harlee
Contributor

DEM Teams - MFA - login every time


We have been using the per-machine installer version of Teams and DEM to capture the settings. However, we have never successfully been able to capture the user logins, so the user has to log in each time they open a new non-persistent session.

For Teams we use Duo MFA push to log in.

If we capture the whole profile the settings persist so somewhere we are missing a setting to capture in DEM.

Any suggestions would be welcome here as I am at my wits end with this program.

Current DEM settings are as follows (we do not use DirectFlex):

[IncludeFolderTrees]
<LocalAppData>\Microsoft\IdentityCache
<LocalAppData>\Microsoft\Teams
<LocalAppData>\Microsoft\TeamsMeetingAddin
<LocalAppData>\Microsoft\TeamsPresenceAddin
<LocalAppData>\SquirrelTemp
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
<AppData>\Microsoft\Teams
<AppData>\Microsoft Teams
<AppData>\Teams

[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\Teams

[ExcludeFolderTrees]
<AppData>\Teams\logs
<AppData>\Microsoft Teams\logs
<AppData>\Microsoft\Teams\media-stack
<AppData>\Microsoft\Teams\Service Worker
<AppData>\Microsoft\Teams\Application Cache
<AppData>\Microsoft\Teams\Cache
<AppData>\Microsoft\Teams\tmp
<AppData>\Microsoft\Teams\meeting-addin\Cache
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp

[ExcludeFiles]
<AppData>\Microsoft\Teams\*.txt
<AppData>\Microsoft\Teams\lockfile
<LocalAppData>\SquirrelTemp\SquirrelSetup.log

0 Kudos
66 Replies
Lieven
Hot Shot

@RachelW 

 

 

0 Kudos
RachelW
Enthusiast

Hi @Lieven

I must have done something wrong or did not install all the parts.  I do not see this at all on my Horizon desktop:

local_ Folder

When a user signs in and a FSLogix Profile container is connected and used by that user, you will see two additional folders in the C:\Users directory:

  • A \<username> folder (or some variation)
  • A local_<username> folder

Additionally, I do not see an FSLogix folder in my AppData\Local folder on my desktop (Location: The redirections.xml file resides in the profile container in the <ProfileRoot>\AppData\Local\FSLogix folder).

I also checked my shares and only have the LARGE ODFC file under my Office share.  There is nothing under my Profile share on my server.

What did I miss?

0 Kudos
Lieven
Hot Shot

@RachelW 

Start off by checking:

  • All the settings in your FSLogix GPO
  • The FSLogix shares you created, and specifically the access rights to them

 

0 Kudos
RachelW
Enthusiast

Hi @Lieven,

So I did not have the registry entries for the Profile container just the office container so now I have the local_username folder and also see the FSLogix folder in my AppData\Local folder.

Now back to the redirections.xml file...

1) Location The redirections.xml file resides in the profile container in the <ProfileRoot>\AppData\Local\FSLogix folder. So this would appear on my horizon desktop, correct?

2) Distribution The admin can use the built-in distribution capabilities of the FSLogix agent, or any other mechanism, to place the file into the profile container. To use the built-in copy mechanism, use the RedirXMLSourceFolder setting. I am guessing this is another registry entry...? If so, is it under FSLogix\profile section?

Reading about the RedirXMLSourceFolder registry entry, it looks like that points to a server\share and gets copied from there to the local profile.  So is that server\share the same one I set up for the FSLogix Office and Profile containers?  Would it be placed in the Profile container/share?

0 Kudos
RachelW
Enthusiast

Hi @Lieven,

So I was able to discover the redirections.xml file lives in the fslogix profile share and have added that there.  Additionally, I added the RedirXMLSourceFolder entry to the registry.  I included the lines you had listed in this post in my redirections.xml file (displayed below) and apparently something in there is preventing Teams from auto launching.

<?xml version="1.0" encoding="UTF-8"?>

<FrxProfileFolderRedirection ExcludeCommonFolders="###VALUE###">

<Excludes>
<Exclude Copy="0">$Recycle.Bin</Exclude>
<Exclude Copy="0">AppData\Local\Google</Exclude>
<Exclude Copy="0">AppData\Local\SquirrelTemp</Exclude>
<Exclude Copy="0">AppData\Local\OneDrive\cache</Exclude>
<Exclude Copy="0">AppData\Local\Microsoft\OneNote\16.0\cache</Exclude>
<Exclude Copy="0">AppData\Local\Microsoft\Office\SolutionPackages</Exclude>
<Exclude Copy="0">AppData\Local\Microsoft\Office\16.0\Lync\Tracing</Exclude>
<Exclude Copy="0">AppData\Local\Microsoft\Teams\Current\Locales</Exclude>
<Exclude Copy="0">AppData\Local\Microsoft\Teams\Packages\SquirrelTemp</Exclude>
<Exclude Copy="0">AppData\Local\Microsoft\Teams\current\resources\locales</Exclude>
<Exclude Copy="0">AppData\Local\Apps\2.0</Exclude>
</Excludes>

</FrxProfileFolderRedirection>

If I want to prevent a line from "running" in the redirections.xml file, how do I do that?

Thank you!

 

0 Kudos
RachelW
Enthusiast

Hi @Lieven,

Latest update: I logged into a Horizon desktop today without Office or Profile container files (office.vhd or profile.vhd) and with the redirections.xml file (below) in the profile container share.  Here is what happened:

1) 1st login creates a profile.vhd and office.vhd file

2) Teams started but needed to login (which is normal). Username was already there just needed to click Sign in and then type in my password

3) No errors

4) Logged out of the desktop

5) Logged in to a desktop again. Received an error message on the screen: "We can't sign into your account" with the options to Sign Out (which logs me off the desktop) or Cancel (see attached file)

6) Teams did NOT auto launch this time

What is in my redirections.xml file that is causing this error and preventing Teams from auto launching?  I am not familiar with this file and need some help interpreting what is happening with this file. If I remove the redirections.xml file from my share on the server and delete my profile and office container files, Teams launches fine; however, those two files are VERY LARGE.

Here is what I have in my redirections.xml file:

<?xml version="1.0" encoding="UTF-8"?>

<FrxProfileFolderRedirection ExcludeCommonFolders="###VALUE###">

<Excludes>
<Exclude Copy="0">$Recycle.Bin</Exclude>
<Exclude Copy="0">AppData\Local\Google</Exclude>
<!--<Exclude Copy="0">AppData\Local\SquirrelTemp</Exclude>-->
<!--<Exclude Copy="0">AppData\Local\OneDrive\cache</Exclude>-->
<Exclude Copy="0">AppData\Local\Microsoft\OneNote\16.0\cache</Exclude>
<Exclude Copy="0">AppData\Microsoft\Teams\Cache</Exclude>
<Exclude Copy="0">AppData\Microsoft\Teams\Service Worker\CacheStorage</Exclude>
<Exclude Copy="0">AppData\Roaming\Microsoft\Teams\Cache</Exclude>
<Exclude Copy="0">AppData\Roaming\Microsoft\Teams\media-stack</Exclude>
<Exclude Copy="0">AppData\Roaming\Microsoft\Teams\meeting-addin\Cache</Exclude>
<Exclude Copy="0">AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState</Exclude>
<Exclude Copy="0">AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp</Exclude>
<!--<Exclude Copy="0">AppData\Local\Microsoft\Office\SolutionPackages</Exclude>-->
<Exclude Copy="0">AppData\Local\Microsoft\Office\16.0\Lync\Tracing</Exclude>
<!--<Exclude Copy="0">AppData\Local\Microsoft\Teams\Current\Locales</Exclude>-->
<!--<Exclude Copy="0">AppData\Local\Microsoft\Teams\Packages\SquirrelTemp</Exclude>-->
<!--<Exclude Copy="0">AppData\Local\Microsoft\Teams\current\resources\locales</Exclude>-->
<!--<Exclude Copy="0">AppData\Local\Apps\2.0</Exclude>-->
</Excludes>

</FrxProfileFolderRedirection>

0 Kudos
Automatt1c
Enthusiast

Here is my Teams config. Everything works properly, including autologin, and the profile is quite small, around 13 MB (though that is one of my largest DEM profiles, along with Chrome). I do not use FSLogix.

I think I have Teams set up to open for everyone at startup; there is a registry key you can set or change.

I do have the majority of the cache files set to clear out to save space and login time, but Teams does take a bit longer to fully bring up the conversations than if you were saving more cache files.

For MFA and auto-login, these were absolutely needed:

<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
<LocalAppData>\Microsoft\IdentityCache

------------------------------------------

[IncludeFolderTrees]
<AppData>\Microsoft\Teams
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
<LocalAppData>\Microsoft\IdentityCache

[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\Teams\

[ExcludeFolderTrees]
<AppData>\Microsoft\Teams\Application Cache\Cache
<AppData>\Microsoft\Teams\Cache
<AppData>\Microsoft\Teams\tmp
<AppData>\Microsoft\Teams\GPUCache\
<AppData>\Teams\logs
<AppData>\Microsoft\Teams\meeting-addin
<AppData>\Microsoft\Teams\media-stack
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp
<AppData>\Microsoft\Teams\Service Worker\CacheStorage


[Metadata]
DirectFlexPath=*%ProgramFiles%\Microsoft\Teams\current\Teams.exe

[DeleteFiles]
<LocalAppData>\Microsoft\TeamsMeetingAddin
<LocalAppData>\Microsoft\Teams
<AppData>\Microsoft\Teams\Service Worker\CacheStorage

[Immidio Flex]
This file was created using VMware DEM Management Console version 9.11.0.932.
Use only with VMware DEM.

0 Kudos
RachelW
Enthusiast

Hello @Automatt1c,

I have Teams autostarting for everyone but NOT auto logging in?  Does Teams Auto-login for your users?  If so, what did you set to get it that way?

Also, I do not have any of the AppData directories on the desktop that you listed below.  Mine are all in with AppData\Local or AppData\Roaming.

Thank you. 

0 Kudos
Automatt1c
Enthusiast

Yes, autologin for all users, at least after they logged in the first time.

I think those other directories are hidden system folders and not shown with the typical show hidden folders option. They are absolutely needed. 
Just try my whole config and see how it works for you. 

 

Make sure you set up Teams to autolaunch when you install it in the image/appstack. Mine is in an appstack.

It's everything below -------------------------

0 Kudos
Automatt1c
Enthusiast

So I forgot that you are using Duo MFA. We are using that to log in to Horizon, but we excluded that for Office 365 on VDI machines. We had a horrible time with Duo MFA and Office 365. It was prompting for every O365 app and was just a mess.

There is not much reason to have MFA on VDI and O365 on top of that.

 

 

0 Kudos
DEMdev
VMware Employee

Hi @RachelW,

I can't provide any help on what settings to manage exactly, but it sounds like @Automatt1c got that covered.

I did want to respond to the following, though:

> I do not have any of the AppData directories on the desktop that you listed below. Mine are all in with AppData\Local or AppData\Roaming.

DEM config files use folder tokens to reference user profile folders. The <AppData> and <LocalAppData> folder tokens correspond with the Windows env vars %APPDATA% and %LOCALAPPDATA%, so C:\Users\username\AppData\Roaming and C:\Users\username\AppData\Local, respectively.

0 Kudos
RachelW
Enthusiast

Hi @Automatt1c ,

I just checked with our security person and we are NOT using MFA with our VDI environment.

0 Kudos
RachelW
Enthusiast

Hi @DEMdev ,

I guess what I meant was under AppData I only have Local, Roaming and LocalLow.  Some of the directories listed in @Automatt1c 's UEM config for Teams lists directories at the root of appdata, not inside any of the 3 directories listed above. 

Maybe I am misunderstanding what is being written in the posts. 🙂

0 Kudos
DEMdev
VMware Employee

Hi @RachelW,

> Some of the directories listed in @Automatt1c 's UEM config for Teams lists directories at the root of appdata,
> not inside any of the 3 directories listed above.

That's because the entries in the DEM config file don't directly refer to folders, but use DEM's folder tokens.

So, <AppData>\Teams\logs references the Teams\logs folder under C:\Users\username\AppData\Roaming and <LocalAppData>\Microsoft\TeamsMeetingAddin references Microsoft\TeamsMeetingAddin under C:\Users\username\AppData\Local.

0 Kudos
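Added example, not part of the original thread and not VMware's code: a small checker that expands the two DEM folder tokens the way DEMdev describes and reports whether the folder trees Automatt1c calls "absolutely needed" for MFA and auto-login are captured by a config. The profile root `C:\Users\username`, the sample config, and the prefix-matching rule for how include and exclude trees combine are assumptions made for illustration.

```python
import ntpath

# DEM folder tokens per DEMdev's reply, relative to the user profile root.
TOKENS = {"<appdata>": r"AppData\Roaming", "<localappdata>": r"AppData\Local"}
# Folder trees Automatt1c's reply calls "absolutely needed" for MFA and auto-login.
REQUIRED = [r"<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy",
            r"<LocalAppData>\Microsoft\IdentityCache"]
# Constructed sample config: IdentityCache was left out of the include list.
SAMPLE = r"""
[IncludeFolderTrees]
<AppData>\Microsoft\Teams
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
[ExcludeFolderTrees]
<AppData>\Microsoft\Teams\Cache
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState
"""

def expand(entry, profile=r"C:\Users\username"):
    """Resolve a leading folder token to a normalised, lower-cased Windows path."""
    for token, sub in TOKENS.items():
        if entry.lower().startswith(token):
            entry = ntpath.join(profile, sub) + entry[len(token):]
            break
    return ntpath.normpath(entry).lower()

def parse_sections(text):
    """Split a DEM config into {section name: [entries]}, skipping blank lines."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif line and current is not None:
            current.append(line)
    return sections

def covers(tree, path):
    return path == tree or path.startswith(tree + "\\")

def check_required(config_text):
    """Map each required folder to 'captured', 'excluded' or 'missing'."""
    sections = parse_sections(config_text)
    included = [expand(e) for e in sections.get("IncludeFolderTrees", [])]
    excluded = [expand(e) for e in sections.get("ExcludeFolderTrees", [])]
    status = {}
    for req in REQUIRED:
        path = expand(req)
        hit = lambda trees: any(covers(t, path) for t in trees)
        status[req] = "excluded" if hit(excluded) else "captured" if hit(included) else "missing"
    return status
```

Excluding a subfolder such as `TempState` does not count against its parent; only an exclude at or above a required folder reports `excluded`.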
RachelW
Enthusiast

@Automatt1c ,

I am finally getting around to trying your whole configuration.  I added everything including the lines below; the lines below showed as RED.

 

[Metadata]
DirectFlexPath=*%ProgramFiles%\Microsoft\Teams\current\Teams.exe

[DeleteFiles]
<LocalAppData>\Microsoft\TeamsMeetingAddin
<LocalAppData>\Microsoft\Teams
<AppData>\Microsoft\Teams\Service Worker\CacheStorage

[Immidio Flex]
This file was created using VMware DEM Management Console version 9.11.0.932.
Use only with VMware DEM.

Why would these lines show up in RED?  I am guessing because those "commands" are not available in my DEM...??

UPDATE: So I saved the UEM configuration with the entries you had except for the ones above (since they showed up in RED) and I am still being prompted to log in to Teams each time I log in to a Horizon desktop.  Something with my setup is clearly not the same as your setup.

0 Kudos
GTO455
Enthusiast

We use FSLogix as well, and also had a profile set up in DEM for Teams too. I found the Archive files in DEM for Teams getting pretty large after a week even with FSLogix, so make sure you check your disk usage.

I decided to remove it in DEM and now just have everything saved in their FSLogix profile without any adverse effects.

You may also want to consider adding these registry keys to your master image to prevent users having to log into Teams with every VDI session. I got them from someone in this community, but I don't remember who.

Microsoft confirmed the first registry key, but wouldn't commit to the second one. Both seem to work and not cause any harm, so I left them both in my master image.

Add the following keys to block the reoccurring MDM enrollment.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\autoWorkplaceJoin=dword:00000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\BlockAADWorkplaceJoin=dword:00000001

0 Kudos
RachelW
Enthusiast

@GTO455 ,

This is great!  Thank you for the registry entries - I had heard about them but did not know what they were specifically.  I will give them a try.

I had set up FSLogix and honestly that worked GREAT, with Teams not prompting for a login EVERY TIME a user grabs a new Horizon desktop.  My problem is we have about 600+ users in Horizon and the FSLogix profile for one user was at least 3 GB, which is not really an option for us.  Is there any way to shrink that file so not as much "stuff" (for lack of a better word) is being saved to it?  Kind of like what can be done with application configuration in UEM?

UPDATE: I just checked my registry and discovered the registry keys ARE indeed in there so that is clearly not working for me. 😞

0 Kudos
GTO455
Enthusiast

Hi @RachelW,

I really don't know. I have the same problem, which is why I added the Teams profile in DEM, hoping it would shrink the size of the Teams FSLogix profile, but it didn't.

What I ended up with was a huge Teams zip file in DEM and a large FSLogix profile. Since the Teams file in DEM was not providing any value, I just removed it.

I have heard of people running scripts on their FSLogix volumes to clean/defrag them, but I haven't gotten around to doing any research into it. If you find a way let me know!

0 Kudos
RachelW
Enthusiast

Hi @GTO455 ,

What does your UEM profile look like for Teams?

0 Kudos
GTO455
Enthusiast

Hi @RachelW ,

That's just it, I don't have a MS Teams profile in DEM anymore, I retired it.

I tried it out by downloading it from the VMware Marketplace, and had it running for a few weeks where it grew to a ridiculous size, so I retired it. FSLogix in combination with the registry settings I posted earlier seem to be working fine for us (for now).

0 Kudos