Nov 21 2019 01:45 PM - edited Nov 21 2019 01:46 PM
Having an issue where users of WVD Windows 10 multi-session have problems moving between hosts. Essentially the first login on a host is fine; when the user moves to a new host, Outlook eventually says "Need password", however the modern authentication prompts are never presented to the user.
Anyone have any insight? Perhaps something with Azure Files / FSLogix?
Thanks in advance.
Apr 02 2020 01:50 PM
Pioneering (early adopting) isn't easy, frustrating at times. We just need Microsoft's help to clarify things so we can move forward with further adoption.
Apr 02 2020 01:55 PM
With the Office 365 Container GPO setting for FSLogix, does the VHD Location need to be a different path than the Profile Container? i.e. /fslogixshare/o365 vs. /fslogixshare/profile? We had them pointed at the same share, but it did not seem to create a 365 container.
Apr 02 2020 01:58 PM
Apr 02 2020 01:58 PM - edited Apr 02 2020 02:00 PM
Case with FS Logix Team:
120032624003833
Case with Office Team:
19016551
The latest response from our T3 Escalation engineer from the Office team was:
"After multiple crits last week regarding AAD registration and FSLogix, only solution I’ve found for WVD is to be domain joined only then reset everyone’s FSLogix profile(rename?) so it doesn’t get registered again with used device ID when user signs in.
These are the reg keys we used for WVDs :
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin]
"BlockAADWorkplaceJoin"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WorkplaceJoin]
"autoWorkplaceJoin"=dword:00000000"
We did have this in place, deleted all profile containers, and it worked. However, after a few days we had the appx errors. From what our MS engineer said, the Azure AD Broker package is not supported with WVD/Multi-Session Windows 10 so the login script that we had in place to register the Azure AD Broker Appx package was not a supported configuration (although it did work).
We are also engaged with a WVD architect and our Partner Technology Strategist who is working to get more eyes on this internally. We have a call again with them tomorrow. Unfortunately, it might be too late as we've been told that the solution might be ripped out and replaced with traditional RDS VM's in Azure due to all of this.
Key take-aways for me:
1. Azure ADDS and WVD are no good when Office is used unless the registry key and the login script are in place.
2. Use traditional AD Hybrid (with Azure AD Connect) and Hybrid Azure AD join/Seamless SSO with WVD.
This isn't a FS Logix problem. It's a modern auth/device registration problem. The profile just keeps the token in place with the deviceid from the "original" session host. With no Hybrid Azure AD Join/Seamless SSO, the token breaks and Outlook cannot figure out how to reprompt/generate a new token with the new deviceid.
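An added example, not part of the thread or of the support engineer's guidance: a PowerShell snippet that writes the two WorkplaceJoin policy values quoted above on a session host and then reads the resulting device state back from dsregcmd, so the "Azure AD registered" versus "Hybrid Azure AD joined" state the posters keep checking in the portal can be confirmed on the host itself. The policy path is the one quoted in the post; the choice of which dsregcmd fields to parse is mine.

```powershell
# Added example (not from the thread). Run elevated on a session host.
# Policy path as quoted in the post above.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'

function Set-WorkplaceJoinPolicy {
    param(
        [switch]$BlockUserRegistration,   # BlockAADWorkplaceJoin = 1 (stops users registering the host themselves)
        [switch]$DisableAutoRegistration  # autoWorkplaceJoin = 0 (stops automatic registration of the domain-joined host)
    )
    if (-not (Test-Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    if ($BlockUserRegistration) {
        New-ItemProperty -Path $policyPath -Name 'BlockAADWorkplaceJoin' -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if ($DisableAutoRegistration) {
        New-ItemProperty -Path $policyPath -Name 'autoWorkplaceJoin' -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Return what is now in the key so the caller can see both values
    Get-ItemProperty -Path $policyPath
}

function Get-DeviceJoinState {
    # dsregcmd /status prints "Name : Value" lines in several sections; keep only the fields of interest.
    # Device-level: AzureAdJoined / DomainJoined / DeviceId / TenantName
    # User-level (the "User State" section): WorkplaceJoined, i.e. an Azure AD *registered* identity for this user
    $wanted = 'AzureAdJoined', 'EnterpriseJoined', 'DomainJoined', 'WorkplaceJoined', 'DeviceId', 'TenantName'
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

# Apply the values quoted in the post, then show the join state
Set-WorkplaceJoinPolicy -BlockUserRegistration -DisableAutoRegistration
Get-DeviceJoinState
```

For a host that is Hybrid Azure AD joined as later posts in the thread recommend, the expected readings are AzureAdJoined YES, DomainJoined YES and WorkplaceJoined NO for the signed-in user; a WorkplaceJoined YES is the per-user "Azure AD registered" entry that then shows up once per user in the Azure AD device list. One caveat: the post quotes these values for a "domain joined only" configuration. autoWorkplaceJoin = 0 also disables the automatic registration that Hybrid Azure AD join relies on, so if the intent is Hybrid join rather than domain-join-only, set BlockAADWorkplaceJoin alone and leave autoWorkplaceJoin unset.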
Apr 02 2020 02:01 PM
Apr 02 2020 02:03 PM
@Deanbostedor I think your comments are spot on, and it's really disappointing that these REQUIREMENTS are not listed in Microsoft's documentation. But persistent desktops, so far, are working really well.
Apr 02 2020 02:04 PM
@FinTechSean Yes you need different paths for the 2 different containers. We split the profiles also at the recommendation of the O365 team (while they consulted with FSLogix team) but it did not resolve the issue. So far, no benefit that I can see to using the split profile option.
Apr 02 2020 02:06 PM
@Rob Blankers That stinks. I was holding out hope! :) On the performance front, I gave up and went up to DS16s hosts, for even fewer users. Considering switching to persistent desktops.
Apr 02 2020 02:10 PM
@FinTechSean Ouch those are some big VMs... the persistent desktop option is more expensive but so far much better for users. And the cost per-VM is much less if using the 'personal' option. Check the WVD area on Azure pricing site... it wasn't as bad as I expected, and if we keep this config we'll use reserved instances to cut costs even more.
I definitely still believe WVD will be a great solution, just working through the bugs... It's a great value for a completely hosted VDI environment.
Apr 02 2020 02:10 PM
We also tried to split the O365 container from the profile container with no luck.
@FinTechSean - Do you have Azure AD Connect in place? If so, have you configured Hybrid Azure AD join so that the session hosts are showing in your Azure AD directory? If you have done this AND configured seamless SSO, your issue should be cleared up. Important note - you will need to delete the existing session hosts out of Azure AD if they are showing as "registered" and then delete user profiles (in that order).
Apr 02 2020 02:18 PM
Yes, Azure AD Connect. Hybrid AD Join yes, Azure AD -> Devices -> shows the WVD hosts as 'Azure AD registered' under join type. You'll see several per machine, basically one per person who has logged into that host via WVD. There is also an Intune registration once per host, with an Owner of whoever first logged into that host.
Seamless SSO in place (however, I've been meaning to take a pass through the link posted in here earlier to confirm nothing was missed).
So:
- Confirm all Seamless SSO steps were completed
- Drain Mode all Hosts in a pool, and shut them down?
- Delete all session hosts from Azure AD Device list (including Intune MDM registrations?)
- Delete all user profiles (from the FSLogix Storage container? or from the hosts themselves as well?)
- Restart Hosts
Sound like it is worth a try? @Rob Blankers - am I wasting my time? Should I just go persistent?? :)
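An added example, not part of the thread: a PowerShell sketch of the clean-up sequence the posts above describe (drain the host pool, remove the duplicate "Azure AD registered" device objects for the session hosts, then delete the FSLogix profile containers, in that order). It assumes the AzureAD and Az.DesktopVirtualization modules are installed and already connected (Connect-AzureAD / Connect-AzAccount); the host name prefix, resource group, host pool name and profile share path are placeholders of mine, not values from the thread. The Intune MDM registrations mentioned above are not touched here.

```powershell
# Added example (not from the thread). Placeholders below are assumptions.
$hostPrefix    = 'WVD-HOST-'              # assumption: session hosts are named WVD-HOST-0, WVD-HOST-1, ...
$resourceGroup = 'rg-wvd'                 # assumption
$hostPool      = 'hp-prod'                # assumption
$profileShare  = '\\fslogixshare\profile' # assumption: the FSLogix VHDLocations path

function Get-StaleRegisteredDevices {
    # DeviceTrustType values: 'Workplace' = Azure AD registered, 'ServerAd' = Hybrid Azure AD joined,
    # 'AzureAd' = Azure AD joined. Only the 'Workplace' entries for our hosts are the unwanted duplicates.
    Get-AzureADDevice -All $true |
        Where-Object { $_.DisplayName -like "$hostPrefix*" -and $_.DeviceTrustType -eq 'Workplace' }
}

function Remove-StaleRegisteredDevices {
    param([switch]$WhatIf)
    foreach ($device in Get-StaleRegisteredDevices) {
        Write-Host ("{0}  {1}  {2}" -f $device.DisplayName, $device.DeviceTrustType, $device.DeviceId)
        if (-not $WhatIf) { Remove-AzureADDevice -ObjectId $device.ObjectId }
    }
}

function Set-HostPoolDrainMode {
    param([bool]$Drain)
    Get-AzWvdSessionHost -ResourceGroupName $resourceGroup -HostPoolName $hostPool | ForEach-Object {
        # Name comes back as "<hostpool>/<fqdn>"; Update-AzWvdSessionHost wants just the fqdn part
        $fqdn = ($_.Name -split '/')[-1]
        Update-AzWvdSessionHost -ResourceGroupName $resourceGroup -HostPoolName $hostPool `
            -Name $fqdn -AllowNewSession:(-not $Drain) | Out-Null
    }
}

function Remove-FslogixProfiles {
    param([switch]$WhatIf)
    # FSLogix keeps one folder per user under the share, holding that user's Profile_<user>.vhd(x).
    # Make sure every host is drained and users are signed out first, so no VHD is still mounted.
    Get-ChildItem -Path $profileShare -Directory | ForEach-Object {
        if ($WhatIf) { Write-Host "would remove $($_.FullName)" }
        else         { Remove-Item -Path $_.FullName -Recurse -Force }
    }
}

# Order from the thread: drain, remove the duplicate device objects, then the profiles.
# Both destructive steps run in preview mode here; drop -WhatIf once the list looks right,
# then Set-HostPoolDrainMode -Drain $false and restart the hosts.
Set-HostPoolDrainMode -Drain $true
Remove-StaleRegisteredDevices -WhatIf
Remove-FslogixProfiles -WhatIf
```

Deleting every profile container is the blunt form of the "reset everyone's FSLogix profile" step; renaming the per-user folders instead of removing them gives the same effect while keeping a copy to restore from.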
Apr 02 2020 02:26 PM
Apr 02 2020 03:57 PM
Looking at this thread more closely there could be several issues, we'll have to focus on one for now.
The issue that @FinTechSean is describing is very likely related to the "registered" vs. "Hybrid Azure AD" status. I think @Deanbostedor is spot on.
If I look at our internal selfhost all VMs are in a "Hybrid Azure AD" state and SSO is working in Windows 10 Enterprise multi-session (including Outlook). I can ask our Azure AD team what could result in the "registered" state. That will have to be corrected followed by a FSLogix profile reset.
Apr 02 2020 04:03 PM
That must be my problem as well.
Apr 02 2020 05:32 PM - edited Apr 02 2020 05:41 PM
There are two ways of preventing this:
Registering is supposed to be done against another tenant (e.g. user has AADJ device from CompanyA and is registering to the tenant of CompanyB). Registering to the same tenant as the device is AD joined to will cause issues, most likely the ones described in this thread.
VMs can get to this state when a user selects the "use this account everywhere" prompt from an Office app, this can be done by standard (non-admin) users. I'm exploring options to see what we can do to prevent this from happening on Win10 Enterprise multi-session.
Apr 03 2020 10:15 AM
But is this solved?
I almost have the same issue. All machines are hybrid joined, but we use ADFS on-premise for authentication with MFA.
The user logs on the first time, gets the popup and saves the password. After logout, when the session is logged out and not disconnected, the user logs back in and gets a corrupted OST or gets the popup again to log on.
Is there a doc to solve the problem? We want to go live, and this can be a show stopper for WVD with those corrupted OST files and the Outlook popup for logon continuously.
Apr 03 2020 10:26 AM
@cvanaxel it's difficult to determine whether this is the same issue based on the limited information. Do you have a customer support case opened?
I'm working on documentation to describe the issue listed in my previous replies and test the workaround before changing the win10 multi-session image that can be found in the Azure gallery.
Apr 03 2020 10:30 AM
Apr 03 2020 10:32 AM
@cvanaxel How do your VMs show in Azure AD? Are they similar (Azure AD registered) to the screenshots shown in recent replies in this thread?
Apr 03 2020 10:38 AM