OneDrive Known Folder Move (KFM) redirects the common Windows known folders (Desktop, Documents and Pictures) into the user's OneDrive for Business. It is the modern replacement for the well-known Folder Redirection Group Policy. Deploying it with Microsoft Intune lets you trigger, or fully automate, the KFM configuration for your end users.
There is already a PowerShell script solution from Per Larsen to configure OneDrive KFM, but I wanted a solution based on native ADMX-backed policies. This approach also gives better reporting in the Intune console, because the status and configuration of every single setting can be reviewed there (an uploaded PowerShell script cannot be inspected in the Intune dashboard).
This post is based on a great article from Oliver Kieselbach, “Deep dive ADMX ingestion to configure SilentAccountConfig with OneDrive“. I used his blog to play around with ADMX ingestion.
If you are not familiar with deploying ADMX-backed policies and ADMX ingestion, here are some great resources:
- https://blogs.technet.microsoft.com/senthilkumar/2018/05/21/intune-deploying-admx-backed-policies-using-microsoft-intune/
- https://www.petervanderwoude.nl/post/deep-dive-configuring-windows-10-admx-backed-policies/
Prerequisites
To deploy OneDrive Known Folder Move automatically, the following prerequisites must be met:
- OneDrive sync client build 18.111.0603.0004 or later (see https://docs.microsoft.com/en-us/onedrive/redirect-known-folders#about-the-known-folder-move-group-policy-objects)
- An Azure AD joined or hybrid Azure AD joined device running Windows 10 1709 or later
ADMX Ingestion
To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The policy definitions ship with the sync client: under %LocalAppData%\Microsoft\OneDrive\ there is a folder named after the current OneDrive build (in my case “18.162.0812.0001”), and inside it a folder named “adm” that contains the policy definitions (ADMX and ADML files).
If you don’t have a Windows 10 client with a recent OneDrive version available, you can find the ADMX file in my GitHub repository.
In Microsoft Intune create a new device configuration profile, choose Custom as the profile type, and add the ADMX ingestion policy as follows:
| Setting | Value |
|---|---|
| Name | ADMX Ingestion |
| Description | OneDrive for Business ADMX, build 18.162.0812.0001 |
| OMA-URI | `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDriveNGSC/Policy/OneDriveAdmx` |
| Data type | String |
| Value | The unmodified content of the OneDrive ADMX file mentioned above (or the copy from my GitHub repository) |
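As an added example (not code from the original post), the following PowerShell locates the newest OneDrive build on the client, reads its ADMX, checks that it parses as XML and actually contains the policies used in this post, and copies the content to the clipboard for the Value field. It assumes the per-user install path described above and the file name OneDrive.admx inside the adm folder.

```powershell
# Added example, not part of the original post.
# Assumes the standard per-user OneDrive install and the file adm\OneDrive.admx.
$oneDriveRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'

# Build folders are named like 18.162.0812.0001; pick the highest one that ships an ADMX.
$build = Get-ChildItem -Path $oneDriveRoot -Directory |
    Where-Object { $_.Name -match '^\d+(\.\d+){3}$' -and (Test-Path (Join-Path $_.FullName 'adm\OneDrive.admx')) } |
    Sort-Object { [version]$_.Name } -Descending |
    Select-Object -First 1
if (-not $build) { throw "No OneDrive build with an adm folder found under $oneDriveRoot" }

$admxPath = Join-Path $build.FullName 'adm\OneDrive.admx'
$admxText = Get-Content -Path $admxPath -Raw

# The ingested value must be well-formed XML: parse it and confirm the policies this post uses exist.
[xml]$admx = $admxText
$nsm = New-Object System.Xml.XmlNamespaceManager($admx.NameTable)
$nsm.AddNamespace('p', $admx.DocumentElement.NamespaceURI)
$expected = 'SilentAccountConfig', 'KFMOptInNoWizard', 'KFMOptInWithWizard', 'KFMBlockOptOut', 'FilesOnDemandEnabled'
foreach ($name in $expected) {
    if (-not $admx.SelectSingleNode("//p:policy[@name='$name']", $nsm)) {
        Write-Warning "Policy '$name' not found in $admxPath; the OneDrive build may be too old"
    }
}

# Print the element ids of the KFM policies: these are the id="" values the <data .../> parts must use.
foreach ($p in $admx.SelectNodes("//p:policy[starts-with(@name,'KFMOptIn')]", $nsm)) {
    $ids = $p.elements.ChildNodes | ForEach-Object { $_.GetAttribute('id') }
    '{0}: {1}' -f $p.GetAttribute('name'), ($ids -join ', ')
}

"OneDrive build: $($build.Name)"
"ADMX length:    $($admxText.Length) characters"
Set-Clipboard -Value $admxText   # paste into the Value field of the custom OMA-URI
```

The element ids printed at the end are what the later policy values (`KFMOptInNoWizard_TextBox`, `KFMOptInNoWizard_Dropdown`, `KFMOptInWithWizard_TextBox`) must match; if a newer ADMX renames them, this check shows it before you deploy.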
Configure SilentAccountConfig
With SilentAccountConfig enabled, the OneDrive sync client is configured automatically with the account of the user signing in to Windows (the Azure AD credential), so the user is never prompted to sign in to OneDrive separately.
Important: ADAL is now enabled automatically when you use this policy or the corresponding registry key, so you no longer have to download and enable it separately.
| Setting | Value |
|---|---|
| Name | SilentAccountConfig |
| Description | Silently configure OneDrive using the primary Windows account |
| OMA-URI | `./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/SilentAccountConfig` |
| Data type | String |
| Value | `<enabled/>` |
Configure OneDrive Known Folder Move
Because there are several ways to enable OneDrive for Business Known Folder Move, I describe two: silently redirecting the folders, and prompting the user first.
Both options require the tenant ID of your Azure Active Directory tenant. You can find it in the Azure portal under Azure Active Directory, Properties, Directory ID. The tenant ID scopes the policy: the sync client only redirects known folders for accounts that belong to this tenant, so a mistyped ID means nothing is redirected.
Enable OneDrive KFM without user consent
| Setting | Value |
|---|---|
| Name | KFMOptInNoWizard |
| Description | Silently redirect Windows known folders to OneDrive |
| OMA-URI | `./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/KFMOptInNoWizard` |
| Data type | String |
| Value | `<enabled/><data id="KFMOptInNoWizard_TextBox" value="%Insert your Azure tenant ID from above%"/><data id="KFMOptInNoWizard_Dropdown" value="%Choose 0 or 1%"/>` |
Dropdown values: 0 = don’t display any notification, 1 = display a notification after KFM setup has completed.
Make sure the value uses straight quotation marks ("), not the curly ones a word processor or a copied web page may introduce; otherwise the setting fails with remediation errors in Intune.
User Experience
- The Desktop folder is now redirected to OneDrive for Business
- The Documents folder is now redirected to OneDrive for Business
- The Pictures folder is now redirected to OneDrive for Business
- If the notification option is enabled, the user receives a toast notification that their folders are protected and synced with OneDrive
Enable OneDrive KFM with user consent
| Setting | Value |
|---|---|
| Name | KFMOptInWithWizard |
| Description | Prompt users to move Windows known folders to OneDrive |
| OMA-URI | `./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/KFMOptInWithWizard` |
| Data type | String |
| Value | `<enabled/><data id="KFMOptInWithWizard_TextBox" value="%Insert your Azure tenant ID%"/>` |
The same applies here: use straight quotation marks (") in the value; otherwise you will see remediation errors for the setting in Intune.
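Because both KFM values carry the tenant ID and both break on curly quotes, here is one added example (not code from the original post) that builds the two value strings from a tenant ID, rejects anything that is not a GUID, and checks that the result is plain ASCII and well-formed XML before you paste it into Intune. The tenant ID in the parameter default is a constructed placeholder.

```powershell
# Added example, not part of the original post.
# Builds the Intune custom-policy values for KFMOptInNoWizard and KFMOptInWithWizard.
param(
    # Constructed placeholder; replace with your Directory ID from Azure AD > Properties.
    [string]$TenantId = '00000000-0000-0000-0000-000000000000',
    # 0 = no notification, 1 = toast notification after KFM setup has completed
    [ValidateSet(0, 1)]
    [int]$NotifyAfterSetup = 0
)

# A tenant ID is a GUID. A domain name or a pasted label is accepted by Intune but never matches
# the signed-in account's tenant, so the sync client would simply never redirect anything.
$guid = [guid]::Empty
if (-not [guid]::TryParse($TenantId, [ref]$guid)) {
    throw "TenantId '$TenantId' is not a GUID. Use the Directory ID from Azure AD > Properties."
}
$tenant = $guid.ToString('D')   # canonical lowercase, hyphenated form

# Single-quoted PowerShell strings keep the inner double quotes straight; -f fills in the values.
$noWizard   = '<enabled/><data id="KFMOptInNoWizard_TextBox" value="{0}"/><data id="KFMOptInNoWizard_Dropdown" value="{1}"/>' -f $tenant, $NotifyAfterSetup
$withWizard = '<enabled/><data id="KFMOptInWithWizard_TextBox" value="{0}"/>' -f $tenant

# Guard against the curly-quote problem: anything outside printable ASCII is rejected,
# and the fragment must parse as XML once wrapped in a root element.
foreach ($value in $noWizard, $withWizard) {
    if ($value -match '[^\x20-\x7E]') { throw "Non-ASCII character (probably a curly quote) in: $value" }
    [xml]("<root>$value</root>") | Out-Null
}

[pscustomobject]@{
    KFMOptInNoWizard   = $noWizard
    KFMOptInWithWizard = $withWizard
} | Format-List
```

Paste the printed strings directly into the Value field of the respective custom OMA-URI setting; deploy only the one matching the experience you want (silent or prompted).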
User Experience
- As soon as the user is automatically signed in to OneDrive, they receive a notification asking them to protect their common Windows folders
- If the user dismisses the notification, it pops up again after a few minutes, and keeps doing so until they enable OneDrive KFM protection
- If the user starts the protection, a confirmation dialog appears
Prevent users from redirecting their Windows known folders (back) to their PC
If you want to prevent users from redirecting their folders back to a local drive (and thereby taking the data out of the organisation's OneDrive), add this option to your existing OneDrive KFM configuration:
| Setting | Value |
|---|---|
| Name | KFMBlockOptOut |
| Description | Prevent users from redirecting their Windows known folders to their PC |
| OMA-URI | `./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/KFMBlockOptOut` |
| Data type | String |
| Value | `<enabled/>` |
User Experience
- A user opens the OneDrive sync client settings
- The user tries to update their protected folders
- The option to stop folder protection is not shown, and a hint explains that the setting is controlled by the organization
Enable Files On Demand
OneDrive Files On-Demand is enabled by default on Windows 10 1709 and later; if you want to enforce the setting so that users cannot turn it off, use the following OMA-URI:
| Setting | Value |
|---|---|
| Name | FilesOnDemandEnabled |
| Description | Enable OneDrive Files On-Demand |
| OMA-URI | `./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/FilesOnDemandEnabled` |
| Data type | String |
| Value | `<enabled/>` |
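Once the profile is assigned, you will want to confirm on a client that the ADMX-backed settings actually landed and that the known folders really point into OneDrive, rather than trusting the Intune status alone. The following is an added example (not code from the original post) that reads the OneDrive policy registry key the ADMX-backed settings write to and compares the user's known-folder paths against the OneDrive folder. It assumes the registry value names from OneDrive.admx (KFMSilentOptIn, KFMSilentOptInWithNotification, KFMOptInWithWizard, KFMBlockOptOut, SilentAccountConfig, FilesOnDemandEnabled) and that the sync client sets the OneDriveCommercial or OneDrive environment variable; run it in the user's context.

```powershell
# Added example, not part of the original post.
# Assumes the registry value names from OneDrive.admx and the OneDrive* environment variables
# set by the sync client. Run as the signed-in user on a managed client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$shellKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Expected policy values. KFMSilentOptIn / KFMOptInWithWizard hold the tenant ID (string),
# the rest are DWORDs. Normally only one of the two KFM opt-in values is deployed.
$expected = [ordered]@{
    SilentAccountConfig            = 1
    KFMSilentOptIn                 = '<tenant GUID>'
    KFMSilentOptInWithNotification = 0
    KFMOptInWithWizard             = '<tenant GUID>'
    KFMBlockOptOut                 = 1
    FilesOnDemandEnabled           = 1
}

'--- Policy values under {0}' -f $policyKey
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = $policy.$name
    $state = if ($null -eq $actual) {
        'missing'
    } elseif ($actual -is [string]) {
        $g = [guid]::Empty
        if ([guid]::TryParse($actual, [ref]$g)) { 'ok (tenant ID)' } else { "INVALID ($actual)" }
    } elseif ($actual -eq $expected[$name]) {
        'ok'
    } else {
        "unexpected ($actual)"
    }
    '{0,-32} {1}' -f $name, $state
}

# Known folders: Desktop, Personal (Documents) and My Pictures should now resolve below the OneDrive folder.
'--- Known folder locations'
$oneDrive = if ($env:OneDriveCommercial) { $env:OneDriveCommercial } else { $env:OneDrive }
if (-not $oneDrive) { Write-Warning 'No OneDrive environment variable set; the sync client is not configured for this user' }
$shell = Get-ItemProperty -Path $shellKey
foreach ($name in 'Desktop', 'Personal', 'My Pictures') {
    $path = [Environment]::ExpandEnvironmentVariables([string]$shell.$name)
    $redirected = $oneDrive -and $path.StartsWith($oneDrive, [StringComparison]::OrdinalIgnoreCase)
    '{0,-12} {1,-10} {2}' -f $name, $(if ($redirected) { 'redirected' } else { 'LOCAL' }), $path
}
```

A folder still reported as LOCAL after the policy values show ok usually means the sync client has not yet picked up the policy for this user (it is evaluated on sign-in and periodically), or that the tenant ID does not match the signed-in account.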
Thank you for reading this blog post. If you have any questions or feedback, just let me know. Happy Known-Folder-Moving!