OneDrive for Business | Known folder silent redirection does not work


Hi Everyone,

Recently, one of my customers met an issue with "Silent move Windows Known folders to OneDrive".

When we configure the correct registry values on the local machine following the KB below, the policy does not work as expected. We also have no redirection policy or <Prohibit User from manually redirecting Profile Folders> policy in the Group Policy Result.

Official Document: https://docs.microsoft.com/en-us/onedrive/use-group-policy#silently-move-windows-known-folders-to-on...

The root cause is that the silent KFM function is only triggered the first time. This is meant to avoid repeating the request every time we open OneDrive. It has a corresponding registry value <KfmIsDoneSilentOptIn> in “Computer\HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1”.

Here is the solution.
1. Delete the registry key from the path below:

Path: Computer\HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1
Key: KfmIsDoneSilentOptIn: 2

2. Close OneDrive and open it again.
3. You will see that the notification on “Silent KFM” automatically starts to work again.

27 Replies

@WilsonSu I am glad you have made it past this error. In my case we are stuck in the looping error: your IT department wants you to backup your important folders:

@WilsonSu So we are trying to achieve the same thing using group policy. We have moved all the personal folders back to the C drive (they were on a Windows server), and checking the 'Shell folders' & 'user shell folders' registry keys, there are no values containing a server path.

Still no redirect, just the warning that the administrator has enforced a policy.

We have destroyed the OneDrive Registry key completely and re-launched OneDrive, the personal folders fail to move/backup.

We have the same problem on many PCs but we can't work out what setting/registry key is stopping this work. 

@Mario Pastora It seems that your domain has configured group policy to redirect your three known folders to another location rather than the default one. Then it will show this error message. You could check the registry on your local machine to confirm. (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)

@msmyth 

The issue might still be related to a conflict with Known Folder redirection in Group Policy. In my experience there are two conflicting policies, as below.

The first path of the GPO is “User Config -> Policies -> Administrative Templates -> Desktop -> Prohibit User from manually redirecting Profile Folders”.

The second path of the GPO is “User Configuration -> Policies -> Windows Settings -> Folder Redirection -> Desktop/Documents/Pictures”.

Another point is that the KFM GPO requires your <tenant ID> and is only available in OneDrive for Business. Otherwise, to confirm whether a GPO conflict causes this issue, you could try to manually back up your known folders in settings on a PC to see whether it shows an error message.

Thanks so much. In fact we were able to find which GPO had us cornered, and in fact we were redirecting the Documents folder to a local network drive letter. Once we disabled that we were able to move on and made it past to a new issue which prevents us from enabling Silent Sign On. Whenever a Windows 10 user's profile gets recreated, OneDrive will get stuck complaining that this folder already exists and won't make it past unless you right-click on the OneDrive blue icon, break OneDrive and then launch OneDrive from the user's profile and sign in manually. Only then does OneDrive stay. Has anyone else experienced this? Perhaps knows a workaround to this?

@Mario Pastora It should be related to another registry key, as follows.

You could check or change the registry key <SilentBussinessConfigCompleted> to 0 in <Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive>. Then the silent sign-on will be triggered again when you restart the computer.

Well it was the "Prohibit User from manually redirecting Profile Folders" Group Policy, I had removed the setting at the same time that someone else applied a duplicate group policy to deploy some other settings for another project that still had this set!

 

GPO changed and hey-presto all now working as it should

Testing it out as we speak... @WilsonSu I shall report that it works fine for the user's profile for which we deleted the profile prior. But when I try to sign in with a user that has never logged in before to that PC, I keep getting this error: Login was either interrupted or unsuccessful. Please try logging in again. Code: 0x8004deb4 (RETRY or CANCEL). When I click on Retry it just says: We can't sync your "OneDrive - Company name" folder Sorry, we can't add your "oneDrive - mycompany" folder right now Please try again. Do I have to do this for each new user that tries to sign in, individually?

<SilentBussinessConfigCompleted> to 0 in <Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive>

@Mario Pastora 

Nope, this key will automatically become 1 once the GPO works the first time. But it is related to the user key, so it is 0 by default with a new user account. For the error code, you'd better check whether the device is Azure hybrid or Azure AD joined, because the Silent Sign On GPO should work with device Azure hybrid. So if you run <dsregcmd /status> in cmd and Azure AD joined is 'no', you will definitely meet this issue.

How to confirm whether Azure AD joined is the cause?

Let's open a browser and access Office 365. If the browser can automatically sign in with the current account (no need to input account and password), the OneDrive silent sign-in should also work.

@WilsonSu  Thanks, this explains the riddle we are currently experiencing. I haven't tested the feature with my Azure AD domain joined devices. Will try that soon. Thanks again.

@WilsonSu 

 

Ah! That helps my dilemma. I'm trying to do the NON Silent redirection, and it's not working. I have, as near as I can tell, everything set correctly. I checked everything else in this thread, no problems there, but the <dsregcmd /status> shows No!

 

I do have Azure AD Sync set up, but dsregcmd /status shows no.

 

In poking around, I found this article, which I didn't see linked from any of the OneDrive KFM articles: https://www.cloudsupport.help/hc/en-us/articles/115000286908-Connect-domain-joined-devices-to-Azure... 

 

Is this activity required to get KFM to work? Silent or otherwise? (I was actually going for "otherwise" meaning the prompted Known Folder Move). 

 

        == John ==

@JGwinner 

Hi John, it depends on which GPO you are using. For KFM related policies, it doesn't need <domain-joined device>. But the <silently sign on> policy in OneDrive needs the device to be Azure joined.

Non-silent redirection corresponds to this GPO <Prompt users to move Windows known folders to OneDrive>, and you also need to check whether you have other GPOs which conflict with KFM redirection. The normal symptom of this policy is that each time you start the device, it will pop up an interface to ask users "Start Backup".

However, you could try to manually open "Manage Backup" in your OneDrive settings to see whether it can be activated first. Then you will know whether some other policies conflict with it.

@WilsonSu 

 

As far as I know, I have all of the GPO's set, the registry keys are in evidence, but the popup never comes up.

 

I don't get the "Start backup" popup.

 

So, to get the silent sign on, we need to make the devices both domain joined and azure joined? I thought SSO was enough.

 

Is there a GPO that can force the devices to join Azure?

 

 

@JGwinner 

Another thing to check is whether your OneDrive application is the latest version and the "Backup" tab is shown in the 'settings' interface. If it is, the most likely cause is a conflict with other GPOs.

To get the silent sign-on, it is better to make the devices both domain joined and Azure joined. Or you could also log in to O365 via <Access work or school account> in system settings. Then you will automatically log in at the next restart.

For Device Azure joined, you could refer to the following document.

https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan

@WilsonSu Thanks, someone split this to another topic.

 

On the Azure Joined point, this is not mentioned anywhere in the docs. Is this a new requirement?

 

There were no GPO conflicts. All the keys are set properly.

 

It is the latest version. 

 

"Settings" doesn't show up as the icon just sits there, doing nothing. 

 

        == John ==

@JGwinner 

 

For silent sign-on, refer to the following document.

https://docs.microsoft.com/en-us/onedrive/use-group-policy#SilentAccountConfig

<users who are signed in on a PC that's joined to Azure AD can set up the sync client without entering their account credentials. >

 

For KFM policies, it doesn't need Device Azure joined. But on your side, "Settings" doesn't show 'Backup' as an icon as in the following screenshot. It means that this feature is not activated on this computer.

I assume whether you have enabled <Prevent users from redirecting their Windows known folders to their PC>

[HKLM\SOFTWARE\Policies\Microsoft\OneDrive]
"KFMBlockOptOut"=dword:00000001

 

However, first of all, you could try to use registry to activate it first, then test from GPO side.

https://docs.microsoft.com/en-us/onedrive/use-group-policy#prompt-users-to-move-windows-known-folder...

 

[Screenshot: OneDriveSettings.png]

@WilsonSu I don't necessarily want silent sign on. (I've had to say this like 5 times. Now, ask me again if I have the most recent version, that seems to be asked repeatedly also).

 

I have followed that document.

 

I just want that prompt to come up.

 

The part about Azure AD is mentioned AFTER the prompt for KFM.

 

I've followed all of the prereq's that are listed for KFM, but the prompt never comes up.

 

If people have to manually go hunting for the OneDrive icon and log in, it's hardly something that "Your IT department" has required. It's clearly from a practical standpoint, totally optional, which isn't the intent.

 

In fact, the planning document (PPT) mentions that it's desirable to use the prompted form of KFM move to minimize burst bandwidth.

 

The requirement for Azure AD is only mentioned for silent folder move, which wasn't what we were trying to do.

 

The icons for OneDrive won't come up, because it's not logged in, and there's no prompt to make you log in. So that part doesn't apply. No, I didn't have a GPO that "conflicted". I strictly followed the planning doc.

 

Again, we were trying to do the PROMPTED move. Azure AD is not listed as a requirement for the Prompted Move.

 

So either the docs are broken, or OneDrive is broken.

 

Which is it? What do we do to fix that?

@JGwinner 

Please refer to the above response's screenshot. If you could not find the 'Backup' tab in OneDrive settings, the GPO is not taking effect. You need to try the local registry for testing first.

As in the doc I provided in my last response, you could try the registry for <Prompt KFM> first on your local device to see whether these KFM policies work on the device. Then go further and look at the GPOs.

@WilsonSu 

The OneDrive icon never shows a logged in status.

 

GPO is taking effect. (Please quit contradicting me. Would you like to see the RegEdit screenshots showing the keys are in the registry and set?)

 

Give me a list of registry keys to check, for the GPO, and I'll double check them.

 

What about Azure Dir Sync and SSO?

 

The user is logging in with an account that is set up within Azure Active Directory, and I do have SSO configured. Yet the prompt never comes up.
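
The checks suggested across this thread, collected into one read-only PowerShell script. This is an added example, not part of any post and not Microsoft's code. The value names Desktop, Personal (Documents) and My Pictures are the standard Windows names for the three known folders, and treating any path outside %USERPROFILE% as redirected is an assumption of this example.

```powershell
# Added example: read-only checks; nothing on the machine is modified.
$acct     = 'HKCU:\Software\Microsoft\OneDrive\Accounts\Business1'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$psProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, instead of an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# 1. Per-user marker that stops silent KFM from being triggered a second time.
$done = Get-RegValue $acct 'KfmIsDoneSilentOptIn'
'KfmIsDoneSilentOptIn = {0}' -f $(if ($null -eq $done) { '<not set>' } else { $done })

# 2. Every OneDrive machine policy value actually present (KFMBlockOptOut etc.).
$p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
if ($p) {
    $p.PSObject.Properties | Where-Object { $_.Name -notin $psProps } |
        ForEach-Object { 'policy {0} = {1}' -f $_.Name, $_.Value }
} else { "no policy values under $policy" }

# 3. Known folders pointing outside the profile (server share, mapped drive),
#    the Folder Redirection conflict described in the replies.
foreach ($key in 'Shell Folders', 'User Shell Folders') {
    foreach ($name in 'Desktop', 'Personal', 'My Pictures') {
        $path = Get-RegValue (Join-Path $explorer $key) $name
        if (-not $path) { continue }
        $local = $path.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)
        '{0}\{1} = {2}{3}' -f $key, $name, $path, $(if ($local) { '' } else { '   <-- outside profile' })
    }
}

# 4. Device join state, which the silent sign-on replies depend on.
$m = dsregcmd /status | Select-String -Pattern 'AzureAdJoined\s*:\s*(\w+)' |
    Select-Object -First 1
'AzureAdJoined = {0}' -f $(if ($m) { $m.Matches[0].Groups[1].Value } else { '<not reported>' })
```

Run it as the affected user, not from an elevated session under a different account, because the first and third checks read that user's HKEY_CURRENT_USER hive.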