VMware Horizon Community
TomH201110141
Enthusiast

DEM template for Office 365 is insufficient

Hello Community,

I have been working for three days now on the problem that Outlook always asks for the account password. The password dialog is initiated by C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe.

I tried really a lot to monitor which changes are made when I give Outlook the account password - but no luck until now.

The DEM-Profiler doesn't want to profile Outlook because it says that there is already a template. Is there any hidden switch to start the Application Profiler which allows profiling Outlook?

For testing purposes I created an Office365 template which captures everything in the user profile:

[IncludeFolderTrees]
<AppData>
<LocalAppData>

[IncludeRegistryTrees]
HKCU\Software\

Using this template results in a big zip file, but Outlook doesn't ask again for the password. This is no solution, but it tells me that the built-in template for "Shared Settings" and/or Outlook is insufficient.

Which part of the user profile does DEM not capture?

TechMassey
Hot Shot

What you're running into is Shared Computer Activation. DEM doesn't need to capture the license token from O365 as Outlook should be using integrated windows authentication to identify the user UPN and assigned O365 license.

However, in a non-persistent environment there are a couple of extra steps. Please review this Tech Zone article; it does mention 'Horizon 7' but it applies to Horizon 8.

Best Practices for Delivering Microsoft Office 365 in VMware Horizon 7 | VMware


Please help out! If you find this post helpful and/or the correct answer, mark it! It helps recognize contributions to the VMTN community and, well, me too 🙂
TomH201110141
Enthusiast

I think that the shared computer activation is not the problem, because the activation is still active. My problem is that users always need to give their password.


@TechMassey wrote:

DEM doesn't need to capture the license token from O365 as Outlook should be using integrated windows authentication to identify the user UPN and assigned O365 license.

 


You mean I need to exclude some files (the license token files?) - which ones are they?

 

Best Practices for Delivering Microsoft Office 365 in VMware Horizon 7 | VMware


I know this Tech Zone article very well ... I don't know what could be wrong?

I think the most important thing is the value in the configuration.xml:

<Property Name="SharedComputerLicensing" Value="1" />

 

Dan-White
Contributor

This thread is a little old but do you happen to be using Workspace One Access with TrueSSO? I am having the same issue when we use WS1 Access. The user token you get with TrueSSO is not enough to satisfy the O365 SSO requirements. 

You can test this theory by RDPing to your image and testing O365 activation. Similarly, you can bypass WS1 Access and go direct to the UAGs.

I have an open case with VMware right now to try and resolve this issue.

TomH201110141
Enthusiast

I think I found a solution. I need to disable Modern-Authentication for O365.

It can be done with the following keys:

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]

"DisableADALatopWAMOverride"=dword:00000001
"DisableAADWAM"=dword:00000001

 

BUT ... it is something that Microsoft does not recommend:

https://docs.microsoft.com/en-us/office365/troubleshoot/administration/disabling-adal-wam-not-recomm...

I strongly suspect that this is because my instant clones are not "Hybrid Azure AD" joined, but only AD-joined. I think this is definitely worth another test to include them in our Azure AD.

Or does someone have another idea?

 

Dan-White
Contributor

I actually found a solution for this. You need to enable Azure Seamless SSO (Azure AD Connect: Seamless Single Sign-On - quickstart - Microsoft Entra | Microsoft Docs). It's a mechanism for older operating systems that still works with Windows 10/11. After I enabled Azure Seamless SSO, Office is activating when the user uses a TrueSSO token. The TrueSSO user token doesn't have enough data to satisfy the M365 login requirements.

Hope this helps someone in the future.

MasonLivingston
Contributor

I've been fighting this nightmare for years and that Trusted Site and regedit seem to have been the missing piece.  It's unreal DEM is so **bleep**ty at this.

lgruembel
Contributor

Hello,

I am currently also looking for a solution to this problem.

But unfortunately, disabling "Modern Authentication" is not an option, as "Basic authentication" will be deactivated on 01.10.2022 for Exchange Online. https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic...

We are using the following for the customer at the moment:
non-persistent Windows Server 2019 with RDS role
VMware DEM 2111 (10.5)
Azure AD Connect with Password Hash Sync and SSO
Microsoft Office LTSC Standard 2021 with SPLA Licensing

Since backing up all user information as described in your first post also fixed the problem, I strongly assume that only certain folders or registry entries still need to be backed up.

What is also strange in my case is that the login works sporadically in all applications (Outlook, Teams, OneDrive), then sometimes only in Outlook and sometimes in none of the Microsoft applications.

 

I have attached my DEM configuration. We use AppData redirection.

Dan-White
Contributor

Just yesterday I gave up trying to get DEM working for Office and switched to FSLogix Containers for O365. That seems to have resolved our intermittent issues, especially for OneDrive. We are still using DEM for all other applications.

lgruembel
Contributor

Hey,

After hours of trial and error I just found a working configuration.

I have attached my DEM configuration. We use AppData redirection.

Jubish-Jose
Hot Shot

@TomH201110141 

If I remember correctly, we ran into some issues with Outlook on instant clones + DEM + FSLogix (probably the password thing itself) and have set the exact same registry keys, and it's been working fine for a long time. I'm aware that MS doesn't recommend that though.


-- If you find this reply helpful, please consider accepting it as a solution.
TomH201110141
Enthusiast

@Jubish-Jose 

Yes, we now do a hybrid join for the VMs into Azure and the problem with the password is gone. It's the best way to solve this problem. Only the Azure sync is not seamless, because the join is triggered by a task from Azure AD Connect only every half hour.

lansti
Hot Shot

We are connecting our users directly to Exchange in the cloud.
I'm working with FSLogix in my lab.

But I'm running this config file, and it works for us as we speak...
There are some "balloon tips", i.e., that show up every time, but I assume that they will disappear when we start using FSLogix.
Outlook config file is 39kb.

[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\16.0\Outlook
HKCU\Software\Microsoft\Office\16.0\MAPI
HKCU\Software\Microsoft\Office\Outlook
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

[IncludeIndividualRegistryValues]
HKCU\Software\Microsoft\Exchange\Client\Options\PickLogonProfile

[IncludeFolderTrees]
<AppData>\Microsoft\Outlook
<AppData>\Microsoft\Signatures

[IncludeFiles]
<LocalAppData>\Microsoft\Office\olkexplorer.officeUI
<LocalAppData>\Microsoft\Office\olkaddritem.officeUI
<LocalAppData>\Microsoft\Office\olkapptitem.officeUI
<LocalAppData>\Microsoft\Office\olkdlstitem.officeUI
<LocalAppData>\Microsoft\Office\olklogitem.officeUI
<LocalAppData>\Microsoft\Office\olkmailitem.officeUI
<LocalAppData>\Microsoft\Office\olkmailread.officeUI
<LocalAppData>\Microsoft\Office\olkmmsedit.officeUI
<LocalAppData>\Microsoft\Office\olkmmsread.officeUI
<LocalAppData>\Microsoft\Office\olkmreqread.officeUI
<LocalAppData>\Microsoft\Office\olkmreqsend.officeUI
<LocalAppData>\Microsoft\Office\olkpostitem.officeUI
<LocalAppData>\Microsoft\Office\olkpostread.officeUI
<LocalAppData>\Microsoft\Office\olkreportitem.officeUI
<LocalAppData>\Microsoft\Office\olkresenditem.officeUI
<LocalAppData>\Microsoft\Office\olkrespcounter.officeUI
<LocalAppData>\Microsoft\Office\olkresponseread.officeUI
<LocalAppData>\Microsoft\Office\olkresponsesend.officeUI
<LocalAppData>\Microsoft\Office\olkrssitem.officeUI
<LocalAppData>\Microsoft\Office\olkshareitem.officeUI
<LocalAppData>\Microsoft\Office\olkshareread.officeUI
<LocalAppData>\Microsoft\Office\olksmsedit.officeUI
<LocalAppData>\Microsoft\Office\olksmsread.officeUI
<LocalAppData>\Microsoft\Office\olktaskitem.officeUI

Best regards
Lansti
Markus_Hartmann
Contributor

Dear Tom,

can you share some more details on this? As it seems you are running the only working solution, which is also supported from Microsoft side (not disabling ADAL or WAM).

Thanks and best regards Markus

lgruembel
Contributor

Hello Markus,

 

I posted a working solution in my last post. The key is to properly save the "Modern Authentication" from Microsoft 365. This is done through the "Shared Settings.ini" in my ZIP file from my last post. This configuration works for manually logged in M365 users (Modern Auth), for Azure AD SSO logged in users (Modern Auth), and for on prem Exchange logins (Basic Auth). FSLogix is not needed with this configuration.

 

Microsoft Office\Shared Settings.ini

======= 

[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\16.0\Common
HKCU\Software\Microsoft\Office\16.0\FirstRun
HKCU\Software\Microsoft\Office\16.0\Microsoft Office 2016
HKCU\Software\Microsoft\Office\16.0\Registration
HKCU\Software\Microsoft\Office\16.0\User Settings
HKCU\Software\Microsoft\Office\Common
HKCU\Software\Microsoft\Shared Tools\Proofing Tools
HKCU\Software\Microsoft\VBA
HKCU\SOFTWARE\Microsoft\VSTO
HKCU\Software\Microsoft\AuthCookies
HKCU\Software\Microsoft\Windows NT\CurrentVersion\TokenBroker

# Commented out because AppData folder redirection is enabled
[IncludeFolderTrees]
#<AppData>\Microsoft\AddIns
#<AppData>\Microsoft\Bibliography
#<AppData>\Microsoft\Office
#<AppData>\Microsoft\Proof
#<AppData>\Microsoft\Spelling
#<AppData>\Microsoft\Templates
#<AppData>\Microsoft\UProof
<LocalAppData>\Microsoft\Office\ONetConfig
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
<LocalAppData>\Microsoft\IdentityCache
<LocalAppData>\Microsoft\OneAuth
<LocalAppData>\Microsoft\TokenBroker

[ExcludeFolderTrees]
#<AppData>\Microsoft\Templates\LiveContent
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp

Markus_Hartmann
Contributor

Thanks! I will test with these settings 🙂

 
 

 

 

milan187
Contributor

Ours is sporadic, can you confirm if your DEM capture works with multiple accounts added to Outlook (not delegated)?

I just added your lines to our Shared settings but we are still having issues.

 

lgruembel
Contributor

Hello, I haven't tested this. But it should work.

Please check the settings in the ZIP file from one of my last posts, if you have the correct settings in the other files.

milan187
Contributor

We had to remove this line from exclusions

 

<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp

 

 

NLAVOIE
Contributor

Yes, same here, thank you very much. I removed this line and it's working like a charm, even for Teams. 

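
Added example (not part of any post in this thread, and not VMware's code): a small Python audit of a DEM Flex config file that lists which captured entries carry Modern Authentication sign-in state and which exclusions cut into them, as with the AC\Temp line that had to be removed above. The marker list and the function names are assumptions made for this example, and the sample is abridged from the Shared Settings.ini posted earlier in the thread.

```python
import re

# Path fragments that the configs in this thread associate with Modern
# Authentication sign-in state (assumption: a substring match is sufficient).
IDENTITY_MARKERS = ("microsoft.aad.brokerplugin", "\\microsoft\\identitycache",
                    "\\microsoft\\oneauth", "\\tokenbroker", "\\microsoft\\authcookies")
IDENTITY_KEY = r"HKCU\Software\Microsoft\Office\16.0\Common\Identity"  # DisableAADWAM lives here

# Constructed sample, abridged from the Shared Settings.ini posted in the thread.
SAMPLE = r"""
[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\16.0\Common
HKCU\Software\Microsoft\AuthCookies
HKCU\Software\Microsoft\Windows NT\CurrentVersion\TokenBroker
[IncludeFolderTrees]
#<AppData>\Microsoft\Office
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
<LocalAppData>\Microsoft\IdentityCache
<LocalAppData>\Microsoft\OneAuth
<LocalAppData>\Microsoft\TokenBroker
[ExcludeFolderTrees]
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp
"""

def parse_dem_ini(text):
    """Split a DEM Flex config into (includes, excludes), skipping '#' comments."""
    includes, excludes, current = [], [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = (includes if m.group(1).startswith("Include") else
                       excludes if m.group(1).startswith("Exclude") else None)
        elif current is not None:
            current.append(line.rstrip("\\"))
    return includes, excludes

def under(path, root):
    return (path.lower() + "\\").startswith(root.lower() + "\\")

def audit(text):
    includes, excludes = parse_dem_ini(text)
    captured = [p for p in includes if any(m in p.lower() for m in IDENTITY_MARKERS)]
    # Exclusions that cut into a captured identity tree (the thread dropped one).
    carved = [e for e in excludes if any(under(e, c) for c in captured)]
    return {"identity_paths": captured, "carved_out": carved,
            "covers_office_identity_key": any(under(IDENTITY_KEY, p) for p in includes)}
```

Every entry reported under identity_paths ends up in the user's DEM profile archive, so the result also shows which config files make that archive share sensitive.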