Implementing OneDrive On A Per User Basis (Not Computer Basis)

Introduction

This should provide you with a way to control the switch from Network Folder Redirection to OneDrive KFM backup/sync that is targeted on per user basis rather than OneDrive KFM being attempted for any user logging onto that device subsequently.

When it comes to Intune Configuration Profiles or Group Policies, they typical split into user policies (HKCU registry branch) and computer policies (HKLM registry branch). 

For implementing policies relating to OneDrive, the settings which relate to the automated set-up of OneDrive login and Known Folder Move are held under computer policies. Those are chiefly:
  • Silently move Windows known folders to OneDrive
  • Silently sign in users to the OneDrive sync app with their Windows credentials
Because those settings are set on a computer basis, once those settings are configured on a workstation it will result in OneDrive attempting seamless-sign-on and configuring KFM for any other logins to that device (subject to the accounts being licenced in M365). 

I hear you ask, 'what's the problem, surely backing up the Desktop, Documents and Pictures folders to OneDrive by default is a good thing?!' Well, I agree, but in certain cases you may not want invoke that on every user logon to the device.

A Use Case 

This scenario required control on who was in scope of implementing KFM. The setup summary was as follows:
  • Hybrid Azure AD Joined and Intune Managed Laptops
  • Documents and Pictures folder set-up using Network Folder Redirection to point to a UNC Path e.g. \\servername\%username%\documents
  • OneDrive was signed in, but KFM disabled
Now with network folder redirection in place, implementing KFM is not supported. It will work in this scenario but can result in undesired consequences. 

For example, OneDrive will attempt to move (not copy) the files from the network location to the OneDrive KFM location e.g. C:\Users\John.Smith\OneDrive - Organisation Name\Documents\. This could result in a couple of different outcomes, depending on the user configuration during the time of login and subsequently the time which OneDrive will attempt to implement KFM:
  1. If you have line of sight to your UNC path at the point of login, OneDrive KFM will attempt to move your files from your network folder and to your local OneDrive folder. It will then start syncing those to your OneDrive folder.  So it's downloading your files locally first, and then uploading them to OneDrive. Incidentally this can cause concern as the files appear deleted from the network drive and depending on the amount of files you have and network connection, the download of the files can take a long time to complete, and then you have the upload to OneDrive. 
  2. If you have NO line of sight to your UNC path, OneDrive will still implement KFM, but because it's unable to move your files, your Desktop and Documents and Pictures will not include any of the files from your network folder. So KFM would be implemented, but your files remain in your network location.

Requirements

The requirement and plan was to use third party tool for migrating the data from the users network drive to users OneDrive, meaning there was no need to move the files using the built-in OneDrive KFM functionality. 



The following pieces were needed for the client-side set-up as part of migrating the users files in the background:
  • Remove network folder redirection for a user's Documents and Pictures folders
  • Set the Desktop, Documents and Pictures folder paths to the users OneDrive path
  • Toast notification that the files are now stored in OneDrive


Script Approach

I created a PowerShell script to achieve the requirements above. As the devices are managed in Intune, I packaged the PowerShell script as a Win32 app and deployed under the context of the users.

You can download the files from here – https://github.com/benjaminjamesowens/OneDriveKFMPerUser

The script will carry out the following:
  • Check whether the paths for Documents, Pictures point to a UNC path (if they don't the script will not continue).  You can include the Desktop in the script if you wish.
  • Sets the Documents and Pictures folder to point to the OneDrive path using Shell32 (meaning no need to logoff and logon for the change to be reflected in file explorer.
  • Records the registry values of the Desktop, Documents and Pictures folders before and after
  • Attempts to upload a log of the before and after, along with a PowerShell transcript file to a network location.
  • Displays a Toast Notification that the change has been completed.
  • Creates a tag/detection file so that Intune can detect that the package has completed.
The script also includes a function to move the files from the previous source to the target, however I have commented out those sections, as I used a third-party tool to migrate the data in the background.

Prep and Packaging in Intune

To create the package for Intune, you will need to carry out a few tasks in the script:
  • Navigate to the Declarations section of the script and modify the values for your log file name and upload location 
  • Amend the Toast Notification text at the bottom of the Execution section of the script
  • Amend the PNG that is displayed as part of the toast notification
  • Package the amended script using IntuneWinAppUtil.exe - you can see an example MakeApp.cmd for that
  • Create the Win32 App in Intune and set the values using the file IntuneDetails.txt

Summary

This should provide you with a way to control the switch from Network Folder Redirection to OneDrive KFM backup/sync that is targeted on per user basis rather than OneDrive KFM being attempted for any user logging onto that device subsequently. Please let me know if you have any comments or questions.

 

Comments

  1. This is a great utility, however how does this work for users who are new to the organisation or have previously had this process run but have hot-desked on to a new workstation with a new profile? The user will have been excluded from the folder redirection GPO and as we cannot set a policy via Intune/GPO to enable KFM targeted at a user, the if statement on line 463 will cause the script to exit. KFM won't be implemented leaving the user with documents stored on the local machine.

    Would it be best to comment out this if statement so it in effect performs KFM on all users unless it's been run previously?

    ReplyDelete
    Replies
    1. You could either tweak the script to include more scenarios, or comment out the lines you don't want to take effect.

      Delete

Post a Comment

Popular posts from this blog

Assigning Windows 10/11 Enterprise Subscription Activation Licences to Hybrid Azure AD Joined Devices

Power Automate: Get first item in output

De-selectable radio buttons - Power Apps