VMware Horizon Community
bjohn
Hot Shot
Hot Shot

Instant clone issue

We are having a strange issue when testing instant clones. Occasionally, when you login to an IC, windows cannot seem to determine who the logged in user is and is failing WIA, thereby prompting us for windows credentials to our Intranet, OneDrive, Outlook etc.

OneDrive and Outlook are setup to sign-in automatically thru GPO (using ADFS)

Has anyone seen this behavior? I'm not quite sure how to troubleshoot.
Thank You

Reply
0 Kudos
3 Replies
domdsouza
Enthusiast
Enthusiast

We've seen a similar issue and I'm assuming you are doing a Hybrid Azure AD join? When a user logs in, they get a primary refresh token (prt) from Azure AD. If there was one captured during the instant clone process, it can cause issues. There is a scheduled task that performs this action. As part of the gold image build process, we delete this scheduled task, and re-create it after the machine is built and joined to the domain as a post-install process.

One way to find out if this is the issue, have the user do a CTRL+ALT+DELETE and lock their machine, and then unlock it again. Restart Outlook, Teams or whatever is failing. 

Reply
0 Kudos
bjohn
Hot Shot
Hot Shot

@domdsouza Yes, I believe we are Hybrid Azure AD and the master image was joined to the domain at one time (not currently).

I'm not an expert on Azure, but I can see the IC in the azure portal and it says Azure AD registered.

I have tried locking and unlocking and that seems to work sometimes, but not consistent. Would you be able to provide the script you are using?

Thank You

Reply
0 Kudos
domdsouza
Enthusiast
Enthusiast

It has been discussed in this thread with some sample scripts that I posted.

https://communities.vmware.com/t5/Dynamic-Environment-Manager/Hybrid-AD-Join-as-a-DEM-startup-task-o...

 

Reply
0 Kudos