AVD disconnects SSL_ERR_HANDSHAKE_FAILED (519)

Hi Bobby,

Thanks for the detailed post this is definitely a frustrating one to track down since SSL_ERR_HANDSHAKE_FAILED (519) can come from a few different places. Given you're running Dell ThinOS 10 2511 with AVD package 3.3.384, let me walk you through the most likely culprits and what to check.

What's Actually Happening

Error 519 is a TLS handshake failure meaning the thin client and the AVD gateway couldn't agree on or complete a secure connection. This can be intermittent (which matches your "occasionally" description) and usually points to one of these three causes:

1. SSL/TLS Inspection Interfering with AVD Traffic

This is the #1 cause of intermittent SSL handshake failures with AVD in enterprise environments. If you have a firewall, proxy, Zscaler, or any network security appliance doing TLS/SSL deep packet inspection (DPI) on AVD traffic, it will break the connection — not always, but enough to be noticeable.

Microsoft's official guidance is explicit on this:

"Don't use TLS inspection. In Azure Virtual Desktop, traffic is encrypted in transit by default."

https://learn.microsoft.com/en-us/azure/virtual-desktop/proxy-server-support

https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop

Action: Check with your network team whether AVD endpoints are being SSL-inspected. If so, add a bypass rule for all required AVD FQDNs:

https://learn.microsoft.com/en-us/azure/virtual-desktop/required-fqdn-endpoint?tabs=azure

2. Outdated or Missing Root CA Certificates on the ThinOS Device

AVD gateways use Microsoft-issued certificates. If the thin client doesn't have the right Root CA or Intermediate CA certificates in its trust store, the handshake fails intermittently (especially after a cert rotation). This is a known pain point with thin clients.

ThinOS 10 2511 actually introduced built-in support for managing SSL certificates via Wyse Management Suite:

"From ThinOS 10.x 2511, it supports installing SSL certificates in the browser. Uploaded certificates are recognized by supported browsers, eliminating trust errors."

Action: Use WMS to push the DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 to your devices. You can export these from any Windows machine that connects successfully to AVD.

https://www.dell.com/support/manuals/en-in/manuals/wyse-thinos-maintenance/thinos_10.x_rn

3. ThinOS/AVD Package Version — Known Session Crash Issues

Dell has had a history of AVD client bugs on ThinOS causing session disconnects. While the 3.3.384 package (shipped with ThinOS 10 2511) is the latest, it's worth confirming you're fully up to date, as patches can be released mid-cycle:

"On 11/13/2025 both the T9 and T10 updates to the Microsoft AVD Package were posted on support addressing: Fixed the issue where the AVD session stops responding and crashes after you sign in."

https://www.dell.com/community/en/conversations/wyse-thinos/connection-issue-with-thinos-connecting-to-avd/69020a090227ab24c372e6d8

Action: Log a case with Dell Support referencing your ThinOS version and the SSL_ERR_HANDSHAKE_FAILED (519) error. They can confirm whether a patch is in flight for your specific build. In parallel, pull ThinOS logs via WMS (Troubleshooting > Request Log File) and look in:

for disconnect codes and timing around the SSL failure.

Recommended Checklist

• Verify that AVD FQDNs are excluded from SSL/TLS inspection at the firewall/proxy level
• Confirm the thin clients have valid and up-to-date Root CA certificates via WMS
• Check if the issue only happens on certain network paths (e.g., wired vs. Wi-Fi, on-site vs. remote)
• Test from a Windows PC on the same network — if Windows works fine, the issue is client-side on ThinOS
• Review ThinOS wlogd logs for the exact disconnect code alongside the 519 error

Thanks,

Manish.

Hello @Bobby Gross

I wanted to check if my last answer made sense. I would be happy to provide further assistance or explain anything in more detail and please accept as Yes and vote positively if the answer is helpful, so you can help others in the community.