Managing OneDrive on Citrix Virtual Apps and Desktops

It was only a matter of time before I got to this subject. As more and more of us adapt to new ways of working, OneDrive is bound to come to your attention sooner or later. For those of you living under rocks, OneDrive is Microsoft’s horse in the Enterprise File Share and Sync (EFSS) race – and because it is free with your Office365 entitlement, it is pretty much one of the frontrunners. The likes of Sharefile, Box, DropBox and all the others out there may well have more features and work better – but if your product is effectively free, then there is a tipping point of “good enough”; and Microsoft have already passed this threshold.

So there’s little point arguing what works best on Citrix Virtual Apps and Desktops – chances are you’ve already been told to look at OneDrive. As with Teams, Microsoft can be quite savvy by pushing this hard into the personal user space and then allowing the users themselves to pressure enterprises into adoption, because they’ve already become familiar with the product.

When it comes to putting OneDrive into Citrix or other virtualized environments – and particularly shared multi-user environments like Citrix Virtual Apps or Windows Virtual Desktop – there are a number of factors you will want to bear in mind.

Considerations

Firstly, storage. OneDrive offers users up to 1TB (yes) of space to utilize. They’re obviously not all going to use this, but it’s a huge amount of storage to potentially fill. OneDrive generally requires you to utilize the OneDrive Sync Client – but if you use this, you need to have somewhere to store the local cache.

Secondly, security. OneDrive can only sync to the C: drive (I think I covered this a bit in a previous post), and using a network drive, a junction point or even FSLogix or subst trickery to redirect that somewhere else doesn’t fool it. If you’re in the habit of applying CIS hardening policies, then especially on multi-user systems (like Citrix Virtual Apps), it is common practice to restrict access to the system drive (which is invariably C:). And this means that in these environments you can’t use the Sync Client, because the user literally can’t access their files!

Thirdly, there is the matter of the OneDrive client itself. As with Teams, Microsoft would prefer to keep this updated and installed on a per-user basis so they can deliver new features quickly and effectively. For Citrix and RDSH environments, this doesn’t sit so well, where administrators need control of their estates and a full understanding of what is being deployed.

And finally, there is the problem of FSLogix. FSLogix is *the* best way to deal with synchronization of the OneDrive user cache, but it is categorically flagged in the documentation that “OneDrive does not support multiple simultaneous connections / multiple concurrent connections, using the same profile, under any circumstances”. This means that if you have users who require multiple connections to OneDrive, you are going to get into a file conflict nightmare as it tries to synchronize between these sessions.

Installation

I’m not going to dwell too much on the actual installation of the OneDrive Sync Client; there are only a couple of things you need to remember. This section of the article assumes that you actually want to install the Sync Client. The “Managing OneDrive access” section below presents three different scenarios, and only one of them (option #1) actually uses the Sync Client.

Firstly, to get the “machine installer”, which like Teams will install into %PROGRAMFILES% instead of the user profile, you simply download the latest OneDrive client and then run it with the necessary switch (shown below).

After this, I consider it best practice to, again like Teams, remove the autorun entries for the machine so that the user can choose when to invoke OneDrive from the Start Menu. This ensures that thousands of users do not all start synchronizing at once. The autorun entry for OneDrive, however, is a little tricky to find. It’s actually written into the default user profile Registry, cunningly.

The best way to track this down is to open the Registry Editor, highlight the HKEY_USERS hive, choose Load Hive from the File menu, and enter the path to the default user Registry file, c:\users\default\ntuser.dat.

Once this is loaded you will be able to see the Registry value below in HKU\[nameyoupicked]\Software\Microsoft\Windows\CurrentVersion\RunOnce

Delete the value from here, and then don’t forget to unload the default user hive again once you have removed it, using Unload Hive from the File menu – or you will lock it in use until the machine is restarted.

You can remove this through PowerShell as well by mounting the hive as an object, should you so desire.
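The hive-mounting approach in PowerShell, as an added example that is not the article's own script. It loads the Default user hive under an arbitrary name (DefaultUserHive is my choice), removes any RunOnce value whose command line refers to OneDrive rather than relying on a hard-coded value name, and unloads the hive again in a finally block so a failure part-way through does not leave ntuser.dat locked. It assumes the standard hive path and the RunOnce location the article describes, and must run elevated on the image with no user logged on against that hive.

```powershell
# Added example (not from the original article): remove the OneDrive auto-start value
# from the Default user hive and release it again. Run elevated on the golden image.
# Assumptions: hive at the standard path; entry lives under ...\CurrentVersion\RunOnce
# as the article says; "DefaultUserHive" is just the name we mount it under.

$HivePath  = 'C:\Users\Default\NTUSER.DAT'
$MountName = 'DefaultUserHive'
$RunOnce   = "Registry::HKEY_USERS\$MountName\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# reg.exe load fails if the hive is in use, which is why this belongs in the image build
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $HivePath (is it in use?)" }

try {
    if (Test-Path -LiteralPath $RunOnce) {
        $key = Get-Item -LiteralPath $RunOnce
        foreach ($name in $key.GetValueNames()) {
            # Match on the command line rather than the value name so a renamed entry in a
            # newer client build is still caught; log exactly what was removed.
            $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            if ($data -match 'OneDrive') {
                Remove-ItemProperty -LiteralPath $RunOnce -Name $name
                Write-Output "Removed RunOnce value '$name' -> $data"
            }
        }
        # An open RegistryKey handle blocks the unload below, so close it explicitly
        $key.Close()
    }
    else {
        Write-Output 'No RunOnce key in the Default user hive; nothing to do.'
    }
}
finally {
    # Drop any remaining managed handles, then unload; otherwise the hive stays locked until reboot
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning 'Unload failed; the hive will stay locked until the machine is restarted.' }
}
```

The output line for each removed value is worth keeping in your build log: it is the evidence that the image no longer auto-starts OneDrive for every new profile, and it shows the exact command line that was there if you ever need to put it back.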

That’s really all you need to do for installation – make sure you install with the correct switch, and remove the auto-start entry if you want users to be able to trigger their first instance of OneDrive manually (I find this is much better on shared systems – once they’ve launched it, it will auto-start after that).

Control of the OneDrive client should be done in whatever way you manage your image. I’d suggest the best way would be a regular automated rebuild with code that fetches the latest “evergreen” version of the Sync Client, but simply adapt your current processes as you see fit.

Managing OneDrive access

Now, with the caveats about storage and security that I mentioned earlier, let’s think about how we can best manage OneDrive access for our users. There are three disparate options that you can choose from – you may be able to take pieces of them and produce your own hybrid option, but in my experience these are the three commonest ways to attack it. I’ve broken them down individually below.

Option #1 – Sync Client, FSLogix and GPOs

This will be the way Microsoft would ideally want you to do it, to offer the richest user experience. However, for reasons we will discuss, this may not be suitable or even desirable for some environments.

Firstly, you’d install the Sync Client into your environment for all of your users. Ideally, this should work with single sign-on, although dependent on your requirements you may or may not be able to do this. Secondly, you need to either install the full FSLogix Profile Container or (if you are using another profile management solution) install FSLogix Office365 Container with the IncludeOneDrive option set via GPO or Registry. Installing FSLogix means that the local cache of the user’s OneDrive files goes into the network-mounted container rather than onto the local disk. There’s still a storage overhead, but it’s on the network share instead of your local drives, and it can then be persisted from session to session without recaching.

Next you would need to configure OneDrive Files On Demand via GPO. This means that files won’t be downloaded into the user’s local cache until they are actually accessed by the user. However, architectural limitations mean that you can only use Files On Demand if you are using Windows Server 2019 or an upstream version of Windows 10 or Windows 10 Multi-User. If you’re using other OSes (particularly Server 2016), then you can’t use Files On Demand – so in these cases it’s either synchronize the entire cache into the FSLogix container (with all the storage overhead that entails), or choose one of the other options.

The GPO for Files On Demand is located at Computer Configuration | Policies | Admin Templates | OneDrive | Use OneDrive Files On-Demand. What is interesting is that the GPO says it works on Server 2016, but this is an error, so don’t get your hopes up!

I’d also ideally configure a second option from this set of GPOs, Block file downloads when users are low on disk space. This means that if a server or host is in a low disk space state, users won’t be able to cache any more files from OneDrive until the problem is resolved.

Another key GPO to configure is that of Storage Sense. This feature is intended to replace the Disk Cleanup Wizard but it has a really useful setting that can “dehydrate” (essentially, delete the local copy of) files that have not been accessed for a defined period of time. Set aggressively, this can keep the size of the OneDrive cache down quite well. The GPOs you need are located at Computer Configuration | Policies | Admin Templates | System | Storage Sense, and the main ones you are interested in are Allow Storage Sense, Configure Storage Sense cadence and Configure Storage Sense Cloud Content dehydration threshold.

There are a number of other options you can use with Storage Sense, and they are discussed quite nicely in this article, which was written by a nice chap from the UK.
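A build-time check for the option #1 settings described above, added here as an example and not taken from the article. It reads the registry values that the OneDrive, Storage Sense and FSLogix ADMX templates write (the value names are the policy-backed names as I know them; confirm them against the ADMX version you deploy) and confirms the OS build is new enough for Files On-Demand. The cadence of 7 days and the 30-day dehydration threshold are assumed targets for illustration, not figures from the article, and the FSLogix check only applies if you use Office Container rather than Profile Container.

```powershell
# Added example (not the article's code): verify an image has the option #1 policies applied.
# Value names are the ones the ADMX policies write, as I know them; check against your ADMX.
# Expected numbers (cadence 7, threshold 30) are assumed targets, adjust to your own policy.

$Checks = @(
    @{ Name = 'Files On-Demand';             Path = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive';             Value = 'FilesOnDemandEnabled';                              Expect = 1 }
    @{ Name = 'Block downloads on low disk'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive';             Value = 'MinDiskSpaceLimitInMB';                             Expect = { param($v) $v -gt 0 } }
    @{ Name = 'Allow Storage Sense';         Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\StorageSense'; Value = 'AllowStorageSenseGlobal';                           Expect = 1 }
    @{ Name = 'Storage Sense cadence';       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\StorageSense'; Value = 'ConfigStorageSenseGlobalCadence';                   Expect = 7 }
    @{ Name = 'Dehydration threshold days';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\StorageSense'; Value = 'ConfigStorageSenseCloudContentDehydrationThreshold'; Expect = 30 }
    @{ Name = 'FSLogix IncludeOneDrive';     Path = 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC';                   Value = 'IncludeOneDrive';                                   Expect = 1 }
)

function Test-PolicyValue {
    param([Parameter(Mandatory)][hashtable]$Check)
    $actual = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($Check.Value) }
    }
    # A missing value is a fail; otherwise compare to a number or evaluate the scriptblock rule
    $pass = if ($null -eq $actual) { $false }
            elseif ($Check.Expect -is [scriptblock]) { [bool](& $Check.Expect $actual) }
            else { $actual -eq $Check.Expect }
    [pscustomobject]@{ Check = $Check.Name; Actual = $actual; Expected = "$($Check.Expect)"; Pass = $pass }
}

# Files On-Demand needs Server 2019 or Windows 10 1709 and later, i.e. build 16299 or higher
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$results = @(
    [pscustomobject]@{ Check = 'OS build supports Files On-Demand'; Actual = $build; Expected = '>= 16299'; Pass = ($build -ge 16299) }
)
$results += $Checks | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'One or more option #1 settings are missing or wrong; see the table above.' }
```

Run it on a freshly built image after a gpupdate; a red row for the OS build on Server 2016 is the quickest way to prove to someone that the Files On-Demand policy really is not going to work there, whatever the GPO text says.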

Below, we can see the user session with all of the above configured accessing their OneDrive folder. All of the files are showing as stored in the cloud, until such a time as they are accessed.

So what are the pros and cons with this option?

On the positive side, Microsoft would recommend this way, it’s fully supported, and offers the richest user experience. Users will have the OneDrive access in Explorer that they are used to, and you can do all sorts of things around single sign-on, Known Folder Move and tenant restrictions by using the OneDrive GPOs.

But on the flip side, this is a little bit limited. It requires Server 2019 if you’re on RDSH, it isn’t suitable for multiple concurrent sessions (to be honest, it’s pretty much aimed at desktop resources only), because it uses the Sync Client anyone with CIS hardening GPOs won’t be able to use it, and there is always the problem that users could still download huge files into the cache and bloat the FSLogix profile. Don’t forget, FSLogix containers don’t automatically shrink once files are removed from them – they add state only. So if a user was to download a 20GB file and it is then “dehydrated” out of the cache, that 20GB would still be committed to the file store. A shrink maintenance script (such as this one from Jim Moyle) would need to be run after the user had logged out to actually reclaim the space. There’s nothing to say this isn’t achievable, but it takes a little bit of the slickness out of the option.

Summary of option #1

Process
  • Install OneDrive Sync Client
  • Install FSLogix Profile Container or Office Container with OneDrive option configured
  • Configure GPOs for OneDrive and Storage Sense with Files On-Demand and dehydration settings configured
Considerations
  • Familiar user experience
  • Straightforward setup process
  • Fully supported by Microsoft
  • Requires Server 2019 or 1709+ versions of Windows 10
  • Not suitable for concurrent or simultaneous sessions
  • Requires user access to the C: drive, so CIS hardening policies will render it unusable
  • Caches files into the container, which requires additional storage
  • “Dehydrated” files will need to have the storage space reclaimed via a maintenance script

Option #2 – hack it with WebDAV

If you’re unable to do the “Microsoft” way because of any of the reasons mentioned above, you can try to sling it together using the old WebDAV protocol (Web Distributed Authoring and Versioning). I know a lot of people have a visceral fear of WebDAV, mainly because they fear slow performance and Microsoft withdrawing support for it, but I recently put this into a customer environment and for their purposes (a pure published apps estate) it worked pretty much perfectly. The best benefit for Citrix Virtual Apps or other similar environments is that we are creating an “online” connection through Windows Explorer – which means there is no storage overhead whatsoever.

The fly in the ointment is that the user needs to authenticate and save their authentication credentials into their user session to be able to access this. If you’ve got profile management in place that can grab these credentials, and the users have accessed OneDrive via the web browser previously, you should be good to go, but if not, you will have to convince them to log in and then capture the settings.

If you’re using the likes of FSLogix Profile Container then the fact that you capture pretty much everything should be good (if you’re using Office Container there is an option called IncludeOfficeActivation which will help). Other profile management tools will need to be configured to capture these areas:

  • %LOCALAPPDATA%\Microsoft\Office
  • HKCU\Software\Microsoft\Office

This should ensure that the authentication tokens persist.

To get the users to authenticate, there are a number of ways you could skin this, and one of the easiest ones I found was to present them with an application or pop-up dialog that requires them to log in to their OneDrive. You can literally point them straight to the Sharepoint root of your site – so here’s an example, my Sharepoint address is jamesrankin-my.sharepoint.com, so sending users to this location should allow them to log in and authenticate into their OneDrive correctly.

However, in order to then be able to automatically present them with their OneDrive folder, we need to do quite a bit of work. Many online guides simply suggest getting the user to log in via the web, choose the “open in File Explorer” option and then manually map it as a Network Location, but this is a lot of hard work for your average user. If we could do this automatically and have the user’s folder presented without any interaction on their end, we’d be onto a winner.

Preparation

There are a number of changes you need to put into your base image build in order to support this method.

Firstly, if you’re on a Server OS, ensure that Internet Explorer Enhanced Security Config is turned off for your users.

Next, you need to enable WebDAV. On older server operating systems this was just a case of making sure that the WebClient service was started, but on newer server OSes it isn’t even installed by default. On Windows 10 or Win10 MU, though, it is installed by default, you just need to set the service to Automatic startup. For Server 2012 and 2012 R2, you normally had to add the “Desktop Experience” feature to get the WebClient service up and running. For Server 2016 and 2019, you need to install the “WebDAV Redirector” either through Server Manager

or from PowerShell with this code:

Install-WindowsFeature WebDAV-Redirector -Restart

Once this is done, you will find the WebClient service is now installed. The WebClient service should show as Automatic (Trigger Start) and be running. It would be a good idea to set a GPO or GPP to enforce this.

Now you will need to find the base name of your Sharepoint site that hosts all of your user OneDrive instances. My own personal site is jamesrankin-my.sharepoint.com and it is usual to find names in this format. They should all have a sharepoint.com address of some sort. You will need this address on a few occasions in this process, so make a note of it!

You first need to make sure that your site address is added to the Trusted Sites list in your browser settings for Internet Explorer. The easiest way to do this is via the GPOs in Admin Templates | Windows Components | Internet Explorer | Internet Control Panel | Security page, using Site to zone assignment list. This GPO appears in both Computer and User Config settings so it is probably easier to use the Computer side (and better for your GPO processing efficiency). Add both the name-my.sharepoint.com address and also just name.sharepoint.com as below.

Also configure some other GPOs at this time. In Computer/User Config | Admin Templates | Windows Components | Internet Explorer | Internet Control Panel | Security | Trusted Sites Zone make sure that the option Logon options is set to Automatic logon with current username and password.

We also need to make sure that the pop-up blocker is turned off. This setting is in the same set of GPOs (that for the Trusted Sites Zone) and is called Use Pop-up blocker. Enable it and switch it to Disable as below.

There is a “whitelist” option for pop-ups rather than allowing the entire zone to run them that you could use instead – Computer Config | Admin Templates | Windows Components | Internet Explorer | Pop-up allow list

Moving back to Computer/User Config | Admin Templates | Windows Components | Internet Explorer | Internet Control Panel | Security | Trusted Sites Zone, the next setting we need to configure is Turn on Protected Mode. This needs to be Enabled and set to Disable as below.

We also need to do a couple of bits of configuration for the WebClient service. Configure a Computer Group Policy Preferences item to write the Registry values shown below.

  • Key – HKLM\System\CurrentControlSet\Services\WebClient\Parameters
  • Name – AuthForwardServerList
  • Type – REG_MULTI_SZ
  • Value – as below (change as appropriate)

Also in the same key, add a DWORD value called SupportLocking and set this to 0 as below.
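The WebClient part of the preparation above, done directly from PowerShell on the image instead of through a GPP item, as an added example that is not the article's own code. It writes AuthForwardServerList with both of the article's tenant addresses (substitute your own), sets SupportLocking to 0, makes the service start automatically, and then reports the prerequisites in one table so you can confirm the build before pushing it out. It assumes Install-WindowsFeature WebDAV-Redirector has already been run on Server 2016/2019 and that the script runs elevated.

```powershell
# Added example (not the article's code): apply the WebClient settings from the preparation
# steps and report the WebDAV prerequisites. Assumes an elevated session on the image and
# that the WebDAV-Redirector feature is already installed on Server OSes.
# Replace the two tenant hosts below (the article's) with your own.

$TenantHosts     = @('https://jamesrankin-my.sharepoint.com', 'https://jamesrankin.sharepoint.com')
$WebClientParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'

function Set-WebClientParameters {
    param([Parameter(Mandatory)][string[]]$AuthForwardServerList)
    New-Item -Path $WebClientParams -Force | Out-Null
    # AuthForwardServerList limits which servers the redirector will forward the user's
    # Windows credentials to automatically; one URL per entry (REG_MULTI_SZ), nothing else
    Set-ItemProperty -Path $WebClientParams -Name 'AuthForwardServerList' -Value $AuthForwardServerList -Type MultiString
    # SupportLocking = 0, as the article's preparation step specifies
    Set-ItemProperty -Path $WebClientParams -Name 'SupportLocking' -Value 0 -Type DWord
}

function Test-WebDavPrerequisites {
    $results = @()
    # Get-WindowsFeature only exists on Server; on Windows 10 the WebClient is built in
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $results += [pscustomobject]@{ Check = 'WebDAV-Redirector feature installed'; Value = (Get-WindowsFeature WebDAV-Redirector).Installed }
    }
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'WebClient service present';  Value = [bool]$svc }
    $results += [pscustomobject]@{ Check = 'WebClient running';          Value = ($svc -and $svc.Status -eq 'Running') }
    $results += [pscustomobject]@{ Check = 'WebClient start type';       Value = $(if ($svc) { $svc.StartType } else { 'n/a' }) }
    $p = Get-ItemProperty -Path $WebClientParams -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'AuthForwardServerList';      Value = ($p.AuthForwardServerList -join '; ') }
    $results += [pscustomobject]@{ Check = 'SupportLocking';             Value = $p.SupportLocking }
    $results
}

Set-WebClientParameters -AuthForwardServerList $TenantHosts
Set-Service -Name WebClient -StartupType Automatic
Restart-Service -Name WebClient
Test-WebDavPrerequisites | Format-Table -AutoSize
```

Keeping AuthForwardServerList to the two tenant hosts is the security point here: the WebClient service will hand the user's credentials to any server in that list, so it should only ever contain your own SharePoint addresses, not a wildcard for the whole of sharepoint.com.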

Once this is done, we can now move on to getting the user’s details and authentication sorted.

User details

If you log in to your OneDrive through the web, have a look at the address bar and see what format the path is in. Here’s an example from my own tenant. Have a look at the highlighted section.

This is basically my Office365 email address with the periods (.) and @ symbols replaced with underscores. Some tenants may have this slightly differently – the format may be the UPN instead, so username@domain.com with the same replacement applied (so it would show as username_domain_com). Whichever it is (it is usually the email address), we will need to pull this detail out of the user details and format it correctly. So for my tenant, we need to pull the email address from the AD user details, and parse it into the format that OneDrive uses.

The PowerShell below can be used to do this, but don’t forget you need to substitute in the name of your Sharepoint site (with the -my in the name, if it is in that format). It also sets the path to the OneDrive as a variable when it finishes.

# Look up the current user's mail attribute in AD (no RSAT module needed)
$searcher = [adsisearcher]"(samaccountname=$ENV:USERNAME)"
$email = $searcher.FindOne().Properties.mail
# OneDrive's personal site name is the address with @ and every . replaced by underscores
$intermediate = "$email".replace("@","_")
$OneDrivePathVar = "$intermediate".replace(".","_")

# Substitute your own -my.sharepoint.com host name here
$FolderLocation="\\jamesrankin-my.sharepoint.com@SSL\DavWWWRoot\personal\$OneDrivePathVar\documents"

# Saved at User scope so it is kept by the profile solution and survives into later sessions
[Environment]::SetEnvironmentVariable("OneDriveUserPath", "$FolderLocation", 'User')

If you run this code at logon, we should have the UNC OneDrive path successfully set as a variable within the user session. If your OneDrive uses the UPN format rather than the email format, this code is much simpler: you just need to parse the output from whoami, so you can do it from batch rather than PowerShell.

@echo off

REM whoami /upn prints user@domain; split on @ to get the account and the domain
for /f "tokens=1,2 delims=@" %%a in ('whoami /upn') do set username=%%a& set domain=%%b
REM Split the domain on the period. This assumes a two-label domain (example.com);
REM a domain with more labels (example.co.uk) needs extra tokens handling here
for /f "tokens=1,2 delims=." %%a in ('echo %domain%') do set domain1=%%a& set domain2=%%b
set OneDriveUserPath=\\jamesrankin-my.sharepoint.com@SSL\DavWWWRoot\personal\%username%_%domain1%_%domain2%\documents
REM "set" only lasts for this process; setx writes it to the user's environment so it persists
setx OneDriveUserPath "%OneDriveUserPath%" >nul

Ideally you should run the relevant piece of code as part of a logon script or Scheduled Task that executes after the user logon. As long as we get the environment variable set somehow, this bit is covered. You don’t need to run this every time a user logs on – one time only to set and save the environment variable will do.
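A single logon routine covering both of the formats above, added here as an example and not taken from the article. It generalizes the two scripts: it takes either the mail attribute or the UPN (the -UseUpn switch is a name chosen here), replaces every @ and . with an underscore so domains with more than two labels (user@sub.example.co.uk) come out right, and tests that the WebDAV path resolves before saving the variable, so a wrong identity format shows up in the logon log rather than as a dead folder in Explorer. The tenant host is the article's; change it.

```powershell
# Added example (not from the article): build and persist OneDriveUserPath for the
# current user, from either the mail attribute or the UPN. -UseUpn and the function
# names are choices made here; the tenant host is the article's, replace it.

param(
    [string]$SharePointHost = 'jamesrankin-my.sharepoint.com',
    [switch]$UseUpn
)

function ConvertTo-OneDrivePersonalPath {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$SharePointHost
    )
    # OneDrive's personal site name is the identity with '@' and every '.' turned into '_';
    # a regex replace handles any number of labels, unlike the two-token batch version
    $siteName = $Identity -replace '[@.]', '_'
    "\\$SharePointHost@SSL\DavWWWRoot\personal\$siteName\documents"
}

function Get-UserIdentity {
    param([switch]$Upn)
    # Same ADSI lookup as the article's script, so no RSAT module is required on the host
    $searcher = [adsisearcher]"(samaccountname=$env:USERNAME)"
    $result = $searcher.FindOne()
    if (-not $result) { throw "No AD account found for $env:USERNAME" }
    $attr  = if ($Upn) { 'userprincipalname' } else { 'mail' }
    $value = [string]($result.Properties[$attr] | Select-Object -First 1)
    if (-not $value) { throw "Attribute '$attr' is empty for $env:USERNAME; check the account" }
    $value
}

$identity = Get-UserIdentity -Upn:$UseUpn
$path     = ConvertTo-OneDrivePersonalPath -Identity $identity -SharePointHost $SharePointHost

# Test-Path through the WebClient redirector only succeeds once the user has authenticated
# (see the Authentication step), so treat a miss as a warning rather than a hard failure
if (-not (Test-Path -LiteralPath $path)) {
    Write-Warning "$path is not reachable yet (user not authenticated, or wrong identity format)"
}
[Environment]::SetEnvironmentVariable('OneDriveUserPath', $path, 'User')
Write-Output "OneDriveUserPath = $path"
```

Run it as the logon script or scheduled task the paragraph above describes; the warning line is what to grep for in the logon log when a user reports an empty OneDrive folder, as it separates "never authenticated" from "tenant uses the other identity format".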

Authentication

This is the real trick – getting the user to authenticate. There are a number of ways you could do this, and it generally only needs to be done once. I’ve seen environments where they’ve had a “OneDrive Authentication” published app that the users need to run which simply presents a browser window for them to log on to Sharepoint, and I’ve also seen published desktops popping up a browser window at first logon for them to authenticate to. Obviously, there needs to be a profile management solution in place to save the logon credentials as well, and identifying which users have actually successfully logged on and authenticated can be a bit tricky. Personally, I prefer to have a “OneDrive Authentication” published app that the users can launch – that way they only run it when necessary, and if the authentication starts failing they can easily do it again.

Internet Explorer, for some reason, is the best browser to present to get the authentication done. Point it to the root of your sharepoint site (so in my case https://jamesrankin-my.sharepoint.com).

Once the users have run it and logged in, it should save their credentials (it’s also important to note that if they get the option to “stay signed in?”, they should select Yes). If there’s MFA at this point, it will behave as normal.

Once these creds are saved into the profile solution, this now means that when the user opens a new session, the access to the OneDrive should be available as a variable – they can simply type %OneDriveUserPath% into the address bar and they will be able to access an online folder with their OneDrive data in it.

However – how can we present this a bit more nicely? Well, if you think back to my article on network drive mappings, remember that we discussed adding some Registry values that added folders into the Explorer view? We can simply leverage that – all I’ve done is add a OneDrive icon to the build that I can use, and substituted the FolderLocation variable for the OneDriveUserPath environment variable. Again, you just need to get the user to run this once, as the settings will be saved into their profile and persisted.

# Editable values (change as required)

$FolderName="OneDrive - james-rankin.com"
$FolderLocation="$ENV:OneDriveUserPath"
$FolderHint="User's OneDrive documents"
$FolderIcon="C:\windows\system32\OneDrive.ico"

# Variables

# A fresh CLSID for our namespace extension; every per-user key below hangs off it
$MYCLSID=$([guid]::NewGuid().ToString("B").ToUpper())
$HKCU_CLSID="HKCU:\Software\Classes\CLSID\$MYCLSID"
# Per-user COM registrations seen by 32-bit processes live under Software\Classes\WOW6432Node
# (not Software\WOW6432Node\Classes), so 32-bit published apps only see the folder if it is written here
$HKCU_WOW6432Node_CLSID="HKCU:\Software\Classes\WOW6432Node\CLSID\$MYCLSID"

# Native registry view (the only view on a 32-bit OS)

New-Item -Path $HKCU_CLSID -Force
Set-ItemProperty -Path $HKCU_CLSID -Name "(Default)" -Value $FolderName
Set-ItemProperty -Path $HKCU_CLSID -Name "InfoTip" -Value $FolderHint
# If you wish the shortcut to appear in "Network Locations" rather than "Folders", change the following value to 9 instead of 3
Set-ItemProperty -Path $HKCU_CLSID -Name "DescriptionID" -Value 3 -Type DWord
Set-ItemProperty -Path $HKCU_CLSID -Name "System.IsPinnedToNameSpaceTree" -Value 1 -Type DWord
Set-ItemProperty -Path $HKCU_CLSID -Name "SortOrderIndex" -Value 48 -Type DWord

New-Item -Path $HKCU_CLSID\DefaultIcon
Set-ItemProperty -Path $HKCU_CLSID\DefaultIcon -Name "(Default)" -Value $FolderIcon

# shdocvw.dll hosts the shell's generic folder shortcut object that we are instantiating
New-Item -Path $HKCU_CLSID\InProcServer32
Set-ItemProperty -Path $HKCU_CLSID\InProcServer32 -Name "(Default)" -Value "shdocvw.dll"
Set-ItemProperty -Path $HKCU_CLSID\InProcServer32 -Name "ThreadingModel" -Value "Both"

New-Item -Path $HKCU_CLSID\Instance
Set-ItemProperty -Path $HKCU_CLSID\Instance -Name "CLSID" -Value "{0afaced1-e828-11d1-9187-b532f1e9575d}"

# Target is an expandable string so %OneDriveUserPath% can be resolved per user at run time
New-Item -Path $HKCU_CLSID\Instance\InitPropertyBag
Set-ItemProperty -Path $HKCU_CLSID\Instance\InitPropertyBag -Name "Attributes" -Value 15 -Type DWord
Set-ItemProperty -Path $HKCU_CLSID\Instance\InitPropertyBag -Name "Target" -Value $FolderLocation -Type ExpandString

# Property sheet tabs shown on the folder's Properties dialog
New-Item -Path $HKCU_CLSID\ShellEx
New-Item -Path $HKCU_CLSID\ShellEx\PropertySheetHandlers
New-Item -Path "$HKCU_CLSID\ShellEx\PropertySheetHandlers\tab 1 general"
Set-ItemProperty -Path "$HKCU_CLSID\ShellEx\PropertySheetHandlers\tab 1 general" -Name "(Default)" -Value "{21b22460-3aea-1069-a2dc-08002b30309d}"
New-Item -Path "$HKCU_CLSID\ShellEx\PropertySheetHandlers\tab 2 customize"
Set-ItemProperty -Path "$HKCU_CLSID\ShellEx\PropertySheetHandlers\tab 2 customize" -Name "(Default)" -Value "{ef43ecfe-2ab9-4632-bf21-58909dd177f0}"
New-Item -Path "$HKCU_CLSID\ShellEx\PropertySheetHandlers\tab 3 sharing"
Set-ItemProperty -Path "$HKCU_CLSID\ShellEx\PropertySheetHandlers\tab 3 sharing" -Name "(Default)" -Value "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
New-Item -Path "$HKCU_CLSID\ShellEx\PropertySheetHandlers\tab 4 security"
Set-ItemProperty -Path "$HKCU_CLSID\ShellEx\PropertySheetHandlers\tab 4 security" -Name "(Default)" -Value "{1f2e5c40-9550-11ce-99d2-00aa006e086c}"

New-Item -Path $HKCU_CLSID\ShellFolder
Set-ItemProperty -Path $HKCU_CLSID\ShellFolder -Name "Attributes" -Value 0xf080004d -Type DWord
Set-ItemProperty -Path $HKCU_CLSID\ShellFolder -Name "WantsFORPARSING" -Value ""
Set-ItemProperty -Path $HKCU_CLSID\ShellFolder -Name "HideAsDeletePerUser" -Value ""

# WOW6432Node view (64-bit OS only), so 32-bit published apps get the same folder

if ([Environment]::Is64BitOperatingSystem) {
    New-Item -Path $HKCU_WOW6432Node_CLSID -Force
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID -Name "(Default)" -Value $FolderName
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID -Name "InfoTip" -Value $FolderHint
    # If you wish the shortcut to appear in "Network Locations" rather than "Folders", change the following value to 9 instead of 3
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID -Name "DescriptionID" -Value 3 -Type DWord
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID -Name "System.IsPinnedToNameSpaceTree" -Value 1 -Type DWord
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID -Name "SortOrderIndex" -Value 48 -Type DWord

    New-Item -Path $HKCU_WOW6432Node_CLSID\DefaultIcon
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID\DefaultIcon -Name "(Default)" -Value $FolderIcon

    New-Item -Path $HKCU_WOW6432Node_CLSID\InProcServer32
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID\InProcServer32 -Name "(Default)" -Value "shdocvw.dll"
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID\InProcServer32 -Name "ThreadingModel" -Value "Both"

    New-Item -Path $HKCU_WOW6432Node_CLSID\Instance
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID\Instance -Name "CLSID" -Value "{0afaced1-e828-11d1-9187-b532f1e9575d}"

    New-Item -Path $HKCU_WOW6432Node_CLSID\Instance\InitPropertyBag
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID\Instance\InitPropertyBag -Name "Attributes" -Value 15 -Type DWord
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID\Instance\InitPropertyBag -Name "Target" -Value $FolderLocation -Type ExpandString

    New-Item -Path $HKCU_WOW6432Node_CLSID\ShellEx
    New-Item -Path $HKCU_WOW6432Node_CLSID\ShellEx\PropertySheetHandlers
    New-Item -Path "$HKCU_WOW6432Node_CLSID\ShellEx\PropertySheetHandlers\tab 1 general"
    Set-ItemProperty -Path "$HKCU_WOW6432Node_CLSID\ShellEx\PropertySheetHandlers\tab 1 general" -Name "(Default)" -Value "{21b22460-3aea-1069-a2dc-08002b30309d}"
    New-Item -Path "$HKCU_WOW6432Node_CLSID\ShellEx\PropertySheetHandlers\tab 2 customize"
    Set-ItemProperty -Path "$HKCU_WOW6432Node_CLSID\ShellEx\PropertySheetHandlers\tab 2 customize" -Name "(Default)" -Value "{ef43ecfe-2ab9-4632-bf21-58909dd177f0}"
    New-Item -Path "$HKCU_WOW6432Node_CLSID\ShellEx\PropertySheetHandlers\tab 3 sharing"
    Set-ItemProperty -Path "$HKCU_WOW6432Node_CLSID\ShellEx\PropertySheetHandlers\tab 3 sharing" -Name "(Default)" -Value "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
    New-Item -Path "$HKCU_WOW6432Node_CLSID\ShellEx\PropertySheetHandlers\tab 4 security"
    Set-ItemProperty -Path "$HKCU_WOW6432Node_CLSID\ShellEx\PropertySheetHandlers\tab 4 security" -Name "(Default)" -Value "{1f2e5c40-9550-11ce-99d2-00aa006e086c}"

    New-Item -Path $HKCU_WOW6432Node_CLSID\ShellFolder
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID\ShellFolder -Name "Attributes" -Value 0xf080004d -Type DWord
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID\ShellFolder -Name "WantsFORPARSING" -Value ""
    Set-ItemProperty -Path $HKCU_WOW6432Node_CLSID\ShellFolder -Name "HideAsDeletePerUser" -Value ""
}

# Add to explorer (user paths)

New-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer -ErrorAction SilentlyContinue
New-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace -ErrorAction SilentlyContinue
New-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\$MYCLSID

# Restart explorer (user only) so the new namespace entry is picked up

Stop-Process -ProcessName explorer

Some notes on this. If you’re running it on older operating systems like 2008 R2 or Windows 7, you may need to create the CLSID Registry keys explicitly as part of the script, as they may not exist by default. Also, if you’re publishing 32-bit apps, if (like I did) you put the icon it’s using into the \windows\system32 folder, don’t forget to copy it to the \windows\syswow64 folder as well.

You don’t have to use a folder embedded into Explorer like this – you can simply create a shortcut on the desktop, or make a Network Location, map a drive – or even redirect your Documents folder to it. As long as they point to the %OneDriveUserPath% variable and the user has previously authenticated, you will be good. I prefer embedding into Explorer because you can customize the icon, but pick whichever method is best for your own environment.

Here’s my embedded folder, which always takes me to the OneDrive folder no matter what server I hit or how many times I log in and out.

Just a couple of things to mention – in some environments, user authentication may expire after a certain period of time. You may want to look at your security settings, Azure config and proxy servers in this case. If you do get this problem, you will simply see your entry points to the OneDrive folder become inaccessible and unresponsive.

There is a script out there called OneDriveMapper which can keep checking the authentication status for you if it runs in the background (this script does a lot of what I’ve manually set, to be honest – wish I’d unpicked it earlier!) However, as it has to run constantly it looks a little bit messy which is why I opted to do it the “manual” way instead. But if you are having problems with the authentication sticking, this might be a solution you can use.

Pros and cons wise, I’ve deployed this method a few times already and although it can be a pain to set up, once set up it works effectively. I’ve even done it on very old OSes (back to Windows Server 2003) and it works well. If you’re blocking access to the C: drive, this makes a lot of sense, and you don’t need any storage uplift at all because you’re not caching anything. On the flip side, proxy servers and security settings can sometimes make this a bit twitchy (although if you put in enough effort, you can usually overcome the issues), and there is that little bit of spectre about Microsoft possibly pulling WebDAV support from OneDrive (although there are many things that have been rumoured in this way, and not yet come to pass).

Summary of option #2

Process
  • Deploy profile management solution (such as FSLogix Profile Containers) that captures required settings
  • Turn off IE Enhanced Security Configuration
  • Enable WebDAV (process dependent on OS)
  • Ensure WebClient service is automatically started
  • Find base name of Sharepoint site
  • Add site to Trusted Sites
  • Set automatic logon for Trusted Sites zone
  • Turn off pop-up blocker for site or zone
  • Turn off Protected Mode in IE for zone
  • Set AuthForwardServerList registry value
  • Set SupportLocking registry value
  • Set script to pull either email address or UPN and format environment variable for OneDrive path
  • Publish authentication app
  • Get users to run authentication app
  • Publish shortcut, folder, network location or drive mapping into user profile that points to OneDrive path variable
Considerations
  • Works on all operating systems (have tested as far back as Server 2003)
  • No storage overhead – online connection
  • Straightforward user experience
  • Works perfectly with CIS hardening policies
  • No cost
  • Fairly complex setup process
  • Users need to authenticate manually on at least one occasion
  • Sometimes timeouts can cause issues requiring re-authentication
  • Microsoft may remove WebDAV support in OneDrive in future
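The machine-side and user-side steps from the process list above, gathered into one PowerShell script as an added example (this is not the post’s own script, which appears earlier in the article). It assumes a placeholder tenant base name of contoso, takes the SupportLocking value as 0 because the post does not state it, and uses the variable name OneDriveUserPath; the IE zone, Protected Mode and pop-up settings are left to GPO as the list describes.

```powershell
# Added example, not the original post's script. Collects the WebClient-side
# steps of option #2: service startup, AuthForwardServerList, SupportLocking,
# and the per-user OneDrive path variable derived from the UPN.
# Assumptions/placeholders: tenant base name 'contoso' (replace with the base
# name of your own SharePoint site), SupportLocking = 0, variable OneDriveUserPath.

$WebClientParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'

function Set-WebDavPrerequisites {
    # Run once, elevated, in the base image.
    param([Parameter(Mandatory)] [string] $TenantBaseName)

    # Explorer cannot resolve a \\host@SSL\DavWWWRoot path unless WebClient is running.
    Set-Service -Name WebClient -StartupType Automatic
    Start-Service -Name WebClient

    # AuthForwardServerList (REG_MULTI_SZ) names the servers to which WebClient may
    # forward the logged-on user's credentials. Scope it to this tenant's hosts
    # rather than a wildcard over all of sharepoint.com.
    $allowedHosts = @(
        "https://$TenantBaseName-my.sharepoint.com",
        "https://$TenantBaseName.sharepoint.com"
    )
    if (-not (Test-Path $WebClientParams)) { New-Item -Path $WebClientParams -Force | Out-Null }
    Set-ItemProperty -Path $WebClientParams -Name AuthForwardServerList `
        -Value $allowedHosts -Type MultiString

    # SupportLocking (REG_DWORD). The post does not state the value; 0 (WebDAV file
    # locking disabled) is assumed here, the usual setting for SharePoint libraries.
    Set-ItemProperty -Path $WebClientParams -Name SupportLocking -Value 0 -Type DWord
}

function Get-OneDriveUserPath {
    # Builds both forms of a user's OneDrive personal library path.
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [string] $TenantBaseName
    )
    # OneDrive names the personal site from the UPN with '.' and '@' turned into '_',
    # e.g. jane.doe@contoso.com -> jane_doe_contoso_com
    $siteUser = $Upn.Trim().ToLowerInvariant() -replace '[.@]', '_'
    [pscustomobject]@{
        Url = "https://$TenantBaseName-my.sharepoint.com/personal/$siteUser/Documents"
        # UNC form the WebClient redirector understands; this is what a drive
        # mapping or Explorer folder points at under the hood.
        Unc = "\\$TenantBaseName-my.sharepoint.com@SSL\DavWWWRoot\personal\$siteUser\Documents"
    }
}

function Set-OneDriveUserPathVariable {
    # Run in the user's session at logon (logon script or profile tool).
    param([Parameter(Mandatory)] [string] $TenantBaseName)

    # Take the UPN from the logon token (whoami /upn) rather than from a
    # user-editable attribute, so nothing the user can change steers the path.
    $upn = (whoami /upn) -join ''
    if (-not $upn -or $upn -notmatch '^[^@\s]+@[^@\s]+$') {
        throw "Could not read a UPN for the current user; got '$upn'."
    }
    $paths = Get-OneDriveUserPath -Upn $upn -TenantBaseName $TenantBaseName

    # Persist for the user so shortcuts and drive mappings can reference
    # %OneDriveUserPath%, and set it in this process for immediate use.
    [Environment]::SetEnvironmentVariable('OneDriveUserPath', $paths.Unc, 'User')
    $env:OneDriveUserPath = $paths.Unc
    return $paths
}

function Test-WebDavPrerequisites {
    # Quick audit of the machine-side state; Get-WmiObject is used so the check
    # also runs on the older Windows PowerShell versions found on old session hosts.
    $svc   = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $props = Get-ItemProperty -Path $WebClientParams -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WebClientAutomatic    = ($null -ne $svc -and $svc.StartMode -eq 'Auto')
        WebClientRunning      = ($null -ne $svc -and $svc.State -eq 'Running')
        AuthForwardListSet    = [bool]($props.AuthForwardServerList)
        SupportLockingDefined = ($null -ne $props.SupportLocking)
    }
}

# Usage:
#   Set-WebDavPrerequisites -TenantBaseName 'contoso'      # once, in the image
#   Test-WebDavPrerequisites                               # verify the image
#   Set-OneDriveUserPathVariable -TenantBaseName 'contoso' # per user, at logon
```

Set-WebDavPrerequisites belongs in the image build and Set-OneDriveUserPathVariable in the logon sequence. The audit function is worth running when an authentication prompt reappears, because a stopped WebClient service or a cleared AuthForwardServerList shows up to the user in the same way as an expired token: a path that will not open.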

Option #3 – CloudDriveMapper

Now, if you’re wanting to go the “online” route specified in this second option, but you’re concerned about authentication issues and/or support, there is a third possibility.

CloudDriveMapper is a simple yet effective product that allows users to authenticate and access a mapped drive to their OneDrive folder. It runs as an Azure enterprise app, so you will need to integrate it with your tenancy. Once you start the app, it is ridiculously simple to set up your requirements.

Once you’ve selected your requirements as above, it will automatically generate a license key and prompt you to download the CloudDriveMapper client software. As soon as you’ve made a note of the license, you can then perform the installation in the usual manner for your environment.

Obviously, you will need to somehow auto-launch the CloudDriveMapper application when your users log in to either their desktops or applications. It drops an entry into the Run area of the HKLM Registry pointing to C:\Program Files\IAM Cloud\Cloud Drive Mapper\CloudDriveMapper.exe – there are many other ways that you could trigger this on a more granular basis for your environment.

Now when the user logs in, they will see a prompt for authentication (essentially what we were doing with the published app in option #2, but much slicker).

The user simply needs to enter their email address, followed by the usual prompts for password and/or MFA.

Next we see the drive being mapped.

And that’s all there is to it! If you open Explorer, you now have the specified drive mapped, nice and easy.

Because this points to the same UNC path under the hood as we did in option #2, this actually means you could have it as an integrated Explorer folder with a custom icon rather than a mapped drive. You would simply configure a GPO to hide the letter of the CloudDriveMapper drive, and then add the folder through PowerShell in the same way as we did earlier. What is different now is that CloudDriveMapper is handling all of the integrated authentication and the reauthentication if the connection drops, so it’s a much more seamless experience for your users.

Needless to say, CloudDriveMapper works perfectly across multiple sessions, although obviously you need to persist the user profile in order for their settings to roam.

CloudDriveMapper is without a doubt the slickest option, and even though it currently uses WebDAV, it will soon be moving to a native API, which means that if Microsoft kill WebDAV support in OneDrive, you should still be good. It doesn’t need any storage, it works perfectly with CIS hardening policies, it works on older operating systems (I tested on 2008 R2, but it may well work on older ones), and it handles the authentication piece in a far more user-friendly fashion. Of course – the flip side is that it requires an outlay for licenses, but if you measure that against what you’re potentially saving in storage from caching requirements, you might find it could possibly pay for itself.

You can go and test CloudDriveMapper by heading over to their website here – don’t forget to tell them I sent you 😉

Summary of option #3

Process
  • Obtain CloudDriveMapper account
  • Set up options in cloud portal
  • Copy license key
  • Install agent into base image
  • Ensure CloudDriveMapper runs automatically in user session
Considerations
  • Simple setup
  • Resolves any authentication issues
  • Slick interface
  • Requires no storage
  • Works on older operating systems
  • Works perfectly with CIS hardening policies
  • No long-term reliance on WebDAV
  • Requires outlay for licenses

Summary

In a VDI or RDSH world, it probably doesn’t make a lot of sense to be using lots of disk space for OneDrive cache. As these virtualized apps and desktops rely on online capability, what’s the point of having local caches of user documents? There may be a performance aspect to this, but I think that is unlikely to be a common consideration.

You can use any of the methods specified here to reduce your reliance on OneDrive cached storage whilst still providing a familiar way for your users to access files and data. Obviously Microsoft would prefer you to use the first option, but a) it won’t work if the C: drive is blocked, and Microsoft have categorically stated they won’t fix this, and b) you’d still need to configure maintenance scripts to prune and shrink the caches in the containers. Option 2 gives you a no-cost but possibly slightly unreliable way to map into a folder for OneDrive access, whereas option 3 involves a little bit of expenditure but gives you reliability and slickness in return for your outlay.

I’m in the process of recommending each of these methods in various different customer environments where there are different appetites to change and risk. The value that they bring in terms of storage saving is a real boon – if the same applies to you, it’s really worth doing the exploration to see if you can use one of these methods too.

I probably should mention that you can leverage tools like Citrix Sharefile and Ivanti File Director to achieve functionality like this as well. In fact, I remember when File Director was called AppSense DataNow, they actually were on top of this problem way ahead of it coming to prominence – but I don’t think they marketed it particularly well, unfortunately.

Stay tuned for some videos at the end of this week, and new articles covering another episode of logon times fun and some Teams optimization settings.


64 comments

  1. Have you been thinking of mixing option #1 and option #3?
    So users that sometimes run a published desktop have the full rich OneDrive experience, and when they use published applications have access to OneDrive through the mapped drive?

    For option #3, is there a way to get SSO without the users having to sign in, assuming MFA is not enabled?

    1. Like I said, you could easily mash up your own hybrid version, sure.

      Unfortunately my tenant doesn’t support SSO so I couldn’t test this. I assume it would though. CloudDriveMapper support should be able to confirm easily enough.

    2. Yes. I’ve had a demo of it and CDM supports multiple SSO options so you don’t have to enter your 365 credentials at all.

  2. I am trying to find information about OneDrive and its use of WebDAV, and in particular the DavGetV2 method. Do you know about any resources that may be available for that?

  3. Have you tried co-joining the computers to Azure AD domain to enable SSO for OneDrive? It works without WebDAV or explicit credentials entry.

    1. It’s not SSO I have a problem with, all of my targets are Azure AD joined and the user still has to enter credentials at least once.

  4. Hi James,

    Great content! I have implemented option 1 as per your guide and I appear to be having a problem with Storage Sense Dehydration. OneDrive, Files on-demand and FSLogix 365 containers are working as expected. I have set storage sense to dehydrate files that have not been opened in 1 day. However, cached OneDrive files are not being dehydrated and released back to the cloud. Do you have any troubleshooting or ideas regarding this?

    Thanks

    1. Hmmm, I never had a problem with this. Anything in the event logs? Is the Storage Sense Scheduled Task running OK? If you configure other aspects of Storage Sense (like clearing Downloads), does that part work properly?

      1. Is dehydration dependent on users logging out? If they disconnect and the session gets reset would it still dehydrate?

        1. Very good question! I *believe* it is supposed to happen regardless of the session state, but I would put this to the test….

  5. Hello James,
    Thanks a lot for this very nice article!!

    I have one question, though and cannot find any reliable information elsewhere…

    Do you think it is OK to switch off Protected Mode for the Trusted Sites (or Intranet, see next question) zone?
    Would it be better security-wise to move the OneDrive/SharePoint sites to the Intranet zone and disable Protected Mode there?

    1. Absolutely fine IMHO to switch off Protected Mode for Trusted Sites, I don’t recall it ever being of benefit. These are Microsoft-managed sites – I’m pretty willing to trust them.

  6. Hi James,
    but the CloudDriveMapper solution will then also store some cache on the C: drive of your Citrix SBC server?
    Take for example a Word doc that you’re modifying in a Citrix session…
    Thanks for your nice article,
    Filip S.

    1. Well yes, but that’s just temp files, not a full cache as in a copy of the entire folder. The GPOs in question (the ones that restrict the C: drive) don’t stop processes (such as Word) from writing to the C: drive, they simply restrict a user’s ability to drill through them and view them using Explorer. So if you have the entire cache locally in the sync client, you can’t browse your own files, whereas with CloudDriveMapper the browsing is done on the “cloud” OneDrive and therefore the limited “caching” that is the writing of a temporary file in use by Office is completely allowed, as it should be.

  7. Hi James,

    With Citrix offering Citrix UPL as the replacement for UPD, would that not be an option? Looking at the blogs it says it’s supported, but when I’ve tried in practice OneDrive never works.

    1. You’d hit the same drawbacks as FSLogix I guess, and also you’d be tied to MCS or PVS on Windows 10 as those are the prerequisites for UPL to work.

  8. Hi James,

    Great article, and we are trying to get OneDrive working on Windows Server 2019 with Files On-Demand and using FSLogix profile containers and GPOs.

    It’s working, but we are finding that at random times, anywhere from 30 mins to 2 hours, there is a crash in shellexperiencehost.exe. There is another error for the user at exactly the same time relating to Cortana and searchui.exe.

    This only happens when OneDrive is installed. If we remove OneDrive from the build we do not get any more crashes. When it crashes the taskbar icons disappear and then come back but the start and search menus no longer function correctly.

    Have you seen/heard of this issue? We are running the latest sync client for OneDrive. I’ve also removed any antivirus to test, but still the same issue. The next test will just be to temporarily stop FSLogix to see if this is causing any issue or whether it is purely a OneDrive issue.

    Thanks,
    Steve

  9. Option #2, Set script to pull either email address or UPN and format environment variable for OneDrive path. I see the script there, where/how/when is this running?

    1. The first one is the one you need to capture (if using email as the path). The batch script is the one for UPN. The third PS script is only if you want to configure a special folder to access the path.

  10. Hello James, I chose option #1 without the FSLogix container solution. SSO to OneDrive, AllUser install, everything looks good. Files are synced on demand. The biggest drawback we have is the C: restriction. Is there any way to get the C: restriction working? Something like Ivanti File Director?

  11. James, the C: restriction can be overcome by redirecting OneDrive to a different persistent drive, and cleaning up the OneDrive folder on the persistent drive periodically.

    1. I’ve tried that, and it doesn’t work. Can you enlighten me how you redirected OneDrive to a different drive? Simply pointing it at D:, for instance, fails when running the initial OneDrive configuration.

    2. OK, I’ve retested, and now it works, which is extremely annoying. I can’t find anything in the OneDrive release notes to indicate when it changed. I’m going to test with FSLogix and a repointed secondary drive, just to see what the upshot is.

  12. Hello James, thank you for all the information you provide in your articles, it has been key to us getting up and running with FSLogix and OneDrive in Citrix.

    I had one question, just to confirm: Office Containers set to unique disk per session and to include the OneDrive data does not fix the issue of OneDrive not supporting multiple sessions from the same profile, correct?

    I was hoping that just enough of the users’ OneDrive info would be in the Office container that it would work, but from my testing it does not.

  13. Have you tested “Silently Move Windows Known Folders to OneDrive” yet?

    We enabled and configured it via GPO but it will not automatically start redirecting known folders to OneDrive for some reason. Works just fine if I open the settings>Backup tab>Manage backups and turn it on manually but for some reason I can’t get it to do this automatically.

    We do not have any Folder Redirection GPOs set either. I even went as far as creating a new fresh computer config GPO with all of our regular settings along with the OneDrive settings and it still won’t redirect automatically.

    Thanks!

    1. I’ve heard tell of people experiencing this problem. Delete the entire OneDrive configuration from the Registry and filesystem for the user and try it again.

      1. Thanks, for added context this is on a Server 2019 OS with the per-machine install of OneDrive.

        I did delete the HKCU OneDrive section and rebooted, but no luck.

  14. Thanks for a great post!

    We are using FSLogix and OneDrive with the Files On-Demand sync (option #1).
    But we have an issue, though, that some users in Citrix are choosing “Always keep on this device”.
    Do you know if it’s possible to disable that option for users?
    Because I think the files will not be removed to cloud-only with Storage Sense if the user has activated this on the OneDrive folder. Or should it work, do you know?

    1. I don’t think there’s a policy to do that – you could run a script to change the attributes on the files though maybe?

  15. Thanks for the great article!

    I have followed and implemented all steps for #2 and can access the SharePoint Site by putting %OneDriveUserPath% into the address bar and I did access the online folder with my SharePoint data in it. When I run the script to embed the folder to File Explorer, it does embed the folder but can’t see my SharePoint folders and data as I did when I used %OneDriveUserPath% … any insights?

    Regards,
    Abe

  16. Absolutely great article. This helped me a lot but I do not understand the OneDrive ‘multiple simultaneous connections’ issue.
    In what user scenario/behavior does this occur?
    Best regards,
    Simon

    1. If you have multiple published applications open on different servers, or multiple published desktops open, and they are all connecting to the same OneDrive account through the Sync Client.

      1. Hi James
        In a similar way to this request, I read above that with FSLogix use it should ‘technically’ work. Have you tested this yet so far?
        Is there any other official tool where it’s supported? Thinking of WEM?
        We are in the same struggle situation where the same user could launch 2 to 3 or even more published apps at the same time, and they need access to their data, which is via OneDrive.

        thanks
        eric

        1. The FSLogix approach would only work, and be supported, if you’re using diff disks. Otherwise it will get into a file sync nightmare.

          How would you do OneDrive with WEM?

          If I were you, I’d just use CloudDriveMapper or simply give them access to the OneDrive folder directly and remove the whole problem of synchronization. Much easier.

          1. Hi James

            Thanks for the prompt reply, much appreciated!
            We do have diff disk enabled within FSLogix with the profile type set to try for read-write profile and fall back to read-only. Being honest, we haven’t faced/tested this yet since I just noticed yesterday that from a published app OneDrive does not get launched, so I followed one of your articles and came to this one 🙂
            For WEM, I’m just asking if you ever tried it. We are highly thinking in the future to move to WEM completely.
            By direct OneDrive folder access, do you mean using the OneDrive sync client or following your guidance above to point OneDrive to the direct internet-facing one?
            Thanks!

  17. Evaluated all the options.
    1) OneDrive worked well; downside is it uses cache and would create service desk calls if there were sync issues, and uses storage space in the FSLogix profile. Also could potentially cause issues if users started to sync network drives/My Documents (not enough group policies to lock it down).
    2) Requires Internet Explorer, and for me required IE to be logged onto at every login to authenticate. (If we could get the auth automated this would have been the best.)
    3) Cloud Drive Mapper looked the best option out of all of them, but could not justify the cost.

    We went with secret option number 4 (do not install OneDrive): instruct the end users to use Teams, select Files > Cloud Storage > OneDrive, and access OneDrive files from there (no login), and all documents can be opened in the full desktop app.

    1. Sorry not sure what you mean. Does changing a Teams option mean you can then use the full OneDrive sync client? If so then how is the cache handled? Or are you saying changing a Teams option loads a direct OneDrive connection into Windows Explorer somehow? If it does, can you please elaborate?

  18. Hi James,

    We have done a migration of network drives to OneDrive and configured the OneDrive sync client in a Citrix environment using FSLogix. But we are using Windows Server 2016, so how can we handle the OneDrive sync caching, as we cannot use the Files On-Demand policy?

    1. Unfortunately on Server 2016 you either have to cache the entire OneDrive folder, or you have to move away from FSLogix and use a direct connection instead.

      1. We have a Citrix environment with roaming profiles.

        How can we cache the entire OneDrive folder without adding storage on the local C: drive?
        We have to use FSLogix as it’s a roaming profile server.

        1. You use Microsoft roaming profiles? The simple answer is move everything to FSLogix Profile Container, this will remove the roaming profile and cache OneDrive without requiring any local storage. Solving about a hundred problems at once.

          1. But we don’t want to replace our existing profile solution, UPM. So with the existing configuration, that is Windows Server 2016 and FSLogix Office Container, how can we cache the entire OneDrive folder?

          2. You said you were using roaming profiles, not UPM.

            With UPM, you don’t even need to use FSLogix. Just use the UPM container feature to capture the OneDrive folder. The latest version of UPM supports OneDrive caching.

  19. We have a Citrix environment with FSLogix O365 and OneDrive configured. SilentAccountConfig is set to 1, which means SSO and folder setup happen automatically. However, we have a problem with SSO intermittently. We have vhdmode set as 3, which will create a separate VHD when the user logs in to multiple sessions. We see SSO break mostly when a second simultaneous VDI is launched. Any thoughts?

  20. Hi James

    Another great article which we followed some time ago using option 1 and everything has been running absolutely fine for us with version 2022 build 22.045.0227.004. However, we’ve been trying to upgrade to any later version and run into this weird issue where for any new users/profiles, the OneDrive client now takes exactly 22 minutes to sign in the first time, whereas on the current version we have it signs in straight away. Once the newer version signs in, then it’s fine after that.

    Checked that all the relevant URLs and IP addresses (https://learn.microsoft.com/en-gb/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) are reachable. Ruled out FSLogix, Appsense and Citrix ICA as potential issues. Got a call logged with MS about it too, but so far they are drawing a blank. Wondered if it’s something you’ve come across at all?

    Thanks

    Phil

    1. Hi James

        Absolutely nothing. It’s mad. Hoping MS can help us out, otherwise we won’t be upgrading OneDrive any time soon!

        Cheers

        Phil

        1. Hi James,
          Does the MS announcement here regarding OneDrive with Citrix Seamless mode “https://www.tenforums.com/windows-10-news/198910-announcements-onedrive-files-experiences-microsoft-365-a.html” resolve this issue?

          Thanks
          Shaun

        2. Phil – it’s a year later and we are experiencing this issue after moving from Citrix on-prem to Cloud. The change is that we are now using Azure AD authentication and FAS with in-session certificate use enabled. OneDrive won’t consistently autostart, and when it does, it processes forever. Did you ever fix your issue?

  21. James,

    Have you seen this issue where, when you enable “Include OneDrive data” in the group policy, OneDrive doesn’t automatically sign on?

    Windows 2019 with Citrix 2203. FSLogix only for Outlook Cache and Ivanti EM for the rest (I know).
