Home
Microsoft

Previews for Silent Sync Account Configuration and Bandwidth Throttling for OneDrive

At Ignite, we announced two new features for IT Administrators. The first was Silent Sync Account Configuration for OneDrive which will allow you to silently configure OneDrive using Windows 10 or domain credentials for Windows 7 and Windows 8 on the first run.  The second was the ability to let you set the maximum download throughput rate for computers running the OneDrive sync client. Both of these features are now in preview.

 

Silent Sync Account Configuration

 

Important: If you enable this setting, ADAL (Azure Active Directory Authentication Library) must be enabled or the account configuration will fail. Download and open EnableADAL.reg to enable ADAL and restart the sync client.

 

This policy lets you configure the OneDrive sync client silently using the primary Windows account on Windows 10, and domain credentials on Windows 7 and later.

 

If you enable this setting, OneDrive.exe will attempt to sign in to the work or school account using these credentials. It will check the available disk space before syncing, and if it is large, OneDrive will prompt the user to choose their folders. The threshold for which the user is prompted can be configured using DiskSpaceCheckThresholdMB. OneDrive will attempt to sign in on every account on the computer and once successful, that account will no longer attempt silent configuration.

 

If you enable this setting and the user is using the previous OneDrive for Business sync client, the new sync client will attempt to take over syncing. The new sync client will attempt to import the user's sync settings from the previous sync client.

 

If you disable this setting, OneDrive will not attempt to automatically sign in users.

 

[HKLM\SOFTWARE\Policies\Microsoft\OneDrive]

"SilentAccountConfig"=dword:00000001

 

This policy can be used with DiskSpaceCheckThresholdMB as well as DefaultRootDir.

 

Please let us know if you have feedback on this feature or encounter any issues. Right-click the OneDrive icon in the notification area and click "Report a problem." Please tag any feedback with "SilentConfig" so that your feedback will be sent directly to engineers working on this feature.

 

Configure the maximum OneDrive size for downloading all files automatically   

 

This setting is used in conjunction with SilentAccountConfig. Any user who has a OneDrive that's larger than the specified threshold (in MB) will be prompted to choose the folders they would like to sync before the OneDrive sync client (OneDrive.exe) downloads the files.

 

[HKLM\SOFTWARE\Policies\Microsoft\OneDrive\DiskSpaceCheckThresholdMB]

Example: "1111-2222-3333-4444" = dword:0005000

(where "1111-2222-3333-4444" is the Tenant ID and 0005000 sets a threshold of 5000MB)

 

How to set the maximum download throughput that OneDrive.exe uses   

This policy lets you set the maximum download throughput rate in kilobytes (KB)/sec for computers running the OneDrive sync client. The minimum rate is 50 KB/sec and the maximum rate is 100,000 KB/sec. The lower the download throughput rate that you configure, the longer computers running OneDrive.exe will take to download files. 

 

By default, the download throughput rate is unlimited and can be configured by the user directly in the sync client. If you enable this setting, computers affected by this policy will use the maximum download throughput rate that you specify, and the users will not be able to change the download rate in sync client settings themselves. Note, that OneDrive.exe must be restarted on users’ devices to apply the configuration specified in this setting. If you disable this setting, users can configure the maximum download rate for their computer by opening sync client settings and clicking the Network tab. 

 

We recommend that you use this setting in cases where Files On-Demand is NOT enabled and where strict traffic restrictions are required, such as when you initially deploy the sync client in your organization or enable syncing of team sites. We don't recommend that you use this setting on an ongoing basis because it will decrease sync client performance and negatively impact the user experience. 

 

Enabling this policy sets the following registry key value to a number from 50 through 100,000. For example:

 

[HKCU\SOFTWARE\Policies\Microsoft\OneDrive] "DownloadBandwidthLimit"=dword:00000032

 

The above registry key sets the download throughput rate limit to 50KB/sec, using the hexadecimal value for 50, which is 00000032.

 

All the computer configuration policies can be found under Computer Configuration\Policies\Administrative Templates\OneDrive.

