Hi all, we have been dogged by this problem for a few months now. We are using Citrix PVS to provision windows 10 desktops and we have conditional access in place. Somewhere around 5%-10% of users will log into a non-persistent windows 10 20H2 desktop which has been AAD hybrid-joined, they will be able to use Office and Teams desktop apps, but they are lacking the Primary Refresh Token (azureADPRT= NO in dsregcmd /status). When they try and visit a site configured with Azure SSO they get the dreaded “you can’t get there from here” failure message for conditional access, because this PRT is missing. Logging out and picking up a new desktop sometimes fixes it but often it will take them several logoffs to fix.
We have a ticket open with Microsoft and we believe we are doing all the right things according to their documentation and have got some trusted third parties to validate our practices as well:
-We do a dsregcmd /LEAVE on the gold image before sealing it
-Desktops have the SYSTEM account configured with our proxy details and perform a dsregcmd /join on startup, which is apparently successful
-we have added a longer “settlementperiodbeforeuse” on the delivery groups in question to make sure everything has time to run/work
-We use FSlogix profile containers and exclude all of %localappdata%\Packages and %localappdata%\TokenBroker
-We delete the following reg entries at logoff to ensure they are not roamed in the user profile
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AAD
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin
-we use Zscaler “one click” configuration for Microsoft 365, but…
-Important URLs are explicitly added to our proxy bypass list anyway
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com
-We have AAD Connect syncing the OUs with these machines
-We are federated with ADFS on-prem, we have never used device authentication in ADFS so we see a few errors in the AAD event log about this but 90%+ of users are working so it seems like a red herring.
-We have tried tinkering with the timing of the dsregcmd /join and are confident all network connectivity is available by the time it runs.
Has anyone had any experience of getting this to work reliably?
All opinions welcome!!