Deploy OneDrive KFM with Microsoft Intune OMA-URI

OneDrive KFM (Known Folder Move) allows you to redirect common Windows folders (Desktop, Documents and Pictures) to the user's personal OneDrive. OneDrive Known Folder Move is the modern replacement for the well-known folder redirection group policy. The deployment with Microsoft Intune allows you to trigger or automate the OneDrive KFM configuration for your end users.

There is already a PowerShell script solution available from Per Larsen to configure OneDrive KFM, but I wanted to deploy a solution with native ADMX-backed policies. This solution additionally provides more reporting in the Intune console, because we have the opportunity to review every single setting's status and configuration (actually you cannot view an uploaded PowerShell script in the Intune dashboard).

This post is based on a great article from Oliver Kieselbach, "Deep dive ADMX ingestion to configure SilentAccountConfig with OneDrive". I used his blog to play around with ADMX ingestion.

If you are not familiar with the deployment of ADMX-backed policies and ADMX ingestion, here are some great resources:

Prerequisites

To automatically deploy OneDrive Known Folder Move the following prerequisites must be met:

ADMX Ingestion

To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The ADMX files are located under %LocalAppData%\Microsoft\OneDrive\, in a folder named after the current OneDrive build (in my case it was "18.162.0812.0001"). Inside it there's a folder named "adm" which contains the policy definitions (admx and adml).

If you don't have a Windows 10 client with a recent OneDrive version available, you can find the admx file on my GitHub repository.

In Microsoft Intune, create a new device configuration profile, choose Custom as the profile type, and then add the ADMX ingestion policy as follows:

Name: ADMX Ingestion
Description: OneDrive for Business admx, build 18.162.0812.0001
OMA-URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDriveNGSC/Policy/OneDriveAdmx
Data type: String
Value: Original content of the OneDrive admx file mentioned above or found on my GitHub account.

[Figure: Azure Intune Portal Policy Configuration]

Configure SilentAccountConfig

With SilentAccountConfig enabled, OneDrive for Business is automatically configured with the account of the user who is signing in to Windows.

Important: ADAL is now enabled automatically when you use this policy or the registry key, so you don't have to download and enable it separately.

See full Microsoft Docs article

Name: SilentAccountConfig
Description: Silently configure OneDrive using the primary Windows account
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/SilentAccountConfig
Data type: String
Value: <enabled/>

Configure OneDrive Known Folder Move

As there are multiple configuration options to enable OneDrive for Business Known Folder Move, I describe both the option to silently redirect the folders and the option to prompt the user first.

For both options we need to acquire the tenant ID of the Azure Active Directory tenant. You can find your tenant ID in the Azure Portal in the Active Directory Application section and then choose Properties / Directory ID.

[Figure: Obtain the Azure AD directory ID from the Azure Portal]

Enable OneDrive KFM without user consent

Name: KFMOptInNoWizard
Description: Silently redirect Windows known folders to OneDrive
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/KFMOptInNoWizard
Data type: String
Value:

<enabled/><data id="KFMOptInNoWizard_TextBox" value="%Insert Your Azure Tenant ID FromAbove%"/><data id="KFMOptInNoWizard_Dropdown" value="%Choose between 0/1%"/>

0 = Don't display any notification 

1 = Display a notification after KFM setup has completed

Please make sure to use straight quotation marks to include the above values. Otherwise you could experience some remediation error failures in Intune.

User Experience

  • Desktop folder is now redirected to OneDrive For Business
  • Document folder is now redirected to OneDrive For Business
  • Picture folder is now redirected to OneDrive For Business
  • If the notification option is enabled, the user receives a toast notification that his folders are protected and synced with OneDrive

[Figure: Windows File Explorer with OneDrive Known Folder Move enabled]

[Figure: End user notification after OneDrive Known Folder Move is enabled]

Enable OneDrive KFM with user consent

Name: KFMOptInWithWizard
Description: Prompt users to move Windows known folders to OneDrive
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/KFMOptInWithWizard
Data type: String
Value:

<enabled/><data id="KFMOptInWithWizard_TextBox" value="%InsertYourAzureTenantID%"/>

Please make sure to use straight quotation marks to include the above values. Otherwise you could experience some remediation error failures in Intune.

User Experience

  • As soon as the user is automatically signed in to OneDrive he receives a notification to protect his common Windows folders
  • If the user dismisses the notification it will pop up again after a few minutes. This happens until he enables OneDrive KFM protection
  • If the user starts the protection a confirmation dialog appears

[Figure: End user prompt to move his files to OneDrive for Business]

[Figure: Confirmation and sync progress after the user started the OneDrive for Business Known Folder Move process]

Prevent users from redirecting their Windows known folders (back) to their PC

If you want to prevent users from redirecting their folders back to a local drive, you can add this option to your existing OneDrive KFM configuration:

Name: KFMBlockOptOut
Description: Prevent users from redirecting their Windows known folders to their PC
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/KFMBlockOptOut
Data type: String
Value: <enabled/>

User Experience

  • A user accesses the OneDrive Sync Client settings
  • The user wants to update his protected folders
  • The option to stop folder protection is not shown and a hint shows that the setting is controlled by the organization

