Now that the Azure side is configured to allow SSO for Office apps, we will proceed with the Group Policy changes for OneDrive. This policy hardens the OneDrive app and restricts users from changing its settings. It also enables Known Folder Move, which redirects Desktop, Documents and Pictures to OneDrive, and uses the Windows credentials to sign in to the app automatically without user input.
Requirement: Obtain the OneDrive ADMX file and place it in the PolicyDefinitions folder so the settings appear under Administrative Templates.
Goal: Modify and set Group Policies for the OneDrive application on on-premises workstations. Lock down the settings and prevent users from editing them. The policies enable SSO so domain users sign in without any manual input, and redirect the local Desktop, Documents and Pictures folders to OneDrive. As with any policy deployment, I recommend creating a security group and filtering the policy to that test group first.
Computer configuration:
Policies > Administrative Templates > OneDrive
| Policy | Setting and notes |
|---|---|
| Allow syncing OneDrive accounts for only specific organizations | Enabled. The tenant ID can be found on the Azure AD overview blade. |
| Enable automatic upload bandwidth management for OneDrive [optional] | Enabled. Upload data in the background only when unused bandwidth is available. |
| Hide the "Deleted files are removed everywhere" reminder [optional] | Enabled |
| Prevent the sync app from generating network traffic until users sign in | Disabled. This setting lets you block the OneDrive sync app (OneDrive.exe) from generating network traffic (checking for updates, etc.) until users sign in to the sync app or start syncing files to the computer. If you disable or do not configure this setting, the OneDrive sync app starts automatically when users sign in to Windows. |
| Prevent users from redirecting their Windows known folders to their PC | Enabled. This setting forces users to keep their Documents, Pictures, and Desktop folders directed to OneDrive and prevents them from moving the folders back to the local user profile. |
| Prevent users from syncing libraries and folders shared from other organizations [optional] | Enabled. If you enable this setting, users will not be able to start syncing a OneDrive for Business or SharePoint library or folder that was shared from an external organization. Any shared libraries or folders already being synced will stop syncing. |
| Require users to confirm large delete operations [optional] | Enabled |
| Set the sync app update ring [optional] | Enabled [Deferred] |
| Silently move Windows known folders to OneDrive | Enabled. This setting lets you redirect known folders to OneDrive without any user interaction. The folders targeted are Desktop, Documents and Pictures. |
| Silently sign in users to the OneDrive sync app with their Windows credentials | Enabled. If you enable this feature, OneDrive.exe will attempt to silently (without user interaction) sign in to the work or school account that was used to sign in to Windows. Note on Azure AD joined devices: the Microsoft article on silent sign-in states that devices must be hybrid Azure AD joined. Believe it or not, it worked on devices that were not hybrid joined in a production environment. To guarantee that SSO works, configuring hybrid join in Azure AD Connect is the safe bet. |
| Use OneDrive Files On-Demand | Enabled. When you turn on Files On-Demand, you still see all your files as online-only files in File Explorer, but they do not take up space. When you are connected to the Internet, you can use the files like every other file on your device; a file is downloaded when you begin to open or edit it. |
Preferences > Windows Settings > Registry
Create a registry value that starts OneDrive at user logon. The path depends on how OneDrive is installed. Since we will be deploying the x64 version of OneDrive as a per-machine installation, the path will be C:\Program Files\Microsoft OneDrive\OneDrive.exe. A per-machine installation lets any user who logs on to the workstation get synced to OneDrive.
Alternative value data, depending on the installation type:
- %userprofile%\AppData\Local\Microsoft\OneDrive\OneDrive.exe if OneDrive is installed per user
- C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe if the 32-bit OneDrive is installed per machine with the onedrivesetup.exe /allusers switch
Properties
| Property | Value |
|---|---|
| Action | Update |
| Hive | HKEY_LOCAL_MACHINE |
| Key path | SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Value name | Onedrive |
| Value type | REG_SZ |
| Value data | C:\Program Files\Microsoft OneDrive\OneDrive.exe |
Options
| Option | Value |
|---|---|
| Stop processing items on this extension if an error occurs on this item | No |
| Remove this item when it is no longer applied | No |
| Apply once and do not reapply | No |
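The Run value above is what launches OneDrive for every user at logon, so it is worth confirming on a test workstation that it points at the file you deployed and nothing else. The following PowerShell check is an added example, not code from the original post: it reads the value, resolves the executable path, and verifies that the file exists and carries a valid Microsoft Authenticode signature. The value name and per-machine path are taken from the tables above; `Test-OneDriveRunEntry` is a name chosen for this example.

```powershell
# Added example (not from the original post): validate the OneDrive autorun entry that the
# Group Policy Preference item above creates. Run on a test workstation after gpupdate /force.
function Test-OneDriveRunEntry {
    param(
        [string]$Key          = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string]$Name         = 'Onedrive',
        [string]$ExpectedPath = 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
    )
    $result = [ordered]@{
        ValuePresent = $false; ResolvedPath = $null; PathMatches = $false
        FileExists   = $false; SignatureValid = $false; Signer = $null
    }

    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if (-not $item) { return [pscustomobject]$result }
    $result.ValuePresent = $true

    # Work out the executable path: a quoted "..." string yields the quoted part; an unquoted
    # string that is itself an existing file is taken whole; otherwise the first token is used.
    $raw  = [string]$item.$Name
    $path = if ($raw -match '^"([^"]+)"') { $Matches[1] }
            elseif (Test-Path -LiteralPath $raw -PathType Leaf) { $raw }
            else { ($raw -split ' ')[0] }
    $result.ResolvedPath = $path
    $result.PathMatches  = ($path -ieq $ExpectedPath)
    $result.FileExists   = Test-Path -LiteralPath $path -PathType Leaf

    if ($result.FileExists) {
        # Only accept a binary whose Authenticode chain is valid and whose signer is Microsoft
        $sig = Get-AuthenticodeSignature -FilePath $path
        $result.Signer         = $sig.SignerCertificate.Subject
        $result.SignatureValid = ($sig.Status -eq 'Valid') -and
                                 ($sig.SignerCertificate.Subject -like '*Microsoft Corporation*')
    }
    return [pscustomobject]$result
}

Test-OneDriveRunEntry | Format-List
```

Because the value data in the table contains spaces but no quotes, the check also accepts the whole string as the path; wrapping the path in quotes in the preference item removes any ambiguity about where the executable name ends.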
User configuration:
Policies > Administrative Templates > OneDrive
| Policy | Setting | Comment |
|---|---|---|
| Allow users to choose how to handle Office file sync conflicts [optional] | Enabled | This setting specifies what happens when there is a conflict between Office file versions during sync. By default, users can decide whether they want to merge changes or keep both copies. |
| Coauthor and share in Office desktop apps [optional] | Enabled | This setting lets multiple users use the Office 365 ProPlus, Office 2019, or Office 2016 desktop apps to simultaneously edit an Office file stored in OneDrive. It also lets users share files from the Office desktop apps. |
| Disable the tutorial that appears at the end of OneDrive Setup [optional] | Enabled | |
| Prevent users from changing the location of their OneDrive folder | Enabled | This setting lets you block users from changing the location of their OneDrive - {organization name} folder during setup of the OneDrive sync app. |
| Prevent users from syncing personal OneDrive accounts | Enabled | |
Windows Components/Internet Explorer/Internet Control Panel/Security Page
| Policy | Setting |
|---|---|
| Site to Zone Assignment List | Enabled. Enter the zone assignments below (zone 1 = Local intranet). |

| Site | Zone |
|---|---|
| https://autologon.microsoftazuread-sso.com | 1 |
| https://aadg.windows.net.nsatc.net | 1 |
| https://enterpriseregistration.windows.net | 1 |
| https://login.microsoftonline.com | 1 |
| https://device.login.microsoftonline.com | 1 |
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
| Policy | Setting |
|---|---|
| Allow updates to status bar via script | Enabled |
| Status bar updates via script (option) | Enable |
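Once the computer and user policies above (and the Site to Zone assignments) are linked, the quickest way to confirm they reached a test workstation is to compare the policy registry locations with what each setting is expected to write. The PowerShell check below is an added example and not part of the original post. The registry value names are the ones Microsoft's OneDrive policy reference publishes, as known to the author of this example; confirm them against the ADMX version you imported. `<TENANT-ID>` is a placeholder for your Azure AD tenant ID, and `Test-OneDrivePolicy` is a name chosen here.

```powershell
# Added example (not the post's own code): after gpupdate /force, report which of the
# expected OneDrive and Site-to-Zone policy values are present on this workstation.
$TenantId = '<TENANT-ID>'   # placeholder: replace with the tenant ID from the Azure AD overview blade
$machine  = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$user     = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'
$zoneMap  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Expected (key, value name, data) triples derived from the policy tables above
$expected = @(
    @{ Key = $machine; Name = 'KFMSilentOptIn';               Value = $TenantId } # Silently move known folders
    @{ Key = $machine; Name = 'KFMBlockOptOut';               Value = 1 }         # Prevent redirecting back to PC
    @{ Key = $machine; Name = 'SilentAccountConfig';          Value = 1 }         # Silent sign-in with Windows credentials
    @{ Key = $machine; Name = 'FilesOnDemandEnabled';         Value = 1 }         # Files On-Demand
    @{ Key = $machine; Name = 'BlockExternalSync';            Value = 1 }         # No libraries from other organizations
    @{ Key = $machine; Name = 'ForcedLocalMassDeleteDetection'; Value = 1 }       # Confirm large delete operations
    @{ Key = $user;    Name = 'DisablePersonalSync';          Value = 1 }         # No personal OneDrive accounts
    @{ Key = $user;    Name = 'DisableCustomRoot';            Value = 1 }         # Fixed OneDrive folder location
    @{ Key = $user;    Name = 'DisableTutorial';              Value = 1 }         # No end-of-setup tutorial
    @{ Key = $user;    Name = 'EnableHoldTheFile';            Value = 1 }         # User chooses how to handle conflicts
    @{ Key = $user;    Name = 'EnableAllOcsiClients';         Value = 1 }         # Coauthor and share in Office apps
)
# Site-to-Zone assignments: value name is the URL, data is the zone number (1 = Local intranet)
foreach ($site in 'https://autologon.microsoftazuread-sso.com',
                  'https://aadg.windows.net.nsatc.net',
                  'https://enterpriseregistration.windows.net',
                  'https://login.microsoftonline.com',
                  'https://device.login.microsoftonline.com') {
    $expected += @{ Key = $zoneMap; Name = $site; Value = '1' }
}

function Test-OneDrivePolicy {
    param([array]$Expected = $expected, [string]$Tenant = $TenantId)
    $rows = foreach ($e in $Expected) {
        $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Key      = $e.Key
            Name     = $e.Name
            Expected = $e.Value
            Actual   = $actual
            # Compare as strings so a REG_DWORD 1 and the literal 1 match
            OK       = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
        }
    }
    # "Allow syncing only specific organizations" is a subkey whose value names are the tenant IDs
    $allowKey     = Join-Path $machine 'AllowTenantList'
    $tenantListed = (Test-Path $allowKey) -and ((Get-Item $allowKey).GetValueNames() -contains $Tenant)
    $rows += [pscustomobject]@{ Key = $allowKey; Name = $Tenant; Expected = '(listed)'; Actual = $tenantListed; OK = $tenantListed }
    return $rows
}

$report = Test-OneDrivePolicy
$report | Format-Table -AutoSize
if ($report.OK -contains $false) {
    Write-Warning 'One or more policy values are missing or differ; review gpresult /h before testing sign-in.'
}
```

Run it in the test user's session so that the HKCU entries reflect the user configuration; a row with OK = False before any sign-in test saves you from chasing an SSO problem that is really a policy that never applied.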
> Immediate Task <
Control Panel > Scheduled Tasks > Immediate Task (At least Windows 7). ** Optional; whether this is needed depends on the environment. Quick Access did not point to the %userprofile%\Desktop folder as I wanted, so I run a PowerShell script that resets the Quick Access pane when the OneDrive.exe file is present.
Task:
| Property | Value |
|---|---|
| Name | Reset-QuickAccess |
| Author | Blue929.com\Admin |
| Description | |
| Run only when user is logged on | InteractiveToken |
| UserId | %LogonDomain%\%LogonUser% |
| Run with highest privileges | LeastPrivilege |
| Hidden | No |
| Configure for | 1.2 |
| Enabled | Yes |
Actions:
| Property | Value |
|---|---|
| Action | Start a program |
| Program/script | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Arguments | -ExecutionPolicy Bypass -noprofile -command "& \\dc2\SYSVOL\BLUE29.COM\scripts\reset-QuickAccess.ps1" |
Conditions and settings:
| Setting | Value |
|---|---|
| Stop if the computer ceases to be idle | No |
| Restart if the idle state resumes | No |
| Start the task only if the computer is on AC power | No |
| Stop if the computer switches to battery power | No |
| Allow task to be run on demand | No |
| Run task as soon as possible after a scheduled start is missed | Yes |
| Stop task if it runs longer than | Immediately |
| If the running task does not end when requested, force it to stop | No |
| If the task is not scheduled to run again, delete it after | Immediately |
| If the task is already running, then the following rule applies | IgnoreNew |
| Stop processing items on this extension if an error occurs on this item | No |
| Run in logged-on user's security context (user policy option) | No |
| Remove this item when it is no longer applied | No |
| Apply once and do not reapply | Yes |
Item-level targeting: File Match
| Attribute | Value |
|---|---|
| bool | AND |
| not | 0 |
| path | C:\Program Files\Microsoft OneDrive\OneDrive.exe |
| type | EXISTS |
| folder | 0 |
> Reset-QuickAccess Script <
```powershell
# The jump list file below holds the user's Quick Access (frequent folders) settings
$quickAccess = "$env:APPDATA\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms"

# Back up the original file before touching it
Copy-Item -Path $quickAccess -Destination "$env:LOCALAPPDATA\temp"

# Removing the file resets the user's Quick Access pane to the defaults [Desktop, Downloads, Documents, Pictures]
Remove-Item -Path $quickAccess -Force
```
Result:
Now that the policies and SSO are configured, it is time to test on a workstation.
On a test machine:
1. Get the OneDrive setup executable (OneDriveSetup.exe) and store it in C:\temp.
2. Open cmd and navigate to C:\temp.
3. Execute OneDriveSetup.exe /allusers.
4. Sign out and sign back in.
The user should automatically get signed into the application and the folders [Desktop, Documents, Pictures] should be synced.

** A second, crossed-out cloud icon points to OneDrive - Personal, which redirects users to the company OneDrive (Blue929.com). There is no harm if the icon appears.
Under File Explorer there should be just one OneDrive path, and it will always redirect users to their company files. The second icon does not stay and disappears after logon.
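Rather than eyeballing the taskbar icon and File Explorer, the sign-in test can be checked from the registry the sync app and the shell write. The following PowerShell script is an added example, not code from the original post: it confirms that OneDrive.exe is running, that a work account was attached without prompting, and that the three known folders now resolve inside that account's sync folder. The `Business1` account key and its `UserEmail` / `UserFolder` values are the ones the sync app writes for the first work account on this author's machines; they are an assumption of this example, and `Test-OneDriveSignIn` is a name chosen here.

```powershell
# Added example (not from the original post): verify silent sign-in and Known Folder Move
# in the test user's session after signing back in.
$accountKey = 'HKCU:\Software\Microsoft\OneDrive\Accounts\Business1'   # assumed first work account key
$shellKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
# Registry value name -> friendly name for the three folders the KFM policy moves
$knownFolders = @{ Desktop = 'Desktop'; Personal = 'Documents'; 'My Pictures' = 'Pictures' }

function Test-OneDriveSignIn {
    $acct    = Get-ItemProperty -Path $accountKey -ErrorAction SilentlyContinue
    $running = [bool](Get-Process -Name OneDrive -ErrorAction SilentlyContinue)

    $result = [ordered]@{
        SyncAppRunning = $running
        SignedIn       = [bool]($acct -and $acct.UserEmail)
        Account        = $acct.UserEmail
        SyncRoot       = $acct.UserFolder
    }

    $shell = Get-ItemProperty -Path $shellKey
    foreach ($name in $knownFolders.Keys) {
        # User Shell Folders values are REG_EXPAND_SZ; expanding again is harmless if the provider already did
        $target = [Environment]::ExpandEnvironmentVariables([string]$shell.$name)
        # A folder counts as redirected only when its path sits under the work account's sync root
        $redirected = $acct.UserFolder -and
                      $target.StartsWith($acct.UserFolder, [StringComparison]::OrdinalIgnoreCase)
        $friendly = $knownFolders[$name]
        $result["${friendly}Path"]       = $target
        $result["${friendly}Redirected"] = [bool]$redirected
    }
    return [pscustomobject]$result
}

Test-OneDriveSignIn | Format-List
```

If SignedIn is True but a folder shows Redirected = False, the move has not completed yet; the sync app performs Known Folder Move after the account is attached, so give it a minute and re-run before concluding that the KFM policy did not apply.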
If the test works, you can finally package and deploy OneDrive to your on-premises workstations with MECM, PDQ Deploy or other tools!
** Troubleshooting and tips
- OneDrive picks up shortcut links outside of the %public% folder. To avoid syncing duplicated shortcuts when signing in on multiple computers, move the shortcuts to the %public% folder (the All Users desktop).
- From testing, SSO breaks if OneDrive is reinstalled a second time. The user then has to sign in manually once after logging on to the machine. This is the only downside. To get OneDrive running again without ANY user input, rebuilding the user's profile is one option.
- If you plan to reinstall OneDrive for troubleshooting, sign the user out of the application before uninstalling. Delete the OneDrive folder under %userprofile% [optional].
- To re-test policies and SSO, reset the policies applied to the test machine by removing the user configuration keys:
  HKEY_CURRENT_USER\Software\Microsoft\onedrive
  HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive
- If a manual sign-in triggers a 1001 error, close OneDrive and sign in again.
- For a hybrid join environment, check the Azure AD PRT and make sure the SSO state has no issue with dsregcmd /status or dsregcmd /debug. The computer must be in an OU that is synced under the Azure AD Connect hybrid join scope. If there is a PRT issue:
  dsregcmd /leave
  dsregcmd /join
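The dsregcmd /status output is long, and the three facts the tips above depend on (domain joined, Azure AD joined, PRT present) are spread across two sections. The PowerShell function below is an added example and not part of the original post: it parses the "Name : Value" lines of that output and reports which of the troubleshooting branches above applies. The sample output embedded in the script is constructed for offline use; on a workstation, feed it the live output instead. `Get-DsregState` is a name chosen for this example.

```powershell
# Added example (not from the original post): summarise dsregcmd /status into the join and
# PRT facts that decide whether silent sign-in can work, and say which tip above applies.

# Constructed sample output (shape only; not captured from a real device)
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : BLUE929
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
      AzureAdPrtUpdateTime : 2024-01-01 00:00:00.000 UTC
'@

function Get-DsregState {
    param([string[]]$Lines)
    # Collect every "Name : Value" line; section banners (+--- / | ... |) contain no colon and are skipped.
    # The name group excludes ':' so the first colon is the separator even when the value has one (timestamps).
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $domainJoined  = $fields['DomainJoined']  -eq 'YES'
    $azureAdJoined = $fields['AzureAdJoined'] -eq 'YES'
    $hasPrt        = $fields['AzureAdPrt']    -eq 'YES'

    # Map the facts onto the troubleshooting tips above; nothing is changed on the device
    $diagnosis = if (-not $domainJoined)     { 'Device is not domain joined.' }
                 elseif (-not $azureAdJoined) { 'Hybrid join incomplete: check that the computer OU is in the Azure AD Connect sync scope.' }
                 elseif (-not $hasPrt)        { 'Joined but no PRT: SSO will fail; re-register with dsregcmd /leave then dsregcmd /join as described above.' }
                 else                         { 'Hybrid joined with a valid PRT; silent sign-in should work.' }

    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureAdJoined
        AzureAdPrt    = $hasPrt
        Diagnosis     = $diagnosis
    }
}

# Offline demonstration on the constructed sample (expected: joined both ways, no PRT)
Get-DsregState -Lines ($sampleStatus -split "`r?`n") | Format-List

# On a real workstation, in the user's session:
# Get-DsregState -Lines (dsregcmd /status)
```

Because the PRT is issued per user, run the live check in the session of the user whose OneDrive sign-in is failing, not from an elevated admin console under another account.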
Sources:
- Release notes for OneDrive:
- Troubleshoot SSO with dsregcmd: https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd
- SSO setup options (PRT or seamless SSO): https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-sso
- Azure Seamless SSO: https://lazyadmin.nl/it/setting-up-single-sign-on-sso-with-azure-ad-connect/
- https://learn.microsoft.com/en-us/sharepoint/use-silent-account-configuration
