Posted

Microsoft Office 2016/2019/365 Application Template

## Expanded settings for the Microsoft Office 2016/2019/365 Application Templates 'Access', 'Excel', 'OneDrive', 'OneNote', 'Outlook', 'PowerPoint', 'Project', 'Publisher', 'Shared', 'Visio', and 'Word':
#
[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\16.0\Access
HKCU\Software\Microsoft\Office\16.0\Common
HKCU\Software\Microsoft\Office\16.0\Excel
HKCU\Software\Microsoft\Office\16.0\FirstRun
HKCU\Software\Microsoft\Office\16.0\Groove
HKCU\Software\Microsoft\Office\16.0\Lync
HKCU\Software\Microsoft\Office\16.0\MAPI
HKCU\Software\Microsoft\Office\16.0\Microsoft Office 2016
HKCU\Software\Microsoft\Office\16.0\MS Project
HKCU\Software\Microsoft\Office\16.0\OneNote
HKCU\Software\Microsoft\Office\16.0\Outlook
HKCU\Software\Microsoft\Office\16.0\PowerPoint
HKCU\Software\Microsoft\Office\16.0\Project
HKCU\Software\Microsoft\Office\16.0\Publisher
HKCU\Software\Microsoft\Office\16.0\Registration
HKCU\Software\Microsoft\Office\16.0\SyncCenter
HKCU\Software\Microsoft\Office\16.0\SyncProc
HKCU\Software\Microsoft\Office\16.0\User Settings
HKCU\Software\Microsoft\Office\16.0\Visio
HKCU\Software\Microsoft\Office\16.0\Word
HKCU\Software\Microsoft\Office\16.0\Workspaces
HKCU\Software\Microsoft\Office\Access
HKCU\Software\Microsoft\Office\Common
HKCU\Software\Microsoft\Office\Excel
HKCU\Software\Microsoft\Office\OneNote
HKCU\Software\Microsoft\Office\Outlook
HKCU\Software\Microsoft\Office\PowerPoint
HKCU\Software\Microsoft\Office\Visio
HKCU\Software\Microsoft\Office\Word
HKCU\Software\Microsoft\Shared Tools\Proofing Tools
HKCU\Software\Microsoft\VBA
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
HKCU\SOFTWARE\Microsoft\VSTO
HKCU\Software\Microsoft\AuthCookies
HKCU\Software\Microsoft\Windows NT\CurrentVersion\TokenBroker

[IncludeIndividualRegistryValues]
HKCU\Software\Microsoft\Exchange\Client\Options\PickLogonProfile

[IncludeFolderTrees]
<AppData>\Microsoft\Access
<AppData>\Microsoft\AddIns
<AppData>\Microsoft\Bibliography
<AppData>\Microsoft\Excel
<AppData>\Microsoft\MS Project
<AppData>\Microsoft\Office
<AppData>\Microsoft\Office\16.0\Lync
<AppData>\Microsoft\OneNote
<AppData>\Microsoft\Outlook
<AppData>\Microsoft\Powerpoint
<AppData>\Microsoft\Proof
<AppData>\Microsoft\Publisher
<AppData>\Microsoft\Publisher Building Blocks
<AppData>\Microsoft\Signatures
<AppData>\Microsoft\Spelling
<AppData>\Microsoft\Templates
<AppData>\Microsoft\UProof
<AppData>\Microsoft\Visio
<AppData>\Microsoft\Word
<LocalAppData>\Microsoft\Office\ONetConfig
# added 
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
<LocalAppData>\Microsoft\IdentityCache
<LocalAppData>\Microsoft\OneAuth
<LocalAppData>\Microsoft\TokenBroker


[IncludeFiles]
<LocalAppData>\Microsoft\Office\Access.officeUI
<LocalAppData>\Microsoft\Office\Excel.officeUI
<LocalAppData>\Microsoft\Office\MSProject.officeUI
<LocalAppData>\Microsoft\Office\olkaddritem.officeUI
<LocalAppData>\Microsoft\Office\olkapptitem.officeUI
<LocalAppData>\Microsoft\Office\olkdlstitem.officeUI
<LocalAppData>\Microsoft\Office\olkexplorer.officeUI
<LocalAppData>\Microsoft\Office\olklogitem.officeUI
<LocalAppData>\Microsoft\Office\olkmailitem.officeUI
<LocalAppData>\Microsoft\Office\olkmailread.officeUI
<LocalAppData>\Microsoft\Office\olkmmsedit.officeUI
<LocalAppData>\Microsoft\Office\olkmmsread.officeUI
<LocalAppData>\Microsoft\Office\olkmreqread.officeUI
<LocalAppData>\Microsoft\Office\olkmreqsend.officeUI
<LocalAppData>\Microsoft\Office\olkpostitem.officeUI
<LocalAppData>\Microsoft\Office\olkpostread.officeUI
<LocalAppData>\Microsoft\Office\olkreportitem.officeUI
<LocalAppData>\Microsoft\Office\olkresenditem.officeUI
<LocalAppData>\Microsoft\Office\olkrespcounter.officeUI
<LocalAppData>\Microsoft\Office\olkresponseread.officeUI
<LocalAppData>\Microsoft\Office\olkresponsesend.officeUI
<LocalAppData>\Microsoft\Office\olkrssitem.officeUI
<LocalAppData>\Microsoft\Office\olkshareitem.officeUI
<LocalAppData>\Microsoft\Office\olkshareread.officeUI
<LocalAppData>\Microsoft\Office\olksmsedit.officeUI
<LocalAppData>\Microsoft\Office\olksmsread.officeUI
<LocalAppData>\Microsoft\Office\olktaskitem.officeUI
<LocalAppData>\Microsoft\Office\OneNote.officeUI
<LocalAppData>\Microsoft\Office\Powerpoint.officeUI
<LocalAppData>\Microsoft\Office\Publisher.officeUI
<LocalAppData>\Microsoft\Office\Visio.officeUI
<LocalAppData>\Microsoft\Office\Word.officeUI

[ExcludeFolderTrees]
<AppData>\Microsoft\Templates\LiveContent
<LocalAppData>\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState

[ExcludeIndividualRegistryValues]
# To prevent the O365 Viewer Mode from replicating (Only if you use this feature)
HKCU\Software\Microsoft\Office\16.0\Common\autoorgidgetkey
HKCU\Software\Microsoft\Office\16.0\Common\Licensing\viewermode
HKCU\Software\Microsoft\Office\16.0\Common\SignIn\SignInOptions
HKCU\Software\Microsoft\Office\16.0\Common\Identity\DisableADALatopWAMOverride
HKCU\Software\Microsoft\Office\16.0\Common\Identity\DisableAADWAM


[ExcludeRegistryTrees]
# To help reduce the size of the registry by 10 MB
HKCU\Software\Microsoft\Office\16.0\Common\ExperimentConfigs
HKCU\Software\Microsoft\Office\16.0\Common\Experiment
HKCU\Software\Microsoft\Office\16.0\Common\ExperimentEcs
HKCU\Software\Microsoft\Office\16.0\Common\ExperimentTas

[ExcludeFiles]
# Exclude XLSB Auto-Backup files as they create 100+ MB Zip - adding just the file excludes from ALL FOLDERS above.
*.xlsb
*.xar
*.bak
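An added example (my own PowerShell, not part of the template above and not Omnissa DEM code): a small checker that parses a DEM application-template INI such as the one posted here, expands the <AppData> and <LocalAppData> tokens, reports which included folder trees, files and HKCU registry trees do not exist in the session it runs in, and flags duplicate entries. The function names and the report layout are this example's own; the INI section names and token spellings are the ones the template uses.

```powershell
# Added example: audit a DEM application-template INI against the current session.
# Not from the original post; section names/tokens follow the template above,
# everything else (function names, output shape) is this example's own choice.

function Read-DemTemplate {
    param([Parameter(Mandatory)][string]$Path)
    # Returns a hashtable: section name -> list of non-comment entry lines.
    $sections = @{}
    $current = $null
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(?<name>[^\]]+)\]$') {
            $current = $Matches.name
            if (-not $sections.ContainsKey($current)) {
                $sections[$current] = [System.Collections.Generic.List[string]]::new()
            }
            continue
        }
        if ($null -ne $current) { $sections[$current].Add($line) }
    }
    return $sections
}

function Expand-DemToken {
    param([Parameter(Mandatory)][string]$Entry)
    # DEM's <AppData>/<LocalAppData> tokens map onto the current user's profile folders.
    $map = @{
        '<AppData>'      = [Environment]::GetFolderPath('ApplicationData')
        '<LocalAppData>' = [Environment]::GetFolderPath('LocalApplicationData')
    }
    $out = $Entry
    foreach ($k in $map.Keys) { $out = $out.Replace($k, $map[$k]) }
    return $out
}

function Test-DemTemplate {
    param([Parameter(Mandatory)][string]$Path)
    $cfg = Read-DemTemplate -Path $Path
    $entries = foreach ($section in 'IncludeFolderTrees', 'IncludeFiles', 'IncludeRegistryTrees') {
        if (-not $cfg.ContainsKey($section)) { continue }
        foreach ($entry in ($cfg[$section] | Sort-Object -Unique)) {
            if ($section -eq 'IncludeRegistryTrees') {
                # Test-Path understands the Registry:: provider with the long hive name.
                $target = 'Registry::' + ($entry -replace '^HKCU\\', 'HKEY_CURRENT_USER\')
            } else {
                $target = Expand-DemToken $entry
            }
            [pscustomobject]@{
                Section = $section
                Entry   = $entry
                Exists  = Test-Path -LiteralPath $target
            }
        }
    }
    # Duplicate lines are harmless to DEM but usually signal a copy/paste slip.
    $dupes = foreach ($s in $cfg.Keys) {
        $cfg[$s] | Group-Object | Where-Object Count -gt 1 | ForEach-Object { "$s`: $($_.Name)" }
    }
    [pscustomobject]@{ Entries = $entries; Duplicates = @($dupes) }
}

# Usage (path is a placeholder for wherever you saved the template):
#   $r = Test-DemTemplate -Path 'C:\Temp\Office365.ini'
#   $r.Entries | Where-Object { -not $_.Exists } | Format-Table
#   $r.Duplicates
```

Run it in a session where the user has already opened the Office apps once, so that the per-user folders and keys exist; an entry reported as missing on such a reference session is either a typo in the template or something the application never creates in your build.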

  • 2 months later...
Posted

Many Thanks for these.

Does this fix constant sign-in requests to O365 apps when you use the shared licence activation for instant clone machines and RDS please?

Since moving to an O365 version that includes device based activation we seem to be seeing sign-ins all the time on fresh instant clone sessions.

Regards

Posted
4 hours ago, tonyflan1 said:

Many Thanks for these.

Does this fix constant sign-in requests to O365 apps when you use the shared licence activation for instant clone machines and RDS please?

Since moving to an O365 version that includes device based activation we seem to be seeing sign-ins all the time on fresh instant clone sessions.

Regards

O365 only supports user based licensing/activation, you cannot use device based activation.

When using Microsoft 365 with Instant Clones, here are two main considerations:

  1. Shared Computer Activation - You must enable SCA, which will generate activation tokens that can roam with the user. If using FSLogix, they'll be contained inside of the profile container. If using something else, you'll want to save these to a location that is persistent.
  2. User Sign In - When accessing O365 applications, there's usually 2 authentications or sign-ins.
    1. User Sign In - This is the user signing in to the application, loading preferences, etc.
    2. User Based Authentication - This is O365 activating the users license itself.

For both of these, especially number 2, organizations usually struggle when implementing this.

If you have SSO configured, using either Seamless SSO, or Azure Hybrid Join with PRT, then the login AND activation should be automatic and transparent to the user.

*PLEASE NOTE: If you require MFA, then the user will be prompted to complete the MFA. Sometimes the MFA prompt confuses administrators into thinking SSO (and auto logon) is broken, when it's actually prompting because of the MFA requirement.

If you DO NOT have SSO configured, then the user will have to manually log on and the credentials will be stored in the user's Credential Manager in Windows. If you have a profile persistence solution, these credentials should be saved, and the user shouldn't be prompted again for a very very long time.

*PLEASE NOTE: If you aren't doing SSO with Azure/Entra ID, you'll need to make sure you add the "BlockAADWorkplaceJoin" registry key (I'd recommend configuring a GPO, or using DEM) to the base image to stop it from attempting Hybrid Domain Join, and/or Azure AD Registration, or you'll end up with issues, as well as a bunch of stale devices on Azure. You should also omit the OU from replication to Azure/Entra.

In both cases above, you'll need to make sure you also don't sync and/or delete the "Identity" Key in the registry as well, as it contains machine specific information.

Additional note for Windows 11 - I've seen some customers deploy Windows 11 improperly, attaching a vTPM to the base image and then yanking it before deploying, which has caused some weird issues. These issues were resolved by deploying the Windows 11 base images properly without a vTPM (using WinPE and ADK). A vTPM should never be removed from a Windows 11 instance once attached.

A few blog posts I've written on the topic:

Deploy, Install, and Configure Microsoft Office 365 in a VDI Environment - The Tech Journal (stephenwagner.com)

Understanding Microsoft Azure AD SSO with VDI - The Tech Journal (stephenwagner.com)

Stephen Wagner (President, Digitally Accurate Inc.)

VMware vExpert (vExpert Pro, vSphere, vSAN Awards), Omnissa Tech Insider, NVIDIA NGCA Advisor, VMUG Leader, and Director (Board of Directors) at World of EUC

Check out my Tech Blog: https://www.StephenWagner.com
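Added example (my own PowerShell, not from Stephen's post and not Microsoft or Omnissa code): a check you can run inside a fresh Instant Clone session to see which of the prerequisites described above are actually in place before concluding that SSO is broken. It reads SharedComputerLicensing from the Click-to-Run configuration, the SCLCacheOverride / SCLCacheOverrideDirectory licensing values and the token folder they point at, the BlockAADWorkplaceJoin policy, and the join/PRT state from dsregcmd /status. The registry locations for the licensing override and the WorkplaceJoin policy are taken from Microsoft's documentation as I know it, not from this thread; the -ExpectSso switch describes your tenant and is not detected automatically.

```powershell
# Added example: report the Office activation / sign-in prerequisites of this session.
# Not from the original post. Registry paths below are the documented Microsoft ones
# as I know them (assumption, verify against current docs); -ExpectSso is an input,
# not something the script discovers.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-OfficeVdiActivation {
    param([switch]$ExpectSso)   # set when Seamless SSO or Hybrid Join + PRT is in place
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $lic = 'HKCU:\Software\Microsoft\Office\16.0\Common\Licensing'
    $wpj = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Ok, $Detail)
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }) }

    # 1. SCA: the ODT <Property Name="SharedComputerLicensing" Value="1"/> lands here as a string.
    $sca = Get-RegValue $c2r 'SharedComputerLicensing'
    & $add 'SharedComputerLicensing' ("$sca" -eq '1') "C2R Configuration value: '$sca'"

    # 2. Token location: either the per-user override folder or the default folder must roam.
    $override = Get-RegValue $lic 'SCLCacheOverride'
    $dir      = Get-RegValue $lic 'SCLCacheOverrideDirectory'
    if ("$override" -eq '1' -and $dir) {
        $tokenDir = $dir
    } else {
        $tokenDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Office\16.0\Licensing'
    }
    $tokens = @()
    if (Test-Path -LiteralPath $tokenDir) {
        $tokens = @(Get-ChildItem -LiteralPath $tokenDir -File -ErrorAction SilentlyContinue)
    }
    & $add 'ActivationTokenPresent' ($tokens.Count -gt 0) "$tokenDir ($($tokens.Count) file(s))"

    # 3. Workplace Join block: required without Entra SSO, informational otherwise.
    $block = Get-RegValue $wpj 'BlockAADWorkplaceJoin'
    if ($ExpectSso) {
        & $add 'BlockAADWorkplaceJoin' $true "not required with SSO (current value: '$block')"
    } else {
        & $add 'BlockAADWorkplaceJoin' ($block -eq 1) "expected DWORD 1, found '$block'"
    }

    # 4. dsregcmd shows whether the session really holds a PRT / what its join state is.
    try {
        $status = (& dsregcmd.exe /status) -join "`n"
        $joined = [regex]::Match($status, 'AzureAdJoined\s*:\s*(\w+)').Groups[1].Value
        $prt    = [regex]::Match($status, 'AzureAdPrt\s*:\s*(\w+)').Groups[1].Value
        & $add 'DeviceState' $true "AzureAdJoined=$joined AzureAdPrt=$prt"
    } catch {
        & $add 'DeviceState' $false "dsregcmd not available: $($_.Exception.Message)"
    }
    return $findings
}

# Usage, in the user's own session on a freshly provisioned Instant Clone:
#   Test-OfficeVdiActivation -ExpectSso | Format-Table -AutoSize
```

A session that shows SharedComputerLicensing = 1 but no files under the token folder on a second logon is a roaming problem (DEM or FSLogix is not capturing that folder), whereas AzureAdPrt=NO with -ExpectSso points at the SSO side; the MFA prompt Stephen mentions shows up as neither, which is why it is worth running this before changing any profile settings.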

Posted

Thanks for the info Stephen.

Re - Shared Computer Activation - You must enable SCA, which will generate activation tokens that can roam with the user. If using FSLogix, they'll be contained inside of the profile container. If using something else, you'll want to save these to a location that is persistent.

Can you possibly clarify the basic DEM settings needed that will back up a profile with the settings to 'roam with the user', as I am still getting password pop-ups for the Office logon against my MS user id on new instant clone sessions (using SCA).

I do have instant clone machines that use an App Vol writable disk with no dem agent and they seem to be ok as their profile is being saved to writable disk, so that suggests a DEM setting isn't being captured and the rest of the sign in is happy.

Kind Regards

Posted
1 hour ago, tonyflan1 said:

Thanks for the info Stephen.

Re - Shared Computer Activation - You must enable SCA, which will generate activation tokens that can roam with the user. If using FSLogix, they'll be contained inside of the profile container. If using something else, you'll want to save these to a location that is persistent.

Can you possibly clarify the basic DEM settings needed that will back up a profile with the settings to 'roam with the user', as I am still getting password pop-ups for the Office logon against my MS user id on new instant clone sessions (using SCA).

I do have instant clone machines that use an App Vol writable disk with no dem agent and they seem to be ok as their profile is being saved to writable disk, so that suggests a DEM setting isn't being captured and the rest of the sign in is happy.

Kind Regards

Did you use the XML ODT, GPO, or DEM to configure the SCA token path? Can you confirm you also have SCA enabled?

Stephen Wagner (President, Digitally Accurate Inc.)

VMware vExpert (vExpert Pro, vSphere, vSAN Awards), Omnissa Tech Insider, NVIDIA NGCA Advisor, VMUG Leader, and Director (Board of Directors) at World of EUC

Check out my Tech Blog: https://www.StephenWagner.com

Posted

Hi Stephen,

The settings I used are configured in the Office install XML file as below - 

<Display Level="None" AcceptEULA="True" />
<Property Name="SharedComputerLicensing" Value="1" />

We see a registry key value of - 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration with the SharedComputerLicensing with a setting of 1

and the DEM setting for O365 we have in the DEM console and has been there since the previous version of O365 is -

[IncludeFolderTrees]
<LocalAppData>\Microsoft\Office\16.0\Licensing
<LocalAppData>\Microsoft\Microsoft\Credentials

Do I need to add? - 

add a string value of SCLCacheOverride, and set the value to 1. Also, add a string value of SCLCacheOverrideDirectory and set the value to the path of the folder to save the licensing token.

Posted

I still see a 'password' requirement for my sign-in account when starting Outlook

and the MS Office 'email address' sign-in when I start Word?


Posted
40 minutes ago, tonyflan1 said:

I still see a 'password' requirement for my sign-in account when starting Outlook

and the MS Office 'email address' sign-in when I start Word?


A few questions I have:

  1. Are you licensed for Microsoft 365 E3/E5, or Microsoft 365 Business Premium?
  2. Do you have Azure Seamless SSO, Azure SSO with PRT (Hybrid Joining), or no Azure SSO at all?
  3. Do you have an MFA requirement for users on Azure?
  4. Are you using DEM only, and/or FSLogix? 

Stephen Wagner (President, Digitally Accurate Inc.)

VMware vExpert (vExpert Pro, vSphere, vSAN Awards), Omnissa Tech Insider, NVIDIA NGCA Advisor, VMUG Leader, and Director (Board of Directors) at World of EUC

Check out my Tech Blog: https://www.StephenWagner.com

Posted

Hi Stephen,

These are my responses, maybe I should be raising this with O365 support?

Are you licensed for Microsoft 365 E3/E5, or Microsoft 365 Business Premium?

E3


Do you have Azure Seamless SSO, Azure SSO with PRT (Hybrid Joining), or no Azure SSO at all?

Seamless SSO


Do you have an MFA requirement for users on Azure?

We do use MFA requirements for external auth into our organisation, but this issue is being seen on access to the VDIs, which don't need to employ MFA for access to the VDI.


Are you using DEM only, and/or FSLogix? 

This is a DEM setup.

Posted

One other quick question.... I want to verify your Seamless SSO deployment is functioning, on an Instant Clone, can you go to Office.com, check if you're signed on?

If not, can you click signon, and let me know if it signs you in, or if you get prompted?

Stephen Wagner (President, Digitally Accurate Inc.)

VMware vExpert (vExpert Pro, vSphere, vSAN Awards), Omnissa Tech Insider, NVIDIA NGCA Advisor, VMUG Leader, and Director (Board of Directors) at World of EUC

Check out my Tech Blog: https://www.StephenWagner.com

Posted

Hi Stephen,

I have fixed these issues now with the DEM settings in this post provided by John. I did think it was DEM related because I wasn't getting any issues with a non DEM machine setup instant clone with a writable disk (app volume) which was saving profile data on the local profile.

Sorry, these were the settings I thought I had sent you on Friday for my environment. Thanks for all your help.

Are you licensed for Microsoft 365 E3/E5, or Microsoft 365 Business Premium?

E3


Do you have Azure Seamless SSO, Azure SSO with PRT (Hybrid Joining), or no Azure SSO at all?

Seamless SSO


Do you have an MFA requirement for users on Azure?

We do use MFA requirements for external auth into our organisation, but this issue is being seen on access to the VDIs, which don't need to employ MFA for access to the VDI.


Are you using DEM only, and/or FSLogix? 

This is a DEM setup.

  • 2 weeks later...
Posted

Hello All,

Currently we have the same problem that @tonyflan1 had; I am glad for him that he could resolve his problem :).

For a few weeks now, some users have been telling us they have to log on to M365 each time they connect to VDI desktops.

These last weeks I have spent a lot of time troubleshooting, but I am still not able to find the problem. I suspect DEM, even though I have not made any change for a few months.

Below is my configuration:

Horizon View 8 (2303.1), DEM 2303.1, App Volumes 2303.1 (only for packages like M365 and so on; Writable Volumes are not used)

We use DEM with, of course, the "import/export" config at logon, and folder redirection too.

Instant Clones are used

SCA registry settings on the VDI gold image, and of course GPOs for the Horizon agent and DEM FlexEngine

VDI desktops were never joined to Azure; we have always used Seamless SSO, without problems since the beginning (summer 2023)

I was inspired by @StephenWagner7's excellent tutorial, thanks for that!

I tried to apply the exact import/export DEM config proposed above by @John Twilley, thanks to him too.

But still the same problem: users are still prompted for M365 each time they run Word/Excel or Outlook on VDI desktops.

As I said earlier, we have never used a Writable Volume, but for this problem I tried disabling DEM and activating a Writable Volume instead, for my account for example. It seems to resolve my problem of repeated M365 login prompts and works very well for Word or Excel, but Outlook crashes! I think it's related to the Writable Volume 😞

So I deduce the problem is on the DEM side. Why now? I don't know; maybe some recent cumulative update or M365 version brought some changes, or something like that.

Any suggestions or tips would be appreciated.

Thank you for your help

Best regards

Daniel