Configuring the OneDrive sync app basics for Windows devices

This week is all about configuring the OneDrive sync app basics for Windows devices. The main component for accessing OneDrive for Business content on Windows devices, is the OneDrive sync app. By default the OneDrive sync app is available on Windows devices and installed per user. In this post I’ll have a look at the installation of the OneDrive sync app and the basic configuration that I think that should be applied to get the best user experience. All by using Microsoft Intune for managing the Windows devices. I’ll end this post by having a quick look at the configuration on the Windows device.

OneDrive sync app installation

The first thing that should be addressed is the installation of the OneDrive sync app. By default, the OneDrive sync app is available on Windows devices and installs per user. That means that the OneDrive sync app will be installed in the %localappdata% directory, for each user that signs in on the Windows device. That’s not always the most optimal method for addressing the OneDrive sync app installation, as it also often means that during the initial sign in of the user, an update of the OneDrive sync app will be downloaded and installed. To address that, especially on shared and multi-user devices, I like to install the OneDrive sync app with the per-machine installation option. That effectively means that the OneDrive sync app will be installed in the %Program Files% directory (keep in mind that it’s a 32-bit app) and that will make sure that all profiles on the Windows device will use the same OneDrive binaries. Besides the installation location, the behavior of OneDrive is similar.

To make sure that the OneDrive sync app is up-to-date during the initial sign in of to user – to make sure that the different available policies will apply immediately an that conditional access will work – the OneDrive sync app should be up-to-date after provisioning the device. Ideally during the Out-of-the-Box experience (OOBE), with or without using Windows Autopilot. That can be achieved by using a simple PowerShell script, of which an example is shown below.

#Download OneDrive per-machine installer
$downloadLocation = "https://go.microsoft.com/fwlink/?linkid=844652"
$downloadDestination = "$($env:TEMP)\OneDriveSetup.exe"
$webClient = New-Object System.Net.WebClient
$webClient.DownloadFile($downloadLocation, $downloadDestination)

#Run OneDrive per-machine installer
$installProcess = Start-Process $downloadDestination -ArgumentList "/allusers" -WindowStyle Hidden -PassThru
$installProcess.WaitForExit()

That script will download the latest version of OneDriveSetup.exe and will install it with the per-machine installation option. To make sure that it will be installed during the OOBE, wrap it as a Win32 app. As a detection method simply use the installation directory (as the directory will change) of the OneDrive sync app. The reason to go for a Win32 app is simple: a Win32 app will be installed and tracked during the Enrollment Status Page (ESP) and that will make sure that the OneDrive sync app is up-to-date before the user signs in to the Windows device.

Note: For further tuning the initial sign in of the user, have a look at this section of a post by Ben Whitmore.

OneDrive sync app basic configurations

The second thing that should be addressed is the configuration of the OneDrive sync app. The idea of configuring the OneDrive sync app on the Windows device, is to make sure that the user can be productive as fast as possible without any user interaction. The following settings are my preferred configurations that should be performed to achieve that goal. The list also contains some settings to limit potential data loss, which might not apply to all organizations. All of these settings are now available as a part of the Administrative Templates that are available in Microsoft Intune. As these settings are configured via Administrative Templates, the configurations are eventually done by using registry key values (device settings at HKLM\SOFTWARE\Policies\Microsoft\OneDrive and user settings at HCU\SOFTWARE\Policies\Microsoft\OneDrive). To configure Administrative Templates, simply open the Microsoft Endpoint Manager admin center portal, navigate to Device > Configuration profiles and create a new profile.

Silently sign in users to the OneDrive sync client with their Windows credentials – This setting is a must for every organization, as it’s used, on (hybrid) Azure AD joined devices, to set up the OneDrive sync app for the user that signs in on the Windows device.

When using the following configuration, the OneDrive sync app will be automatically (and silently) set up for the user that signs in on the Windows device, without the need for the user to provide credentials. That configuration will set the registry key value SilentAccountConfig to 1.

  • Setting type: Device
  • Setting value: Enabled

Silently move Windows known folders to OneDrive – This setting is strongly advised for every organization, as it’s used to set up the redirection of the known folders (Documents, Pictures, and Desktop) of the user to OneDrive.

