Azure Virtual Desktop your account is configured to prevent you from using this device
Connections to Azure AD-joined VMs
Important: This content applies to Azure Virtual Desktop with Azure Resource Manager Azure Virtual Desktop objects. Use this article to resolve issues with connections to Azure Active Directory (Azure AD)-joined VMs in Azure Virtual Desktop.
Jim3994
Under the user properties in AD, is there a list of computers that they are able to log in to? That sounds like the error message that Windows gives for that.
BillB13, Jun 14, 2017 at 18:49 UTC
They're set to all computers.
Rod-IT (Active Directory & GPO expert), Jun 14, 2017 at 18:50 UTC
Standard users cannot join machines to the domain, but this is only done once. Are you saying they have issues logging in thereafter? If so, what DNS do the clients use?
Rob Sitze
1. Start -> Administrative Tools -> Active Directory Users and Computers
BillB13, Jun 14, 2017 at 18:52 UTC
Already done that. Set to all computers.
Jim3994
Look at the local security policy. It is Security Settings -> Local Policies -> User Rights Assignment; then check where it says "Allow log on locally" and make sure it isn't just set to Domain Admins.
Jim3994
Just re-read and saw the part about it being grayed out: https://blogs.msdn.microsoft.com/alross/2011/04/26/security-policy-settings-greyed-out
BillB13, Jun 14, 2017 at 18:57 UTC
Already joined the PCs to the domain as the admin, not trying to as the user. The DNS is the DC.
Rob Sitze
I noticed you said no internet connection. Does this mean your Server 2012 R2 has not received any updates since the clean install? Is that true for the Win 10 clients as well? Just a theory, but since Windows 10 came out after Server 2012 R2, if there are no updates then GP might be failing on the newer client OSes. Toss this theory out if you've updated them all.
Rod-IT (Active Directory & GPO expert), Jun 14, 2017 at 19:03 UTC
Do the clients have any other DNS settings? Can you show us the actual error please?
Rob Sitze
On the client computers, check the local groups. This should have been done automatically during the domain join process, but you never know: the Administrators group must have Domain Admins listed, and the Users group must have Domain Users listed.
L0ST_0NE
Please run ipconfig /all on one of the computers having issues and post the output.
BillB13, Jun 14, 2017 at 19:13 UTC
Thank you for that. I was able to get in and am now able to edit GPO settings. Now I'm just trying to figure out which settings. The password options didn't help.
BillB13, Jun 14, 2017 at 19:14 UTC
We manually update them. But that might be something to look at too.
BillB13, Jun 14, 2017 at 19:25 UTC
There are no other DNS settings other than the DC. The actual message is "Your account is configured to prevent you from using this PC. Please try another PC."
BillB13, Jun 14, 2017 at 19:26 UTC
I can't post an ipconfig /all as this is a closed room. I can tell you what the settings are if you're looking for something specific.
Rod-IT (Active Directory & GPO expert), Jun 14, 2017 at 19:26 UTC
Are all machines from the same image?
Rod-IT (Active Directory & GPO expert), Jun 14, 2017 at 19:31 UTC
Are the PCs' event logs full? If they are set to a specific file size and not allowed to overwrite, then a user will get this error; an admin can log in even when the log is full, otherwise no one would be able to get in. Clear the event logs and try again. If you get an error accessing the event logs, then something is corrupt and you will need to clear them all.
Justin1250 (Active Directory & GPO expert)
Set your User Rights Assignment in the Default Domain GPO. It sounds like Domain Users got removed from the "Allow log on locally" assignment, or they are being denied.
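The replies in this thread converge on the "Allow log on locally" and "Deny log on locally" user rights. The following script is an added example (not posted by anyone in the thread) that reads those two rights on the affected PC with secedit.exe, translates the SIDs to account names, and warns when standard users are missing from the allow list or present in the deny list. It assumes an elevated PowerShell session on the client; secedit.exe ships with Windows.

```powershell
# Added example, not from the thread above. Reads the local "Allow log on locally"
# (SeInteractiveLogonRight) and "Deny log on locally" (SeDenyInteractiveLogonRight)
# user rights via secedit.exe and warns about the condition that produces
# "Your account is configured to prevent you from using this PC".
# Run from an elevated PowerShell session on the affected client.

$exportPath = Join-Path $env:TEMP 'user-rights-export.inf'
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
$infLines = Get-Content -Path $exportPath
Remove-Item -Path $exportPath -Force

function Get-UserRightMembers {
    param(
        [string[]]$Lines,
        [string]$Right   # e.g. SeInteractiveLogonRight
    )
    # Export lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $line = $Lines | Where-Object { $_ -like "$Right =*" } | Select-Object -First 1
    if (-not $line) { return @() }
    $raw = ($line -split '=', 2)[1].Trim()
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    $members = foreach ($entry in ($raw -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; translate to NTAccount names where possible
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
    return @($members)
}

# Wrap in @() so an empty result stays an array rather than becoming $null
$allow = @(Get-UserRightMembers -Lines $infLines -Right 'SeInteractiveLogonRight')
$deny  = @(Get-UserRightMembers -Lines $infLines -Right 'SeDenyInteractiveLogonRight')

"Allow log on locally : $($allow -join ', ')"
"Deny log on locally  : $($deny -join ', ')"

# After a domain join, BUILTIN\Users contains Domain Users, so either name on the allow
# list is enough for standard users to sign in. A deny entry always overrides an allow entry.
$usersAllowed = ($allow -contains 'BUILTIN\Users') -or (@($allow -match 'Domain Users').Count -gt 0)
$usersDenied  = ($deny  -contains 'BUILTIN\Users') -or (@($deny  -match 'Domain Users').Count -gt 0)

if (-not $usersAllowed) {
    Write-Warning "Standard users are not granted 'Allow log on locally'. Check User Rights Assignment in the applied GPO; 'gpresult /h report.html' shows which GPO set it."
}
if ($usersDenied) {
    Write-Warning "Standard users are explicitly denied local logon; the deny entry overrides the allow list."
}
```

Because the right is usually set by Group Policy rather than locally (which is why the local setting appears grayed out, as noted earlier in the thread), the fix belongs in the GPO that gpresult identifies, not in the local policy editor.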
Pre-requisites
If you want to join an Active Directory domain, you will need domain join credentials and connectivity to a domain controller. This could be an Azure VM running either in the same VNet or in another VNet with the appropriate network rules in place, or a domain controller running on-premises if you have ExpressRoute or a VPN between your site and your Azure VNet. More recently, Azure AD join has been rolled out to AVD. There aren't any pre-requisites as such for this; however, there are a few extra steps along the way which are required for users to be permitted to log on to an Azure AD-joined host. For both options, your users need to be in Active Directory and synced to Azure AD. At some point in the future this requirement will be dropped for Azure AD-joined hosts, supporting cloud-only user accounts.
Licensing
AVD can run a few different versions of Windows, each with its own licensing requirement:
Create the Host Pool
Our first step is creating the host pool. Open the Azure portal and head to Azure Virtual Desktop > Host pools and click on Create. Fill out the basic details and move on to Virtual Machines. For a production environment I'd recommend making a new resource group for this. If you're going with Azure AD joined, there are some settings we need to apply to all host VMs a bit later on, which are easier if we can just apply them at the resource group level and let inheritance take place. Generally I set Host pool type to Pooled; this allows multiple users to log on to each host, versus dedicating a host to a user. There are two load balancing algorithms to choose from:
Finally, max session limit: if you are using depth-first load balancing, or plan to use auto-scaling, you'll need to put a number in here which denotes the maximum concurrent sessions you want on each host.
Configure your host pool virtual machines
Moving on to the next page, Virtual Machines. Here we will configure the resource group, VM name prefix, location and availability options for our VMs. Select the image you want from the gallery (you can upload a custom image and select that here, but I will cover that in a future post), along with the VM size you wish to use, and the number of VMs. When considering the size of the VM you want to use, I tend to go for multiple smaller VMs over one or two huge VMs, as it makes it easier to take a host VM down for maintenance without vastly reducing availability. Another factor to consider with sizing is what kind of load you are expecting, and how closely you want to watch the budget. With multiple smaller VMs you can shut down most of your host pool overnight to save costs, and boot them back up when the workload is predicted to be higher. With the 'Start on connect' feature you can even turn the whole host pool off, and it will boot up a VM automatically when a user tries to connect. Scrolling down, fill out the network details and domain join type. If you are joining an AD domain you'll need the UPN and password for an account which can create computer objects in the domain. If you're joining Azure AD, you can also enroll the VMs with Intune if you like. Finally, set the VM local administrator account credentials and complete the setup process. Once it has spent a while deploying the host pool servers, you should be able to click on the host pool and see an overview screen like the one below.
[Figure: The host pool overview screen.]
Login to a Windows virtual machine in Azure using Azure Active Directory authentication
Organizations can now improve the security of Windows virtual machines (VMs) in Azure by integrating with Azure Active Directory (AD) authentication. You can now use Azure AD as a core authentication platform to RDP into Windows Server 2019 Datacenter edition and later or Windows 10 1809 and later. Additionally, you will be able to centrally control and enforce Azure RBAC and Conditional Access policies that allow or deny access to the VMs. This article shows you how to create and configure a Windows VM and log in with Azure AD-based authentication. There are many security benefits of using Azure AD-based authentication to log in to Windows VMs in Azure, including:
Assumptions
The following represent the assumptions when considering deploying Azure Virtual Desktop.
Prerequisites
The following represent the prerequisites before deploying Azure Virtual Desktop.
Cloud native:
Hybrid:
Platform components
Active Directory
Microsoft Windows Server Active Directory Domain Services (AD DS) and Azure Active Directory (AAD) maintain records of information required to identify services, users and other resources on the network. A domain is a security boundary that exists within AD, and all user accounts are based on domain membership. Previously, AVD required session host virtual machines (the virtual desktops) to be domain-joined to an AD DS domain to manage the machine's computer object and provide policy and authentication. AVD session hosts can now be joined to Azure Active Directory natively (without AD DS hybrid join) and can be managed by Intune; this includes delivery of security policy. Note that with this option, Intune policy support is limited to policies targeted at the OS scope and not the user scope with multi-session AVD session hosts, and only local profiles are available. Due to these current limitations, the pattern recommends deploying AVD with Active Directory Domain Services to ensure there is full security policy scope for users and the operating system itself, and the user experience is not impacted. See Using Azure Virtual Desktop multi-session with Microsoft Endpoint Manager. Depending on the Active Directory architecture chosen (hybrid or cloud native), AVD can be configured to domain-join an existing on-premises AD DS domain (over VPN or ExpressRoute), or a cloud-only Azure AD Domain Services (PaaS) domain that is hosted in Azure. The following table outlines the environment-specific infrastructure configurations and considerations for Active Directory services for the solution.
Active Directory Design Decisions for the solution
The following figure outlines a suggested AD DS OU structure with proposed OUs to accommodate the Virtual Desktop and hybrid-joined devices.
Group policies
Group policies provide a user experience tailored to the needs and security requirements of an organisation. Policies are created and managed using the Group Policy Management Console (GPMC). Group policy is still required for session hosts when using pooled-random multi-session hosts, which is currently not supported with Intune. The following tables describe the Group Policy design decisions for the solution.
Personalisation and profile management
User profiles and personalisation enable users to configure an application or desktop setting and have that setting retained the next time they log in or roam to another computer. This is extremely important when using a virtual desktop, as the local Windows profile is generally not present for each new virtual desktop login; this can impede user performance, as it increases user login times and causes issues with applications missing configuration in virtual desktop sessions. Each user group, regardless of the required level of personalisation, should have a profile that determines how the user's settings will or will not persist across sessions. Part of the profile configuration includes folder redirection to better optimise the profile. Microsoft includes several standard options for user profiles, or personalisation. Alternatively, technologies such as Microsoft UE-V and FSLogix can be used to address user profile and personalisation requirements. If no user profile is configured, a local desktop profile is used, which is seldom optimal. Microsoft provide the following profile management solutions:
FSLogix considerations
FSLogix provides various functionality and advanced profile configurations that can further optimise the virtual desktop experience:
The following table describes the Profile Management design decisions for the solution.
The following table describes Personalisation and Profile Management design decisions for the solution. These settings will be configured via ADMX Group Policy. Note, settings not specifically called out assume the default configuration.
The following table includes FSLogix Office 365 Container Configuration.
Resource tags can be applied to objects within Azure to organise them into categories. Using tags, resources can be retrieved across multiple resource groups. Tags enable simplified management and Azure billing capability. A resource tag is comprised of a key and a value, both defined by an administrator. The following tables describe the Azure resource tag design decisions for the solution.
1. Managing identity and devices
Users always sign in to their AVD sessions using their Azure AD credentials, so it's vital that you protect this identity. You'll also need to consider which devices they'll be using to connect to their sessions. You can protect your users' identities and control the devices they can use to access the virtual desktops in two ways: by enabling multi-factor authentication (MFA) for users in Azure AD, and then by using Conditional Access to require MFA for the Azure WVD client itself. This mitigates risk and significantly improves overall AVD security.
For further guidance, these Microsoft tutorials explain how to set up MFA and Conditional Access when using Azure Virtual Desktop. This video from The Azure Academy also provides useful guidance about setting up MFA and Conditional Access.
2. Protecting session host virtual machines from external threats
Having protected the identity of the users accessing the AVD service, it is important to protect the session hosts themselves, including your operating system, applications and network.
Use Network Security Groups and firewalls
The virtual machines and virtual network deployed as part of your AVD deployment are key endpoints, and securing these determines the overall effectiveness of your security. The inbound and outbound networking rules and regulation of your overall network traffic to the virtual machines affect their exposure to external threats and attackers. You should at least configure a Network Security Group (NSG) and attach it to the subnets that your Azure Virtual Desktop session hosts are deployed in to protect them. NSGs can contain multiple inbound and outbound security rules. As described in Microsoft's article, Network Security Groups, these enable you to filter traffic by source and destination IP address, port, and protocol. Therefore, your NSG should contain the outbound rules required for Azure WVD, as detailed in the Required URL list. An NSG is free and is simply an access control list (ACL); it is not stateful or application-aware like a firewall. However, if you need application rules and web filtering, you can route all the AVD traffic through a firewall using a route table. This could be your own on-premises firewall if you're connecting to your Azure environment across a site-to-site VPN, or a network virtual appliance (NVA) in Azure. There is a range of third-party solutions in Azure Marketplace, or Azure Firewall, which provides managed, cloud-based network security and is a fully stateful firewall service.
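The following script is an added example (not from the article or from Microsoft) of the NSG configuration described above, written with the Az PowerShell module. It denies inbound RDP from the Internet, limits break-glass RDP to an assumed admin subnet, and allows outbound 443 to the WindowsVirtualDesktop and AzureActiveDirectory Azure service tags plus domain traffic to an assumed domain controller subnet. The resource group, location, VNet, subnet names and 10.x prefixes are placeholders; the article's Required URL list is not reproduced here, so no outbound deny-all is added.

```powershell
# Added example, not from the article. Builds an NSG for an AVD session-host subnet with the
# Az PowerShell module (Connect-AzAccount first). Session hosts need no inbound ports opened
# from the internet: the AVD client reaches them through the AVD gateway over a connection the
# host itself initiates outbound, so inbound RDP from the Internet is denied explicitly.
# All names and address prefixes below are placeholders.

$rg           = 'rg-avd-example'     # placeholder resource group
$location     = 'uksouth'            # placeholder region
$vnetName     = 'vnet-avd-example'   # placeholder VNet
$subnetName   = 'snet-avd-hosts'     # placeholder session-host subnet
$subnetPrefix = '10.10.1.0/24'       # placeholder session-host prefix
$adminPrefix  = '10.10.250.0/24'     # placeholder admin/jump subnet
$dcPrefix     = '10.10.0.0/24'       # placeholder domain controller subnet

$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin-Subnet' -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $adminPrefix -SourcePortRange '*' -DestinationAddressPrefix $subnetPrefix -DestinationPortRange '3389' `
        -Description 'Break-glass RDP from the admin subnet only'
    New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-From-Internet' -Priority 200 -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '3389' `
        -Description 'AVD clients never connect inbound; block internet RDP explicitly'
    New-AzNetworkSecurityRuleConfig -Name 'Allow-AVD-Control-Plane' -Priority 100 -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $subnetPrefix -SourcePortRange '*' -DestinationAddressPrefix WindowsVirtualDesktop -DestinationPortRange '443' `
        -Description 'Agent and gateway traffic to the AVD service tag'
    New-AzNetworkSecurityRuleConfig -Name 'Allow-AzureAD' -Priority 110 -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $subnetPrefix -SourcePortRange '*' -DestinationAddressPrefix AzureActiveDirectory -DestinationPortRange '443' `
        -Description 'Authentication to Azure AD'
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Domain-Controllers' -Priority 120 -Direction Outbound -Access Allow -Protocol '*' `
        -SourceAddressPrefix $subnetPrefix -SourcePortRange '*' -DestinationAddressPrefix $dcPrefix -DestinationPortRange '*' `
        -Description 'Kerberos, LDAP, DNS and SMB to the DC subnet'
)
# The remaining endpoints from the Required URL list must be allowed before adding a
# low-priority outbound Deny rule; otherwise the hosts drop out of the pool.

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'nsg-avd-hosts' -SecurityRules $rules

# Attach the NSG to the session-host subnet so every host deployed there inherits it
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName -AddressPrefix $subnetPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review what was applied
$nsg.SecurityRules |
    Select-Object Name, Priority, Direction, Access, Protocol, DestinationAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Service tags are resolved by Azure to the current address ranges, which avoids maintaining IP lists for the AVD control plane; anything that must be filtered by URL rather than address, as the paragraph above notes, needs a firewall or NVA with application rules rather than an NSG.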
See the following video from The Azure Academy on AVD network security using VNets, NSGs and Azure Firewall, as well as this Microsoft article, for more information on using Azure Firewall to protect AVD deployments.
Protect against operating system, application and software vulnerabilities
Identifying malicious software and software vulnerabilities within your operating system (OS) and applications is the key to proactive, preventive security measures that keep your Azure Virtual Desktop environment safe. Enabling endpoint security for your session host virtual machines (VMs) protects your overall AVD deployment from malicious software. Tools like Windows Defender and ATP (Advanced Threat Protection) proactively address OS- and application-level vulnerabilities, identifying problem spots through vulnerability assessments for server operating systems. Read the deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment to configure your VMs for optimal protection and performance.
Apply patches and security updates
Regular patches and security updates to your OS and applications ensure that your Azure WVD environment is well protected. You can regularly replace the session hosts using a new patched image, as we describe in our blog post, Eight tips on how to manage Azure Virtual Desktop (WVD). This also lets you update or add any new applications. Alternatively, as the following Microsoft article explains, you can use Microsoft Endpoint Configuration Manager to configure automatic updates for Windows 10 on your AVD session hosts.