Diagnostics
Written By Gregory Heath Kelly
The Scenario
During a migration from one Unified Endpoint Management (UEM) product to another, an existing user logs into their brand new Windows 10 machine for the first time. The administrator has set up the following OneDrive policies for them:
“(SilentAccountConfig) Silently sign in users to the OneDrive sync app with their Windows credentials” | Enabled
“(KFMOptInNoWizard) Silently move Windows known folders to OneDrive” | Enabled, Desktop [true], Documents [true] and Pictures [true]
… The OneDrive client whirs into action, does a little self-update, and a few minutes later there’s a notification saying that OneDrive is now logged in to your account. It’s looking good.
A few moments pass, and then the user starts to panic. It looks to them like they have lost all their Desktop folders, Documents and Pictures. They call your Helpdesk in [floods of tears | a rage | a calm but disappointed voice].
Maybe they are more diligent than that - they’ve noticed that they now seem to have two Desktop folders in their OneDrive - one called “Desktop”, the other called “Escritorio”. They also have “Documents” and “Documentos”, “Pictures” and “Imágenes”.
Did I forget to mention that our example user was Spanish, and running Windows 10 with language pack es-ES?
Worse yet, these folders have now synced up to OneDrive online, so the “damage” has been done. Replacing the user profile or device will merely recreate the same issue.
The OneDrive client, making use of the “Silently move Windows known folders to OneDrive” policy, has created regionalised (Spanish) versions of the core folders that a user relies upon for productivity, and created Folder Redirection paths to them.
The perfect storm for KFM
In this scenario, we need to review the following factors at play to find out what happened, and review some ideas on how to fix it:
An existing user (the victim),
Moving from one UEM product to another (the suspect),
Moving from an old device to a new device (the trigger),
OneDrive’s KFM technology (guilty by association).
I start my investigation by learning more than I wanted to know about OneDrive’s KFM feature.
OneDrive’s KFM technology
There are very few detailed breakdowns on what logic Known Folder Move uses to create folder redirection relationships between your OneDrive desktop application and your OneDrive account. I found the best detailed resources to be the following:
OneDrive and its (Un)known Folder Move (KFM) - Part 1 (allthingscloud.blog)
I will now do my best to summarise, and re-order, the information above into a timeline of logical checks that KFM performs to decide what to do when configuring KFM.
KFM’s Logical Timeline
(1) “vti_” hidden properties
First up - there are some hidden properties attached to every user’s OneDrive account which are populated by KFM. If you have never run KFM before (manually or interactively), you will not have these properties set.
vti_DesktopFolderGuid
vti_DocumentsFolderGuid
vti_PhotosFolderGuid
vti_CameraRollFolderGuid
vti_ScreenShotsFolderGuid
Each of these Guids stores a relative URI that is the configured path to the Desktop, Documents, Photos (etc) folders in the users OneDrive account.
When a user logs into their OneDrive account on a new machine (perhaps logging into multiple machines), as part of initial initialisation, OneDrive KFM will perform a check to see if the “vti_” properties have been set in the past.
TRY IT! You can see if your own OneDrive account “vti_” properties and relative URI's have been set by following this article:
You’ll need to install the PowerShell module pnp.powershell (as admin), import it as user, then modify Patrick’s script ever so slightly to get your results.
If the “vti_” properties exist they will be used to configure the OneDrive account locally on the system. If they have not, then OneDrive KFM moves on…
(1) “vti_” hidden properties
(2) KfmForceWindowsDisplayLanguage
Now that we know “vti_” hidden properties have not been set for our user, OneDrive KFM will check whether the OneDrive policy “KfmForceWindowsDisplayLanguage” is set to “Configured” and “True”. If it is, then KFM will use the Display Language of Windows 10 to…
Create new and regionalised folders locally on the system (e.g. Escritorio, Documentos, Imágenes), setting them up to Folder Redirection,
Sync those new folders up to OneDrive in the cloud,
Register those folder relative URIs to the “vti_” properties on the user’s OneDrive account for future use.
