Implementing OneDrive On A Per User Basis (Not Computer Basis)

By -

Introduction

This should provide you with a way to control the switch from Network Folder Redirection to OneDrive KFM backup/sync that is targeted on per user basis rather than OneDrive KFM being attempted for any user logging onto that device subsequently.

When it comes to Intune Configuration Profiles or Group Policies, they typical split into user policies (HKCU registry branch) and computer policies (HKLM registry branch). 

For implementing policies relating to OneDrive, the settings which relate to the automated set-up of OneDrive login and Known Folder Move are held under computer policies. Those are chiefly:
  • Silently move Windows known folders to OneDrive
  • Silently sign in users to the OneDrive sync app with their Windows credentials
Because those settings are set on a computer basis, once those settings are configured on a workstation it will result in OneDrive attempting seamless-sign-on and configuring KFM for any other logins to that device (subject to the accounts being licenced in M365). 

I hear you ask, 'what's the problem, surely backing up the Desktop, Documents and Pictures folders to OneDrive by default is a good thing?!' Well, I agree, but in certain cases you may not want invoke that on every user logon to the device.

A Use Case 

This scenario required control on who was in scope of implementing KFM. The setup summary was as follows:
  • Hybrid Azure AD Joined and Intune Managed Laptops
  • Documents and Pictures folder set-up using Network Folder Redirection to point to a UNC Path e.g. \\servername\%username%\documents
  • OneDrive was signed in, but KFM disabled
Now with network folder redirection in place, implementing KFM is not supported. It will work in this scenario but can result in undesired consequences. 

For example, OneDrive will attempt to move (not copy) the files from the network location to the OneDrive KFM location e.g. C:\Users\John.Smith\OneDrive - Organisation Name\Documents\. This could result in a couple of different outcomes, depending on the user configuration during the time of login and subsequently the time which OneDrive will attempt to implement KFM:
  1. If you have line of sight to your UNC path at the point of login, OneDrive KFM will attempt to move your files from your network folder and to your local OneDrive folder. It will then start syncing those to your OneDrive folder.  So it's downloading your files locally first, and then uploading them to OneDrive. Incidentally this can cause concern as the files appear deleted from the network drive and depending on the amount of files you have and network connection, the download of the files can take a long time to complete, and then you have the upload to OneDrive. 
  2. If you have NO line of sight to your UNC path, OneDrive will still implement KFM, but because it's unable to move your files, your Desktop and Documents and Pictures will not include any of the files from your network folder. So KFM would be implemented, but your files remain in your network location.

Requirements

The requirement and plan was to use third party tool for migrating the data from the users network drive to users OneDrive, meaning there was no need to move the files using the built-in OneDrive KFM functionality. 



The following pieces were needed for the client-side set-up as part of migrating the users files in the background:
  • Remove network folder redirection for a user's Documents and Pictures folders
  • Set the Desktop, Documents and Pictures folder paths to the users OneDrive path
  • Toast notification that the files are now stored in OneDrive


Script Approach

I created a PowerShell script to achieve the requirements above. As the devices are managed in Intune, I packaged the PowerShell script as a Win32 app and deployed under the context of the users.

You can download the files from here – https://github.com/benjaminjamesowens/OneDriveKFMPerUser

The script will carry out the following:
  • Check whether the paths for Documents, Pictures point to a UNC path (if they don't the script will not continue).  You can include the Desktop in the script if you wish.
  • Sets the Documents and Pictures folder to point to the OneDrive path using Shell32 (meaning no need to logoff and logon for the change to be reflected in file explorer.
  • Records the registry values of the Desktop, Documents and Pictures folders before and after
  • Attempts to upload a log of the before and after, along with a PowerShell transcript file to a network location.
  • Displays a Toast Notification that the change has been completed.
  • Creates a tag/detection file so that Intune can detect that the package has completed.
The script also includes a function to move the files from the previous source to the target, however I have commented out those sections, as I used a third-party tool to migrate the data in the background.

