OneDrive sync client crashes on Windows 7 due to Azure AD Conditional Access

 

Introduction:

With OneDrive, you can sync files between your computer and the cloud, so you can get to your files from anywhere. You can work with your synced files directly in File Explorer and access your files even when you're offline. Whenever you're online, any changes that you or others make will sync automatically. By default, the OneDrive client is installed on Windows 10, so you only need to install it on Windows 7. For how to install OneDrive on Windows 7 with a detection method using SCCM, read http://eskonr.com/2017/12/how-to-deploy-onedrive-for-business-using-configmgr/

You can download the new OneDrive sync client from https://go.microsoft.com/fwlink/p/?linkid=844652

New OneDrive sync client release notes: https://support.office.com/en-us/article/new-onedrive-sync-client-release-notes-845dcf18-f921-435e-bf28-4e24b95e5fc0

Problem:

We have a Conditional Access policy applied to the cloud app called SharePoint Online. SharePoint is the backbone for OneDrive and Teams, and Conditional Access is applied to these 2 applications.

The new OneDrive sync client works with the conditional access control policies to ensure syncing is only done with compliant/Hybrid Azure AD Joined devices.


If a user tries to access Teams or OneDrive from Windows 7 or Windows 10, the device must be either compliant (for Windows 10) or Hybrid Azure AD joined.

We recently started seeing an issue on Windows 7 computers (which are Hybrid Azure AD joined) where the OneDrive sync client crashes when the user tries to launch it after entering credentials.

The affected users had been using OneDrive for a long time, and there were no changes to the infrastructure with respect to OneDrive updates or O365.


View Problem Details/Event viewer reveals the following details:

Faulting application name: OneDrive.exe, version: 17.3.7131.1115, time stamp: 0x5a0d0bd9
Faulting module name: KERNELBASE.dll, version: 6.1.7601.24000, time stamp: 0x5a4996d4
Exception code: 0x4000001f
Fault offset: 0x0001338d
Faulting process id: 0x202c
Faulting application start time: 0x01d3c57ede869140
Faulting application path: C:\Users\username\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 206c675f-3172-11e8-b561-14abc5fc6f2e

Solution:

I spent some time going through the OneDrive logs and Event Viewer, and also tried logging in to the laptop with a different user ID to see if the problem repeats. The issue is reproducible for different users as well.

After spending some time troubleshooting the issue using the OneDrive logs, I found that the Windows 7 computer is not compliant (not Hybrid Azure AD joined) and also failed modern authentication (ADAL).

When I check in the Azure portal, the computer for the user shows as Hybrid Azure AD joined, and the user can access Teams, Outlook and other cloud apps except OneDrive.

The following are the error entries from the OneDrive logs:

[9632][10948] 03-27-2018 09:05:55.470 oauthaadcredentialacquirer.cpp:839!OAuth::AADCredentialAcquirer::ParseTokenErrorResponse [1693] (INFORMATIONAL): Parsed error response. mapped value: DRX_E_AUTH_URL_ERROR_INTERACTION_REQUIRED, error: interaction_required, error_description: AADSTS53000: Windows device is not in required device state: compliant

[9632][9092] 03-27-2018 09:05:51.337 authplatform.cpp:729!AuthLibrary::AuthPlatform::IsADALEnabled [1754] (ERROR): Failed to query regkey: Software\Microsoft\OneDrive, keyname: EnableADAL with result: 2

Based on the logs, this is a modern authentication (ADAL-based) issue, caused by ADAL not being enabled for OneDrive.
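The same reading of the logs can be done programmatically. The following Python code is an added example, not part of the original post or of OneDrive itself: it parses text lines in the format quoted above, orders them by timestamp, and flags the AADSTS error and the failed EnableADAL registry query. It assumes the log is already available as plain text in this format and that "result" is the Win32 status returned by the registry API (2 = ERROR_FILE_NOT_FOUND).

```python
import re
from datetime import datetime

# Constructed sample: the two log entries quoted in this post, as plain text.
SAMPLE_LOG = r"""
[9632][10948] 03-27-2018 09:05:55.470 oauthaadcredentialacquirer.cpp:839!OAuth::AADCredentialAcquirer::ParseTokenErrorResponse [1693] (INFORMATIONAL): Parsed error response. mapped value: DRX_E_AUTH_URL_ERROR_INTERACTION_REQUIRED, error: interaction_required, error_description: AADSTS53000: Windows device is not in required device state: compliant
[9632][9092] 03-27-2018 09:05:51.337 authplatform.cpp:729!AuthLibrary::AuthPlatform::IsADALEnabled [1754] (ERROR): Failed to query regkey: Software\Microsoft\OneDrive, keyname: EnableADAL with result: 2
"""

# [pid][tid] MM-DD-YYYY HH:MM:SS.mmm file.cpp:line!Function [id] (LEVEL): message
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\]\[(?P<tid>\d+)\] "
    r"(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<src>[^!\s]+)!(?P<func>\S+) \[\d+\] "
    r"\((?P<level>[A-Z]+)\): (?P<msg>.*)$"
)
AADSTS_RE = re.compile(
    r"error: (?P<error>\w+), error_description: (?P<code>AADSTS\d+): (?P<text>.*)")
REGKEY_RE = re.compile(
    r"Failed to query regkey: (?P<key>.+?), keyname: (?P<name>\w+) with result: (?P<rc>\d+)")
# Assumption: "result" is the Win32 status returned by the registry API.
WIN32 = {2: "ERROR_FILE_NOT_FOUND (value does not exist)", 5: "ERROR_ACCESS_DENIED"}


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m-%d-%Y %H:%M:%S.%f")
    return rec


def triage(text):
    """Return findings in chronological order as (category, identifier, detail)."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    findings = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        aad = AADSTS_RE.search(rec["msg"])
        reg = REGKEY_RE.search(rec["msg"])
        if aad:
            findings.append(("conditional_access", aad["code"], aad["text"]))
        elif reg:
            rc = int(reg["rc"])
            findings.append(("registry", reg["name"], WIN32.get(rc, f"status {rc}")))
    return findings
```

Sorted by timestamp, the failed EnableADAL lookup (09:05:51) precedes the AADSTS53000 response (09:05:55), so the client found no ADAL setting before the token request was rejected.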

Modern authentication is enabled by default for SharePoint Online, which means client applications like OneDrive and Teams must be enabled to support ADAL.

The following registry values must be created to support ADAL authentication for OneDrive:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive]
"EnableADAL"=dword:00000001
"EnableTeamTier_Internal"=dword:00000001


You can use GPO to create these registry keys for your users.

This fix is already documented in the TechNet support article on known issues: Azure Active Directory conditional access with the OneDrive sync client on Windows.

After the registry changes were applied, the issue was fixed.

We are still trying to identify why the issue was reported only recently, even though users have been using the same OneDrive sync client for a few months and Conditional Access was also applied long ago.

Whether or not you hit this issue, you can apply the GPO changes to avoid ADAL issues with Conditional Access.

This issue happens if you are using an old version of the OneDrive application on the client PC. Microsoft has confirmed that it is an issue with OneDrive, hence you need to update OneDrive to the latest production ring build, OneDrive 18.044.0301.0006.

If you install the latest build, you don't need to make any changes at the registry level. If you have already made the registry changes, installing the new version will force ADAL off, returning them to the config below, hence it is safe to ignore the registry changes already made.

REG ADD HKCU\Software\Microsoft\OneDrive /v EnableADAL /t REG_DWORD /d 0 /f

Until next!
