I’ve moved on to a new AVD setup. I went with full cloud: Entra Joined, Intune managed and page blobs for FSLogix. Fantastic.
I started to run into the same issue I had in a previous post where I talked about the roamIdentity FSLogix issue. There is a HUGE warning on the Microsoft site that you cannot roam WAM tokens when you are using Intune so turning that on was not an option.
The AAD Operational log was full of errors saying it was unable to retrieve a PRT which makes sense, if it can’t get a token, I’m going to have to login everywhere. It was also displaying this error:
“Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access”
This sent me down a Conditional Access, Legacy Method etc etc rabbit hole. No dice.
Eventually I noticed that the Windows App on Windows didn’t trigger the problem but logging in from a Mac or the Web client made it happen immediately. This set off a bulb in my head: The Windows machine was Entra Joined.
The fix was to enable Entra Single Sign on in the RDP properties and follow the PowerShell instructions in this article:
Bingo Bango – Logins from any OS now not only didn’t have the problem, they didn’t prompt for in-session password authentication.