Forum Discussion
Outlook login issues with WVD - FSLogix
- Nov 22, 2019
DAsnow this scenario isn't ringing a bell in terms of a common scenario, probably best to contact support on this.
 
But is this solved?
I almost have the same issue. All machines are hybrid joined but we use ADFS on-premise for authentication with MFA.
The user logs on the first time, gets the popup and saves the password. After logout, when the session is logged out and not disconnected, the user logs back in and gets a corrupted OST or gets the logon popup again.
Is there a doc to solve the problem? We want to go live. This can be a show stopper for WVD, with those corrupted OSTs and the Outlook logon popup appearing continuously.
PieterWigleven
FinTechSean
DAsnow
benjamink9
Just got confirmation directly from our Microsoft Partner Technology Strategist and Sr. Cloud Solution Architect, in collaboration with the FS Logix, WVD, and Office teams. This IS an issue. It's being called a "defect" in Office where it's registering session hosts to Azure AD. When users get moved to other hosts, the token breaks because it contains the deviceID of the first registered session host in the FS Logix profile.
The workaround/fix is to:
A: Implement Hybrid Azure AD join/Seamless SSO and BLOCK device registration through registry settings for Hybrid AD environments (I have registry settings above).
B: For Azure ADDS environments, block device registration in the registry (no option for Hybrid Azure AD Join/Seamless SSO at the moment). A login script may be required if the Azure AD Broker plugin stops working (see my posts much earlier in the thread).
Engineering is working on a fix on the Office/OneDrive side of things. In the meantime, you must implement the fix and recreate all FSLogix profiles.
- Christian_Pedersen, Apr 28, 2020, Brass Contributor
Is it really required to recreate the FSLogix profiles?
They are QUITE big and it's a huge penalty when it syncs OL profiles etc. And people lose their settings. Can't I somehow fix/remove the defect via a script and just re-login the user?
I have implemented the BlockAADWorkplaceJoin in the registry.
- brbundy85, Oct 12, 2021, Copper Contributor
No, for each profile, do a 'dsregcmd /status'. If it says "Workplace joined: Yes", run WPJCleanUp in the user's session. That'll quit the session from Azure AD. Then all you have to do is disconnect from Teams, and sign back into Teams and Outlook.
 - PieterWigleven, Apr 28, 2020, Former Employee
Christian_Pedersen Let me investigate options to manually remove and get back to this thread.
- PieterWigleven, Apr 28, 2020, Former Employee
Christian Pedersen The only supported way is by having an end-user go into "Settings/Accounts/Access work or school" and remove the entry created. We don't have a script that allows automation.
 
 
 - carliv, Apr 08, 2020, Copper Contributor
This is very interesting, I'm in the same situation with Outlook sign-in issues on a new RDS platform with 2019 and the latest 365 Office suite. It works for a while, but suddenly some users can't log in to Outlook, and Event Viewer has a lot of aadtokenbrokerplugin errors on the RDS host where users are logged on.
We don't use seamless SSO/adsync or ADFS because there are users from many different 365 tenants. Open case with MS Support, but for now they are just messing around with the wrong things.
- Tom_A_MSFT, Apr 16, 2020, Microsoft
carliv if you are getting AADBroker plug in errors in the event viewer can you try a couple things to help identify the issue?
1. From PowerShell check if AADBroker plug in is registered by running this command, note this is a per user install so you will need to have user experiencing this issue try this:
Get-AppxPackage Microsoft.AAD.BrokerPlugin
2. If it returns no output, issue is the AADBroker plug in isn't registered. Now see if you can force registration, again from user session:
Add-AppxPackage -Register "C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown
3. I suspect when you run the second command it may hang and never progress past "Initializing"
4. If #3 is true, then the AppXSvc is having an issue. To resolve you'll need to do the following as admin on the VM experiencing the issue:
- Go to TaskManager>Services, find AppxSvc, note processID
 - Rt. Click AppxSvc> Go to Details>End Task
 - Once AppxSvc is in stopped state, again from TaskManager>Services>AppxSvc Rt.Click>Start
 
5. Now have user run the registration command again:
Add-AppxPackage -Register "C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown
If it succeeds we know the AppxSvc was blocking. This should at least work around the issue. Let me know if this works and the OS version of the VM you are experiencing the issue on.
 - Deanbostedor, Apr 08, 2020, Brass Contributor
Also, once you implement these, you have to delete all of the user profiles as there is no way in the multi-session Windows to "un-workplace join". Fun stuff, eh?
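Added example (not part of any post in this thread, and not Microsoft's code): Tom_A_MSFT's steps 1 to 5 above as a single PowerShell function that registers the broker plugin only when it is missing and reports a stalled registration instead of hanging. The function name, the status strings and the 120-second timeout are assumptions; the package name and manifest path are the ones quoted in the thread.

```powershell
# Added example: run in the affected user's session (the package is registered per user).
$PackageName = 'Microsoft.AAD.BrokerPlugin'
$Manifest    = 'C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml'
$TimeoutSec  = 120   # assumption: wait this long before treating registration as hung

function Repair-BrokerPluginRegistration {   # hypothetical name
    param(
        [string]$Name         = $PackageName,
        [string]$ManifestPath = $Manifest,
        [int]$Timeout         = $TimeoutSec
    )

    # Step 1: if the package is already registered for this user, change nothing.
    if (Get-AppxPackage -Name $Name) { return 'AlreadyRegistered' }
    if (-not (Test-Path -LiteralPath $ManifestPath)) { return 'ManifestMissing' }

    # Steps 2-3: register in a background job so a stalled AppXSvc cannot block the logon.
    $job = Start-Job -ScriptBlock {
        Add-AppxPackage -Register $using:ManifestPath -DisableDevelopmentMode `
            -ForceApplicationShutdown -ErrorAction Stop
    }
    try {
        if (-not (Wait-Job -Job $job -Timeout $Timeout)) {
            Stop-Job -Job $job
            return 'TimedOut'   # an admin restarts AppXSvc (step 4), then the user retries
        }
        Receive-Job -Job $job -ErrorAction Stop | Out-Null
    }
    catch {
        Write-Warning "Registration failed: $($_.Exception.Message)"
        return 'Failed'
    }
    finally {
        Remove-Job -Job $job -Force
    }

    # Step 5: confirm the package is now visible to this user.
    if (Get-AppxPackage -Name $Name) { return 'Registered' } else { return 'Failed' }
}

# One line per logon, suitable for appending to a log an administrator reviews.
$result = Repair-BrokerPluginRegistration
'{0} {1} {2} BrokerPlugin={3}' -f (Get-Date -Format s), $env:COMPUTERNAME, $env:USERNAME, $result
```

A `TimedOut` result on several users of the same host points at the AppXSvc condition from step 4 rather than at an individual profile.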
 - Deanbostedor, Apr 08, 2020, Brass Contributor
Hi Carlinge,
I resolved this exact case with Microsoft last week. The issue is a defect in Office which "workplace joins" the session hosts by default. This causes a token to be created associated to the session host where Office is initially setup and cannot work as users move around to other session hosts.
The fix is to enter these registry keys for all session hosts (I pushed out through GPO and it works fine)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin]
"BlockAADWorkplaceJoin"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WorkplaceJoin]
"autoWorkplaceJoin"=dword:00000000
Also, if you have an issue after doing this, it may be that the appx package for the AAD Token Broker plugin is not working. You can get this working again by implementing a login script that does the following:
Add-AppxPackage -Register "C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode
I have my case numbers in one of the previous posts if your MS Support person would like to reference them.
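Added example (not part of any post in this thread, and not Microsoft's code): a read-only PowerShell audit that checks a session host for the two WorkplaceJoin policy values listed above and parses `dsregcmd /status` for the workplace-join state that brbundy85's reply says to look for. The function names and the sample status lines are assumptions constructed for illustration.

```powershell
# Added example: read-only audit, run in the user's session on a session host.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$Expected  = @{ BlockAADWorkplaceJoin = 1; autoWorkplaceJoin = 0 }   # values from the thread

function Test-WorkplaceJoinPolicy {   # hypothetical name
    param([string]$Key = $PolicyKey, [hashtable]$Want = $Expected)
    $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    foreach ($name in $Want.Keys) {
        # A missing key or missing value is reported as non-compliant, not as an error.
        $actual = if ($props) { $props.$name } else { $null }
        [pscustomobject]@{
            Value     = $name
            Expected  = $Want[$name]
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $Want[$name])
        }
    }
}

function Get-WorkplaceJoinState {     # hypothetical name
    # Takes dsregcmd /status text; tolerant of spacing and case in the field name.
    param([string[]]$StatusText)
    foreach ($line in $StatusText) {
        if ($line -match '^\s*Workplace\s*Joined\s*:\s*(YES|NO)\s*$') {
            return ($Matches[1] -eq 'YES')
        }
    }
    return $null   # field not present in the supplied text
}

# Constructed sample lines (not captured from a real host) to exercise the parser offline.
$sample = @(
    '        AzureAdJoined : NO',
    '        DomainJoined : YES',
    '        WorkplaceJoined : YES'
)
"Sample parse result: $(Get-WorkplaceJoinState -StatusText $sample)"

# Live check on this host and this user's profile.
Test-WorkplaceJoinPolicy | Format-Table -AutoSize
$joined = Get-WorkplaceJoinState -StatusText (& dsregcmd.exe /status)
if ($null -eq $joined) { Write-Warning 'WorkplaceJoined field not found in dsregcmd output.' }
elseif ($joined)       { Write-Warning 'Profile is workplace joined; it still carries the registration described in this thread.' }
else                   { 'Profile is not workplace joined.' }
```

A host can be compliant on both policy values while an existing profile is still workplace joined, which is why the two checks are reported separately.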
 - cvanaxel, Apr 04, 2020, Brass Contributor
So there is no solution for ADFS authentication?
 - cvanaxel, Apr 03, 2020, Brass Contributor
I can't use Seamless SSO unfortunately. We use our on-premise AD Connect server and it is still Windows 2008. 😞 So we use an ADFS server.