+- [AddedFolderHardDeleteOnUnmount](deploy-and-configure-on-macos.md#addedfolderharddeleteonunmount)

+- [AddedFolderUnmountOnPermissionsLoss](deploy-and-configure-on-macos.md#addedfolderunmountonpermissionsloss)

+### AddedFolderHardDeleteOnUnmount

+This setting will control the contents of the folder when an unmount of an Added Folder is detected.

+Set the setting's value to **True**, to hard-delete all the contents of the folder when an unmount of an Added Folder is received. Set the value to **False** or don't enable the setting to move the contents of the unmounted folder to the recycle-bin by default.

+The example for this setting in the .plist file is:

+```xml

+<key>AddedFolderHardDeleteOnUnmount</key>

+<(Bool)/>

+```

+### AddedFolderUnmountOnPermissionsLoss

+This setting will control the contents of the folder and the folder itself when the Sync client detects that the user lost permissions to an Added Folder.

+Set the setting's value to **True**, to hard-delete all the contents of the folder and the folder itself when the Sync client detects that the user lost permissions to an Added Folder. Set the value to **False** or don't enable the setting to efault mark the folder in error and prompt the user to remove it. When the user confirms the removals, the contents of the folder are moved to the recycle-bin.

+The example for this setting in the .plist file is:

+```xml

+<key>AddedFolderUnmountOnPermissionsLoss</key>

+<(Bool)/>

+```

+> The OneDrive sync app is supported in a remote app scenario hosted as a Citrix Virtual App.

+## Set up OneDrive in Citrix Virtual Apps

+This article describes how to enable and use OneDrive in Citrix Virtual Apps.

+### Prerequisites

+To enable OneDrive in Citrix Virtual Apps, you must have the following versions of Windows and Citrix Virtual Apps and Desktops (CVAD):

+**Windows**:

+- Windows 11: KB5014019

+- Windows Server 2022: KB5014021

+- Windows 10: KB5014023

+- Windows Server 2019: KB5014022

+**Citrix**:

+- CVAD 7 2203 LTSR CU1 or later.

+- VDA 2212 enables Shellbridge by default. All earlier versions require Shellbridge to be enabled manually.

+- To enable this feature, On 2203 LTSR TS VDA (2019 Server, 2022 Server, Windows 10 RDSH, or Windows 11 RDSH) add the following registry details:

+ `HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Virtual Desktop Agent`<p>

+ `Name: Shellbridge`<p>

+ `Type: REG_DWORD`<p>

+ `Value: 1`

+To ensure that the feature is correctly enabled, open a command window (cmd.exe) and run `start ms-settings:printers`. If the feature is enabled, the printer setting window is displayed.

+**We recommend adding OneDrive.exe to `LogoffCheckSysModules`**.

+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI` <p>

+ `Value Name:LogoffCheckSysModules` <p>

+ `Type:REG_SZ` <p>

+ `String:OneDrive.exe, Microsoft.Sharepoint.exe` <p>

+> [!IMPORTANT]

+> [FSLogix](/fslogix/how-to-install-fslogix) must be used in conjunction with Citrix Virtual Apps for OneDrive to be supported.

+### How to set up OneDrive

+1. Install OneDrive Sync app per machine. See [Install the sync app per-machine](per-machine-installation.md).

+1. Install the latest version of FSLogix. See [Install FSLogix Applications](/fslogix/how-to-install-fslogix).

+ > [!NOTE]

+ > All non-persistent VDI environments require the latest version of FSLogix. Ensure you install the latest version. See [OneDrive sync error FSLogix_unsupported_environment on VMs](/sharepoint/troubleshoot/sync/fslogix-unsupported-environment-sync-error-vm).

+1. Add OneDrive to `HKLM\Software\Microsoft\Windows\CurrentVersion\` by using the following command:

+ `REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "\"C:\Program Files\Microsoft OneDrive\OneDrive.exe\" /background"`

+1. Silently configure user accounts. See [Silently configure user accounts](use-silent-account-configuration.md).

+ > [!NOTE]

+ > Silent sign-in should work if your machine is connected to Microsoft Entra ID. Make sure to turn off this setting if your computer is not Microsoft Entra joined.

+2. Browse to `%localappdata%\Microsoft\OneDrive\\*BuildNumber*\adm\` (for [per-machine sync app](per-machine-installation.md) browse to `%ProgramFiles(x86)%\Microsoft OneDrive\BuildNumber\adm\` or `%ProgramFiles%\Microsoft OneDrive\BuildNumber\adm\` (depending on the OS architecture)) to the subfolder for your language, as necessary (where *BuildNumber* is the number displayed in sync app settings under the **About** tab).

