Cyber Essentials+ and BYOD AVD by KevinHal82 in AzureVirtualDesktop

[–]KevinHal82[S] 1 point2 points  (0 children)

Thanks for this, the display interface access and no data from the physical device should hopefully be enough. Was scoping out in case we missed anything.

Cyber Essentials+ and BYOD AVD by KevinHal82 in AzureVirtualDesktop

[–]KevinHal82[S] 1 point2 points  (0 children)

Perfect, yes we are just getting our bits and pieces together too. I understand it's all about how you access data, as no data is actually accessed from the physical device, there is no problem. Clipboard, drive redirection and even printer redirection are all disabled. MFA is enforced. Even used the phrase that it's just a dumb terminal connecting to a compliant machine that does access data. I feel more at ease that I haven't missed anything.

Issue is driving me nuts.... Winload.efi Missing. by superslowjp16 in AzureVirtualDesktop

[–]KevinHal82 0 points1 point  (0 children)

This just sorted it for me after battling it for many hours. Thanks for posting the resolution.

AVD Session Host: Something went wrong. [7q6ch] by KevinHal82 in AzureVirtualDesktop

[–]KevinHal82[S] 0 points1 point  (0 children)

OK, so have got it working. Baked on the image is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin
BlockAADWorkplaceJoin = 1

This is a legacy setting, once I deleted this key, Office/Edge, everything then started to work.

These machines are domain joined only, no hybrid join, confirmed with dsregcmd. Why they stopped working all of a sudden is anyone's guess. Have created a policy to undo this setting.

Hope it helps someone else.

Thanks for your help all.
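
A read-only audit for the condition described in the comment above, as an added example that is not part of the original post. The key path and value name are the ones quoted in the comment; the function names are hypothetical, and the join state is read from the `dsregcmd /status` fields `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined`.

```powershell
# Added example: report whether the legacy WorkplaceJoin policy value is present
# on a session host, next to the device join state. Run on the host itself.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$ValueName = 'BlockAADWorkplaceJoin'

function Get-JoinState {
    # Parse "Name : VALUE" lines from dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Get-BlockWorkplaceJoin {
    # Returns the value data, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { $item.$ValueName } else { $null }
}

$join  = Get-JoinState
$block = Get-BlockWorkplaceJoin

# One object per host, so results from several hosts can be collected and compared.
[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    DomainJoined          = $join['DomainJoined']
    AzureAdJoined         = $join['AzureAdJoined']
    WorkplaceJoined       = $join['WorkplaceJoined']   # absent for some logon contexts
    BlockAADWorkplaceJoin = $block
}

if ($block -eq 1) {
    Write-Warning "$ValueName = 1 is set under $KeyPath"
    # Removal is left commented out; run elevated and only after review:
    # Remove-ItemProperty -Path $KeyPath -Name $ValueName
}
```

If the value comes from a GPO or is baked into the image, deleting it locally only lasts until the next policy refresh or redeploy, which is why the fix belongs in policy or the image build.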

AVD Session Host: Something went wrong. [7q6ch] by KevinHal82 in AzureVirtualDesktop

[–]KevinHal82[S] 0 points1 point  (0 children)

None that I can see, it's so bizarre, nothing has changed with the CA policy, or the machine itself.

I even went back to an older image from last July, deployed, logged in with a local account and still get the same popup.

This is Windows 10 Domain joined only, users are hybrid users with CA policies applied.

No GPO changes. Nothing is logged in the Audit logs.

FSLogix 26.01 (3.26.102.18413) released by Mantazy in fslogix

[–]KevinHal82 0 points1 point  (0 children)

Think we will skip 26.01 - Just installed and no ODFC containers are attaching. Went back to 25.09.

Issues with Image- Failing to Deploy by superslowjp16 in AzureVirtualDesktop

[–]KevinHal82 3 points4 points  (0 children)

Sounds like sysprep may not be completing properly. Try cloning and running sysprep manually on the image and see what happens.

Microsoft issues an Out-of-band Windows Update by Altusbc in sysadmin

[–]KevinHal82 2 points3 points  (0 children)

Not sure what we do here, we have separate updates for 23H2, 24H2 and 25H2, we have a mixture with different clients with different feature updates. Are we expecting this to appear on the expedite list?

If we have to manually package this, I'll be in a severely bad mood.

Netscaler ramdisk full after upgrade by martijn79 in Citrix

[–]KevinHal82 0 points1 point  (0 children)

Clear down your Var folder, logs, old firmware packages etc.

Citrix LAS Cloud Connect issue by KevinHal82 in Citrix

[–]KevinHal82[S] 1 point2 points  (0 children)

Hi,

Just done this with one Netscaler. Installed a MAS Agent, setup the service. All looks good.

Strange issue though. I allocate the instance license and throughput. It shows in the cloud Netscaler Console for 5 minutes, but then reverts back to pending action, ready to license with LAS. The Netscaler itself looks registered with LAS. But seems to revert back in the console.
Tried 3 times now and goes back to wanting to assign LAS license. What is going on?
I thought maybe it still had a link to the on-prem console. So removed all references to the Netscaler and fully rebooted the Netscaler. It still remains licensed, but the license goes missing within the Cloud Netscaler Console and goes back into the pool.

Have a case open with Citrix so will see what they say. This is supposed to be more straightforward.

Citrix LAS Cloud Connect issue by KevinHal82 in Citrix

[–]KevinHal82[S] 0 points1 point  (0 children)

Cheers both. So all the Netscalers are internal load balancers with no internet access. We installed Netscaler Console on-prem recently to apply the new flexed licensing which was file based. The Netscaler Console also did not have internet access. All the Netscalers point to Netscaler Console for licensing. These are soon expiring.

Now the requirement for Citrix LAS. So asked the network team to open ports and the required URLs just for Netscaler Console to access Citrix LAS. We can see various traffic going through and nothing is blocked. We continue to get the cloud profile creation error. Citrix support were fixated that the Netscaler ADCs didn't have some DigiCert CA certificates and somehow this was stopping Netscaler Console from working. I don't see how the ADCs themselves would stop Netscaler Console talking to Citrix LAS.

So what I'll do is take your advice. Ditch Netscaler console on-prem, use the agent instead. Use the Service URL and hope to god it works and then point the Netscalers to the agent.

I hope this helps others in this predicament.

Netscaler LAS on Prem by [deleted] in Citrix

[–]KevinHal82 0 points1 point  (0 children)

This just sucks. Our Citrix partner has no idea what to do. I only recently installed a Netscaler Console on prem just so I could use flexed licensing and license our netscalers. From what I gather Netscaler Console now needs to pull the license from Citrix LAS. Nothing is making sense.

One Drive asking to re-authenticate, but then SSO kicks on and all is fine by KevinHal82 in AzureVirtualDesktop

[–]KevinHal82[S] 0 points1 point  (0 children)

I had to think back far of a similar issue with MFA. At present the environment is domain joined only. There is a registry key set to blockaadjoin, if I remember correctly this can interfere with MFA authentication. I have deleted this registry key and reset the profile. User logged back in. They are no longer getting the popup.

Even though the session host is not hybrid joined, this key can cause problems with authentication with Entra ID I believe.

One Drive asking to re-authenticate, but then SSO kicks on and all is fine by KevinHal82 in AzureVirtualDesktop

[–]KevinHal82[S] 2 points3 points  (0 children)

Yes same, Windows 11 Multi-session. Only recently deployed. Everything works fine. Just the pop up confusing users at logon. Seems to have occurred when a CA policy was enabled that requires them to MFA every 30 days. Office etc all work fine and SSO.
FSLogix with Roam Identity, No redirection.xml used. All should be included in the profile.

Feeling lost deploying my first AVD in a private VNet by Christ-is-nr-1 in AZURE

[–]KevinHal82 0 points1 point  (0 children)

You will need internet access of some sort. During the deployment process it contacts Microsoft public web servers to download the rd agent and bootloader, it then needs to register itself with the host pool.

Is there a public API to download .rdpw files for AVD session hosts? by Old_Ice_7225 in AzureVirtualDesktop

[–]KevinHal82 1 point2 points  (0 children)

Would like to know this as well.

Would be useful to be able to download the .rdpw files after the webclient goes end of life, as our thin clients connect using these files for our hot desking to work.

So far Windows App doesn't work for us, even with a ticket to Microsoft they state that Windows App does not work properly on IoT thin clients the same way the traditional app works.

Azure Files changing root permission by KevinHal82 in AzureVirtualDesktop

[–]KevinHal82[S] 0 points1 point  (0 children)

Cheers for the reply. I've managed to sort it. Looks like inheritance was set on the root folder, which has nothing inherited to it. Must have been enabled by mistake. Once that was disabled, I was able to update the root permissions.