 

Additional Group Policies to control OneDrive Sync can be found here

 

Questions? Feedback? Feel free to drop in your questions below

 

33 Comments
New Contributor

Are there CSPs for OneDrive for these settings?  Custom ADMX backed CSPs aren't possible since these settings are in a restricted part of the registry.  We'll be migrating all of our users to AAD only joined W10 PCs starting next month and want to use these settings.

We’re getting more and more «cloud only» customers. I really hope there’s a CSP coming really soon so we can push this out with Intune...

Microsoft

Greg/Lasse,

 

No CSP's yet as we are still in preview. I will bring it back to the engineering team for awareness. I encourage you to add it to onedrive.uservoice.com so it can get upvoted as well for awareness.

Occasional Visitor

Thank you for your reply Stephen,

 

I've submitted this to uservoice now: https://onedrive.uservoice.com/forums/262982-onedrive/suggestions/32026432-onedrive-csp-for-mdm-mana...

Occasional Contributor

I have added it to the uservoice but something which is painful is when users are changing computers, all the sharepoint libraries are to be synced "manually"again (You have to go in the browser in each libraires you were syncing before and click on Sync...) https://onedrive.uservoice.com/forums/262982-onedrive/suggestions/32029009-changing-computer

Valued Contributor

Is there anything else that needs to happen before auto login works? Can I just take an imaged machine, run the ADAL reg update on it, and restart the client, long as it's joined to my domain and they have an account it will try to login? I just tried and it never did try to login, think I might be missing a step? 

Regular Visitor

 

 

This policy lets you configure the OneDrive sync client silently using the primary Windows account on Windows 10, and domain credentials on Windows 7 and later.

 

 

With Windows 10, what exactly is the "primary Windows account"? If the machine is Active Directory domain joined, is this the logged on user?

 

Occasional Contributor

Has anybody gotten /silentConfig working?

 

I think I have everything in place - ADAL, SilentAccountConfig, DiskSpaceCheckThresholdMB, client (.7076.), and I'm still getting prompted for sign-in and folders.

Regular Visitor

James - no its not working for me. I've tried on Win7 and Win10 but no luck. 

Valued Contributor

No luck with my few tries of getting it to work. Not sure what we could be missing

Occasional Contributor

Not working for me either.  MS Ignite demos made it look super easy.  Guess it was just smoke and mirrors.

Valued Contributor

Something tells me the version of client we have doesn't have the bits in it for this to work right, probably need a later version. 

Occasional Visitor

I have the SilentConfig working fine. However, the DiskSpaceCheckThresholdMB isn't working... Everytime it syncs on that first run it prompts me to choose which folders I want to sync... I have the GPO fully configured.

Regular Visitor
Not working for me. I'm using Windows 10 1709 (Education), OneDrive v17.3.7076.1026. All required Reg / GPO's are in place. We sync via AADSync if that matters.
Occasional Visitor

So I figured this one out and it's not good for my environment. 

SilentConfig

Windows 7- worked no problem on my test Win7 Vm's, it used the Domain Creds to log in. 

Windows10- It does not work with the Domain Creds. It uses the Windows WORK account which will not work for me since our computers are joined to Active Directory and if we have to tell every user to add a WORK ACCOUNT to their profile it completely defeats the "SilentConfig".

 

Onedrive Team, Can you guys please make it that it looks at Domain Credentials in Windows10 too?

 

Thanks,

-Bruce

Occasional Visitor
Bruce, I had a similar issue to you. I had to set up Hybrid AD and Azure AD to get this working. https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devi... I'm only working in a test environment at the moment as we aren't using Onedrive or O365 fully yet so I am finding myself following instructions that seem to assume a fully integrated deployment for new features to work. Thanks Ivan
Occasional Visitor

what machine does  EnableADAL.reg need to be run on?  (Azure DCs, Local DCs, all workstations, etc ...?)

Occasional Visitor

James Mika,

 Enableadal has to be done on the client machine. I have done enable Adam on all Corp computers using GPO.  If you don't know how I can show you step by step on how to.

