The Case of the Missing PowerBI Credentials

I migrated a user from AWS Workspaces to AVD to improve performance on PowerBI queries. The migration did indeed significantly increase performance, but it also introduced an odd issue: when opening the PowerBI Desktop file, the Snowflake credentials stored in the file “could not be decrypted.” Every. Time. This behavior was not seen on AWS.

Most Googling on this topic talked about clearing caches and re-entering credentials, but none of that worked. There was also an interesting consistency to the issue. It would happen the first time it was opened after a login, every time, but subsequent opens in the same AVD session would work correctly. I started to focus on what was different between AWS and AVD:

  • Client OS – Windows 11 vs. Windows Server with Desktop Experience
  • FSLogix profile containers
  • Domain join (AWS) vs Entra join (AVD)
  • Access protocol (PCoIP vs AVD)

I also zoomed in on the error being that the credentials “could not be decrypted,” which implied to me there was some sort of data corruption or missing private key. Data missing from a profile and prior experience with the technology made me point to FSLogix. More research indicated that PowerBI credentials are encrypted using the Data Protection API (DPAPI), which I had never heard of. Googling that technology pointed me to a policy setting I had never seen mentioned in another article: LoadAadCredKeyFromProfile from the RemoteDesktop CSP. This policy setting is required if you are using FSLogix with Entra-joined VMs. It allows the loading of DPAPI keys from the profile. I created an Intune configuration profile and pointed it to a dynamic device group with my AVD session hosts in it. Problem solved.
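
To confirm the setting actually landed on a session host and that DPAPI data survives a new login, a check like the following can be run inside the user's AVD session. It is an added example, not from the original post; the registry location, the OMA-URI in the comments, and the canary file name are assumptions to verify against Microsoft's current documentation.

```powershell
# Added example for Windows PowerShell 5.1, run as the affected user on the session host.
# Assumption: the CSP setting
#   ./Device/Vendor/MSFT/Policy/Config/RemoteDesktop/LoadAadCredKeyFromProfile
# is backed by the registry value below (as described in Microsoft's FSLogix guidance).
Add-Type -AssemblyName System.Security

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
$policyName = 'LoadCredKeyFromProfile'
# Hypothetical canary file; it lives in the profile so it roams with the FSLogix container.
$canaryPath = Join-Path $env:LOCALAPPDATA 'dpapi-canary.bin'
$scope      = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Test-CredKeyPolicy {
    # Reports whether the policy value is present and set to 1 on this host.
    $value = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Policy = $policyName; Value = $value; Enabled = ($value -eq 1) }
}

function Test-DpapiCanary {
    # Step 1: try to decrypt the blob written by the previous run (ideally a previous login).
    if (Test-Path $canaryPath) {
        try {
            $blob   = [System.IO.File]::ReadAllBytes($canaryPath)
            $plain  = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
            $result = 'OK: decrypted canary written ' + [System.Text.Encoding]::UTF8.GetString($plain)
        } catch {
            # Same class of failure as the "could not be decrypted" error: the blob is
            # intact, but the key needed to unprotect it was not available.
            $result = 'FAIL: canary from earlier run could not be decrypted: ' + $_.Exception.Message
        }
    } else {
        $result = 'No canary found; writing one. Sign out, sign in again, and re-run.'
    }

    # Step 2: write a fresh canary for the next login to test against.
    $stamp = [System.Text.Encoding]::UTF8.GetBytes((Get-Date -Format o) + " on $env:COMPUTERNAME")
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($stamp, $null, $scope)
    [System.IO.File]::WriteAllBytes($canaryPath, $blob)
    $result
}

Test-CredKeyPolicy
Test-DpapiCanary
```

Run it once, sign out, sign back in (ideally landing on a different session host), and run it again as the first thing in the new session.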
