Some users unable to connect to Azure Virtual Desktop host via Windows App

Question

Some users unable to connect to Azure Virtual Desktop host via Windows App

Daniel Monroe 15

We currently have an AVD host pool of 3 session hosts joined to an Entra Domain Services domain. Some of our users are able to connect successfully by entering their AD credentials in the login prompt after clicking Connect. Others never receive the login prompt. Connections through the web client are working, so we have ruled out any permissions or specific AD authentication issues. Connection through the Windows App also succeeds on fresh machines. The issue only occurs with existing Windows installations that have signed in to organization accounts before installing Windows App. These machines are all Entra Registered and not Entra Joined.

We suspect there is some kind of token being passed by those users' workstations. This appears to be confirmed by the Entra sign-in logs. See below.

User's image

Under Authentication Details, the sign-in attempts show Authentication method: Previously satisfied and Result detail: First factor requirement satisfied by claim in the token. See below.

User's image

Unfortunately, Entra-only authentication is not an option for this implementation and we must stick with Entra Domain Services for these session hosts. Any help and insight would be greatly appreciated!

Markapuram Sudheer Reddy 2,050 Reputation points Microsoft External Staff Moderator

2025-03-25T21:52:25.7033333+00:00

Hi Daniel Monroe,

Please confirm does any Conditional Access policies applied to the any users.

Have any users reported any specific error messages or behaviors when attempting to connect via the Windows App.

Can you give us more information on what people with existing Windows installations that have signed in to organization accounts before installing Windows App are facing.
Daniel Monroe 15 Reputation points

2025-03-25T21:57:08.9133333+00:00

Hello @Markapuram Sudheer Reddy ,

There are no Conditional Access policies in place.

The error that appears in Windows App reads "Connection attempt timed out. Please try again." This happens after they click Connect next to the name of the host pool. No login prompt comes up, and therefore the connection times out. Other users are able to see the login prompt, enter their AD credentials, and connect to the session hosts.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-03-26T16:00:14.9866667+00:00
This issue appears to be related to token-based silent authentication happening due to prior account sign-ins on those devices. The Windows App is silently authenticating using a cached token from an Entra ID sign-in instead of prompting for credentials, and this token does not satisfy the authentication requirements for AAD DS which backs your AVD host pool.

Could you kindly confirm once by doing the following on one of the affected machines-

Open Credential Manager (Control Panel > Credential Manager > Windows Credentials).

Look for MicrosoftOffice16_Data:ADAL Token Cache or any Generic credentials related to WindowsApps, AVD, or Azure.

Also try running- dsregcmd /status and and review the SSO State and Device State.

you can try to sign out of the Windows App entirely and clear its cache. Delete folder contents- %LocalAppData%\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\LocalState

Second workaround is using web client which you already mentioned works

Give it a try and let me know how it goes.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-03-27T06:00:36.4666667+00:00

Following up on this Daniel, did you get a chance to checkout the steps which I suggested?
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-03-28T09:40:35.5733333+00:00

Following up on this Daniel, hope your issue is resolved.
Daniel Monroe 15 Reputation points

2025-03-28T14:26:54.4466667+00:00

Hi Arko,We tried the suggested steps and still no luck. The affected machines that are unable to connect are all Entra Registered and not Entra Joined. That being said, we have had other users with success on both Entra Registered and Entra Joined machines.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-03-31T11:37:45.82+00:00

Hi Daniel Monroe, thanks for the clarity. Based on the evidence provided by you so far, you're encountering a silent token-based authentication which is taking place due to prior Entra ID account sign-ins on the affected machines. Since these machines are Entra Registered (not Entra Joined) and have signed into work accounts before, the Windows App is attempting to authenticate using a cached Primary Refresh Token (PRT) — bypassing the usual AD credential prompt. Your sign-in logs confirm this with below pointers-

Authentication method which previously satisfied

and your result detail where first factor requirement satisfied by claim in the token.

