Known Folder Move: Part 2 – Group Policy settings

In my last post, I discussed the preparations and process of migrating to OneDrive with Known Folder Move (KFM). Today, I’ll walk you through the corresponding Group Policy settings.

Computer Policies

You can find the relevant Group Policies here: Computer Config | Admin Templates | OneDrive.

Block file downloads when users are low on disk space – Enabled – 2500 (this allows you to ensure that users can’t download any more files after this free space threshold is crossed)

Block file downloads when users are low on disk space

Prevent users from redirecting their Windows known folders to their PC – Enabled – (this ensures that once directed into OneDrive, users can’t change the known folders back to local or other network locations, essentially removing the protection provided)

Prevent users from redirecting their Windows known folders to this PC

Prompt users to move Windows known folders to OneDrive – Enabled – supply Tenant ID (this prompts users to perform a backup of these folders into OneDrive; we also enable the GPO to do this silently, but this setting provides fallback in case the silent mode fails for any reason, such as Folder Redirection still being active)

Prompt users to move Windows known folders to OneDrive

Silently move Windows known folders to OneDrive – Enabled – supply tenant ID (this attempts to silently move the folders and allows you the option to provide users with a notification once completed)

Silently move Windows known folders to OneDrive

Silently sign in users to the OneDrive sync app with their Windows credentials – Enabled – (this allows you to ensure that users are signed into OneDrive without any interaction, if possible)

Silently sign in users to the OneDrive sync app with their Windows credentials

Use OneDrive Files On-Demand – Enabled – (if your OS supports it, this ensures that files are only downloaded as users require them, rather than downloading the entire cache as soon as users log in and potentially causing network strain; this requires Windows Server 2019 or Windows 10 1709 and above)

Use OneDrive Files On-Demand

Warn users who are low on disk space – Enabled – 5000 (this allows you to provide a warning threshold when users are starting to run low on disk space, ahead of the next threshold, which actually blocks file downloads)

Warn users who are low on disk space

User policies

The user policies can be found here: User Config | Admin Templates | OneDrive.

Prevent users from changing the location of their OneDrive folder – Enabled – provide Tenant ID, and set value to 1 (this stops users from changing the location of the OneDrive folder during setup)

Prevent users from changing the location of the OneDrive folder

Disable the tutorial that appears at the end of OneDrive setup – Enabled – (this is optional as some users may benefit from it; however, we chose to disable the tutorial to create a seamless transition for the user)

Disable the tutorial that appears at the end of OneDrive setup

Prevent users from syncing personal OneDrive accounts – Enabled – (this stops users from signing in to their personal OneDrive accounts in addition to the enterprise account)

Prevent users from syncing personal OneDrive accounts

It’s slightly annoying that some of these settings apply on a computer basis, but if you have, for instance, administrative and/or service accounts that are logging on to these devices, they will only connect to OneDrive if the Office 365 tenant has been configured to allow these accounts access. Therefore, on an Office 365 level, you can control whether these GPOs actually apply to particular users on the devices.
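To confirm that the computer and user settings listed above actually reached a device, the following added example (not part of the original article) reads the policy values from the Registry and compares them with the values used here. The Registry value names are taken from Microsoft's OneDrive sync policy documentation rather than from this article, and the tenant ID is a placeholder.

```powershell
# Added example: audit the OneDrive policy values behind the GPO settings above.
# Value names are from Microsoft's OneDrive policy documentation (assumption: not
# shown in the article); expected data matches the settings used in this post.
$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder, use your tenant ID
$hklm = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$hkcu = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'

$checks = @(
    @{ Path = $hklm; Name = 'MinDiskSpaceLimitInMB';        Expected = 2500 }
    @{ Path = $hklm; Name = 'WarningMinDiskSpaceLimitInMB'; Expected = 5000 }
    @{ Path = $hklm; Name = 'KFMBlockOptOut';               Expected = 1 }
    @{ Path = $hklm; Name = 'KFMOptInWithWizard';           Expected = $TenantId }
    @{ Path = $hklm; Name = 'KFMSilentOptIn';               Expected = $TenantId }
    @{ Path = $hklm; Name = 'SilentAccountConfig';          Expected = 1 }
    @{ Path = $hklm; Name = 'FilesOnDemandEnabled';         Expected = 1 }
    # DisableCustomRoot is a subkey; the value name is the tenant ID itself.
    @{ Path = "$hkcu\DisableCustomRoot"; Name = $TenantId;  Expected = 1 }
    @{ Path = $hkcu; Name = 'DisableTutorial';              Expected = 1 }
    @{ Path = $hkcu; Name = 'DisablePersonalSync';          Expected = 1 }
)

function Test-OneDrivePolicy {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value is reported as "<not set>" instead of an error.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Policy    = $c.Name
            Hive      = $c.Path.Substring(0, 4)
            Expected  = $c.Expected
            Actual    = $(if ($null -eq $actual) { '<not set>' } else { $actual })
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
        }
    }
}

Test-OneDrivePolicy -Checks $checks | Format-Table -AutoSize
```

Run it in the user's session after `gpupdate /force`, because the three HKCU checks read the hive of whoever runs the script.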

User session

After this set of Group Policies is applied, when users log in, they will be silently signed into OneDrive, and the KFM process will begin.

KFM works by redirecting the folders to the OneDrive Sync Client location. After KFM has run successfully, you can see the new redirections in place in the user’s Registry.

Redirections

It’s interesting to note the two GUIDs at the top of this list that redirect to the Pictures and Documents locations. These GUIDs deal with the redirection of the folders within the User’s Files shortcut that can be optionally placed on the desktop (see below). Why these folders require a different entry in the Registry to redirect correctly isn’t clear.

User’s Files

If the process is successful, and you’ve configured notifications to be shown in Group Policy, the following dialog will be presented to the user.

Success

If you choose not to show a notification, the entire process will be invisible to the user.

The process normally takes a couple of minutes after logon has completed to start performing the synchronization. If users are signing in to a new machine or have had their profile removed, their desktop icons and the contents of their Documents and Pictures folders should be restored at this point.
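The Registry redirections described above can be checked without opening regedit. This added example (not from the original article) lists every entry under the user's User Shell Folders key, including the GUID-named ones, and flags whether each resolves inside the OneDrive folder. It assumes the sync client has set the `OneDriveCommercial` environment variable for the signed-in work account; the function name is made up for this example.

```powershell
# Added example: report which known folders KFM has redirected into OneDrive.
# Assumption: $env:OneDriveCommercial holds the path of the work OneDrive folder.
function Get-KfmRedirection {
    param([string]$OneDriveRoot = $env:OneDriveCommercial)

    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $root  = "$OneDriveRoot".TrimEnd('\')
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' }      # drop PSPath, PSProvider, ...

    foreach ($p in $props) {
        # Values are REG_EXPAND_SZ; expand %USERPROFILE% and similar before comparing.
        $target = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        $inside = $false
        if ($root) {
            # Compare on a path boundary so "OneDrive - Contoso2" does not match "OneDrive - Contoso".
            $inside = $target.Equals($root, [StringComparison]::OrdinalIgnoreCase) -or
                      $target.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)
        }
        [pscustomobject]@{
            Name       = $p.Name
            IsGuid     = $p.Name -match '^\{[0-9A-Fa-f-]{36}\}$'
            Target     = $target
            InOneDrive = $inside
        }
    }
}

$report = Get-KfmRedirection
$report | Sort-Object InOneDrive -Descending | Format-Table -AutoSize

# Desktop, Personal (Documents) and My Pictures are the folders KFM moves.
$missing = $report | Where-Object { $_.Name -in 'Desktop', 'Personal', 'My Pictures' -and -not $_.InOneDrive }
if ($missing) {
    Write-Warning ("Not redirected to OneDrive: " + ($missing.Name -join ', '))
}
```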

Troubleshooting possible issues

When the process is unsuccessful, there are two main reasons: lack of disk space or active Folder Redirection policies. In either case, the user will be prompted to complete the process until it can be completed.

If low disk space is the culprit, a dialog similar to that below will be displayed (the dialog varies across different OneDrive Sync Client versions).

Space required on your C:\ drive

The disk space issue must be resolved before the KFM process can continue.

If the problem is caused by an active Folder Redirection policy, the user will again be prompted and this time will see an error similar to that shown below.

Your IT administrator has set a policy that prevents changes to known folders. Please remove this policy and try again.

The policy must be removed or disabled and then synchronized to the device. In addition, because this is a Folder Redirection policy, the user needs to log out and back in again to complete the process.

Another issue you may see after KFM has completed, particularly if the user is restoring settings onto a new machine or a new profile has been created, is duplication of desktop shortcuts. Because some programs (e.g., Teams, Edge, and Chrome) create desktop shortcuts for users in their profile at first logon, these will be saved into the OneDrive folder. If a user then logs in to a new machine or has a new profile created, the shortcuts will be created before OneDrive synchronizes, and then the existing shortcuts will be duplicated onto the user’s new desktop. Although not a showstopper, it’s a little messy and annoying.

Duplicate shortcuts

To avoid this, you must stop the automatic creation of desktop shortcuts in the profiles of new users. You can do this by tracking down the method used to create the desktop shortcut by the program in question. This obviously depends on the application, but I’ve covered some of the common methods for Chrome, Edge, and Teams below.

Chrome uses a stub to drop the shortcut onto the desktop, which is found at HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}, and is a string value called StubPath. Delete this from the image, and it won’t be created.

Avoid duplicate Chrome shortcuts

Microsoft Teams uses a Registry entry in HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (x64) or HKLM\Software\Microsoft\Windows\CurrentVersion\Run (x86) to create the desktop shortcut that you see. Remove this entry, which is usually called TeamsMachineInstaller.

Avoid duplicate Teams shortcuts

Microsoft Edge’s creation of a desktop shortcut can be turned off by creating a Registry value in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer: a DWORD called DisableEdgeShortcutCreation with a value of 1.

Avoid duplicate Edge shortcuts

If you don’t create these “system-generated” user desktop shortcuts, you should avoid the issue of duplication when the Desktop folder is restored from OneDrive.
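The three Registry changes above can be applied to a reference image in one pass. This is an added example, not the author's script: the paths and value names are the ones given in this article, while the function name is made up for illustration. It records the data of anything it removes so the change can be reversed, and it supports `-WhatIf` for a dry run.

```powershell
# Added example: stop Chrome, Teams and Edge from creating per-user desktop shortcuts.
# Run elevated on the reference image. Disable-ShortcutCreation is a hypothetical name.
function Disable-ShortcutCreation {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $removals = @(
        @{ App = 'Chrome'; Name = 'StubPath'
           Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' }
        @{ App = 'Teams (x64)'; Name = 'TeamsMachineInstaller'
           Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run' }
        @{ App = 'Teams (x86)'; Name = 'TeamsMachineInstaller'
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    )

    foreach ($r in $removals) {
        $item = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ App = $r.App; Action = 'already absent'; OldValue = $null }
            continue
        }
        # Keep the old data in the output so the entry can be restored if needed.
        $old = $item.($r.Name)
        Remove-ItemProperty -Path $r.Path -Name $r.Name   # honours -WhatIf from the caller
        [pscustomobject]@{ App = $r.App; Action = 'removed'; OldValue = $old }
    }

    # Edge: DWORD DisableEdgeShortcutCreation = 1 under the Explorer key.
    $edgeKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    New-ItemProperty -Path $edgeKey -Name 'DisableEdgeShortcutCreation' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    [pscustomobject]@{ App = 'Edge'; Action = 'DisableEdgeShortcutCreation set to 1'; OldValue = $null }
}

# Dry run first, then apply for real:
Disable-ShortcutCreation -WhatIf | Format-Table -AutoSize
# Disable-ShortcutCreation | Format-Table -AutoSize
```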

Summary

KFM is a handy method of smoothing the OneDrive migration process, particularly in environments where users have historically relied on the Desktop folder for data storage. When configured in silent mode, KFM can ensure that the move to OneDrive is commenced by the administrator and remains almost invisible to the end user.

KFM has some foibles, particularly around environments that have already redirected Documents, Pictures, and Desktop folders to network drives. However, as long as these environments take a structured approach to turning off the Folder Redirection and moving the local copies into OneDrive, it should not present too much of a challenge.

The real problem area lies in Remote Desktop Session Host environments where users log on to multiple servers and leverage Folder Redirection. For these users, disabling Folder Redirection to allow the KFM migration presents a number of issues. The best way around this is to disable Folder Redirection policies and capture the required system folders into a profile management system of some type that can then store them as if they are local and complete the migration from there.

2 Comments
  1. Ankur Patel 5 months ago

    Hi James,

        Is there any specific reason why desktop files/icons are not showing when users log in to other computers? What we have learnt is that we go to OneDrive - go to Settings - Backup - Manage backup - Start backup. Once we do that, desktop files and icons come back. We have applied all the GPOs that you have recommended. Kindly please help.

    0

  2. Richie T. 4 months ago

    I'd like to know if it is possible to exclude the Desktop folder from KFM and only move Documents and Pictures folders up to OneDrive.

    1+


© 4sysops 2006 - 2020
