Jun 20 2019 06:01 AM
Jun 20 2019 06:01 AM
First, we are in a hybrid mode and we use ADFS for SSO. What we need/want for our users is for OneDrive to get setup without any user interaction on a new computer. They should not have to click any "Next" or "OK" or enter any email/username or password. When they sign on to a new Windows 10 computer, it needs to auto setup/configure OneDrive with the user's email, password, create the OneDrive - <organization> under their user profile, and sync default files/folders with no user interaction. Can this be done? Thanks.
Jun 20 2019 10:04 AM - edited Jun 20 2019 10:04 AM
Hi, Vasil Thanks for the quick reply. Yes, I know about that doc, and have tried everything in it. The GPO works as far as setting the registry, etc, and silently logs in AFTER the first time use. It's the first time use setup we wish to automate. The only auto thing I can do during this first time use setup, is use PowerShell to pre-populate the users email address. But the user still has to click Next, fill in their password on the SSO screen, and continue clicking the rest of the way through the setup. That's what we're trying to avoid. Another thing I've noticed, is that it looks like the credentials in the credential manager, and the OneDrive - <organization>, aren't created until the last click of the setup.@Vasil Michev
Jun 25 2019 01:46 PM
Ok, one other thing I'm leaning toward: We use Azure AD Connect but do not have Hybrid Azure AD Join configured. We sync computers, but they aren't Azure AD Registered until we do something requiring an O365 login and sync, such as setting up OneDrive. Could this by my issue?
Jun 26 2019 07:30 AM
Jun 26 2019 09:07 AM
@ChrisShearing I've tried both 19.043.0304.007 and 19.086.0502.006 of OneDriveSetup.exe. Neither start the auto setup of OneDrive. Since we have OneDrive updating automatically, after any manual OneDrive setup, the OneDrive.exe version is 19.086.0502.006
Jun 26 2019 03:15 PM
Update: I added registry settings to my test client and to the ADFS servers, via GPO, to manually set a SCP. After AD Connect synchronized the system, my test computer showed up in Azure as Hybrid Azure AD Joined. However, silent OneDrive setup still does not work.
Jul 01 2019 02:56 PM
Since we have a smattering of 1709, 1803 and 1809 systems in my test environment, I manually removed some from Azure as I got double entries for the first test Hybrid Azure AD join. The rest I removed before trying to join them. Most no longer show in Azure AD, as they won't re-register and they won't join. A couple did Hybrid Azure AD join, though (and now I can't un-join them, either deleting them from Azure AD or running the dsregcmd /leave command. They always come back). The rest won't join, or register. Ran additional tests on the 1809, as that version is suppose to remove the Azure AD registered entry before joining. However, that doesn't seem to work either. So far, we haven't got one thing to work right while trying to setup silent sign in to OneDrive.
Jul 23 2019 12:54 PM - edited Jul 24 2019 01:18 PMSolution
Ok, finally got OneDrive to work correctly, whether the device is showing in Azure AD, or not. The fix is, in addition to setting the Admin Template settings to what MS says, is also to set HKCU\Software\Microsoft\OneDrive\EnableADAL to a data value of 2. OneDrive creates it with a data value of 1. Once I changed it to 2 (any number other than 1 may work), OneDrive immediately started working correctly. No more user prompts, interruptions, or failures. It just loads and syncs. As a side note, I started running OneDriveSetup.exe with the /allusers switch to only have one installation of OneDrive.exe. The /allusers switch puts it under a new program files (x86)\Microsoft OneDrive folder. Just be aware that if you do the /allusers, anyone with OneDrive already installed and working, will get a Sign in error. All they need to do is click the "OK" button and it resigns them in. This is a one-time resign in.
Nov 04 2019 11:48 AM
OneDrive silent/auto login update: I haven't been able to push the GPO to any other users in the organization, until today. Unfortunately, it no longer works. I believe the issue is that we moved away from ADFS, and now go through BIG-IP. Azure AD Connect still runs on our DC, and is fully functional. This is the note from Microsoft's site: "If you federate your on-premises Active Directory with Azure AD, you must use AD FS to enable this feature." Anyway, if anyone has had this issue, I'd appreciate knowing what you did to fix it. Thanks.
Nov 05 2019 01:15 AM
You could switch over to Pass-Through Authentication for Office365/OneDrive
Microsoft perform the authentication via the Azure AD Connect client installed on premise instead of ADFS, works with SSO,
We've not had any issues after switching,
Nov 19 2019 01:23 PM
@ChrisShearing Thanks for the information. We have now removed federation from our tenant, but are still using password-hash. Anyway, even moving away from federation did not fix the issue of no silent first-time login into OneDrive. I doubt we'll be able to change over to pass-through anytime soon, though, so cannot try your solution.
Nov 22 2019 08:19 AM