Prep and Packaging in Intune

To create the package for Intune, you will need to carry out a few tasks in the script:
  • Navigate to the Declarations section of the script and modify the values for your log file name and upload location 
  • Amend the Toast Notification text at the bottom of the Execution section of the script
  • Amend the PNG that is displayed as part of the toast notification
  • Package the amended script using IntuneWinAppUtil.exe - you can see an example MakeApp.cmd for that
  • Create the Win32 App in Intune and set the values using the file IntuneDetails.txt

Summary

This should provide you with a way to control the switch from Network Folder Redirection to OneDrive KFM backup/sync that is targeted on per user basis rather than OneDrive KFM being attempted for any user logging onto that device subsequently. Please let me know if you have any comments or questions.

 

Comments

  1. Mr Feet13 October 2022 at 12:25

    This is a great utility, however how does this work for users who are new to the organisation or have previously had this process run but have hot-desked on to a new workstation with a new profile? The user will have been excluded from the folder redirection GPO and as we cannot set a policy via Intune/GPO to enable KFM targeted at a user, the if statement on line 463 will cause the script to exit. KFM won't be implemented leaving the user with documents stored on the local machine.

    Would it be best to comment out this if statement so it in effect performs KFM on all users unless it's been run previously?

    ReplyDelete
    Replies
    1. Ben Owens27 October 2022 at 09:21

      You could either tweak the script to include more scenarios, or comment out the lines you don't want to take effect.

      Delete

Post a Comment

Popular posts from this blog

Assigning Windows 10/11 Enterprise Subscription Activation Licences to Hybrid Azure AD Joined Devices

By -
Image
Introduction Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to Windows 10 Enterprise automatically if they are subscribed to Windows 10 Enterprise E3 or E5. The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices. It’s important to note that the Windows 10 Enterprise subscription activation is designed to “step-up” a device from Windows 10 Pro to Windows 10 Enterprise. Therefore, your device is required to have a Windows 10 Pro license activated as a baseline. For Windows 10 Enterprise Subscription Activation to function, there a several prerequisites which need to be in place. This blog is aimed for organisations which have Active Directory on premises an
Read more

Autopilot Hybrid Azure AD Join with Customised First Login Status

By -
Image
Introduction This is my flavour of deploying a customised HAADJ progress status, building on work by Joymalya Basu Roy's detailed article - https://joymalya.com/autopilot-hybrid-azure-ad-join-reworked-with-joy/ . The differences in my version are: Not using Active Setup to run the HAADJ retry process or Splash Screen as I found this didn't work as expected and I didn't want to add a registry item to affect all future logins with a reboot from the HAADJ process. Running the processes under the context of the SYSTEM account, but displaying status to the interactive user. Avoid the HAADJ process running again after the initial success. This provides a customised first login status which prevents the user from using the devices until Hybrid Azure AD Join from the Autopilot process. It's use is primarily for when the User ESP is configured to be skipped. Files This is my version of customised HAADJ which is built on work and guidance in blogs/articles from Michael Niehaus, S
Read more

Upgrade Samsung Galaxy Ace 2 (I8160) to Android Jelly Bean

By -
Image
There has been talk of Samsung working on an Android build of Jelly Bean for the Samsung Galaxy Ace 2 (I8160) for quite some time. A couple of leaked versions of the build have been available since the end of February and during March, but these contained various bugs as you might expect. On April 2nd, an official release was available on www.sammobile.com and available for install using KIES or OTA, but only for Portuguese customers on the TMN network.  This was curious as this network didn't actually sell the phone.  It could be a way of getting the early adopters to test this version before the big operators like Telefonica and Vodafone build and release a version themselves. There are many online guides on how to manually download the firmware and apply it to your device, but if you make the direct jump from Gingerbread (2.3) to Jelly Bean (4.1.2) you will likely have RAM issues. The gingerbread versions only allocated around 500MB for RAM whereas Jelly Bean needs more
Read more