Issue and Background
As we move Citrix Virtual Apps and Desktops\Service (CVAD\S) workloads to Windows Server 2019, we keep running into behaviors that are "different" from earlier server releases and (who would have thought) simply do not work on this OS. One of the more interesting gotchas is the behavior of Microsoft 365 Apps for Enterprise (formerly Office 365 ProPlus) during activation: if an Office app is launched as a published app, activation is impossible. Interestingly, this issue affects Microsoft's own RDS implementations as well, not just Citrix.
- OS: Windows Server 2019 (any edition, latest updates).
- Microsoft 365 Apps for Enterprise activation is failing when a published app (e.g., Word) is launched.
- Activation works with no issues if done in the published desktop.
- Affects Microsoft 365 native authentication as well as third parties such as Okta.
- Office 2016 and older builds of Office 365 activate with no issues.
- This does not affect Windows 10 OS.
So, what is happening here: the newest Office on the newest server OS cannot activate, even with Microsoft's native activation process?
The issue lies in the authentication process. For older builds such as Office 2016, Microsoft used the Azure Active Directory Authentication Library (ADAL) framework for authentication. Modern builds of Office instead use Web Account Manager (WAM) for the sign-in workflow during activation. Surprisingly, there is a bug in Windows Server 2019 that breaks the WAM process for published apps. It has been a known issue, one that "Microsoft is working on fixing", since June 2020.
Here is what should be expected when launching Microsoft Word for the first time (native MS and Okta):
Authentication Experience with Microsoft as IdP:
Authentication Experience with Okta as IdP:
Trying to activate a seamless published Microsoft Word app will result in an email prompt followed by a complete “freeze” of your Word app.
Citrix has released an official CTX article for this issue. However, it only includes half of the workaround and does not provide sufficient details.
To date, the only available fix is a workaround that suppresses Web Account Manager (WAM) and reverts Office 365 back to Azure Active Directory Authentication Library (ADAL). This is a per-user fix (the values live under HKEY_CURRENT_USER, so they must be present in each user's hive) and requires adding the following registry values:
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableADALatopWAMOverride"=dword:00000001
"DisableAADWAM"=dword:00000001
The above can be accomplished using Group Policy Preferences (a registry item in a GPO):
Or even better with Citrix WEM:
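For environments where neither GPP nor WEM is available, or where you want to confirm that the policy actually landed in the user's hive, the same two values can be applied and verified from a logon script. The script below is an added example, not code from the original post or from Citrix; it writes the values described above under HKCU and then reads them back. The function names, the optional Server 2019 guard (based on the post's note that Windows 10 is not affected), and the use of Win32_OperatingSystem.Caption for that guard are this example's own choices.

```powershell
# Added example (not from the original post): apply and verify the per-user
# WAM suppression values for Microsoft 365 Apps (Office 16.0) on a Server 2019 VDA.
# Intended to run in the user's own session (e.g. as a logon script) so that
# HKCU resolves to the user's hive. Function names are this example's own.

$IdentityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'

# The two values named in the post; both must be DWORD 1 to force ADAL over WAM.
$WamOverrideValues = @{
    'DisableADALatopWAMOverride' = 1
    'DisableAADWAM'              = 1
}

function Test-IsWindowsServer2019 {
    # Guard so the ADAL fallback is only applied where the WAM bug exists
    # (the post notes Windows 10 is not affected). Assumption: caption match
    # is a good enough OS test for this purpose.
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    return ($caption -like '*Windows Server 2019*')
}

function Set-OfficeWamSuppression {
    # Creates the Identity key if missing and writes both DWORD values.
    if (-not (Test-Path -Path $IdentityKey)) {
        New-Item -Path $IdentityKey -Force | Out-Null
    }
    foreach ($name in $WamOverrideValues.Keys) {
        New-ItemProperty -Path $IdentityKey -Name $name -PropertyType DWord `
            -Value $WamOverrideValues[$name] -Force | Out-Null
    }
}

function Test-OfficeWamSuppression {
    # Returns $true only when both values exist and equal 1; anything else
    # (missing key, missing value, wrong data) returns $false so a monitoring
    # or logon script can flag the user session as not remediated.
    if (-not (Test-Path -Path $IdentityKey)) { return $false }
    $props = Get-ItemProperty -Path $IdentityKey
    foreach ($name in $WamOverrideValues.Keys) {
        if ($props.$name -ne $WamOverrideValues[$name]) { return $false }
    }
    return $true
}

# --- Usage ---------------------------------------------------------------
if (Test-IsWindowsServer2019) {
    Set-OfficeWamSuppression
    if (Test-OfficeWamSuppression) {
        Write-Output "WAM suppressed for Office 16.0 in this user's hive; ADAL sign-in will be used."
    } else {
        Write-Warning "Registry values missing or incorrect under $IdentityKey"
    }
} else {
    Write-Output "Not Windows Server 2019; leaving Office sign-in (WAM) untouched."
}
```

Because the values are per-user, running the script once as an administrator does not help other users; it has to execute in each user's session (logon script, WEM action, or GPP with "Run in logged-on user's security context"). The Test-OfficeWamSuppression function is also handy on its own as a quick check when a user reports that a published Word app still freezes at the email prompt.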
These tips will save significant time during the deployment of Office on Windows Server 2019.