Home | Design | Features | Get Started | Parameters | Scope | Zero Trust Framework
If you are utilizing the Template Spec UI to deploy the Azure Virtual Desktop hostpool and are trying to reference existing Key Vault secrets, you may not be able to list the existing secrets in the UI. There can be two reasons:
- The key vault network firewall blocks public network access and you are not running the template spec or blue-button deployment from a machine that is able to access the Virtual Network where the key vault private endpoint is attached. Fix this by running the deployment from a jump host inside your azure environment.
- The user account logged into the Azure Portal when running the template spec or blue-button deployment does not have the rights granted by the Key Vault Secrets User role. Fix this issue by granting the user this role on the key vault.
You receive an error similar to the following:
{
"status": "Failed",
"error": {
"code": "RoleAssignmentUpdateNotPermitted",
"message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."
}
}You may have orphaned role assignments.
Fix this issue by running the following PowerShell commands from the Cloud Shell.
$orphanedRoleAssignments = Get-AzRoleAssignment | Where-object -Property Displayname -eq $null
if ($orphanedRoleAssignments.Count -eq 0) {
Write-Output "No orphaned role assignments found. Exiting."
exit 0
}
Write-Output "Total number of orphaned role assignments: $($orphanedRoleAssignments.Count)"
$orphanCounter = 0
foreach ($assignment in $orphanedRoleAssignments) {
$orphanCounter++
Write-Output "Attempting to remove item number $orphanCounter for RoleAssignmentName: $($assignment.RoleAssignmentName) | RoleAssignmentId: $($assignment.RoleAssignmentId) | ObjectId: $($assignment.ObjectId) | RoleDefinitionName: $($assignment.RoleDefinitionName) | Scope: $($assignment.Scope)"
Remove-AzRoleAssignment -ObjectId $assignment.ObjectId -RoleDefinitionName $assignment.RoleDefinitionName -Scope $assignment.Scope
Write-Output "Successfully removed item number $orphanCounter"
}If you need to redeploy this solution due to an error or to add resources, be sure the virtual machines (aka session hosts) are turned on. For "pooled" host pools, you must disable scaling as well. If the virtual machines are shutdown, the deployment will fail since virtual machine extensions cannot be updated when virtual machines are in a shutdown state.
If you existing deployment resource groups, you should delete the virtual machine in this resource group in order to ensure a fresh virtual machine is used to run the deployment scripts leveraged by this solution.
[WinError 193] %1 is not a valid Win32 application ... missing tolower
Corrupt Bizep Install
Reinstall Bicep by following the steps at Bicep Installation
The Session Host deployment failed and after digging into the deployment you find that the 'AVDAgentInstallandConfig' DSC extension failed.
This may be due to an issue with the file name (or Url) specified in the 'avdAgentsDSCPackage' parameter of the deployment.
Complete these steps to determine if this is the issue.
-
Review the inputs of your failed deployment at the root level. Look for and save the value of the 'avdAgentsDSCPackage' parameter to Notepad. Keep Notepad Open.
-
Follow the standard portal instructions from Add session hosts to a host pool to the Review + create tab, but do not click Create.
-
Select Download a template for automation.
-
Select the Parameters link on the Template screen.
-
Search for the artifactsLocation parameter and then copy the contents to Notepad below the entry from Step 1.
-
Compare the values and note if the value is incorrect. Update the 'avdAgentsDSCPackage' parameter value in your parameters file or use this new value in the AVD Agent DSC Package text box on the Session Hosts pane of the template spec (or blue-button deployment).