+- (AddedFolderHardDeleteOnUnmount) [Hard-deletes the contents of an added folder when unmounted](#hard-delete-the-contents-of-an-added-folder-when-unmounted)

+- (AddedFolderUnmountOnPermissionsLoss) [Hard-deletes contents of an added folder when user loses permissions to the folder](#hard-delete-the-contents-of-an-added-folder-when-user-loses-permissions-to-the-folder)

+### Hard-delete the contents of an added folder when unmounted

+If you enable this setting, when an unmount of an Added Folder is received, the Sync client will hard-delete all the contents of the folder.

+If admins disable or do not configure this setting, Sync will by default move the contents of the unmounted folder to the recycle-bin.

+Enabling this policy sets the following registry key value to 1:

+`[HKCU\SOFTWARE\Policies\Microsoft\OneDrive]"AddedFolderHardDeleteOnUnmount"=dword:00000001`

+### Hard-delete the contents of an added folder when user loses permissions to the folder

+If you enable this setting, when the Sync client detects that the user lost permissions to an Added Folder, the Sync client will hard-delete all the contents of the folder and the folder itself.

+If admins disable or do not configure this setting, Sync will by default mark the folder in error and prompt the user to remove it. When the user confirms the removals, the contents of the folder are moved to the recycle-bin.

+Enabling this policy sets the following registry key value to 1:

+`[HKCU\SOFTWARE\Policies\Microsoft\OneDrive]"AddedFolderUnmountOnPermissionsLoss"=dword:00000001`

+This setting lets the OneDrive sync app (OneDrive.exe) upload data in the background only when unused bandwidth is available. It prevents the sync app from interfering with other apps that are using the network. This setting is powered by the Windows LEDBAT (Low Extra Delay Background Transport) protocol. When LEDBAT detects increased latency that indicates other TCP connections are consuming bandwidth, the sync app reduces its own consumption to prevent interference. When network latency decreases again and bandwidth is freed up, the sync app increases the upload rate and consume the unused bandwidth.

+If you enable this setting, the sync app upload rate is set to **Adjust automatically** based on bandwidth availability, and users won't be able to change it.

+This policy overrides the user's choice, ensuring OneDrive will automatically start every time they sign in to Windows.

+`

+`

+If you enable this setting, the OneDrive sync app reports device and health data to include in administrative sync reports. You must enable this setting on the devices you want to get reports from.

+If you disable or don't configure this setting, the reminder appears until users select **Don't show this reminder again**.

+> The maximum throughput value detected by the sync app can sometimes be higher or lower than expected because of the different traffic-throttling mechanisms that your Internet Service Provider (ISP) might use. For information about estimating the network bandwidth you need for a sync, see [Network utilization planning for the OneDrive sync app](network-utilization-planning.md).

+If you enable this setting, users aren't prompted with a window to protect their important folders, and the *Manage backup* command is disabled. If the users have already moved their known folders, the files in those folders remain in OneDrive. To redirect the known folders back to the user's device, select **No**. This setting doesn't take effect if you've enabled **Prompt users to move Windows known folders to OneDrive** or **Silently move Windows known folders to OneDrive**.

+If you enable this policy, users see a notification if they delete more than the specified number of files from OneDrive on their local computer. The user is given the option to continue to remove the cloud files, or restore the local files.

+If you don't set any of the following policies, then the default policy will move all the folders (Desktop, Documents, and Pictures) into OneDrive. If you want to specify the folders to move, then you can set any combination of the following policies:

+ Title: "Set up OIDC authentication in SharePoint Server using RSA public keys"

+audience: ITPro

+f1.keywords:

+- NOCSH

+ms.localizationpriority: medium

+ms.assetid: 5cdce2aa-fa6e-4888-a34f-de61713f5096

+description: "Learn how to set up OIDC authentication in SharePoint Server using RSA public keys with Microsoft Entra ID."

+# Set up OIDC authentication in SharePoint Server using RSA public keys

+OIDC is an authentication protocol that uses JSON Web Tokens (JWTs) to verify the identity of users, and grant them access to protected resources. JWTs are digitally signed using either symmetric keys (shared between the issuer and the consumer) or asymmetric keys (public/private key pairs).

+SharePoint Server currently supports OIDC auth flow with x5c keys, which are certificates that contain the public key and other metadata. However, some OIDC providers may not use x5c keys, but instead use RSA public keys that are directly represented with RSA modulus and RSA public exponent. To support these providers, SharePoint Server added the ability to parse and validate RSA public keys in JWTs.

