How can I achieve seamless SSO?

Sometime last year I achieved seamless SSO in our corporate environment with the following tools:

• Windows 10 Clients
  • IE11 (by adding some URLs to the intranet/trusted zones)
  • Chrome (with some trickery on ADFS to get this working)
  • and generally adding the whr parameter to bookmarks deployed via GPO
• Azure AD Connect
• ADFS onPrem with 2012 R2 (domain is generally on 2012 R2 level)

but with the latest changes over last couple of months, this setup stopped working. I need some guidance as I no longer know what the absolute best way to deploy seamless SSO is. These are the tools at my disposal:

• Windows 10 v1709 onPrem domain joined/AAD hybrid joined devices
• (I'd like it work with all 3 browsers preferably) 
  • Chrome
  • Edge
  • IE11
• Proper setup UPN for all users
• MFA active on all users
  • except for onPrem IP-Range
• Windows Server 2012 R2 onPrem
  • if 2016 is a requirement for this, I'll happily upgrade somehow
• Azure AD Connect
• SCCM (latest), incl. Hybrid AAD Joined Devices - but Windows 10 is mostly managed by SCCM and not Intune.

I have no requirement for authentication to happen onPrem, I just did it because it allowed for true SSO back then.

I basically NEVER want an authentication prompt, neither username or password, within my corporate environment. As in, a freshly deployed machine with a brand new user account automatically signs into www.office.com on the very first try, no fuss 😉

Please tell me this is still somehow possibly.