But for our user, they do not have this OneDrive policy set, and so OneDrive KFM moves on…
(1) “vti_” hidden properties
(2) KfmForceWindowsDisplayLanguage
(3) PreferredLanguage is set on the User Account
KFM will now examine the user’s PreferredLanguage attribute to determine how to configure the known folders. This could be important, as the user may set Windows 10’s Display Language to English (en-US) but prefer to have their OneDrive account in Spanish (es-ES), and so they might expect their known folders to be created in Spanish. If PrefferedLanguage is set to Spanish, then KFM will use it to…
Create new and regionalised folders locally on the system (e.g. Escritorio, Documentos, Imágenes), setting them up to Folder Redirection,
Sync those new folders up to OneDrive in the cloud,
Register those folder relative URIs to the “vti_” properties on the user’s OneDrive account for future use,
But our user does not have a PreferredLanguage set on their User Account, and so OneDrive KFM moves on…
(1) “vti_” hidden proprties
(2) KfmForceWindowsDisplayLanguage
(3) PreferredLanguage is set on the User Account
(4) DEFAULT - Use Windows Display Language
At this point KFM falls back on its default configuration - to use the Display Language of the operating system when the user logs in. This is much like the option above (KfmForceWindowsDisplayLanguage), but PreferredLanguage would take precedence over this behaviour if set.
If none of the options above are set, then KFM will use the Windows Display Language (at login) to…
Create new and regionalised folders locally on the system (e.g. Escritorio, Documentos, Imágenes), setting them up to Folder Redirection,
Sync those new folders up to OneDrive in the cloud,
Register those folder relative URIs to the “vti_” properties on the user’s OneDrive account for future use.
In Summary
OneDrive will follow this order of precedence to determine what to do at every “first login” of a user account (be it a new profile, or new machine) where OneDrive Known Folder Move is configured:
(1) “vti_” hidden properties -> (2) KfmForceWindowsDisplayLanguage -> (3) PreferredLanguage -> (4) Windows Display Language (DEFAULT)
Subsequent “first logins” for the same user should always look like this:
(1) “vti_” hidden properties <- Stops here
This is because the hidden properties are written back to the OneDrive account after KFM’s first run on the user’s behalf.
So what happened to our user?
Our user did not have existing “vti” hidden properties, “KfmForceWindowsDisplayLanguage” was not configured on the device, and they did not have a “PreferredLanguage” set on their account. For this reason, the “Windows Display Language” was chosen by KFM, and new folders were created in Spanish, which were then uploaded back to OneDrive account with the new “vti_” details.
But why did this existing user not have pre-existing “vti_” hidden properties if they had been using OneDrive, and Folder Redirection, in the previous UEM environment?
The existing user account, and former UEM environment
In this situation, I recommend getting access to the former UEM environment to continue the investigation, as it can yield critically important information when handling migration issues.
In our scenario, we manage to gather a Group Policy Result file (GPRESULT) run as Computer and logged in User. The contents of the file make it abundantly clear what has happened, as Folder Redirection is found to be configured natively using Group Policy rather than KFM (using the settings available in the OneDrive ADMX template). Folder Redirection is configured sync and redirect the Desktop, Documents and Pictures folders to OneDrive, notably using English folder names.
This organisation has never used KFM before, until now.
Our user was previously using a machine where Folder Redirection in Group Policy was configured, not KFM. They migrated to a machine controlled by a new UEM solution where OneDrive KFM was introduced. KFM, not knowing any better, configured itself as instructed, causing folder “duplication” using the regional language (Spanish).
How did this get through testing?
In our example, the problem has gone unnoticed as, during testing, no users report the issue. This is because the new UEM solution and KFM settings were tested, and approved, by users who used English (en-US) as their Display Language. When English users moved from Folder Redirection (configured in English) to KFM (configured in their Display Language (also English)) they don’t notice the problem.
The problem is identified by the first user who tries the operating system in a different Display Language (Spanish (es-ES)).
Hopefully this explanation shows that, really, this is a rare issue born of an unfortunate set of circ*mstances, and limited testing of a solution, rather than OneDrive’s KFM feature.
What are our options?
