Friday, 23 March 2018

Silently Deploying OneDrive for Business with SCCM and Migrating user profile with zero User Interaction.



Pre-requisite Tasks

Download the Latest Version of OneDrive from:

Download the Latest OneDrive for Business ADMX template.

Assumptions

You have a working knowledge of, and access to, the Group Policy Management Console, permissions to update ADMX templates, and packaging rights within System Center Configuration Manager.


The Goal - Deploy OneDrive For Business


In my environment we currently have the following:

Windows 7 X64 systems which we are planning to migrate to Windows 10.
System Center Configuration Manager 2007R3 which will die along with Windows 7.

This step-by-step walk-through will focus on deploying OneDrive to Windows 7 using this older SCCM version with a view to migrating user-data into the cloud prior to upgrading users with Windows 10.


Group Policy Configuration


Step
1.    Extract the OneDrive ADMX template downloaded from the above location.

2.    Open OneDrive.admx in Notepad and edit it to include your tenant ID where it says “{INSERT YOUR TENANT'S GUID HERE}”. Please note that you do not need to keep the curly brackets (or braces if you prefer). There are two entries to be modified.

3.    Edit the section that says {INSERT YOUR CHOSEN PATH HERE} to choose the default installation directory for OneDrive. In my case I have chosen the default to be C:\Users\%USERNAME%\AppData\Local\Microsoft\OneDrive.


Above: Highlighted areas have been altered.
4.    Save the ADMX file and then upload both the ADMX and ADML into your central store: \\yourdomain\SYSVOL\yourdomain\Policies\PolicyDefinitions

5.    The next step is to customise the (limited) set of GPO options for your environment. In my environment I only want to deploy OneDrive to laptop computers, so I’ve created two policies relating to OneDrive settings.

The first, G_U_M_Global_OneDrive_Pilot, contains both user and computer settings that can be applied to all users to have OneDrive installed. This is currently assigned at the Grants_Zones level and applies to all users and machines in the lower rationalised group. It is security filtered to a security group called “S_Grants_OneDrive”. It contains the following settings:


These settings are applied to the computer object. They prevent using the “remote file fetch” feature of OneDrive. 


“Automatically Launch the Onedrive Client FRE in business mode” – Makes OneDrive for Business the default logon experience instead of domestic OneDrive.

“Configure machine to receive updates after consumer Production” – Delays the updating of OneDrive to the latest consumer version (essentially allows MS to test the production release on consumers first).

“Prevent users from configuring personal accounts” – Stops users from adding their own personal accounts. Business account only.


6.    That’s all the settings you get on the latest ADMX template. Additional settings such as bandwidth utilisation and enabling ADAL must be entered as registry keys. I’m deploying the following Keys via GPO.

Enables Microsoft Azure Active Directory Authentication Library (ADAL) – Modern authentication


Enables Silent Account Configuration.

Limits upload bandwidth usage to 50% of available.

Other registry settings are available and a complete listing can be found here:



7.    In addition to this, I also created a new environment variable called “OneDriveSync” in the same policy. This makes it easier to point to the OneDrive folder. It is set to be created only if the OneDrive folder exists, and points to %userprofile%\OneDrive – My Organisation Name


8.    Next I’ve created a shortcut to the OneDrive executable on the user’s desktop. If the user clicks it, this will either initiate the installation of the OneDrive software or, if OneDrive already exists, open the OneDrive contents. I’ve called the shortcut “My OneDrive” and it points to %localappdata%\microsoft\OneDrive\OneDrive.exe


9.    Next I’ve set up a scheduled task. This task will launch the OneDrive executable for the first time (by default OneDrive is not normally launched until the user initiates it). The task is set to run as %loggedondomain%\%loggedonuser% and points to the OneDrive executable at %localappdata%\Microsoft\Onedrive\Onedrive.exe


10.    The next GPO is called G_U_M_Global_Folder_Redirection_OneDrive_Loopback. This applies only to laptop devices and is set to be first in the processing order, ahead of any existing folder redirection policies. Again, it is security filtered to the same security group, S_Grants_OneDrive. In my environment loopback processing is enabled in “merge” mode due to the previous folder redirection policy and the location of the Users OU.

11.    Under the user settings > Policies > Windows Settings > Folder Redirection, redirects have been put in place to send Contacts, Desktop, Documents, Links, Searches, Music, Start Menu, Videos, Pictures and Saved Games to the relevant %OneDriveSync% folder and copy any existing contents to this location.

Shows redirection of Contacts and Documents.

Shows redirection of Links, Music, Start Menu and Videos.

Shows redirection of Pictures, Saved Games and Searches.
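The advertisement settings later in this post note that there is no way to verify the GPOs have been applied before deployment. As an added example (not part of the original post), this PowerShell check reads the settings from steps 5 and 6 on a pilot laptop and reports any that are missing or different. The registry paths and value names are assumptions based on Microsoft's documented OneDrive policy values, because the post's screenshots of the exact keys are not reproduced here; edit the table to match your own GPO.

```powershell
# Added example: audit OneDrive settings on a pilot client after "gpupdate /force".
# Run in the logged-on user's session so HKCU resolves to that user's hive.
# ASSUMPTION: value names and hives are Microsoft's documented OneDrive registry
# names, not taken from this post. Edit the table to match what your GPO deploys.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$expected = @(
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\OneDrive'; Name = 'EnableADAL'
       Value = 1;  Purpose = 'ADAL / modern authentication' },
    @{ Path = $policyKey; Name = 'SilentAccountConfig'
       Value = 1;  Purpose = 'Silent account configuration' },
    @{ Path = $policyKey; Name = 'AutomaticUploadBandwidthPercentage'
       Value = 50; Purpose = 'Upload limited to 50%' },
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'; Name = 'DisablePersonalSync'
       Value = 1;  Purpose = 'Personal accounts blocked' }
)

function Test-OneDriveSetting {
    param([hashtable]$Setting)
    $actual = $null
    # Returns nothing when the key or the value is absent (works on PowerShell 2.0).
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($Setting.Name) }

    if ($null -eq $actual)              { $status = 'MISSING' }
    elseif ($actual -ne $Setting.Value) { $status = 'MISMATCH' }
    else                                { $status = 'OK' }

    New-Object PSObject -Property @{
        Status = $status; Purpose = $Setting.Purpose; Name = $Setting.Name
        Expected = $Setting.Value; Actual = $actual; Path = $Setting.Path
    }
}

$results = $expected | ForEach-Object { Test-OneDriveSetting $_ }
$results | Select-Object Status, Purpose, Name, Expected, Actual, Path |
    Format-Table -AutoSize

# A non-zero exit code lets a wrapper script treat missing policy as a failure.
$failed = @($results | Where-Object { $_.Status -ne 'OK' })
if ($failed.Count -gt 0) { exit 1 } else { exit 0 }
```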

SCCM Package Configuration

12.    Next, the SCCM job for deployment of the OneDrive for Business software was created. The OneDrive executable downloaded earlier was copied to my source share.


13.    In addition I have copied a customised deployment notification script, which I will call prior to installation. It includes a countdown, and the file can be customised with any message. A copy of the code for this is available here (just rename to .hta).




14.    An installation .cmd file was created and contains the following settings:



This was then saved into the SCCM source location with the OneDrive executable.

15.    Next an SCCM package was created containing the deployment. 

The program triggered is peruser_business_2.cmd – this is the .cmd file we created previously. This is set to run “hidden” to prevent user interaction.

Estimated disk space was set to 300MB, time allowed was 10 minutes to complete installation (in reality it will be much faster). The program was set to be allowed to run on any platform.

The program was set to run “only when a user is logged on”. This is necessary because OneDrive is a per-user program rather than per-machine. The program is set to “run with the users rights” and requires a drive letter (as we will be running a .cmd, this is to avoid issues).

In the advanced tab we have set to “run another program first” and then selected our deployment notification we created earlier. This was set to “always run this program first” and “run once for every user who logs on”.


16.    A deployment collection was created. For the moment this is simply a static collection that we will manually add systems to. In the future, the deployment groups will be staged in here. Eventually this will contain all Windows 7 laptop devices in the estate.


17.    The Advertisement for deployment was created with the following settings:

The package, program and collection are set to the ones we just created.

Advertisement start time is set from creation date, no expiration date. Set to run “as soon as possible” and “rerun if failed previously” has been configured.

The program was set to “run from distribution point” when on a LAN network boundary and to “do not run program” when on a slow or unreliable network boundary. This will prevent the job from starting on machines that are not on the internal network (as we cannot verify the GPOs have been applied before deployment).

Included is the option to “allow users to run the program independently of assignments” that will allow users to trigger the installation themselves in the event of an error, or re-installation being required.

This is the completed configuration required to deploy OneDrive silently without user interaction. Below I will attach a run-through of the end-user experience during deployment. I hope this has been useful to someone. If so, please leave a +1. Many thanks.