Replacing folder redirection and mapped network drives: Controlling the OneDrive client experience on Windows 10 with Intune
For as long as we can remember, the primary way to share files in an organization was mapped network drives. This may have included a “Public” or “Company” drive (e.g. P:\ for Public), as well as a “Home” or “User” drive (H:\ or U:\ respectively). As well, there may have been other departmental file shares, maybe mapped as other letters.
But Windows Server based file shares are looking more and more like the dinosaurs they are these days. They are clunky. They require either a local area network connection, or a VPN connection to use them. They do not support additional columns, views or metadata, nor do they provide robust search capabilities. If you want to share a file from this structure, it means attaching a copy of the file to an email, which then creates version sprawl and of course, there are now additional copies of that file “floating around” in the world and you no longer own or control that data.
SharePoint solves literally all of these issues. And many people love being able to break out of the confines of the clunky old mapped drive experience. But there is one little problem: nobody from the old world wants to access their files through a web browser. Nobody. Everyone (or most everyone) still wants the trusty, crusty old Windows File Explorer.
OneDrive client to the rescue
Well I have good news for you crusty types that just cannot let go of the past: the OneDrive client for Windows can help to bridge the adoption gap, and get your organization one step closer to ditching that old on-premises based file server.
OneDrive is not only a personal storage space for your own documents (like the Home or User drive), but the OneDrive client app will also be able to sync shared locations in SharePoint down to the client device, and display them in File Explorer–just like mapped drives. NOTE: You must have Windows 10 version 1709 or later, and preferably version 1903.
The settings that we need to enable this experience are:
- Silently sign in users to the OneDrive sync client with their Windows credentials, because we want the setup to be seamless and easy for the end user (NOTE: the machine must be Azure AD Joined or Hybrid Joined for that to work);
- Use OneDrive Files On-Demand, so we don’t have to sync literally every file to the local device–instead they can be left in the cloud and synced on-demand;
- Silently move Windows known folders to OneDrive, which turns on Known Folder Move (also known as the “Backup” feature); this syncs the local Desktop, Documents and Pictures folders, similar to redirected folders in the past;
- And last, Configure team site libraries to sync automatically, because we would like to have the “mapped drives” show up in File Explorer without the user needing to “do” anything themselves.
Rather than going up to each and every Windows 10 device to make these changes happen for the user, we can use modern Device management (Intune) to make this easy for everyone.
Step-by-Step
Before you begin, fetch the tenant ID from Azure AD admin center > Azure Active Directory > Properties blade. Copy the Directory ID.
Return to Intune, go to Device configuration > Profiles. Pick Create Profile. Give this a name like Windows 10 OneDrive Config, and a description similar to the one pictured. Pick Windows 10 and later as the Platform, and Administrative Templates as the Profile type. Click Create.
Under Settings, type “onedrive” in the search field to filter your choices.
Scroll down to find and enable the following settings:
Silently sign in users to the OneDrive sync client with their Windows credentials: Enabled.
Use OneDrive Files On-Demand: Choose Enabled. Click OK.
Silently move Windows known folders to OneDrive: Choose Enabled. Paste the Directory ID from the Azure AD admin center into the Tenant ID field. Click OK.
In case the client fails to silently configure, you can also enable the policy to prompt the end-user to complete the setup (Microsoft recommends this if you read the setting descriptions). I use the silent option only, and have not run into problems on 1903.
Now you should have all of the settings necessary for the initial configuration of the OneDrive client.
Under Assignments you can target a pilot group to test drive this policy out.
How to sync SharePoint library locations automatically to File Explorer using Intune and OneDrive
To map a SharePoint library just like a mapped network drive, create another new configuration profile, selecting Windows 10 and later, and Administrative Templates as the type. Filter the Settings list to “OneDrive” specific settings again, then choose the option Configure team site libraries to sync automatically (I usually pick the User Setting Type).
Click Enabled. As you will see, to configure this setting, it is necessary to retrieve the library ID for each library you wish to sync.
Therefore, navigate to the library in SharePoint Online. (1) Click Sync at the top, then (2) Cancel out of the prompt to Open Microsoft OneDrive?, finally (3) Copy library ID.
Back in the configuration profile, paste the library ID into the field called “VALUE” and give it a friendly name.
Under Assignments, you can scope these policies to the proper groups.
Note: The best way to map multiple libraries is by using a single device configuration profile, and entering multiple libraries within it. So for instance if you have a company-wide library and a departmental library, you would map both of them together in one profile. Therefore, first think about who needs access to which libraries, and then target the appropriate groups of users under Assignments accordingly.
Fine print on mapped libraries
Be sure to read this fine print here.
Small orgs will not have a problem with the 1,000 devices limit. But again it requires Fall Creator’s update 1709 or later to work (and 1903 is preferred in general for applying these admin templates). Oh, and you might have to wait up to 8 hours for this setting to take effect. Yep. You read that right. In my testing this held true. Sometimes a device would pick up the change within 2-4 hours, and others it wouldn’t show up until the following day, after I made a change to the policy.
On the client machine, you will not be able to get this to happen any faster using a reboot, or the manual MDM sync option under Settings > Accounts > Work and school.
Nor will it work to manually run the scheduled task that pulls down a policy refresh, as it does for making certain other changes to the configuration profiles: Computer Management > Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt > {GUID} > Schedule #3 created by enrollment client
I thought for sure this is why they say up to 8 hours, because this task only repeats every 8 hours. But apparently this has no bearing on the settings that control OneDrive sync / library mappings. So it’s still a mystery to me what the wait is all about. It is disappointing, but aside from that–everything works beautifully.
Libraries that you configure to sync will eventually show up in File Explorer alongside OneDrive, under another icon that features your company’s name (as it appears in the admin portal under Settings > Organization profile).
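While waiting for the settings to show up, a read-only check on the client tells you whether the policy values have landed yet. This is an added example, not part of the original article: the value names are the ones used by the OneDrive Group Policy settings, and it is an assumption that the Intune Administrative Templates write the same values and that the copied library ID contains a tenantId= field. The tenant ID shown is a placeholder.

```powershell
# Added example: read-only check of OneDrive policy values on a Windows 10 client.
# Assumption: the Intune templates write the same registry values as the
# OneDrive Group Policy settings of the same name (device = HKLM, user = HKCU).
$roots = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive',
         'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'

# Placeholder: paste the Directory ID copied from the Azure AD Properties blade.
$expectedTenantId = '00000000-0000-0000-0000-000000000000'

function Get-PolicyValue {
    param([string]$Name)
    foreach ($root in $roots) {
        $item = Get-ItemProperty -Path $root -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Hive = $root.Substring(0, 4); Value = $item.$Name }
        }
    }
    return $null   # not present in either hive
}

$checks = @(
    @{ Setting = 'Silently sign in users';       Name = 'SilentAccountConfig';  Expected = '1' }
    @{ Setting = 'Use OneDrive Files On-Demand'; Name = 'FilesOnDemandEnabled'; Expected = '1' }
    @{ Setting = 'Silently move known folders';  Name = 'KFMSilentOptIn';       Expected = $expectedTenantId }
)

$report = foreach ($check in $checks) {
    $found = Get-PolicyValue -Name $check.Name
    [pscustomobject]@{
        Setting = $check.Setting
        Hive    = if ($found) { $found.Hive } else { '-' }
        Value   = if ($found) { $found.Value } else { '(not set)' }
        OK      = [bool]($found -and ("$($found.Value)" -eq $check.Expected))
    }
}
$report | Format-Table -AutoSize

# Team site libraries: one registry value per library (friendly name = library ID).
$libraries = foreach ($root in $roots) {
    $key = Get-Item -Path "$root\TenantAutoMount" -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $libraryId = [string]$key.GetValue($name)
        # Assumption: the copied library ID carries a tenantId=<GUID> pair.
        $tenant = if ($libraryId -match 'tenantId=([0-9a-fA-F-]{36})') { $Matches[1] } else { 'unparsed' }
        [pscustomobject]@{
            Hive          = $root.Substring(0, 4)
            Library       = $name
            TenantMatches = ($tenant -eq $expectedTenantId)
        }
    }
}
$libraries | Format-Table -AutoSize
```

If the values are present but the libraries are still missing from File Explorer, the policy has arrived and the remaining delay is on the OneDrive client side.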
More to come on this topic
File shares and mapped drives are quickly becoming a thing of the past, but file sharing is just getting really good for the first time with tools like OneDrive, Teams and SharePoint. I won’t lie though–there are several pitfalls to avoid when migrating files to the cloud. In fact, I find that IT pros will still sneer at the idea of SharePoint replacing their file server: they ran into one limitation or another–some issue they didn’t understand–and decided it would never work.
Well, it does. But you have to know what you’re doing, and why you’re doing it. And sure, you probably don’t want to move every single piece of dead data into SharePoint, so it isn’t going to be the one and only resting place for your obscene garbage heap of files that you have accumulated over the past couple of decades in your business. But that’s okay, too.
I have been struggling with how to communicate the migration process for a while now, but over the next few months I’ll give it another try here on the site–I’m more than open to feedback, even very critical feedback. So, keep those comments and questions coming my way, folks.
Comments (28)
Great blog – this feature is really going to come in handy with new installs!
Thanks.
Thanks for this. I’m rapidly adopting you as my go-to place for Intune and 365 Business info.
If I were to add this to all users for all groups, in theory, would it deal with the permissions and only map the ones that the user could access? My dream goal is this: to make every library auto-map for everyone, and only the ones that you have permissions to will appear for you – so it wouldn’t show any errors, or display libraries you couldn’t access at all.
In fact, if I could tick a box that would make all libraries available, now and in the future, and I didn’t have to get the IDs every time a new Team or SP site was created, that would do me just fine… :-)
While that would be nice, right now you would need to make separate policies scoped to separate groups. But I think that “security trimmed view” or similar would be an excellent request on uservoice… maybe I’ll go start that request myself…or maybe it’s there? We’ll see!
I’m testing this functionality and I’ve run into a problem. I’ve got 8 different sites/libraries, corresponding to our business units. I created separate profiles for each library and assigned them to the same test group (i.e., me), and the sync failed because of “deployment conflicts”. Does this mean each user/machine can only have one team site library sync profile assigned? This will be a problem when I go live, because certain users will be members of multiple assigned groups (i.e., business development and account management have overlapping-but-distinct membership). I don’t want to just map all the libraries under a single profile because I don’t want an entry-level employee to even see unassigned libraries like Executive in file explorer, even if they don’t have rights to open/view, unless that’s the only alternative. Any tips?
The error feedback within Intune is pretty terrible right now; that message doesn’t give you much to go on unfortunately (and none of them do yet). I would check to see if you have permission to all the libraries you are attempting to map, as another test. Then, as another test for your theory, I would suggest creating the policies differently. For example: Bob, Sally and Sarah all need access to the same set of libraries. So they are all in a group that gets those similar mappings. Scope a specific policy to that group that contains all their mappings. Repeat for others, keeping all the mappings in a single policy. What is the result? Better, same? How about starting with just one mapping for yourself, and add a second policy that has a different mapping? Is this same, different?
In my setups I have done so far it is often very simple, for instance company-wide library, and departmental library (scoped to each department). I just have a policy scoped to each department / team and they get their own department’s library plus the company library. So I have not tested the scenario you describe. Would be curious to hear what you learn testing the above out, however!
Hello. Nice guide, but the instructions on getting the SharePoint Library ID do not match what I am seeing. Clicking on the sync button from the documents tab brings up a message ‘Getting ready to sync…’ but there is not an option to get the Library ID. I have not had any luck finding any other way to get the IDs.
Odd, have you tried another browser?
I tried Internet Explorer and it shows me the URL, but how do I extract the Library ID?
Just an update… After logging into SharePoint with an account that had administrator permissions, I was able to see the show library ID link. That link is not there when a normal user clicks on the sync button.
I had a similar experience with one of my libraries not showing the ID link, but it was the second time I opened it and hit Sync. Once I closed my browser session and then went back into the site, I was able to see the ID link again.
I was able to resolve my problem with conflicting profile assignments by rethinking how to apply them. Rather than creating a different config profile for each site/library and then assigning those to my actual departmental groups (which meant that some users had 5-6 profiles assigned, each defining the setting for “Configure sites to sync automatically” differently), I created new groups with membership based on which libraries those users needed access to, and then created a single profile with the relevant library mappings for each of those groups. Worked like a charm (after 8 hours!). So, lesson learned: specific policy settings can’t be aggregated piecemeal for users via overlapping profile assignments, even if it seems like it “should” work for that particular setting.
Hey Steve,
This was very helpful, thanks.
Did you use security groups and add the users to those groups?
Or did you achieve this using device groups?
Great Article Alex :)
I have also recently implemented the same Admin Template solution (including KFM), which is currently going through POC testing.
We have also had the same constraint as Steve#1 with multiple site libraries across 3,000+ users, but will try/test his solution. ;)
I have one quick question: Have you got around the duplicate desktop shortcuts via KFM yet?
Many Thanks
John
Sorry, what does “duplicate desktop shortcut” refer to?
Hi Alex,
Thanks for the great article once again. We use most of your best practices to get our Intune and Azure AD up to par. I’m running into an issue where the SharePoint libraries are not showing in OD4B. My PC is Azure AD joined and I have synced the policies you set down and waited over 8 hours. I’ve been reading around about a possible regedit that is needed. Have you come across this yet?
Note: It’s showing succeeded under device and user however I don’t show anything in File Explorer.
Not in 1903, I have seen it show up after 8 hour wait thus far…
Great write up, I used this guide to get Intune set up two weeks ago thank you very much.
Now today, in checking how I set up auto mapping to shared folders, I noticed that the Library ID is no longer displayed in the dialog. I have tried different browsers, classic view, everything that has been suggested, and it is no longer showing up.
Did you end up finding the library ID?
I can’t find it :(
Found it.. You have to be the site owner
Really loved this write up, found it by googling something not quite related but falls within the realm of what I was working on. I touched SharePoint via onedrive in 2014 and it was pure garbage – file folder quantity and file quantity limits within a site, bandwidth throttling – DropBox at that time was superior.
Now that I’ve found this, wondering if there’s a way to auto deploy the site without manually syncing using only Business Premium or Essentials licensing – MUST Intune be purchased (Or Microsoft 365 or O365 E3)
Thanks!!
There are GPO’s for OneDrive client available as well. But moving forward every org should be updating their licensing to Microsoft 365 in my opinion. If they don’t do that, then they need to account for modern management and security via different tools. They need a modern identity provider, they need MDM, they need some kind of information protection solution, etc. But why buy from a bunch of different vendors when you can get everything you need in one $20 bundle?
Any idea if this works from Redirected GPO to OneDrive, without moving the files to local first? We have discovered that when a client already has redirected files to a server, that we have to change the GPO to move them local, and then move them to OneDrive manually. Doing it manually says a GPO is in effect that stops it from going to OneDrive, so we remove redirection to local, but then we still have to go back and say “No policy is enabled”, then we can manually move them to OneDrive.
Any idea if this will let us skip these steps?
No, you have to kill your old folder redirection first. Everything must be local with no redirection policy in place. This is not per se an article on how to go from point A to point B but rather just pointing out that you can accomplish the same type of experience but differently with this newer method.
Have you ever tried to use multiple libraries using the “Configure team site libraries to sync automatically” policy – As we only ever get 1 syncing but if we check the registry we can see it’s pulling the other locations just not showing them and it’s driving me nuts! Thank you for the guide :)
What I have experienced is that you can enter more than one library into a single policy, and they tend to sync okay. The problem is when we configure multiple policies each with a single shared library or different libraries. Then it seems to get confused and only sync the first policy that is applied. Are you seeing differently now?
Loved the article, so many of the points you made really hit home and match my experience. I’ve just created the configuration profile and only time will tell if it’s worked or not. The GUI’s a little different from when you created the article but still managed to complete without issue.
Thank you for this, awesomely explained!