We had an issue today where a user got locked out of the RemoteApp that they would normally access without issue. They got an error message that read:
As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts. Wait a while before trying again, or contact your system administrator or technical support.
It reported error code 0xd07 and looked something like this:
The solution was to remove the user from the application group that included the RemoteApp, using the Remove-RdsAppGroupUser command. You'll need to do this from a PowerShell session (see here for more).
If this doesn't work, here are a few more things to try:
Log into the master image of the VM where the RemoteApp is running, locate the user's profile and rename it to something like [username].old.
Alternatively, you can try and manually unlock a remote access client. See here for more. This fix is about two-thirds down the page.
If you encounter an issue with a Windows Virtual Desktop app, try the following:
Remove and re-install the Remote Desktop client. Delete the app from Apps and Features in Windows 10. To install, download the client here (in most cases, select the 64-bit version).
Upgrade the Remote Desktop client. Open the client and see if there is a message to upgrade. If so, follow the prompts.
Multiple Remote Desktop clients. Sometimes we find multiple versions of the Remote Desktop client and they can contend with each other. The cleanest way to resolve this is to remove both and then re-install using the link in the first bullet point.
User unable to log in. A user's session can hang and prevent subsequent logins. To fix this, log into the WVD VM (via an RDP session through Azure) and kill the user's session (right-click in the tool tray, select Task Manager, then Users, select the user, right-click and select End session).
Adding a new user to a WVD app is really easy. Start by establishing a connection with the WVD tenant:
Add the user to the app group with the command: Add-RdsAppGroupUser [tenant-name] [host-group-name] [app-group] -UserPrincipalName [user-name]. To remove a user, use the Remove-RdsAppGroupUser command.
To confirm that they are added correctly, you can list all users assigned to the app group: Get-RdsAppGroupUser [tenant-name] [host-group-name] [app-group]
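The add-and-confirm steps above can be wrapped in one function that skips users who are already assigned and re-queries the app group after the change. This is an added example, not part of the original post; the function name Grant-WvdAppGroupAccess and the bracketed values are placeholders, and it assumes the Microsoft.RDInfra.RDPowerShell module is installed.

```powershell
# Added example: assign a user to a WVD app group only if needed, then confirm.
# Grant-WvdAppGroupAccess is a hypothetical helper name; bracketed values are placeholders.
function Grant-WvdAppGroupAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [string] $AppGroupName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    $scope = @{
        TenantName   = $TenantName
        HostPoolName = $HostPoolName
        AppGroupName = $AppGroupName
    }

    # List current assignments and filter locally (-eq ignores case for strings).
    $existing = Get-RdsAppGroupUser @scope |
        Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }

    if ($existing) {
        $result = 'AlreadyAssigned'
    }
    else {
        # Stop on failure so an authorization error is not reported as success.
        Add-RdsAppGroupUser @scope -UserPrincipalName $UserPrincipalName -ErrorAction Stop

        # Re-query the app group to confirm the assignment is visible.
        $confirmed = Get-RdsAppGroupUser @scope |
            Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
        $result = if ($confirmed) { 'Added' } else { 'NotConfirmed' }
    }

    [pscustomobject]@{
        User     = $UserPrincipalName
        AppGroup = $AppGroupName
        Result   = $result
    }
}

# Connect to the WVD tenant first, then call the helper.
Import-Module Microsoft.RDInfra.RDPowerShell
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'
Grant-WvdAppGroupAccess -TenantName '[tenant-name]' -HostPoolName '[host-group-name]' `
    -AppGroupName '[app-group]' -UserPrincipalName '[user-name]'
```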
Issues
If you get User is not authorized to query the management service when running Add-RdsAppGroupUser then get an RDS owner on the tenant to run the following command:
This will provide access to all host-pools / app-groups on the tenant.
If you are unable to run the Add-RdsAccount command successfully, it could mean you need to be added as a TenantCreator or that you need to install and import the libraries you need to run this. To do this run the following commands before the Add-RdsAccount command:
Install-Module -Name Microsoft.RDInfra.RDPowerShell, and then
There are a few things you need to do before you can access a Windows Virtual Desktop app for the first time. The following are instructions for users. [Will soon provide pre-requisites that IT need to rollout before the steps below can be done]
Part 1: Enable Self-Service Password Reset
As a preliminary step before moving to IRIS in the cloud, everyone that needs access will need to reset their Office 365 password. Once self-service password reset is turned on for the tenant, this is a really simple thing a user can do themselves. The added bonus is that they can use this feature to reset their password anytime they may need to (like if they have forgotten it or they want to change it for some other reason).
To use self-service password reset, you'll need to register. To do this go to https://aka.ms/ssprsetup and follow the instructions.
Then, to reset your password, there are 2 ways of doing this:
1) If you are logged in to your PC, go to https://account.activedirectory.windowsazure.com/ChangePassword.aspx and follow the instructions. 2) If you are not logged in, start up your PC and you'll notice a new link underneath the PIN entry box that says I forgot my PIN. Click on this to continue the process to reset your password.
All users will need to complete the above before they can access the WVD app.
Part 2: Verify you can access your WVD app
Perform the following steps:
Type Remote Desktop into the search bar in the tool tray at the bottom of the screen. Hit Enter to run. Note that it is the red icon, not the Remote Desktop Connection.
Click the Let’s Get Started button. Remote Desktop will now search for remote applications you have access to.
If you see a prompt to update Remote Desktop, please get in touch with Charlie Mac who will update the software on your behalf.
Click on the icon for your WVD app.
Enter your Office 365 credentials when asked. Make sure that your username is correct and that you are being asked to enter your password. Note that if you are asked to enter your PIN or use Face ID, you’ll need to select More Options and select the option that enables you to enter your password. Note that PIN or Face ID do not work at this stage.
After a bit, you should see the login screen for your WVD app.
Deploying a new app on Windows Virtual Desktop (WVD) consists essentially of three steps: 1) Install the app on the VM that hosts the master WVD image, 2) publish the app, 3) assign users to the app.
Install the app on the master WVD image
Take a backup of the target VM – log in to Azure and search for Backup Centre. Initiate backup from here. It may take a couple of hours to complete.
Log in to the VM as local admin over RDP – locate the VM, select Connect and then RDP to download the connection file. Run this and enter the local admin account credentials to connect.
Install the software you want to publish on the VM.
Publish the app
Open a PowerShell console as an administrator on the VM hosting the master WVD image
Run Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" – to initiate session
Obtain the app alias by running the following to get a list of those available - Get-RdsStartMenuApp Corpapps [host group] [app-group]
If this returns an error (can’t find module), go ahead and install the modules needed using Install-Module -Name Microsoft.RDInfra.RDPowerShell
Publish the app you just installed using New-RdsRemoteApp [tenant-name] [host-group] [app-group] -Name [name you want to give the app] -AppAlias [the app alias you got from step 3]
Assign users
To publish a remote app to a user, run the following PowerShell command. This can be done on any PC connected to the internet: Add-RdsAppGroupUser [tenant-name] [host-group] [app-group] -UserPrincipalName [username]
Other useful commands
Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com – to connect PS to WVD
Get-RdsAppGroupUser [tenant-name] [host-pool-name] [app-group] – get a list of users that are offered apps in the app group as remote apps
Get-RdsAppGroup -TenantName [tenant-name] -HostPoolName [host-pool-name] – gets all app groups in the host pool
Remove-RdsRemoteApp [tenant-name] [host-pool-name] [app-group] -Name "[name you gave the app]" -AppAlias [alias that was obtained in step 3 above] – remove app from the app group
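Get-RdsAppGroup and Get-RdsAppGroupUser can be combined into a periodic access review that flags users assigned to an app group who are not on an approved list. This is an added example, not part of the original post; the function name Get-WvdUnapprovedAssignment, the approved-list hashtable and all names and addresses in it are constructed placeholders, and it assumes an Add-RdsAccount session is already open.

```powershell
# Added example: report app group assignments that are not on an approved list.
# Get-WvdUnapprovedAssignment is a hypothetical helper name.
function Get-WvdUnapprovedAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        # Key: app group name. Value: array of approved user principal names.
        [Parameter(Mandatory)] [hashtable] $Approved
    )

    $groups = Get-RdsAppGroup -TenantName $TenantName -HostPoolName $HostPoolName

    foreach ($group in $groups) {
        # An app group missing from the list has no approved users,
        # so every assignment in it is reported.
        $allowed = @($Approved[$group.AppGroupName])

        $users = Get-RdsAppGroupUser -TenantName $TenantName `
            -HostPoolName $HostPoolName -AppGroupName $group.AppGroupName

        foreach ($user in $users) {
            # -notcontains compares strings case-insensitively.
            if ($allowed -notcontains $user.UserPrincipalName) {
                [pscustomobject]@{
                    AppGroup = $group.AppGroupName
                    User     = $user.UserPrincipalName
                }
            }
        }
    }
}

# Constructed sample list; replace with the assignments your organisation has signed off.
$approved = @{
    'Example App Group' = @('alice@example.com', 'bob@example.com')
}

Get-WvdUnapprovedAssignment -TenantName '[tenant-name]' `
    -HostPoolName '[host-pool-name]' -Approved $approved |
    Format-Table -AutoSize
```

Each row in the output is a candidate for Remove-RdsAppGroupUser once the owner of the app confirms the access is no longer needed.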
The backup policy we apply in most cases (i.e. our default policy):
Backup schedule commencing 2000hrs (local time)
Instant restore retained for 2 days
Daily backup retained for 30 days
Weekly backup made on Sunday and retained for 12 weeks
Monthly backup, week based, made on the first Sunday of the month and retained for 60 months
Yearly backup, week based, made in January on the first Sunday and retained for 10 years.
This is in excess of what most organisations need, but in most cases when it comes to backing up, it's good to overdo it.
Create a recovery point
Just in case things don't work out when you recover the backup, you'll have something to recover back to.