May 31, 2021
 
After you Deploy Remote Desktop Services (RDS) for employee remote access and Install Office 365 in a Remote Desktop Services Environment, your next step is to configure Office 365 in that environment by deploying Group Policy Objects (GPOs).

By deploying Group Policy Objects to configure Office 365, you’ll be able to configure Office 365 for first time use, activate the product, roll out pre-defined configuration, and even automatically configure Outlook mail profiles.

Following these steps will help you provide a zero-configuration experience for your end users so that everything is up and running for them when they connect the first time. I will also provide a number of GPO settings which will enhance the user experience.

What’s Required

To Configure Microsoft Office 365 on a Remote Desktop Services Server, you’ll need:

  • A Remote Desktop Services Server (Configured and Running)
  • Microsoft 365 Apps for Enterprise (formerly named Office 365 ProPlus)
  • Office 365 Installed with SCA (Shared Computer Activation, as per “Install Office 365 in a Remote Desktop Services Environment”)
  • Microsoft 365 Apps for Enterprise ADMX GPO Administrative Templates (Download here)

Shared Computer Activation

In order to properly configure and activate Office 365 in a Remote Desktop Services Environment, you will need to Install Office 365 with Shared Computer Activation. You can read my guide by clicking on the link.

Configure Office 365

Once you’re ready to go, you can begin configuration.

To make things as simple as possible and centrally manage every aspect of your O365 deployment, we want to configure everything via GPO (Group Policy Objects). This will allow us to configure everything including “first run configuration” and roll out a standardized configuration to users.

In order to modify GPOs, you’ll need to either launch the Group Policy Management MMC from a domain controller, or Install RSAT (Remote Server Administration Tools) on Windows 10 to use the MMC from your local computer or workstation.

You’ll probably want to create an OU (Organizational Unit) inside of Active Directory for your RDS farm, and then create a new Group Policy Object and apply it to that OU.

We’ll be configuring the following “Computer Configuration” items:

  1. Microsoft Office – Licensing Configuration
  2. Microsoft Office – Update Configuration
  3. Microsoft OneDrive – Known Folders, Use OneDrive Files On-Demand
  4. Windows – Group Policy Loopback Processing Mode

We’ll also be configuring the following “User Configuration” items:

  1. Microsoft Office – First Run Configuration
  2. Microsoft Office – Block Personal Microsoft Account Sign-in
  3. Microsoft Office – Subscription/Licensing Activation
  4. Microsoft Outlook – Disable E-Mail Account Configuration
  5. Microsoft Outlook – Exchange account profile configuration
  6. Microsoft Outlook – Disable Cached Exchange Mode

Let’s start!

Microsoft Office – Licensing Configuration

Since we’re using SCA (Shared Computer Activation) for licensing, we need to specify where to store the users’ activation tokens. You may have configured a special location for these, or may just store them with your user profiles.

First we need to activate Shared Computer Activation. Navigate to:

Computer Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Licensing Settings

And set “Use shared computer activation” to Enabled.

Next we’ll set “Specify the location to save the licensing token used by shared computer activation” to the location where you’d like to store the activation tokens. As an example, to store to the User Profile share, I’d use the following:

\\PROFILE-SERVER\UserProfiles$\%USERNAME%

Microsoft Office – Update Configuration

Because this is a Remote Desktop Services server, we want automatic updating disabled since IT will manage the updates.

We’ll want to disable updates by navigating to:

Computer Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Updates

And set “Enable Automatic Updates” to Disabled.

We’ll also set “Hide option to enable or disable updates” to Enabled to hide it from the users.

Microsoft OneDrive – Known Folders, Use OneDrive Files On-Demand

There’s some basic configuration for OneDrive that we’ll want to apply, as we don’t want our users’ profile folders being copied or redirected to OneDrive, and we also want OneDrive to be used with Files On-Demand so that users’ OneDrive contents aren’t cached/copied to the RDS Server.

We’ll navigate over to:

Computer Configuration -> Policies -> Administrative Templates -> OneDrive

And set the following GPO objects:

  • “Prevent users from moving their Windows known folders to OneDrive” to Enabled
  • “Prevent users from redirecting their Windows known folders to their PC” to Enabled
  • “Prompt users to move Windows known folders to OneDrive” to Disabled
  • “Use OneDrive Files On-Demand” to Enabled

We’ve now configured OneDrive for RDS Users.

Windows – Group Policy Loopback Processing Mode

Since we’ll be applying the above “Computer Configuration” GPO settings to users when they log on to the RDS Server, we’ll need to activate Loopback Processing of Group Policy. This will allow us to have the “Computer Configuration” applied during User Logon and have higher precedence over their existing User Settings.

We’ll navigate to the following:

Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy

And set “Configure user Group Policy loopback processing mode” to Enabled, and “Mode” to Merge.

Microsoft Office – First Run Configuration

As most of you know, when running Microsoft Office 365 for the first time, there are numerous windows, movies, and wizards for the first time run. We want to disable all of this so that Office appears pre-configured to the user, which will allow them to just log on and start working.

We’ll head over to:

User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> First Run

And set the following items:

  • “Disable First Run Movie” to Enabled
  • “Disable Office First Run on application boot” to Enabled

Microsoft Office – Block Personal Microsoft Account Sign-in

Since we’re paying for Microsoft 365 and want users to sign in with their Microsoft 365 account and not their personal one, we’ll stop them from being able to add personal Microsoft Accounts to Office 365.

Head over to:

User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> Miscellaneous

And set “Block signing into Office” to Enabled, and then set the additional option to “Organization ID only”.

Microsoft Office – Subscription/Licensing Activation

Earlier in the post we configured Office 365 to use SCA; now we’ll need to configure how it’s activated. We don’t want the activation window being shown to the user, nor the requirement for it to be configured, so we’ll configure Office 365 to automatically activate using SSO (Single Sign On).

Navigate to:

User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> Subscription Activation

And then set “Automatically activate Office with federated organization credentials” to Enabled.

Microsoft Outlook – Disable E-Mail Account Configuration

We’ll be configuring the e-mail profiles for the users so that no initial configuration will be needed. Again, just another step to let them log in and get to work right away.

Inside of:

User Configuration -> Policies -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> E-mail

And we’ll set the following:

  • “Prevent Office 365 E-mail accounts from being configured within a simplified Interface” to Disabled
  • “Prevent Outlook from interacting with the account settings detection service” to Enabled

Microsoft Outlook – Exchange account profile configuration

We’ll want your users’ Outlook profiles to be auto-configured for their Exchange accounts, so we’ll need to configure the following setting.

Navigate to:

User Configuration -> Policies -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Exchange

And set “Automatically configure profile based on Active Directory Primary SMTP address” to Enabled.

After setting this, Outlook will automatically add the Exchange Account when users open it and they’ll be ready to go! Note that there is an additional setting with a similar name, appended with “One time Only”. The One time Only variant will not try to apply the configuration on all subsequent Outlook runs.

Microsoft Outlook – Disable Cached Exchange Mode

Since we’ll have numerous users using the RDS server or servers, we don’t want users’ cached Outlook mailboxes (OST files) stored on the RDS server. We can stop this by disabling Exchange caching.

Navigate to:

User Configuration -> Policies -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Exchange -> Cached Exchange Mode

And we’ll set the two following settings:

  • “Cached Exchange Mode (File | Cached Exchange Mode)” to Disabled
  • “Use Cached Exchange Mode for new and existing Outlook profiles” to Disabled
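
To confirm the GPO actually carries every setting listed above (and to catch later drift, such as someone re-enabling automatic updates or personal account sign-in), the following added example, which is not part of the original guide, compares the GPO’s XML report against the states given in this post. The GPO name is a placeholder, and the script assumes the policy display names in the report match the names quoted above.

```powershell
Import-Module GroupPolicy            # ships with RSAT and on domain controllers
$GpoName = 'RDS-Office365'           # hypothetical GPO name, replace with yours

# Scope | expected state | policy display name, as listed in this post
$Expected = @'
Computer|Enabled|Use shared computer activation
Computer|Enabled|Specify the location to save the licensing token used by shared computer activation
Computer|Disabled|Enable Automatic Updates
Computer|Enabled|Hide option to enable or disable updates
Computer|Enabled|Prevent users from moving their Windows known folders to OneDrive
Computer|Enabled|Prevent users from redirecting their Windows known folders to their PC
Computer|Disabled|Prompt users to move Windows known folders to OneDrive
Computer|Enabled|Use OneDrive Files On-Demand
Computer|Enabled|Configure user Group Policy loopback processing mode
User|Enabled|Disable First Run Movie
User|Enabled|Disable Office First Run on application boot
User|Enabled|Block signing into Office
User|Enabled|Automatically activate Office with federated organization credentials
User|Disabled|Prevent Office 365 E-mail accounts from being configured within a simplified Interface
User|Enabled|Prevent Outlook from interacting with the account settings detection service
User|Enabled|Automatically configure profile based on Active Directory Primary SMTP address
User|Disabled|Cached Exchange Mode (File | Cached Exchange Mode)
User|Disabled|Use Cached Exchange Mode for new and existing Outlook profiles
'@ -split "`r?`n"

[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml

# Index every Administrative Template policy in the report by "Scope|Name".
# local-name() avoids having to bind the report's XML namespace prefixes.
$actual = @{}
foreach ($scope in 'Computer', 'User') {
    $xpath = "/*[local-name()='GPO']/*[local-name()='$scope']//*[local-name()='Policy']"
    foreach ($p in $report.SelectNodes($xpath)) {
        $name  = $p.SelectSingleNode("*[local-name()='Name']").InnerText
        $state = $p.SelectSingleNode("*[local-name()='State']").InnerText
        $actual["$scope|$name"] = $state
    }
}

$findings = foreach ($line in $Expected) {
    $scope, $want, $name = $line -split '\|', 3   # limit 3: one name contains '|'
    $have = $actual["$scope|$name"]
    if (-not $have) { $have = 'Not Configured' }
    [pscustomobject]@{
        Scope = $scope; Policy = $name; Expected = $want; Actual = $have
        Result = if ($have -eq $want) { 'OK' } else { 'DRIFT' }
    }
}
$findings | Sort-Object Result, Scope | Format-Table -AutoSize -Wrap
```

The check covers only the Enabled/Disabled state of each policy; sub-options such as the loopback “Mode”, the “Organization ID only” choice and the token path still need to be reviewed in the GPO editor or the full report.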

  27 Responses to “Configure Office 365 in a Remote Desktop Services Environment”

  1. […] reading this blog post and deploying Office 365, you can head over to my guide on how to Configure Office 365 in a Remote Desktop Services Environment to pre-configure Office and it’s applications for when your users log […]

  2. […] Please note that special steps are required when you install Office 365 in a Remote Desktop Services Environment, and configure office 365 in a Remote Desktop Services environment. […]

  3. Hi Stephen, nice posts. Thank you for sharing.

    Just one doubt, does the RDS server need Internet access?

    I have read some Microsoft docs stating Internet is required but we don’t want to enable internet access for RDS servers.

    Regards.

  4. Hi Liber,

    Internet access shouldn’t be required unless you want to access it from the internet.

    You will need Internet Access for the following:
    -Windows Updates
    -RDS Licensing (however there may be a call-in service)
    -Accessing RDS from the Internet
    -Any software (and updates) you’re running that require Internet Access

    Hope this helps,

    Stephen

  5. Where do we get a template for the Group Policy Computer Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 (Machine)?

  6. Hi Shawn,

    You can download them from here: https://www.microsoft.com/en-us/download/details.aspx?id=49030

    Cheers,
    Stephen

  7. Does the installation of the Microsoft 365 Apps for Enterprise ADMX GPO Administrative Templates require a certain domain functional level? I installed them on my main DC, still do not see them.

  8. Hi Moises,

    As long as you have permission to add the GPO ADMX templates to your AD GPO central store, you should be good to go. If you added it to the SYSVOL GPO store, it may take time to replicate to all your domain controllers.

    Cheers,
    Stephen

  9. Does the GPO covered on this page only need to be applied to the OU in which the RDS Computer objects sit, or should it also be applied to the OU where the User objects are as well?

  10. Hi Nick,

    Since we are using loop back processing I think you should be good applying this to the RDS servers only.

    Cheers!

  11. This and the Shared Computer Activation guide helped me resolve an unpleasant surprise within an hour. Thanks Stephen!

  12. Thanks for the guide and the tips for configuration. However, on a 2022 server where I imported the .admx and .adml files, I don’t show a OneDrive setting referenced at Computer Configuration -> Policies -> Administrative Templates -> OneDrive. All other configuration items are there, just not the one for OneDrive. Any ideas on where that setting went?

  13. Hey Michael,

    Great question. Unfortunately the OneDrive ADMX aren’t included with the M365 ADMX templates.

    To get the OneDrive ADMX templates, you have to extract them from a workstation that has OneDrive installed. I can’t remember off the top of my head which directory it’ll be in, but maybe try searching for the admx extension.

    Then copy these to your domain controller or your domain’s central store.

    I have no idea why they didn’t include these with the M365 ADMX lol.

    Cheers,
    Stephen

  14. Hi Stephen and thank you for your interesting website.

    We use Outlook 365 in a RDS environment with shared profile.

    This works almost fine but, unfortunately, from time to time, a user has an error popup when starting Outlook telling “Cannot start Microsoft Outlook. Cannot open the Outlook window. The set of folders cannot be opened. The information store could not be opened.”
    When that happens, the only thing we can do is delete the profile of the user (delete his folder from the server where are stored the shared profiles, which is also the broker for us). And even that action does not work every time.

    I have tried to find something on Google about that and it seems we are not the only one with exactly the same issue. But no solution found so far…
    Have you already had this issue? Do you have any idea?

    Thanks for any help.

  15. Hi Marc,

    Actually, I have seen this issue before (it was with other issues as well). In our case we couldn’t find/troubleshoot the specific thing that was causing it, but to resolve it, we redeployed the RDS server from scratch using best practices.

    In our case, the existing server wasn’t configured properly. The previous admins didn’t put the server into “install mode” when installing applications like Office, performing Office updates, installing applications, etc. Additionally, the base profile template was modified and had security descriptors pointing to an admin account, which caused all fresh profiles to contain odd items that we feel contributed to the issue.

    I’d recommend redeploying your RDS server, make sure applications (and updates) are installed in “install mode”, and make sure you don’t modify the base profile. This should clear up the issues. Keep in mind you’ll probably need to recreate all the profiles as well after redeploying the RDS servers.

    Cheers,
    Stephen

  16. Thank you for your quick reply!
    I will check what you suggest.

  17. Hi,
    Thanks for the article! We were able to test with an account on one host over 10 times without a subsequent login prompt. However, when we added a second host it opened up Word/Excel, etc. with no issues but Outlook 365 has the “Need Password” prompt at the bottom and it isn’t accessible.

  18. Hi Tracey,

    Where are you storing the users activation token? Does the other host have access to it?

    Cheers,
    Stephen

  19. We set up a shared location on a file server and I checked permissions…the AD group with the farm hosts had share permissions but not security permissions. I added that group with Modify permissions and rebooted the host after confirming I could see the correct settings on that folder and the tokens. However, that folder and its two tokens have yesterday’s date. Outlook still behaves the same.

  20. Hi Tracey,

    The tokens will only be “modified” when they expire and need to be renewed.

  21. Ok thanks. I logged back into the original host and Outlook works fine. Not sure what we are missing.

  22. It sounds like the second host may not know where to look. Or there could be some issues with your profile portability solution and identity.

  23. We are using a combination of FSLogix and the built-in registry entries above. FSLogix didn’t seem to be working on its own so we started adding your keys.

  24. Hi, is anyone experiencing issues lately with Office licensing on RDS?

    https://support.microsoft.com/en-gb/office/error-something-went-wrong-1001-signing-in-to-microsoft-365-desktop-applications-6f63238d-d83c-437c-a929-de72fe819793

    It looks like some folders and registry settings don’t need to be redirected

  25. Hi Stephen,

    Great post. Very easy to follow. I have a follow-up question about cached exchange mode (which I will admit I have never been a fan of, so I am biased). I have a 2019 terminal server (running RDS) it’s got a bunch of large OST files filling up the disk – 250GB disk and around 100GB is OST files. There is a GPO that forces CEM on for essentially everyone everywhere. I’d like to exclude this server but am concerned about what it might break. Most of the search results I get are pretty ancient. Would you be able to point me to some documentation regarding best practices? I’d also appreciate your thoughts on this.

    Anyone who wants to comment is welcome. Just looking for some solid advice.

    Cheers,
    Shawn

  26. Hi Stephen,

    I have followed your guide, and it seems to work for me. I just wonder if it is correct, that it’s still necessary to enter the password three times, the first time a user opens Outlook on the RDS Server, or have I done something wrong?

    Regards,
    Jacob

  27. Hi Jacob,

    You should not be receiving 3 login prompts. If your environment is configured properly, users should not be prompted for credentials at all.

    I would review your AD UPNs to confirm they match Azure, as well as check SSO settings, and Azure SSO.

    Cheers,
    Stephen
