
Multiple user errors daily in Citrix LTSR 1912cu5 with Microsoft Teams

PREFACE:

Microsoft Teams is awful, and I wish we didn't have to use it, but here we are and I need to get to the bottom of this. Everyone's pissy about Teams never working for them, so they all just use the web client for the time being. However, our end goal is to have the application working flawlessly. And due to not running a fully persistent setup, proxy settings, white/blacklists for websites, outright security policies, Azure itself, we can't figure out what the root of our problem is with so many symptoms.

 

CURRENT ACTION: 

As of the moment, we have implemented a script that purges all files that are not in a folder (out of seeing errors with "desktop-config.json", "preauth.json", "settings.json" and "storage.json" at multiple points in the logs) within \AppData\Roaming\Microsoft\Teams. The folder is being synced by FSLogix, our main idea being that we want the Thin Clients to store userdata and files on our servers instead. However, this event happens before the system shuts down for the night, making Teams effectively launch as if it was the first time it's launched every day. This method has solved around 80% of the cases we have experienced, preventing them before they happen.

The other action we are currently taking is manually going and running a script to purge the files similar to the nightly purge. This is done system by system, user by user, and cannot continue if we want to get things done in our department.

The files that are currently wiped are attached in the photo.

 

MOVING FORWARD:
I am likely not able to share log files from Teams, but my list of running theories starts here from them:

WAM fails to log in the user, sets "WAM fallback error" to true, and then sets itself to use ADAL, only occasionally launching the app. Not sure if this correlates specifically with our firewall, but I don't believe it's likely. 

The error code produced is almost always "80070003", which I have not managed to find documentation for.

 

Note: I am obviously at my job and wouldn't be playing with software and virtualization like this otherwise. It might be a moment before I reply, and keep in mind I am not going to be able to share a good bit of information about the issue, as the issue the company is facing is not mine to disclose.


Thank you all for any and all help in the years I have been here, active or not. 

image001.png

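The purge described in the post above, sketched as an added PowerShell example (not part of the original post and not the poster's script): it removes only the files that sit directly in the Teams roaming folder and leaves every subfolder alone. The function name `Clear-TeamsRootFiles` is hypothetical, and the example assumes the classic Teams client, whose process is `Teams.exe`, running under the current user's session.

```powershell
# Added example: purge only the top-level files of the Teams roaming folder.
# Function name is hypothetical; the folder is the one named in the post.
function Clear-TeamsRootFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Resolves to <profile>\AppData\Roaming\Microsoft\Teams for the current user.
        [string]$TeamsPath = (Join-Path $env:APPDATA 'Microsoft\Teams')
    )

    if (-not (Test-Path -LiteralPath $TeamsPath -PathType Container)) {
        Write-Verbose "No Teams folder at $TeamsPath; nothing to do."
        return
    }

    # Stop Teams first so the JSON state files are not in use or rewritten.
    # On a multi-session host, touch only processes in this user's session.
    $mySession = (Get-Process -Id $PID).SessionId
    Get-Process -Name 'Teams' -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $mySession } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("Teams.exe (PID $($_.Id))", 'Stop process')) {
                $_ | Stop-Process -Force
            }
        }

    # -File without -Recurse: only files directly in the folder, never subfolders.
    foreach ($file in Get-ChildItem -LiteralPath $TeamsPath -File -Force) {
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete')) {
            try {
                Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                [pscustomobject]@{ File = $file.Name; Removed = $true; Error = $null }
            } catch {
                # Report locked or protected files instead of aborting the run.
                [pscustomobject]@{ File = $file.Name; Removed = $false; Error = $_.Exception.Message }
            }
        }
    }
}

# Dry run: lists what would be stopped and deleted without changing anything.
Clear-TeamsRootFiles -WhatIf
```

Dropping `-WhatIf` performs the purge; the returned objects give a per-file record that can be logged for the users who still hit the error afterwards.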

Teams on VDIs is a HUGE pain, here are my questions:

- are you guys using the machine wide installer?

- have you blocked the "Allow my organization to manage my device" in the registry?

 

From the tests we did, you don't really have a choice to have Teams data be in each user profile and not on the machine (even with the "machine wide installer"). We're using FSLogix for the user profiles so that this stuff follows them regardless of the VM they log in to. It's still buggy but blocking the "Allow my organization to manage my device" fixes most of the problems we had ... but we still have regular issues and have to wipe whole profiles from time to time.

 

If you have profile management, you should also add the Teams folders to the profile container.

If you need help with your forum account, please use the Forum Support form!


We are currently using the machine wide installer, under both /ALLUSER and /ALLUSERS. 

However, I have not seen that registry yet. What's the path for it? I currently have a broken instance, so I'd like to test this out. 

Thank you again.

 


14 minutes ago, openthatchest said:

We are currently using the machine wide installer, under both /ALLUSER and /ALLUSERS. 

However, I have not seen that registry yet. What's the path for it? I currently have a broken instance, so I'd like to test this out. 

Thank you again.

 

 

The registry path:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin

Key (dword):

"BlockAADWorkplaceJoin"

Value 1

That'll block the "Allow my organization to manage my device" setting in the background.

 

We have that in the MS Office GPO for anyone that logs into our VDI farm (we're using AVD, not Citrix).

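To check or apply the setting from the post above on a single test machine, here is an added PowerShell example (not part of the original post). The registry path, value name and data are the ones given in the post; the function names `Get-WorkplaceJoinBlock` and `Set-WorkplaceJoinBlock` are hypothetical, and writing under HKLM needs an elevated session.

```powershell
# Added example; function names are hypothetical. Path, value name and data
# are the ones given in the post.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$ValueName  = 'BlockAADWorkplaceJoin'

function Get-WorkplaceJoinBlock {
    # Returns the current state without changing anything.
    $prop = Get-ItemProperty -LiteralPath $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ State = 'NotConfigured'; Data = $null; Kind = $null }
    }
    $kind = (Get-Item -LiteralPath $PolicyPath).GetValueKind($ValueName)
    $data = $prop.$ValueName
    $state = if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        'WrongType'          # e.g. created as a string by mistake
    } elseif ($data -eq 1) {
        'Blocked'
    } else {
        'NotBlocked'
    }
    [pscustomobject]@{ State = $state; Data = $data; Kind = $kind }
}

function Set-WorkplaceJoinBlock {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not $PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", 'Set DWORD to 1')) { return }
    if (-not (Test-Path -LiteralPath $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null      # create the policy key
    }
    # -Force replaces an existing value, including one of the wrong type.
    New-ItemProperty -LiteralPath $PolicyPath -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Get-WorkplaceJoinBlock
}

# Read-only check first; then preview the write with -WhatIf.
Get-WorkplaceJoinBlock
Set-WorkplaceJoinBlock -WhatIf
```

If a GPO already manages this value, a local change is overwritten at the next policy refresh, so the read-only check is the useful part on a domain-managed machine.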

We do have permissions that require that to be set to false, unfortunately. Will test it on some dev environments however. Thank you.