When using the following configuration, the known folders will automatically (and silently) redirected to OneDrive without user interaction. Besides that, the user receives a notification after the folders have been successfully redirected. That configuration will set the registry key value KFMSilentOptIn to {{yourTenantId}} and KFMSilentOptInWithNotification to 1.

  • Setting type: Device
  • Setting value: Enabled
  • Tenant ID: {{yourTenantId}}
  • Show notification to users after folders have been redirected: Yes

Prevent users from redirecting their Windows known folders to their PC – This setting is strongly advised for every organization (especially in combination with the previous setting), as it’s used to prevent the user from redirecting the known folders (Documents, Pictures, and Desktop) back to the Windows device.

When using the following configuration, the user is prevented from redirecting the known folders back to the Windows device. It forces users to keep their known folders redirected to OneDrive. That configuration will set the registry key value KFMBlockOptOut to 1.

  • Setting type: Device
  • Setting value: Enabled

Use OneDrive Files On-Demand – This setting is strongly advised for every organization, as it’s used to configure OneDrive Files On-Demand. Files On-Demand will help organizations with saving storage space on the Windows device and minimizes the network impact of the OneDrive sync.

When using the following configuration, Files On-Demand is automatically configured for the user. The user will see online-only files in File Explorer, by default, and de file contents don’t download until a file is opened. That configuration will set the registry key value FilesOnDemandEnabled to 1.

  • Setting type: Device
  • Setting value: Enabled

Set the sync client update ring – This setting is strongly advised for every organization, as it’s used to configure the update ring for the OneDrive sync app. It enables the administrator to choose one of the following update rings.

  • Enterprise: In this ring the user gets new features, bug fixes, and performance improvements last.
  • Production: In this ring the user gets the latest features as they become available. This is the default.
  • Insider: In this ring the user receives builds that let them preview new features coming to OneDrive.

When using the following configuration, the update ring will be configured to the production ring and the OneDrive sync app will get the latest features as they come available. That configuration will set the registry key value GPOSetUpdateRing to 5 (Insider=4, Enterprise=0)

  • Setting type: Device
  • Setting value: Enabled
  • Update ring: Production

Allow syncing OneDrive accounts for only specific organizations – This setting is advised for organizations in specific scenarios, as it’s used to prevent the user from uploading files to other organizations by whitelisting allowed organizations.

When using the following configuration, the user will be prevented from adding an account of a different organization. The user receives an error if they attempt to add an account from an organization that is not whitelisted. When a user is already syncing files from another organization, the files stop syncing. That configuration will set the registry key AllowTenantList with a value of {{yourTenantId}} to {{yourTenantId}}.

  • Setting type: Device
  • Setting value: Enabled
  • Tenant ID: {{yourTenantId}}

Prevent users from syncing personal OneDrive accounts – This setting is advised for organizations in specific scenarios, as it’s used to prevent the user from uploading files to their personal OneDrive account.

When using the following configuration, the user will be prevented from adding a personal OneDrive account. When the user is already syncing files from a personal OneDrive, the files stop syncing. That configuration will set the registry key value of DisablePersonalSync to 1.

  • Setting type: User
  • Setting value: Enabled

End-user experience

Now let’s end this post by having a quick look at the end-user experience after applying these configurations. Let’s start by having a look a the last two settings that can be used to prevent easily “losing” data to personal and other organizational accounts. When the user will try to add a personal account, the user will be provided with a message as shown in Figure 8 (below on the left). When the user will try to add another work account, the user will be provided with a message as shown in Figure 9 (below on the right).

The experience of the other more common OneDrive sync app configurations is shown below in Figure 10. OneDrive is automatically configured (see number 1), the known folders are automatically moved to OneDrive (see number 2), the files are on-demand available (see also number 2) and the user is notified about the successful configurations (see number 3).

From an administrator perspective there are also some interesting registry and file locations to look at. To see that the per-machine installation worked as expected, a OneDrive folder should exist in the %ProgramFiles% directory (keep in mind that it’s a 32-bit app). And to see that the device configurations are applied, the corresponding registry keys should be available in HKLM\SOFTWARE\Policies\Microsoft\OneDrive. The user configurations should be available in HCU\SOFTWARE\Policies\Microsoft\OneDrive.

