
FSLogix Profile Container Issue in Azure Virtual Desktop Environment

Sean Wu 0 Reputation points
2025-10-24T20:27:04.05+00:00

Hi,

I had to ask AI to summarize my issue:

Environment Details:

  • Azure Virtual Desktop (AVD) session hosts: Azure AD joined (not domain-joined).
  • Storage backend: Azure Files with Microsoft Entra Kerberos enabled.
  • FSLogix profile containers configured to use Azure Files SMB share.

Problem:

  • FSLogix profile containers fail to mount.
  • SMB access to Azure Files share (<storageaccount>.file.core.windows.net\profiles) fails with:

    System error 86: The specified network password is not correct

  • Kerberos tickets are not issued (klist shows Cached Tickets: (0)).
  • AVD hosts fall back to NTLM, which Azure Files does not support for identity-based access.

Root Cause Analysis:

  1. Azure AD Kerberos not active on AVD hosts

   * dsregcmd /status shows:

     AzureAdJoined : YES

   * Registry key HKLM\SOFTWARE\Microsoft\AzureADKerberos\Enabled = 1 was added manually, but feature did not activate.

   * Intune policy for Azure AD Kerberos could not apply because AVD VMs were not enrolled in Intune.

  2. Intune Enrollment Issues

   * AVD VMs did not appear in Intune → OMA-URI policy for Kerberos could not apply.

   * DeviceEligible : NO in dsregcmd /status confirmed enrollment was blocked.

   * Task Scheduler service was disabled by baseline → dsregcmd /join failed with 0x80041326.

  3. Network and Permissions

   * Port 445 connectivity verified (Test-NetConnection succeeded).

   * DNS resolution verified (nslookup succeeded).

   * IAM roles correctly assigned:

     * Storage File Data SMB Share Contributor for AVD user group and session hosts.

   * Microsoft Entra Kerberos enabled on storage account.

Actions Taken:

  • Enabled Microsoft Entra Kerberos on storage account.
  • Verified RBAC roles for users and session hosts.
  • Attempted registry-based activation of Azure AD Kerberos.
  • Tried Intune OMA-URI policy but blocked by lack of enrollment.
  • Attempted manual re-join (dsregcmd /join) but failed due to Task Scheduler disabled.
  • Restarted VMs after registry changes → No effect.
  • Confirmed FSLogix requires Kerberos for Azure Files SMB access.

Current State:

  • AVD hosts are Azure AD joined only.
  • Azure AD Kerberos feature is not active.
  • FSLogix profile containers cannot mount because Kerberos tickets are not issued.
  • Intune enrollment and policy application blocked by Task Scheduler service disabled.
  • One VM became unbootable after join attempts; recovery in progress.

Assistance Needed:

  • Confirm supported method to enable Azure AD Kerberos on Azure AD joined AVD hosts without domain join.
  • Guidance on enforcing Azure AD Kerberos policy when Intune enrollment is blocked by Task Scheduler.
  • Any alternative approach for FSLogix profile containers with Azure Files in cloud-only environments.

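The checks the question lists (Task Scheduler, join state, the Kerberos policy, port 445, ticket cache) can be run together from the session host. The script below is an added example, not code from the original post or from Microsoft. It assumes an elevated PowerShell session on the AVD host and uses `<storageaccount>` as a placeholder; the registry value it reads under `Lsa\Kerberos\Parameters` is the one the `CloudKerberosTicketRetrievalEnabled` policy sets, which is a different location from the `HKLM\SOFTWARE\Microsoft\AzureADKerberos` key mentioned in the post.

```powershell
# Added diagnostic script for the session-host side of the problem described above.
# Not from the original post. Assumptions: elevated PowerShell on the AVD session host;
# <storageaccount> is a placeholder for the real storage account name.
$StorageAccount = '<storageaccount>'
$FileHost       = "$StorageAccount.file.core.windows.net"
$SharePath      = "\\$FileHost\profiles"

# Pull one "Name : Value" field out of dsregcmd /status output.
function Get-DsregField {
    param([string[]]$Output, [string]$Name)
    foreach ($line in $Output) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

$checks = [ordered]@{}

# 1. Task Scheduler: MDM enrollment and the dsregcmd scheduled tasks depend on it.
$sched = Get-Service -Name Schedule
$checks['Schedule service'] = "$($sched.Status) (StartType $($sched.StartType))"

# 2. Join and MDM state as dsregcmd reports it (MdmUrl is empty when not enrolled).
$dsreg = & dsregcmd /status
$checks['AzureAdJoined'] = Get-DsregField $dsreg 'AzureAdJoined'
$checks['DomainJoined']  = Get-DsregField $dsreg 'DomainJoined'
$checks['MdmUrl']        = Get-DsregField $dsreg 'MdmUrl'

# 3. The registry value behind the Kerberos policy CloudKerberosTicketRetrievalEnabled.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$policy = Get-ItemProperty -Path $kerbParams -Name CloudKerberosTicketRetrievalEnabled -ErrorAction SilentlyContinue
$checks['CloudKerberosTicketRetrievalEnabled'] =
    if ($policy) { $policy.CloudKerberosTicketRetrievalEnabled } else { 'not set' }

# 4. Network path to the file endpoint.
$tnc = Test-NetConnection -ComputerName $FileHost -Port 445 -WarningAction SilentlyContinue
$checks['TCP 445 reachable'] = $tnc.TcpTestSucceeded

# 5. Request a service ticket for the share, then inspect the cache. When Entra Kerberos
#    works the cache holds a TGT from KERBEROS.MICROSOFTONLINE.COM and a cifs/ ticket for
#    the file endpoint; with an empty cache the SMB client falls back to NTLM, which fails.
& klist get "cifs/$FileHost" | Out-Null
$cache = & klist
$checks['Cloud TGT in cache']   = [bool]($cache -match 'KERBEROS\.MICROSOFTONLINE\.COM')
$checks['cifs ticket in cache'] = [bool]($cache -match [regex]::Escape("cifs/$FileHost"))

# 6. Finally, try the share path itself.
$checks['Share reachable (Test-Path)'] = Test-Path -Path $SharePath

$checks.GetEnumerator() | Format-Table -AutoSize
```

Read the table top to bottom: a stopped or disabled Schedule service, an empty MdmUrl, and a "not set" policy value together reproduce the chain the question describes (no enrollment, no policy, no cloud TGT, NTLM fallback, error 86).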


1 answer

  1. Jilakara Hemalatha 13,425 Reputation points Microsoft External Staff Moderator
    2025-10-24T23:32:36.3766667+00:00

    Hi

    Thanks for reaching out. Please find the guidance regarding Azure AD Kerberos and FSLogix profile containers in cloud-only AVD environments below:

    Confirm supported method to enable Azure AD Kerberos on Azure AD joined AVD hosts without domain join.

    Microsoft Entra Kerberos is not supported for pure cloud-only environments with Entra ID joined AVD hosts and cloud-only user accounts. This feature requires hybrid identities (user accounts synced from on-premises Active Directory to Entra ID via Microsoft Entra Connect) to generate Kerberos tickets for Azure Files SMB access. Without hybrid sync, the Entra Kerberos feature cannot activate, even with manual registry changes.

    We noticed that you attempted to enable Azure AD Kerberos by adding the registry key:

    HKLM\SOFTWARE\Microsoft\AzureADKerberos\Enabled = 1

    Please note that this method is not supported and will not activate the feature. The only supported way to enable Azure AD Kerberos on Azure AD joined AVD hosts is through Intune policy:

    OMA-URI: ./Device/Vendor/MSFT/Kerberos/CloudKerberosTicketRetrievalEnabled Value: 1

    This requires the session hosts to be enrolled in Intune and the Task Scheduler service enabled for policy execution.

    Reference: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cintune#prerequisites

    Guidance on enforcing Azure AD Kerberos policy when Intune enrollment is blocked by Task Scheduler.

    The Task Scheduler service must be enabled on the AVD session hosts to allow successful Intune enrollment and policy application. If Task Scheduler is disabled (for example, by a baseline security policy), it prevents the execution of key commands like dsregcmd /join and blocks device enrollment. You should re-enable Task Scheduler either manually or through Group Policy to proceed with enrollment and policy deployment.

    • To check whether the service is running: Get-Service Schedule
    • To start the service: Start-Service -Name Schedule

    Any alternative approach for FSLogix profile containers with Azure Files in cloud-only environments.

    If Intune enrollment or hybrid join is not feasible, FSLogix profile containers cannot currently access Azure Files with Azure AD Kerberos authentication. Alternatives include:

    • Using hybrid Azure AD joined or domain-joined session hosts where Kerberos authentication can be fully enabled.
    • Leveraging other profile storage solutions such as Azure NetApp Files or Azure Blob Storage combined with alternate profile management strategies that do not require Kerberos tickets.
    • Temporarily using key-based authentication (storage account key or SAS) for FSLogix profile containers.

    Reference: https://learn.microsoft.com/en-us/fslogix/how-to-configure-profile-container-entra-id-hybrid

    To better understand could you please clarify the following:

    1. Are your AVD session hosts purely cloud-only (Azure AD joined), or is there any hybrid AD DS connectivity configured?
    2. Could you confirm if the Task Scheduler service can be re-enabled via Group Policy or manually?
    3. Have there been any recent changes to your environment setup that might be affecting Intune enrollment?

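The answer covers the host side (Intune policy, Task Scheduler). The storage-account side, which the question says was already done, is worth verifying with the same rigour. The script below is an added example, not code from the thread or from Microsoft. It assumes the Az.Storage and Az.Resources modules, an existing Connect-AzAccount session with read access to the account and its role assignments, and placeholder names for the resource group, account, share and user group.

```powershell
# Added verification script for the storage-account side; not from the original thread.
# Assumptions: Az.Storage and Az.Resources installed, Connect-AzAccount already run,
# and the four values below replaced with real ones.
$ResourceGroup  = '<resource-group>'
$StorageAccount = '<storageaccount>'
$ShareName      = 'profiles'
$UserGroupId    = '<object-id-of-avd-user-group>'

$acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$auth = $acct.AzureFilesIdentityBasedAuth

# Microsoft Entra Kerberos shows up as DirectoryServiceOptions = 'AADKERB'.
$option = if ($auth) { $auth.DirectoryServiceOptions } else { 'None' }
"Identity-based auth on $StorageAccount : $option"

if ($option -ne 'AADKERB') {
    # Enable it. The domain name/GUID parameters are the ones the Azure Files docs use
    # for hybrid identities; the answer above notes cloud-only identities are not supported.
    Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
        -EnableAzureActiveDirectoryKerberosForFile $true `
        -ActiveDirectoryDomainName '<ad-domain-fqdn>' `
        -ActiveDirectoryDomainGuid '<ad-domain-guid>'
    # Enabling creates an app registration for the account; an Entra admin must still grant
    # admin consent to that application's permissions before any tickets are issued.
}

# Share-level RBAC: the SMB data role must reach the user group at share scope (or be
# inherited from the account, resource group or subscription).
$shareScope = "$($acct.Id)/fileServices/default/fileshares/$ShareName"
$role       = 'Storage File Data SMB Share Contributor'
$assigned   = Get-AzRoleAssignment -Scope $shareScope -RoleDefinitionName $role
$hasGroup   = $assigned | Where-Object { $_.ObjectId -eq $UserGroupId }
"$role assigned to the AVD user group: $([bool]$hasGroup)"
$assigned | Select-Object DisplayName, ObjectType, Scope | Format-Table -AutoSize
```

If the key-based fallback the answer lists is used while this is sorted out, keep in mind that a storage account key grants full control over every share in the account and has to be stored on each session host, so rotate it and remove the stored credential once Kerberos works.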