+This article explains the new improvements from Version 24H2 that will help you set up OIDC authentication in SharePoint Server using RSA public keys.

+## OIDC configuration with RSA public keys overview

+1. Set up OIDC with Microsoft Entra ID using Global Administrator credentials by performing the steps mentioned [here](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-1-setup-identity-provider).

+1. Modify the SharePoint Server farm properties based on the version of your SharePoint Server farm. For more information, see [change SharePoint farm properties](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-2-change-sharepoint-farm-properties).

+1. Configure SharePoint to trust the identity provider by creating `SPTrustedIdentityTokenIssuer` with RSA public keys [using the steps mentioned in this article](#step-3-configure-sharepoint-to-trust-the-identity-provider-with-rsa-public-keys).

+1. Configure a web application in SharePoint to be federated with the Microsoft Entra OIDC, using the `SPTrustedIdentityTokenIssuer` created in the previous step. For more information, see [create a new web application](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-4-configure-the-sharepoint-web-application).

+1. Ensure the web application is configured with SSL certificate. To configure the web application, perform the steps to [set the certificate](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-5-ensure-the-web-application-is-configured-with-ssl-certificate).

+1. Create a team site collection as both Windows administrator and federated (Microsoft Entra ID) administrator. For more information, see [create the site collection](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-6-create-the-site-collection).

+1. Set up a People Picker by using a Custom Claims Provider, or the new UPA-backed claim provider included in SharePoint Server Subscription Edition. See [set up People Picker](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-7-set-up-people-picker).

+## Step 3: Configure SharePoint to trust the identity provider with RSA public keys

+For RSA public keys, you create or set up a `SPTrustedTokenIssuer` to store the configuration that SharePoint needs to trust as the OIDC provider. You can configure SharePoint to trust the identity provider either manually or by using the metadata endpoint.

+### Configure SharePoint OIDC with RSA public keys by using metadata endpoint

+An admin can follow the same PowerShell command that is used for x5c keys when using a metadata endpoint for RSA public keys. SharePoint figures out which kind of key is used from the metadata endpoint response and creates the `SPTrustedIdentityTokenIssuer` appropriately. For more information, see [configure SharePoint to trust Microsoft Entra ID by using metadata endpoint](set-up-oidc-auth-in-sharepoint-server-with-msaad.md#configure-sharepoint-to-trust-microsoft-entra-id-by-using-metadata-endpoint) for an example.

+### Configure SharePoint OIDC with RSA public keys manually

+When manually creating or setting up the `SPTrustedIdentityTokenIssuer` for RSA public keys, you must specify a new `-PublicKey` parameter while running the `New-SPTrustedIdentityTokenIssuer` or `Set-SPTrustedIdentityTokenIssuer` cmdlets to define the RSA public key modulus and exponent.

+#### New-SPTrustedIdentityTokenIssuer

+You can run the following PowerShell cmdlet with `-PublicKey` parameter:

+```powershell

+New-SPTrustedIdentityTokenIssuer -Name "RSA-Manual" -Description "RSA Manually Created" -PublicKey $publicKeyXML -ClaimsMappings $emailClaimMap -IdentifierClaim $emailClaimMap.InputClaimType -DefaultClientIdentifier $clientIdentifier -RegisteredIssuerName $registeredissuernameurl -AuthorizationEndPointUri $authendpointurl -SignOutUrl $signouturl -Scope "openid profile"

+```

+The `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet uses the following parameters:

+| Parameter | Description |

+||-|

+|Name | Gives a name to the new token issuer. |

+|Description | Gives a description to the new token issuer. |

+| PublicKey |Specifies that the value should be an XML string defining the RSA public key modulus and exponent <br> Example of `$publicKeyXML` value: <p> `<RSAKeyValue><Modulus>modulus</Modulus><Exponent>exponent</Exponent></RSAKeyValue>`|

+| ClaimsMappings | A `SPClaimTypeMapping` object, which is used to identify which claim in the `id_token` is regarded as identifier in SharePoint. |

+| IdentifierClaim | Specifies the type of identifier. |

+| DefaultClientIdentifier | Specifies the `client_id` of SharePoint server, which is assigned by OIDC identity provider. This is validated against aud claim in `id_token`. |

+| RegisteredIssuerName | Specifies the issuer identifier, which issues the `id_token`. It's used to validate the `id_token`. |

