VMware Horizon Community
rc_IT832
Contributor

Reg key not applying after being set in UEM

We have 5-8 users who have recently started getting the "There was a problem acquiring a personal certificate required to sign in" message when trying to log into Skype in their VDI session. Microsoft told us that to fix the issue we needed to add the following reg key to enable modern authentication: HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\lync. I have set the condition in UEM so that it only applies to users in a specific security group, which I am a part of. The problem is that when I log into my VDI session, it does not add the \lync folder/subkey in the registry. Not sure why UEM is not injecting these reg keys.

7 Replies
ijdemes
Expert

Non-admin users don't have permissions on HKCU\Software\Policies.

What happens when you replace this with the following?

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync]

"EnableWAM"=dword:00000000


\\ Ivan
---
Twitter: @ivandemes
Blog: https://www.ivandemes.com
DEMdev
VMware Employee

Hi rc_IT832,

I just checked whether the Office 2016/2019/365 ADMX templates define a policy setting for that EnableWAM value, but that does not seem to be the case. Otherwise, you could have set it using DEM's ADMX-based settings feature, but no such luck.

Searching for EnableWAM, I arrived at https://support.microsoft.com/en-hk/help/4508931/sso-no-longer-works-if-adal-and-adfs-are-used-in-sk.... If that page describes the issue that you're trying to solve, maybe you can try the third option:

Add the DisableADALatopWAM key to this subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity


Name: DisableADALatopWAM

Type: DWORD (32 Bit)

Value: 1

That non-policy HKCU location can be written to by non-admin users.

rc_IT832
Contributor

I am able to see the path when I am logged in with a non-admin account on my non-VDI desktop. Yes, I have the DisableADALatopWAM key already set there.

DEMdev
VMware Employee

Hi rc_IT832,

I am able to see the path when I am logged in with a non-admin account on my non-VDI desktop.

By "see", do you mean that as a non-admin you can add a registry value under that HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync key?

rc_IT832
Contributor

I mean I can see this key already in the registry of a non-VDI desktop: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync key

However, I don't have rights to add anything. In my VDI session I see: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\

Just don't see the lync folder/subkey while viewing the registry in the VDI session.

DEMdev
VMware Employee

Hi rc_IT832,

I mean I can see this key already in the registry of a non-VDI desktop: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync key

However, I don't have rights to add anything.

Sure, as a non-admin user you have permission to read that key, but not to modify or add values to it. That's exactly why DEM can't set that value via predefined settings or Registry Settings.

DEM's ADMX-based Settings feature would be able to apply it, but as I mentioned previously it does not seem to be an "official" policy setting in the Office ADMX templates. I can hack up an unsupported ADMX template with just this setting, if you'd like to try that?
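
To confirm which of the two registry locations discussed in this thread the logged-on user can actually write to, a check like the following can be run inside the VDI session as that non-admin user. It is an added example, not part of any post above; the function name Test-HkcuWritable is hypothetical.

```powershell
# Added example (not from the thread). Run as the affected non-admin user.
# Test-HkcuWritable is a hypothetical helper name.
function Test-HkcuWritable {
    param([Parameter(Mandatory)][string]$SubKey)

    # Rights needed to add a value or create a missing subkey such as \Lync.
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    $check  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    $path   = $SubKey.Trim('\')

    # Walk up to the nearest key that exists: a missing subkey can only be
    # created if the user holds CreateSubKey on that existing ancestor.
    while ($path) {
        $key = $null
        try {
            $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($path, $check, $rights)
        } catch {
            # OpenSubKey throws when the key exists but the requested
            # write rights are denied (the read-only Policies case).
            return [pscustomobject]@{ Requested = $SubKey; TestedKey = $path; Writable = $false }
        }
        if ($key) {
            $key.Close()
            return [pscustomobject]@{ Requested = $SubKey; TestedKey = $path; Writable = $true }
        }
        # Key not found: step up one level and try again.
        $i    = $path.LastIndexOf('\')
        $path = if ($i -lt 0) { '' } else { $path.Substring(0, $i) }
    }
    # No existing ancestor was found below HKCU.
    [pscustomobject]@{ Requested = $SubKey; TestedKey = ''; Writable = $false }
}

# The policy location from the original question and the non-policy
# location suggested in the replies.
'Software\Policies\Microsoft\Office\16.0\Lync',
'Software\Microsoft\Office\16.0\Common\Identity' |
    ForEach-Object { Test-HkcuWritable $_ } |
    Format-Table -AutoSize
```

The TestedKey column shows the nearest existing key that was opened, so a missing \Lync subkey is reported against its parent.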

rc_IT832
Contributor

We were able to fix the issue, turns out MS support gave me the wrong reg key.

https://support.microsoft.com/en-us/help/4508931/sso-no-longer-works-if-adal-and-adfs-are-used-in-sk...