Azure Virtual Desktop Multi-session Windows 11 21H2 CU 2022-09 breaks SSO with AD

Maarten van den Berg 1 Reputation point
2022-10-07T07:01:04.86+00:00

When adding the standard Windows 11 (21H2 22000.978) to Hostpool (AAD joined) we have SSO to our AD resources because of Azure AD Connect. However, when updating to KB5017383 2022-09 CU, the update adds AAD SSO (we have set up the AAD Kerberos object within our AD) and works. This breaks SSO with AD.
Similarly, deploying W11 22H2 (preview) and setting this up with AAD SSO, the SSO with AD breaks.

Is this a known issue? Are there workarounds?


2 answers

  1. Maarten van den Berg 1 Reputation point
    2022-10-10T13:30:41.05+00:00

    This is the answer from the workstation. The one from the W11 22H2 (Preview) multisession for AVD is beneath that again.

    A bit further into troubleshooting, it turns out that setting CloudKerberosTicketRetrievalEnabled = 1 in the registry on the home system allows access to some DFS shares, as follows:

    DFS shares hosted on AD Servers work on W11 22H2 single system
    DFS shares hosted on AD Servers do not work on W11 22H2(preview) multisession system
    DFS shares hosted on Azure Files with AD authentication do not work on any of these two testing systems
    The shares themselves straight from Azure Files with AD authentication also do not work on any of these two testing systems
    DFS shares hosted on Azure Files with AAD authentication do work on both of these two testing systems
    The shares themselves straight from Azure Files with AAD authentication do work on both of these two testing systems

    +----------------------------------------------------------------------+
    | Device State |
    +----------------------------------------------------------------------+

             AzureAdJoined : YES  
          EnterpriseJoined : NO  
              DomainJoined : NO  
           Virtual Desktop : NOT SET  
               Device Name : LP-H0DX693  
    

    +----------------------------------------------------------------------+
    | Device Details |
    +----------------------------------------------------------------------+

                  DeviceId : is there  
                Thumbprint : is there  
    

    DeviceCertificateValidity : [ 2022-02-15 10:03:26.000 UTC -- 2032-02-15 10:33:26.000 UTC ]
    KeyContainerId : is there
    KeyProvider : Microsoft Platform Crypto Provider
    TpmProtected : YES
    DeviceAuthStatus : SUCCESS

    +----------------------------------------------------------------------+
    | Tenant Details |
    +----------------------------------------------------------------------+

                TenantName : Innovam  
                  TenantId : is there  
               AuthCodeUrl : https://login.microsoftonline.com/is there/oauth2/authorize  
            AccessTokenUrl : https://login.microsoftonline.com/is there/oauth2/token  
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc  
                 MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx  
          MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance  
               SettingsUrl : is there  
            JoinSrvVersion : 2.0  
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/  
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net  
             KeySrvVersion : 1.0  
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/  
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net  
        WebAuthNSrvVersion : 1.0  
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/is there/  
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net  
    DeviceManagementSrvVer : 1.0  
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/is there/  
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net  
    

    +----------------------------------------------------------------------+
    | User State |
    +----------------------------------------------------------------------+

                    NgcSet : NO  
           WorkplaceJoined : NO  
             WamDefaultSet : YES  
       WamDefaultAuthority : organizations  
              WamDefaultId : https://login.microsoft.com  
            WamDefaultGUID : {is there} (AzureAd)  
    

    +----------------------------------------------------------------------+
    | SSO State |
    +----------------------------------------------------------------------+

                AzureAdPrt : YES  
      AzureAdPrtUpdateTime : 2022-10-10 12:41:28.000 UTC  
      AzureAdPrtExpiryTime : 2022-10-24 12:41:27.000 UTC  
       AzureAdPrtAuthority : https://login.microsoftonline.com/is there  
             EnterprisePrt : NO  
    EnterprisePrtAuthority :   
                 OnPremTgt : YES  
                  CloudTgt : YES  
         KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342  
    

    +----------------------------------------------------------------------+
    | Diagnostic Data |
    +----------------------------------------------------------------------+

        AadRecoveryEnabled : NO  
    Executing Account Name : INNOVAM\MBR, ******@innovam.nl  
               KeySignTest : PASSED  
    
        DisplayNameUpdated : Managed by MDM  
          OsVersionUpdated : Managed by MDM  
           HostNameUpdated : YES  
    
      Last HostName Update : SUCCESS  
               Client Time : 2022-10-09 08:38:41.000 UTC  
                Request ID : fb5002ac-d7f4-435d-928f-c647e0ef97e8  
               Server Time : 10-09-2022 8:38:42Z  
               HTTP Status : 200  
            Server Message : The attribute 'hostnames' value(s) were successfully updated  
    

    +----------------------------------------------------------------------+
    | IE Proxy Config for Current User |
    +----------------------------------------------------------------------+

      Auto Detect Settings : YES  
    Auto-Configuration URL :   
         Proxy Server List :   
         Proxy Bypass List :   
    

    +----------------------------------------------------------------------+
    | WinHttp Default Proxy Config |
    +----------------------------------------------------------------------+

               Access Type : DIRECT  
    

    +----------------------------------------------------------------------+
    | Ngc Prerequisite Check |
    +----------------------------------------------------------------------+

            IsDeviceJoined : YES  
             IsUserAzureAD : YES  
             PolicyEnabled : NO  
          PostLogonEnabled : YES  
            DeviceEligible : YES  
        SessionIsNotRemote : YES  
            CertEnrollment : none  
              PreReqResult : WillNotProvision  
    

    For more information, please visit https://www.microsoft.com/aadjerrors

    The W11 22H2 (Preview) multisession:

    +----------------------------------------------------------------------+
    | Device State |
    +----------------------------------------------------------------------+

             AzureAdJoined : YES  
          EnterpriseJoined : NO  
              DomainJoined : NO  
           Virtual Desktop : NOT SET  
               Device Name : AZ-WVD-W11P-1  
    

    +----------------------------------------------------------------------+
    | Device Details |
    +----------------------------------------------------------------------+

                  DeviceId : is there  
                Thumbprint : is there  
    

    DeviceCertificateValidity : [ 2022-10-08 16:38:05.000 UTC -- 2032-10-08 17:08:05.000 UTC ]
    KeyContainerId : is there
    KeyProvider : Microsoft Platform Crypto Provider
    TpmProtected : YES
    DeviceAuthStatus : SUCCESS

    +----------------------------------------------------------------------+
    | Tenant Details |
    +----------------------------------------------------------------------+

                TenantName : Innovam  
                  TenantId : is there  
               AuthCodeUrl : https://login.microsoftonline.com/is there/oauth2/authorize  
            AccessTokenUrl : https://login.microsoftonline.com/is there/oauth2/token  
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc  
                 MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx  
          MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance  
               SettingsUrl : is there  
            JoinSrvVersion : 2.0  
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/  
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net  
             KeySrvVersion : 1.0  
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/  
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net  
        WebAuthNSrvVersion : 1.0  
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/is there/  
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net  
    DeviceManagementSrvVer : 1.0  
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/is there/  
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net  
    

    +----------------------------------------------------------------------+
    | User State |
    +----------------------------------------------------------------------+

                    NgcSet : NO  
           WorkplaceJoined : NO  
             WamDefaultSet : YES  
       WamDefaultAuthority : organizations  
              WamDefaultId : https://login.microsoft.com  
            WamDefaultGUID : {is there} (AzureAd)  
    

    +----------------------------------------------------------------------+
    | SSO State |
    +----------------------------------------------------------------------+

                AzureAdPrt : YES  
      AzureAdPrtUpdateTime : 2022-10-10 13:17:09.000 UTC  
      AzureAdPrtExpiryTime : 2022-10-24 13:17:08.000 UTC  
       AzureAdPrtAuthority : https://login.microsoftonline.com/is there  
             EnterprisePrt : NO  
    EnterprisePrtAuthority :   
                 OnPremTgt : YES  
                  CloudTgt : YES  
         KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342  
    

    +----------------------------------------------------------------------+
    | Diagnostic Data |
    +----------------------------------------------------------------------+

        AadRecoveryEnabled : NO  
    Executing Account Name : INNOVAM\MBR, ******@innovam.nl  
               KeySignTest : PASSED  
    
        DisplayNameUpdated : Managed by MDM  
          OsVersionUpdated : Managed by MDM  
           HostNameUpdated : YES  
    
      Last HostName Update : NONE  
    

    +----------------------------------------------------------------------+
    | IE Proxy Config for Current User |
    +----------------------------------------------------------------------+

      Auto Detect Settings : YES  
    Auto-Configuration URL :   
         Proxy Server List :   
         Proxy Bypass List :   
    

    +----------------------------------------------------------------------+
    | WinHttp Default Proxy Config |
    +----------------------------------------------------------------------+

               Access Type : DIRECT  
    

    +----------------------------------------------------------------------+
    | Ngc Prerequisite Check |
    +----------------------------------------------------------------------+

            IsDeviceJoined : YES  
             IsUserAzureAD : YES  
             PolicyEnabled : YES  
          PostLogonEnabled : YES  
            DeviceEligible : NO  
        SessionIsNotRemote : NO  
            CertEnrollment : none  
              PreReqResult : WillNotProvision  
    

    For more information, please visit https://www.microsoft.com/aadjerrors

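The two dsregcmd /status dumps above were read by eye for the same handful of fields (AzureAdPrt, CloudTgt, OnPremTgt, SessionIsNotRemote) alongside the registry value the poster set. The script below is an added example, not part of the original post and not a Microsoft tool: it reads CloudKerberosTicketRetrievalEnabled from the registry path Microsoft documents for Azure AD Kerberos, parses the "Key : Value" lines of dsregcmd /status, and reports the SSO-relevant state in one place. The embedded dsregcmd text and the SPN cifs/fileserver.corp.example.com are constructed placeholders so it runs offline; -Live switches to the real host (run elevated on the session host), and the klist check assumes a successful "klist get" lists the ticket with a "Server:" line.

```powershell
<#
 Added example (not from the original post): summarise Azure AD Kerberos / on-prem
 SSO state from the registry and dsregcmd /status. Sample dsregcmd text is constructed;
 pass -Live to query the real host.
#>
[CmdletBinding()]
param(
    [switch]$Live,                                      # query the real host instead of the sample
    [string]$Spn = 'cifs/fileserver.corp.example.com'   # constructed placeholder SPN for the klist check
)

# Registry location Microsoft documents for Azure AD Kerberos ticket retrieval.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'CloudKerberosTicketRetrievalEnabled'

function Get-DsregStatusText {
    param([switch]$Live)
    if ($Live) { return ((& dsregcmd.exe /status) -join "`n") }
    # Constructed sample mirroring the fields quoted above for the multisession host.
    return @'
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
             EnterprisePrt : NO
                 OnPremTgt : YES
                  CloudTgt : YES
         KerbTopLevelNames : .windows.net,.windows.net:1433,.azure.net
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
        SessionIsNotRemote : NO
'@
}

function ConvertFrom-DsregStatus {
    param([string]$Text)
    # Banner lines ("| SSO State |") and rules ("+----") do not match; "Key : Value" lines do.
    # The lazy key match stops at the first colon, so URL values keep their "https:" intact.
    $map = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $map[$Matches[1]] = $Matches[2]
        }
    }
    return $map
}

function Test-CloudKerberosSso {
    param([hashtable]$Status, [int]$RegistryValue)
    $checks = [ordered]@{
        'AzureAdJoined = YES'                          = ($Status['AzureAdJoined'] -eq 'YES')
        'AzureAdPrt = YES (PRT present)'               = ($Status['AzureAdPrt']    -eq 'YES')
        'CloudTgt = YES (Azure AD Kerberos TGT)'       = ($Status['CloudTgt']      -eq 'YES')
        'OnPremTgt = YES (on-prem TGT via AAD Kerberos)' = ($Status['OnPremTgt']   -eq 'YES')
        "$ValueName = 1 in registry"                   = ($RegistryValue -eq 1)
    }
    [pscustomobject]@{
        Checks        = $checks
        AllPassed     = -not ($checks.Values -contains $false)
        RemoteSession = ($Status['SessionIsNotRemote'] -eq 'NO')   # expected NO inside an AVD session
        KerbRealms    = $Status['KerbTopLevelNames']                # suffixes served by the cloud KDC
    }
}

function Test-ServiceTicket {
    # Live only: request a ticket for $Spn and look for it in the klist output.
    # Assumption: a successful "klist get" prints the ticket with a "Server:" line.
    param([string]$Spn)
    $out = (& klist.exe get $Spn) -join "`n"
    return ($out -match ('Server:\s*' + [regex]::Escape($Spn)))
}

$regValue = 1   # constructed value for the offline run (the poster set it to 1)
if ($Live) {
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    $regValue = if ($null -ne $item) { [int]$item.$ValueName } else { 0 }   # absent = not enabled
}

$status = ConvertFrom-DsregStatus -Text (Get-DsregStatusText -Live:$Live)
$result = Test-CloudKerberosSso -Status $status -RegistryValue $regValue

foreach ($k in $result.Checks.Keys) {
    '{0,-50} {1}' -f $k, $(if ($result.Checks[$k]) { 'OK' } else { 'FAIL' })
}
"Remote (AVD) session: $($result.RemoteSession)  (SessionIsNotRemote = NO is expected there)"
"Suffixes routed to the Azure AD Kerberos realm: $($result.KerbRealms)"
if ($Live) { "Ticket for $Spn obtained: $(Test-ServiceTicket -Spn $Spn)" }
"All checks passed: $($result.AllPassed)"
```

Reading the two dumps this way makes the point the poster found by trial: both hosts show AzureAdPrt, CloudTgt and OnPremTgt as YES, so the cloud Kerberos path is healthy on both, and the difference that matters is which share targets can be reached with the resulting tickets. The Ngc Prerequisite Check block differs (DeviceEligible and SessionIsNotRemote are NO on the session host), but that block concerns Windows Hello provisioning, which is expected to be unavailable in a remote session, so it is not by itself the cause of the file-share failure.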

  2. Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
    2022-11-01T16:42:58.813+00:00

    @Maarten van den Berg

    As we discussed on phone, this issue is resolved by latest patches released by Microsoft recently.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

