![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 52%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EID%3C/text%3E%3C/svg%3E)
Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 8%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHS%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 79%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3END%3C/text%3E%3C/svg%3E)
Hey Ioannis, it looks like your host‐pool deployment is getting all the way to the VM creation but then the PowerShell DSC extension can’t pull down its config ZIP from the WVD storage endpoint:
The DSC Extension failed to execute: Error downloading … Unable to connect to the remote server.
That almost always means the VM can’t reach https://wvdportalstorageblob.blob.core.windows.net over HTTPS. Here’s how you can troubleshoot and fix it:
- Validate outbound connectivity
- On the VM run:
Test-NetConnection wvdportalstorageblob.blob.core.windows.net -Port 443 - If it fails, you know traffic on 443 is blocked somewhere.
- On the VM run:
- Check DNS resolution
- On the VM run:
nslookup wvdportalstorageblob.blob.core.windows.net - Ensure it resolves to a public IP and you’re not accidentally hitting a private DNS zone.
- On the VM run:
- Review NSG outbound rules
- Make sure there’s an outbound rule that allows TCP/443 to “Internet” or at least to the Storage service tag.
- Examine route tables (UDRs)
- If you’ve assigned a custom route table, confirm there’s a valid default route (0.0.0.0/0) to your internet egress (NAT gateway, firewall, internet).
- Inspect any firewalls or proxies
- If you’re using Azure Firewall, on‐prem proxy, or a network virtual appliance, check that it’s not blocking or inspecting that storage endpoint.
- Some firewalls require you to explicitly allow the FQDN or the storage account’s service tag.
Once you restore 443 connectivity to that blob endpoint, you can:
- Hit Redeploy on the failed extension in the portal
- OR Remove & reapply the Microsoft.Powershell.DSC extension via PowerShell/ARM
Let me know if that gets you past this error!
Reference docs:
- Troubleshoot the DSC VM extension on Windows VMs – https://aka.ms/vmExtensionDSCWindowsTroubleshoot
- Understand outbound network dependencies for Azure VMs – https://learn.microsoft.com/azure/virtual-network/troubleshoot-outbound-connection-problems
- Create and manage Azure Virtual Desktop host pools – https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-portal
Feel free to share the results of your Test-NetConnection/nslookup or any custom NSG/UDR details if you’re still stuck.
Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.