When doing modern management of Windows 10 devices with Azure AD, we sometimes miss the easy way of doing things that Group Policy Preferences gave us. In Intune we have the Intune Management Extension, previously known as Project Sidecar. In basic terms it is just a way to run a PowerShell script once on an Intune-managed device.
To silently configure OneDrive for Business there are some prerequisites:
- The device needs to be Azure AD joined or hybrid Azure AD joined
- You need to run the latest version of OneDrive for Business to ensure that it works correctly
- The user needs a OneDrive for Business license
We only need to set a few registry values to get this working, but Intune has no native way of manipulating the Windows registry, so we just do it with PowerShell.
The 3 registry values we need to add are:
- HKCU:\SOFTWARE\Microsoft\OneDrive\EnableADAL
  This one enables ADAL for OneDrive for Business; it needs to be set in the user context.
- HKLM:\SOFTWARE\Policies\Microsoft\OneDrive\SilentAccountConfig
  This one enables Silent Account Configuration for OneDrive for Business; it needs to be set in the computer context.
- HKLM:\SOFTWARE\Policies\Microsoft\OneDrive\FilesOnDemandEnabled
  This one enables Files On-Demand (this only works on Windows 10 1709); it needs to be set in the computer context.
On a Windows 10 device that is Azure AD joined and Intune managed, the Intune Management Extension is the easy way to set up OneDrive for Business with Silent Account Configuration.
Start by creating two PowerShell scripts: one for HKCU and one for HKLM.
EnableADAL on Onedrive.ps1 :
# User-context value: enable ADAL for the OneDrive client (deploy with "Run this script using the logged on credentials" = Yes)
$registryPath = "HKCU:\SOFTWARE\Microsoft\OneDrive"
$Name = "EnableADAL"
$value = "1"
if (!(Test-Path $registryPath)) {
    # Key does not exist yet: create it, then create the DWORD value
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
} else {
    # Key exists: create or overwrite the DWORD value
    New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
}
and EnableAutoConfig on Onedrive.ps1 :
# Computer-context policy values: run in the SYSTEM context so HKLM is writable
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
$Name = "SilentAccountConfig"
$value = "1"
if (!(Test-Path $registryPath)) {
    # Policy key does not exist yet: create it, then the DWORD value
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
} else {
    New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
}

# Second value in the same policy key: Files On-Demand (Windows 10 1709 and later)
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
$Name = "FilesOnDemandEnabled"
$value = "1"
if (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
} else {
    New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
}
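As an added example (not the post's own scripts), here is a single script that sets the same three values but first checks which context it is running in, so the HKCU value is only written when a real user is logged on and the HKLM policy values only when running as SYSTEM, and then reads each value back to verify it was stored as a DWORD with data 1. The function name Set-RegistryDword and the output text are assumptions; the registry paths and value names are the ones from the post.

```powershell
# Added example, not the original post's scripts. Assumes Windows PowerShell 5.1 on Windows 10.
$ErrorActionPreference = 'Stop'

function Set-RegistryDword {
    # Hypothetical helper: create the key if needed, write the value, then verify type and data.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # -Force creates the value or overwrites it in place, so the script is safe to run repeatedly.
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null

    # Read back through the .NET RegistryKey so we can check the value *kind*, not just the data:
    # a REG_SZ "1" is not the DWORD the policy is defined as.
    $key  = Get-Item -Path $Path
    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    if ($kind -ne 'DWord' -or $data -ne $Value) {
        throw "Verification failed for $Path\$Name (kind=$kind, data=$data)"
    }
    Write-Output "OK  $Path\$Name = $data ($kind)"
}

# Which context are we in? An HKCU write made as SYSTEM lands in the SYSTEM account's own
# hive, never in the logged-on user's, so the two halves must run under different settings.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
Write-Output ("Running as {0}; SYSTEM={1}; 64-bit host={2}" -f `
    $identity.Name, $identity.IsSystem, [Environment]::Is64BitProcess)

if ($identity.IsSystem) {
    # Computer context ("Run this script using the logged on credentials" = No): HKLM policy values.
    Set-RegistryDword -Path 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' -Name 'SilentAccountConfig'  -Value 1
    Set-RegistryDword -Path 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' -Name 'FilesOnDemandEnabled' -Value 1
} else {
    # User context ("Run this script using the logged on credentials" = Yes): HKCU value.
    Set-RegistryDword -Path 'HKCU:\SOFTWARE\Microsoft\OneDrive' -Name 'EnableADAL' -Value 1
}
```

Because the script branches on the identity it runs under, the same file can be uploaded twice in Intune, once with the logged-on-credentials switch set to Yes and once with it set to No, and each deployment only touches the hive it is allowed to.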
How to set it up in Intune:
Start the Intune Portal in Azure – https://portal.azure.com
- Click Device configuration
- Click PowerShell scripts
- Click Add
- Name: OneDrive Enable ADAL
- Script location: Browse and import the “EnableADAL on Onedrive.ps1” script
- Click Configure
- Set Run this script using the logged on credentials = Yes
Then for the second script:
- Name: Onedrive – Enable AutoConfig
- Script location: Browse and import the “EnableAutoConfig on Onedrive.ps1” script
How does this look from the client side:
The user logs in at the device for the first time after the Azure AD join.
The OneDrive for Business client tells the end user “You are now syncing” on this PC.
Because Files On-Demand is enabled, OneDrive for Business is configured completely silently.
In OneDrive settings, on the Settings blade, you can see that Files On-Demand is enabled on this PC.
On the Account blade of the OneDrive for Business settings you can see that the user logged on to the Windows 10 device is linked to this PC.
Read more at:
Use Group Policy to control OneDrive sync client settings
(Preview) Silently configure OneDrive using Windows 10 or domain credentials
Previews for Silent Sync Account Configuration and Bandwidth Throttling for OneDrive
Hi, if we configure silentconfig it works but after reboot of the machine we see the sign in page and it gets stuck, complete sign in with work or school account. Any suggestions? Also I noticed silentconfig is still in preview
Yes the silentconfig is in preview – I have not seen that, do you have OneDrive with a lot of data?
Hello,
Is this feature available yet? Also, you mentioned this only works on Azure AD joined / hybrid devices. Are there other options to get it to work on Azure AD registered devices not joined?
Yes it is available. Hybrid is domain joined + Azure AD registered device
Thank you for the response. Do you know of options for just an AzureAD registered device? (Without hybrid or joining a device)
Hey, great post. I’ve been testing this and best I can tell this only works if it’s the first time a user logs in. Is there any way to make this work for existing users? Thanks!
Fantastic been unable to find this for ages. Any word on a similar silent login for the windows store?
Windows store has SSO when AzureAD joined or HybridJoined
Will this auto sign you into any office 365 apps installed on the machine?
I’d love for users, who all have o365 accounts and are domain connected, to be able to launch an o365 app that we have deployed with shared computer license to each domain computer.
If they launch they would be auto logged in, instead as of now, they get prompted to activate office.
It is only for OneDrive 4 Business. For O365 applications and the scenario you are describing you can use shared activation for O365.
Yes, that’s what I’m currently using but it’s still prompting for office sign in. Trying to avoid that, since the domain sign should already authenticate the o365 account. It’s for school district so trying to avoid multiple sign in for kids.
Thanks
And the devices are hybrid joined to AzureAD?
Thanks for the post Larsen. Can we use the same approach to fix the OneDrive DefaultRootDir from C:\Users\UserProfile to a fixed location like C:\SyncFiles, specifically for Azure AD joined computers? Your response will be appreciated.
When you configure scripts now, it needs an assignment. I had issues with this but the autoconfig script needed a user group and the switch set to NO for use credentials.
Looks like recent OneDrive clients have ADAL enabled by default so the script for the user shouldn’t be necessary anymore.
Regards
Stefan
Hello Larsen, I was wondering if you could help me, I’m quite new to this. I used your script as a base but changed it slightly so that I could alter some other registry settings. I tested the script locally and it worked fine. When I deploy the script via Intune it shows as succeeded but the script doesn’t appear in the scripts location and no registry settings have changed. Is there any way I can find out why?
Ensure you’re not referencing Wow6432Node in your key location. This had me scratching my head for a while until I realised that this doesn’t need to be referenced and the OS handles this “view” by default. I.e. “HKLM:\SOFTWARE\Wow6432Node\MyVendor…” is incorrect, even if the key does exist there when viewing it. The correct location would be “HKLM:\SOFTWARE\MyVendor…” as Windows handles the “Wow6432Node” requirement natively.
If you do leave that in the location, the keys and values are never added when running as SYSTEM I found.
Is there a script for auto mapping SharePoint folders where the user has access on OneDrive, for having document access like shared folders? Actually I’m doing it manually but it would be better if I could add and remove sync folders when users have the right to access them at logon.
Hello,
With the latest addition of Administrative templates I’m able to replace these two scripts (used them in the past, thanks for that). I am now looking for a way to enable desktop and documents sync. Do you know how I could do this?
Hi. It is not in the ADMX based policy in Intune at the moment. I use this one : https://osddeployment.dk/2018/10/25/how-to-use-admx-based-onedrive-policy-in-intune-for-known-folder-move/
How can you do this if you don’t have Intune yet? We’re rolling out O365 and OneDrive, but Intune will be rolled out to mobile devices, not laptops or PCs, for another year yet in our company.
You can hybrid join your Windows devices and do the settings with GPO
A couple years late, however I did have a question around Intune and OneDrive. How can we make the personal OneDrive unavailable without breaking the Business one? That gap doesn’t make much sense to me as it seems to have a rather obvious potential for data leakage.