Friday, 24 April 2020

Windows Virtual Desktop - AD join account requirements

It took me a while to figure out why my customer deployment of a WVD host pool would not work. Everything looked normal to me. The problem was that the VMs could be created but could not be joined to the domain (remember all Windows Virtual Desktops must be domain joined). Eventually I tracked down the problem to the domain-join account. This made me look more closely at the requirements for this account, so here we go.

What is the WVD domain-join account? 

This account has to be entered during the provisioning of a WVD host pool.

One of the required items is the AD domain join UPN. This is the account that will be used to join the VMs to your on-premises Active Directory. If you look at the tooltip you will see the following text:

"UPN of an Active Directory user that has permissions and will be used to join the virtual machines to your domain. For example, A local user account with this name will be created on each virtual machine. Do not enter a user who has MFA enabled. See for invalid usernames".

There are a few takeways here.
  • the account must have permissions to join AD (this is obvious)
  • a local account is actually created on each VM
  • the account cannot be MFA enabled
  • take note of the URL for invalid usernames (see next section)

Requirement #1: MFA cannot be enabled on the WVD AD join account. 

(tip: you should create a service account for this).

Invalid usernames

The official WVD docs don't tell us much about the requirements for this account.

"Enter the user principal name and password. This account must be the domain account that will join the virtual machines to the Active Directory domain. This same username and password will be created on the virtual machines as a local account. You can reset these local accounts later".

However there are some specific requirements around invalid usernames, which are actually enforced by Azure (this was my problem). You can find them in the Azure VMs FAQ docs 

These are the blacklisted usernames. There are a number of popular contenders in there.

Requirement #2: the username cannot be one of the blacklisted usernames.


You will find the password requirements in the same doc

Requirement #3: in general the password must be complex with a minimum of 12 characters.

I hope this helps you when implementing WVD. Until next time.....

No comments:

Post a comment