More information

For more information about configuring OneDrive for Business for Windows devices, refer to the following docs:

Accessing SharePoint and OneDrive content on unmanaged devices

This week is all about accessing SharePoint sites and OneDrive accounts on unmanaged devices. More specifically, limiting access to SharePoint and OneDrive content on unmanaged devices. Configuring (limited) access to SharePoint sites and OneDrive accounts starts by using conditional access. For applying conditional access to SharePoint sites and OneDrive accounts, the Office 365 SharePoint Online cloud app, or the recently introduced Office 365 (preview) cloud app can be used. The first cloud app is applicable to all services that depend on SharePoint Online (including OneDrive and Teams). The second cloud app is applicable to all productivity and collaboration services of Office 365. An all-in-one app. However, both of these cloud apps don’t provide really granularity to only apply specific behavior for accessing specific SharePoint sites, or OneDrive accounts. In this post I’ll focus on the Use app enforced restrictions session control and the options that it provides for differentiating between SharePoint sites and OneDrive accounts. About three years ago, I did a post on the basic configurations options of that sessions control.

The Use app enforced restrictions session control can be used to require Azure AD to pass device information to the SharePoint Online. That enables SharePoint Online to know whether the connection was initiated from a managed device. In this case a managed device is an Intune managed and compliant device, or a hybrid Azure AD joined device. SharePoint Online can use that information to provide a limited experience to unmanaged devices. Adjusting the experience can be achieved by using the Unmanaged devices access control in SharePoint Online. In this post I’ll have a look at the standard and advanced configuration options of that access control (including a brief look at the future). I’ll end by having a look at the end-user experience.

SharePoint unmanaged devices standard configuration

The Unmanaged devices access control in SharePoint Online can be used to provide full or limited access on unmanaged devices. It’s even possible to completely block access on unmanaged devices. Limiting the access on unmanaged devices allows the end-user to remain productive while minimizing the risk of accidental data loss. With limited access, users, on unmanaged devices, will have browser-only access with no ability to download, print, or sync files. It won’t be possible to access content through apps, including the Microsoft Office desktop apps. This does require the use of modern authentication. An additional reason to block legacy authentication.

The Unmanaged devices access control standard configuration is available via the SharePoint admin center. This access control can be configured for the complete organization by following the next two steps.

  1. Open the SharePoint admin center and navigate to Policies > Access control > Unmanaged devices
  2. On the Unmanaged devices blade, select the experience for the end-user on unmanaged device by choosing between full access, limited access and block access.

When configuring the Unmanaged devices access control with a limited or blocked experience, by following the mentioned steps, the Apps that don’t use modern authentication access control will automatically change to blocked. The main reason for that is that those apps can’t enforce a limited or blocked experience. Also, these configuration will automatically create corresponding conditional access policies.

SharePoint unmanaged devices advanced configuration

The advanced configuration options of the Unmanaged devices access control in SharePoint Online are only available via PowerShell. The standard configuration via the SharePoint admin center can only configure the access control organization-wide, while PowerShell enables the administrator to configure the access control on site-level. That includes OneDrive accounts. That enables the administrator to configure a limited or blocked experience for specific SharePoint sites and OneDrive accounts. That can be achieved by using the Set-SPOTenant cmdlet for organization-wide configurations, or by using Set-SPOSite cmdlet for site-level configurations. Those cmdlets contain the ConditionalAccessPolicy parameter that can be used to configure the Unmanaged devices access control. That parameter can be used with one of the following values:

  • AllowFullAccess – This value will make sure that the configuration of Allow full access from desktop apps, mobile apps, and the web is applied to the tenant or site. This is the default configuration and allows full access for unmanaged devices.
  • AllowLimitedAccess – This value will make sure that the configuration of Allow limited, web-only access is applied to the tenant or site. This is the limiting configuration that will only allow web access and doesn’t allow the user to print, download or synchronize for unmanaged devices.
  • BlockAccess – This value will make sure that the configuration of Block access is applied to the tenant or site. This will completely block access for unmanaged devices.
  • ProtectionLevel – This value is a preview feature that can be used for configuring authentication tags.

For configuring the Unmanaged devices access control for specific SharePoint sites or OneDrive accounts, the Set-SPOSite cmdlet can be used in combination with the ConditionalAccessPolicy parameter and the Identity parameter. The latter parameter is used for specifying the specific SharePoint site or OneDrive account. An example is shown below.

