Troubleshoot the Remote Desktop client for Windows when connecting to Azure Virtual Desktop
This article describes issues you may experience with the Remote Desktop client for Windows when connecting to Azure Virtual Desktop and how to fix them.
General
In this section you'll find troubleshooting guidance for general issues with the Remote Desktop client.
You don't see the expected resources
If you don't see the remote resources you're expecting to see in the app, check the account you're using. If you've already signed in with a different account than the one you want to use for Azure Virtual Desktop, you should first sign out, then sign in again with the correct account. If you're using the Remote Desktop Web client, you can use an InPrivate browser window to try a different account.
If you're using the correct account, make sure your application group is associated with a workspace.
Your account is configured to prevent you from using this device
If you come across an error saying "Your account is configured to prevent you from using this device. For more information, contact your system administrator", ensure the user account was given the Virtual Machine User Login role on the VMs.
The user name or password is incorrect
If you can't sign in and keep receiving an error message that says your credentials are incorrect, first make sure you're using the right credentials. If you keep seeing error messages, check to make sure you've fulfilled the following requirements:
- Have you assigned the Virtual Machine User Login role-based access control (RBAC) permission to the virtual machine (VM) or resource group for each user?
- Does your Conditional Access policy exclude multifactor authentication requirements for the Azure Windows VM sign-in cloud application?
If you've answered no to either of those questions, you'll need to reconfigure your multifactor authentication. To reconfigure your multifactor authentication, follow the instructions in Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access.
Important
VM sign-ins don't support per-user enabled or enforced Microsoft Entra multifactor authentication. If you try to sign in with multifactor authentication on a VM, you won't be able to sign in and will receive an error message.
If you have integrated Microsoft Entra logs with Azure Monitor logs to access your Microsoft Entra sign-in logs through Log Analytics, you can see if you've enabled multifactor authentication and which Conditional Access policy is triggering the event. The events shown are non-interactive user login events for the VM, which means the IP address will appear to come from the external IP address from which your VM accesses Microsoft Entra ID.
You can access your sign-in logs by running the following Kusto query:
let UPN = "userupn";
AADNonInteractiveUserSignInLogs
| where UserPrincipalName == UPN
| where AppId == "372140e0-b3b7-4226-8ef9-d57986796201"
| project ['Time']=(TimeGenerated), UserPrincipalName, AuthenticationRequirement, ['MFA Result']=ResultDescription, Status, ConditionalAccessPolicies, DeviceDetail, ['Virtual Machine IP']=IPAddress, ['Cloud App']=ResourceDisplayName
| order by ['Time'] desc
Retrieve and open client logs
You might need the client logs when investigating a problem.
To retrieve the client logs:
- Ensure no sessions are active and the client process isn't running in the background by right-clicking on the Remote Desktop icon in the system tray and selecting Disconnect all sessions.
- Open File Explorer.
- Navigate to the %temp%\DiagOutputDir\RdClientAutoTrace folder.
The logs are in the .ETL file format. You can convert these to .CSV or .XML to make them easily readable by using the tracerpt command. Find the name of the file you want to convert and make a note of it.
To convert the .ETL file to .CSV, open PowerShell and run the following, replacing the value for $filename with the name of the file you want to convert (without the extension) and $outputFolder with the directory in which to create the .CSV file.
$filename = "<filename>"
$outputFolder = "C:\Temp"
cd $env:TEMP\DiagOutputDir\RdClientAutoTrace
tracerpt "$filename.etl" -o "$outputFolder\$filename.csv" -of csv
To convert the .ETL file to .XML, open Command Prompt or PowerShell and run the following, replacing <filename> with the name of the file you want to convert and $outputFolder with the directory in which to create the .XML file.
$filename = "<filename>"
$outputFolder = "C:\Temp"
cd $env:TEMP\DiagOutputDir\RdClientAutoTrace
tracerpt "$filename.etl" -o "$outputFolder\$filename.xml"
Client stops responding or can't be opened
If the Remote Desktop client for Windows or Azure Virtual Desktop Store app for Windows stops responding or can't be opened, you may need to reset user data. If you can open the client, you can reset user data from the About menu, or if you can't open the client, you can reset user data from the command line. The default settings for the client will be restored and you'll be unsubscribed from all workspaces.
