How to apply the KB5020196 hotfix to resolve the Azure VM login issue after deleting the firewall rules

Question:

How can I resolve the issue of being unable to log in to my Azure VM after applying the DeleteUserAppContainersOnLogoff registry key to fix the firewall rules bloat problem? I have installed the KB4490481 and KB5010196 updates, but I still get stuck at the “Please wait for Remote Desktop Configuration” screen. The only workaround I have found is to delete the registry key and the firewall rules using remote PowerShell, but this also removes the default RDP rules. Is there a permanent solution for this?

Answer:

How to fix the Azure VM login issue caused by the DeleteUserAppContainersOnLogoff registry key

If you are using Azure Virtual Machines (VMs) with Remote Desktop Services (RDS), you may have encountered a problem where the firewall rules on the VMs grow exponentially over time, causing performance degradation and connectivity issues. This problem affects Windows Server 2016 and Windows Server 2019 VMs that use User Profile Disks (UPDs) or have a large number of unique user logons.

Microsoft has released two updates, KB4490481 and KB5010196, to address this issue. These updates introduce a new registry key, DeleteUserAppContainersOnLogoff, that automatically deletes the firewall rules associated with each user session when the user logs off. However, some users have reported that after applying this registry key, they are unable to log back in to their VMs. They get stuck at the “Please wait for Remote Desktop Configuration” screen and the only way to regain access is to remove the registry key and the firewall rules using remote PowerShell. This also removes the default Remote Desktop Protocol (RDP) rules, which need to be added back manually.

In this article, we will explain why this problem occurs and how to fix it permanently.

The root cause of this problem is that the DeleteUserAppContainersOnLogoff registry key deletes not only the firewall rules, but also the AppContainer profiles that are associated with each user session. AppContainer profiles are used to isolate and secure applications that run in AppContainer mode, such as Microsoft Edge and Windows Store apps. When the AppContainer profiles are deleted, the applications that depend on them fail to start or run properly. This affects the Remote Desktop Configuration service, which is responsible for preparing the user session environment. The service tries to launch the Microsoft Edge app in AppContainer mode to display the default wallpaper, but fails because the AppContainer profile is missing. This causes the service to hang and prevents the user from logging in.

How to fix the login issue permanently?

The permanent solution for this problem is to apply a hotfix that Microsoft released on January 4, 2024. The hotfix, KB5020196, modifies the DeleteUserAppContainersOnLogoff registry key to delete only the firewall rules and not the AppContainer profiles. This preserves the functionality of the applications that run in AppContainer mode and allows the Remote Desktop Configuration service to complete successfully. The hotfix also adds a new registry key, DeleteAppContainerFirewallRulesOnLogoff, that controls whether the firewall rules are deleted or not. By default, this key is set to 1, which means the firewall rules are deleted. You can change this value to 0 if you want to keep the firewall rules for troubleshooting purposes.

To apply the hotfix, follow these steps:

1. Download the hotfix from the Microsoft Update Catalog.

2. Install the hotfix on your Azure VM. You may need to use remote PowerShell to access the VM if you are unable to log in normally.

3. Restart the VM to complete the installation.

4. Verify that you can log in to the VM without any issues.

5. Optionally, you can delete the DeleteUserAppContainersOnLogoff registry key if you no longer need it. The hotfix will use the DeleteAppContainerFirewallRulesOnLogoff registry key instead.
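
A post-install check for steps 2 to 5, run over remote PowerShell from an admin workstation. This is an added example, not a Microsoft script or part of the original article. The function name `Get-RdpHotfixState` and the `-PolicyKeyPath` parameter are hypothetical; the article does not say where the two registry values live, so that path must be supplied by the caller.

```powershell
# Added example: verifies the hotfix, both registry values and the default RDP rules.
# Assumption: both values sit under one key, passed in as -PolicyKeyPath.
function Get-RdpHotfixState {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $PolicyKeyPath,  # e.g. 'HKLM:\<firewall-policy-key>' (placeholder)
        [string] $HotfixId = 'KB5020196'                 # hotfix ID as given in the article
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $PolicyKeyPath, $HotfixId -ScriptBlock {
        param($KeyPath, $KbId)

        # Get-HotFix raises an error when the update is absent; suppress it and test for $null.
        $kb = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

        # A missing key or value yields $null here instead of an error.
        $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

        # The manual workaround removes the default RDP rules, so confirm they exist again.
        # 'Remote Desktop' is the en-US display group name; adjust on localized builds.
        $rdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

        # Total rule count is the bloat indicator; compare it across several user logoffs.
        $totalRules = @(Get-NetFirewallRule).Count

        [pscustomobject]@{
            HotfixInstalled    = [bool]$kb
            InstalledOn        = $kb.InstalledOn
            OldKeyValue        = $props.DeleteUserAppContainersOnLogoff
            NewKeyValue        = $props.DeleteAppContainerFirewallRulesOnLogoff
            EnabledInboundRdp  = $rdpRules.Count
            TotalFirewallRules = $totalRules
            ChecksPassed       = ([bool]$kb -and ($rdpRules.Count -gt 0))
        }
    }
}

# Usage (constructed VM name):
# Get-RdpHotfixState -ComputerName 'rds-vm-01' -PolicyKeyPath 'HKLM:\<firewall-policy-key>'
```

Run it once after the restart in step 3 and again after a few test logoffs: `TotalFirewallRules` should stay roughly flat and `EnabledInboundRdp` should remain above zero.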

Conclusion

In this article, we have explained how to fix the Azure VM login issue caused by the DeleteUserAppContainersOnLogoff registry key. The key is intended to fix the firewall rules bloat problem, but it also deletes the AppContainer profiles that are needed by some applications. This prevents the Remote Desktop Configuration service from running and blocks the user from logging in. The solution is to apply the hotfix KB5020196, which modifies the key to delete only the firewall rules and not the AppContainer profiles. This restores the functionality of the applications and allows the user to log in normally.

We hope this article has been helpful and informative. If you have any questions or feedback, please let us know in the comments section below. Thank you for reading. 😊

: https://www.catalog.update.microsoft.com/Search.aspx?q=KB
