Merge pull request #9371 from MicrosoftDocs/main

Simonx Xu · web-flow · commit 03c660661b0e · 2025-07-18T02:08:18.000+08:00
Auto push to live 2025-07-17 18:08:10
diff --git a/support/azure/azure-storage/files/file-sync/file-sync-troubleshoot-managed-identities.md b/support/azure/azure-storage/files/file-sync/file-sync-troubleshoot-managed-identities.md
@@ -3,7 +3,7 @@ title: Troubleshoot Azure File Sync managed identity issues
 description: Troubleshoot common issues when your Azure File Sync deployment is configured to use managed identities.
 ms.service: azure-file-storage
 ms.topic: troubleshooting
-ms.date: 06/09/2025
+ms.date: 07/16/2025
 author: khdownie
 ms.author: kendownie
 ---
@@ -169,6 +169,25 @@ Set-AzStorageSyncServerEndpointPermission -ResourceGroupName <string> -StorageSy
 > [!NOTE]
 > The `-Name` parameter is the name of the server endpoint. It's a GUID, not the friendly name that's displayed in the Azure portal. To get the server endpoint name, run the [Get-AzStorageSyncServerEndpoint](/powershell/module/az.storagesync/get-azstoragesyncserverendpoint) cmdlet.
 
+
+### Sync Session fails with ECS_E_AUTH_IDENTITY_NOT_FOUND error
+
+The `ECS_E_AUTH_IDENTITY_NOT_FOUND` error occurs when the server's managed identity used to communicate with the Azure File Sync service has changed, but the Azure File Sync service is still expecting the previous identity. This can result in authentication failures.
+
+You can identify this issue by checking for **Event ID 9530** in the **Telemetry** event log within **Event Viewer**. This event indicates that the managed identity's `applicationId` has changed.
+
+Common scenarios that can trigger this issue include:
+- Azure Arc resource deletion and recreation
+- Toggling the system-assigned managed identity on an Azure VM off and then back on
+
+When the managed identity changes, the File Sync agent will attempt to use the new identity, but the Azure File Sync service is still configured to authorize the previous one. This mismatch causes requests to fail with the `ECS_E_AUTH_IDENTITY_NOT_FOUND` error.
+
+To resolve this issue, run the following PowerShell command:
+
+```powershell
+Set-AzStorageSyncServer -ResourceGroupName <ResourceGroupName> -StorageSyncServiceName <StorageSyncServiceName> -Identity
+```
+
 ### Test-NetworkConnectivity cmdlet fails with error 0x80190193 (HTTP_E_STATUS_FORBIDDEN)
 
 This issue occurs when the managed identity for the registered server doesn't have access to an Azure file share.
diff --git a/support/azure/azure-storage/files/file-sync/file-sync-troubleshoot.md b/support/azure/azure-storage/files/file-sync/file-sync-troubleshoot.md
@@ -4,7 +4,7 @@ description: Troubleshoot common issues that you might encounter with Azure File
 author: khdownie
 ms.service: azure-file-storage
 ms.topic: troubleshooting
-ms.date: 01/13/2025
+ms.date: 07/16/2025
 ms.author: kendownie
 ms.custom: sap:File Sync
 ---
@@ -89,7 +89,7 @@ To run AFSDiag, perform the steps below:
 
 ## Storage Sync Agent service (FileSyncSvc) fails to start
 
-After installing or upgrading the Azure File Sync agent (v17.3 or later), you may experience one of the following symptoms:
+After installing or upgrading the Azure File Sync agent (v18 or later), you might experience one of the following symptoms:
 
 - The Storage Sync Agent service (FileSyncSvc) fails to start with the following error: 
 
@@ -110,12 +110,33 @@ After installing or upgrading the Azure File Sync agent (v17.3 or later), you ma
   Exception occurred while configuring MitigationRedirection policy. This could indicate that required windows updates not installed on the computer.
   ```
 
-This issue occurs because the Azure File Sync agent has a dependency on a Windows security feature and updates for this security feature are not installed.
+These issues occur because the Azure File Sync agent has a dependency on a Windows security feature and updates for this security feature aren't installed.
 
 To resolve this issue, verify your Windows Server has the following updates installed:
-- Windows Server 2012 R2: [KB5021653](https://support.microsoft.com/topic/kb5021653-out-of-band-update-for-windows-server-2012-r2-november-17-2022-8e6ec2e9-6373-46d7-95bc-852f992fd1ff)
-- Windows Server 2016: [KB5040562](https://support.microsoft.com/topic/kb5040562-servicing-stack-update-for-windows-10-version-1607-and-server-2016-july-9-2024-281c97b9-c566-417e-8406-a84efd30f70c)
-- Windows Server 2019: [KB5005112](https://support.microsoft.com/topic/kb5005112-servicing-stack-update-for-windows-10-version-1809-august-10-2021-df6a9e0d-8012-41f4-ae74-b79f1c1940b2) and [KB5040430](https://support.microsoft.com/topic/july-9-2024-kb5040430-os-build-17763-6054-0bb10c24-db8c-47eb-8fa9-9ebc06afa4e7)
+- Windows Server 2016 [Microsoft Update Catalog](https://catalog.update.microsoft.com/Search.aspx?q=cumulative%20windows%20server%202016) (latest cumulative update)
+- Windows Server 2019 [Microsoft Update Catalog](https://catalog.update.microsoft.com/Search.aspx?q=cumulative%20windows%20server%202019) (latest cumulative update)
+  - Cumulative updates are released monthly. To deploy the latest update, users can either use Windows Update or manually download it from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). If installing manually, users should review the associated KB article to ensure all prerequisites are met.​ ​​If the Windows Updates aren't installed prior to installing the Azure File Sync agent, the Storage Sync Agent service (FileSyncSvc) will fail to start.
+    
+## Auto Update not upgrading ‘to be expired’ or expired Azure File Sync Agent
+
+If Auto Update isn't upgrading your ‘to be expired’ or expired Azure File Sync agent, check if the agent expiration information is properly applied to the server. The expiration metadata is required for Auto Update to function as expected.
+
+To verify whether the `AgentExpirationDate` is set, run the following command from an elevated PowerShell session:
+
+```powershell
+Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"
+Get-StorageSyncServer
+```
+If the `AgentExpirationDate` value isn't set or is empty, there might be a networking issue preventing the server from receiving expiration data. To test network connectivity, run the following command:
+
+```powershell
+Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"
+Test-StorageSyncNetworkConnectivity
+```
+If network connectivity issues are reported, you can manually update the agent by downloading it from the [Microsoft Update Catalog](https://catalog.update.microsoft.com/Search.aspx?q=azure%20file%20sync).
+After downloading the appropriate agent version, refer to the specific **Knowledge Base** article listed in the catalog for step-by-step installation instructions.
+
+If connectivity issues aren't found and the `AgentExpirationDate` is still not set, contact Azure File Sync support for further assistance.
 
 ## High memory usage on the server
 
