
Configure OneDrive Auto Sign-in Using Intune: Complete Enterprise Guide

Deploy OneDrive silent account configuration via Intune to automatically sign users into the sync app using Windows credentials. Covers MFA considerations and troubleshooting

Difficulty: Intermediate
Category: Intune
Duration: 20 min
Steps: 7

Overview

This tutorial walks IT administrators through deploying the SilentAccountConfig policy via the Intune Settings Catalog. Upon completion, users signed into Microsoft Entra ID-joined or Hybrid Entra ID-joined devices will have OneDrive automatically configured without manual credential entry. The guide also addresses the critical MFA limitation and provides workarounds for enterprise environments that require multi-factor authentication.

Prerequisites

Before proceeding, ensure the following requirements are met:

Requirement | Details
Intune License | Microsoft Intune Plan 1, Microsoft 365 E3/E5, or Microsoft 365 Business Premium
Device Enrollment | Windows devices enrolled in Intune (MDM)
Operating System | Windows 10 1709+ or Windows 11
Device Join State | Microsoft Entra ID joined or Hybrid Entra ID joined
OneDrive Version | Sync client build 18.111.0603.0004 or later
User License | Microsoft 365 license including OneDrive for Business
MFA Status | Silent config does NOT work with MFA enabled

Verify Device Join Status

Run this command on target devices to confirm Entra ID join status:

```powershell
dsregcmd /status
```

Look for these values:

  • AzureAdJoined : YES
  • AzureAdPrt : YES (Primary Refresh Token required for SSO)
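The readiness check below is an added example, not a script from the original guide. It parses the `dsregcmd /status` output for the two values above, locates the sync client and compares its version against the minimum build in the prerequisites table, and returns one object per device so the result can be collected from a pilot group before the policy is assigned. The function name and the output field names are my own.

```powershell
# Added example: pre-deployment readiness check for OneDrive silent account configuration.
# Function and output field names are assumptions, not part of the guide.
function Test-OneDriveSilentConfigReadiness {
    [CmdletBinding()]
    param(
        # Minimum sync client build from the prerequisites table
        [version]$MinimumOneDriveVersion = '18.111.0603.0004'
    )

    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }

    $joined = ($status['AzureAdJoined'] -eq 'YES')
    $hybrid = ($status['DomainJoined'] -eq 'YES') -and $joined
    $prt    = ($status['AzureAdPrt'] -eq 'YES')   # PRT is what silent sign-in uses for SSO

    # Locate the sync client: per-user install first, then per-machine install
    $exe = @(
        "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe",
        "$env:ProgramFiles\Microsoft OneDrive\OneDrive.exe"
    ) | Where-Object { Test-Path $_ } | Select-Object -First 1

    $clientVersion = $null
    if ($exe) { $clientVersion = [version](Get-Item $exe).VersionInfo.ProductVersion }
    $versionOk = [bool]($clientVersion -and ($clientVersion -ge $MinimumOneDriveVersion))

    # Whether the user is subject to an MFA requirement cannot be read locally;
    # check Conditional Access for that (see the MFA Considerations section).
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        AzureAdJoined        = $joined
        HybridJoined         = $hybrid
        HasPrt               = $prt
        OneDriveVersion      = $clientVersion
        VersionOk            = $versionOk
        ReadyForSilentConfig = ($joined -and $prt -and $versionOk)
    }
}

Test-OneDriveSilentConfigReadiness | Format-List
```

Run it in the context of the user who will be targeted, since the PRT status reported by `dsregcmd /status` is per user; a device that reports `AzureAdJoined : YES` but `AzureAdPrt : NO` will show as not ready even though the policy itself will apply.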

Understanding Silent Account Configuration

The SilentAccountConfig policy enables OneDrive to automatically authenticate users using their Windows Primary Account credentials. When enabled:

  1. OneDrive detects the signed-in Windows account (must be Entra ID-based)
  2. Uses the Primary Refresh Token (PRT) to silently authenticate
  3. Configures the sync client without user interaction
  4. Users still see the OneDrive Setup wizard to select folders and location

Registry Keys Created

When deployed via Intune, the following registry entries are created:

[HKLM\SOFTWARE\Policies\Microsoft\OneDrive]
"SilentAccountConfig"=dword:00000001

[HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\OneDriveNGSCv2~Policy~OneDriveNGSC]
"SilentAccountConfig_Container"=dword:00000001

MFA Considerations

⚠️ Critical Limitation: Silent account configuration will NOT work for users who require multi-factor authentication at sign-in.

Workarounds for MFA environments:

  1. Conditional Access Exclusion: Create a CA policy that excludes compliant, Entra ID-joined devices from MFA requirements for OneDrive
  2. Trusted Location: Exempt corporate network locations from MFA for the OneDrive application
  3. Primary Refresh Token: Ensure devices have a valid PRT which satisfies MFA claims on compliant devices
  4. Prompt Policy Fallback: Enable "Prompt users to move Windows known folders to OneDrive" as a backup for silent failures
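The following is an added example of workaround 1 (it is not from the original guide) built with the Microsoft Graph PowerShell SDK: an MFA policy that excludes compliant devices through a device filter, created in report-only mode so its effect on sign-ins can be reviewed before it is enforced. It assumes the `Microsoft.Graph` module is installed, that the account used holds the Conditional Access administrator role, and that you replace the `<BREAK-GLASS-GROUP-ID>` placeholder with your emergency-access group's object ID; the display name is my own.

```powershell
# Added example: MFA Conditional Access policy that excludes compliant devices, created
# in report-only mode. Assumes the Microsoft.Graph module; the display name and the
# break-glass placeholder are assumptions, not values from the guide.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policy = @{
    displayName = "OneDrive - Require MFA except compliant managed devices (report-only)"
    # Evaluate impact first; change to "enabled" only after reviewing the report-only results
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Always exclude emergency-access accounts from MFA policies
            excludeGroups = @("<BREAK-GLASS-GROUP-ID>")   # placeholder
        }
        # "Office365" is the built-in suite value that covers SharePoint Online / OneDrive
        applications = @{ includeApplications = @("Office365") }
        devices = @{
            deviceFilter = @{
                # Compliant devices are by definition Intune-managed; they are left out of
                # the MFA grant so the PRT-based silent sign-in can succeed on them
                mode = "exclude"
                rule = "device.isCompliant -eq True"
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Keep the policy in report-only mode for at least one sync cycle of the pilot group and check the sign-in logs for users on compliant devices: if those sign-ins still report MFA as required, another policy in the tenant is enforcing it and the exclusion must be applied there as well.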

Step-by-Step Tutorial

01

Access Intune Admin Center

Navigate to the policy creation interface.

  1. Open your browser and go to https://intune.microsoft.com
  2. Sign in with an account that has Intune Administrator or Global Administrator rights
  3. Navigate to Devices → Windows → Configuration
  4. Click Create → New Policy
Expected Result: The "Create a profile" panel appears.
02

Configure Profile Basics

Define the profile type and metadata.

  1. Select the following options:
    • Platform: Windows 10 and later
    • Profile type: Settings catalog
  2. Click Create
  3. On the Basics tab, enter:
    • Name: OneDrive - Silent Account Configuration
    • Description: Automatically signs users into OneDrive sync app using Windows credentials. Deployed via Settings Catalog.
  4. Click Next
Expected Result: The Configuration settings tab opens.
03

Add Silent Sign-in Setting

Configure the SilentAccountConfig policy.

  1. Click + Add settings
  2. In the Settings picker, search for: Silently sign in users to the OneDrive
  3. Expand the OneDrive category
  4. Select: Silently sign in users to the OneDrive sync app with their Windows credentials
  5. Close the settings picker and set the toggle to Enabled
  6. Click Next
Expected Result: The setting appears in the configuration with "Enabled" status.
04

Configure Scope Tags (Optional)

Apply administrative scope if required.

  1. Select appropriate scope tags for your organization
  2. If not using scope tags, leave as Default
  3. Click Next
05

Assign the Policy

Target the policy to appropriate groups.

  1. Click + Add groups
  2. Select a Microsoft Entra security group containing:
    • Pilot group first: Start with 50-100 test users
    • Production rollout: Expand to larger groups after validation
  3. Optionally add exclusion groups
  4. Click Next
Expected Result: Selected groups appear in the Assignments section.
Warning (Best Practice): Microsoft recommends limiting deployment to 1,000 devices per day and 4,000 per week for existing devices.
06

Review and Create

Validate and deploy the policy.

  1. Review all configuration settings
  2. Verify assignments are correct
  3. Click Create
Expected Result: Policy appears in the Configuration profiles list with "Active" status.
07

Recommendation & Troubleshooting

For complete OneDrive automation, combine Silent Account Config with Known Folder Move (KFM).

Recommended Additional Settings

Create a second Settings Catalog policy or add these to the existing profile:

Setting | Value | Purpose
Silently move Windows known folders to OneDrive | Enabled + Tenant ID | Auto-redirects Desktop, Documents, Pictures
Prompt users to move Windows known folders to OneDrive | Enabled + Tenant ID | Fallback if silent move fails
Prevent users from redirecting their Windows known folders to their PC | Enabled | Blocks user opt-out
Use OneDrive Files On-Demand | Enabled | Saves local disk space
Allow syncing OneDrive accounts for only specific organizations | Enabled + Tenant ID | Security: blocks personal accounts

Find Your Tenant ID

```powershell
# Via Microsoft Graph PowerShell
Connect-MgGraph -Scopes "Organization.Read.All"
Get-MgOrganization | Select-Object Id, DisplayName
```

Or navigate to: Microsoft Entra admin center → Overview → Tenant ID

KFM Registry Verification

After deployment, verify these keys exist:

[HKLM\SOFTWARE\Policies\Microsoft\OneDrive]
"KFMSilentOptIn"="<Your-Tenant-ID>"
"KFMSilentOptInWithNotification"=dword:00000001

Deploy and Synchronize

Force Policy Sync

To expedite deployment during testing:

Method 1: Company Portal

  1. Open Company Portal app
  2. Go to Settings
  3. Click Sync

Method 2: PowerShell

```powershell
# Trigger Intune sync (run elevated)
# Enrollment tasks live under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentID>\,
# so the enrollment ID is the last path segment of that task folder
$EnrollmentPath = Get-ScheduledTask |
    Where-Object { $_.TaskPath -like "\Microsoft\Windows\EnterpriseMgmt\*\" } |
    Select-Object -ExpandProperty TaskPath -First 1
$EnrollmentID = $EnrollmentPath.TrimEnd('\').Split('\')[-1]
Get-ScheduledTask | Where-Object { $_.TaskPath -eq "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentID\" } | Start-ScheduledTask
```

Method 3: Settings App

  1. Open Settings → Accounts → Access work or school
  2. Select your organization connection
  3. Click Info → Sync

Monitor Deployment Status

Intune Admin Center

  1. Navigate to Devices → Windows → Configuration
  2. Select OneDrive - Silent Account Configuration
  3. Review the overview dashboard:
    • Succeeded: Policy applied successfully
    • Pending: Awaiting device check-in
    • Failed: Requires investigation
  4. Click View report for detailed device-level status

Per-Device Report

For failed deployments, check:

  1. Click on the device name
  2. Review the Settings status section
  3. Note any error codes for troubleshooting

Verify on Endpoint

Visual Verification

  1. Log into the Windows device with a targeted user account
  2. Look for the OneDrive cloud icon in the system tray:
    • Blue icon: Signed in and syncing
    • Gray icon: Not signed in (policy may have failed)
  3. Click the icon to verify the correct account is connected

Registry Verification

```powershell
# Check policy deployment (machine-level policy key written by Intune)
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" -Name SilentAccountConfig -ErrorAction SilentlyContinue

# Check silent config completion flag (written in the signed-in user's hive)
Get-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive" -Name SilentBusinessConfigCompleted -ErrorAction SilentlyContinue
```

Expected values:

  • SilentAccountConfig = 1
  • SilentBusinessConfigCompleted = 1

Event Log Verification

```powershell
# Query Intune diagnostic events
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" |
    Where-Object {$_.Id -eq 814 -and $_.Message -like "*SilentAccountConfig*"} |
    Select-Object TimeCreated, Message -First 5
```
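The registry and event log checks above can be combined into a single detection script, shown here as an added example that is not part of the original guide. It reports the policy key, the completion flag, the business account(s) the sync client has configured, and the most recent matching Event ID 814, and exits with 0 or 1 so it can be used as the detection half of an Intune remediation (the script must run under the logged-on user's credentials, since the completion flag and account list live in HKCU). The function name and the output field names are my own.

```powershell
# Added example: detection script for OneDrive silent configuration state.
# Function and field names are assumptions; registry paths and the event ID come from the guide.
function Get-OneDriveSilentConfigState {
    $policy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" -Name SilentAccountConfig -ErrorAction SilentlyContinue
    $done   = Get-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive" -Name SilentBusinessConfigCompleted -ErrorAction SilentlyContinue

    # Work/school accounts the sync client has set up (HKCU\...\OneDrive\Accounts\Business1, Business2, ...)
    $accounts = Get-ChildItem -Path "HKCU:\Software\Microsoft\OneDrive\Accounts" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Business*' } |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).UserEmail } |
        Where-Object { $_ }

    # Most recent MDM diagnostic event for this policy
    $lastEvent = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
            Id      = 814
        } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*SilentAccountConfig*' } |
        Select-Object -First 1

    [pscustomobject]@{
        PolicyDeployed   = ($policy.SilentAccountConfig -eq 1)
        ConfigCompleted  = ($done.SilentBusinessConfigCompleted -eq 1)
        BusinessAccounts = @($accounts)
        OneDriveRunning  = [bool](Get-Process -Name OneDrive -ErrorAction SilentlyContinue)
        LastPolicyEvent  = if ($lastEvent) { $lastEvent.TimeCreated } else { $null }
    }
}

$state = Get-OneDriveSilentConfigState
$state | Format-List

# Exit code drives the remediation: 0 = compliant, 1 = remediation needed
if ($state.PolicyDeployed -and $state.ConfigCompleted -and $state.BusinessAccounts.Count -gt 0) {
    Write-Output "Compliant: silent configuration completed for $($state.BusinessAccounts -join ', ')"
    exit 0
}
Write-Output "Non-compliant: policy=$($state.PolicyDeployed) completed=$($state.ConfigCompleted) accounts=$($state.BusinessAccounts.Count)"
exit 1
```

A device where `PolicyDeployed` is true but `ConfigCompleted` stays false for more than one sync cycle is the pattern described under Issue 1 below; `BusinessAccounts` showing an address from a different tenant than expected is worth catching early if the "only specific organizations" setting from the KFM table has not been deployed yet.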

Troubleshooting

Common Issues and Solutions

Issue 1: OneDrive Shows "Set up OneDrive" Instead of Auto Sign-in

Possible Causes:

  • MFA is required for the user
  • Device is not properly Entra ID joined
  • Primary Refresh Token is missing or expired

Resolution:

```powershell
# Verify PRT status
dsregcmd /status | Select-String -Pattern "AzureAdPrt"

# If AzureAdPrt : NO, try:
# 1. Lock and unlock the workstation
# 2. Sign out and sign back in
# 3. Run: dsregcmd /refreshprt
```

Issue 2: Policy Shows as Applied but OneDrive Not Configured

Resolution:

  1. Clear previous silent config attempts:

```powershell
# Run as the affected user
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive" -Name "SilentBusinessConfigCompleted" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive" -Name "ClientEverSignedIn" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive" -Name "PersonalUnlinkedTimeStamp" -ErrorAction SilentlyContinue
```

  2. Reset OneDrive:

```powershell
& "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe" /reset
Start-Sleep -Seconds 10
& "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe"
```

Issue 3: Event ID 814 Shows Policy Error

Check the diagnostic log:

```powershell
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" -MaxEvents 50 |
    Where-Object {$_.Message -like "*OneDrive*"} |
    Format-List TimeCreated, Id, Message
```

Look for:

  • Event ID 813: Policy processing started
  • Event ID 814: Policy applied successfully
  • Event ID 404: Policy application failed

Issue 4: Generate MDM Diagnostic Report

For escalation to Microsoft Support:

  1. Go to Settings → Accounts → Access work or school
  2. Select your organization
  3. Click Info → Create report
  4. Share the generated report with support

Rollback Procedure

To remove the policy configuration:

```powershell
# Remove machine-level policy keys (run elevated).
# Unassign or delete the Intune profile first; otherwise the key is recreated at the next check-in.
Remove-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" -Recurse -Force -ErrorAction SilentlyContinue

# Remove user-level completion flags (run as the affected user)
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive" -Name "SilentBusinessConfigCompleted" -Force -ErrorAction SilentlyContinue

# Restart OneDrive
Stop-Process -Name "OneDrive" -Force -ErrorAction SilentlyContinue
Start-Process "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe"
```

Conclusion

Deploying OneDrive silent account configuration via Intune significantly improves user experience and ensures consistent data protection across your organization. By combining this with Known Folder Move policies, you create a seamless onboarding experience where users' critical files are automatically backed up to the cloud from day one.

Key takeaways:

  • Silent configuration requires Entra ID-joined or Hybrid Entra ID-joined devices with valid PRT
  • MFA must be excluded or satisfied via device compliance for silent sign-in to work
  • Always pilot to a small group before organization-wide deployment
  • Combine with KFM policies for complete OneDrive automation
  • Monitor deployment via Intune reports and Event ID 814 on endpoints

For organizations with strict MFA requirements, consider implementing device-based Conditional Access policies that satisfy MFA claims for compliant, managed devices - this allows silent sign-in while maintaining security posture.

Frequently Asked Questions

No. Silent account configuration explicitly does not support multi-factor authentication. The feature relies on Single Sign-On (SSO) via the Windows Primary Refresh Token (PRT). If your Conditional Access policies require MFA for all cloud apps, you must either exclude OneDrive from MFA requirements on compliant devices or accept that users will need to manually sign in.

OneDrive will sign in using the Windows Primary Account - the account used to sign into Windows. If users have additional accounts, they can add them manually after the initial silent configuration completes.

Yes. For Active Directory-joined devices not managed by Intune, use the OneDrive Group Policy ADMX templates. The policy is located at: Computer Configuration → Administrative Templates → OneDrive → Silently sign in users to the OneDrive sync app with their Windows credentials.

Typically 15-60 minutes after device check-in. You can force a sync from the Company Portal or Settings app to expedite. The policy requires OneDrive to restart to take effect.

Yes. Windows 365 Cloud PCs that are Entra ID-joined will receive and process the policy. Ensure the Cloud PC has a valid PRT by verifying with dsregcmd /status.

Silent Sign-in (SilentAccountConfig): Automatically authenticates the user to OneDrive without credential prompts. Known Folder Move (KFM): Redirects Desktop, Documents, and Pictures folders to OneDrive for automatic backup. These are separate but complementary features. Microsoft recommends enabling both for optimal user experience.