+| AuthorizationEndPointUrl | Specifies the authorization endpoint of the OIDC identity provider. |

+| SignoutUrl | Specifies the sign out endpoint of the OIDC identity provider. |

+To extract the correct `$publicKeyXML` value from an x509 certificate, you can run the following PowerShell command:

+```powershell

+$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2

+$cert.Import("c:\certs\YourSigningCertificateHere.cer")

+$publicKeyXml = $cert.PublicKey.Key.ToXmlString($false)

+```

+#### Set-SPTrustedIdentityTokenIssuer

+The `Set-SPTrustedIdentityTokenIssuer` cmdlet supports the new `-PublicKey` parameter for RSA public keys and takes the same `<RSAKeyValue><Modulus>modulus</Modulus><Exponent>exponent</Exponent></RSAKeyValue>` XML string that `New-SPTrustedIdentityTokenIssuer` uses. Example:

+```powershell

+Set-SPTrustedIdentityTokenIssuer -Identity "RSA-Manual" -PublicKey $publicKeyXml -IsOpenIDConnect

+```

+## Improvements for OIDC configuration

+With Version 24H2, admins can expect the following improvements when configuring the SharePoint Server to trust the identity provider.

+### Allow to configure multiple client identifiers in OIDC

+Configuring of multiple client identifiers is now allowed using -ScopedClientIdentifier switch in an OIDC `SPTrustedIdentityTokenIssuer`. Run the following command:

+```powershell

+Set-SPTrustedIdentityTokenIssuer -Identity <name> -ScopedClientIdentifier Dictionary<Uri,string> -IsOpenIDConnect

+```

+### Enable ClaimsMappings editing capability in Set-SPTrustedIdentityTokenIssuer

+ΓÇïΓÇïIn previous releases of SharePoint Server, when creating `SPTrustedIdentityTokenIssuer`, you need to provide the claims mappings list, which is used to map the claim from IdP token to SharePoint issued token. After `SPTrustedIdentityTokenIssuer` is created, you can only remove the existing claim mapping, or add the removed claim mapping back, which is identically the same as you removed. But, you can't add new claim mapping, which isn't originally in the list or change an existing claim mapping in place.ΓÇ»

+The new update from Version 24H2 build allows users to add a new parameter toΓÇ»`Set-SPTrustedIdentityTokenIssuer` so they can change the claims mappings list. With this new following parameter, you can even modify the claim mappings list of the token issuer.

+New parameter: `-ClaimsMappings <SPClaimMappingPipeBind[]>`

+### Support OIDC IdPs that can't work with wildcard characters in redirection URL

+Some OIDC IdPs, such as Azure Active Directory B2C, canΓÇÖt work with wildcard characters in the redirect URL. This causes SharePoint to be unable to redirect back to the original resource that is being asked after the authentication. In this release, we added a state property in the response header to preserve the redirect URL so that SharePoint will be able to know which URL to redirect to.ΓÇ»

+You can use the following PowerShell cmdlet to enable it on the tokenissuer you've created:

+```powershell

+Set-SPTrustedIdentityTokenIssuer -Identity <name> -UseStateToRedirect:$True -IsOpenIDConnect

+```

+### Refresh certificate by timer job

+A new timer job (RefreshMetadataFeed) is created to automatically fetch the latest configuration settings from configured OIDC metadata endpoint on daily basis and update OIDC trusted token issuer accordingly. It includes the certificates used for token encryption and signing, token issuer, authorization endpoint and SignoutUrl. You can change the frequency of refresh by changing the timer job schedule. For example, you can change the schedule of timer job to ΓÇ£5:00 every SaturdayΓÇ¥ by using PowerShell:

+```powershell

+Get-SPTimerJob refreshmetadafeed | Set-SPTimerJob -Schedule "weekly at sat 5:00"

+```

+This timer job is enabled when you set up a OIDC trusted token issuer with metadata endpoint. If you have a OIDC trusted token issuer setup before applying this update, you need to reset this token issuer again so that timer job can be enabled for this token issuer. You can reset the token issuer by using PowerShell

+```powershell

+Set-SPTrustedIdentityTokenIssuer -Identity <OIDCtokenissuer> -MetadataEndPoint <URL>

+```

+### Configure SharePoint to trust Microsoft Entra ID by using metadata endpoint

+ Title: "New and improved features in SharePoint Server Subscription Edition Version 24H2"

+audience: ITPro

+f1.keywords:

+- NOCSH

+ms.localizationpriority: high

+- IT_Sharepoint_Server

+- IT_Sharepoint_Server_Top

+- Strat_SP_server

+description: "Learn about the new features and updates to existing features in SharePoint Server Subscription Edition Version 24H2."

