OneDrive for Business | Known folder silently redirection not work
Another thing to check is whether your OneDrive application is the latest version and whether the "Backup" tab is shown in the 'Settings' interface. If it is, the most likely possibility is some conflict with other GPOs.
To get silent sign-on, it is better to make the devices both domain joined and Azure joined. Or you could also log in to O365 via <Access work or school account> in the system settings. Then you will be logged in automatically at the next restart.
For Azure-joined devices, you could refer to the following document.
https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan
WilsonSu Thanks, someone split this to another topic.
On the Azure Joined point, this is not mentioned anywhere in the docs. Is this a new requirement?
There were no GPO conflicts. All the keys are set properly.
It is the latest version.
"Settings" doesn't show up as the icon just sits there, doing nothing.
== John ==
- JGwinnerTrio, Oct 24, 2019 (Copper Contributor)
Thank you for sticking with it!
WilsonSu wrote: Then, let me give you the exact scenario for the silent sign-on GPO without the PC being Azure joined. The devices are not Azure AD joined, but AD joined. When a new user has just come on board, you could ask them to log in to <School and Work Account> in the system with their O365 (Azure AD) account. After a restart, the auto-sign-in GPO could work. (However, this step is not easier than logging in to OneDrive directly.)
Understood, both of those scenarios do work, but again, the user might not do it, then we have a security risk (as there's no telling where their documents are going).
This is an ISO company, so we're sensitive to procedure that can be subverted.
WilsonSu wrote: Otherwise, you could also make a GPO which makes OneDrive an auto-start application when the PC starts. Then it will pop up a login interface which asks users to log in when they first use their PCs.
Actually, it doesn't, or at least on none of our machines. OneDrive does autostart, but it shows "not logged in". If someone logs in at least once, it will auto-logon and do the redirection, but if no one logs in, it just sits there.
Unless there's a GPO that wasn't documented, but I went through all of them.
Thanks for trying to help. We'll just have to do sneakernet.
== John ==
- WilsonSu, Oct 24, 2019 (Microsoft)
Ohh, it is a billing question. I am not sure about that, but I know about F1/E3/E5: when you grant one of these three licenses to an account in your O365 AAD, the account will auto-generate a OneDrive for Business for this account. <Please note it never points to personal OneDrive.>
Then, let me give you the exact scenario for the silent sign-on GPO without the PC being Azure joined. The devices are not Azure AD joined, but AD joined. When a new user has just come on board, you could ask them to log in to <School and Work Account> in the system with their O365 (Azure AD) account. After a restart, the auto-sign-in GPO could work. (However, this step is not easier than logging in to OneDrive directly.) Otherwise, you could also make a GPO which makes OneDrive an auto-start application when the PC starts. Then it will pop up a login interface which asks users to log in when they first use their PCs.
- JGwinnerTrio, Oct 24, 2019 (Copper Contributor)
The whole idea with GPO is to set things up automatically.
In many cases, there are no users already logged in.
Think of a brand new employee sitting down, starting their first day. They don't know what to do!
IF you are telling me that OneDrive requires a user to log in, that would be one thing, but the documentation implies that auto login will work via SSO. So, even though we have Active Directory, we also need Azure Active Directory joining? The documentation implies that you don't need AAD if you have AD.
>>it needs PC Azure joined<<
Ok. I can move on from there. But WHICH Azure AD do we have to purchase? Or will the free one work?
This has been asked about 3,4 times, and still no answer. I was told to post a note here or in MSDN about which Azure AD we need.
Sorry for switching accounts earlier, that was my client Azure Admin account.
== John ==
- WilsonSu, Oct 24, 2019 (Microsoft)
Sorry for the bad experience.
The issue is the sequence. I should have suggested you open an O365 ticket in the first place. Then you could do the GPO configuration with the support engineer with the right understanding.
From my perspective, this GPO <Known folder silently redirection>, as in the title, depends on the users having logged in to their OneDrive for Business on their desktop. Otherwise this GPO has no impact on anything. I checked the comments you left here before; all in all, you should solve the <Silent Sign in>. As in my former reply, it needs the PC to be Azure joined. Meanwhile, please note that it is OneDrive for Business; the users should log in to your tenant accounts' OneDrive, not personal. (In the process, you also input your tenant ID; it can only match the corresponding users in this tenant.) After the users log in to their OneDrive, the KFM GPO can take effect.
In short, the symptom you are seeing now is related not only to this OneDrive GPO, but to the whole structure as designed and some prerequisites for the KFM GPO. I would suggest opening an O365 ticket for advice.
- JGwinnerTrio, Oct 23, 2019 (Copper Contributor)
The "Backup" tab won't show up because no one is logged in. This is a basic cart before the horse.
THAT is the problem. Nothing is triggering OneDrive to log in.
WilsonSu wrote: Please refer to the screenshot in the above response. If you cannot find the 'Backup' tab in OneDrive settings, the GPO is not taking effect. You need to try the local registry for testing first.
As in the doc I provided in my last response, you could try the registry setting for <Prompt KFM> first on your local device to see whether these KFM policies work on the device. Then go further and look at the GPOs.
Again (we keep going in circles) the GPOs are being applied correctly, and the registry keys are there.
Let me tell you what happened. We gave up on Microsoft. I had a junior developer run around and just have everyone right click on the icon and log in manually.
This is crazy.
The whole idea behind SSO, AAD Sync, and OneDrive was that when a person logs in to the desktop, it seamlessly stores the files in the cloud.
This way, we can mandate that documents are backed up.
Right now, the user can just click out of it, or forget to click on the icon and log in.
The other way to do this would be to use Folder Redirection to a file server, and set up Azure Files on the file server, but that seems laborious, and the user can't get to them quite as easily from off-prem.
Other documented articles and GitHub issues show that the login should occur automatically, but there was some confusion on the level of AAD required. They said the auto-login would work, but having to both AAD join and AD join the machine seemed redundant. I expected to find out what version of AAD was needed (free, P1, etc), not be told I need to send a guy around via SneakerNet to make sure it's all done.
It's funny ... I thought we'd outgrown Sneaker net 🙂
== John ==
- WilsonSu, Oct 09, 2019 (Microsoft)
[HKLM\SOFTWARE\Policies\Microsoft\OneDrive]"KFMOptInWithWizard"="1111-2222-3333-4444"
(number is your tenant ID, only the users in this tenant could take effect)
https://docs.microsoft.com/en-us/onedrive/use-group-policy#KFMOptInWithWizard
By default, there should be no registry values in this location until you have configured other OneDrive GPOs or keys.
KFM is not related to Azure Dir Sync and SSO. Normally, if the GPO takes effect, when you sign in to your O365 account in the device's OneDrive, it will pop up the start backup interface.
- JGwinner, Oct 07, 2019 (Copper Contributor)
The OneDrive icon never shows a logged in status.
GPO is taking effect. (Please quit contradicting me. Would you like to see the RegEdit screenshots showing the keys are in the registry and set?)
Give me a list of registry keys to check, for the GPO, and I'll double check them.
What about Azure Dir Sync and SSO?
The user is logging in with an account that is set up within Azure Active Directory, and I do have SSO configured. Yet the prompt never comes up.
- WilsonSu, Oct 07, 2019 (Microsoft)
Please refer to the screenshot in the above response. If you cannot find the 'Backup' tab in OneDrive settings, the GPO is not taking effect. You need to try the local registry for testing first.
As in the doc I provided in my last response, you could try the registry setting for <Prompt KFM> first on your local device to see whether these KFM policies work on the device. Then go further and look at the GPOs.
- JGwinner, Oct 07, 2019 (Copper Contributor)
WilsonSu I don't necessarily want silent sign on. (I've had to say this like 5 times. Now, ask me again if I have the most recent version, that seems to be asked repeatedly also).
I have followed that document.
I just want that prompt to come up.
The part about Azure AD is mentioned AFTER the prompt for KFM.
I've followed all of the prereq's that are listed for KFM, but the prompt never comes up.
If people have to manually go hunting for the OneDrive icon and log in, it's hardly something that "Your IT department" has required. It's clearly from a practical standpoint, totally optional, which isn't the intent.
In fact, the planning document (PPT) mentions that it's desirable to use the prompted form of KFM move to minimize burst bandwidth.
The requirement for Azure AD is only mentioned for silent folder move, which wasn't what we were trying to do.
The icons for OneDrive won't come up, because it's not logged in, and there's no prompt to make you log in. So that part doesn't apply. No, I didn't have GPO that "conflicted" I strictly followed the planning doc.
Again, we were trying to do the PROMPTED move. Azure AD is not listed as a requirement for the Prompted Move.
So either the docs are broken, or one drive is broken.
Which is it? What do we do to fix that?
- WilsonSu, Oct 07, 2019 (Microsoft)
For silent sign-on, refer to the following document.
https://docs.microsoft.com/en-us/onedrive/use-group-policy#SilentAccountConfig
<users who are signed in on a PC that's joined to Azure AD can set up the sync client without entering their account credentials. >
For KFM policies, the device doesn't need to be Azure joined. But on your side, "Settings" doesn't show 'Backup' as an icon as in the following screenshot. It means that this feature is not activated on this computer.
I assume whether you have enabled <Prevent users from redirecting their Windows known folders to their PC>
[HKLM\SOFTWARE\Policies\Microsoft\OneDrive]"KFMBlockOptOut"="dword:00000001"
However, first of all, you could try to use the registry to activate it first, then test from the GPO side.
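
Added example (not from either poster and not Microsoft's own script): a PowerShell check that reports, in one table, the OneDrive policy values, device join state and sign-in state this thread keeps returning to. `KFMSilentOptIn` is the documented silent-move value the thread does not name, the tenant ID is the thread's placeholder, and the per-user `Accounts\Business1` key is an assumption about where the sync client records a signed-in work account.

```powershell
# Added example. Run on an affected PC in the affected user's session.
param(
    # Placeholder tenant ID as written in the thread; replace with your own.
    [string]$ExpectedTenantId = '1111-2222-3333-4444'
)

$policyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$tenantScoped = 'KFMOptInWithWizard', 'KFMSilentOptIn'   # value data is a tenant ID
$flags        = 'KFMBlockOptOut', 'SilentAccountConfig'  # value data is DWORD 1

$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

# One row per policy value: is it set, and does it hold what we expect?
$report = @(foreach ($name in $tenantScoped + $flags) {
    $present = ($null -ne $policy) -and ($policy.PSObject.Properties.Name -contains $name)
    $value = if ($present) { $policy.$name } else { $null }
    $note = if (-not $present) {
        'not set'
    } elseif ($name -in $tenantScoped -and $value -ne $ExpectedTenantId) {
        'tenant ID mismatch'
    } elseif ($name -in $flags -and $value -ne 1) {
        'not enabled'
    } else { 'ok' }
    [pscustomobject]@{ Setting = $name; Value = $value; Note = $note }
})

# Device join state, parsed from dsregcmd /status lines such as "AzureAdJoined : YES".
$dsreg = & dsregcmd.exe /status 2>$null
foreach ($key in 'AzureAdJoined', 'DomainJoined') {
    $hit = $dsreg | Select-String -Pattern "^\s*$key\s*:\s*(\S+)" | Select-Object -First 1
    $state = if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'unknown' }
    $report += [pscustomobject]@{ Setting = $key; Value = $state; Note = '' }
}

# Assumption: a signed-in work account is recorded under this per-user key.
$acct = Get-ItemProperty 'HKCU:\Software\Microsoft\OneDrive\Accounts\Business1' -ErrorAction SilentlyContinue
$signedIn = [bool]($acct -and $acct.UserEmail)
$report += [pscustomobject]@{
    Setting = 'OneDriveBusinessSignedIn'
    Value   = $signedIn
    Note    = if ($signedIn) { '' } else { 'KFM policies wait for a sign-in' }
}

$report | Format-Table -AutoSize
```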