This indicates the client is reusing a token instead of prompting for credentials. This silent token, while valid for Entra ID-based resources, does not satisfy the authentication requirements for Entra Domain Services (AAD DS) that your AVD host pool is joined to. As a result, the connection attempt silently fails after skipping the credential prompt, leading to the timeout error you're seeing.

Kindly check out below two options and let me know

Option1- Force Windows App to Prompt for Credentials i.e. sign out of the Windows App completely and delete this folder: %LocalAppData%\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\LocalState

Open credential manager under control panel and look for and remove any entries related to - MicrosoftOffice16_Data:ADAL Token Cache or Azure, WindowsApps, or AVD.

And try launching Windows App with credentials prompt. If you're using a shortcut or script, you can add: msrdcw.exe /PromptForCredentials

This should force the client to prompt the user rather than silently reuse a cached token.

Option 2- Reset Entra Registration (last option)

If option 1 doesn’t helps, then disconnect the account from Settings > Accounts > Access work or school and run the following command in an elevated Command Prompt: dsregcmd /leave . Reboot the device and reinstall the Windows App and re-add the workspace. Once all this is done, verify using

dsregcmd /status

As you already noted, the web client works fine since it doesn't leverage the same silent auth behavior. Please let me know if my above two suggested options resolve your issue. Thanks
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-01T13:53:43.89+00:00

Hello Daniel, Hope your query is resolved
Daniel Monroe 15 Reputation points

2025-04-01T17:02:03.7666667+00:00

Hi Arko,

Our users are currently using Windows App and note the Remote Desktop app. It is my understanding the Remote Desktop app is being retired in favor of Windows App, so we want to make sure our users are covered for the foreseeable future. Therefore, we do not have a directory at the path %LocalAppData%\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe. Is there an equivalent directory for the Windows App, as well as an equivalent argument we can pass to the Windows App to prompt for credentials?
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-02T07:10:08.5433333+00:00

You're right, the classic Remote Desktop UWP app (Microsoft.RemoteDesktop_8wekyb3d8bbwe) is being retired in favor of the newer Windows App (Remote Desktop Modern), and it follows a different storage and behavior model.

Is there an equivalent directory for the Windows App?

In that case, look in here- %LocalAppData%\Packages\RemoteDesktopModern_8wekyb3d8bbwe\

Goto %LocalAppData%\Packages in File Explorer and look for a folder that starts with RemoteDesktopModern_. Inside that folder, you should see sub folders like LocalState, TokenCache, and RemoteResources where user/workspace metadata is stored.

Note- If the Windows App is installed via MSI or enterprise deployment, the path may not be in Packages\RemoteDesktopModern_...

If you're trying to reset the user session or force a credential prompt, you can sign out of the Windows App and then delete the contents of the LocalState folder. At this time, the Windows App does not support a command-line argument to force a credential prompt.
Use sign-out + token cleanup + dsregcmd /leave as a workaround to trigger credential re-prompt.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-03T12:18:38.18+00:00

Following up on this. Kindly confirm if the above suggestion was useful in resolving your query.
Zack Shaffer 40 Reputation points

2025-04-03T19:04:52.2966667+00:00

This has started happening to users in my org in the past few days as well.

They do not have any credentials for the accounts in Credential Manager, and there is no such "Microsoft.RemoteDesktop" folder in their %LocalAppData%\Packages\

It's not an account issue or an issue with the host pool, as we can use their account to connect to the host pool through the windows app on a different PC just fine.