 

Occasional Contributor

I've enabled both registry settings, but the EnableADAL won't push from GPO.  As soon as I manually add the registry setting to the client computer it starts working.  Just not with GPO.  Any ideas?

image.png

Occasional Contributor

Never mind.  I found that my GPO was linked to a computer OU.  I added a new policy with just the hkey_current_user key and linked it to the domain users group and it applied fine.

Regular Visitor

@Jeremy Friesen,

 

Cool that you got it working.  Could you describe your config?  Which OS are you using and are you using AADSync or ADFS?

 

Thanks,

Graham 

Occasional Contributor
  1. Win 10 Pro 1703 and 1709 connected to a domain
  2. ADConnect running on a server to connect user's domain info to AzureAD with Office 365 Premium
  3. Client registry setting: HKCU\SOFTWARE\Microsoft\OneDrive\EnableADAL=1 (dword)
  4. Client registry setting: HKLM\SOFTWARE\Policies\Microsoft\OneDrive\SilentAccountConfig=1 (dword)    (Probably not needed with the group policy setting below, but I'm not positive.  One of the settings I left enabled because I didn't want to mess up what finally started working....)
  5. Download and install the latest OneDrive client
    1. After install you can find the latest OneDrive admx/adml group policy files on the client at %LocalAppData%\Microsoft\OneDrive\-build-version-\adm\OneDrive.admx
    2. Copy those files to your domain server.
  6. Group Policy Settings to enable in: Computer Config\Admin templates\OneDrive\
    1. Enable OneDrive Files On-Demand
    2. Silently configure OneDrive using the primary Windows account
    3. Optionally: The maximum size of a user's OneDrive for Business before they will be prompted to choose which folders are downloaded

I reimaged a test computer back to base 1703 Win 10 after getting this to work and the first, second, third time I logged in nothing happened.  I manually ran the OneDrive update tasks is Task Manager (mine had 3 tasks and I ran them all).  Then I rebooted and OneDrive fired up successfully.  I'd assume that step is just for impatient folks like me.

Sorry if I missed anything.

Regular Visitor

Thanks for taking the time to write that up :)

 

Oh well, that's basically identical to our config so God knows what the problem is.  I've tried various accounts and none of them automatically sign-in.

 

I did notice that the version of the OneDrive client appears to change depending on who is logged on.  If a new user logs on the version is always 17.3.6816.0313 and once the update task is run it's upgraded to 17.3.7076.1026 but when a new user logs in the version that appears in appwiz.cpl is the 17.3.6816.0313.  I suspect it doesn't make any difference either way.

Occasional Contributor

Graham

As I understand - OneDrive is installed per user.  So each user MIGHT need to run that task before it would upgrade and auto configure would work.  Please check that info, though. 

There were a lot of improvements to the client between the two versions you listed.  You might be on to something according to these release notes.  https://support.office.com/en-us/article/New-OneDrive-sync-client-release-notes-845dcf18-f921-435e-b...

Occasional Visitor

Hi Stephen,

 

I know that OnDemandFiles is not available for WS2012 R2 or WS2016 but is this setting: "DiskSpaceCheckThresholdMB"?

It would tremendously help in getting OneDrive 4 B deployed in the Enterprise....

 

Thanks for letting me know.

Occasional Visitor

This Microsoft article is very helpful:

https://support.office.com/en-us/article/Use-Group-Policy-to-control-OneDrive-sync-client-settings-0...

 

Please remember... the User's Information is not setup and configured on 'virgin' computers.  Thus, HKCU is not ready for the EnableADAL.reg settings in the specific registry for the User as they are signing into the workstation.

 

We have OneDrive setup to automatically install silently & automatically configure the User's information... below are the four registry entries exported that we pushed by GPO:

--- This one is required ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive]
"SilentAccountConfig"=dword:00000001

 

--- This one is required and specific to your organization ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive\AllowTenantList]
"8deb1d4d-d0a4-4d04-xxxx-f7076cbxxxxx"=""

 

--- This one is optional, it checks the disk space... currently set to 500GB ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive\DiskSpaceCheckThresholdMB]
"8deb1d4d-d0a4-4d04-xxxx-f7076cbxxxxx"=dword:00500000

 

--- This one is the Most Important.  It creates the OneDriveADAL in the HKCU section of the registry ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDriveADAL"="powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -Command \"& {Set-ItemProperty -Path HKCU:\\\\Software\\Microsoft\\OneDrive -Name EnableADAL -Type DWord -Value 00000001 -Force}\""

 

Please be aware that the exported keys are not typed exactly the same way as it is entered into the GPO Manager.  This is how the Most Important key is setup in the Computer Configuration section.

