Silently configure user accounts

This article is for IT admins who would like to silently configure user accounts when deploying the new OneDrive sync app (OneDrive.exe) to managed Windows computers in their enterprise. This feature works for computers that are joined to Azure Active Directory (Azure AD).

If you enable this feature, OneDrive.exe will attempt to silently (without user interaction) sign in to the work or school user account that was used to sign in to Windows (known as the Windows Primary Account). That Windows account must be an Azure Active Directory (AAD) account or be linked to an AAD account through a hybrid authentication configuration (see Prerequisites below). Before OneDrive.exe begins syncing, it will check the available disk space. If syncing the user's entire OneDrive would cause the available space to drop below 1 GB or if the size exceeds the threshold you set (on devices that don't have Files On-Demand enabled), OneDrive will prompt the user to choose folders to sync. For info about setting this threshold using Group Policy, see Set the maximum size of a user's OneDrive that can download automatically.

When the user is configured in the sync client, if the same user account is syncing files with the previous OneDrive for Business sync app (Groove.exe), the new sync app (OneDrive.exe) will attempt to take over syncing those files.

Prerequisites

Before you can enable silent account configuration, you need to join your devices to Azure AD. You can join devices running Windows 10 and Windows Server 2016 directly to Azure AD. To learn how, see Join your work device to your organization's network.

If you have an on-premises environment that uses Active Directory, you can enable hybrid Azure AD joined devices to join devices on your domain to Azure AD. Devices must be running one of the following operating systems:

  • Windows 10
  • Windows 8.1
  • Windows 7
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2

If you federate your on-premises Active Directory with Azure AD, you must use AD FS to enable this feature. For info about using Azure AD Connect, see Getting started with Azure AD Connect using express settings.

Note

For more info, see How to configure hybrid Azure Active Directory joined devices. To check the join status and fix problems, see Troubleshoot hybrid Azure AD-joined devices.

Enable silent configuration

If the computers on your network are joined to Active Directory on-premises, you can use domain group policy to configure silent account configuration.

Using Group Policy:

  1. Enable silent account configuration. For info, see Silently sign in users to the OneDrive sync app with their Windows credentials.

  2. Optionally, specify the maximum OneDrive size that will download automatically in silent configuration. For info, see Set the maximum size of a user's OneDrive that can download automatically. Note that if you enable Files On-Demand, OneDrive will ignore the maximum size value.

  3. Optionally, set the default location for the OneDrive folder. For info, see Set the default location for the OneDrive folder.

Tip

See the Verify SilentAccountConfig section below to verify and troubleshoot your configuration.

Note

Silent account configuration won't work on devices for users who require multi-factor authentication. Select third-party identity providers (IdPs) are supported, but there are caveats. For more information, make sure to check out the Azure AD federation compatibility list.

If the computers on your network are not connected to Active Directory on-premises, but only to Azure AD, we recommend using Intune and a Microsoft PowerShell script to set the registry keys required to enable silent config. Be sure you have automatic enrollment set up for Windows 10 devices.

Using a script:

$HKLMregistryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' ## Path to HKLM keys
$DiskSizeregistryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive\DiskSpaceCheckThresholdMB' ## Path to max disk size key
$TenantGUID = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' ## Placeholder: replace with your tenant ID

## Create the policy keys if they do not exist yet
if (!(Test-Path $HKLMregistryPath)) { New-Item -Path $HKLMregistryPath -Force | Out-Null }
if (!(Test-Path $DiskSizeregistryPath)) { New-Item -Path $DiskSizeregistryPath -Force | Out-Null }

New-ItemProperty -Path $HKLMregistryPath -Name 'SilentAccountConfig' -Value 1 -PropertyType DWORD -Force | Out-Null ## Enable silent account configuration
New-ItemProperty -Path $DiskSizeregistryPath -Name $TenantGUID -Value 102400 -PropertyType DWORD -Force | Out-Null ## Set max OneDrive threshold (MB) before prompting

Windows Image Prep requirements

SilentAccountConfig creates a SilentBusinessConfigCompleted registry entry once SilentAccountConfig has successfully provisioned the user in OneDrive.exe. This prevents SilentAccountConfig from reprovisioning the user in OneDrive.exe if the user manually stops syncing.

If SilentAccountConfig has successfully completed on a machine you're going to use as your master for building a Windows deployment image (i.e. SysPrep), you need to ensure this registry key is removed before you prepare your image. You can do so by running the following command:

reg delete HKCU\Software\Microsoft\OneDrive /v SilentBusinessConfigCompleted /f

Verify SilentAccountConfig

Instructions for SharePoint Online (SPO):

  1. Unlink all pre-existing Business instances in OneDrive.

  2. Clear the registry of any previous successful Silent Business Config runs:

    reg delete HKCU\Software\Microsoft\OneDrive /v SilentBusinessConfigCompleted /f
    
  3. Set the Silent Config policy registry entry (must be run from an administrator CMD window):

    reg add HKLM\SOFTWARE\Policies\Microsoft\OneDrive /v SilentAccountConfig /t REG_DWORD /d 0x1 /f
    
  4. Sign out of Windows (Ctrl+Alt+Delete, Sign Out).

  5. Sign in to Windows.

  6. Shortly you should see a blue cloud tray icon. Clicking on the blue cloud tray icon should show the activity center pop-up showing ongoing/recent activity from the first sync. If so, SilentAccountConfig has worked correctly.

  7. If instead you see the "Set up OneDrive" first run wizard dialog, SilentAccountConfig was unable to silently sign in or failed for another reason. Verify you have completed these steps correctly by repeating them. Perform the Verify Single Sign On (SSO) steps below to confirm that SSO is not a problem. Gather sync client logs to send to the engineering team for further help.

Instructions for On-Premises SharePoint 2019+ Server:

  1. Ensure you can manually get the OneDrive sync client to sync content with your on-premises SharePoint 2019 Server before proceeding. See Configure sync app for syncing with SharePoint Server for details.

  2. Set the SharePointOnPremPrioritization reg key value to 1 (this ensures on-premises takes precedence over SPO; delete the reg key to revert to SPO):

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive /v SharePointOnPremPrioritization /t REG_DWORD /d 0x1 /f
    
  3. Follow steps 1 through 6 in the SPO instructions above.

  4. If instead you see the "Set up OneDrive" first run wizard dialog, SilentAccountConfig was unable to silently sign in or failed for another reason. Verify you have completed these steps correctly by repeating them. Gather sync client logs to send to the engineering team for further help.

To prevent Silent Business Config:

reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive /v SilentAccountConfig /f

Verify that Single Sign On (SSO) is working

The most common reason for SilentAccountConfig to fail is that the credentials are not available to OneDrive.exe without user interaction. Proceed with these instructions to determine if this is a problem in your case.

If you have a machine you think should work with SilentAccountConfig, you can manually verify that SSO is working correctly to ensure that the environment is configured correctly.

  1. Temporarily force ADAL on by running this command:

    reg add HKCU\Software\Microsoft\OneDrive /v EnableADAL /t REG_DWORD /d 1 /f
    
  2. Shut down any running OneDrive.exe processes (verify in the Task Manager Details tab - Ctrl+Shift+Esc).

  3. Open OneDrive from the Start menu. You should see the Set up OneDrive dialog (if not, unlink/stop syncing any business accounts and start over).

  4. Enter the same email address that the user used to sign in to Windows (try alias@domain and domain\alias forms).

  5. Click the Sign In button on the dialog.

  6. The dialog should switch to a "signing in" page with a spinning icon for a few seconds. It should then proceed to the next part of the wizard without asking for a password.

  7. If you do not get a password prompt, congratulations, your auth environment is properly configured and SilentAccountConfig should work for your users.

  8. If you do see a password prompt, the environment is not configured properly for silent sign on. This could be due to a problem with how the machine is domain joined (for example, a trust relationship problem), a problem with ADFS configuration, an AAD CA policy requiring user interaction, you didn't provide the same user email address as the one used to sign in to Windows, or some other reason. You will need to resolve whatever is blocking silent sign on before SilentAccountConfig will work for you.

  9. Remove the EnableADAL key you added in step 1:

    reg delete HKCU\Software\Microsoft\OneDrive /v EnableADAL /f
    

Note

When using SilentAccountConfig, you do not need to specify EnableADAL=1. This is only necessary when manually testing SSO in the above steps where we manually sign in (instead of using SilentAccountConfig to sign in). However, if you want users who manually set up OneDrive sync to benefit from SSO to minimize how often they need to enter a password in sync, you can deploy the EnableADAL key on your users' computers.
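
The registry values and join prerequisites used in the verification steps above can be read back in one read-only pass. The following PowerShell is an added example, not part of the original article or Microsoft's tooling; the function names Get-RegValue and Get-SilentConfigState are hypothetical, and it assumes a Windows 10 device where dsregcmd.exe is available and that it runs in the signed-in user's session.

```powershell
# Added example (not Microsoft's script): read-only check of the values this article uses.
# Assumption: runs in the signed-in user's session on Windows 10, where dsregcmd.exe exists.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$userKey   = 'HKCU:\Software\Microsoft\OneDrive'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-SilentConfigState {
    # Parse the "Name : Value" lines printed by dsregcmd /status.
    $join = @{}
    foreach ($line in (& dsregcmd.exe /status 2>$null)) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') { $join[$Matches[1]] = $Matches[2] }
    }
    # Per-tenant size thresholds are values named by tenant GUID under this subkey.
    $limits = @{}
    $limitKey = Get-Item -Path "$policyKey\DiskSpaceCheckThresholdMB" -ErrorAction SilentlyContinue
    if ($limitKey) { foreach ($n in $limitKey.Property) { $limits[$n] = $limitKey.GetValue($n) } }

    $state = [ordered]@{
        AzureAdJoined                  = $join['AzureAdJoined']
        DomainJoined                   = $join['DomainJoined']
        AzureAdPrt                     = $join['AzureAdPrt']
        SilentAccountConfig            = Get-RegValue $policyKey 'SilentAccountConfig'
        SharePointOnPremPrioritization = Get-RegValue $policyKey 'SharePointOnPremPrioritization'
        SilentBusinessConfigCompleted  = Get-RegValue $userKey 'SilentBusinessConfigCompleted'
        EnableADAL                     = Get-RegValue $userKey 'EnableADAL'
        DiskSpaceCheckThresholdMB      = $limits
    }
    $notes = @()
    if ($state.AzureAdJoined -ne 'YES') { $notes += 'Device does not report AzureAdJoined : YES (prerequisite).' }
    if ($state.SilentAccountConfig -ne 1) { $notes += 'SilentAccountConfig policy value is not 1.' }
    if ($null -ne $state.SilentBusinessConfigCompleted) {
        $notes += 'SilentBusinessConfigCompleted exists: this user will not be reprovisioned; delete it before image prep or a re-test.'
    }
    if ($state.EnableADAL -eq 1) { $notes += 'EnableADAL is set; remove it if it was only added for the manual SSO test.' }
    $state['Notes'] = $notes
    [pscustomobject]$state
}

Get-SilentConfigState | Format-List
```

The script changes nothing; AzureAdPrt is reported for context only and is not evaluated in the notes.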