We have tried signing out of the Windows App entirely and signing back in.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-04T05:44:19.4633333+00:00

Hi Zack Shaffer, when users are on Entra Registered (but not Entra Joined) devices and have previously signed in to a work account, the Windows App (Remote Desktop Modern) can attempt silent token-based authentication using a cached Primary Refresh Token (PRT), instead of prompting for credentials. This behavior can cause the connection to fail silently or timeout especially in environments where Entra Domain Services (AAD DS) is backing the AVD host pool, and NTLM/Kerberos credentials are expected. Windows App signs in silently using cached tokens from previous account sign-in and this behavior works fine on other PCs because the auth context differs (e.g. fresh login, no PRT, different device registration state).
Daniel Monroe 15 Reputation points

2025-04-04T14:14:41.1166667+00:00

Hi Arko, our experience sounds like it is identical to @Zack Shaffer . We don't have any folders that start with RemoteDesktopModern_. Based on what you said, it seems like removal of the Primary Refresh Token could fix the issue, but we can't find any way to do this with the Windows App.

There is a folder with Windows365 in the name, though its LocalState folder is already empty (see below).

There are no TokenCache or RemoteResources folders, though there is a LocalCache folder with a ResourceCache folder inside (see below).
Daniel Monroe 15 Reputation points

2025-05-13T18:15:28.3566667+00:00

Hello, I had some communication from Microsoft, but my ticket was closed without resolution and I have attempted several times to get this re-opened. There has been no progress in getting this issue resolved. My emails with the support engineers have gone unanswered. Any help would be appreciated.
kobulloc-MSFT 26,801 Reputation points Microsoft Employee Moderator

2025-05-13T20:44:54.4233333+00:00

Hello, @Daniel Monroe ! I'll reach out directly to get caught up on the status of your ticket.
Christian Gamwo 5 Reputation points

2025-05-15T08:44:16.1866667+00:00
Hello,

Glad to know that i'm not the only having this issue.

On my side i get the prompt to login to the resource/Workspace but when i sign in I get "The credentials that were used to connect xxxx-xxxx-xxxx-xxxx did not work. Please enter new credentials".

We know for a fact the credentials are working because they work on the Windows Apps registration when it loads the workspaces and also on the Windows Apps web version. Using Remote Desktop app also work.

This happens on all Azure AD join /Intune managed devices of the same tenant, oddly enough it works on personal computer.

I checked all CA polices, but none of them can cause such things to happen.

I truly hope Microsoft have a workaround or a fix seeing that the current Remote Desktop app is reaching end of support in a few days.

@kobulloc msft please, your urgent assistance would greatly be appreciated.

Regards

Christian
Thomas Barbay 0 Reputation points

2025-05-30T13:28:00.98+00:00

Hello,

We have the same issue here, randomly some users are not able to connect to AVD through Windows App. It's working with web access.

We don't have any folder named "Microsoft.RemoteDesktop" in "%LocalAppData%\Packages".

Our client devices are Microsoft Entra Joined and Windows App is deployed through Intune as a "Microsoft Store app (new)" and up to date.

Right now the only solution is to reboot the client or reset the Windows App in Windows Settings.
kobulloc-MSFT 26,801 Reputation points Microsoft Employee Moderator

2025-05-31T00:33:10.57+00:00

If you need immediate assistance, please start a new thread so that someone can assist you (and reference this thread for tracking).

It looks like in this instance, there was some troubleshooting that proved to be inconclusive.

1 answer

Your answer

Markapuram Sudheer Reddy 2,050 Reputation points Microsoft External Staff Moderator

2025-03-25T21:52:25.7033333+00:00

Hi Daniel Monroe,

Please confirm does any Conditional Access policies applied to the any users.

Have any users reported any specific error messages or behaviors when attempting to connect via the Windows App.

Can you give us more information on what people with existing Windows installations that have signed in to organization accounts before installing Windows App are facing.
Daniel Monroe 15 Reputation points

2025-03-25T21:57:08.9133333+00:00

Hello @Markapuram Sudheer Reddy ,

There are no Conditional Access policies in place.

The error that appears in Windows App reads "Connection attempt timed out. Please try again." This happens after they click Connect next to the name of the host pool. No login prompt comes up, and therefore the connection times out. Other users are able to see the login prompt, enter their AD credentials, and connect to the session hosts.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-03-26T16:00:14.9866667+00:00

This issue appears to be related to token-based silent authentication happening due to prior account sign-ins on those devices. The Windows App is silently authenticating using a cached token from an Entra ID sign-in instead of prompting for credentials, and this token does not satisfy the authentication requirements for AAD DS which backs your AVD host pool.

