Recently I’ve been dealing with a particularly strange and annoying issue with Windows 11 23H2 running on a VMware/Omnissa Horizon VDI environment using Instant Clone Desktop Pools and FSLogix Profile Containers.
Occasionally (sometimes multiple times a day), parts of the desktop shell appear to become somewhat unresponsive and end-users are unable to click anything. This is more noticeable within File Explorer, where the options on the right-click context menus and the address/command bar cannot be selected.
After searching high and low on the Internet I was surprised to find very little on this issue and wondered if it was something only related to the environment I was supporting, however I came across a thread on the Omnissa community forums by Stephen Wagner which seems to detail most of the same symptoms. https://community.omnissa.com/forums/topic/69009-osot-issues-windows-11-23h2/
Hats off to Stephen as he’s done a lot of testing on this issue, and from some initial testing it looks specific to Windows 11 23H2 when Instant Clones are using Seamless SSO as opposed to Azure AD/Entra ID SSO with Primary Refresh Tokens.
For those not familiar, Seamless SSO is the legacy way of automatically signing users in to Microsoft cloud services and applications when they are on corporate devices connected to a corporate network. Azure AD SSO with Primary Refresh Tokens works once devices are registered with Azure AD/Entra ID, either hybrid joined or fully cloud-joined, and is generally preferred for Windows 10 and above. In the case of Horizon Instant Clones, this means these VMs must be hybrid-joined to Azure AD/Entra ID.
Is there a fix?
There is no official fix from Microsoft at this stage and I’m not sure why the SSO configuration would cause such a weird issue, but there are a couple of workarounds.
- Move from Seamless SSO to Azure AD/Entra ID SSO (Requires Hybrid Joining Instant Clone VMs)
- Upgrade or build a new golden image VM with Windows 11 24H2 (This doesn’t appear to be affected)
- Revert to the old Windows 10 File Explorer (Still works as of 24H2)
Note: To move to Windows 11 24H2 you will need to be on Horizon 2406 or later, however you can deploy the 2406 agent whilst using previous Connection Server versions such as 2312.
In the environment I was supporting I didn’t want to go down the route of using the old Windows 10 File Explorer shell as it is currently unsupported by Microsoft and could potentially stop working in future, so I simply opted to upgrade our existing gold image VMs to Windows 11 24H2 and am currently monitoring things (fingers crossed).
On a side note, the environment did use Azure AD/Entra ID SSO on instant clone pools at one point, however I had to revert back to Seamless SSO due to the delays with machines getting a Primary Refresh Token and causing SSO failures for end-users. Horizon 2406 and later has introduced some improvements with this so I’ll likely be testing this again.
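If you are testing the move to Azure AD/Entra ID SSO, the following added example (not part of the original post) parses `dsregcmd /status` output to show whether a clone is hybrid joined and whether the signed-in user has a Primary Refresh Token. The function name `Get-SsoReadiness` and the sample text are constructed for illustration; the field names are those printed by `dsregcmd /status`.

```powershell
# Added example. Parses `dsregcmd /status` text and reports whether this
# session can use Entra ID SSO via a Primary Refresh Token (PRT).
function Get-SsoReadiness {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    # dsregcmd prints "Name : Value" pairs; collect them into a lookup table.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # Hybrid join means the device is both AD domain joined and Entra ID joined.
    $hybrid = ($fields['AzureAdJoined'] -eq 'YES') -and ($fields['DomainJoined'] -eq 'YES')
    # The PRT is per user, so this only reflects the session the command ran in.
    $hasPrt = $fields['AzureAdPrt'] -eq 'YES'

    if (-not $hybrid) {
        $verdict = 'Not hybrid joined: Entra ID SSO unavailable'
    } elseif (-not $hasPrt) {
        $verdict = 'Hybrid joined, no PRT yet: SSO will fail until one is issued'
    } else {
        $verdict = 'Hybrid joined with PRT: Entra ID SSO ready'
    }

    [pscustomobject]@{
        HybridJoined  = $hybrid
        HasPrt        = $hasPrt
        PrtUpdateTime = $fields['AzureAdPrtUpdateTime']
        Verdict       = $verdict
    }
}

# Constructed sample output (not captured from a real machine): a clone that
# has completed hybrid join but has not yet received a PRT.
$sample = @'
        AzureAdJoined : YES
         DomainJoined : YES
           AzureAdPrt : NO
'@ -split "`r?`n"

Get-SsoReadiness -StatusLines $sample

# On a live clone, run inside the user's session:
#   Get-SsoReadiness -StatusLines (dsregcmd /status)
```

Running this at logon on a few clones from the pool shows how often users land on a desktop before the PRT has been issued.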