Oct 12 2017 12:48 PM
Hi,
In reference to:
(Preview) Silently configure OneDrive using Windows 10 or domain credentials
I have a few questions;
The article states that "This policy lets you configure the OneDrive sync client silently using the primary Windows account on Windows 10, and domain credentials on Windows 7 and later."
What is a primary Windows account on Windows 10? I have a Win 10 machine and I sign in using a domain account.
I created the registries for EnableADAL and SilentAccountConfig, restarted the sync client and also the machine.
This does not sign me in to my account automatically. Is there something I am missing?
I noticed a few things after adding the registries:
1. There's a new file added under C:\Users\username\AppData\Local\Microsoft\OneDrive\settings called PreSignInSettingsConfig.json
2. Every time I launch the OneDrive app and the sign-in screen appears, it creates a new update file at:
C:\Users\username\AppData\Local\Microsoft\OneDrive\setup\logs and the contents of the file say it's trying to refer to the .json file mentioned in 1.
I am not sure what I am doing wrong; any help would be appreciated.
Nov 21 2017 05:25 AM
@Avian 1 I forgot the link sorry, https://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp
Nov 21 2017 10:59 PM - edited Dec 03 2017 10:51 PM
Priyank
Whenever a user enters his UPN on any Office 365 site (OWA/SP/OneDrive), it redirects to SiteMinder to validate authentication, and then he is validated and logged in automatically. I think here is the problem: after installing OneDrive, it is not automatically logging in, so it is probably not getting any endpoint.
I am attaching a Fiddler screenshot for your reference.
Can you please share a screenshot of your machine's registry if possible? I want to compare it with my registry; maybe I am missing something.
Let me know what else I need to check.
Dec 14 2017 06:56 AM
After setting the ADAL registry key as noted in the original deployment article, and setting the silentaccountconfig reg key, I can ONLY get this to work if my domain users perform "Add a work or school account" first.
If I remove the work account from this domain computer, the silentconfig of onedrive is now broken, and useless.
The entire feature is actually useless if all users need to manually perform the "add work account" process. This process so far.... is not actually silent until we can truly simply use the domain credential, or if there is a way to automate the "add work account" process.
Jan 25 2018 11:01 AM
We were advised that the version of OneDriveSetup.exe must be at least 17.3.7073.1013 or later (10/26/2017) in order for the silent configuration to work. We have been upgrading the OneDriveSetup.exe in C:\Windows\SysWOW64 in order to force this to work, and it has. We are searching for more effective ways to include the updated setup in our image.
Jan 25 2018 04:25 PM
Jan 25 2018 06:30 PM - edited Jan 25 2018 11:28 PM
Hi Tom
Just making the changes in the registry and copying OneDriveSetup.exe to C:\Windows\SysWOW64 is not working; I might be missing some steps.
Can you please share the steps you implemented?
I am using the latest client build, 17.3.1076.1026.
Avian
Jan 26 2018 07:19 AM - edited Jan 26 2018 07:21 AM
We are using two group policies, one for computer, and one for user settings.
The User policy sets the "default location for the OneDrive folder," and includes the tenant GUID of our OneDrive. It also "prevents users from changing the location of their OneDrive folder" (which also includes the tenant GUID). This policy also contains a preference to set the EnableADAL registry value (DWORD:0x1) in HKCU\Software\Microsoft\OneDrive.
The Computer policy sets the "Silently configure OneDrive using the primary Windows account," sets the "Allow synching OneDrive Accounts for only specific organizations" (includes the tenant GUID), and also sets the "maximum size of a user's OneDrive" (and also includes the tenant GUID).
You should check the version of the OneDrive policy templates you are using to ensure they are also as recent as the OneDriveSetup.exe. Earlier versions did not incorporate the tenantGUID in the policy editor.
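A pre-flight check for the prerequisites named in the posts above (minimum OneDriveSetup.exe build, EnableADAL, SilentAccountConfig), as an added PowerShell example that is not part of the thread. The HKLM policy path for SilentAccountConfig is not given in the thread and is assumed here; the function names are hypothetical.

```powershell
# Added example, not from the thread: checks the prerequisites posters name for silent config.
$minVersion = [version]'17.3.7073.1013'                          # minimum build quoted in the thread
$setupPath  = Join-Path $env:windir 'SysWOW64\OneDriveSetup.exe'  # installer location used in the thread

# Expected values. The EnableADAL path is from the thread; the SilentAccountConfig
# path is an assumption (machine policy location, not stated in the thread).
$expected = @(
    @{ Path = 'HKCU:\Software\Microsoft\OneDrive';          Name = 'EnableADAL';          Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'; Name = 'SilentAccountConfig'; Value = 1 }
)

function Test-OneDriveSetupVersion {
    param([string]$Path, [version]$Minimum)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Check = 'OneDriveSetup.exe version'; Found = 'file missing'
                                  Expected = ">= $Minimum"; Ok = $false }
    }
    # Build the version from its numeric parts; the FileVersion string can carry extra text.
    $vi    = (Get-Item -LiteralPath $Path).VersionInfo
    $found = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{ Check = 'OneDriveSetup.exe version'; Found = "$found"
                       Expected = ">= $Minimum"; Ok = ($found -ge $Minimum) }
}

function Test-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # A missing key or value yields $null instead of an error.
    $item  = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    $found = if ($null -eq $item) { 'not set' } else { $item.$Name }
    [pscustomobject]@{ Check = "$Path\$Name"; Found = "$found"
                       Expected = "$Value"; Ok = ("$found" -eq "$Value") }
}

$report  = @(Test-OneDriveSetupVersion -Path $setupPath -Minimum $minVersion)
$report += $expected | ForEach-Object {
    Test-RegistryDword -Path $_.Path -Name $_.Name -Value $_.Value
}
$report | Format-Table -AutoSize -Wrap
```

Run it in the affected user's own session so that HKCU resolves to that user's hive; a row showing "not set" for a value that gpresult reports as applied points at the policy not reaching the registry.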
Jan 29 2018 06:19 AM
Jaffer, absolutely. Along with a place to store files, OneDrive provides easier access, co-authoring and versioning typically not found on file shares.
Jan 29 2018 05:57 PM
Jan 30 2018 10:41 AM
Thanks for clarification Justin.
I will wait until OneDrive silent authentication starts supporting MFA.
Feb 13 2018 10:24 AM
@Justin Holloman wrote:
Hi Avian,
I think I have confirmed that the silent config is not compatible with MFA. I was playing around with this all day and couldn't get it to work. Then I turned off MFA on my test account and just like that the silent config started working. Unfortunately, that means I won't be able to use this feature in my org, as MFA is a requirement. Hope this helps shed some light on your troubles.
Justin
Justin,
Try whitelisting your work's public IP address in your MFA policy. That should allow the feature to work as MFA would essentially be off inside your network due to the whitelist. MFA would still be required when users log in while outside your network though.
I just started looking into the silent config feature myself so haven't even started testing it yet. However, we already have whitelisting for MFA setup and it works great. Instances where MFA can get in the way are no longer an issue, so long as the user or device is in the building.
Hope this helps.
Feb 14 2018 04:22 PM
Feb 15 2018 07:24 AM
Feb 27 2018 07:17 AM
Anyone made some progress?
Feb 27 2018 10:16 AM
Feb 27 2018 11:25 PM
Does anybody know what Microsoft means by the primary Windows account in the setting "Silently configure OneDrive using the primary Windows account"?
The name of that setting was "Silently configure OneDrive using Windows 10 or domain credentials" - so do they still support using domain credentials?
I'm not able to get this setting working - we use Azure AD Connect to put our local domain users to Azure AD and Office365.
Feb 28 2018 12:06 AM
I'm on the exact same page you're stuck at.
Our config:
ADFS internal, Netscaler as WAP external
Internal clients receive the internal ADFS IP from DNS
STS is in trusted zone
I got the population working by starting:
"C:\Program Files\internet explorer\iexplore.exe" odopen://sync?useremail=<email>
because using %LocalAppdata%\Microsoft\OneDrive\OneDrive.exe odopen://sync?useremail=<email> does not populate
Still, users are required to hit the login button... that's where I'm stuck.
Feb 28 2018 01:38 AM
What I got so far: SSO working
Got adsync running sso enabled for Office..
Computer\Policies\Administrative Templates\Onedrive

| Policy | State | Additional settings |
|---|---|---|
| Allow syncing OneDrive accounts for only specific organizations | Enabled | Tenant GUID: <removed> |
| Enable OneDrive Files On-Demand | Enabled | |
| Prevent OneDrive from generating network traffic until the user signs in to OneDrive | Enabled | |
| Silently configure OneDrive using the primary Windows account | Enabled | |
| The maximum size of a user's OneDrive for Business before they will be prompted to choose which folders are downloaded | Enabled | Tenant Path: <removed>; Value: 50000 |

User\Policies\Administrative Templates\Onedrive

| Policy | State | Additional settings |
|---|---|---|
| Coauthoring and in-app sharing for Office files | Enabled | |
| Delay updating OneDrive.exe until the second release wave | Enabled | |
| Prevent users from changing the location of their OneDrive folder | Enabled | Tenant Path: <removed>; Value: 1 |
| Prevent users from synchronizing personal OneDrive accounts | Enabled | |
| Prevent users from using the remote file fetch feature to access files on the computer | Enabled | |
| Set the default location for the OneDrive folder | Enabled | Tenant Path: <removed>; Value: %UserProfile% |
| Users can choose how to handle Office files in conflict | Enabled | |

Sts-adfs in trusted zone. EnableADAL off (0)
Configuration in ADFS
"/adfs/services/trust/13/windowstransport": Enabled
However, this is only internal; externally this is disabled.
The users use a different UPN Suffix than the Domain Name.
The email address is populated when I start OneDrive with:
"C:\Program Files\internet explorer\iexplore.exe" odopen://sync?useremail=<email>
The email address is not populated when I start OneDrive with:
%LocalAppdata%\Microsoft\OneDrive\OneDrive.exe odopen://sync?useremail=<email>
However, still the users need to hit the Login button. Anyone stuck, feel free to duplicate my settings and try to fix the Login automation.
Mar 09 2018 12:24 AM - edited Mar 11 2018 04:24 AM
Hi,
Does anyone have an idea why the GPO is not applied to the registry?
I tried to run gpresult /H result.html and it seems the GPO is applied to the machine, but it is not applied in the registry.
Mar 12 2018 02:32 AM
Does anybody know if we need an Azure AD Sync with an ADFS infrastructure or if Azure AD Sync with Password Sync will work as well? I'm still not able to get this working ...