Could you kindly confirm once by doing the following on one of the affected machines-

Open Credential Manager (Control Panel > Credential Manager > Windows Credentials).

Look for MicrosoftOffice16_Data:ADAL Token Cache or any Generic credentials related to WindowsApps, AVD, or Azure.

Also try running- dsregcmd /status and and review the SSO State and Device State.

you can try to sign out of the Windows App entirely and clear its cache. Delete folder contents- %LocalAppData%\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\LocalState

Second workaround is using web client which you already mentioned works

Give it a try and let me know how it goes.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-03-27T06:00:36.4666667+00:00

Following up on this Daniel, did you get a chance to checkout the steps which I suggested?
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-03-28T09:40:35.5733333+00:00

Following up on this Daniel, hope your issue is resolved.
Daniel Monroe 15 Reputation points

2025-03-28T14:26:54.4466667+00:00

Hi Arko,We tried the suggested steps and still no luck. The affected machines that are unable to connect are all Entra Registered and not Entra Joined. That being said, we have had other users with success on both Entra Registered and Entra Joined machines.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-01T13:53:43.89+00:00

Hello Daniel, Hope your query is resolved
Daniel Monroe 15 Reputation points

2025-04-01T17:02:03.7666667+00:00

Hi Arko,

Our users are currently using Windows App and note the Remote Desktop app. It is my understanding the Remote Desktop app is being retired in favor of Windows App, so we want to make sure our users are covered for the foreseeable future. Therefore, we do not have a directory at the path %LocalAppData%\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe. Is there an equivalent directory for the Windows App, as well as an equivalent argument we can pass to the Windows App to prompt for credentials?
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-02T07:10:08.5433333+00:00

You're right, the classic Remote Desktop UWP app (Microsoft.RemoteDesktop_8wekyb3d8bbwe) is being retired in favor of the newer Windows App (Remote Desktop Modern), and it follows a different storage and behavior model.

Is there an equivalent directory for the Windows App?

In that case, look in here- %LocalAppData%\Packages\RemoteDesktopModern_8wekyb3d8bbwe\

Goto %LocalAppData%\Packages in File Explorer and look for a folder that starts with RemoteDesktopModern_. Inside that folder, you should see sub folders like LocalState, TokenCache, and RemoteResources where user/workspace metadata is stored.

Note- If the Windows App is installed via MSI or enterprise deployment, the path may not be in Packages\RemoteDesktopModern_...

If you're trying to reset the user session or force a credential prompt, you can sign out of the Windows App and then delete the contents of the LocalState folder. At this time, the Windows App does not support a command-line argument to force a credential prompt.
Use sign-out + token cleanup + dsregcmd /leave as a workaround to trigger credential re-prompt.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-03T12:18:38.18+00:00

Following up on this. Kindly confirm if the above suggestion was useful in resolving your query.
Zack Shaffer 40 Reputation points

2025-04-03T19:04:52.2966667+00:00

This has started happening to users in my org in the past few days as well.

They do not have any credentials for the accounts in Credential Manager, and there is no such "Microsoft.RemoteDesktop" folder in their %LocalAppData%\Packages\

It's not an account issue or an issue with the host pool, as we can use their account to connect to the host pool through the windows app on a different PC just fine.