+# New and improved features in SharePoint Server Subscription Edition Version 24H2

+Learn about the new features and updates introduced in the SharePoint Server Subscription Edition Version 24H2 feature update.

+## Summary of the features

+The following table provides a summary of the new features introduced in the SharePoint Server Subscription Edition Version 24H2 feature update.

+|**Feature**|**Release ring**|**More information**|

+|:--|:--|:--|

+| **Search vertical customization in modern search results** | Standard release | For more information, see [Search vertical customization in modern search results](new-and-improved-features-in-sharepoint-server-subscription-edition-24h1-release.md#search-vertical-customization-in-modern-search-results). <br> <br>This was part of *Early release* in the Version 24H1 feature update. <br/> |

+| **OpenID Connect (OIDC) integration with SharePoint certificate management** | Standard release | For more information, see [OpenID Connect (OIDC) integration with SharePoint certificate management](new-and-improved-features-in-sharepoint-server-subscription-edition-24h1-release.md#openid-connect-oidc-integration-with-sharepoint-certificate-management). <br> <br>This was part of *Early release* in the Version 24H1 feature update. <br/> |

+| **End of support notification for SharePoint Server builds** |Standard release |For more information, see [End of support notification for SharePoint Server builds](#end-of-support-notification-for-sharepoint-server-builds).|

+| **Support RSA public key in OIDC authentication configuration** |Early release |For more information, see [Support RSA public key in OIDC authentication configuration](#support-rsa-public-key-in-oidc-authentication-configuration).|

+## Detailed description of features

+This section provides detailed descriptions of the new and updated features in SharePoint Server Subscription Edition Version 24H2.

+> [!NOTE]

+> Features previously introduced in the Version 24H1 feature update will not be described here. For more information on Version 24H1, see [New and improved features in SharePoint Server Subscription Edition Version 24H1](new-and-improved-features-in-sharepoint-server-subscription-edition-24h1-release.md).

+### End of support notification for SharePoint Server builds

+SharePoint Server Subscription Edition (SPSE) displays notifications in Central Administration and the SharePoint Management Shell when the build of SPSE that's currently installed is approaching its end of support date. The notifications direct SharePoint farm administrators to install the latest update for SPSE to ensure uninterrupted support.

+SharePoint Server Subscription Edition follows the [Modern Lifecycle Policy](/lifecycle/policies/modern) and doesn't have a fixed [End of Support](/lifecycle/definitions#end-of-support) date. However, SharePoint Server Subscription Edition does have a [product servicing policy](../product-servicing-policy/updated-product-servicing-policy-for-sharepoint-server-se.md) that says builds will be supported for one year after its release date. After one year, the build will no longer be supported. This is to ensure that customers stay up to date so they aren't missing important security and quality fixes that are already released, which could cause security breaches in their environments or unnecessary support cases with Microsoft Support.

+The triggers for the notifications are as follows:

+- **6 months until "end of support" date:** Provide an **informational** notice in Central Administration and the SharePoint Management Shell informing the admin that the current build is approaching the end of support, and they should install a newer update.

+- **3 months until "end of support" date:** Provide a **warning notice** in Central Administration and the SharePoint Management Shell informing the admin that the current build is approaching the end of support, and they should install a newer update.

+- **Beyond "end of support" date:** Provide an **error** notice in Central Administration and the SharePoint Management Shell informing the admin that the current build is no longer supported, and they should install a newer update. This error also appears in the Windows Application Event Log.

+### Support RSA public key in OIDC authentication configuration

+OIDC is an authentication protocol that uses JSON Web Tokens (JWTs) to verify the identity of users, and grant them access to protected resources. JWTs are digitally signed using either symmetric keys (shared between the issuer and the consumer) or asymmetric keys (public/private key pairs).

+Some OIDC providers use RSA public keys that are directly represented with RSA modulus and RSA public exponent. To support these providers, SharePoint Server Subscription Edition Version 24H2 now gives the ability to parse and validate RSA public keys in JWTs.

+For more information, see [Set up OIDC authentication in SharePoint Server using RSA public keys](../security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-using-rsa.md).

+|[New and improved features in SharePoint Server Subscription Edition Version 24H2](new-and-improved-features-in-sharepoint-server-subscription-edition-24h2-release.md) <br/> |Learn about the new features and updates to existing features in SharePoint Server Subscription Edition Version 24H2. <br/> |