Azure Arc: We have absolutely no comprehension whatsoever of whatever Azure Arc might be. While the Microsoft documentation seems to indicate it doesn't concern us in the scope of Azure Local...

Microsoft official page on Azure Virtual Desktop

...we seem to run into the evocation of Azure Arc pretty much anywhere offering us installation procedures for what we're trying to achieve. Such as here. In the end, we're not sure whether we need Azure Arc or not, but it seems to come with a price tag we're OK to pay (.01€/hour/vCore), if it's absolutely required.

5°) FSLogix: Another concept we regularly stumble upon is FSLogix. While I originally thought this was something of an "SMB/CIFS optimizer" for FileServer in Azure user sessions, it seems to be much more. To the point where certain posts and videos led me to believe, perhaps erroneously, that FSLogix now working (in preview) with Entra ID since a few months, meant we wouldn't need Domain Services (which we don't really mind) nor switching from an ENTRA-joined to a Hybrid infrastructure (which we do mind, and which terrifies us without bounds).

6°) Entra DS: If FSLogix playing nice and allowing us to use Entra ID (through ENTRA-joined VMs) on Azure Local is not an option and I was deceived in my hopes, at an extra cost, Entra DS seems like a way to maintain a full-cloud infrastructure. Is this what I should do? Does Entra DS provide me with a REAL domain controller I can use to suit our purpose, or is it simply a glorified LDAP, to be used strictly for Kerberos authentication on legacy SSO applications?

7°) AD DS (on-prem or in VM): If neither FSLogix nor Entra DS can save us from it, we are willing to transition from an M365 infra to a hybrid infra. But we do feel this is going backwards and opposing the general trend and zeitgeist. If we were to do this, what would be the best way to sync our Entra down on a local AD? Entra Cloud Sync or Entra Connect?

8°) Nerdio: We were advised, through different channels, to look into Nerdio to drive our costs down when using Entra Local. Does anyone have experience with that? I set up a meeting with them, and should receive an explanation from them directly as to what they could help us with cost-wise.

9°) Anything I'm not considering yet: I'm sure I'm still missing a lot from the big picture, and will gladly receive any and all input from anybody with expertise or first-hand experience with running Windows VDI on an on-prem server for a full-cloud small org.

u/Antoine-UY — 8 days ago

I recently switched my PC from Windows to Linux and want to use my M365 Cloud PC. Are there any plans from Microsoft to release a Linux native Windows App? If not, is anyone accessing their Cloud PC / Shared VDI via Linux?

I am aware there is a Webapp, but I really liked the "native" feel of the Windows App on Windows.

u/rhinooox — 8 days ago

W11 multi-session image with Office apps. Outlook will get stuck at "trying to connect" and Teams constantly says "we couldn't authenticate you". Reboot of machine usually fixes, sometimes comes back a day later, sometimes 5-6 days. I had to schedule a weekly reboot on Sundays to try to mitigate this.

The host is 23H2 and I know it needs to be updated but I'm in a pinch right now with usage being 24x7 so I can't bring things down for any length of time.

Has anyone seen this and have any sort of fix?

u/RylosGato — 13 days ago

Hi all. What’s everyone's take on best practices for redirections and keeping profile sizes low? I’ve got users hitting 50-55gb. What would you recommend, especially for Outlook mailboxes and cache mode options? I don’t want to hinder Outlook performance but with 40 users and growing their FSLogix storage (v1) is hitting 2TB. I’d like to move them to v2 but clean this all up and get shrinking.

Thanks in advance.

u/Existing_Potential60 — 12 days ago

Hi everyone,

I'm battling a frustrating intermittent Kerberos issue with AVD and FSLogix profiles on Azure Files (AD DS integrated), and Microsoft Support is currently spinning their wheels ...

We recently ran the Microsoft script to update our Azure Files AD computer object to AES-256 to comply with the recent April 2026 Kerberos Hardening (CVE-2026-20833 / RC4 deprecation). Since then, we've had random FSLogix mount failures.

The Symptoms

  • Users randomly fail to mount profiles with FSLogix Error: [ERROR:000004f1] FindFile failed... (The system cannot contact a domain controller to service the authentication request.)
  • The weird workaround: If a VM is failing, rebooting it and immediately logging in via RDP with an Admin account "warms up" the Kerberos cache. Subsequent standard users connecting via the AVD Windows App to that same host will work perfectly for the rest of the day.
  • Running klist -li 0x3e7 purge to clear the SYSTEM cache sometimes allows it to pull a fresh ticket and recover, pointing to a "DC Roulette" issue where some DCs hand out bad tickets or reject the request.

The Hard Evidence & Troubleshooting

We bypassed FSLogix to test raw SMB/Kerberos and found the following:

  1. Manual Ticket Request Fails: Running klist get cifs/name.file.core.windows.net on a failing AVD returns: Error calling API LsaCallAuthenticationPackage... 0x6fb klist failed with 0xc000018b/-1073741429: The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.
  2. VM Trust is 100% Healthy: Test-ComputerSecureChannel is True. The DC Event Logs (Event 4768) show the AVD VM successfully getting a TGT using AES-256 (0x12).
  3. The Drop (Event 4769): When the VM asks the DC for the service ticket to the Azure Files share, the DC throws Failure Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) and Ticket Encryption Type 0xFFFFFFFF.
  4. Encryption Attributes are Correct:
    • Azure Files Object (msDS-SupportedEncryptionTypes): 16 (AES-256)
    • AVD Session Hosts: 24
    • Domain Controllers: 28
  5. The Basics are Covered: No duplicate SPNs (setspn -Q). AD Replication is perfectly healthy across all DCs (repadmin /showrepl). Line of sight is fine.

Our Theory

Since the VM trust is fine and AD replication is healthy, we suspect the AES-256 script we ran successfully updated the attributes, but caused a Key Version Number (KVNO) / Password hash mismatch between the Azure Files storage account backend and the AD DS computer object. When the AVD asks a DC for a ticket, the DC uses a mismatched key and throws the trust error.

My Questions

  1. Has anyone else experienced this exact 0xc000018b / 0x6 error specifically after running the Azure Files AES-256 rotation scripts?
  2. Before I pull the trigger in production, has running Update-AzStorageAccountADObjectPassword permanently fixed this KVNO sync issue for you, or did it break things further?
  3. Is there a deeper KDC caching issue at play here with the April 2026 patches?
u/hsrocha22 — 8 days ago
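
The encryption-type masks and event codes quoted in the Kerberos post above can be decoded mechanically, which helps separate an encryption-type mismatch from a principal lookup failure. This is an added example, not code from the poster or from Microsoft; the event record is constructed from the values quoted in the post, and the function and variable names are hypothetical.

```python
# Added example: decode msDS-SupportedEncryptionTypes masks and triage a 4769 failure.
# Flag values follow MS-KILE; error codes follow RFC 4120.
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
KDC_ERRORS = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0xE: "KDC_ERR_ETYPE_NOSUPP",
}
NO_TICKET = 0xFFFFFFFF  # etype value logged in audit-failure events

# Constructed from the values quoted in the post (not real log data).
POST_MASKS = {"Azure Files object": 16, "AVD session hosts": 24, "Domain controllers": 28}
POST_EVENT = {"EventID": 4769, "FailureCode": "0x6", "TicketEncryptionType": "0xFFFFFFFF"}

def decode_enctypes(mask):
    """Names of the encryption types enabled in a mask.
    A mask of 0 (attribute unset) means the domain default applies; not modelled here."""
    return [name for bit, name in sorted(ETYPE_BITS.items()) if mask & bit]

def common_enctypes(*masks):
    """Encryption types every party advertises (bitwise AND of all masks)."""
    shared = 0x1F
    for m in masks:
        shared &= m
    return decode_enctypes(shared)

def triage_4769(event, masks):
    """Classify a service-ticket failure using the failure code and the shared etypes."""
    code = int(event["FailureCode"], 16)
    etype = int(event["TicketEncryptionType"], 16)
    shared = common_enctypes(*masks.values())
    if code == 0xE or not shared:
        finding = "enctype-mismatch"
    elif code in (0x6, 0x7):
        finding = "principal-lookup-failed"
    else:
        finding = "other"
    return {
        "error": KDC_ERRORS.get(code, f"unknown (0x{code:x})"),
        "ticket_issued": etype != NO_TICKET,
        "shared_enctypes": shared,
        "finding": finding,
    }

if __name__ == "__main__":
    for who, mask in POST_MASKS.items():
        print(f"{who}: {mask} -> {decode_enctypes(mask)}")
    print(triage_4769(POST_EVENT, POST_MASKS))
```

With the post's values, all three masks share AES256, so the result is classified as a principal lookup failure and not as an encryption-type negotiation failure (which would surface as 0xE).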

Firstly - I have 3 or 4 years of MS365 experience, I have a lot of years of VMware & VMware Horizon experience. I used Jonathon Edwards' YouTube to deploy but it's out of date somewhat. So I have everything deployed, I set up 1 VM, joined to Entra, registered in Intune, (trying) to use SSO, and I CAN log in to the desktop with local admin if I change the setting to not use SSO, but when I turn it on I just get login failed, pretty quickly. I don't see much as far as Entra logging, I see a success for Windows 365 Client (Is that the AVD?). I see the desktop in Entra, it's in my dynamic group, I did the steps in the below MS Learn to turn on MS Auth for RDP for the Cloud Login Ent App. My CAs are passing. What troubleshooting path is next?

https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on?WT.mc_id=Portal-Microsoft_Azure_WVD

u/jcorbin121 — 13 days ago

This is my first AVD deployment and I found something I thought to question and confirm.

Right now I have 3 users, and they come on in the morning and leave at night. Fully logged off.

Every morning when they log on they get a session number. And the session number keeps going up. We've had em on for a week now and today they are at session number 77-79. (We have tech users who also jump in and out during the day).

Does this go on infinitely? What happens when I have 100 users going?

I was assuming that once a user is totally logged off, the session number is available for someone else. Does it just always go higher and higher? That's ringing alarm bells. Does this point to something wrong in my deployment?

u/DelphiEx — 9 days ago
▲ 4 r/AzureVirtualDesktop+1 crossposts

Hey all,

With the NVIDIA v3 series VMs going away in September and the fact that v5 series VMs are seemingly NEVER available when you need them (at least for us in East US 2), has anyone worked with, or had real-world experience with, any of the AMD GPU VM options Azure offers? Running software like SolidWorks, Ansys Suite, Adobe Suite, Autodesk Suite, Vectorworks, many others. I haven't had any experience in real production with these GPUs to see if they hold up / work as well as the NVIDIA GPU VMs do.

Anyone with any experience?

Thank you

u/Calm_Wrangler_1478 — 10 days ago

We hit a similar issue recently in a Windows 11 multi-session AVD setup. The VMs looked healthy, but users randomly got black screens and profiles stayed stuck in “Pending”.

In our case it was mainly FSLogix profile locking + storage latency during peak sign-ins.

A few things worth checking:

  • FSLogix logs on affected hosts
  • Stale/disconnected sessions
  • SMB/storage latency
  • AV exclusions for FSLogix
  • Host resource spikes during login hours

Rebooting usually clears it temporarily because the profile locks finally release.

u/tresorrarereviews — 7 days ago

Hi,

Strange issue, we have Entra ID joined session hosts. Session login for new sessions is fine, however when a user locks the AVD session and comes back to unlock it, it sticks on Welcome for 30+ seconds. Happening to many users.

Thought it may be drive mappings but they are all active. Nothing in the event log, FSLogix process log shows unlocking happening in 1 second.

Bit of a loss, any ideas?

Thanks

u/KevinHal82 — 12 days ago

Hello,

Recently, we have been facing multiple black screen issues reported by users while trying to log in to AVD. We could not identify any issues with the VM itself.

In a few instances, we also noticed that many user profiles were showing a Pending status.

As a temporary workaround, stopping and starting the server clears the pending status for the user profiles.

Any advice.

u/Additional_Farm3036 — 8 days ago

Hi,

Is anyone having any passkey issues recently?

Our users need to connect to AVD before they can access anything.

So load Windows App > Log in with passkey = OK

Session hosts = Entra Joined Win 11

Profile loads up, can log into portal.azure.com as it has Windows Hello and can seamlessly sign into apps. But, if the user needs to reauthenticate accessing a privileged resource, the passkey prompt no longer passes down to the host PC. Previously it prompts for Android/iOS Scan or Passkey. (Using Edge).

We just get a popup that shows "Use your security key with login.microsoft.com" and nothing pops up. I see a bunch of 1060 errors in the WebAuthN Operational Log, not much else to go on.

Using latest Windows App and web browser version using Edge.

Errors:

WebAuthN error at: WebAuthNAuthenticatorRemoteRpcDVCException

TransactionId: {8fb22ea1-e4c4-459a-95a2-0b7cde4d832a}

Error: 0x80070032. The request is not supported.

Advanced options:

audiocapturemode:i:0;audiomode:i:0;enablecredsspsupport:i:1;enablerdsaadauth:i:1;videoplaybackmode:i:1;devicestoredirect:s:;drivestoredirect:s:;redirectclipboard:i:0;redirectcomports:i:0;redirectprinters:i:0;redirectsmartcards:i:1;redirectwebauthn:i:1;usbdevicestoredirect:s:;use multimon:i:1;autoreconnection enabled:i:1;bandwidthautodetect:i:1;networkautodetect:i:1;compression:i:1;camerastoredirect:s:;dynamic resolution:i:1;singlemoninwindowedmode:i:1

- WebAuthn redirection blocked by policy (fDisableWebAuthn=1): False

- Bluetooth Support Service disabled (bthserv): False

- UmRdpService disabled: False

Firewall logs look OK.

Seems to be a little hit and miss, but getting worse?

u/bopsbt — 13 days ago