FSLogix profile disk disconnected after 10 hours

Introduction

Today is a day when you had to work late, and then this. You’re working and suddenly your profile is no longer fully functional. After logging out and back in, everything works again, but what was going on?

Or you are a developer with a personal VDI. In the evening, you close the session window and want to pick up the next day exactly where you left off. But in the morning, after logging in, your session behaves differently: the Start menu no longer works correctly, and every application that signs in with Microsoft Entra ID (Teams, Edge, Outlook, OneDrive) asks you to sign in again. What’s going on?

We worked on a ticket with Microsoft Support for a customer over a long period of time and closed it after more than half a year. In my personal opinion, this deployment scenario is becoming more and more common. My aim with this post is to raise awareness of the problem and to help you find a quick solution if you have the same setup.

Initial situation

We were testing personal VDIs that are joined to Microsoft Entra ID only. Users log in with a hybrid identity, and the operating system is prepared for this. The profile disks are stored on a storage account that is also joined to Microsoft Entra ID. All in all, a supported scenario.

The user can log in and gets a profile, so far everything works.

https://learn.microsoft.com/en-us/azure/virtual-desktop/authentication

https://learn.microsoft.com/en-us/azure/virtual-desktop/azure-ad-joined-session-hosts

https://learn.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-azure-ad

The customer decided that users with a personal VDI may leave their session disconnected for up to 4 days before they are logged off. This lets users treat their VDI much like Windows 365.

For a better user experience, we enabled single sign-on (SSO). However, the users’ sessions were set to lock after 5 minutes, which in this constellation means that the session is disconnected.

https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on#disconnection-when-the-session-is-locked

The domain’s default configuration sets the maximum lifetime for a service ticket to 10 hours.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket#default-values

Increasing this value is not recommended; best practice is to leave it at 10 hours.

Symptom

While testing the personal VDI, the IT users were the first to report that something might be wrong with the profile. They started a session, tested it, and then returned to other work. After 5 minutes, the session was disconnected. Hours could pass before the next test, often not until the evening or the next day. In retrospect, it is clear that this interruption lasted at least 10 hours.

After logging on to the existing session, the symptoms appeared:

  • Start menu was not functional
  • You had to log in to the Microsoft applications again, but the apps still didn’t work properly
  • Links on the desktop had disappeared
  • Applications in the task list were without icons

The FSLogix log also showed the error “Failed to read WindowsSessionID…”, and later the disk could not reconnect when I logged on to the session again.

You can also find corresponding entries in the event log (screenshot not reproduced here).

After the login

If you display the Kerberos tickets after logging in (command executed: klist), you will see the following:

User with the error: (klist output not reproduced here)

User without error: (klist output not reproduced here)

After 10 hours

More than ten hours later, the output looks like this (command executed: klist):

User with the error: (klist output not reproduced here)

User without error: (klist output not reproduced here)

Workaround

The first suggestion from Microsoft was to increase the maximum service ticket lifetime, even though their own article advises against this. We ruled this out.

However, there are two workarounds that work:

  • Configuring FSLogix so that its service accesses the share with the storage account access key instead of the user’s Kerberos ticket (setting: AccessNetworkAsComputerObject)
  • A script that regularly renews the Kerberos tickets in the user’s context

The solution with the storage access key requires that no user works as an administrator on the system, since a local administrator could extract the stored key; this cannot be ruled out on a personal VDI. You can find good instructions at Marcel Meurer: https://blog.itprocloud.de/Using-FSLogix-file-shares-with-Azure-AD-cloud-identities-in-Azure-Virtual-Desktop-AVD/

We tested the script approach and it works. All that remains is to run the script regularly in the user context.
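What such a script can look like, as an added example that is not the script from this post, from Microsoft or from FSLogix: it parses the plain-text klist output for the SMB service ticket of the profile storage account (SPN cifs/<storage account FQDN>), requests a new ticket with "klist get" when the cached one is missing or about to expire, and can register itself as a scheduled task that runs hourly in the interactive user's context. The storage account FQDN is a placeholder, the hourly interval and the 120-minute renewal threshold are design choices sized for the 10-hour default ticket lifetime, and it is an assumption that "klist get" obtains a fresh service ticket once the cached one has expired, that the date format in klist output is parseable in the current locale, and that a task with the Interactive logon type keeps running while the session is merely disconnected.

```powershell
<#
  Added example (not from the original post, Microsoft or FSLogix).
  Keeps the Kerberos service ticket for the FSLogix profile share alive
  in the user's own logon session.
  Placeholders / assumptions: $StorageFqdn below, "klist get <SPN>" as the
  renewal call, locale-parseable klist dates, Interactive task logon type.
#>
param(
    [string]$StorageFqdn        = 'STORAGEACCOUNT.file.core.windows.net', # placeholder
    [int]   $RenewBeforeMinutes = 120,                                     # renew when less than 2 h remain
    [switch]$Register                                                      # register the scheduled task and exit
)

$Spn = "cifs/$StorageFqdn"   # SMB service principal of the profile share

# Parse klist output and return the "End Time" of the cached ticket for $Spn,
# or $null when no ticket for that SPN is cached.
function Get-ServiceTicketEndTime {
    param([string]$Spn)
    $currentServer = $null
    foreach ($line in (klist 2>$null)) {
        # "Server: cifs/acct.file.core.windows.net @ KERBEROS.MICROSOFTONLINE.COM"
        if ($line -match '^\s*Server:\s+(\S+)') { $currentServer = $Matches[1]; continue }
        # "End Time:   6/13/2024 18:12:34 (local)"
        if ($currentServer -and $currentServer -ieq $Spn -and
            $line -match '^\s*End Time:\s+(.+?)\s*\(local\)') {
            return [datetime]::Parse($Matches[1].Trim())
        }
    }
    return $null
}

# Request a new service ticket when the cached one is missing or close to expiry.
function Update-ServiceTicket {
    param([string]$Spn, [int]$RenewBeforeMinutes)
    $threshold = (Get-Date).AddMinutes($RenewBeforeMinutes)
    $end = Get-ServiceTicketEndTime -Spn $Spn
    if ($null -ne $end -and $end -gt $threshold) {
        Write-Host "Ticket for $Spn valid until $end, nothing to do."
        return
    }
    Write-Host "Ticket for $Spn missing or expires before $threshold, requesting a new one."
    klist get $Spn | Out-Null           # assumption: re-requests the ticket from the KDC
    $newEnd = Get-ServiceTicketEndTime -Spn $Spn
    if ($null -eq $newEnd -or $newEnd -le $threshold) {
        # Typically means the (cloud) TGT itself is no longer usable; the profile
        # disk will disconnect unless the user logs on again.
        Write-Warning "Could not obtain a fresh ticket for $Spn."
        exit 1
    }
    Write-Host "New ticket valid until $newEnd."
}

if ($Register) {
    # Task runs as the current user (Interactive logon type), hourly, so a
    # 10-hour ticket is always renewed at least 2 hours before it expires.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$PSCommandPath`" -StorageFqdn $StorageFqdn"
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType Interactive
    Register-ScheduledTask -TaskName 'Renew-FSLogixKerberosTicket' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
    Write-Host 'Scheduled task registered for the current user (hourly while logged on).'
    return
}

Update-ServiceTicket -Spn $Spn -RenewBeforeMinutes $RenewBeforeMinutes
```

Run the script once with -Register inside the user's session; afterwards it runs every hour in that session. The check is deliberately conservative: with an hourly interval and a two-hour threshold, a ticket that is valid for 10 hours can never expire between two runs. If the renewal fails, the warning is the point at which to look at the klist output for the cloud TGT (krbtgt/KERBEROS.MICROSOFTONLINE.COM), because a service ticket can only be re-requested while that TGT is still usable.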

Solution

From Microsoft’s point of view, the behavior is as expected. Unfortunately, a solution is not in sight at the moment, but the problem is in the backlog.

If the scenario also affects you, there is something you can do besides implementing one of the workarounds: open a ticket with Microsoft, point out that this is a known problem, and state that you have the same use case or the same problem. The more customers report it, the more likely it is to be solved quickly, rather than just a workaround making the rounds.

Conclusion

Why don’t we see this with all users? Because the customer also wanted Microsoft Entra ID-only users to log in to the multi-session hosts, we had to use the storage account access key on those systems. For security reasons, we wanted to do without it on the personal VDIs.

We have not implemented the workaround, as only the personal VDIs are affected so far. OneDrive is configured for the users, and we now back up the complete profile together with a backup of the VM. If we want to get rid of the storage access keys, we would have the same problem with the other users as well, and then we would probably have to implement the workaround. But I hope that either Microsoft will solve the problem because of the customer feedback, or that it will solve itself once we no longer need hybrid users to store FSLogix profiles on a storage account.