Share via

Users unable to connect to AVD via Windows App

MichaelB-2136 250 Reputation points
2026-04-13T14:28:02.1333333+00:00

I've had two users affected in the last few days, one kicked off mid work day just now

Error code:0x3000008

Extended error code:0x0

When using the web portal it lets them sign in and connect but we need them using Windows app for functionality.

There are no new conditional access policies that could be preventing access, usually works ok.

Entra Sign in logs show: Sign-in error code 500121

UPDATE - The user kicked out mid session managed to reconnect 10 mins later, but original user still affected..

Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ankit Yadav 14,005 Reputation points Microsoft External Staff Moderator
    2026-04-13T16:30:48.32+00:00

    Hello MichaelB,

    Error 0x3000008 in the Windows App indicates a client‑side connection or session establishment failure, but it is not considered as a specific known service incident or platform bug. The fact that users can sign in and connect successfully through the web client suggests that core Azure Virtual Desktop resources are reachable and that authentication itself is generally working as expected.

    A few important clarifications and supported troubleshooting areas to consider:

    • Conditional Access and sign‑in evaluation: Conditional Access is evaluated differently depending on the client type. While the Windows App and web client both authenticate through Microsoft Entra ID, they may present different client signals during policy evaluation.
    • If Entra ID sign‑in logs show Conditional Access being evaluated or applied during Windows App sign‑in attempts, those results should be reviewed carefully. Any policy changes should be based solely on observed sign‑in evaluation results rather than assumed causes.
    • Windows App behavior and client health: Outdated or corrupted Windows App installations can lead to intermittent connectivity or feed-related issues. Ensuring the Windows App is fully up to date, resetting app data, and re‑adding the AVD workspace are all supported remediation steps. Uninstalling older Remote Desktop clients before reinstalling the Windows App is also consistent with Microsoft guidance.
    • Network and endpoint validation: Microsoft explicitly requires that all Azure Virtual Desktop endpoints and FQDNs are reachable from client networks. Differences between browsers and the Windows App can expose network, proxy, or SSL inspection issues that may not appear when testing via the web client. These checks are particularly relevant when behavior is intermittent or user‑specific.
    • Transient reconnection behavior: Users may occasionally be able to reconnect successfully without changes due to transient connectivity or service routing conditions. This behavior alone does not indicate a confirmed service incident. However, repeated or persistent failures for the same user warrant deeper client‑side and network review.

    Next steps if the issue persists

    • If the problem continues for a specific user
    • Verify Windows App version consistency across affected and unaffected users.
    • Review Entra ID sign‑in logs for Conditional Access evaluation differences specific to the Windows App.
    • Confirm required Azure Virtual Desktop endpoints are reachable without modification or inspection.

    References:

    0 comments
  2. Chen Tran 9,575 Reputation points Independent Advisor
    2026-04-13T16:01:17.57+00:00

    Hello MichealB,

    Thank you for posting question on Microsoft Windows Forum!

    Based on the issue description as well as the provided error code 0x3000008 in the AVD Windows App which might indicate an intermittent connection/authentication failure during the secure session handshake (SSL/TLS or credential verification). The fact of the matter is that one user reconnected after 10 minutes suggests transient service or network instability.

    The suggestion here is to update the AVD Windows App to make sure that users are running the latest version of the AVD client. Older builds are more prone to handshake failures.

    Also, since you mentioned one user is still affected while another recovered, there is likely a corrupted local token or workspace cache. You can consider to reset the Windows App or clear cached credentials by having the affected user Unsubscribe from the workspace and then re-add it. This forces a fresh fetch of the .rdp file parameters from the Gateway. For more information https://learn.microsoft.com/en-us/windows-app/troubleshoot-basic?tabs=windows

    Another point worth mentioning here is to check if a Sign-in frequency policy is being triggered. The Windows App handles re-authentication differently than the browser. If the app's refresh token has expired or is being "silently" blocked, it can cause a mid-session drop. You can check the Microsoft Entra sign-in logs specifically for the "Windows App" client ID. Looking for "Interrupted" or "UserActionRequired" statuses. Asking the "still affected" user to try connecting from a different network (like a mobile hotspot). If it works, it might be a local UDP/Firewall issue. If it still fails, it is probably a local client cache or Entra ID registration issue on that specific machine.

    You can consult the following articles for more information regarding your concerns.

    Hope the above information is helpful! If it is. Free feel to hit "Accepted" for benefitting others in community having the same issue too.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.