Troubleshoot Cloud PC Azure Network Connection Error
In this post, let’s learn how effectively you can troubleshoot Windows 365 Cloud PC Azure network connection error. Troubleshooting network connection errors on Windows 365 Cloud PC involves a systematic approach to diagnose and resolve issues affecting connectivity.
Windows 365 provisioning failures may occur if the Desired State Configuration (DSC) extension isn't signed and the PowerShell execution policy is set to AllSigned through a Group Policy Object (GPO). Other potential causes of connection errors include resource issues on your Cloud PC and network configuration settings; in such cases, reviewing the network configuration can help.
Windows 365 Cloud PC leverages Azure network connections for its operations. However, users may sometimes encounter network connection errors. The Azure network connection (ANC) periodically checks your environment to ensure all requirements are met and are in a healthy state.
If any check fails, error messages can be seen in the Microsoft Intune admin center. An Azure network connection (ANC) is an object in the Intune admin center that provides Cloud PC provisioning profiles with the required information to connect to network-based resources.
ANCs are used when a Cloud PC is initially provisioned, and when Windows 365 periodically checks the connection to the on-premises infrastructure to ensure the best end-user experience.
Supported Checks for Azure Network Connection
There are two kinds of ANCs based on their join type. Both let you manage traffic and Cloud PC access to network-based resources, but they have different connectivity requirements. You will get the details of running checks in the Azure Network Connection tab.
When a Cloud PC is provisioned, the information in the ANC is used by the provisioning policy to provision the Cloud PC. Depending on the join type (Microsoft Entra ID or Microsoft Entra hybrid join), the following checks are performed.
- DNS can resolve Active Directory domain: Resolve the provided Active Directory domain name.
- Active Directory domain join: A domain join using the credentials, domain, and OU provided.
- Endpoint connectivity: Connectivity to the required URL/endpoints.
- Microsoft Entra device sync (warning): Device ID sync is enabled on the Microsoft Entra tenant, and the computer object is being synced within 90 minutes.
- Azure subnet IP address usage: Sufficient IP addresses are available in the provided Azure subnet.
- Azure tenant readiness: The defined Azure subscription is enabled and ready for use. No Azure policy restrictions are blocking Windows 365 resources from being created.
- Azure virtual network readiness: The defined vNet is in a Windows 365 supported region.
- First party app permissions exist on Azure subscription: Sufficient permissions exist on the Azure subscription.
- First party app permissions exist on Azure resource group: Sufficient permissions exist on the Azure resource group.
- First party app permissions exist on Azure virtual network: Sufficient permissions exist on the Azure vNet.
- Environment and configuration is ready: Underlying infrastructure is ready for provisioning to succeed.
- Intune enrollment restrictions allow Windows enrollment: Verify that Intune enrollment restrictions are configured to allow Windows enrollment.
- Localization language package readiness: Verify that the operating system and Microsoft 365 language packages are reachable. Also verify that the localization package download link is reachable.
- UDP connection check: Network configuration allows the use of UDP direct connection (STUN).
- Single sign-on configuration: Determine if the network is properly configured for single sign-on to Microsoft Entra hybrid joined Cloud PCs by ensuring a Kerberos Server object exists.
Cloud PC Azure Network Connection Checks Failed
In the Azure network connection tab, every ANC created displays a status that helps you determine if new Cloud PCs can be expected to provision successfully and that existing end-users have an optimal Cloud PC experience.
- Checks successful with warnings: All critical health checks passed. However, at least one non-critical check may have issues.
- Checks failed: One or more required checks failed. An ANC can’t be used if it’s in a failed state. You’ll have to resolve the underlying issue and Retry the health checks.
Every failed ANC or success with a warning error state includes the technical details behind the failure. Select the View Details link for each failed check to view more information on the failure.
A required DSC script cannot be accessed or run.
During provisioning, some PowerShell DSC scripts are executed on the Cloud PC. We were unable to either download these DSC scripts or execute them. Please ensure your vNet has unrestricted access to the required endpoints, and that PowerShell is not blocked in your environment or Group Policy.
Possible Solutions to Fix Cloud PC Azure Network Connection Error Unable to Run DSC Script
There could be several reasons why you are unable to run a DSC script. Here are some possible solutions, and steps to validate while troubleshooting:
Review the configuration or Group Policy applied to the OU into which you are moving your Cloud PC to ensure the policy is not blocking provisioning. It is recommended to start testing by excluding the Group Policy from the OU to see whether the experience changes.
The next step is to block Group Policy object inheritance on the OU isolated for Cloud PC provisioning. Open Group Policy Management, expand the forest and domain, right-click the OU, and select Block Inheritance.
Ensure the vNet has access to the URLs and ports defined for Windows 365 services. You must allow traffic in your network configuration to the service URLs and ports to support provisioning and management of Cloud PCs and remote connectivity to them. For details, refer to the article Network Requirements for Windows 365.
Ensure the PowerShell execution policy set up in your environment is not blocking or preventing the running of PowerShell scripts. It is recommended to set the execution policy to RemoteSigned for Cloud PC provisioning, or to reset the PowerShell execution policy to Unrestricted.
The Azure network connection (ANC) might also fail with the error: An internal error occurred. The virtual machine deployment timed out. Check whether a GPO sets the PowerShell execution policy to AllSigned; if it does, either remove the GPO or reset the PowerShell execution policy to Unrestricted.
To see the effective execution policy for your PowerShell session, run Get-ExecutionPolicy with no parameters. You can find more details in Configure PowerShell Execution Policy With Intune.
Windows PowerShell Desired State Configuration (DSC) depends on WinRM. If WinRM isn't enabled or allowed by default, you can set up the default configuration for remote management with the command winrm quickconfig.
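The following read-only pre-check script is an added example, not part of the original post or of Windows 365 itself. It runs the checks the steps above describe (GPO-enforced execution policy scopes, WinRM, and outbound reachability) from an elevated PowerShell session on a test VM placed in the Cloud PC OU; the $RequiredEndpoints entries are placeholders to be filled from the Network Requirements for Windows 365 article.

```powershell
# Added example (not from the original post): read-only pre-checks for the
# "required DSC script cannot be accessed or run" ANC failure. Run elevated
# on a domain-joined test VM sitting in the OU used for Cloud PC provisioning.
# $RequiredEndpoints is a placeholder; fill it from Microsoft's
# "Network Requirements for Windows 365" list for your region.
$RequiredEndpoints = @(
    @{ Host = 'endpoint-from-network-requirements.example'; Port = 443 }  # placeholder
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Execution policy per scope. MachinePolicy and UserPolicy are set by GPO
#    and override every other scope, so AllSigned/Restricted there blocks the
#    unsigned DSC scripts regardless of what LocalMachine is set to.
foreach ($p in Get-ExecutionPolicy -List) {
    if ($p.Scope -in 'MachinePolicy','UserPolicy' -and
        $p.ExecutionPolicy -in 'AllSigned','Restricted') {
        $findings.Add("GPO-enforced execution policy $($p.ExecutionPolicy) in scope $($p.Scope)")
    }
}
$effective = Get-ExecutionPolicy
if ($effective -in 'AllSigned','Restricted') {
    $findings.Add("Effective execution policy is $effective (RemoteSigned expected)")
}

# 2. WinRM: the DSC Local Configuration Manager depends on it.
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if (-not $winrm -or $winrm.Status -ne 'Running') {
    $findings.Add('WinRM service not running (fix: winrm quickconfig)')
} else {
    try { $null = Test-WSMan -ErrorAction Stop }
    catch { $findings.Add("WinRM listener not answering: $($_.Exception.Message)") }
}

# 3. Outbound reachability of the service endpoints the vNet must allow.
foreach ($e in $RequiredEndpoints) {
    $ok = Test-NetConnection -ComputerName $e.Host -Port $e.Port `
          -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $ok) { $findings.Add("TCP $($e.Port) to $($e.Host) blocked or unresolved") }
}

# 4. Report. Retry the ANC health check only once this list is empty.
if ($findings.Count -eq 0) { 'All local pre-checks passed.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Of the two execution policies the post lists, RemoteSigned is the narrower one, so the script treats it as the expected value and only flags AllSigned and Restricted.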
Retry Azure Network Connection Health Check
After you have fixed the underlying issue, Retry the health check to rerun the tests. To retry the health check, you must have the Intune Administrator, Windows 365 Administrator, or Global Administrator role.
To manually trigger a full health check, in the Microsoft Intune admin center, select Devices > Windows 365 (under Provisioning) > Azure network connection > select an Azure network connection. Click on Retry.
After the Azure network connection was successfully retried, the connection checks completed successfully. The ANC status shown in the Azure network connection tab can also be one of the following:
- Running checks: The health checks are currently running. The ANC list view automatically refreshes every five minutes. Wait for the checks to complete before attempting to assign them to a provisioning policy.
- Checks successful: All health checks passed. The ANC is ready for use.