OneDrive Silent Setup And Protecting Your Users

At first it was interesting but a bit of a pain, uploading ADMX files with specific version numbers. Then Administrative Templates came along and made it a bit easier. Fast-forward to March 2020, with Intune Service Release 2003, and an all new Administrative Templates interface has arrived.

Intune is without a doubt one of my favorite parts of the M365 ecosystem (rivaled by Azure Dynamic Groups) so I want to walk you through how to silently and seamlessly enable OneDrive for your users and automatically protect their documents on their local machines.

If you’ve done any sort of end-user support, the ‘help, I accidentally deleted a document on my desktop’ or ‘my laptop has died and I’ve lost some really important work’ tickets are unfortunately common. In on-prem type environments (more common in larger enterprises), the solution to this was folder redirection – have a big storage server that user profile data can be redirected to in order to prevent data loss.

How do you address the issue when there is no storage server available? After all, Microsoft 365 is a great platform to move to a serverless environment. Or perhaps you are wanting to remove that capex cost from a hardware refresh? The answer to this is OneDrive Known Folder Move.

Known Folder Move (KFM) does exactly what it says on the label – mostly. It moves a user’s known libraries, namely their Desktop, Documents, and Pictures, into OneDrive. It works by redirecting where Windows 10 stores that data and moving across any existing data the user may have.

At this stage, it does not move directories a user has manually created in other areas such as the root of the operating system or other disks, nor does it move the Downloads, AppData or Videos folder for various reasons.

It can be enabled manually through the OneDrive settings menu, automatically through Group Policy or via Intune. This post is specific to Intune (because Cloud first!) as well how to silently enable OneDrive for the user.

OneDrive Context Menu, Windows 10 1909

Step 1 – Prepare

To begin, login to Azure Active Directory by going to aad.portal.azure.com and navigating to Azure Active Directory > Properties, taking note of the Directory ID listed there. This is your unique tenancy ID and will be needed later.

Step 2 – Create

Next, login to the Intune portal by visiting either https://devicemanagement.microsoft.com or by going to the Azure dashboard and selecting Intune.

Navigate to Devices then Configuration Profiles, select Create Profile and populate the following details (below), then select Create.

  • Platform: Windows 10 and later
  • Profile: Administrative Templates

Intune 2003 Profile Creation

Step 3 – Identify

Name and detail your profile accordingly then press Next. When creating profiles, always assume that the next person who sees it will have no understanding of why the policy exists and what it does.

Properly name your profiles, people!

Step 4 – Define

For those who have worked with Group Policy before, this may seem familiar: it’s the new look interface for Administrative Templates launched in March 2020. Start by navigating to Computer Configuration > All Settings.

In the search bar, enter OneDrive to filter the results. At the time of publication, there is a bug with the interface where you can’t navigate to the OneDrive configuration options through the hierarchy.

Intune 2003’s shiny new Administrative Templates

The settings you configure are entirely up to you, however I recommend the following at minimum:

  • Prevent users from redirecting their Windows known folders to their PC
    • Ideal to stop users reversing the changes we apply through Intune policy
  • Prompt users to move Windows known folders to OneDrive
    • This kicks in only if the silent move fails and will provide valuable troubleshooting information to assist
  • Require users to confirm large delete operations
    • Does what it says on the box: helps users think twice before deleting valuable data.
  • Silently move Windows known folders to OneDrive
    • Redirects the user’s Desktop, Documents and Pictures libraries as mentioned
  • Silently sign in users to the OneDrive sync client with their Windows credentials
    • This is normally their Azure AD credentials if the device is AAD joined & Intune managed.
  • Use OneDrive Files On-Demand
    • Prevents users from downloading more data than they have storage capacity for on their device by only downloading the data the user accesses.

You will notice when configuring certain settings, you may be required to provide the Tenant ID or a Value. This is the same Directory ID mentioned in Step 1.

When in doubt, the policy explains what it does

Step 5 – Define... again.

Switch to the User Configuration tree and select All Settings, again filtering by OneDrive.

Intune 2003’s new Administrative Templates

I suggest configuring the following settings:

  • Disable the tutorial that appears at the end of the OneDrive Setup
    • Commonly I have found users skip this tutorial as they see it as an annoyance. It is better to communicate the features of OneDrive through other methods such as short video tutorials
  • Prevent users from changing the location of their OneDrive folder
    • Provides a standardized environment that is easier to support and prevents users from doing odd things such as redirecting it to removable storage or other cloud storage accounts.
  • Prevent users from syncing personal OneDrive accounts
    • Should be enabled alongside other policies to prevent users syncing personal Microsoft accounts to work devices, preventing confusion around software ownership and defining a security boundary.
  • Show OneDrive Sign In
    • The aim of this is to silently enable KFM

Once you are done with your configuration, select Next.

Step 6 – Finishing Steps

Complete your Scope Tags and Assignments as necessary then press Next. I recommend defining a specific group used for company-wide corporate device management. This simplifies management across Intune configuration and compliance profiles as well as standardises application deployment. At Stage 5, Review + Create, ensure your settings are correct and select Create to complete the setup.

Save yourself the trouble and define your scopes correctly from the beginning

Success!

The policy will be deployed immediately to new devices and within 24 hours to preexisting configured devices. Users will see the following notifications in the Notifications Menu if the silent setup is completed successfully. If the user is enabled but has not yet completed Windows Hello for Business registration, they’ll also be prompted to complete it again.
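The following verification script is an added example and not part of the original post: run it on a managed Windows 10 device to confirm the policies from Steps 4 and 5 have landed and that KFM has actually taken effect, which is the quickest way to spot a device where a user or a competing policy has reverted the redirection. It assumes the registry value names used by the OneDrive ADMX for the settings above (the “Show OneDrive Sign In” setting is left out), and <TenantId> is a placeholder for the Directory ID noted in Step 1.

```powershell
# Added example (not from the original post): check the OneDrive policies recommended
# above on a device and confirm the known folders really point into OneDrive.
# Assumption: value names follow the OneDrive ADMX; <TenantId> is a placeholder GUID.
$TenantId = '<TenantId>'

$machine = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'   # Computer Configuration (Step 4)
$user    = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'   # User Configuration (Step 5)

$expected = @(
    @{ Path=$machine; Name='KFMBlockOptOut';                 Value=1;         Note='Prevent users from redirecting known folders to their PC' },
    @{ Path=$machine; Name='KFMOptInWithWizard';             Value=$TenantId; Note='Prompt users to move known folders to OneDrive' },
    @{ Path=$machine; Name='ForcedLocalMassDeleteDetection'; Value=1;         Note='Require users to confirm large delete operations' },
    @{ Path=$machine; Name='KFMSilentOptIn';                 Value=$TenantId; Note='Silently move known folders to OneDrive' },
    @{ Path=$machine; Name='SilentAccountConfig';            Value=1;         Note='Silently sign in users with Windows credentials' },
    @{ Path=$machine; Name='FilesOnDemandEnabled';           Value=1;         Note='Use OneDrive Files On-Demand' },
    @{ Path=$user;    Name='DisableTutorial';                Value=1;         Note='Disable the tutorial at the end of OneDrive Setup' },
    @{ Path=$user;    Name='DisableCustomRoot';              Value=1;         Note='Prevent users from changing the OneDrive folder location' },
    @{ Path=$user;    Name='DisablePersonalSync';            Value=1;         Note='Prevent users from syncing personal OneDrive accounts' }
)

$failures = 0
foreach ($e in $expected) {
    # Missing keys return $null rather than throwing, so a fresh device is reported as MISSING.
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ("$actual" -eq "$($e.Value)") {
        Write-Output "OK        $($e.Name) = $actual  ($($e.Note))"
    } else {
        Write-Output "MISSING   $($e.Name): expected '$($e.Value)', found '$actual'  ($($e.Note))"
        $failures++
    }
}

# Policy presence is not proof of redirection: KFM has only taken effect when the shell's
# known-folder paths sit under the business OneDrive root, so a reverted device fails here.
$root = $env:OneDriveCommercial
foreach ($folder in 'Desktop', 'MyDocuments', 'MyPictures') {
    $path = [Environment]::GetFolderPath($folder)
    if ($root -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
        Write-Output "OK        $folder -> $path"
    } else {
        Write-Output "NOT MOVED $folder -> $path"
        $failures++
    }
}

exit $failures   # non-zero exit makes this usable as an Intune compliance/detection script
```

Run it in the signed-in user’s context so the HKCU values and known-folder paths belong to that user, not to the SYSTEM account.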

Success!

A Word of Caution

Known Folder Move is still bound by the same limitations as any other file or folder in the sync client: files over 15GB or with unsupported characters in their names, alongside the other limitations, are still affected. Differential sync support for all files is also yet to be generally available.

This can cause issues for files such as Outlook PST files or Myob MYOX files stored in the Documents directory. Symptoms can include errors regarding the file being open in another application (such is the case for Myob when OneDrive attempts to upload the latest copy of the MYOX file) or running out of storage space with multiple versions of the same PST file.

Final Thoughts

OneDrive Known Folder Move does have risks and the odd teething issue associated, however there are also risks in taking no action, whether that be accidental data loss or physical damage to a device.

The new interface has made what was a difficult and time-consuming path of PowerShell scripts and ADMX files into a relatively straightforward deployment process that requires little ongoing maintenance.
