The OneDrive for Business team has made a number of changes to support automatic configuration of OneDrive, including support for automatically signing in, configuring known folder migration, enabling offline files, and more. But since the OneDrive client is configured via GPO and not MDM policies, that meant using some rather nasty-looking custom OMA-URI policies in Intune. Nicola Suter published a good blog last year that talked about how to do that.
With the Administrative Templates support in Intune now generally available, it’s even easier to do this as you no longer need to use custom OMA-URIs. Instead, the policies are available directly in the Intune portal. Just create a new device configuration profile, choose “Windows 10 and later” for the supported platform, and “Administrative Templates” as the profile type. From there, you can search for the options that you want to configure. Here are the options that I configured to set this up:
Those are the four settings that you need (although you might choose to set more):
- Use OneDrive Files On-Demand. You don’t want to wait for all the actual content to sync to the device (and you probably don’t want to take up the disk space either), so this tells OneDrive to keep the data in the cloud and just set up the file and folder structure – files you try to open will be downloaded on demand.
- Silently sign in users to the OneDrive sync client with their Windows credentials. When using Azure AD Join or Hybrid Azure AD Join, the Azure AD user token is already available and can be used to automatically sign into OneDrive for Business – no need to type in e-mail addresses (UPNs) and passwords.
- Silently move Windows known folders to OneDrive. This makes sure that the Documents, Desktop, and Pictures folders are automatically synced to OneDrive. For new devices being deployed with Windows Autopilot, there’s nothing to migrate, so this just makes sure that the files synced from the cloud show up in the right place. (If you are applying this policy to an existing device, be aware that some file types cannot currently be migrated automatically. See the OneDrive documentation for more details.)
  You’ll also need to fill in your Azure AD tenant ID (available from the Azure portal, see the properties of the tenant).
- Prevent users from redirecting their Windows known folders to their PC. This keeps them from undoing the known folder move by clicking the “Stop protecting” button in OneDrive.
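To confirm on a device that these four settings actually arrived, you can read them back from the registry. The script below is an added example, not part of the original post: it assumes the policies are delivered as device settings under `HKLM\SOFTWARE\Policies\Microsoft\OneDrive` (the key used by the OneDrive ADMX policies), and `Test-OneDrivePolicy` and the all-zero tenant ID are placeholders.

```powershell
# Added example: check that the four OneDrive policies are present on this device.
# Assumption: policies land as device settings under the OneDrive policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

# Placeholder: replace with your own Azure AD tenant ID.
$expectedTenantId = '00000000-0000-0000-0000-000000000000'

$expected = [ordered]@{
    FilesOnDemandEnabled = 1                  # Use OneDrive Files On-Demand
    SilentAccountConfig  = 1                  # Silently sign in users
    KFMSilentOptIn       = $expectedTenantId  # Silently move known folders
    KFMBlockOptOut       = 1                  # Prevent redirecting folders back to the PC
}

function Test-OneDrivePolicy {
    param(
        [string]$Key = $policyKey,
        [System.Collections.IDictionary]$Expected = $expected
    )
    # A missing key yields $null here, so every setting is reported as absent.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($name in $Expected.Keys) {
        $actual = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
        $ok = ($null -ne $actual) -and ("$actual" -eq "$($Expected[$name])")

        # The known folder move value must be a well-formed tenant GUID.
        if ($name -eq 'KFMSilentOptIn' -and $null -ne $actual) {
            $parsed = [guid]::Empty
            $ok = $ok -and [guid]::TryParse("$actual", [ref]$parsed)
        }

        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = $ok
        }
    }
}

# Show the per-setting result, then fail loudly if anything is missing or wrong.
$results = Test-OneDrivePolicy
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more OneDrive policies are missing or do not match.'
}
```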
That’s all you need from a settings perspective – deploy those settings to your Windows Autopilot devices. You might want to consider one additional thing though: forcing the OneDrive client to upgrade and use a per-machine installation. The version built into Windows 10 may not be new enough to support all of these features, so the user might otherwise see it pop up until it self-updates to the required version. By forcing it to upgrade before the user signs in, you can avoid that. See the sample described in my earlier blog that talks about doing this via an MSI-delivered PowerShell script. With that in place to do the per-machine installation before the user signs in, the whole process is completely automated. The end result: