John Twilley Posted June 10

Microsoft Office 2016/2019/365 Application Template

## Expanded settings for the Microsoft Office 2016/2019/365 Application Templates 'Access', 'Excel', 'OneDrive', 'OneNote', 'Outlook', 'PowerPoint', 'Project', 'Publisher', 'Shared', 'Visio', and 'Word':
#
[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\16.0\Access
HKCU\Software\Microsoft\Office\16.0\Common
HKCU\Software\Microsoft\Office\16.0\Excel
HKCU\Software\Microsoft\Office\16.0\FirstRun
HKCU\Software\Microsoft\Office\16.0\Groove
HKCU\Software\Microsoft\Office\16.0\Lync
HKCU\Software\Microsoft\Office\16.0\MAPI
HKCU\Software\Microsoft\Office\16.0\Microsoft Office 2016
HKCU\Software\Microsoft\Office\16.0\MS Project
HKCU\Software\Microsoft\Office\16.0\OneNote
HKCU\Software\Microsoft\Office\16.0\Outlook
HKCU\Software\Microsoft\Office\16.0\PowerPoint
HKCU\Software\Microsoft\Office\16.0\Project
HKCU\Software\Microsoft\Office\16.0\Publisher
HKCU\Software\Microsoft\Office\16.0\Registration
HKCU\Software\Microsoft\Office\16.0\SyncCenter
HKCU\Software\Microsoft\Office\16.0\SyncProc
HKCU\Software\Microsoft\Office\16.0\User Settings
HKCU\Software\Microsoft\Office\16.0\Visio
HKCU\Software\Microsoft\Office\16.0\Word
HKCU\Software\Microsoft\Office\16.0\Workspaces
HKCU\Software\Microsoft\Office\Access
HKCU\Software\Microsoft\Office\Common
HKCU\Software\Microsoft\Office\Excel
HKCU\Software\Microsoft\Office\OneNote
HKCU\Software\Microsoft\Office\Outlook
HKCU\Software\Microsoft\Office\PowerPoint
HKCU\Software\Microsoft\Office\Visio
HKCU\Software\Microsoft\Office\Word
HKCU\Software\Microsoft\Shared Tools\Proofing Tools
HKCU\Software\Microsoft\VBA
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
HKCU\SOFTWARE\Microsoft\VSTO
HKCU\Software\Microsoft\AuthCookies
HKCU\Software\Microsoft\Windows NT\CurrentVersion\TokenBroker

[IncludeIndividualRegistryValues]
HKCU\Software\Microsoft\Exchange\Client\Options\PickLogonProfile

[IncludeFolderTrees]
<AppData>\Microsoft\Access
<AppData>\Microsoft\AddIns
<AppData>\Microsoft\Bibliography
<AppData>\Microsoft\Excel
<AppData>\Microsoft\MS Project
<AppData>\Microsoft\Office
<AppData>\Microsoft\Office\16.0\Lync
<AppData>\Microsoft\OneNote
<AppData>\Microsoft\Outlook
<AppData>\Microsoft\Powerpoint
<AppData>\Microsoft\Proof
<AppData>\Microsoft\Publisher
<AppData>\Microsoft\Publisher Building Blocks
<AppData>\Microsoft\Signatures
<AppData>\Microsoft\Spelling
<AppData>\Microsoft\Templates
<AppData>\Microsoft\UProof
<AppData>\Microsoft\Visio
<AppData>\Microsoft\Word
<LocalAppData>\Microsoft\Office\ONetConfig
# added
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
<LocalAppData>\Microsoft\IdentityCache
<LocalAppData>\Microsoft\OneAuth
<LocalAppData>\Microsoft\TokenBroker

[IncludeFiles]
<LocalAppData>\Microsoft\Office\Access.officeUI
<LocalAppData>\Microsoft\Office\Excel.officeUI
<LocalAppData>\Microsoft\Office\MSProject.officeUI
<LocalAppData>\Microsoft\Office\olkaddritem.officeUI
<LocalAppData>\Microsoft\Office\olkapptitem.officeUI
<LocalAppData>\Microsoft\Office\olkdlstitem.officeUI
<LocalAppData>\Microsoft\Office\olkexplorer.officeUI
<LocalAppData>\Microsoft\Office\olklogitem.officeUI
<LocalAppData>\Microsoft\Office\olkmailitem.officeUI
<LocalAppData>\Microsoft\Office\olkmailread.officeUI
<LocalAppData>\Microsoft\Office\olkmmsedit.officeUI
<LocalAppData>\Microsoft\Office\olkmmsread.officeUI
<LocalAppData>\Microsoft\Office\olkmreqread.officeUI
<LocalAppData>\Microsoft\Office\olkmreqsend.officeUI
<LocalAppData>\Microsoft\Office\olkpostitem.officeUI
<LocalAppData>\Microsoft\Office\olkpostread.officeUI
<LocalAppData>\Microsoft\Office\olkreportitem.officeUI
<LocalAppData>\Microsoft\Office\olkresenditem.officeUI
<LocalAppData>\Microsoft\Office\olkrespcounter.officeUI
<LocalAppData>\Microsoft\Office\olkresponseread.officeUI
<LocalAppData>\Microsoft\Office\olkresponsesend.officeUI
<LocalAppData>\Microsoft\Office\olkrssitem.officeUI
<LocalAppData>\Microsoft\Office\olkshareitem.officeUI
<LocalAppData>\Microsoft\Office\olkshareread.officeUI
<LocalAppData>\Microsoft\Office\olksmsedit.officeUI
<LocalAppData>\Microsoft\Office\olksmsread.officeUI
<LocalAppData>\Microsoft\Office\olktaskitem.officeUI
<LocalAppData>\Microsoft\Office\OneNote.officeUI
<LocalAppData>\Microsoft\Office\Powerpoint.officeUI
<LocalAppData>\Microsoft\Office\Publisher.officeUI
<LocalAppData>\Microsoft\Office\Visio.officeUI
<LocalAppData>\Microsoft\Office\Word.officeUI

[ExcludeFolderTrees]
<AppData>\Microsoft\Templates\LiveContent
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState

[ExcludeIndividualRegistryValues]
# To prevent the O365 Viewer Mode from replicating (only if you use this feature)
HKCU\Software\Microsoft\Office\16.0\Common\autoorgidgetkey
HKCU\Software\Microsoft\Office\16.0\Common\Licensing\viewermode
HKCU\Software\Microsoft\Office\16.0\Common\SignIn\SignInOptions
HKCU\Software\Microsoft\Office\16.0\Common\Identity\DisableADALatopWAMOverride
HKCU\Software\Microsoft\Office\16.0\Common\Identity\DisableAADWAM

[ExcludeRegistryTrees]
# To help reduce the size of the registry by 10 MB
HKCU\Software\Microsoft\Office\16.0\Common\ExperimentConfigs
HKCU\Software\Microsoft\Office\16.0\Common\Experiment
HKCU\Software\Microsoft\Office\16.0\Common\ExperimentEcs
HKCU\Software\Microsoft\Office\16.0\Common\ExperimentTas

[ExcludeFiles]
# Exclude XLSB Auto-Backup files as they create a 100+ MB zip - adding just the file pattern excludes it from ALL FOLDERS above.
*.xlsb
*.xar
*.bak
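An added example, not part of John Twilley's template or any DEM tooling: a script that parses a DEM application template in the INI-style format shown above, expands the <AppData> and <LocalAppData> placeholders (assumed here to map to $env:APPDATA and $env:LOCALAPPDATA), and reports the on-disk size of every [IncludeFolderTrees] entry after applying [ExcludeFolderTrees] and [ExcludeFiles]. It is useful for finding the tree that is about to bloat the profile archive (the comments in the template mention a 100+ MB zip from *.xlsb backups) before it slows logons. Registry sections are parsed but not sized. The sample template inside the script is a constructed subset; pass -TemplatePath to audit the real file.

```powershell
<#
Added example: size audit of what a DEM application template would capture.
Assumptions: DEM placeholders <AppData> and <LocalAppData> map to
$env:APPDATA and $env:LOCALAPPDATA; only those two placeholders occur.
#>
param([string]$TemplatePath)

function Read-DemTemplate {
    # Returns a hashtable: section name -> array of entries (comments and blanks dropped)
    param([string[]]$Lines)
    $sections = @{}
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @() }
            continue
        }
        if ($current) { $sections[$current] += $line }
    }
    return $sections
}

function Get-DemSection {
    # Always returns an array, even when the section is absent
    param([hashtable]$Config, [string]$Name)
    if ($Config.ContainsKey($Name)) { return @($Config[$Name]) }
    return @()
}

function Expand-DemPath {
    param([string]$Path)
    return $Path.Replace('<AppData>', $env:APPDATA).Replace('<LocalAppData>', $env:LOCALAPPDATA)
}

function Get-TreeSize {
    # Bytes under $Root that the template would still capture; $null if the tree is absent
    param([string]$Root, [string[]]$ExcludePatterns, [string[]]$ExcludeTrees)
    if (-not (Test-Path -LiteralPath $Root)) { return $null }
    $total = 0L
    $files = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue)
    foreach ($file in $files) {
        $inExcludedTree = [bool]($ExcludeTrees | Where-Object { $file.FullName.StartsWith($_, 'OrdinalIgnoreCase') })
        $matchesPattern = [bool]($ExcludePatterns | Where-Object { $file.Name -like $_ })
        if (-not $inExcludedTree -and -not $matchesPattern) { $total += $file.Length }
    }
    return $total
}

# Constructed sample: a subset of the template in the post, used when no -TemplatePath is given
$sampleTemplate = @'
[IncludeFolderTrees]
<AppData>\Microsoft\Templates
<AppData>\Microsoft\Signatures
<AppData>\Microsoft\Excel
<AppData>\Microsoft\Outlook
[ExcludeFolderTrees]
<AppData>\Microsoft\Templates\LiveContent
[ExcludeFiles]
*.xlsb
*.xar
*.bak
'@

$lines = if ($TemplatePath) { Get-Content -LiteralPath $TemplatePath } else { $sampleTemplate -split "`r?`n" }
$config = Read-DemTemplate -Lines $lines
$excludeFiles = Get-DemSection $config 'ExcludeFiles'
$excludeTrees = @(Get-DemSection $config 'ExcludeFolderTrees' | ForEach-Object { Expand-DemPath $_ })

$report = foreach ($entry in (Get-DemSection $config 'IncludeFolderTrees')) {
    $root = Expand-DemPath $entry
    $bytes = Get-TreeSize -Root $root -ExcludePatterns $excludeFiles -ExcludeTrees $excludeTrees
    [pscustomobject]@{
        SizeMB  = if ($null -eq $bytes) { $null } else { [math]::Round($bytes / 1MB, 1) }
        Present = ($null -ne $bytes)
        Tree    = $root
    }
}
$report | Sort-Object SizeMB -Descending | Format-Table -AutoSize
```

Run it in the user's session (DEM expands the placeholders per user, so the numbers only mean something under the account whose profile you are sizing). A tree reported as absent is not an error; Office creates many of these folders lazily.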
tonyflan1 Posted August 22

Many thanks for these. Does this fix constant sign-in requests to O365 apps when you use the shared licence activation for instant clone machines and RDS please? Since moving to an O365 version that includes device based activation we seem to be seeing sign-ins all the time on fresh instant clone sessions. Regards
StephenWagner7 Posted August 22

4 hours ago, tonyflan1 said:
Many thanks for these. Does this fix constant sign-in requests to O365 apps when you use the shared licence activation for instant clone machines and RDS please? Since moving to an O365 version that includes device based activation we seem to be seeing sign-ins all the time on fresh instant clone sessions. Regards

O365 only supports user based licensing/activation; you cannot use device based activation. When using Microsoft 365 with Instant Clones, here are two main considerations:

1. Shared Computer Activation - You must enable SCA, which will generate activation tokens that can roam with the user. If using FSLogix, they'll be contained inside of the profile container. If using something else, you'll want to save these to a location that is persistent.

2. User Sign In - When accessing O365 applications, there are usually 2 authentications or sign-ins:
   - User Sign In - This is the user signing in to the application, loading preferences, etc.
   - User Based Authentication - This is O365 activating the user's license itself.

For both of these, especially number 2, organizations usually struggle when implementing this. If you have SSO configured, using either Seamless SSO, or Azure Hybrid Join with PRT, then the login AND activation should be automatic and transparent to the user.

*PLEASE NOTE: If you require MFA, then the user will be prompted to complete the MFA. Sometimes the MFA prompt confuses administrators into thinking SSO (and auto logon) is broken, when it's actually prompting because of the MFA requirement.

If you DO NOT have SSO configured, then the user will have to manually log on and the credentials will be stored in the user's Credential Manager in Windows. If you have a profile persistence solution, these credentials should be saved, and the user shouldn't be prompted again for a very, very long time.

*PLEASE NOTE: If you aren't doing SSO with Azure/Entra ID, you'll need to make sure you add the "BlockAADWorkplaceJoin" registry key (I'd recommend configuring a GPO, or using DEM) to the base image to stop it from attempting Hybrid Domain Join and/or Azure AD Registration, or you'll end up with issues, as well as a bunch of stale devices on Azure. You should also omit the OU from replication to Azure/Entra.

In both cases above, you'll need to make sure you also don't sync and/or delete the "Identity" key in the registry as well, as it contains machine-specific information.

Additional note for Windows 11 - I've seen some customers deploy Windows 11 improperly, attaching a vTPM to the base image and then yanking it before deploying, which has caused some weird issues. These issues were resolved by deploying the Windows 11 base images properly without a vTPM (using WinPE and ADK). A vTPM should never be removed from a Windows 11 instance once attached.

A few blog posts I've written on the topic:
- Deploy, Install, and Configure Microsoft Office 365 in a VDI Environment - The Tech Journal (stephenwagner.com)
- Understanding Microsoft Azure AD SSO with VDI - The Tech Journal (stephenwagner.com)

Stephen Wagner (President, Digitally Accurate Inc.) VMware vExpert (vExpert Pro, vSphere, vSAN Awards), Omnissa Tech Insider, NVIDIA NGCA Advisor, VMUG Leader, and Director (Board of Directors) at World of EUC. Check out my Tech Blog: https://www.StephenWagner.com
tonyflan1 Posted August 22

Thanks for the info Stephen.

Re - Shared Computer Activation - You must enable SCA, which will generate activation tokens that can roam with the user. If using FSLogix, they'll be contained inside of the profile container. If using something else, you'll want to save these to a location that is persistent.

Can you possibly clarify the basic DEM settings needed that will back up a profile with the settings to 'roam with the user', as I am still getting password pop-ups for the Office logon against my MS user ID on new instant clone sessions (using SCA). I do have instant clone machines that use an App Volumes writable disk with no DEM agent and they seem to be OK, as their profile is being saved to the writable disk, so that suggests a DEM setting isn't being captured and the rest of the sign-in is happy. Kind regards
StephenWagner7 Posted August 22

1 hour ago, tonyflan1 said:
Thanks for the info Stephen. Re - Shared Computer Activation - You must enable SCA, which will generate activation tokens that can roam with the user. If using FSLogix, they'll be contained inside of the profile container. If using something else, you'll want to save these to a location that is persistent. Can you possibly clarify the basic DEM settings needed that will back up a profile with the settings to 'roam with the user', as I am still getting password pop-ups for the Office logon against my MS user ID on new instant clone sessions (using SCA). I do have instant clone machines that use an App Volumes writable disk with no DEM agent and they seem to be OK, as their profile is being saved to the writable disk, so that suggests a DEM setting isn't being captured and the rest of the sign-in is happy. Kind regards

Did you use the XML ODT, GPO, or DEM to configure the SCA token path? Can you confirm you also have SCA enabled?
tonyflan1 Posted August 23

Hi Stephen,

The settings I used are configured in the Office install XML file as below:

<Display Level="None" AcceptEULA="True" />
<Property Name="SharedComputerLicensing" Value="1" />

We see a registry key value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration with SharedComputerLicensing set to 1, and the DEM setting for O365 we have in the DEM console, which has been there since the previous version of O365, is:

[IncludeFolderTrees]
<LocalAppData>\Microsoft\Office\16.0\Licensing
<LocalAppData>\Microsoft\Microsoft\Credentials

Do I need to add a string value of SCLCacheOverride, and set the value to 1, and also add a string value of SCLCacheOverrideDirectory and set the value to the path of the folder to save the licensing token?
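An added example, not from any post in this thread: a pre-flight check to run inside a fresh instant-clone session when Office keeps prompting for sign-in, covering the settings discussed in Stephen's reply above and in this post. It reads SharedComputerLicensing from HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration (what the ODT <Property Name="SharedComputerLicensing" Value="1" /> writes), SCLCacheOverride and SCLCacheOverrideDirectory from HKCU\Software\Microsoft\Office\16.0\Common\Licensing, the SCA token cache folder (%LOCALAPPDATA%\Microsoft\Office\16.0\Licensing unless overridden), BlockAADWorkplaceJoin from HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, whether HKCU\Software\Microsoft\Office\16.0\Common\Identity is present, and the AzureAdJoined / AzureAdPrt flags from dsregcmd /status. Which combination is reported as OK, WARN or INFO is this script's own judgement based on the advice in the thread, not a Microsoft or Omnissa rule.

```powershell
<#
Added example: instant-clone pre-flight for Microsoft 365 SCA + SSO.
Assumption: OK/WARN/INFO thresholds below are this script's own, derived from
the thread; the registry and folder locations are the documented ones.
#>

function Get-RegValue {
    # Returns the value, or $null when the key or value does not exist
    param([string]$Path, [string]$Name)
    try { return (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }
}

function Get-DsregFlag {
    # Reads one "Key : YES|NO" line from dsregcmd /status; $null when the tool or key is absent
    param([string]$Key)
    $tool = Get-Command dsregcmd.exe -ErrorAction SilentlyContinue
    if (-not $tool) { return $null }
    $line = & $tool.Source /status | Where-Object { $_ -match "^\s*$Key\s*:\s*(YES|NO)\b" } | Select-Object -First 1
    if ($line -match ':\s*(YES|NO)') { return $Matches[1] }
    return $null
}

function New-Check {
    param([string]$Check, $Value, [string]$Status, [string]$Advice)
    return [pscustomobject]@{ Check = $Check; Value = $Value; Status = $Status; Advice = $Advice }
}

$c2r         = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$lic         = 'HKCU:\Software\Microsoft\Office\16.0\Common\Licensing'
$wpj         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$identityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'

$sca         = Get-RegValue $c2r 'SharedComputerLicensing'
$override    = Get-RegValue $lic 'SCLCacheOverride'
$overrideDir = Get-RegValue $lic 'SCLCacheOverrideDirectory'
$blockJoin   = Get-RegValue $wpj 'BlockAADWorkplaceJoin'
$aadJoined   = Get-DsregFlag 'AzureAdJoined'
$prt         = Get-DsregFlag 'AzureAdPrt'

# Token cache: the override directory when SCLCacheOverride=1, else the per-user default
$tokenDir = if ("$override" -eq '1' -and $overrideDir) { $overrideDir }
            else { Join-Path $env:LOCALAPPDATA 'Microsoft\Office\16.0\Licensing' }
$tokenFiles = if (Test-Path -LiteralPath $tokenDir) {
    @(Get-ChildItem -LiteralPath $tokenDir -File -Force -ErrorAction SilentlyContinue).Count
} else { -1 }

$overrideOk = ("$override" -ne '1') -or ($overrideDir -and (Test-Path -LiteralPath $overrideDir))

$checks = @(
    New-Check 'SharedComputerLicensing' $sca $(if ("$sca" -eq '1') { 'OK' } else { 'WARN' }) `
        'Must be 1 on non-persistent desktops (the thread: "You must enable SCA").'
    New-Check 'SCA token cache' "$tokenDir ($tokenFiles files)" $(if ($tokenFiles -ge 0) { 'OK' } else { 'WARN' }) `
        'This folder must be inside whatever roams: DEM IncludeFolderTrees, FSLogix container or writable volume.'
    New-Check 'SCLCacheOverride' "$override -> $overrideDir" $(if ($overrideOk) { 'OK' } else { 'WARN' }) `
        'Only needed to redirect the cache; if set, the directory must exist and be writable by the user.'
    New-Check 'BlockAADWorkplaceJoin' $blockJoin $(if ($aadJoined -eq 'YES' -or "$blockJoin" -eq '1') { 'OK' } else { 'WARN' }) `
        'Set to 1 unless the clones are intentionally hybrid joined; otherwise each clone leaves a stale device in Entra ID.'
    New-Check 'AzureAdJoined / AzureAdPrt' "$aadJoined / $prt" 'INFO' `
        'PRT = YES allows silent SSO; with Seamless SSO only, no PRT is expected and an MFA prompt is still normal.'
    New-Check 'Common\Identity key present' (Test-Path -LiteralPath $identityKey) 'INFO' `
        'Machine-specific; keep it out of DEM/profile roaming rather than carrying it between clones.'
)
$checks | Format-Table -AutoSize -Wrap
```

Run it as the affected user on a brand-new clone before Office is opened, then again after Word has activated: the token cache should go from 0 files to at least one, and on the next clone it should already be non-empty if the DEM import ran. A WARN on BlockAADWorkplaceJoin together with AzureAdJoined = NO is the stale-device scenario Stephen describes.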
tonyflan1 Posted August 23

I still see a 'password' requirement for my sign-in account when starting Outlook, and the MS Office 'email address' sign-in when I start Word?
StephenWagner7 Posted August 23

40 minutes ago, tonyflan1 said:
I still see a 'password' requirement for my sign-in account when starting Outlook, and the MS Office 'email address' sign-in when I start Word?

A few questions I have:
- Are you licensed for Microsoft 365 E3/E5, or Microsoft 365 Business Premium?
- Do you have Azure Seamless SSO, Azure SSO with PRT (Hybrid Joining), or no Azure SSO at all?
- Do you have an MFA requirement for users on Azure?
- Are you using DEM only, and/or FSLogix?
tonyflan1 Posted August 23

Hi Stephen, these are my responses; maybe I should be raising this with O365 support?

- Are you licensed for Microsoft 365 E3/E5, or Microsoft 365 Business Premium? E3
- Do you have Azure Seamless SSO, Azure SSO with PRT (Hybrid Joining), or no Azure SSO at all? Seamless SSO
- Do you have an MFA requirement for users on Azure? We do use MFA requirements for external auth into our organisation, but this issue is being seen on access to the VDIs that don't need to employ MFA for access to the VDI.
- Are you using DEM only, and/or FSLogix? This is a DEM setup.
StephenWagner7 Posted August 23

One other quick question... I want to verify your Seamless SSO deployment is functioning. On an Instant Clone, can you go to Office.com and check if you're signed on? If not, can you click sign on, and let me know if it signs you in, or if you get prompted?
tonyflan1 Posted August 27

Hi Stephen,

I have fixed these issues now with the DEM settings in this post provided by John. I did think it was DEM related because I wasn't getting any issues with a non-DEM machine setup (instant clone with a writable disk from App Volumes) which was saving profile data on the local profile.

Sorry, these were the settings I thought I had sent you on Friday for my environment. Thanks for all your help.

- Are you licensed for Microsoft 365 E3/E5, or Microsoft 365 Business Premium? E3
- Do you have Azure Seamless SSO, Azure SSO with PRT (Hybrid Joining), or no Azure SSO at all? Seamless SSO
- Do you have an MFA requirement for users on Azure? We do use MFA requirements for external auth into our organisation, but this issue is being seen on access to the VDIs that don't need to employ MFA for access to the VDI.
- Are you using DEM only, and/or FSLogix? This is a DEM setup.
kricky1 Posted September 10

In the continuity of this discussion, can anyone help me out with Microsoft E3 vs E5 in a detailed manner?
DanielP Posted September 17

Hello All,

Currently we have the same problem that @tonyflan1 had; I am glad for him that he could resolve his problem :). For a few weeks, some users have been telling us they have to log on to M365 each time they connect to VDI desktops. These last weeks I have spent a lot of time troubleshooting, but I am still not able to find the problem. I suspect DEM, even though I did not make any change for a few months.

Below is my configuration:
- Horizon View 8 (2303.1), DEM 2303.1, App Volumes 2303.1 (only for packages like M365 and so on; writable volumes not used)
- We use DEM, of course with "import/export" config at logon, and folder redirection too
- Instant clones used
- SCA registry entries on the VDI gold image; of course GPOs for the Horizon agent and DEM FlexEngine
- VDI desktops were never joined to Azure; we have always used Seamless SSO, and so without problems since the beginning (summer 2023)

I was inspired by @StephenWagner7's excellent tutorial, thanks for that! I tried to apply the exact import/export DEM config proposed above by @John Twilley, thanks to him too. But it is still the same problem: users are still prompted for M365 each time they run Word/Excel or Outlook on VDI desktops.

As I said earlier, we have never used "writable volume", but for this problem I tried to disable DEM and activate a writable volume instead, for my account for example, and it seems to resolve my problem of repetitive login prompts for M365. It works very well for Word or Excel, but Outlook crashes! I think it's related to the writable volume 😞

So I deduce the problem is on the DEM side. Why now? I don't know; maybe some recent cumulative update or M365 version brings some changes, or something like that.

Any suggestions or tips would be appreciated. Thank you for your help.

Best regards
Daniel