Share via

VM has reported a failure when processing extension 'Microsoft.PowerShell.DSC' (publisher 'Microsoft.Powershell' and type 'DSC'). Error message: 'The DSC Extension failed to execute: Error downloading https://wvdportalstorageblob.blob.core.windows.net/gal

Srinivasan TR 0 Reputation points
2026-04-29T07:06:57.3133333+00:00

i am trying to configure AVD service , using vm . am getting this error everytime. I have already created NSG outpound port as 443, but still is showing this error .can help on this to resolve

Azure Virtual Desktop
Azure Virtual Desktop

A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jilakara Hemalatha 13,425 Reputation points Microsoft External Staff Moderator
    2026-04-29T07:41:06.1333333+00:00

    Hello Srinivasan,

    Thank you for reaching out Q/A. Based on our analysis, the failure is occurring during the execution of the Microsoft.PowerShell.DSC extension as part of the Azure Virtual Desktop (AVD) session host deployment. The extension is attempting to download the required configuration package from the Azure Storage endpoint (wvdportalstorageblob.blob.core.windows.net), but the connection is not being established successfully.

    The error message “Unable to connect to the remote server” indicates that the virtual machine is currently unable to reach the required external endpoint. This is a known behavior and is typically related to outbound connectivity or DNS resolution issues, rather than a problem with the extension itself.

    Although outbound port 443 has been allowed, successful communication also depends on access to the required destination endpoints. The deployment can fail if outbound traffic is restricted by NSG, firewall, proxy, or routing configurations, if there is no valid outbound internet path from the subnet, or if DNS resolution is not functioning correctly.

    As per Microsoft guidance, AVD session host VMs must be able to access Azure Storage and other required service endpoints during provisioning. If the VM cannot reach these endpoints, the DSC extension retries multiple times and eventually fails, resulting in the deployment failure.

    To resolve this, we recommend validating the following:

    • Ensure outbound HTTPS (port 443) access to *.blob.core.windows.net and other required AVD service endpoints
    • Confirm that the subnet has a valid outbound path (via NAT Gateway, Azure Firewall, or public internet access)
    • Verify DNS resolution for the required endpoints from within the VM
    • Review NSG, firewall, proxy, and routing (UDR) configurations to ensure traffic is not being blocked

    Additionally, you may use the built-in AVD URL validation tool available on the session host to verify connectivity to all required endpoints, which can help quickly identify any blocked URLs.

    For further troubleshooting, you can review the DSC extension logs available on the VM at: C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC\<version>\DSC.log

    These logs can provide more detailed insight into whether the failure is due to DNS resolution issues, connection timeouts, or blocked traffic.

    For reference, you may review the following Microsoft documentations:

    Required FQDNs and endpoints for Azure Virtual Desktop

    Check access to required FQDNs and endpoints for Azure Virtual Desktop

    https://learn.microsoft.com/en-us/answers/questions/1335191/trying-to-deploy-avd-but-the-operations-fails-with

    Hope this helps! Please let me know if you have any queries in comments.

    Was this answer helpful?

    1 person found this answer helpful.
  2. Q&A Assist
    2026-04-29T07:07:16.3+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The error indicates that the PowerShell DSC VM extension on the session host VM cannot download its configuration package from the specified HTTPS URL. This is a connectivity issue from the VM to the storage endpoint, not an inbound/RDP/NSG-3389 issue.

    Use these steps to troubleshoot and resolve:

    1. Verify the extension failure details on the VM
      • From Azure CLI, list the extensions and confirm the DSC extension is in a failed state: 
             az vm extension list --resource-group <rg-name> --vm-name <vm-name> -o table
      • On the VM, check the DSC extension status and logs:
        • Status file: C:\Packages\Plugins\Microsoft.Powershell.DSC\<version>\Status\0.status
        • Logs: C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC\<version>
      • The detailed error in these files will confirm that the failure is during download of the configuration ZIP from the blob URL.
    2. Confirm outbound connectivity from the VM
      • The DSC extension requires the VM to reach:
        • Azure control plane (for extension coordination), and
        • The storage endpoint hosting the configuration package (the wvdportalstorageblob.blob.core.windows.net URL in the error).
      • Ensure there is no outbound-deny NSG rule or firewall rule blocking HTTPS (TCP 443) from the VM to the internet or to Azure Storage endpoints.
      • If using a custom DNS, proxy, or firewall appliance, verify that:
        • The VM can resolve *.blob.core.windows.net.
        • HTTPS to that endpoint is allowed.
    3. Validate NSG and any other network security
      • Check the subnet and NIC NSGs:
        • Confirm there is an outbound rule allowing TCP 443 to internet/AzureStorage.
        • Ensure there is no higher-priority deny rule that overrides the allow rule.
      • If the environment uses Azure Firewall or another NVA, confirm rules allow outbound HTTPS to blob.core.windows.net.
    4. Check the configuration package URL and SAS
      • The DSC extension downloads a ZIP from a URL (often with a SAS token) defined in its settings.
      • Common issues:
        • SAS token expired.
        • URL typo or container/blob deleted or moved.
      • Regenerate the SAS URL for the configuration package, update the DSC extension settings (or the AVD template/ARM/Bicep that deploys it), and redeploy the extension.
    5. Retry the extension after fixing connectivity
      • After confirming outbound connectivity and a valid configuration URL:
        • Remove the failed DSC extension instance.
        • Reapply the AVD deployment or re-add the Microsoft.Powershell.DSC extension with corrected settings.
      • Monitor status again via: 
             Get-AzVM -ResourceGroupName <rg-name> -Name <vm-name> -Status
        and by checking the extension status/log paths above.
    6. If the VM was created from an image with old extensions
      • If the session host VM was created from a generalized/specialized image that already had extensions on it, stale extension binaries and status files can cause inconsistent behavior.
      • In such cases, remove existing extensions from the source VM before imaging, or remove/reinstall the DSC extension on the new VM so it starts clean.

    If, after ensuring outbound HTTPS to blob.core.windows.net and fixing the configuration URL/SAS, the DSC extension still fails, collect the logs from C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC\<version> and the status file under C:\Packages\Plugins\Microsoft.Powershell.DSC\<version>\Status and use them to open an Azure support case.

    References:

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.