Install OneDrive NGSC update on Windows 10 in OSD

This week Nickolaj Andersen released an excellent blog post on scconfigmgr.com on how to install the OneDrive Next Generation Sync Client (NGSC) with ConfigMgr:

http://www.scconfigmgr.com/2016/05/24/deploy-onedrive-next-generation-sync-client-with-configmgr/

There was also a great post on TechNet by Paulo Jorge Morais Dias: https://blogs.technet.microsoft.com/paulodias/2016/05/24/how-to-deploy-onedrive-next-generation-sync-client-with-sccm/

I would like to share how to install the OneDrive NGSC update on Windows 10 in OSD, because installing the update in an OSD task sequence improves the first-run user experience on a newly installed Windows 10 device. Let’s have a look at what happens when a user logs in for the first time on a freshly installed Windows 10:

Windows 10 ships with a built-in OneDriveSetup.exe in C:\Windows\SysWow64; on Build 14342 its version number is 17.3.6381.405. Windows 10 1511 of course ships with a much older version.

When a user logs in for the first time, this OneDriveSetup.exe is started by a Run key that originates in the default user's profile.

You can monitor the installation in the log files, which are written to C:\Users\<username>\AppData\Local\Microsoft\OneDrive\setup\logs. The logs show that the installer starts two processes with different parameters and log files: first C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup and then C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup /peruser /childprocess.

The two log files are Install_<date>.log and Install-PerUser_<date>.log.

If we used the above-mentioned methods to update OneDrive, there would be a second installation of the OneDrive client after first logon, and this installation does not start until the ConfigMgr client is initialized and has received all policies. Some users may start OneDrive in the meantime and would get an update notification from the OneDrive client itself, which tries to download the newest installer from Microsoft.

To have a truly complete Windows installation when an OSD task sequence finishes, I built a ConfigMgr application that replaces the original OneDriveSetup.exe in C:\Windows\SysWow64 with the current version. If I add this application to my task sequence, all new users start with an already updated installer and don’t need a second, delayed installation. To use this application on running machines as well, we just need a method to gather the existing user profiles.

And now it’s time to admit that I have cheated 😉 I used the brilliant PowerShell App Deployment Toolkit, which offers a bunch of helpful functions, for example to get all user profiles on a machine. Please find it here: http://psappdeploytoolkit.com/

If you don’t like the idea of introducing a new wrapper technology to your ConfigMgr, you can use the PowerShell script by Nickolaj Andersen to deal with existing user profiles and combine it with the following steps in your own installation script instead of using the psappdeploytoolkit.

  1. Because C:\Windows\SysWow64\OneDriveSetup.exe is owned by TrustedInstaller, change the ownership of the file
  2. Add temporary full NTFS permissions to OneDriveSetup.exe
  3. Overwrite OneDriveSetup.exe with the current version
  4. Restore original ownership and NTFS permissions
  5. If a user is logged in, start OneDriveSetup.exe for the current user
  6. If there are existing user profiles on the machine, create a RunOnce key in each user's profile to start the update installation at the next logon

This is the code I used in the install section of the psappdeploytoolkit. Please note that it uses functions and variables from the toolkit. If you want to use it in your own native PowerShell script, you need to replace them (Execute-Process vs. Start-Process, $envSystemRoot vs. $env:SystemRoot and so on).

## <Perform Installation tasks here>

# OneDriveSetup.exe is owned by TrustedInstaller, take ownership to replace file
Execute-Process -Path "$envSystem32Directory\takeown.exe" -Parameters "/f $envSystemRoot\SysWOW64\OneDriveSetup.exe"
# Grant full permissions for running user to replace file
Execute-Process -Path "$envSystem32Directory\icacls.exe" -Parameters "$envSystemRoot\SysWOW64\OneDriveSetup.exe /Grant `"$ProcessNTAccount`"`:(F)"
# Replace OneDriveSetup.exe with newer version
Copy-File -Path "$dirFiles\OneDriveSetup.exe" -Destination "$envSystemRoot\SysWOW64\OneDriveSetup.exe"
# Set ownership back to TrustedInstaller
Execute-Process -Path "$envSystem32Directory\icacls.exe" -Parameters "$envSystemRoot\SysWOW64\OneDriveSetup.exe /setowner `"NT SERVICE\TrustedInstaller`""
# Restore default permissions
If ($IsLocalSystemAccount) {
    # System account has read and execute permissions by default
    Execute-Process -Path "$envSystem32Directory\icacls.exe" -Parameters "$envSystemRoot\SysWOW64\OneDriveSetup.exe /Grant:r `"$LocalSystemNTAccount`"`:(RX)"
} else {
    Execute-Process -Path "$envSystem32Directory\icacls.exe" -Parameters "$envSystemRoot\SysWOW64\OneDriveSetup.exe /remove:g `"$ProcessNTAccount`""
}
# Run OneDriveSetup.exe for current user
Execute-Process -Path "$envSystemRoot\SysWOW64\OneDriveSetup.exe" -Parameters "/silent"

# Create RunOnce keys for all existing user profiles except the default user (by default, there's a Run key in the default user profile) and except the running user
If ($(Get-UserProfiles -ExcludeDefaultUser)) {
    [scriptblock]$HKCURegistrySettings = {
        Set-RegistryKey -Key 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -Name 'UpdateOneDrive' -Value "$envSystemRoot\SysWOW64\OneDriveSetup.exe /silent" -Type String -SID $UserProfile.SID -ContinueOnError $true
    }
    Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings -UserProfiles (Get-UserProfiles -ExcludeDefaultUser -ExcludeNTAccount $ProcessNTAccount)
}
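
Because the replaced file runs at logon for every profile, it is worth checking the replacement before the copy and the file's ownership and ACL after the restore step. The following is an added example in native PowerShell, not part of the original script; the package path, the signer match and the assumption that only TrustedInstaller holds write rights by default should be adjusted to your environment.

```powershell
# Added example in native PowerShell (no toolkit functions). The package path and
# the expected default ACL are assumptions; adjust them to your environment.
$Source = Join-Path $PSScriptRoot 'Files\OneDriveSetup.exe'      # assumed package layout
$Target = Join-Path $env:SystemRoot 'SysWOW64\OneDriveSetup.exe'

function Get-FileVersionObject([string]$Path) {
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-ReplacementInstaller([string]$Path, [string]$CurrentPath) {
    # The file will run at logon for every profile, so require a valid Microsoft signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "Signature status '$($sig.Status)' on $Path" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    # Refuse to replace the built-in installer with an older build.
    if ((Get-FileVersionObject $Path) -lt (Get-FileVersionObject $CurrentPath)) {
        throw "Replacement is older than $CurrentPath"
    }
}

function Test-InstallerAcl([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') { throw "Owner is still $($acl.Owner)" }
    # Write-type rights only; Modify/FullControl are left out because they include read bits.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
        $_.IdentityReference.Value -ne 'NT SERVICE\TrustedInstaller'
    }
    if ($writers) { throw "Write access left for: $($writers.IdentityReference -join ', ')" }
}

Test-ReplacementInstaller -Path $Source -CurrentPath $Target   # before the copy
# ... takeown / icacls / copy / restore steps from the script above run here ...
Test-InstallerAcl -Path $Target                                # after permissions are restored
if ((Get-FileHash $Source).Hash -ne (Get-FileHash $Target).Hash) { throw 'Target differs from source' }
```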

You also need some settings to configure OneDrive for enterprise usage. You could use Group Policy, but again, if you want a truly complete Windows installation after OSD, you’d prefer registry keys. With psappdeploytoolkit, it is also quite easy to add them to HKEY_CURRENT_USER.

  1. Disable sync of personal OneDrive accounts
  2. Enable enterprise update cadence*
  3. Remove OneDrive personal icon in Windows Explorer

This is how you can add those registry keys easily with the toolkit:

## Perform Post-Installation tasks here

[scriptblock]$HKCURegistrySettings = {

    # Disable sync of personal OneDrive accounts
    Set-RegistryKey -Key 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive' -Name 'DisablePersonalSync' -Value 1 -Type dword -SID $UserProfile.SID -ContinueOnError $true
    # Enable enterprise update cadence
    Set-RegistryKey -Key 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive' -Name 'EnableEnterpriseUpdate' -Value 1 -Type dword -SID $UserProfile.SID -ContinueOnError $true
    # Remove OneDrive personal icon in Windows Explorer
    # (-SID added so the key is removed from each user's hive, like the Set-RegistryKey calls above)
    Remove-RegistryKey -Key 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{018D5C66-4533-4307-9B53-224DE2ED1FE6}' -SID $UserProfile.SID
}

Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

*Enterprise update cadence

This is the most annoying issue with OneDrive in managed enterprise environments. You cannot disable the automatic OneDrive update. With this registry setting you can only delay it by approximately 2 weeks; to avoid unmanaged downloads by each and every client, you need to be faster with your ConfigMgr deployments.

1 thought on “Install OneDrive NGSC update on Windows 10 in OSD”

  1. Great article, just a correction on misspelled word on line 13 of your second snippet
    $HKCURecistrySettings should be $HKCURegistrySettings

    So others can skip that when troubleshooting 🙂
