question

AntonioVergine-3665 avatar image
0 Votes"
AntonioVergine-3665 asked AntonioVergine-3665 edited

Error adding hosts to pool (Microsoft.Powershell.DSC fails)

Adding a host to an existing pool or creating a pool and hosts from scratch, as I always did, today gives me an error:

193202-image.png



The error detail says:

 {
     "status": "Failed",
     "error": {
         "code": "VMExtensionProvisioningError",
         "message": "VM has reported a failure when processing extension 'Microsoft.PowerShell.DSC'. Error message: “DSC Configuration 'AddSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource  failed to execute Set-TargetResource functionality with error message: Some error occurred in DSC ExecuteRdAgentInstallClient SetScript:
     
 Exception             : System.InvalidOperationException: This command cannot be run due to the error: Access is denied.
                            at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
 TargetObject          : 
 CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
 FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
 ErrorDetails          : 
 InvocationInfo        : System.Management.Automation.InvocationInfo
 ScriptStackTrace      : at RunMsiWithRetry, C:\Packages\Plugins\Microsoft.Powershell.DSC\2.83.2.0\DSCWork\Configuration_03-30-2022.0\Functions.ps1: line 391
                         at InstallRDAgents, C:\Packages\Plugins\Microsoft.Powershell.DSC\2.83.2.0\DSCWork\Configuration_03-30-2022.0\Functions.ps1: line 478
                         at <ScriptBlock>, C:\Packages\Plugins\Microsoft.Powershell.DSC\2.83.2.0\DSCWork\Configuration_03-30-2022.0\Script-SetupSessionHost.ps1: line 57
                         at <ScriptBlock>, <No file>: line 15
                         at ScriptExecutionHelper, C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DscResources\MSFT_ScriptResource\MSFT_ScriptResource.psm1: line 317
                         at Set-TargetResource, C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DscResources\MSFT_ScriptResource\MSFT_ScriptResource.psm1: line 153
 PipelineIterationInfo : {}
 PSMessageDetails      : 
   The SendConfigurationApply function did not succeed.”
    
 More information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot "
     }
 }


What can i do?

azure-virtual-desktop
image.png (39.2 KiB)
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

AntonioVergine-3665 avatar image
0 Votes"
AntonioVergine-3665 answered AntonioVergine-3665 edited

I found the source of the problem. It was due to an "Attack Surface Reduction" Group Policy we added recently in our on-premises AD.
I suspect it blocks some configuration powershell that the VM needs in order to connect to the host pool, because the failing error is related to the powershell Script-SetupSessionHost.ps1 on the newly created VM.

The ASR rule was suggested by Microsoft on their site security.microsoft.com and it is one of the following (we have to check the exact one):

198743-image.png

When we disable the group policy, we don't get the error. When we enable back the policy, we get the error again.


image.png (37.1 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.