OneDrive for Business | Known folder silently redirection not work


Hi Everyone,

 

Recently, one of my customers ran into an issue with "Silently move Windows known folders to OneDrive".

When we configured the correct registry entries on the local machine following the KB below, the policy did not work as expected, and there was no folder redirection policy or <Prohibit User from manually redirecting Profile Folders> policy in the Group Policy Result.

Official Document: https://docs.microsoft.com/en-us/onedrive/use-group-policy#silently-move-windows-known-folders-to-on...

 

The root cause is that the silent KFM function is only triggered the first time; this is meant to avoid repeating the request every time OneDrive is opened. It has a corresponding registry value, <KfmIsDoneSilentOptIn>, under "Computer\HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1".

 

Here is the solution.
1. Delete the registry value at the path below:

Path: Computer\HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1
Value: KfmIsDoneSilentOptIn (data: 2)

2. Close OneDrive and open it again.
3. You will see that the "Silent KFM" notification automatically starts to work again.
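For admins who want to check this state without hand-editing the registry, here is an added PowerShell helper (not from the original post) that lists whatever OneDrive policy values the GPO has written under HKLM, reports the KfmIsDoneSilentOptIn marker for each signed-in Business account, and with -Reset clears the marker and restarts OneDrive so silent KFM runs again. The per-user OneDrive.exe location is an assumption.

```powershell
# Added example, not from the thread: inspect and optionally reset the silent KFM state.
function Get-KfmState {
    [CmdletBinding()]
    param(
        [switch]$Reset   # clear KfmIsDoneSilentOptIn and restart OneDrive
    )

    # GPO-written OneDrive policy values live here; per the thread, the key is
    # normally absent until some OneDrive policy has been configured.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    if (Test-Path $policyPath) {
        $policy = Get-Item -Path $policyPath
        foreach ($name in $policy.GetValueNames()) {
            $flag = if ($name -like 'KFM*') { ' (KFM policy)' } else { '' }
            Write-Output ("Policy {0} = {1}{2}" -f $name, $policy.GetValue($name), $flag)
        }
    } else {
        Write-Output 'No OneDrive policy key present: the GPO has not written anything to this machine.'
    }

    # Per-account sync state; KfmIsDoneSilentOptIn marks that silent KFM already ran once.
    $accounts = Get-ChildItem -Path 'HKCU:\Software\Microsoft\OneDrive\Accounts' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Business*' }
    if (-not $accounts) {
        Write-Output 'No Business account is signed in to OneDrive; KFM cannot trigger until sign-in succeeds.'
        return
    }

    foreach ($acct in $accounts) {
        $done = $acct.GetValue('KfmIsDoneSilentOptIn')
        if ($null -eq $done) {
            Write-Output ("{0}: marker absent, silent KFM will run on next OneDrive start." -f $acct.PSChildName)
        } else {
            Write-Output ("{0}: KfmIsDoneSilentOptIn = {1}, silent KFM will not run again." -f $acct.PSChildName, $done)
            if ($Reset) {
                Remove-ItemProperty -Path $acct.PSPath -Name 'KfmIsDoneSilentOptIn'
                Write-Output ("{0}: marker removed." -f $acct.PSChildName)
            }
        }
    }

    if ($Reset) {
        # Restart OneDrive so it re-evaluates the KFM policy (steps 2 and 3 of the post).
        Get-Process -Name OneDrive -ErrorAction SilentlyContinue | Stop-Process -Force
        $exe = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'  # assumed per-user install path
        if (Test-Path $exe) { Start-Process -FilePath $exe -ArgumentList '/background' }
    }
}
Get-KfmState            # report only; run Get-KfmState -Reset to clear the marker
```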

27 Replies

@JGwinner 

[HKLM\SOFTWARE\Policies\Microsoft\OneDrive]"KFMOptInWithWizard"="1111-2222-3333-4444"

(the number is your tenant ID; only users in this tenant are affected)

https://docs.microsoft.com/en-us/onedrive/use-group-policy#KFMOptInWithWizard

 

By default, there should be no registry values in this location until you have configured other OneDrive GPOs or keys.

 

KFM is not related to Azure Dir Sync or SSO. Normally, if the GPO takes effect, when you sign in to your O365 account in the device's OneDrive, it will pop up the start backup interface.

@WilsonSu 

 

The "Backup" tab won't show up because no one is logged in. This is a basic cart before the horse.

 

THAT is the problem. Nothing is triggering OneDrive to log in.

 


@WilsonSu wrote:

@JGwinner 

Please refer to the screenshot in the response above. If you cannot find the 'Backup' tab in OneDrive settings, the GPO is not taking effect. You need to try the local registry for testing first.

 

As in the doc I provided in my last response, you could try the <Prompt KFM> registry entry first on your local device to see whether these KFM policies work on the device, then go further with the GPOs.


Again (we keep going in circles), the GPOs are being applied correctly, and the registry keys are there.

 

Let me tell you what happened. We gave up on Microsoft. I had a junior developer run around and just have everyone right click on the icon and log in manually.

 

This is crazy.

 

The whole idea behind SSO, AAD Sync, and OneDrive was that when a person logs in to the desktop, it seamlessly stores the files in the cloud.

 

This way, we can mandate that documents are backed up.

 

Right now, the user can just click out of it, or forget to click on the icon and log in.

 

The other way to do this would be to use Folder Redirection to a file server and set up Azure Files on the file server, but that seems laborious, and the user can't get to the files quite as easily from off-prem.

 

Other documented articles and GitHub issues show that the login should occur automatically, but there was some confusion on the level of AAD required. They said the auto-login would work, but having to both AAD join and AD join the machine seemed redundant. I expected to find out what version of AAD was needed (free, P1, etc), not be told I need to send a guy around via SneakerNet to make sure it's all done.

 

It's funny ... I thought we'd outgrown Sneaker net :)

 

== John ==

 

 

@JGwinnerTrio 

 

Sorry for the bad experience.

 

The issue is the sequence. I should have suggested you open an O365 ticket in the first place; then you could do the GPO configuration with the support engineer with the right understanding.

 

From my perspective, this GPO, <Known folder silently redirection> as in the title, assumes the users have already logged in to OneDrive for Business on their desktop; otherwise this GPO has no effect on anything. I checked the comments you left here before; all in all, you should solve the <Silent Sign in> first. As in my earlier reply, it needs the PC to be Azure joined. Meanwhile, please note that this is OneDrive for Business: the users should log in to your tenant accounts' OneDrive, not a personal one. (In the process, you also enter your tenant ID; it can only match the corresponding users in this tenant.) After the users log in to their OneDrive, the KFM GPO can take effect.

 

In short, the symptom you are seeing now is not only related to this OneDrive GPO, but to the whole structure as designed and to some prerequisites of the KFM GPO. I would suggest opening an O365 ticket for advice.

The whole idea with GPO is to set things up automatically.

In many cases, there are no users already logged in.

Think of a brand new employee sitting down, starting their first day. They don't know what to do!

IF you are telling me that OneDrive requires a user to log in, that would be one thing, but the documentation implies that auto login will work via SSO. So, even though we have Active Directory, we also need Azure Active Directory joining? The documentation implies that you don't need AAD if you have AD.

>>it needs PC Azure joined<<

Ok. I can move on from there. But WHICH Azure AD do we have to purchase? Or will the free one work?

This has been asked about 3 or 4 times, and still no answer. I was told to post a note here or on MSDN about which Azure AD we need.

Sorry for switching accounts earlier, that was my client Azure Admin account.

== John ==


@JGwinnerTrio 

 

Ohh, it is a billing question. I am not sure about that, but I know that with F1/E3/E5, when you grant one of these three licenses to an account in your O365 AAD, the account will auto-generate a OneDrive for Business. <Please note it never points to personal OneDrive.>

 

Then, let me give you the exact scenario for the silent sign-in GPO without the PC being Azure joined. The devices are not Azure AD joined, but AD joined. When a new user comes on board, you could ask them to log in to <School and Work Account> in the system with their O365 (Azure AD) account. After a restart, the auto sign-in GPO can work. (However, this step is not easier than logging in to OneDrive directly.) Otherwise, you could also make a GPO that lets OneDrive become an auto-start application when the PC starts. Then it will pop up a login interface that asks the user to log in when they first use the PC.

@WilsonSu 

Thank you for sticking with it!

 

 


@WilsonSu wrote:

 

Then, let me give you the exact scenario for the silent sign-in GPO without the PC being Azure joined. The devices are not Azure AD joined, but AD joined. When a new user comes on board, you could ask them to log in to <School and Work Account> in the system with their O365 (Azure AD) account. After a restart, the auto sign-in GPO can work. (However, this step is not easier than logging in to OneDrive directly.)


Understood, both of those scenarios do work, but again, the user might not do it, then we have a security risk (as there's no telling where their documents are going).

 

This is an ISO company, so we're sensitive to procedure that can be subverted.

 


@WilsonSu wrote:

Otherwise, you could also make a GPO that lets OneDrive become an auto-start application when the PC starts. Then it will pop up a login interface that asks the user to log in when they first use the PC.


 

Actually, it doesn't, or at least on none of our machines. OneDrive does autostart, but it shows "not logged in". If someone logs in at least once, it will auto-logon and do the redirection, but if no one logs in, it just sits there.

 

Unless there's a GPO that wasn't documented, but I went through all of them.

 

Thanks for trying to help. We'll just have to do sneakernet.

 

== John ==

@WilsonSu
I know this is an old post, but I am hoping someone has seen this in the past.

I am having a similar issue.
KFM is working perfectly for computers that are joined to an on-prem AD domain.

For computers that are hybrid Azure AD joined, KFM does not work.

dsregcmd /status shows AzureAdJoined: Yes. However, accessing O365 does not auto sign-in.

I have disabled "Silently sign in users to OneDrive sync app with their Windows credentials"; however, OneDrive does not open for users to sign in.

Any thoughts on what I am overlooking or what the issue might be?

Thanks,

@NAMGuy Some ideas for your reference:

a. KFM and silent sign-in are two different functions. First of all, we need to ensure that the account logs in successfully; then KFM can be triggered, whether manually or by registry key/GPO.

 

b. OneDrive auto sign-in needs the 'Silently sign in users to OneDrive sync app with their Windows credentials' policy. However, since you disabled it, you need to sign out of OneDrive on the machines first, because OneDrive stores the credential; if we do not sign out, OneDrive keeps using this credential until the password is changed.

c. If we sign out of the account but still fail to sign in to OneDrive via the pop-up window, it should be an identity issue: somehow the authentication process fails.