We have tried signing out of the Windows App entirely and signing back in.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-04T05:44:19.4633333+00:00

Hi Zack Shaffer, when users are on Entra Registered (but not Entra Joined) devices and have previously signed in to a work account, the Windows App (Remote Desktop Modern) can attempt silent token-based authentication using a cached Primary Refresh Token (PRT), instead of prompting for credentials. This behavior can cause the connection to fail silently or timeout especially in environments where Entra Domain Services (AAD DS) is backing the AVD host pool, and NTLM/Kerberos credentials are expected. Windows App signs in silently using cached tokens from previous account sign-in and this behavior works fine on other PCs because the auth context differs (e.g. fresh login, no PRT, different device registration state).
Daniel Monroe 15 Reputation points

2025-04-04T14:14:41.1166667+00:00

Hi Arko, our experience sounds like it is identical to @Zack Shaffer . We don't have any folders that start with RemoteDesktopModern_. Based on what you said, it seems like removal of the Primary Refresh Token could fix the issue, but we can't find any way to do this with the Windows App.

There is a folder with Windows365 in the name, though its LocalState folder is already empty (see below).

There are no TokenCache or RemoteResources folders, though there is a LocalCache folder with a ResourceCache folder inside (see below).
Daniel Monroe 15 Reputation points

2025-05-13T18:15:28.3566667+00:00

Hello, I had some communication from Microsoft, but my ticket was closed without resolution and I have attempted several times to get this re-opened. There has been no progress in getting this issue resolved. My emails with the support engineers have gone unanswered. Any help would be appreciated.
kobulloc-MSFT 26,801 Reputation points Microsoft Employee Moderator

2025-05-13T20:44:54.4233333+00:00

Hello, @Daniel Monroe ! I'll reach out directly to get caught up on the status of your ticket.
Christian Gamwo 5 Reputation points

2025-05-15T08:44:16.1866667+00:00

Hello,

Glad to know that i'm not the only having this issue.

On my side i get the prompt to login to the resource/Workspace but when i sign in I get "The credentials that were used to connect xxxx-xxxx-xxxx-xxxx did not work. Please enter new credentials".

We know for a fact the credentials are working because they work on the Windows Apps registration when it loads the workspaces and also on the Windows Apps web version. Using Remote Desktop app also work.

This happens on all Azure AD join /Intune managed devices of the same tenant, oddly enough it works on personal computer.

I checked all CA polices, but none of them can cause such things to happen.

I truly hope Microsoft have a workaround or a fix seeing that the current Remote Desktop app is reaching end of support in a few days.

@kobulloc msft please, your urgent assistance would greatly be appreciated.

Regards

Christian
Thomas Barbay 0 Reputation points

2025-05-30T13:28:00.98+00:00

Hello,

We have the same issue here, randomly some users are not able to connect to AVD through Windows App. It's working with web access.

We don't have any folder named "Microsoft.RemoteDesktop" in "%LocalAppData%\Packages".

Our client devices are Microsoft Entra Joined and Windows App is deployed through Intune as a "Microsoft Store app (new)" and up to date.

Right now the only solution is to reboot the client or reset the Windows App in Windows Settings.
kobulloc-MSFT 26,801 Reputation points Microsoft Employee Moderator

2025-05-31T00:33:10.57+00:00

If you need immediate assistance, please start a new thread so that someone can assist you (and reference this thread for tracking).

It looks like in this instance, there was some troubleshooting that proved to be inconclusive.

Answer 1

Christian Gamwo 5

Hello,

After months of troubleshooting, we successfully resolved our authentication issue yesterday.

The problem stemmed from Windows applications on all Azure AD-joined computers attempting to authenticate against an on-premises Active Directory that was decommissioned two years ago.

To address this, we modified the RDP properties on the host pools as follows: Navigate to Settings > RDP Properties > Advanced, then add the following value:

;enablerdsaadauth:i:1

After saving the changes, authentication is now correctly routed through Microsoft Entra.

This simple adjustment resolved the issue for us, and I hope it proves useful for others facing similar challenges.

kobulloc-MSFT 26,801 Reputation points Microsoft Employee Moderator

2025-06-06T15:13:58.4433333+00:00

Thank you very much for adding your resolution, @Christian Gamwo !

Share via

Some users unable to connect to Azure Virtual Desktop host via Windows App

1 answer

Your answer