harlee
Contributor

DEM Teams - MFA - login every time


We have been using the per-machine installer version of Teams and DEM to capture the settings. However, we have never successfully been able to capture the user logins, so the user has to log in each time they open a new non-persistent session.

For Teams we use Duo MFA push to log in.

If we capture the whole profile the settings persist, so somewhere we are missing a setting to capture in DEM.

Any suggestions would be welcome here as I am at my wits' end with this program.

Current DEM settings are as follows (we do not use DirectFlex):

[IncludeFolderTrees]
<LocalAppData>\Microsoft\IdentityCache
<LocalAppData>\Microsoft\Teams
<LocalAppData>\Microsoft\TeamsMeetingAddin
<LocalAppData>\Microsoft\TeamsPresenceAddin
<LocalAppData>\SquirrelTemp
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
<AppData>\Microsoft\Teams
<AppData>\Microsoft Teams
<AppData>\Teams

[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\Teams

[ExcludeFolderTrees]
<AppData>\Teams\logs
<AppData>\Microsoft Teams\logs
<AppData>\Microsoft\Teams\media-stack
<AppData>\Microsoft\Teams\Service Worker
<AppData>\Microsoft\Teams\Application Cache
<AppData>\Microsoft\Teams\Cache
<AppData>\Microsoft\Teams\tmp
<AppData>\Microsoft\Teams\meeting-addin\Cache
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp

[ExcludeFiles]
<AppData>\Microsoft\Teams\*.txt
<AppData>\Microsoft\Teams\lockfile
<LocalAppData>\SquirrelTemp\SquirrelSetup.log

0 Kudos
66 Replies
RachelW
Enthusiast

Hi @GTO455,

Well, that is what I found as well; Teams profile in DEM doesn't work that great. However, I do not have a large profile; it just consistently asks me to enter my password when I grab a new desktop. FSLogix worked beautifully; however, my FSLogix files are 30+ GB for each person. How large are yours? Is there a way to shrink that and minimize the amount of "stuff" being saved?

0 Kudos
Automatt1c
Enthusiast

Sorry, I should have included more detail; I hadn't had much time to follow up.

The configuration I posted was the contents of the actual Teams.ini file in the DEM configuration share.

That is different from what you put in the import/export script. The ini file includes details from all the configuration tabs in the manager.

Do you have DirectFlex enabled, or are you processing the requests on logon?

We would probably need more info on your DEM manager settings and the GPOs you are using. It's also possible you have conflicting applications.
Are you using shared computer activation for O365?

My profiles for about 2k users typically sit around 10 MB-30 MB as the largest for the Teams profile, which is still kinda larger than I would like, but I assume it could get a little glitchy cleaning up any more of the profile.

0 Kudos
GTO455
Enthusiast

Hi @RachelW,

We use O365 Containers in our FSLogix profile, and our mail files can get pretty large, so sizes can range anywhere from 30 MB to 15 GB per user.

I am by no means a Teams "expert" so I'm not sure how one would shrink stuff.

You could see what is taking up space by creating a couple of FSLogix profiles and then mounting the file in Windows. It's a VHD file that can be mounted in disk manager on a Windows system.

0 Kudos
RachelW
Enthusiast

Hi @GTO455,

So do you have a Profile and Office VHD file for each user? I found that in order to NOT be prompted for my Teams password I had to have both.

0 Kudos
GTO455
Enthusiast

Nope, just one VHD for O365 Containers. The rest of the user's profile is saved in DEM.

0 Kudos
RachelW
Enthusiast

I do not currently have DirectFlex enabled for Teams. Should I?

I set up my Teams.ini file like you outlined above and so far Teams is logging in automatically. Hopefully it will stay that way.

0 Kudos
Automatt1c
Enthusiast

I wouldn't personally; it depends on the application. If it integrates with the OS or starts at login then you usually don't.
That's good to hear that it's working!

I only use DEM for everything. We use OST files on a high-speed file share. It's not recommended, but we have users with 50 GB plus OST files and it is nearly impossible to manage otherwise. That's only caching 1 month of email!

0 Kudos
RachelW
Enthusiast

Hello @Automatt1c ,

So Teams WAS auto-logging in when I logged into a new virtual/Horizon desktop.  About 2 weeks it started prompting me again to enter my password and nothing changed (that I know of). UGH....

0 Kudos
Automatt1c
Enthusiast

You are not the only one. I started having a bunch of issues around March as well. I had to add these registry keys to disable WAM and have it fall back to ADAL. Since our external domain is different from internal, we cannot do SSO.

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]

"DisableADALatopWAMOverride"=dword:00000001
"DisableADALatopWAM"=dword:00000001
"DisableAADWAM"=dword:00000001

 

The only benefit I see to using WAM is if you have all the SSO options properly configured and enabled; otherwise you will just run into more issues.

 

 

0 Kudos
Hoodsie2018
Enthusiast

Did you ever get this to work? I'm blown away how hard it is to get a VDI solution for Teams where user settings are retained, it auto-logs in, and doesn't cache much else to keep them small in size. This thread looks like it required a tech cert to understand. DEM, UEM, Flex, DirectFlex, XML, GPOs, etc.

Technology was supposed to make life easier. Back in the day you just needed a registry key to tell something to auto-logon and what folders & files to save or cache.

0 Kudos
TomH201110141
Enthusiast

I haven't read the whole thread but there are some things to consider when running Teams in a non-persistent environment.

1. Pre-Installation step for Teams. Set a special reg key so that Teams knows it is being installed in VDI:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Teams]
"IsWVDEnvironment"=dword:00000001

 

2. Install Teams (folders are just an example but the options are important): 

msiexec /i C:\Users\Administrator\Desktop\Teams_windows_x64.msi /l*v C:\Users\Administrator\Desktop\Teamslog.txt OPTIONS="noAutoStart=true" ALLUSER=1 ALLUSERS=1 

 

3. Delete Cache Folder %appdata%\Microsoft\Teams after Installation with PowerShell:

# All user profiles on the machine; -WhatIf only lists what would be removed.
Get-ChildItem "C:\Users\*\AppData\Roaming\Microsoft\Teams\*" -Directory | Where-Object Name -in ('application cache','blob_storage','databases','GPUcache','IndexedDB','Local Storage','tmp') | ForEach-Object { Remove-Item $_.FullName -Recurse -Force -WhatIf }

# Current user only; this one actually deletes. The filter compares the folder name ($_.Name), not the folder object.
Get-ChildItem -Path "C:\Users\$env:UserName\AppData\Roaming\Microsoft\Teams" -Directory | Where-Object { $_.Name -in ('application cache','blob_storage','databases','GPUcache','IndexedDB','Local Storage','tmp','Cache') } | ForEach-Object { Remove-Item $_.FullName -Recurse -Force }

 

And last but not least my DEM-Config. With this Config I get a small Teams Archive without the need to re-login every time.

 

[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\Teams

[IncludeFolderTrees]
<LocalAppData>\Microsoft\IdentityCache
<LocalAppData>\Microsoft\Teams
<LocalAppData>\Microsoft\TeamsMeetingAddin
<LocalAppData>\Microsoft\TeamsPresenceAddin
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
<LocalAppData>\SquirrelTemp
<AppData>\Microsoft\Teams


[ExcludeFolderTrees]
<AppData>\Teams\logs
<AppData>\Microsoft Teams\logs
<AppData>\Microsoft\Teams\media-stack
<AppData>\Microsoft\Teams\Service Worker
<AppData>\Microsoft\Teams\Application Cache
<AppData>\Microsoft\Teams\Cache
<AppData>\Microsoft\Teams\tmp
<AppData>\Microsoft\Teams\meeting-addin\Cache
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp

[ExcludeFiles]
<AppData>\Microsoft\Teams\lockfile
<AppData>\Microsoft\Teams\storage.json
<AppData>\Microsoft\Teams\*.txt

 

I hope that helps!?
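
To see what the include/exclude lists in the post above would put into a user's Teams archive, the following sizes each included tree after the exclusions are applied. It is an added example, not part of the original post or of DEM: `Get-FlexCapturePreview` is a hypothetical helper whose matching rules only approximate DEM's, and the embedded config is an excerpt of the one posted.

```powershell
# Added example: approximates DEM's include/exclude handling, it is not DEM's own logic.
function Get-FlexCapturePreview {
    param([Parameter(Mandatory)][string[]]$ConfigLines)

    # Collect the path lines under each "[Section]" header.
    $sections = @{ IncludeFolderTrees = @(); ExcludeFolderTrees = @(); ExcludeFiles = @() }
    $current = $null
    foreach ($line in $ConfigLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @() }
        } elseif ($text -and $current) { $sections[$current] += $text }
    }
    # Replace the two DEM folder tokens used in the thread with this user's paths.
    function Expand-FlexPath([string]$p) {
        $p.Replace('<LocalAppData>', $env:LOCALAPPDATA).Replace('<AppData>', $env:APPDATA)
    }
    $excludeTrees = @($sections.ExcludeFolderTrees | ForEach-Object { (Expand-FlexPath $_).TrimEnd('\') + '\' })
    $excludeFiles = @($sections.ExcludeFiles | ForEach-Object { Expand-FlexPath $_ })

    foreach ($tree in $sections.IncludeFolderTrees) {
        $root = Expand-FlexPath $tree
        if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }
        $files = 0; $bytes = 0
        foreach ($f in (Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue)) {
            $path = $f.FullName
            $inTree = @($excludeTrees | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
            $isFile = @($excludeFiles | Where-Object { $path -like $_ }).Count -gt 0
            if (-not $inTree -and -not $isFile) { $files++; $bytes += $f.Length }
        }
        [pscustomobject]@{
            Tree         = $tree
            Files        = $files
            SizeMB       = [math]::Round($bytes / 1MB, 1)
            # Assumption: trees with these names are the identity/broker caches.
            IdentityTree = [bool]($tree -match 'IdentityCache|AAD\.BrokerPlugin')
        }
    }
}

# Excerpt of the config posted above (not the complete file).
$flexConfig = @'
[IncludeFolderTrees]
<LocalAppData>\Microsoft\IdentityCache
<LocalAppData>\Microsoft\Teams
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
<AppData>\Microsoft\Teams
[ExcludeFolderTrees]
<AppData>\Microsoft\Teams\media-stack
<AppData>\Microsoft\Teams\Service Worker
<AppData>\Microsoft\Teams\Application Cache
<AppData>\Microsoft\Teams\Cache
<AppData>\Microsoft\Teams\tmp
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp
[ExcludeFiles]
<AppData>\Microsoft\Teams\lockfile
<AppData>\Microsoft\Teams\storage.json
<AppData>\Microsoft\Teams\*.txt
'@

Get-FlexCapturePreview -ConfigLines ($flexConfig -split '\r?\n') | Format-Table -AutoSize
```

The `IdentityTree` rows are the folders the thread captures so that sign-in survives a new desktop; what they contribute to the archive is sign-in state, so the DEM archive share should be readable only by the owning user.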

GTO455
Enthusiast

Ahhhh Teams... Good times... The language it is written in is Electron, and it is garbage. Supposedly it is being rewritten. We will see. 

Yes, we got it to work, but with every new version released, it's always fun to see what works, and what used to work is now broken.

We use FSLogix instead of writables so there is no need to create a profile for it in UEM (and if you do, it will create huge profiles that aren't necessary).

Here are the notes I have for my installation on my master image. We have a different tenancy than most, so take the following with a grain of salt.

Download the latest .msi installer from Microsoft. https://docs.microsoft.com/en-us/microsoftteams/msi-deployment

Install it using the following switches: msiexec /i <path-to-teams-msi> OPTIONS="noAutoStart=True" ALLUSER=1 ALLUSERS=1

This is for a non-persistent (instant clone) setup; the Teams desktop app must be installed "per-machine" on the golden image.


Note 1:

When installing on Windows 10 using ALLUSER=1 property, MSI will return error:
Installation has failed. “Cannot install for all users when a VDI environment is not detected.”

To resolve this, the Teams installer needs the "HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA" registry key to be created on a target and then the install will complete successfully. Remove it after installation or Teams will not be optimized for VMware Horizon.


Note 2:

Add the following keys to block the reoccurring MDM enrollment.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\autoWorkplaceJoin=dword:00000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\BlockAADWorkplaceJoin=dword:00000001


Note 3:

When troubleshooting Teams, close Teams and delete everything under "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Teams" and have the user restart Teams

 

Note 4:

If Teams fails to start, verify this key is not in the master image. If it is, remove it. This was a suggested setting from Microsoft, but it does not work and causes connection failures.

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Teams]

"CloudType"=dword:3


Note 5:

Disable HWA in Teams

User settings for Teams are saved in a JSON file desktop-config.json:
%APPDATA%\Microsoft\Teams\desktop-config.json

Search for DisableGPU in the file, and change the setting from "disableGpu":false to "disableGpu":true.

0 Kudos
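
The Note 5 edit can be scripted per user, for example from a logon script, instead of being made by hand. This is an added example, not from the original posts: `Set-TeamsDisableGpu` is a hypothetical helper, and it searches the JSON for the `disableGpu` property rather than assuming where in the file it sits.

```powershell
# Added example (not from the thread). Assumes the setting is a JSON property named
# "disableGpu", as the post says. Run it while Teams is closed for the user.
function Set-TeamsDisableGpu {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = (Join-Path $env:APPDATA 'Microsoft\Teams\desktop-config.json'),
        [bool]$Value = $true
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Verbose "No config at $Path; Teams has not started for this user yet."
        return $false
    }
    try {
        $raw    = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
        $config = ConvertFrom-Json -InputObject $raw -ErrorAction Stop
    } catch {
        Write-Warning "Leaving $Path untouched: $($_.Exception.Message)"
        return $false
    }

    # Depth-first walk over objects and arrays; change only properties that differ.
    $changed = $false
    $stack = New-Object System.Collections.Stack
    $stack.Push($config)
    while ($stack.Count -gt 0) {
        $node = $stack.Pop()
        if ($node -is [System.Management.Automation.PSCustomObject]) {
            foreach ($prop in $node.PSObject.Properties) {
                if ($prop.Name -eq 'disableGpu') {
                    if ($prop.Value -ne $Value) { $prop.Value = $Value; $changed = $true }
                } elseif ($null -ne $prop.Value) {
                    $stack.Push($prop.Value)
                }
            }
        } elseif ($node -is [System.Array]) {
            foreach ($item in $node) { if ($null -ne $item) { $stack.Push($item) } }
        }
    }
    if (-not $changed) { return $false }

    if ($PSCmdlet.ShouldProcess($Path, "set disableGpu to $Value")) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        $json = ConvertTo-Json -InputObject $config -Depth 20 -Compress
        # Write UTF-8 without a BOM so the file stays plain JSON for the application.
        [System.IO.File]::WriteAllText($Path, $json, (New-Object System.Text.UTF8Encoding $false))
        return $true
    }
    return $false
}

# Dry run first; drop -WhatIf to apply.
Set-TeamsDisableGpu -WhatIf
```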
Hoodsie2018
Enthusiast

 

Thanks for the reply. Some follow-up:

  • We aren't using Citrix. I assume then PortICA isn't required?
  • What are those MDM keys for? Is there an article? We don't use any extra MDM at this time other than what's built into M365/O365.
  • Never heard of CloudType being used. I guess I'll check for that. Any article about it? 
  • The GPU stuff, does that impact performance of screen, video and audio calls?

Sounds like DEM just shouldn't be used? The comment above seems to have a solution. If I can just use DEM and avoid yet another tool to manage like FSLogix that'd be preferred, but don't want huge directories for Teams. 

 

 




 

0 Kudos
Hoodsie2018
Enthusiast

Thanks as well. 

  • Been trying to find reference to IsWVDEnvironment for non-Azure environments like Horizon or Citrix and can't. Isn't that for Microsoft's Virtual Desktop setups or everyone? Would love to read up on it.
  • The noAutoStart=true switch, does that get blown away after clearing out users' Teams settings? We don't want Teams running the first time a user logs in unless they start Teams intentionally.
  • I'll give your DEM settings a try (conditions = my account only first), but I'm surprised at this one being excluded: <AppData>\Microsoft\Teams\Cache. I've seen other posts say there are critical files in there for the auto-login feature. Any thoughts on it? That folder also is the largest of all of them so I'd love it if we don't need it.



 

0 Kudos
TomH201110141
Enthusiast

Yes, we are just using DEM and it works very well.

You can optimize Teams to bypass the load from the VDI machine to the client machine. Since Horizon 8.3 (2106) it also works with Linux and Mac. Look here: https://techzone.vmware.com/resource/microsoft-teams-optimization-vmware-horizon

But look at the limitations for optimizations: https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi#known-issues-and-limitations


Note 5:

Disable HWA in Teams

User settings for Teams are saved in a JSON file desktop-config.json:
%APPDATA%\Microsoft\Teams\desktop-config.json

Search for DisableGPU in the file, and change the setting from "disableGpu":false to "disableGpu":true.



You do not necessarily have to deactivate it if you are using a GPU. You should test this.


Note 2:

Add the following keys to block the reoccurring MDM enrollment.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\autoWorkplaceJoin=dword:00000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\BlockAADWorkplaceJoin=dword:00000001

It can fix login issues. I always add these keys, but not only for MS Teams, for the complete Office 365 stuff.

0 Kudos
Hoodsie2018
Enthusiast

Thank you. I wonder if disabling GPU HWA can be done via GPO or DEM instead of editing inside everyone's JSON file.

 

 

 




 

0 Kudos
TomH201110141
Enthusiast

  • The noAutoStart=true switch, does that get blown away after clearing out users' Teams settings? We don't want Teams running the first time a user logs in unless they start Teams intentionally.

To disable the autostart I delete on the master the following key:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"Teams"=-

AND I use an ADMX-based setting in DEM (User Environment):

[Screenshot: TomH201110141_1-1637080463583.png]

 


I'll give your DEM settings a try (conditions = my account only first), but I'm surprised at this one being excluded: <AppData>\Microsoft\Teams\Cache. I've seen other posts say there are critical files in there for the auto-login feature. Any thoughts on it? That folder also is the largest of all of them so I'd love it if we don't need it.

I don't need that folder. It works for us and we don't have login issues.

0 Kudos
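
A read-only check of the registry states the posts above call for on the master image. This is an added example, not from the thread: `Test-TeamsImageRegistry` and the `$TeamsImageChecks` table are hypothetical names, the expected states are the ones the posters describe for their own Horizon images, and the HKCU entry is read from the hive of whoever runs the script.

```powershell
# Added example; every key, value and expected state below is taken from this thread.
$TeamsImageChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Teams'; Name = 'IsWVDEnvironment'; Expect = 1
       Why = 'pre-installation step so Teams installs for VDI' }
    @{ Key = 'HKLM:\SOFTWARE\Citrix\PortICA'; Name = $null; Expect = 'absent'
       Why = 'install workaround; left in place it stops Horizon optimization' }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'; Name = 'autoWorkplaceJoin'; Expect = 0
       Why = 'blocks the recurring MDM enrollment' }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'; Name = 'BlockAADWorkplaceJoin'; Expect = 1
       Why = 'blocks the recurring MDM enrollment' }
    @{ Key = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Teams'; Name = 'CloudType'; Expect = 'absent'
       Why = 'reported to cause connection failures' }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'; Name = 'Teams'; Expect = 'absent'
       Why = 'removed on the master to disable autostart' }
)

function Test-TeamsImageRegistry {
    param([hashtable[]]$Checks = $TeamsImageChecks)

    foreach ($c in $Checks) {
        $key = Get-Item -LiteralPath $c.Key -ErrorAction SilentlyContinue
        if (-not $c.Name) {
            # Check on the key itself rather than on a value under it.
            $actual = if ($key) { 'present' } else { 'absent' }
        } elseif ($key -and ($key.GetValueNames() -contains $c.Name)) {
            $actual = $key.GetValue($c.Name)
        } else {
            # Missing key and missing value both count as "absent".
            $actual = 'absent'
        }
        $target = $c.Key
        if ($c.Name) { $target = $target + '\' + $c.Name }
        [pscustomobject]@{
            Target   = $target
            Expected = $c.Expect
            Actual   = $actual
            Ok       = ("$actual" -eq "$($c.Expect)")
            Note     = $c.Why
        }
    }
}

# Nothing is written; rows with Ok = False differ from what the posts describe.
Test-TeamsImageRegistry | Format-Table -AutoSize -Wrap
```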
GTO455
Enthusiast
  • The Citrix registry key has nothing to do with Citrix. It was an error that I got while trying to install Teams. I Googled the error and found the resolution here. (Look under the Installation with AppLayering section). However, if the key remains after Teams is installed, you will find that Teams will not be optimized for VMware Horizon. More on that here.
  • The MDM keys I found while searching for issues with auto enrollment on this site. I quickly searched for the post, but couldn't find it.
  • The CloudType registry key is based on your tenancy. It can be found on this page, (it's the same page I linked in my earlier post with the links to the Teams downloads)
  • I normally don't use the GPU setting, only in cases where users are complaining about video performance in Teams. Since it is a JSON file, I couldn't find a way to set it for all users on the master image. Info on the GPU setting is also in the Reddit post I linked above.
  • For DEM & Teams, I just did some testing and found that since we were using FSLogix, and it kept the users' information when they logged out, there was no need for a separate profile in DEM. It was (in this case) redundant.
0 Kudos
Hoodsie2018
Enthusiast

Do you have DirectFlex checked for your Teams config in DEM? Mine is checked and Export Moment set to use global settings. Then executables are:

C:\Program Files (x86)\Microsoft\Teams\update.exe
C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe

0 Kudos
TomH201110141
Enthusiast

@Hoodsie2018 wrote:

Do you have DirectFlex checked for your Teams config in DEM? Mine is checked and Export Moment set to use global settings. Then executables are:

C:\Program Files (x86)\Microsoft\Teams\update.exe
C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe


Yes, DirectFlex is enabled with global settings.

[Screenshot: TomH201110141_0-1637081628326.png]

 

0 Kudos