Set-SPOSite -Identity <SpecificSiteOrOneDriveAccount> -ConditionalAccessPolicy AllowLimitedAccess

When using the ConditionalAccessPolicy parameter, it enables the administrator to apply even more restrictions. It enables the administrator to combine the limited access with also removing the ability to edit files and the ability to copy and paste from files. That can be achieved by using the AllowEditing parameter with the value $false (default is $true). An example is shown below.

Set-SPOSite -Identity <SpecificSiteOrOneDriveAccount> -ConditionalAccessPolicy AllowLimitedAccess -AllowEditing $false

Besides limiting the editing abilities for the user, it’s also possible to further limit the preview functionality. That can be achieved by using the LimitedAccessFileType parameter. That parameter can be used with one of the following values:

  • OfficeOnlineFilesOnly – This value will make sure that users can only preview Office files in the browser. This limiting configuration increases security on unmanaged devices, but may decrease user productivity.
  • WebPreviewableFiles – This value value will make sure that users can preview Office files and other file types (such as PDF files and images) in the browser. This is the default configuration and is optimized for user productivity on unmanaged devices, but offers less security for files that aren’t Office files. 
  • OtherFiles – This value will make sure that users can download files that can’t be previewed (such as .zip and .exe) in the browser. This option offers less security on unmanaged devices.

The LimitedAccessFileType parameter enables the administrator to limit the preview functionality, by using one of the three mentioned values. An example is shown below.

Set-SPOSite -Identity <SpecificSiteOrOneDriveAccount> -ConditionalAccessPolicy AllowLimitedAccess -AllowEditing $false -LimitedAccessFileType WebPreviewableFiles

Note: Keep in mind that the site-level configuration will only work as expected when it’s more restrictive than the organization-wide configuration.

Conditional access configuration

The conditional access configuration is required to make sure that Azure AD will pass the device information to the SharePoint Online. That can be achieved by using the Use app enforced restrictions session control. This configuration can be used next to other conditional access policy that use grant controls to make sure that for example MFA is also always required for access to SharePoint Online or OneDrive for Business on unmanaged devices. That in combination with the limited configuration can provide the organization with the required level of access control on unmanaged devices. For this post the focus is on the Use app enforced restrictions session control. That session control can be configured by following the next seven steps.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Security > Conditional access Policies to open the Conditional Access | Policies blade
  2. On the Conditional Access | Policies blade, click New policy to open the New blade
  3. On the New blade and provide a unique name
  4. Select Users and groups to configure the assigned users of this conditional access policy
  5. Select Cloud apps or user actions and select Office 365 SharePoint Online as the assigned app of this conditional access policy
  6. Select Conditions > Client apps and select Browser as the applicable client app of this conditional access policy
  7. Select Session and select Use app enforced restrictions to make sure that the configured limited experience will be applicable to this session

What the future brings

Before having a look at the end-user experience, it might be good to briefly mention that the near future will bring some more possibilities. While writing this post new MFA and other granular policies for SharePoint sites and OneDrive are introduced by using a new user action in conditional access. The Accessing secured app data user action. That user action is already configurable in conditional access by using this url for configuring the conditional access policy. It enables the administrator to configure a few protection levels for data. Those protection levels can be added to SharePoint sites and OneDrive accounts and can be assigned with different conditional access policies. That eventually might provide the administrator with a more granular control over the access to the data in the different locations. Jan Bakker already wrote some more details about that functionality at his blog. More about that subject in the future.

End-user experience

The mentioned configurations enable the administrator to provide different limited experiences to different SharePoint sites and OneDrive accounts. Let’s bring these configurations together to provide a limited experience for accessing OneDrive on unmanaged devices and by blocking access to specific SharePoint sites on unmanaged devices. Below in Figure 3 is an example of the end-user experience when opening a Word document in OneDrive on an unmanaged device, when limited access is configured with web previewable files and no editing options. That will enable the user to only preview the document in the browser. Below in Figure 4 is an example of the end-user experience when opening a TXT-file in OneDrive on an unmanaged device and when the same limited configurations apply. That will block the user from accessing the file.

Below in Figure 5 is an example of the end-user experience when accessing a SharePoint site when that specific site is blocked on unmanaged devices. That will provide the user with the message that the access is denied for untrusted devices, due to organizational policies.

More information

For more information about conditional access, SharePoint Online and OneDrive for Business, refer to the following docs: