Microsoft 365 Apps Sign-in from Windows Server 2019

I’m in the process of migrating my Citrix Virtual Apps environment from Windows Server 2012 R2 to Windows Server 2019. After I moved a few users to the new Virtual Delivery Agents, I almost instantly noticed Microsoft 365 Apps (until now known as Office 365 ProPlus) sign-in did not work. My environment is configured with Single sign-on (SSO) and ADFS, so the users should never be prompted for a sign-in – but they were. And the biggest issue was that when they entered their e-mail address, the sign-in box turned into a blank white box.

Since my SSO is working just fine from the old Windows Server 2012 R2 VDA servers, and any GPOs are the same in both environments, I knew something was up with Server 2019. According to this blog post from Microsoft, there should be no compatibility issues. But in fact there are.

After some research, I found out that since build 16.0.7967 of Microsoft 365 Apps, Microsoft has been using WAM (Web Account Manager) as the sign-in method instead of the old ADAL (Azure Active Directory Authentication Library) method. Although it should work on Server 2019, it doesn’t. For now, I’m not sure if it’s a general issue or something connected to my specific environment.

Anyhow, I found a few blog posts (for instance this post) on how to disable WAM using the registry. Just make a GPP adding the following registry key to all users:

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableADALatopWAMOverride"=dword:00000001

That did the trick for me, i.e. no more sign-in box at all! If that doesn’t help, add the following registry key as well:

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableAADWAM"=dword:00000001

Edit 2022-05-11: Since the latest version of Microsoft 365 Apps, even more keys must be added for the sign-in to work (refer to this Citrix article):

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity]
"DisableMSAWAM"=dword:00000001

Remember – this is not a supported or preferred solution. It’s a dirty workaround, and the main issue should be solved as soon as possible.
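Because the workaround is meant to be temporary, it helps to know where it is actually in effect. The following is an added example (not part of the original post) that reports which of the three values above are set for each user hive currently loaded on a server. The function name Get-WamOverride is hypothetical; the script assumes it is run elevated, since reading other users' hives under HKEY_USERS requires administrative rights, and it only sees users who are logged on.

```powershell
# Added example: audit the WAM override values from this post per loaded user hive.
$valueNames = 'DisableADALatopWAMOverride', 'DisableAADWAM', 'DisableMSAWAM'
$subKey     = 'Software\Microsoft\Office\16.0\Common\Identity'

function Get-WamOverride {
    param(
        # HKEY_USERS holds one subkey per loaded user hive (logged-on users).
        [string]$Root = 'Registry::HKEY_USERS'
    )
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
        # Keep domain (S-1-5-21-...) and Azure AD (S-1-12-1-...) user SIDs;
        # the anchored pattern skips service accounts and the *_Classes hives.
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName

            # Resolve the SID to an account name where possible.
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '(unresolved)'
            }

            $props = Get-ItemProperty -Path "$Root\$sid\$subKey" -ErrorAction SilentlyContinue
            foreach ($name in $valueNames) {
                $data = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
                [pscustomobject]@{
                    Account  = $account
                    Sid      = $sid
                    Value    = $name
                    Data     = $data            # $null means the value is not present
                    Override = ($data -eq 1)    # 1 = override active, as set in this post
                }
            }
        }
}

# Show only the overrides that are active, grouped by user.
Get-WamOverride |
    Where-Object Override |
    Sort-Object Account, Value |
    Format-Table Account, Value, Data -AutoSize
```

Running it periodically on each session host gives a list of users and values to clean up once sign-in works without the workaround.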

11 thoughts on “Microsoft 365 Apps Sign-in from Windows Server 2019”

  1. Thanks it works nice… I have the same issue for Skype and MS Teams… and those regkeys are not fixing it for Skype or Teams… but it does fix it for office.
    Any clue of how this can be fixed?? 🙂

  2. We have this EXACT same problem, and I will try those REG entries. Did you ever find an answer to the TEAMS question, as it is doing the same thing (SSO doesn’t seem to work)…

    Thanks!

    1. I never investigated Teams any further as we are not running Teams in our terminal server environment – just some Office applications.
      Perhaps you need to somehow disable ADAL for Teams specifically.

    2. Just a follow-up to my previous post: we also had to include the following folder to sync into our profile management solution (Citrix):

      “AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy”

      For now it seems to work, hope Microsoft itself will fix this in the future.

  3. Facing the same issue now with SSO on newest 365, 2019 RDS. Is this still the only solution as WAM doesn’t appear to work in traditional AD joined RDS?

    1. Yes, we are still using this workaround in our 2019 environment with the latest Office. I’m a bit surprised MS hasn’t fixed it yet…

  4. Thanks for the article! This solution also helped us in a Windows Server 2019 environment. I assume Microsoft hasn’t solved the problem yet? Does anyone have more information about this? On Microsoft’s site? I can’t find anything about it.

  5. MS still hasn’t fixed this; a case with MS could not resolve it either. 2019 RDS with UPD profiles. The 2 registry keys were working for me previously; now, even with the addition of the 3rd that Citrix recommends, it does not fix it. Seamless SSO works if I shut off 2FA for the RDS servers, but I’d rather not do that. Frustrating!
