macos (2 topics)

macOS: SSO no longer fully functional on AVD (Win11 25H2)
Hello everyone,

Since updating our test Azure Virtual Desktop session hosts from Windows 11 23H2 to 25H2 (26200.7462), we've been experiencing an SSO issue that exclusively affects macOS clients.

Symptoms

For macOS users (Windows App), the following issues occur. Example: Teams
- Teams shows the user as "Unknown User"
- Chat and collaboration features fail to load
- Error message: "You need to sign in again. This may be a requirement from your IT department or Teams, or the result of a password update. - Sign in"
- After clicking "Sign in," only a window appears with "Continue with sign-in" (no PW/MFA prompt)
- After this, all other applications work without further authentication

Technical Details

macOS device: Apple M4 Pro, macOS Tahoe 26.2
Installed Windows App version: 11.3.2 (2848)
dsregcmd /status: No errors detected. PRT is active and was updated for sign-in.
Entra sign-in logs: Error code: 9002341
Event log on session host (AAD-Operational):
- Event ID: 1098, Error: 0xCAA2000C The request requires user interaction. Code: interaction_required. Description: AADSTS9002341: User is required to permit SSO.
- Event ID: 1097, Error: 0xCAA90056 Renew token by the primary refresh token failed. Logged at RefreshTokenRequest.cpp, line: 148, method: RefreshTokenRequest::AcquireToken.

Observations
- Affects: both managed (internal) and unmanaged (external) macOS devices
- Does NOT affect: Windows clients connecting via Windows App
- Interesting: if a macOS user starts the session (with the error) and then reconnects on a Windows device, authentication works automatically there

Workaround

The issue can be resolved for macOS clients by removing the "DE" flag from "Automatic app sign-in" in the following file: C:\Windows\System32\IntegratedServicesRegionPolicySet.json

Questions
- Is this a known issue?
- Has anyone experienced similar issues with macOS clients after the 25H2 update?
- Why does this issue only occur with macOS clients?
- Why does SSO only work after removing the "DE" flag for macOS devices, and why are Windows devices not affected?

I would appreciate any insights or confirmation of this issue! Thank you and greetings, FT_

macOS Remote Desktop client app - automatic logon (no credential prompt)
Sorry if this isn't a good place to post this question. But I'm trying to locate the right place for macOS RDClient feedback now that https://support.microsoft.com/en-us/topic/uservoice-pages-430e1a78-e016-472a-a10f-dc2a3df3450a.

I am trying to automate the launch of RD Client without prompting for a credential. The macOS RD client (GUI) allows storing passwords securely in the macOS Keychain and will use them to automatically log on when double-clicked from the bookmarks. On Windows, I understand there is a way to use a little-known "password 51:b:<myEncryptedPassword>" attribute to pass an encrypted string as a password from the .RDP file.

AFAICT there is no way to completely automate the RDP logon without a password prompt on macOS, for the following reasons:
- No way to pass a password credential (encrypted or otherwise) via https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-uri
- No way to control the RDClient app via AppleScript
- Bookmarks within the app support saving credentials in Keychain, but there's no way to initiate a connection to a 'bookmark' via the URL scheme (bookmarks are stored in a totally separate SQLite database, and the password is not contained within)
- https://github.com/PowerShell/PowerShell/pull/9199, so the hidden `password 51:b:myEncryptedPassword` attribute does not work.
- No way to save an .RDP file or any shortcut/alias that includes the password (this would be bad for security even if it were possible!)

Anyone got any ideas here?
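For the rdp:// URI scheme the post above links to, here is an added Python example; it is not from the post and not Microsoft's code. It follows the documented key=type:value layout of the scheme (spaces in keys such as "full address" percent-encoded), converts a .rdp file into a launchable URI and parses a URI back into settings. As a design choice of the example, it refuses to emit any password attribute, which matches the post's finding that a credential cannot travel in the URI and that a file carrying one would be bad for security. The sample .rdp contents, host name and account are constructed, the `password 51` key is treated as a credential key by assumption, and which other parameters the macOS client actually honours is not checked here.

```python
from urllib.parse import quote, unquote

# Constructed sample .rdp file, not taken from the post. The "password 51:b:" line is
# the Windows-only encrypted-credential attribute the post mentions; this example
# deliberately refuses to carry it into a URI.
SAMPLE_RDP = """\
full address:s:avd-host.example.test:3389
username:s:CORP\\alice
audiomode:i:2
screen mode id:i:2
password 51:b:0102030405
"""

# Design choice of this example (not a rule of the URI scheme): keys that would put
# a credential into the URI are never emitted; on macOS the client keeps saved
# credentials in the Keychain instead.
CREDENTIAL_KEYS = {"password", "password 51"}


def parse_rdp_file(text):
    """Parse .rdp 'key:type:value' lines into {key: (type, value)}.
    Only the first two colons separate fields, so values may contain ':'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed .rdp line: {line!r}")
        key, typ, value = parts
        settings[key] = (typ, value)
    return settings


def build_rdp_uri(settings):
    """Serialise {key: (type, value)} as rdp://key=type:value&..., percent-encoding
    keys and values (a space in 'full address' becomes %20, the ':' inside a
    host:port value stays literal). Credential keys raise instead of leaking."""
    parts = []
    for key, (typ, value) in settings.items():
        if key.lower() in CREDENTIAL_KEYS:
            raise ValueError(f"refusing to embed credential attribute {key!r} in a URI")
        parts.append(f"{quote(key, safe='')}={typ}:{quote(value, safe=':')}")
    return "rdp://" + "&".join(parts)


def parse_rdp_uri(uri):
    """Inverse of build_rdp_uri: rdp://... back to {key: (type, value)}."""
    if not uri.startswith("rdp://"):
        raise ValueError("not an rdp:// URI")
    settings = {}
    for item in uri[len("rdp://"):].split("&"):
        if not item:
            continue
        key, _, rest = item.partition("=")
        typ, _, value = rest.partition(":")
        settings[unquote(key)] = (typ, unquote(value))
    return settings


def rdp_file_to_uri(text):
    """Convert an .rdp file to a launchable URI, dropping credential attributes.
    Returns (uri, dropped_keys) so the caller can see what was left out."""
    settings = parse_rdp_file(text)
    dropped = [k for k in settings if k.lower() in CREDENTIAL_KEYS]
    kept = {k: v for k, v in settings.items() if k.lower() not in CREDENTIAL_KEYS}
    return build_rdp_uri(kept), dropped


if __name__ == "__main__":
    uri, dropped = rdp_file_to_uri(SAMPLE_RDP)
    print(uri)                  # on macOS, hand this string to `open` to launch the client
    print("dropped:", dropped)  # ['password 51']
```

On macOS the resulting string can be passed to `open`; the credential itself stays in the Keychain entry the client keeps for that host, which is the only place the post found it could live, so the URI only ever carries connection settings.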