Use KFM anyway
Despite what has happened here, there is still a good argument for using KFM anyway, despite it causing issues for existing users. Though not very graceful, you could ask users to simply move the contents of their orphaned “Desktop” “Documents” and “Pictures” folders into their newly created folders. It could be feasible with the creation and distribution of some form of knowledge article.
Pros
Once the problem is fixed once, it is fixed forever for that user account,
Newly created users will not get this issue,
You get to use KFM right now.
Cons
Reputational risk for the IT department for not automating a fix,
Users must fix their own OneDrive having moved to the new UEM solution,
Users may make mistakes with their own data,
Users that struggle may generate a volume of helpdesk tickets.
Address the issue with automation
There are ways to retrieve and modify the “vti_” hidden properties on a per-user basis, as detailed in this article: OneDrive and its (Un)known Folder Move (KFM) - Part 2 (allthingscloud.blog). You have to install and use the pnp.powershell module, then authenticate as the user, to make the changes. I have tested it and can confirm that if you manually set the “vti_” values to the desired folder destinations, you can get ahead of the issue (remember that KFM will prioritise those values above all else) and prevent it happening before they migrate.
The only issue with this approach is that it is not very scalable as a solution, and unless someone clever finds a way of making use of a Global Administrator account to modify the values en-masse for all user accounts, I don’t see this being useful when dealing with 100s of user accounts.
Pros
Get ahead of the issue, removing any reputational risk,
You get to use KFM right now.
Cons
Not scalable, as it stands,
User interaction may still be required to provide their credentials if using Multi-Factor Authentication, even if a fix was semi-automated using pnp.powershell.
Kick the can down the road - switch off KFM
If Folder Redirection was previously configured natively with Group Policy, why not continue using it? It sounds obvious but if KFM is causing issues, you could simply switch it off and return to using Folder Redirection technology (you can enforce the setting “(KFMBlockOptOut) Prevent users from redirecting their Windows known folders to their PC” to stop anyone manually using the OneDrive wizard to set KFM up).
Though this technology is dated, and not nearly as dynamic as OneDrive’s KFM, it allows you to postpone the resolution of the issue until further research is conducted on an automatable fix. Remember, this problem has occurred during a migration scenario, and a lot of resources have already been spent to get this far.
Turn it off, kick the can down the road, and mark it down as a problem for tomorrow.
Pros
Resolves the issue with minimal effort (depending on your new UEM solution - Intune does not carry CSP settings for Folder Redirection),
Removes reputational risk from an already complicated migration project,
Cons
Passes the problem on, rather than resolving anything.
As with many problems, the chosen resolution will depend on a number of complicating factors - that’s what makes finding solutions to problems challenging and interesting!
Lessons learned
Though this investigation started with all fingers pointing at OneDrive’s KFM feature, I actually think we’ve learned that KFM is a very flexible and dynamic way of setting up Folder Redirection. I would recommend it to anyone, but advise in an migration scenario to check the ways in which Folder Redirection have been set up in the past - you may have a technical debt to pay first.
This problem also evaded detection during initial, and perhaps limited, testing of KFM. This gave false confidence to the engineering team that the feature was behaving as expected. This is so often the case because our testing groups are limited, or poorly representative of the needs of the business.
Test your features and settings internally with IT, but find ways to spread that testing further afield. If you are an international company, find representatives from abroad to provide feedback early on. If you have multiple departments with different software or hardware, get them into your earlier Deployment Rings so that you can get meaningful feedback.
No-one wants to be a canary for a poorly constructed configuration change, but I guarantee you that their manager would rather the proverbial canary has issues than see the whole department affected!
Useful Resources
Redirect and move Windows known folders to OneDrive - OneDrive | Microsoft Docs
Use OneDrive policies to control sync settings - OneDrive | Microsoft Docs
OneDrive and its (Un)known Folder Move (KFM) - Part 1 (allthingscloud.blog)
OneDrive and its (Un)known Folder Move (KFM) - Part 2 (allthingscloud.blog)
OneDriveKFMKnown Folder MoveGroup PolicyIntuneUEM
Gregory Heath Kelly
