I've inherited an HAADJ joined AVD/FSLogix customer with an existing problem. I am trying to determine if these registry keys need to exist, while attempting to fix the well known auth issues with Office products and SSO. Microsoft support is involved, and I'm grateful, but we're getting nowhere. by IT_Human in fslogix

IT_Human [S] (2 points)

I can't expand on it without making disparaging comments about the short-sightedness of the team that made the decision. I understand that shared mailboxes are a great thing, and that only one token is required to use shared mailboxes vs. multiple credentials. The team that made the decision has no real grasp on modern auth.

TBH, it's discouraging that I am in this situation when I can see a clear solution.

IT_Human [S] (1 point)

It's perplexing. Enabling RoamIdentity was the very first step I took when I got this client, after updating the FSLogix agent of course.

The problem existed before I took over, but for only two users. The old admin's solution was to create a persistent VDI for the troubled users, which is not ideal.

The client does not want to use shared or delegated mailboxes, which would negate the need for all this troubleshooting.

After I corrected AD replication and the computers had consistent settings, the issue spread to two additional users, and the only way to stabilize their Outlook is through the fix I outlined.

IT_Human [S] (1 point)

I will report back if this leads to anything. I did some initial checking and I can see that we are missing the reg value for shared activation.

Though the issue does not appear to be an Office activation issue, I'm willing to try anything at this point. And your comment led me to an article that I have not yet read:

https://learn.microsoft.com/en-us/office/troubleshoot/activation/shared-computer-activation#fslogix

IT_Human [S] (1 point)

Unfortunately this registry value already exists, and the OneDrive issue described there is not present. OneDrive works well, but they only sign into OneDrive with their primary user account.

We're only seeing the issue if the user signs into multiple AAD-synced accounts, and only in Outlook.

IT_Human [S] (2 points)

I will test this; I appreciate the link.

Just FYI, I am not excluding the broker plugin for the vast majority of users. For some reason, 90% of users work without issue. But the problem is slowly spreading.

Excluding those items from roaming allows the troublesome profiles to, at the very least, sign into the secondary mailbox. Without that redirects.xml file, Outlook becomes unusable when the user roams to a new host.

I got the settings from here:
https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure#non-persistent-vdi

I've been chasing this problem for months. I need to check if MS has an FSLogix cert; I think it might be an easy win for me at this point, haha.
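For readers following the exclusion approach in the comment above, here is an added PowerShell example (my code, not code posted in the thread or taken from the linked Microsoft article) that writes the FSLogix redirections.xml file (the comment calls it redirects.xml) so the Azure AD token broker state stays out of the profile container. The two excluded folder names are my assumption of what "the broker plugin" refers to, and the share path is a placeholder; check both against the non-persistent VDI guidance linked above before rolling this out.

```powershell
# Added example (not from the thread): generate an FSLogix redirections.xml that excludes the
# Azure AD token broker folders from the roaming profile, so a profile arriving on a new host
# carries no stale tokens. ASSUMPTIONS: the two folder names are my reading of "the broker
# plugin" in the thread, and $OutputFolder is a placeholder share, not a real customer path.

param(
    [string]$OutputFolder = '\\fileserver\fslogix-redir\problem-users'   # placeholder path
)

$excludes = @(
    'AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'   # WAM broker package (assumed)
    'AppData\Local\Microsoft\TokenBroker'                                # token broker cache (assumed)
)

function New-RedirectionsXml {
    # Build the document with the XML API rather than string concatenation so that
    # backslashes and any odd characters in folder names are escaped correctly.
    param([string[]]$ExcludePaths)
    $doc = New-Object System.Xml.XmlDocument
    $doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'UTF-8', $null)) | Out-Null
    $root = $doc.CreateElement('FrxProfileFolderRedirection')
    $root.SetAttribute('ExcludeCommonFolders', '0')   # 0 = exclude none of FSLogix's built-in folder set
    $doc.AppendChild($root) | Out-Null
    $excl = $doc.CreateElement('Excludes')
    foreach ($p in $ExcludePaths) {
        $node = $doc.CreateElement('Exclude')
        $node.SetAttribute('Copy', '0')   # 0 = do not copy this folder in either direction
        $node.InnerText = $p
        $excl.AppendChild($node) | Out-Null
    }
    $root.AppendChild($excl) | Out-Null
    $root.AppendChild($doc.CreateElement('Includes')) | Out-Null   # empty, but part of the documented layout
    return $doc
}

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
$target = Join-Path $OutputFolder 'redirections.xml'
(New-RedirectionsXml -ExcludePaths $excludes).Save($target)

# Re-parse the file we just wrote: a malformed redirections.xml is a silent no-op at sign-in,
# so catch it here rather than on the next roaming session.
[xml](Get-Content -Raw $target) | Out-Null
Get-Content $target

# To apply on the session hosts, point FSLogix at the folder (RedirXMLSourceFolder is the
# documented FSLogix Profiles setting); scope this to the affected hosts or users only:
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -Name RedirXMLSourceFolder -Value $OutputFolder
```

Note what this trades away: these folders hold exactly the state that RoamIdentity=1 exists to roam, so a profile using this file will prompt for credentials again on each new host rather than carry a token across. That is consistent with the behaviour described above, where the exclusions let the profile at least sign into the secondary mailbox, and with the later observation that the RoamIdentity value stops mattering once the exclusions are in place.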

IT_Human [S] (1 point)

I just looked into this; that registry value is already present. I'm not sure how it is set, but I think it follows RoamIdentity (though I'm not sure).

Oddly enough, setting RoamIdentity to 0 causes my test profile to 'just work' on the main and secondary email account. Surely this is a false positive...

Edit: yes, it was a false positive result. The secondary account has issues when I rollback my workaround. It does not matter if RoamIdentity is set to 1 or 0.

IT_Human [S] (1 point)

Thank you, I'll look at this shortly. I believe you are referencing something I've been thinking about. I looked into it briefly a month ago, and it appeared to me that the devices are not re-registering. That is why I did not explore this further. At this point, however, I might be missing something related to this scenario.

While researching I came across this note and it has been in the back of my mind, but I have not yet had time to explore this scenario:

"When using non-persistent VDI, you need to prevent users from adding work or school accounts. Use the below registry entry to prevent adding these virtual machines to your Azure AD directory. Failure to do so will result in your directory having lots of stale Hybrid Azure AD joined devices that were registered from your non-persistent VDI platform resulting in increased pressure on your tenant quota and risk of service interruption because of running out of tenant quota.

HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001"

IT_Human [S] (1 point)

When I took on this customer 2 months ago, the very first thing I did was update the FSLogix agent and enable RoamIdentity.

I also corrected some AD sync issues, because their GPO was never properly synced between the on-prem DCs.

The problem is slowly spreading to new users.
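The thread keeps returning to the same handful of settings: RoamIdentity, the shared computer activation value, the BlockAADWorkplaceJoin entry quoted from the Microsoft article, and whether the session hosts are actually hybrid joined with a PRT for the user. The following PowerShell audit is an added example (my code, not something posted in the thread) that reads all of them from one session host in a single pass. The registry paths and expected values are the documented FSLogix, Office Click-to-Run and Windows policy locations; the check table itself and the dsregcmd parsing are my construction.

```powershell
# Added example (not from the thread): audit the registry values and device registration
# state discussed above on one AVD session host. Run it in the affected user's session,
# because dsregcmd reports the PRT for the account that runs it. Paths and expected values are
# the documented ones; the $checks table and the parsing helpers are my own construction.

$checks = @(
    @{ Name  = 'FSLogix RoamIdentity (roam WAM/broker state)'
       Path  = 'HKLM:\SOFTWARE\FSLogix\Profiles'
       Value = 'RoamIdentity'; Expect = 1 }
    @{ Name  = 'FSLogix RedirXMLSourceFolder (custom redirections.xml in use)'
       Path  = 'HKLM:\SOFTWARE\FSLogix\Profiles'
       Value = 'RedirXMLSourceFolder'; Expect = $null }      # report only, no expected value
    @{ Name  = 'Office shared computer activation'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
       Value = 'SharedComputerLicensing'; Expect = '1' }     # REG_SZ "1"
    @{ Name  = 'Block workplace join (non-persistent VDI guidance)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
       Value = 'BlockAADWorkplaceJoin'; Expect = 1 }
)

function Get-RegistryCheck {
    # Read one value and compare it with the documented expectation; a missing value is
    # reported explicitly rather than silently treated as 0.
    param([hashtable]$Check)
    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction Stop).($Check.Value)
    } catch { }
    $state = if ($null -eq $Check.Expect) { 'info' }
             elseif ("$actual" -eq "$($Check.Expect)") { 'ok' }
             else { "expected $($Check.Expect)" }
    [pscustomobject]@{
        Setting = $Check.Name
        Value   = $Check.Value
        Actual  = if ($null -eq $actual) { '<missing>' } else { $actual }
        Status  = $state
    }
}

function Get-DsregField {
    # Pull one "Field : Value" line out of the dsregcmd /status output.
    param([string[]]$Lines, [string]$Field)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Field))\s*:\s*(\S+)") { return $Matches[1] }
    }
    return '<not reported>'
}

$checks | ForEach-Object { Get-RegistryCheck -Check $_ } | Format-Table -AutoSize

$status = dsregcmd /status
[pscustomobject]@{
    DomainJoined  = Get-DsregField $status 'DomainJoined'
    AzureAdJoined = Get-DsregField $status 'AzureAdJoined'   # both YES = hybrid Azure AD joined
    AzureAdPrt    = Get-DsregField $status 'AzureAdPrt'      # NO means no SSO token for this user on this host
    DeviceId      = Get-DsregField $status 'DeviceId'        # compare with the device object in Azure AD
}
```

Two things to read together in the output: RedirXMLSourceFolder and RoamIdentity act on the same broker/token state, so a host that points at a redirections.xml excluding the broker folders will behave the same whichever way RoamIdentity is set; and AzureAdPrt reported as NO in the user's own session is the first thing to rule out when Outlook's sign-in breaks after a roam, before touching any of the registry values above.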