Forum Discussion
Outlook login issues with WVD - FSLogix
- Nov 22, 2019
DAsnow this scenario isn't ringing a bell in terms of a common scenario, probably best to contact support on this.
Tom_A_MSFT
The command to register the AAD Broker plugin works but does not persist after logoff/logon. Additionally, all new profiles need this command to be run. We have implemented a login script that runs the AAD Broker plugin registration command, which is keeping Modern Auth working for all users at this point, but we cannot seem to get to the root cause. We have engaged Microsoft support and our partner resources but the issue doesn't seem to be able to be replicated with a standard gallery image.
I'm suspicious of FSLogix. I'm going to test disabling FSLogix and see if local profiles do not have the issue. However, we've simply set everything up per MS documentation on our Win 10 multi-session image, installed Office in shared activation mode per the WVD documentation, then snapshot, sysprep, and re-deployed using the WVD deployment template and our custom/sysprep image. We've also gone back to the bare basics in terms of the FSLogix GPO after tinkering with various settings.
I will update this thread as we learn more but any new information would certainly be appreciated. I'll just state the obvious here but turning off modern authentication through the registry is not an option for our MFA enabled accounts.
I've also found a past issue where FSLogix was having issues with Edge and the solution was to register the appx package for Edge.
Article on FSLogix forum here:
https://social.msdn.microsoft.com/Forums/windowsserver/en-US/d18184fe-a703-44e8-a4d3-f824ed10eeb6/edge-disappears-after-november-2019-updates?forum=FSLogix#3ae4fa02-dba2-4790-9655-d81efeef52f3
I'm not sure if anyone else has noticed additional appx package issues. We also see a black screen at login for users due to app readiness service. We are also seeing failures for some of these additional appx packages (which can be temporarily fixed by registering again in PowerShell).
Faulting application path:
ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe
microsoft.windowscommunicationsapps_16005.11029.20108.0_x64__8wekyb3d8bbwe
Microsoft.WindowsStore_11811.1001.18.0_x64__8wekyb3d8bbwe
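The logon-script workaround described in the post above, sketched as an added example; it is not the poster's actual script. It checks whether the AAD Broker plugin is registered for the user who is logging on, re-registers it only when it is missing, and records which host and user needed the repair, so the pattern can be handed to support. The manifest path (the default SystemApps location) and the log file name are assumptions.

```powershell
# Added example, not from the thread: logon-time check of the AAD Broker plugin.
$PackageName = 'Microsoft.AAD.BrokerPlugin'

# Assumption: default location of the plugin manifest on a Windows 10 image.
$Manifest = Join-Path $env:windir `
    'SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml'

# Assumption: hypothetical log file. Inside an FSLogix container it roams with
# the profile, so one file shows every host where the registration was missing.
$LogFile = Join-Path $env:LOCALAPPDATA 'AadBrokerCheck.log'

function Write-CheckLog {
    param([string]$Message)
    $line = '{0:u} host={1} user={2}\{3} {4}' -f (Get-Date), $env:COMPUTERNAME,
        $env:USERDOMAIN, $env:USERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

# Get-AppxPackage without -AllUsers reports registrations for the current user only.
$pkg = Get-AppxPackage -Name $PackageName

if ($pkg) {
    Write-CheckLog "registered version=$($pkg.Version)"
}
elseif (-not (Test-Path -Path $Manifest)) {
    # The package is missing from the image itself; registration cannot fix that.
    Write-CheckLog "NOT registered and manifest not found at $Manifest"
}
else {
    try {
        Add-AppxPackage -Register $Manifest -DisableDevelopmentMode `
            -ForceApplicationShutdown -ErrorAction Stop
        Write-CheckLog 'NOT registered at logon; re-registered from manifest'
    }
    catch {
        Write-CheckLog "NOT registered; re-registration failed: $($_.Exception.Message)"
    }
}
```

Comparing the "NOT registered" entries against first logons on a new session host versus logons with an existing profile container helps narrow down when the registration is lost.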
Deanbostedor I'm having the exact issue you described and also believe it's an FSLogix problem. Have you made any progress troubleshooting? I've gone through the same steps you described.
I can easily reproduce the issue when using the FSLogix profile service and logging in to the brokered WVD service with the Remote Desktop app, but if I log in to the WVD hosts directly using MSTSC, and get a local profile, the issue cannot be reproduced.
- Deanbostedor, Mar 26, 2020, Brass Contributor
Rob Blankers - Quick question -
Are you using Azure Active Directory Domain Services?
I've found that when the users first launch Outlook or OneDrive, they are prompted to register the device (this is by default). When they do this, the Windows 10 session host is workplace joined/Registered to them in Azure AD. However, when they move to new hosts they are never asked to register the new Windows 10 session host. It appears that after a length of time, they need to authenticate while being on the original host that they workplace joined or they start receiving the "need password". If I put the other hosts in drain mode and log them in, they can authenticate again.
Could you try this and let me know if you see the same behavior?
- Rob Blankers, Mar 26, 2020, Brass Contributor
We're not using AADDS. Premises-based AD with AD Connect syncing the entire tenant, using password hash. I also have a Sev B ticket open on this. It was opened as Sev A and I spent all night (literally) on the phone with O365 and FSLogix teams yesterday. First they suggested that we 'split' the profile into Windows profile and O365 profile containers. That didn't make any difference and I was able to confirm by signing in/out of a WVD session 5 or 6 times until it broke again.
Then we modified our FSLogix GPO to enable "Use Shared Computer Activation"
--Computer Config\Admin Templates\Microsoft Office 2016 (Machine)/Licensing Settings\Use shared computer activation = Enabled--
So far this appears to work but like you said, could take days to validate. Also, for about 10% of our users when they logged in to WVD after this change, they were presented a screen that said 'Signing Out' which never went away. Had a fairly tough time killing their sessions, in some cases requiring a host restart. We moved them to a different host pool to resolve without impacting active sessions on their host. Not sure, but these users may have had disconnected sessions already and one of our changes really sent them into a death spiral.
Still have our case open at Sev B and I won't be closing it for at least a week. Hope we get this figured out soon, with my entire workforce going remote in a really short time, it's been a difficult time to manage IT Infrastructure!! Love the WVD service though, really a lifesaver for us right now.
- FinTechSean, Mar 31, 2020, Brass Contributor
Rob Blankers Have you seen any need password issues since making that GPO change?
"Use Shared Computer Activation"
--Computer Config\Admin Templates\Microsoft Office 2016 (Machine)/Licensing Settings\Use shared computer activation = Enabled--
- FinTechSean, Mar 26, 2020, Brass Contributor
Yup, still having same problem here. The sign out/sign in with a different account thing I posted above usually solves it. However, that doesn’t seem very scalable 🙂
- Deanbostedor, Mar 26, 2020, Brass Contributor
Rob Blankers - We currently have a Sev B ticket open and the FSLogix team is looking into it.
We rebuilt the entire host pool using a method given to us directly from a WVD Architect. We configured a new profile UNC path and the issue is back 3-4 days later. We went from 60+ registered Appx packages to maybe a dozen or more. The strange thing now is that the Azure AD Broker plugin is registered but we're seeing the following Azure AD Broker error in the event viewer (see screenshot):
Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -2147024893 (0x80070003), Description: The system cannot find the path specified.The system cannot find the path specified.
Logged at webaccountprocessor.cpp, line: 593, method: AAD::Core::WebAccountProcessor::ReportOperationError.