Using ConfigMgr #MEMCM to Pin and Un-Pin OneDrive Known Folders

First blog post of 2020 using the new #MEMCM tag! One of the things asked for recently was the ability for users to “choose” to keep OneDrive “Known Folders” available offline. This isn’t necessary for a user on their Primary computer – the OneDrive files will already be local but when the user logs on to a different computer in a shared computer environment, the files will only be available on demand. We were asked to give the users the option of “Pinning” these known folders and for the admin to have the option to force it. The folders being redirected by OneDrive Known Folder Move were:-

  1. Desktop
  2. Pictures
  3. Documents
  4. Favorites (IE)

During periods of network inaccessibility and to improve performance in some situations (IE didn’t behave too well using symbolic links with files that were not synced offline) there was a request to make the Desktop and Favorites folders available Offline. This was a shared computing environment and customers could log on to any number of Windows 10 devices. And yes, IE is still being used, in anger, in a lot of enterprises.

The Approach

We first needed to understand how we could make these folders and files available offline in OneDrive.

Our files can be in 3 states when approaching this:-

  1. File is available offline (Usually after it is recalled/opened)
  2. Always keep on this device – file is always kept offline (Pinned)
  3. Free Up Space – file is not kept on the device but is downloaded when accessed by the user (Default) (Recall on Data Access / Unpinned)

These file states are represented by the following icons:-

OneDrive Offline file/folder status

The terminology used since Windows 10 1703 is “Pinned” and “UnPinned” when looking to set file attributes. Let’s take a look at the command in Windows 10 1909. Look for the P and U attributes below:-

attrib.exe /?

Let’s use a simple PowerShell script to identify the file attributes in our lab. We have created a nested folder structure for the purpose of this blog post.

Get-ChildItem "$ENV:OneDrive\Desktop" -Recurse | ForEach-Object { attrib.exe $_.FullName }

We can use attrib.exe to show some basic file attributes of our files. We can see clearly the P and U attributes in play in the above example.

I was looking for another way to do this because attrib.exe doesn’t show me the “Recall on Data Access” attribute although this attribute goes hand in hand with the Unpinned attribute – I stumbled across a cool discussion:-

JRV was showing how we can enumerate the attributes based on the flags. This gets really fun if you love .NET and SDKs. Not really on my radar but it was fun to look at this method to get the file attributes – including “Recall on Data Access” – Flag 0x00400000

  • Pinned = 0x00080000
  • Unpinned = 0x00100000
  • Recall on Data Access = 0x00400000
We can see which files have the Pinned, Unpinned and RecallOnDataAccess attributes set
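
The flag test described above, as an added example (not code from the linked discussion or from this post): it reads the raw attribute value of every item under a folder and names the three OneDrive bits listed here. The function name Get-OneDrivePinState and the output property names are hypothetical.

```powershell
# Added example: decode the three OneDrive attribute bits listed in this post.
function Get-OneDrivePinState {
    param([Parameter(Mandatory)][string]$Path)

    $flags = [ordered]@{
        Pinned             = 0x00080000
        Unpinned           = 0x00100000
        RecallOnDataAccess = 0x00400000
    }

    # Only metadata is read here; file contents are never opened
    foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force) {
        $raw = [int]$item.Attributes   # the enum value keeps bits it has no name for
        $set = foreach ($name in $flags.Keys) {
            if ($raw -band $flags[$name]) { $name }
        }
        [pscustomobject]@{
            Pinned = [bool]($raw -band $flags.Pinned)
            State  = if ($set) { $set -join '+' } else { 'None' }
            Raw    = '0x{0:X8}' -f $raw
            Path   = $item.FullName
        }
    }
}

# Count items per state, then list anything that is not pinned
$report = Get-OneDrivePinState -Path (Join-Path $env:OneDrive 'Desktop')
$report | Group-Object State | Select-Object Count, Name
$report | Where-Object { -not $_.Pinned } | Select-Object State, Raw, Path
```

Running it before and after a pin or unpin operation shows which items actually changed state, independent of the Explorer icons.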

We can also see these attributes in action when we manually pin/unpin files in OneDrive from explorer

  1. Right click the file in Explorer and select “Always Keep on this Device” (Pinned) 0x80000 Attribute Added
  2. Right click the file in Explorer and deselect “Always Keep on this Device” (Unpinned) Pinned Attribute Removed
  3. Right click the file in Explorer and select “Free up space on this device” (Recall on Data Access) 0x100000 Attribute Added
Attributes being queried by OneDrive.exe after the attributes are changed in Explorer

Where is this going?

That is what I started to think at this point. Where am I going with this? Well essentially I have concluded a few things:-

  1. By default, all OneDrive files are kept on the device but can be moved to a “Recall on Data Access / Unpinned” status if the disk runs low on space or the user chooses to “Free Up Space” on the file/folder context menu.
  2. When using the “Files on Demand” feature, all files in OneDrive are set to “Recall on Data Access / Unpinned”. The Recall on Data Access and Unpinned attributes are set.
  3. For files and folders, a user can choose to “Always Keep on this Device” in OneDrive – which is known as “Pinning” Items. This sets the Pinned attribute.
  4. When a user chooses to “Unpin”, i.e. deselects “Always Keep on this Device”, the Pinned attribute is removed.

We can keep things really simple and stick with attrib.exe, it works really well and can be executed from a PowerShell script. A nice overview can be found here

Attrib.exe enables 2 core scenarios.  “attrib -U +P /s”, makes a set of files or folders always available and “attrib +U -P /s”, makes a set of files or folders online only.

And that is what I am going to do to set the folder and file attributes to Pinned/Un-Pinned.

Back on track

What do we need to do then? I will be creating an application in ConfigMgr to run a PowerShell script. The script will set the attributes of a Known Folder using attrib.exe.

Important Note: If you unpin or choose to keep any child item as online only, the attributes of the parent folders will remain pinned but the icon of the top level folders will change. Not sure if this is by design but I am keeping an eye on this for changes from Microsoft.

Attributes and Icons don’t always match!

The Script

This script either “Pins” or “Un-Pins” our Known Folders in OneDrive. Be sure to check the GIT Repository for any updates (Link Below). Code pasted below is accurate at time of this post.

This script will enumerate the KnownFolders you specify and either Pin or UnPin the files and folders. Cool. It will also output the actions to the user’s Registry so we have something to perform an Application Detection Method against in ConfigMgr / MEMCM.

An example of how we can pass parameters to this script could be:- Set_KFM_Attribute.ps1 -KnownFolder "desktop", "documents", "pictures" -PinStatus "unpin"

Logging to User Registry in anticipation of using an Application Detection Method in ConfigMgr / MEMCM
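
A minimal script matching the description above, as an added example and not the author's Set_KFM_Attribute.ps1 from the repository. The parameter names, the attrib.exe switches and the registry key come from this post; the registry value names, the validated folder list and the assumption that each Known Folder sits directly under %OneDrive% are assumptions.

```powershell
# Added example, not the author's Set_KFM_Attribute.ps1.
# Assumptions: Known Folders sit directly under %OneDrive%; registry value names are illustrative.
[CmdletBinding()]
param(
    # ValidateSet keeps arbitrary caller-supplied text out of the path handed to attrib.exe
    [Parameter(Mandatory)]
    [ValidateSet('desktop', 'documents', 'pictures', 'favorites')]
    [string[]]$KnownFolder,

    [Parameter(Mandatory)]
    [ValidateSet('pin', 'unpin')]
    [string]$PinStatus
)

if (-not $env:OneDrive) { throw 'OneDrive is not set up for this user (%OneDrive% is empty).' }

# Switches as quoted in the post: "-U +P" = always available, "+U -P" = online only
$switches = if ($PinStatus -eq 'pin') { '-U', '+P' } else { '+U', '-P' }

$processed = foreach ($name in $KnownFolder) {
    $path = Join-Path -Path $env:OneDrive -ChildPath $name
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "Skipping '$name': '$path' does not exist"
        continue
    }
    & attrib.exe $switches $path                          # the folder itself
    & attrib.exe $switches (Join-Path $path '*') /s /d    # contents, recursively, including subfolders
    $name
}

# Only write the detection key when at least one folder was processed,
# so ConfigMgr does not report success for a run that changed nothing.
if (-not $processed) { throw 'None of the requested Known Folders were found.' }

$key = 'HKCU:\ScriptStatus\Set_KFM_Attributes'   # key used by the detection method in this post
if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'LastPinStatus' -Value $PinStatus
Set-ItemProperty -Path $key -Name 'LastFolders'   -Value ($processed -join ',')
Set-ItemProperty -Path $key -Name 'LastRun'       -Value (Get-Date -Format 's')
```

Because the key lives under HKCU and is writable by the user, it records that the script ran rather than the current pin state; re-reading the file attributes is the way to confirm what is actually pinned.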

Putting it All Together

  • Create an Application in MEMCM (In our example we will deploy an Application to PIN the users DESKTOP items)
  • Add an Installation Program
  • Add a Repair Program
  • Add a Detection Method
  • Deploy to a User/Group

Create an Application in MEMCM

Creating a Requirement to check if OneDrive exists?

Not necessary but it might be nice to check the user has OneDrive installed before we deploy this Application to users. In one environment I created a custom Global Condition that uses a script to detect if the OneDrive path exists. Don’t forget that Global Condition scripts need to be signed. More on Signing scripts here
You could always look for a registry key too, to make things a little simpler. Your custom Global Condition will be available under the “Application Requirements” but to keep this post short we will omit any “Application Requirements”. Examples of using a Script or a Registry Key lookup are below:-

Global Condition Script to Detect OneDrive is initialised

or you could check the following Registry Key Exists using a Global Condition too


More on Creating Global Conditions can be found at

Add an Installation Program

In our example below, we will not use a Global Condition to create a requirement for our Application.

1 . From the Application Management Workspace, select Create > Create Application from the ribbon bar

2 . Choose Manually specify the application information and Click Next

3 . Enter an Application Name and Publisher Information and Click Next

4 . Choose a Software Centre Icon for your Application and Click Next

5 . To create a deployment type, Click Add

6 . Choose Script Installer from the Type drop down box and Click Next

7 . Enter a Deployment Type Name and Click Next

8 . Enter the following Content Information:-

Content Location: \\yourserver\contentdirectory (Should contain the PowerShell Script Set_KFM_Attribute.ps1)
Installation Program * : Powershell.exe -ExecutionPolicy Bypass -File "Set_KFM_Attribute.ps1" -KnownFolder "desktop" -PinStatus "pin"

* This command line assumes you have not signed the PowerShell script. Modify the parameters according to the Execution Policy in your environment.

Click Next

9 . Click Add Clause

10 . Set the following Detection Method HKEY_CURRENT_USER\ScriptStatus\Set_KFM_Attributes

Setting Type: Registry
Key: ScriptStatus\Set_KFM_Attributes

Click OK

11 . Click Next

12 . Specify the following User Experience settings:-

Installation Behaviour: Install for user
Installation program visibility: Hidden
Maximum allowed run time (minutes): 30 (Change this to suit your user environment. If your users have a large number of files and folders you may need to increase this)
Estimated installation time (minutes): 5 (Same advice as above in regards to this setting)

Click Next

13 . On the Installation Requirements screen, Click Next (Unless you have created a Global Condition to detect OneDrive exists as discussed earlier in the post)

14 . On the Software Dependencies screen, Click Next

15 . On the Summary screen, Click Next

16 . Click Close

17 . Click Edit (We want to edit the Deployment Type to add a “Repair Program” option)

18 . On the Programs tab, copy the Installation Program and paste it into the Repair Program box then Click OK

Adding a Repair Program will give the User the option of “Re-Running” this script at a later date from Software Centre. Cool! (Although Software Centre will display the “Repair” button which may confuse users)

19 . Click Next (Twice)

20 . Click Close

Deploy the Application to a User/s

1 . From the Applications Workspace, highlight our new app and Click Deploy on the Ribbon bar

2 . To choose a Collection for Deployment, Click Browse

3 . Select the target User or User Group to deploy the application to and Click OK (I am using All Users because it is my lab environment – I don’t expect you to use that Collection!)

4 . Click Next

5 . Choose a Distribution Point or Distribution Point Group to deploy this application content to and Click Next

6 . Select the following Deployment Settings

Action: Install
Purpose: Available
Allow end users to attempt to repair this application: Check (This will allow the User to re-run this script again from the Software Centre)

Click Next

7 . On the Schedule page, set the options that suit your environment and Click Next

8 . On the User Experience page, set the options that suit your environment and Click Next

9 . On the Alerts page, set the options that suit your environment and Click Next

10 . On the Summary page, Click Next

11 . Click Close

Seeing the Script in Action

I am going to log on to a Windows 10 client in my lab. The user account logged in has OneDrive installed and a GPO has set the Known Folder Move settings already

We can tell a few things from the screenshot below:-

1. The New Application is available in Software Centre to my user
2. KFM GPO has mapped my Desktop Folder to OneDrive and I can see stuff
3. My Desktop files are currently not on my computer, their attribute is set to “Recall on Data Access”

User logged on in my lab environment

Let’s go and run the Application in Software Centre and see what happens. Select the Application and Click Install.

The Script is running, I was quick with the screen grab and can see my file statuses changing! (So much fun)

File and Folder Status changing as the script runs

And once the Application has completed we get a “Repair” option in Software Centre and ALL our Desktop files are now “Pinned” Offline

Application Installation Succeeded

Let’s check the Registry! The Application Succeeded, which means our Detection Method has read the relevant Registry Keys written by the script.
The script has created the Key used for Application Detection but also some other useful values for troubleshooting like:-

  1. Which Attributes were last passed by the script
  2. Which Folders were specified when the script last ran
  3. What date/time did the script last run
The Script also sets some useful registry entries for Admin purposes


What a long post!

I now have a better appreciation of OneDrive and how file attributes work when pinning and unpinning stuff. There is a slight quirk with top level folder icons not matching its pinned/unpinned attribute but this may get “looked at” in future versions.

If the user clicked “Repair” the same script will run again and re-pin everything. We can create multiple applications and pass different parameters to the same script to achieve different outcomes. For example, some users may wish to free up space on their computer so deploying the script with the “UnPin” parameter could be handy

I am using the “Repair” option A LOT these days when deploying scripts. If the ConfigMgr team are reading this, I would love the option to change the “repair” button to a “re-run” button for these type of deployments….A guy can dream haha 🙂

Let me know if you think this process can be improved. See you next time 🙂 Ben

4 thoughts on “Using ConfigMgr #MEMCM to Pin and Un-Pin OneDrive Known Folders”

  1. Hi Ben,
    A question… the Known Folder Move options that I know of will only redirect Desktop, Documents, and Pictures. How are you getting it to also redirect IE Favorites?

    1. smoke and mirrors 🙂

      Setting these reg keys using GPP to redirect Favorites to OneDrive at logon

      HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders = %UserProfile%\OneDrive – Company\Favorites
      HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders = %UserProfile%\OneDrive – Company\Favorites

      We also redirect the TEMPLATES folder to “OneDrive\Documents\Templates” in a similar manner. It ensures the users templates follow them in a shared computing environment.
