SOLVED

Outlook login issues with WVD - FSLogix


Having an issue where users of WVD Windows 10 Multi-session have issues moving between hosts. Essentially the first login on a host is fine; when the user moves to a new host, Outlook eventually says "need password", however the modern authentication prompts are never presented to the user.

 

Anyone have any insight? Perhaps Something with AzureFiles / FSlogix?

 

Thanks in advance.

 

 

219 Replies

@benjamink9 

@inkydinky 

 

Pioneering (early adopting) isn't easy, frustrating at times. We just need Microsoft's help to clarify things so we can move forward with further adoption.

 

 

@DAsnow 

 

With the Office 365 Container GPO setting for FSLogix, does the VHD Location need to be a different path than the Profile Container? i.e. /fslogixshare/o365 vs. /fslogixshare/profile? We had them pointed at the same share, but it did not seem to create a 365 container.

It would appear as two VHD files: one the Office container, the other the Profile VHD. @FinTechSean 

 

 

Case with FS Logix Team:

120032624003833

Case with Office Team: 

19016551

The latest response from our T3 Escalation engineer from the Office team was:

"After multiple crits last week regarding AAD registration and FSLogix, the only solution I've found for WVD is to be domain joined only, then reset everyone's FSLogix profile (rename?) so it doesn't get registered again with the used device ID when the user signs in.

These are the reg keys we used for WVDs :

[HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin]
"BlockAADWorkplaceJoin"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WorkplaceJoin]
"autoWorkplaceJoin"=dword:00000000"


We did have this in place, deleted all profile containers, and it worked.  However, after a few days we had the appx errors.  From what our MS engineer said, the Azure AD Broker package is not supported with WVD/Multi-Session Windows 10 so the login script that we had in place to register the Azure AD Broker Appx package was not a supported configuration (although it did work).

We are also engaged with a WVD architect and our Partner Technology Strategist who is working to get more eyes on this internally.  We have a call again with them tomorrow.  Unfortunately, it might be too late as we've been told that the solution might be ripped out and replaced with traditional RDS VM's in Azure due to all of this.

Key take-aways for me:
1.  Azure ADDS and WVD are no good when Office is used unless the registry key and the login script are in place.
2.  Use traditional AD Hybrid (with Azure AD Connect) and Hybrid Azure AD join/Seamless SSO with WVD.

This isn't a FS Logix problem.  It's a modern auth/device registration problem.  The profile just keeps the token in place with the deviceid from the "original" session host.  With no Hybrid Azure AD Join/Seamless SSO, the token breaks and Outlook cannot figure out how to reprompt/generate a new token with the new deviceid.

Unfortunately, yes the issue returned. We have now deployed a persistent desktop hostpool and so far have not seen this issue (also, didn't use this setting in the GPO for persistent desktops). But we're only 72 hours into that... I'm not calling it good until I've seen consistent performance for a week.

We'll still use a shared pool for some segment of our population but have also seen some disappointing performance issues there. We're putting 5-7 users on DS8 v3 machines (8 vCPU, 32 GB memory) and users get black screened (explorer.exe crash) and slow responsiveness in Outlook (when it works) that make it nearly unbearable for minutes at a time.

@Deanbostedor  I think your comments are spot on, and it's really disappointing that these REQUIREMENTS are not listed in Microsoft's documentation.  But persistent desktops, so far, are working really well.

@FinTechSean Yes you need different paths for the 2 different containers.  We split the profiles also at the recommendation of the O365 team (while they consulted with FSLogix team) but it did not resolve the issue.  So far, no benefit that I can see to using the split profile option.

@Rob Blankers That stinks. I was holding out hope! :) On the performance front, I gave up and went up to DS16s hosts, for even fewer users. Considering switching to persistent desktops.

@FinTechSean Ouch, those are some big VMs... the persistent desktop option is more expensive but so far much better for users.  And the cost per-VM is much less if using the 'personal' option.  Check the WVD area on the Azure pricing site... it wasn't as bad as I expected, and if we keep this config we'll use reserved instances to cut costs even more.  

 

I definitely still believe WVD will be a great solution, just working through the bugs...  It's a great value for a completely hosted VDI environment.

@FinTechSean 

@Rob Blankers 

We also tried to split the O365 container from the profile container with no luck.  

 

@FinTechSean  - Do you have Azure AD Connect in place?  If so, have you configured Hybrid Azure AD join so that the session hosts are showing in your Azure AD directory?  If you have done this AND configured seamless SSO, your issue should be cleared up.  Important note - you will need to delete the existing session hosts out of Azure AD if they are showing as "registered" and then delete user profiles (in that order).

@Deanbostedor 

 

Yes, Azure AD Connect. Hybrid AD Join yes; Azure AD -> Devices -> shows the WVD hosts as 'Azure AD registered' under join type. You'll see several per machine, basically one per person who has logged into that host via WVD. There is also an Intune registration once per host, with an Owner of whoever first logged into that host.

 

Seamless SSO in place (however, I've been meaning to take a pass through the link posted in here earlier to confirm nothing was missed).

 

So:

 

- Confirm all Seamless SSO steps were completed

- Drain Mode all Hosts in a pool, and shut them down?

- Delete all session hosts from Azure AD Device list (including Intune MDM registrations?)

- Delete all user profiles (from the FSLogix Storage container? or from the hosts themselves as well?)

- Restart Hosts

 

Sound like it is worth a try?  @Rob Blankers  - am I wasting my time? Should I just go persistent?? :)

They should NOT be showing as registered. This is the problem. They must be showing only as Hybrid Azure AD joined.

The registered devices have to be deleted so that the only session hosts showing are displaying as "Hybrid Azure AD Joined". Once the registered devices are deleted, the profiles for all users who have any registered session hosts must be deleted.

To ensure that the devices do not get re-registered, apply the registry settings on each session host (push through GPO and reboot all hosts). I have the registry settings in my post with the MS ticket numbers.

Looking at this thread more closely there could be several issues, we'll have to focus on one for now. 

The issue that @FinTechSean is describing is very likely related to the "registered" vs. "Hybrid Azure AD" status. I think @Deanbostedor is spot on. 

 

If I look at our internal selfhost all VMs are in a "Hybrid Azure AD" state and SSO is working in Windows 10 Enterprise multi-session (including Outlook). I can ask our Azure AD team what could result in the "registered" state. That will have to be corrected followed by a FSLogix profile reset. 

 

That must be my problem as well.

There are two ways of preventing this: 

  1. For AD joined VMs, follow this guidance on how to prevent the VMs from being registered
  2. Configure hybrid Azure Active Directory join for managed domains <- preferred 

Registering is supposed to be done against another tenant (e.g. user has AADJ device from CompanyA and is registering to the tenant of CompanyB). Registering to the same tenant as the device is AD joined to will cause issues, most likely the ones described in this thread. 

 

VMs can get to this state when a user selects the "use this account everywhere" prompt from an Office app, this can be done by standard (non-admin) users. I'm exploring options to see what we can do to prevent this from happening on Win10 Enterprise multi-session.

 

 

But is this solved?

 

I almost have the same issue. All machines are hybrid joined, but we use ADFS on-premises for authentication with MFA. 

 

The user logs on the first time, gets the popup and saves the password. After logoff (the session is logged off, not disconnected), the user logs back in and gets a corrupted OST or gets the logon popup again.

 

Is there a doc to solve the problem, because we want to go live? This can be a show stopper for WVD with these corrupted OST files and the continuous Outlook logon popup.

@cvanaxel it's difficult to determine whether this is the same issue based on the limited information. Do you have a customer support case opened? 

I'm working on documentation to describe the issue listed in my previous replies and test the workaround before changing the win10 multi-session image that can be found in the Azure gallery. 

I will open one right now, because I'm really tired of troubleshooting. I can't figure out where to look. Is it an FSLogix problem for the corrupted OST files, and the login issue more an authentication problem? There is almost no documentation to work with.

@cvanaxel How do your VMs show in Azure AD? Are they similar (Azure AD registered) to the screenshots shown in recent replies in this thread?

@cvanaxel 

@PieterWigleven 

@FinTechSean 

@DAsnow 

@benjamink9 


Just got confirmation directly from our Microsoft Partner Technology Strategist and Sr. Cloud Solution Architect, in collaboration with the FS Logix, WVD, and Office teams.  This IS an issue.  It's being called a "defect" in Office where it's registering session hosts to Azure AD.  When users get moved to other hosts, the token breaks because it contains the deviceID of the first registered session host in the FS Logix profile.

The workaround/fix is to:
A:  Implement Hybrid Azure AD join/Seamless SSO and BLOCK device registration through registry settings for Hybrid AD environments (I have the registry settings above).
B:  For Azure ADDS environments, block device registration in the registry (no option for Hybrid Azure AD Join/Seamless SSO at the moment). A login script may be required if the Azure AD Broker plugin stops working (see my posts much earlier in the thread).

Engineering is working on a fix on the Office/OneDrive side of things.  In the meantime, you must implement the fix and recreate all FSLogix profiles.
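As an added example (not code from the thread, from Microsoft, or from FSLogix), a PowerShell audit for a session host that checks the two registry values quoted above and reads the join state from dsregcmd, so an admin can tell a "registered" host from a healthy hybrid-joined one before recreating profiles; the -Remediate switch, function names and output format are my own choices.

```powershell
# Added example: audit a WVD session host for the device-registration state
# described in this thread, optionally applying the quoted registry values.
[CmdletBinding()]
param([switch]$Remediate)  # hypothetical switch: apply the fix instead of only reporting

$KeyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$Expected = @{ BlockAADWorkplaceJoin = 1; autoWorkplaceJoin = 0 }   # values from the thread

function Get-DsregState {
    # dsregcmd /status prints "Name : Value" lines; fold them into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Test-RegistryPolicy {
    # Returns $true only if both expected DWORDs are present with the expected values.
    $key = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $actual = if ($null -ne $key) { $key.$name } else { $null }
        $status = if ($actual -eq $Expected[$name]) { 'OK' } else { $ok = $false; 'MISSING/WRONG' }
        Write-Host ("{0,-24} expected {1} actual {2,-6} {3}" -f $name, $Expected[$name], $actual, $status)
    }
    return $ok
}

$ds = Get-DsregState
Write-Host ("DomainJoined={0} AzureAdJoined={1} WorkplaceJoined={2} AzureAdPrt={3}" -f $ds['DomainJoined'], $ds['AzureAdJoined'], $ds['WorkplaceJoined'], $ds['AzureAdPrt'])

# Healthy hybrid host: DomainJoined=YES, AzureAdJoined=YES, WorkplaceJoined=NO.
# WorkplaceJoined=YES for the signed-in user is the "Azure AD registered" state
# the thread identifies as the cause of the broken Outlook token.
if ($ds['WorkplaceJoined'] -eq 'YES') {
    Write-Warning 'This user is Azure AD *registered* on this host; see the thread for the cleanup order.'
}

if (-not (Test-RegistryPolicy) -and $Remediate) {
    New-Item -Path $KeyPath -Force | Out-Null
    foreach ($name in $Expected.Keys) {
        New-ItemProperty -Path $KeyPath -Name $name -Value $Expected[$name] -PropertyType DWord -Force | Out-Null
    }
    Write-Host 'Registry values applied; reboot the host, then remove registered devices and recreate profiles as described above.'
}
```

Run it elevated on each host (or via a GPO startup script) before and after the cleanup; the registry check alone does not undo an existing registration, which is why the thread insists on deleting the registered device objects and the FSLogix profiles as well.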