OneDrive + AVD + FSLogix = Password Prompts

I recently setup a few AVD pools for internal and customer use. I was running into an issue where OneDrive login would not persist across logins. After every sign in to the session host I had to re-authenticate. Then I built another pool that was even worse – Office activation wouldn’t stick either.

If you have ever gone done the Google rabbit hole of WAM, ADAL, Office Shared Computer Activation, License Token roaming and so on and so on… my hats off, I’ve been there too. It’s not cool. But I found a solution for my use case.

Office Troubles

Why were the two clusters different with one not having Office stick either? Azure AD. The internal use pool is Hybrid Joined Windows 11 with an “on-prem” AD and AAD Connect syncing up computer objects. The customer pool is Windows 10 with AD join to AAD DS. There is no Hybrid Join in AAD DS. The Office SSO was working because of the PRT that the Hybrid join gets you. That token is generated on each login and does the job.

What About OneDrive?

OneDrive doesn’t seem to use the Hybrid Join PRT for authentication. Instead it uses the older (but not as old as ADAL) WAM subsystem to store credentials. Turns out Microsoft, in their infinite wisdom, has seen fit to make the new default setting in FSLogix to not roam these WAM tokens in the profile. They refer to it as the “preferred setting.” I don’t know in what world it would be preferred to lose all semblance of login persistence and auth to 5+ apps every day… BUT, that’s why I don’t work at Microsoft.

The Fix

HKEY_LOCAL_MACHINE\SOFTWARE\FSLogix\Profiles

DWORD – RoamIdentity

Value – 1

Profit?!!?

UPDATE: The Caveat

This is well noted in the documentation but I’ll note it here as well: Do Not Use RoamIdentity if you are using Intune to manage your AVD session hosts. It will break things. Badly.