We had an issue today where a user got locked out of the RemoteApp that they would normally access without issue. They got an error message that read:

As a security precaution, the user account has been locked because there were too many logon attempts or password change attempts. Wait a while before trying again, or contact your system administrator or technical support.

It reported error code 0xd07.

The solution was to remove the user from the application group that included the RemoteApp, using the Remove-RdsAppGroupUser command. You'll need to do this from a PowerShell session (see here for more).

If this doesn't work, here are a few more things to try:

  • Log into the master image of the VM where the RemoteApp is running, locate the user's profile and rename it to something like [username].old.
  • Alternatively, you can try to manually unlock a remote access client. See here for more. This fix is about two-thirds down the page.

If you encounter an issue with a Windows Virtual Desktop app, try the following:

  • Remove and re-install the Remote Desktop client. Delete the app from Apps and Features in Windows 10. To install, download the client here (in most cases, select the 64-bit version).
  • Upgrade the Remote Desktop client. Open the client and see if there is a message to upgrade. If so, follow the prompts.
  • Multiple Remote Desktop clients. Sometimes we find multiple versions of the Remote Desktop client and they can contend with each other. The cleanest way to resolve this is to remove both and then re-install using the link in the first bullet point.
  • User unable to log in. A user's session can hang and prevent subsequent logins. To fix this, log into the WVD VM (via an RDP session through Azure) and kill the user's session (right-click in the tool tray, select Task Manager, then Users, select the user, right-click and select End session).

Adding a new user to a WVD app is really easy. Start by establishing a connection with the WVD tenant:

  1. Start a PowerShell console as an Administrator
  2. Connect to the WVD tenant using: Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com – note you will need to login as a tenant administrator. Tenant admins can be created using https://docs.microsoft.com/en-us/azure/virtual-desktop/virtual-desktop-fall-2019/tenant-setup-azure-active-directory
  3. Add the user to the app group with the command: Add-RdsAppGroupUser [tenant-name] [host-group-name] [app-group] -UserPrincipalName [user-name]. To remove a user, use the Remove-RdsAppGroupUser command.
  4. To confirm that they are added correctly, you can list all users assigned to the app group: Get-RdsAppGroupUser [tenant-name] [host-group-name] [app-group]
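The steps above as one script, added here as an example and not taken from the original post. The helper name Add-WvdAppGroupMember is hypothetical, the bracketed values are placeholders, and the named parameters are the explicit form of the positional arguments used above.

```powershell
# Added example: replace the [bracketed] placeholders with real values.
Import-Module -Name Microsoft.RDInfra.RDPowerShell -ErrorAction Stop

function Add-WvdAppGroupMember {   # hypothetical helper, not part of the module
    param(
        [Parameter(Mandatory)] [string] $TenantName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [string] $AppGroupName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # One splatted scope so every call targets the same app group.
    $scope = @{
        TenantName   = $TenantName
        HostPoolName = $HostPoolName
        AppGroupName = $AppGroupName
    }

    # Step 4 run first: do nothing if the user is already assigned.
    $current = Get-RdsAppGroupUser @scope
    if ($current.UserPrincipalName -contains $UserPrincipalName) {
        Write-Verbose "$UserPrincipalName is already in $AppGroupName"
        return
    }

    # Step 3: assign the user; stop on failure (for example, not authorized).
    Add-RdsAppGroupUser @scope -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # Step 4 again: confirm the assignment is visible before reporting success.
    $after = Get-RdsAppGroupUser @scope
    if ($after.UserPrincipalName -notcontains $UserPrincipalName) {
        throw "Assignment of $UserPrincipalName to $AppGroupName could not be confirmed."
    }
    $after | Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
}

# Step 2: sign in as a tenant administrator (interactive prompt).
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'

Add-WvdAppGroupMember -TenantName '[tenant-name]' `
    -HostPoolName '[host-group-name]' `
    -AppGroupName '[app-group]' `
    -UserPrincipalName '[user-name]' -Verbose
```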

Issues

If you get User is not authorized to query the management service when running Add-RdsAppGroupUser then get an RDS owner on the tenant to run the following command:

New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -SignInName "[user-name]" -TenantGroupName "Default Tenant Group" -TenantName "[tenant-name]"

This will provide access to all host-pools / app-groups on the tenant.
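Because the command above grants RDS Owner across the whole tenant, the added example below (not from the original post) shows the same role scoped to a single host pool with the cmdlet's -HostPoolName parameter, followed by a Get-RdsRoleAssignment listing of who already holds RDS Owner. The bracketed values are placeholders, and the property names in the report are assumed to match the module's output objects.

```powershell
# Added example: replace the [bracketed] placeholders with real values.
# Must be run by an existing RDS Owner on the tenant.
Import-Module -Name Microsoft.RDInfra.RDPowerShell -ErrorAction Stop
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'

$tenantName = '[tenant-name]'
$hostPool   = '[host-pool-name]'
$signInName = '[user-name]'

# Same role as above, but limited to one host pool and its app groups
# instead of every host pool on the tenant.
New-RdsRoleAssignment -RoleDefinitionName 'RDS Owner' `
    -SignInName $signInName `
    -TenantGroupName 'Default Tenant Group' `
    -TenantName $tenantName `
    -HostPoolName $hostPool `
    -ErrorAction Stop

# Review who holds RDS Owner. The Scope column shows how far each grant
# reaches: a scope ending at the tenant name covers every host pool.
Get-RdsRoleAssignment -TenantName $tenantName |
    Where-Object { $_.RoleDefinitionName -eq 'RDS Owner' } |
    Sort-Object -Property Scope, SignInName |
    Format-Table -Property SignInName, ObjectType, RoleDefinitionName, Scope -AutoSize

# A tenant-wide grant that is no longer needed can be withdrawn with the
# matching cmdlet, using the same identifying parameters:
# Remove-RdsRoleAssignment -RoleDefinitionName 'RDS Owner' `
#     -SignInName $signInName -TenantGroupName 'Default Tenant Group' `
#     -TenantName $tenantName
```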

If you are unable to run the Add-RdsAccount command successfully, it could mean you need to be added as a TenantCreator or that you need to install and import the libraries you need to run this. To do this run the following commands before the Add-RdsAccount command:

  1. Install-Module -Name Microsoft.RDInfra.RDPowerShell, and then
  2. Import-Module -Name Microsoft.RDInfra.RDPowerShell

See https://docs.microsoft.com/en-gb/powershell/windows-virtual-desktop/overview for more details.

There are a few things you need to do before you can access a Windows Virtual Desktop app for the first time. The following are instructions for users. [Will soon provide pre-requisites that IT need to roll out before the steps below can be done]

Part 1: Enable Self-Service Password Reset

As a preliminary step before moving to IRIS in the cloud, everyone that needs access will need to reset their Office 365 password. Once self-service password reset is turned on for the tenant, this is a really simple thing a user can do themselves. The added bonus is that they can use this feature to reset their password anytime they may need to (like if they have forgotten it or they want to change it for some other reason).


To use self-service password reset, you'll need to register. To do this go to https://aka.ms/ssprsetup and follow the instructions.


Then, to reset your password, there are two ways of doing this:

  1. If you are logged in to your PC, go to https://account.activedirectory.windowsazure.com/ChangePassword.aspx and follow the instructions.
  2. If you are not logged in, start up your PC and you'll notice a new link underneath the PIN entry box that says I forgot my PIN. Click on this to continue the process to reset your password.

All users will need to complete the above before they can access the WVD app.

Part 2: Verify you can access your WVD app

Perform the following steps:

  1. Type Remote Desktop into the search bar in the tool tray at the bottom of the screen. Hit Enter to run. Note that it is the red icon, not the Remote Desktop Connection.
  2. Click the Let’s Get Started button. Remote Desktop will now search for remote applications you have access to.
  3. If you see a prompt to update Remote Desktop, please get in touch with Charlie Mac who will update the software on your behalf.
  4. Click on the icon for your WVD app.
  5. Enter your Office 365 credentials when asked. Make sure that your username is correct and that you are being asked to enter your password. Note that if you are asked to enter your PIN or use Face ID, you’ll need to select More Options and select the option that enables you to enter your password. Note that PIN and Face ID do not work at this stage.
  6. After a bit, you should see the login screen for your WVD app.

Deploying a new app on Windows Virtual Desktop (WVD) consists essentially of three steps: 1) Install the app on the VM that hosts the master WVD image, 2) publish the app, 3) assign users to the app.

Install the app on the master WVD image

  1. Take a backup of the target VM – log in to Azure and search for Backup Centre. Initiate backup from here. It may take a couple of hours to complete.
  2. Log in to the VM as local admin over RDP – locate the VM, select Connect and then RDP to download the connection file. Run this and enter the local admin account credentials to connect.
  3. Install the software you want to publish on the VM.

Publish the app

  1. Open a PowerShell console as an administrator on the VM hosting the master WVD image
  2. Run Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" – to initiate session
  3. Obtain the app alias by running the following to get a list of those available - Get-RdsStartMenuApp Corpapps [host group] [app-group]
  4. If this returns an error (can’t find module), go ahead and install the modules needed using Install-Module -Name Microsoft.RDInfra.RDPowerShell
  5. Publish the app you just installed using New-RdsRemoteApp [tenant-name] [host-group] [app-group] -Name [name you want to give the app] -AppAlias [the app alias you got from step 3]
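Steps 2 to 5 as one script, added here as an example and not taken from the original post: it looks up the alias by the app's Start menu name, refuses to guess when the match is ambiguous, and skips publishing if a RemoteApp with the chosen name already exists. The helper name Publish-WvdStartMenuApp is hypothetical and the bracketed values are placeholders.

```powershell
# Added example: replace the [bracketed] placeholders with real values.
Import-Module -Name Microsoft.RDInfra.RDPowerShell -ErrorAction Stop

function Publish-WvdStartMenuApp {   # hypothetical helper, not part of the module
    param(
        [Parameter(Mandatory)] [hashtable] $Scope,          # tenant, host pool, app group
        [Parameter(Mandatory)] [string]    $StartMenuName,  # text to match in the Start menu name
        [Parameter(Mandatory)] [string]    $PublishedName   # name users will see
    )

    # Step 3: list Start menu apps on the session host and match by name.
    $matches = @(Get-RdsStartMenuApp @Scope |
        Where-Object { $_.FriendlyName -like "*$StartMenuName*" })

    if ($matches.Count -ne 1) {
        # Show what was found so the operator can pick an exact name.
        $matches | Format-Table -Property FriendlyName, AppAlias, FilePath -AutoSize | Out-Host
        throw "Expected exactly one match for '$StartMenuName', found $($matches.Count)."
    }
    $app = $matches[0]

    # Avoid a duplicate publish if the name is already in the app group.
    $existing = Get-RdsRemoteApp @Scope |
        Where-Object { $_.RemoteAppName -eq $PublishedName }
    if ($existing) {
        Write-Warning "'$PublishedName' is already published; nothing changed."
        return $existing
    }

    # Step 5: publish using the alias from step 3. FilePath is echoed so the
    # executable being exposed to users can be checked.
    Write-Verbose "Publishing $($app.FilePath) as '$PublishedName'"
    New-RdsRemoteApp @Scope -Name $PublishedName -AppAlias $app.AppAlias -ErrorAction Stop
}

# Step 2: sign in (interactive prompt).
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'

$scope = @{
    TenantName   = '[tenant-name]'
    HostPoolName = '[host-group]'
    AppGroupName = '[app-group]'
}
Publish-WvdStartMenuApp -Scope $scope -StartMenuName '[app name in Start menu]' `
    -PublishedName '[name you want to give the app]' -Verbose
```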

Assign users

To publish a remote app to a user, run the following PowerShell command. This can be done on any PC connected to the internet: Add-RdsAppGroupUser [tenant-name] [host-group] [app-group] -UserPrincipalName [username]

Other useful commands

  • Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com – to connect PS to WVD
  • Get-RdsAppGroupUser [tenant-name] [host-pool-name] [app-group] – get a list of users that are offered apps in the app group as remote apps
  • Get-RdsAppGroup -TenantName [tenant-name] -HostPoolName [host-pool-name] – gets all app groups in the host pool
  • Remove-RdsRemoteApp [tenant-name] [host-pool-name] [app-group] -Name "[name you gave the app]" -AppAlias [alias that was obtained in step 3 above] – remove app from the app group

The backup policy we apply in most cases (ie our default policy):

  • Backup schedule commencing 2000hrs (local time)
  • Instant restore retained for 2 days
  • Daily backup retained for 30 days
  • Weekly backup made on Sunday and retained for 12 weeks
  • Monthly backup, week based, made on the first Sunday of the month and retained for 60 months
  • Yearly backup, week based, made in January on the first Sunday and retained for 10 years.

This is in excess of what most organisations need, but in most cases when it comes to backing up, it's good to overdo it.

Create a recovery point

Just in case things don't work out when you recover the backup, you'll have something to recover back to.

  1. Log into the Azure portal
  2. Search for Backup Center
  3. Select the virtual machine you wish to create the recovery point for. Do this by selecting Backup instances in the left-hand blade
  4. Create the recovery point
    1. Select the virtual machine to back up. Click Backup now (so we have a restore point if needed).
    2. Retention of backup defaults to 1 month
    3. You can monitor the progress – select Backup Jobs under Monitoring (left blade).
    4. Cutting this backup may take a few hours, or longer.

Recover the desired backup

Stop the virtual machine you want to recover. This may take a few minutes once initiated.

Initiate the recovery – this will create a backup as well at the time recovery is initiated

  1. Select Backup instances in the left hand blade
  2. Select the virtual machine. Click Restore VM.
  3. Select restore point (from list of backups)
  4. Select Replace existing and then a staging location for the data
  5. Click Restore. The process is usually done within an hour.
  6. Restart the virtual machine.