 

Hive: HKEY_LOCAL_MACHINE

Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Value name: OneDriveADAL

Value Type: REG_SZ

Value data: powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -Command "& {Set-ItemProperty -Path HKCU:\\Software\Microsoft\OneDrive -Name EnableADAL -Type DWord -Value '00000001' -Force}"

 

It took sometime to get this setup for our oganization.  We had been inquiring with our MS rep since September 2017... got the "Preview" in early October 2017... and had it operational by early November 2017.

 

I hope this helps all of you IT Enterprise Administrators!

Regular Visitor

So far I was able to get this working with manually setting the registry keys. Presumeably it should work when setting them by GPO just as @Alan Rocha mentions.

 

Environment:

  • Windows 10 1607
  • Domain joined PC and domain user account
  • Office 365 enterprise license
  • Hybrid AD
  • OneDrive 17.3.7076.1026 - previous versions do NOT work

Steps Followed:

  1. Set the SilentAccountConfig and EnableADAL keys
  2. Unlink the PC (in case OneDrive was previously configured)
  3. Close OneDrive
  4. Launch OneDrive (either from Start Menu or command line)
  5. You should see a grey OneDrive icon appear for a few seconds followed by a blue “up to date” icon. Then a ribbon should appear saying you are now syncing OneDrive...

The above steps worked the first time. However, once configured silently the first time, OneDrive will not silently configure again. This is because an additional DWORD [HKEY_Current_User\Software\Microsoft\OneDrive\SilentBusinessConfigCompleted] is set to "1". This DWORD will keep the silent config from working again on the same PC. So you will either need to set it to "0" or delete it.

Occasional Visitor

Just confirming, this only works for Azure AD joined devices or domain joined? What about for Windows 10 BYOD that are AAD registered? Can we configure anything in Intune so policies could be applied and lets the user sign in automatically after registering and enrolling in MDM?

Visitor

Hi everyone,

             I'm a classroom support technician working in Higher Ed.  I create a Windows 10 image for deployment to about a hundred classroom stations, and we're working on getting O365 and OneDrive for Business to silently license and configure themselves for each new user of our PCs.  We've had success with the Device Based Activation for O365, but the OneDrive For Business app is still being a real pain.  I keep coming back to this forum looking for more info - and thank you all so much for the fabulous detail in your posts so far!  I'm wondering today if we're all talking about OneDrive for Business, and not the OneDrive personal "modern app" that comes with Windows 10?  Several of you have mentioned OneDriveSetup.exe, and I noted the version requirement of at least 17.3.7076.1026 (thank you SO MUCH for that info), but as far as I can tell the OneDrive for Business app on our Start Menu, which comes bundled with O365, uses Groove.exe (16.0.9001.2138 as of Feb. 2018) found at C:\Program Files (x86)\Microsoft Office\root\Office2016\

             Even if I download the latest version of the OneDriveSetup.exe listed above I can't get silent configuration to work, but I wanted to make sure folks were aware of this difference between the executables.  Our setup is virtually identical to what Erica described above - domain PCs and user accounts, hybrid AD, etc.  Working with our Systems team now to try and determine if there is some Hybrid AD feature we still have yet to enable that might resolve this for us.

Occasional Visitor

The entire Silent configuration here is a joke. AT BEST you can get it to sign the user in, but then the user has to select what files to sync. IF THE USER HAS TO ANYTHING, IT ISN'T SILENT.

 

Not to mention the blatent disregard for giving us the ability to specify document libraries we'd like to sync. Sure, let me just tell all my users to take time out of their day to navigate to a web portal, click a Sync button, and select folders. 