[Figure: The option to disable Known Folder Protection is not available]

Enable Files On Demand

OneDrive Files On-Demand is enabled by default. If you want to enforce this setting, you can use the following OMA-URI:

Name: FilesOnDemandEnabled
Description: Enable OneDrive Files On-Demand
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/FilesOnDemandEnabled
Data type: String
Value: <enabled/>

Thank you for reading this blogpost. If you have any questions or feedback just let me know. Happy Known-Folder-Moving,

-Nicola-

 


 

19 thoughts on “Deploy OneDrive KFM with Microsoft Intune OMA-URI”

    1. Hi Beat,
      Currently there's no option available to specify a custom location within the policies and the known folders will be placed at the root of your OneDrive. But you could submit your idea to the Microsoft UserVoice!

    1. Hi Ronald,
      I just tested the case when removing the documents folder for you. If a user deletes the documents folder in his OneDrive from the file explorer he receives a notification that the files won't be moved into the local recycle bin.
      Afterwards the documents folder "move" is gone and won't be applied during the next policy refresh. The user needs to restore the files from his OneDrive Online.
      Then the user needs to manually enable folder protection within OneDrive settings for the deleted (documents) folder. The restored files remain within the OneDrive folder.
      I hope this clarifies your question, if not, just let me know.

      Best regards,
      Nicola

  1. I tried all the above steps but I'm getting some remediation failed errors on the intune portal.

    OneDriveAdmx is coming up with Remediation Failed -2016281112 When I Click on the setting it comes up with setting error code 0x87d1fde8

    KFMOptInNoWizard is also coming up with the same remediation and error code as above.

    I copied the ADMX text from the github

    Do you have any suggestions? Thank you!!

    1. Hi Jonathan, could you tell me which Windows 10 build & OneDrive Version you are using? Then I can try to repro your issue.

  2. I'm getting remediation failed with OneDriveAdmx and KFMOptInNoWizard -2016281112 with an error code 0x87d1fde8. I added my tenant and value of 1 for the notification. Any suggestions?

    1. To enable the KFMOptInNoWizard config the SilentAccountConfig and OneDriveAdmx must be successfully enabled first, have you double checked that?

  3. Hi Nicola,
    I'm unable to get the KFMOptInNoWizard or the KFMOptInWithWizard settings to deploy as you've written. Intune shows an "0x87d1fde8 remediation failed" error for this setting only. All the other settings have been successfully applied. Have you been able to deploy this OK?

        1. I did my tests and this post with the OneDrive Version: 18.111.0603.0004. I'll try to repro the issue with your version within the next days. I'll keep you updated.

          1. I got the same error as some other users but I found out that this issue is caused by incorrect double quotes.
            This happens sometimes when you copy a string with double quotes from a website.
            If you correct those double quotes in, for example, Notepad and copy the correct value in Intune the setting is successfully applied.

          2. Thank you Ronald,
            I just did a repro and it's definitely the "straight" quote issue. WordPress messes them up. I'll place a hint into the post about that.

      1. Hi Nicola,

        I get the same issue as Dan.

        Both the KMBlockOptOut and SilentAccountConfig successfully deploy to the client but the KMOptInNoWizard (or KMOptInWizard) fails. Remediation failed -2016281112 with error code 0x87d1fde8 in Intune portal.

        Client-side in the DeviceManagement-Enterprise-Diag event log I get error 810 and 404 with unspecified error. Can see the configuration details in the 810 error with correct tenant id etc.

        Windows 1803 17134.286
        Onedrive 18.151.0729.0012

        Thanks

        Jason

        1. Hi Jason,
          please make sure that you use straight "" quotation marks within the OMA-URI values. Would you please give me feedback if this solves your problem?
          Cheers, Nicola

          1. Yes, thanks it was the straight quotes issue. Didn't work on the first test machine but worked on a new machine fine. Thanks for posting this - great feature for the modern workplace! cheers Jason

  4. Great post.

    When trying to ingest the ADMX file as documented, I receive an error within the DeviceManagement-Enterprise-Diagnostics-Provider log file. I am using your Github hosted ADMX file for the String Value.

    Error ID 454:
    MDM ConfigurationManager: Command failure status. Configuraton Source ID: (1BA86B31-D9D0-4D34-9201-BC5D52526FF8), Enrollment Type: (MDMFull), CSP Name: (Policy), Command Type: (SetProperty: Format or Type change), Result: (./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDriveNGSC/Policy/OneDriveAdmx).

    Error ID 454:
    MDM ConfigurationManager: Command failure status. Configuraton Source ID: (1BA86B31-D9D0-4D34-9201-BC5D52526FF8), Enrollment Type: (MDMFull), CSP Name: (Policy), Command Type: (Clear: first phase of Delete), Result: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDriveNGSC/Policy/OneDriveAdmx).

    1. Hey Brian, could you tell me which Windows 10 build & OneDrive Version you are using? You can find the "original" OneDrive Admx under the following path: %LocalAppData%\Microsoft\OneDrive.
