09-19-2018 12:54 AM
09-19-2018 12:54 AM
We decided to implement KFM but had a few issues along the way. This Microsoft website is very good for getting KFM up and running, but doesn't provide any troubleshooting if you run into issues. As KFM is a new technology, there also isn't much available on the internet at the moment so thought I would share our experience and troubleshooting tips so far.
The first problem we hit is we had Folder Redirection enabled in Group Policy. So when KFM tried to take over it couldn't. Switching off Folder Redirection is well documented elsewhere, but we had the issue that, even with it turned off, it left a ghost behind in our GP. So we recommend, if you are going to enable FR, always put it in a separate policy and set it to "redirect the folder back to the local userprofile location when the policy is removed". That way, when you revoke the FR policy, everything goes back to how it was pre-FR.
The second issue we hit with KFM was error 0x80070005 (access denied). This was for two reasons - the FR ghosting in GP and also because we had "Prohibit user from manually redirecting profile folders" set to ENABLED in Group Policy. This can be found in Group Policy under User Config > Policies > Admin Templates > Desktop. I posted about this a couple of weeks ago here. When you think about it, it's an obvious conflict for KFM, but isn't documented anywhere.
The third issue was KFM wouldn't silently configure. In our test environment, with a blank GP, KFM enabled and silently configured without user interaction, But, when we added the same GP settings into our master GP in the live environment, KFM enabled but wouldn't silently configure - it kept prompting the users with the "Your IT department wants you to protect your important folders" prompt and they had to click "Start Protection". We couldn't figure this one out so raised a ticket via our O365 Admin portal to Microsoft. At first they tried to tell us it wasn't possible to silently configure KFM (even though it says otherwise on their own website here) then when they went to the link, they closed the ticket with the response "the issue you are facing is beyond the area of expertise of our support services team". So it seems Microsoft aren't fully versed yet about how to support KFM. We therefore systematically went through every GP setting we had configured, and re-tested KFM after disabling each one. Turns out, it was due to a shortcut GP had been configured to put on the desktop (this is found under User Configuration > Preferences > Windows Settings > Shortcuts). When we removed this shortcut GP setting, KFM enabled and silently configured.
All of the above took days of troubleshooting so posting this int he hope it saves everyone else some time.
11-30-2018 01:20 AM
12-04-2018 02:41 AM
Thanks for a very well written post on the "trials and tribulations" of your OD4B roll-out.
I've had problems with KFM as well, but ultimately did all the redirection manually.
Will continue to test using your experience to get Silent Configuration working though, to see if we can roll it out differently to new devices.