 

This whole thing is less than half baked and not even remotely ready for deployment at scale 

 

 

Visitor

I don't know if this will help you Darren, but there's a GPO for setting the maximum size a OneDrive can be before prompting the user which folders to sync - setting it to 500,000MB (500GB) is the limit I think, and that should prevent the prompt from coming up.  There's another GPO to prevent users from changing the default OneDrive folder location on the PC (it defaults to the %USERPROFILE% folder, so like C:\BobSmith\OneDrive). Once the drive is synced users should be able to just copy their \Documents folder (or other libraries) to the OneDrive folder on their local PC if they want all that to sync, I would imagine.  I can't verify this as we have yet to get silent config working, but it might help you.  :-)

Occasional Visitor

Thanks Ryan, this helps but only slightly.

 

I'm mostly concerned with deployment the Document Libraries and at this time I cannot find a supported way to do this.

 

It appears that the data is stored in 2 places

%localappdata%\Microsoft\OneDrive\settings\Business1\<ScopeIdGuid>.ini 

 

and in the registry under

HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1\ScopeIdToMountPointPathCache 

REG_SZ <ScopeIdGuid> <Path to sync location>

 

It _looks_ like the values in the registry control the sync engine while the values in the <ScopeIdGuid>.ini control the Nav Pane in Windows Explorer.

 

However, Fiddlering the web requests, I cannot figure out how to get the <ScopeIdGuid> itself. It doesn't appear in any of the web requests.

 

The next best option would be to replicate what happens when the user clicks the Sync button on a document library. It uses the odopen:// protocol route with a bunch of parameters, meaning we could feasibly run Powershell as a logon script like this:

 

Start-Process "odopen://sync/?
userId=<UserGuid>
siteId=<SiteGuid>
webId=<WebGuid>
listId=<ListGuid>
userEmail=<upn>
webUrl=<url>
isSiteAdmin=0
onPrem=0"

The SiteId can be found programtically using 

$context = New-Object Microsoft.SharePoint.Client.ClientContext("https://tenant.sharepoint.com/teams/eric")
$context.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($credential.UserName,$credential.Password)
$site = $context.Site
$context.Load($site)
$context.ExecuteQuery()
$site.Id

Courtesy of https://sharepoint.stackexchange.com/questions/192281/how-to-get-site-id-or-site-url-for-sharepoint-...

 

 

However at this moment I can't figure out how to programatically determine the WebId and ListId parameters. The call doesn't work without them.

Occasional Visitor

Hey guys, I was confused about some of the prerequisites to get this working, and reached out to microsoft. Turns out you do need to be in an hybrid Azure AD environment for this to work. I don't know if anyone else was confused about that, but I sure was. Here is the email I received from Microsoft support abut getting this silent config set up:

 

 

Thank you contacting Microsoft,

I checked for the issue and below are few steps provided by our senior resources.

There are 3 points to this

First you have to prep your AD environment so that domain joined Windows 10 devices know where to look for your tenant. To do this I needed to create a Service Connection Point using the Initialize-ADSyncDomainJoinedComputerSync PowerShell on the AD Connect server.

https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devi...

Next you need to synchronise the OU or OUs that contain the devices you would like to auto register in Azure AD. I did this by modifying synchronization options in AD Connect. After it has synchronised the changes check Azure AD for the device, it should show as Hybrid Azure AD Joined.

Finally, you roll this out by setting Register domain joined computers as devices through GPO against the devices you are joining.

Restart your test device and log on with your domain credentials. To verify check the User Device Registration event log.

If the other settings that apply to OneDrive Silently Configure are in place the OneDrive client should now automatically log on.

However, there was one last thing I needed to do to get it working! As I had logged onto the machine before I made these changes I needed to reset a registry key, as Silently Configure will only try once. HKCU\Software\Microsoft\OneDrive\ClientEverSignedIn change from 1 to 0.

I hope you find this helpful, I had to learn all this by myself.

 

So it looks like Azure Connect has to be able to sync a list of windows 10 devices on your domain to Azure AD which then automatically registers those devices to your tenant which THEN allows you to automatically configure those devices OneDrive accounts because the devices has already been registered.