TomH201110141
Enthusiast

DEM template for Office 365 is insufficient

Hello Community,

I have been working for three days now on the problem that Outlook always asks for the account password. The password dialog is initiated by C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe.

I have tried a lot to monitor which changes are made when I give Outlook the account password, but no luck so far.

The DEM Profiler doesn't want to profile Outlook because it says that there is already a template. Is there any hidden switch to start the Application Profiler that allows profiling Outlook?

For testing purposes I created an Office365 template which captures everything in the user profile:

[IncludeFolderTrees]
<AppData>
<LocalAppData>

[IncludeRegistryTrees]
HKCU\Software\

Using this template results in a big zip file, but Outlook doesn't ask for the password again. This is no solution, but it tells me that the built-in template for "Shared Settings" and/or Outlook is insufficient.

Which part of the user profile does DEM not capture?

0 Kudos
5 Replies
TechMassey
Hot Shot

What you're running into is Shared Computer Activation. DEM doesn't need to capture the license token from O365, as Outlook should be using integrated Windows authentication to identify the user UPN and assigned O365 license.

However, in a non-persistent environment there are a couple of extra steps. Please review this Tech Zone article; it does mention 'Horizon 7' but it applies to Horizon 8.

Best Practices for Delivering Microsoft Office 365 in VMware Horizon 7 | VMware


Please help out! If you find this post helpful and/or the correct answer, mark it! It helps recognize contributions to the VMTN community and, well, me too 🙂
TomH201110141
Enthusiast

I think that the shared computer activation is not the problem, because the activation is still active. My problem is that users always need to give their password.


@TechMassey wrote:

DEM doesn't need to capture the license token from O365 as Outlook should be using integrated windows authentication to identify the user UPN and assigned O365 license.

 


You mean I need to exclude some files (the license token files?) - which ones are they?

 

Best Practices for Delivering Microsoft Office 365 in VMware Horizon 7 | VMware


I know this Tech Zone article very well ... I don't know what could be wrong?

I think the most important is the value in the configuration.xml: 

<Property Name="SharedComputerLicensing" Value="1" />

 

0 Kudos
Dan-White
Contributor

This thread is a little old, but do you happen to be using Workspace ONE Access with TrueSSO? I am having the same issue when we use WS1 Access. The user token you get with TrueSSO is not enough to satisfy the O365 SSO requirements.

You can test this theory by RDPing to your image and testing O365 activation. Similarly, you can bypass WS1 Access and go directly to the UAGs.

I have an open case with VMware right now to try and resolve this issue.

0 Kudos
TomH201110141
Enthusiast

I think I found a solution. I need to disable Modern Authentication for O365.

It can be done with the following keys:

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]

"DisableADALatopWAMOverride"=dword:00000001
"DisableAADWAM"=dword:00000001

 

BUT ... it is something that Microsoft does not recommend:

https://docs.microsoft.com/en-us/office365/troubleshoot/administration/disabling-adal-wam-not-recomm...

I strongly suspect that this is because my instant clones are not "Hybrid Azure AD" joined, but only AD-joined. I think this is definitely worth another test to include them in our Azure AD.

Or does someone have another idea?

 

0 Kudos
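
An added example, not part of the original posts: a PowerShell check, run in the affected user's session, that reports whether the two Identity values named above are set and whether the machine is hybrid Azure AD joined according to `dsregcmd /status`. The function names `Get-WamOverrideState` and `ConvertFrom-DsregStatus` are hypothetical helpers written for this example.

```powershell
# Added example (not from the thread): audit the Office modern-auth override
# values and the device join state for the current user session.
$identityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
$valueNames  = 'DisableADALatopWAMOverride', 'DisableAADWAM'

# Hypothetical helper: read each value; a missing key or value reports Set = False.
function Get-WamOverrideState {
    param([string]$Path, [string[]]$Names)
    foreach ($name in $Names) {
        $item  = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($item) { $value = $item.$name }
        [pscustomobject]@{
            Name  = $name
            Value = $value
            Set   = ($value -eq 1)
        }
    }
}

# Hypothetical helper: turn "Key : Value" lines of dsregcmd output into a hashtable.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

$overrides = @(Get-WamOverrideState -Path $identityKey -Names $valueNames)
$dsreg     = ConvertFrom-DsregStatus -Lines (dsregcmd.exe /status)

# Hybrid join means the device is both AD domain joined and Azure AD joined.
$hybrid = ($dsreg['AzureAdJoined'] -eq 'YES') -and ($dsreg['DomainJoined'] -eq 'YES')
$hasPrt = ($dsreg['AzureAdPrt'] -eq 'YES')

$overrides | Format-Table -AutoSize
"Hybrid Azure AD joined       : $hybrid"
"Primary refresh token present: $hasPrt"
if (@($overrides | Where-Object { $_.Set }).Count -gt 0) {
    'Modern authentication overrides are set for this user; review before keeping them in the DEM profile.'
}
```

Because the two values live under HKCU, a DEM template that captures that registry tree will carry them between sessions, so run the check both before and after logon to a fresh instant clone.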
Dan-White
Contributor

I actually found a solution for this. You need to enable Azure Seamless SSO (Azure AD Connect: Seamless Single Sign-On - quickstart - Microsoft Entra | Microsoft Docs). It's a mechanism for older operating systems that still works with Windows 10/11. After I enabled Azure Seamless SSO, Office is activating when the user uses a TrueSSO token. The TrueSSO user token doesn't have enough data to satisfy the M365 login requirements.

Hope this helps someone in the future.

0 Kudos