To reset user data from the client:
Open the Remote Desktop app on your device.
Select the three dots at the top right-hand corner to show the menu, then select About.
In the section Reset user data, select Reset. To confirm you want to reset your user data, select Continue.
To reset user data from the command line:
Open PowerShell.
Change the directory to where the Remote Desktop client is installed, by default this is C:\Program Files\Remote Desktop.
Run the following command to reset user data. You'll be prompted to confirm you want to reset your user data.
.\msrdcw.exe /reset
You can also add the /f option, where your user data will be reset without confirmation:
.\msrdcw.exe /reset /f
Your administrator may have ended your session
You see the error message "Your administrator may have ended your session. Try connecting again. If this does not work, ask your administrator or technical support for help" when the policy setting Allow users to connect remotely using Remote Desktop Services has been set to disabled.
To configure the policy to enable users to connect again, follow the steps that match how your session hosts are managed: Group Policy or Intune.
For Group Policy:
Open the Group Policy Management Console (GPMC) for session hosts managed with Active Directory or the Local Group Policy Editor console and edit the policy that targets your session hosts.
Browse to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
Set the policy setting Allow users to connect remotely using Remote Desktop Services to Enabled.
For Intune:
Open the Settings catalog.
Browse to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
Set the policy setting Allow users to connect remotely using Remote Desktop Services to Enabled.
Authentication and identity
In this section you'll find troubleshooting guidance for authentication and identity issues with the Remote Desktop client.
The logon attempt failed
If you come across an error saying "The logon attempt failed" on the Windows Security credential prompt, verify the following:
- You're using a device that is Microsoft Entra joined or Microsoft Entra hybrid joined to the same Microsoft Entra tenant as the session host.
- The PKU2U protocol is enabled on both the local PC and the session host.
- Per-user multifactor authentication is disabled for the user account as it's not supported for Microsoft Entra joined VMs.
The sign-in method you're trying to use isn't allowed
If you come across an error saying "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator", you have Conditional Access policies restricting access. Follow the instructions in Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access to enforce Microsoft Entra multifactor authentication for your Microsoft Entra joined VMs.
A specified logon session does not exist. It may already have been terminated.
If you come across an error that says "An authentication error occurred. A specified logon session does not exist. It may already have been terminated", verify that you properly created and configured the Kerberos server object when configuring single sign-on.
Authentication issues while using an N SKU of Windows
Authentication issues can happen because you're using an N SKU of Windows on your local device without the Media Feature Pack. For more information and to learn how to install the Media Feature Pack, see Media Feature Pack list for Windows N editions.
Authentication issues when TLS 1.2 not enabled
Authentication issues can happen when your local Windows device doesn't have TLS 1.2 enabled. To enable TLS 1.2, you need to set the following registry values:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

| Value Name | Type | Value Data |
|---|---|---|
| DisabledByDefault | DWORD | 0 |
| Enabled | DWORD | 1 |

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

| Value Name | Type | Value Data |
|---|---|---|
| DisabledByDefault | DWORD | 0 |
| Enabled | DWORD | 1 |

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

| Value Name | Type | Value Data |
|---|---|---|
| SystemDefaultTlsVersions | DWORD | 1 |
| SchUseStrongCrypto | DWORD | 1 |
You can configure these registry values by opening PowerShell as an administrator and running the following commands:
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWORD' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWORD' -Force
New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWORD' -Force
Issue isn't listed here
If your issue isn't listed here, see Troubleshooting overview, feedback, and support for Azure Virtual Desktop for information about how to open an Azure support case for Azure Virtual Desktop.