Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
SharePoint | Deploy And Configure On Macos | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/deploy-and-configure-on-macos.md | Use the following keys to preconfigure or change settings for your users. The ke ## List of settings +- [AddedFolderHardDeleteOnUnmount](deploy-and-configure-on-macos.md#addedfolderharddeleteonunmount) +- [AddedFolderUnmountOnPermissionsLoss](deploy-and-configure-on-macos.md#addedfolderunmountonpermissionsloss) - [AllowTenantList](deploy-and-configure-on-macos.md#allowtenantlist) - [AutomaticUploadBandwidthPercentage](deploy-and-configure-on-macos.md#automaticuploadbandwidthpercentage) - [BlockExternalSync](deploy-and-configure-on-macos.md#blockexternalsync) Use the following keys to preconfigure or change settings for your users. The ke - [Tier](deploy-and-configure-on-macos.md#tier) - [UploadBandwidthLimited](deploy-and-configure-on-macos.md#uploadbandwidthlimited) +### AddedFolderHardDeleteOnUnmount ++This setting will control the contents of the folder when an unmount of an Added Folder is detected. ++Set the setting's value to **True**, to hard-delete all the contents of the folder when an unmount of an Added Folder is received. Set the value to **False** or don't enable the setting to move the contents of the unmounted folder to the recycle-bin by default. ++The example for this setting in the .plist file is: ++```xml +<key>AddedFolderHardDeleteOnUnmount</key> +<(Bool)/> +``` ++### AddedFolderUnmountOnPermissionsLoss ++This setting will control the contents of the folder and the folder itself when the Sync client detects that the user lost permissions to an Added Folder. ++Set the setting's value to **True**, to hard-delete all the contents of the folder and the folder itself when the Sync client detects that the user lost permissions to an Added Folder. Set the value to **False** or don't enable the setting to efault mark the folder in error and prompt the user to remove it. 
When the user confirms the removals, the contents of the folder are moved to the recycle-bin. ++The example for this setting in the .plist file is: ++```xml +<key>AddedFolderUnmountOnPermissionsLoss</key> +<(Bool)/> +``` + ### AllowTenantList This setting prevents the users from uploading files to other organizations by specifying a list of allowed tenant IDs. If you enable this setting, the user gets an error if they attempt to add an account from an organization that isn't in the allowed tenants list. If the user is already added the account, the files stop syncing. This setting takes priority over the **BlockTenantList** setting. Do **NOT** enable both settings at the same time. |
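Review bot: the AddedFolderUnmountOnPermissionsLoss paragraph has a broken phrase: "don't enable the setting to efault mark the folder in error" is missing "by d"; suggest "Set the value to **False** or don't enable the setting to keep the default behaviour: the folder is marked in error and the user is prompted to remove it." Both new settings would also read better if the **True** sentence said outright that hard-deleted contents bypass the recycle bin and cannot be recovered from it, since that is the only difference from the default described in the following sentence and it is the consequence an admin enabling the key has to weigh. Minor: "Set the setting's value to **True**, to hard-delete" has a stray comma before "to".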
SharePoint | Onedrive In Citrix Virtual Apps Deployment Guide | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/onedrive-in-citrix-virtual-apps-deployment-guide.md | - Previously updated : 11/14/2023 Title: Set up OneDrive in Citrix Virtual Apps------ NOCSH----- Adm_O365-- MET150-- BCS160--- Strat_OD_admin-- M365-collaboration -description: In this article, you'll learn how to enable OneDrive in Citrix Virtual Apps. ---# Set up OneDrive in Citrix Virtual Apps --This article describes how to enable and use OneDrive in Citrix Virtual Apps. --## Prerequisites --To enable OneDrive in Citrix Virtual Apps, you must have the following versions of Windows and Citrix Virtual Apps and Desktops (CVAD): --**Windows**: --- Windows 11: KB5014019-- Windows Server 2022: KB5014021-- Windows 10: KB5014023-- Windows Server 2019: KB5014022--**Citrix**: --- CVAD 7 2203 LTSR CU1 or later.-- VDA 2212 enables Shellbridge by default. All earlier versions require Shellbridge to be enabled manually.-- To enable this feature, On 2203 LTSR TS VDA (2019 Server, 2022 Server, Windows 10 RDSH, or Windows 11 RDSH) add the following registry details:-- `HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Virtual Desktop Agent`<p> - `Name: Shellbridge`<p> - `Type: REG_DWORD`<p> - `Value: 1` --To ensure that the feature is correctly enabled, open a command window (cmd.exe) and run `start ms-settings:printers`. If the feature is enabled, the printer setting window is displayed. --**We recommend adding OneDrive.exe to `LogoffCheckSysModules`**. -- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI` <p> - `Value Name:LogoffCheckSysModules` <p> - `Type:REG_SZ` <p> - `String:OneDrive.exe, Microsoft.Sharepoint.exe` <p> --> [!IMPORTANT] -> [FSLogix](/fslogix/how-to-install-fslogix) must be used in conjunction with Citrix Virtual Apps for OneDrive to be supported. --## How to set up OneDrive --1. Install OneDrive Sync app per machine. 
See [Install the sync app per-machine](per-machine-installation.md). -1. Install the latest version of FSLogix. See [Install FSLogix Applications](/fslogix/how-to-install-fslogix). -- > [!NOTE] - > All non-persistent VDI environments require the latest version of FSLogix. Ensure you install the latest version. See [OneDrive sync error FSLogix_unsupported_environment on VMs](/sharepoint/troubleshoot/sync/fslogix-unsupported-environment-sync-error-vm). --1. Add OneDrive to `HKLM\Software\Microsoft\Windows\CurrentVersion\` by using the following command: -- `REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "\"C:\Program Files\Microsoft OneDrive\OneDrive.exe\" /background"` --1. Silently configure user accounts. See [Silently configure user accounts](use-silent-account-configuration.md). -- > [!NOTE] - > Silent sign-in should work if your machine is connected to Microsoft Entra ID. Make sure to turn off this setting if your computer is not Microsoft Entra joined. |
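Review bot: this deletes onedrive-in-citrix-virtual-apps-deployment-guide.md outright (every line is a `-` line) while the same text is added as a new `## Set up OneDrive in Citrix Virtual Apps` section in sync-vdi-support.md in this change set; the commit should also carry a redirect from the old article path to that section, because the only link to it that is visibly updated here is the one in sync-vdi-support.md itself, and any other inbound link will 404 once the file is gone.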
SharePoint | Onedrive In Horizon Virtual Apps Deployment Guide | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/onedrive-in-horizon-virtual-apps-deployment-guide.md | - Previously updated : 07/25/2024 Title: Set up OneDrive in Omnissa Horizon Virtual Apps------ NOCSH----- Adm_O365-- MET150-- BCS160--- Strat_OD_admin-- M365-collaboration -description: In this article, you'll learn how to enable OneDrive in Omnissa Horizon Virtual Apps. ---# Set up OneDrive in Omnissa Horizon Virtual Apps --You can enable OneDrive in Horizon Virtual Apps using the Omnissa Dynamic Environment Manager. --## Prerequisites --To set up and run OneDrive in Horizon Virtual Apps, you'll need to configure and install the Omnissa Dynamic Environment Manager (DEM), which you can learn more about on the [Omnissa website](https://docs.omnissa.com/bundle/DEMInstallConfigGuideV2312/page/IntroductiontoDynamicEnvironmentManager.html). --For more information on configuring published apps with Omnissa Horizon, see the [guidance articles on the Omnissa website](https://docs.omnissa.com/bundle/Desktops-and-Applications-in-HorizonV2312/page/ConfigureHorizon8forPublishedApplicationsDelivery.html). --## Configure Dynamic Environment Manager for OneDrive --1. Launch the Omnissa Dynamic Environment Manager management console, select **Create Config File** and select **Use an Application Template**. --1. Select the application template (Microsoft Office 2016 and 2019, or Microsoft 365), **Select OneDrive for Business** and click **Next**. --1. Provide the file name and description and select **Finish**. --1. 
Add the following **Import / Export** settings: -- `[IncludeRegistryTrees]` \ - `HKCU\Software\Microsoft\Office` \ - `HKCU\Software\Microsoft\Internet Explorer` \ - `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` \ - `HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached` \ - `HKCU\Software\Microsoft\OneDrive` -- `[IncludeFolderTrees]` \ - `<Appdata>\Microsoft\Windows\Recent` \ - `<Appdata>\Microsoft\crypto` \ - `<Appdata>\SystemCertificates` \ - `<LocalAppdata>\Microsoft\IdentityCache` \ - `<LocalAppdata>\Microsoft\Internet Explorer` \ - `<LocalAppdata>\Microsoft\Windows\INetCache` \ ---## Validate OneDrive as default save location --Using the Omnissa Horizon client, launch any Microsoft Office or Microsoft 365 app. --1. Activate Microsoft Office or Microsoft 365. -2. After activation, save a document to verify the default save location is OneDrive. |
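Review bot: the Horizon guide is removed in full here (every line is a `-` line), but unlike the Citrix guide nothing in this change set re-adds its content, so the Dynamic Environment Manager configuration (the `[IncludeRegistryTrees]` and `[IncludeFolderTrees]` lists and the save-location validation steps) is lost unless it lives elsewhere; confirm that, or add a redirect. Wherever that list survives, it deserves one sentence noting that `<Appdata>\Microsoft\crypto`, `<Appdata>\SystemCertificates` and `<LocalAppdata>\Microsoft\IdentityCache` roam the user's key containers, certificates and cached sign-in tokens, so the DEM profile share holds credential material and needs the same access restrictions as the user profile itself.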
SharePoint | Sync Vdi Support | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/sync-vdi-support.md | Previously updated : 04/11/2024 Last updated : 09/09/2024 Title: "Use the sync app on virtual desktops" For all [supported operating systems](https://support.office.com/article/cc0cb2b - Non-persistent virtual desktops that have [FSLogix Apps](/fslogix/configure-profile-container-tutorial) or [FSLogix Office Container](/fslogix/configure-office-container-tutorial), and a Microsoft 365 subscription for all of the following operating systems: - Windows 10 and 11, 32-bit or 64-bit (supports VMDK files) - Windows Server 2022 (supports VHDX)- - Windows Server 2019 (supports VHDX) - Windows Server 2016 (supports VHDX) - Windows Server 2012 R2 (supports VHDX) For all [supported operating systems](https://support.office.com/article/cc0cb2b > > For Windows Server, the [SMB network file sharing protocol](/windows-server/storage/file-server/file-server-smb-overview) is also required. >-> The OneDrive sync app is supported in a remote app scenario hosted as a [Citrix Virtual App](onedrive-in-citrix-virtual-apps-deployment-guide.md). +> The OneDrive sync app is supported in a remote app scenario hosted as a Citrix Virtual App. > > The OneDrive sync app with FSLogix does not support running multiple instances of the same container simultaneously. +## Set up OneDrive in Citrix Virtual Apps ++This article describes how to enable and use OneDrive in Citrix Virtual Apps. ++### Prerequisites ++To enable OneDrive in Citrix Virtual Apps, you must have the following versions of Windows and Citrix Virtual Apps and Desktops (CVAD): ++**Windows**: ++- Windows 11: KB5014019 +- Windows Server 2022: KB5014021 +- Windows 10: KB5014023 +- Windows Server 2019: KB5014022 ++**Citrix**: ++- CVAD 7 2203 LTSR CU1 or later. +- VDA 2212 enables Shellbridge by default. All earlier versions require Shellbridge to be enabled manually. 
+- To enable this feature, On 2203 LTSR TS VDA (2019 Server, 2022 Server, Windows 10 RDSH, or Windows 11 RDSH) add the following registry details: ++ `HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Virtual Desktop Agent`<p> + `Name: Shellbridge`<p> + `Type: REG_DWORD`<p> + `Value: 1` ++To ensure that the feature is correctly enabled, open a command window (cmd.exe) and run `start ms-settings:printers`. If the feature is enabled, the printer setting window is displayed. ++**We recommend adding OneDrive.exe to `LogoffCheckSysModules`**. ++ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI` <p> + `Value Name:LogoffCheckSysModules` <p> + `Type:REG_SZ` <p> + `String:OneDrive.exe, Microsoft.Sharepoint.exe` <p> ++> [!IMPORTANT] +> [FSLogix](/fslogix/how-to-install-fslogix) must be used in conjunction with Citrix Virtual Apps for OneDrive to be supported. ++### How to set up OneDrive ++1. Install OneDrive Sync app per machine. See [Install the sync app per-machine](per-machine-installation.md). +1. Install the latest version of FSLogix. See [Install FSLogix Applications](/fslogix/how-to-install-fslogix). ++ > [!NOTE] + > All non-persistent VDI environments require the latest version of FSLogix. Ensure you install the latest version. See [OneDrive sync error FSLogix_unsupported_environment on VMs](/sharepoint/troubleshoot/sync/fslogix-unsupported-environment-sync-error-vm). ++1. Add OneDrive to `HKLM\Software\Microsoft\Windows\CurrentVersion\` by using the following command: ++ `REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "\"C:\Program Files\Microsoft OneDrive\OneDrive.exe\" /background"` ++1. Silently configure user accounts. See [Silently configure user accounts](use-silent-account-configuration.md). ++ > [!NOTE] + > Silent sign-in should work if your machine is connected to Microsoft Entra ID. Make sure to turn off this setting if your computer is not Microsoft Entra joined. 
+ ## See also Learn more about [VHDX](/openspecs/windows_protocols/ms-vhdx/83f6b700-6216-40f0-aa99-9fcb421206e2) and [VHD](/windows/desktop/vstor/about-vhd). |
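Review bot: the replacement line "The OneDrive sync app is supported in a remote app scenario hosted as a Citrix Virtual App." drops the link instead of retargeting it; since the Citrix guide now lives in this same article, link the phrase to the new section (`[Citrix Virtual App](#set-up-onedrive-in-citrix-virtual-apps)`) so readers of the note still reach the setup steps.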
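Review bot: in the new "How to set up OneDrive" steps the prose says "Add OneDrive to `HKLM\Software\Microsoft\Windows\CurrentVersion\`" but the command that follows writes to `...\CurrentVersion\Run`; name `Run` in the prose so an admin checking the key by hand looks in the right place. The `REG ADD` line also has no `/f`: if the `OneDrive` value already exists (a re-run on an updated image), reg.exe stops to ask whether to overwrite, which stalls an unattended build; add `/f` or state that the command prompts on re-run. Minor: "To enable this feature, On 2203 LTSR" has a mid-sentence capital "On", and the `<p>` tags used as line breaks in the registry details are raw HTML in markdown; a bulleted list renders the same without them.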
SharePoint | Use Group Policy | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/use-group-policy.md | Previously updated : 05/23/2024 Last updated : 09/09/2024 Title: IT Admins - Use OneDrive policies to control sync settings-+ This article describes the OneDrive Group Policy objects (GPOs) that administrat 1. Install the OneDrive sync app for Windows. (For information on the builds that are being released, and on the download builds, see [release notes](https://support.office.com/article/845dcf18-f921-435e-bf28-4e24b95e5fc0?).) Installing the sync app downloads the .adml and .admx files. -1. Browse to `%localappdata%\Microsoft\OneDrive\\*BuildNumber*\adm\` (for [per-machine sync app](per-machine-installation.md) browse to `%ProgramFiles(x86)%\Microsoft OneDrive\BuildNumber\adm\` or `%ProgramFiles%\Microsoft OneDrive\BuildNumber\adm\` (depending on the OS architecture)) to the subfolder for your language, as necessary (where *BuildNumber* is the number displayed in sync app settings under the **About** tab). +2. Browse to `%localappdata%\Microsoft\OneDrive\\*BuildNumber*\adm\` (for [per-machine sync app](per-machine-installation.md) browse to `%ProgramFiles(x86)%\Microsoft OneDrive\BuildNumber\adm\` or `%ProgramFiles%\Microsoft OneDrive\BuildNumber\adm\` (depending on the OS architecture)) to the subfolder for your language, as necessary (where *BuildNumber* is the number displayed in sync app settings under the **About** tab). ![The ADM folder in the OneDrive installation directory](media/85e0fe3f-84eb-4a29-877f-c706dda4d075.png)- + 3. Copy the .adml and .admx files. 4. Paste the .admx file in your domain's Central Store, `\\\\*domain*\sysvol\domain\Policies\PolicyDefinitions` (where *domain* is your domain name, such as corp.contoso.com), and the .adml file in the appropriate language subfolder, such as en-us. 
If the PolicyDefinitions folder doesn't exist, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759), or use your local policy store under `%windir%\policydefinitions`. The OneDrive GPOs work by setting registry keys on the computers in your domain. ## List of policies by string ID +- (AddedFolderHardDeleteOnUnmount) [Hard-deletes the contents of an added folder when unmounted](#hard-delete-the-contents-of-an-added-folder-when-unmounted) ++- (AddedFolderUnmountOnPermissionsLoss) [Hard-deletes contents of an added folder when user loses permissions to the folder](#hard-delete-the-contents-of-an-added-folder-when-user-loses-permissions-to-the-folder) + - (AllowTenantList) [Allow syncing OneDrive accounts for only specific organizations](use-group-policy.md#allow-syncing-onedrive-accounts-for-only-specific-organizations) - (AutomaticUploadBandwidthPercentage) [Limit the sync app upload rate to a percentage of throughput](use-group-policy.md#limit-the-sync-app-upload-rate-to-a-percentage-of-throughput) Under Computer Configuration\Policies\Administrative Templates\OneDrive, navigat ![Computer Configuration policies in the Group Policy Management Editor](media/07b81d35-9ccc-4c61-8a86-52d9bcff7ddb.png) +### Hard-delete the contents of an added folder when unmounted ++If you enable this setting, when an unmount of an Added Folder is received, the Sync client will hard-delete all the contents of the folder. ++If admins disable or do not configure this setting, Sync will by default move the contents of the unmounted folder to the recycle-bin. 
++Enabling this policy sets the following registry key value to 1: ++`[HKCU\SOFTWARE\Policies\Microsoft\OneDrive]"AddedFolderHardDeleteOnUnmount"=dword:00000001` ++### Hard-delete the contents of an added folder when user loses permissions to the folder ++If you enable this setting, when the Sync client detects that the user lost permissions to an Added Folder, the Sync client will hard-delete all the contents of the folder and the folder itself. ++If admins disable or do not configure this setting, Sync will by default mark the folder in error and prompt the user to remove it. When the user confirms the removals, the contents of the folder are moved to the recycle-bin. ++Enabling this policy sets the following registry key value to 1: ++`[HKCU\SOFTWARE\Policies\Microsoft\OneDrive]"AddedFolderUnmountOnPermissionsLoss"=dword:00000001` + ### Allow OneDrive to disable Windows permission inheritance in folders synced read-only This setting lets the OneDrive sync app remove all inherited permissions within read-only folders syncing on a user's PC. This removal of inherited permissions improves the performance of the sync app when syncing folders that the user has read-only permission to. Enabling this policy sets the following registry key value to 1: ### Allow syncing OneDrive accounts for only specific organizations -<a name="AllowTenantList"> </a> - This setting lets you prevent users from easily uploading files to other organizations by specifying a list of allowed tenant IDs. If you enable this setting, users get an error if they attempt to add an account from an organization that isn't allowed. If a user has already added the account, the files stop syncing. 
This setting takes priority over [Block syncing OneDrive accounts for specific o ### Block file downloads when users are low on disk space -<a name="MinDiskSpaceLimitInMB"> </a> - This setting lets you specify a minimum amount of available disk space and block the OneDrive sync app (OneDrive.exe) from downloading files when users have less than this amount. Users are prompted with options to help free up space. Enabling this policy sets the following registry key value to a number from 0 th ### Block syncing OneDrive accounts for specific organizations -<a name="BlockTenantList"> </a> - This setting lets you prevent users from uploading files to another organization by specifying a list of blocked tenant IDs. If you enable this setting, users get an error if they attempt to add an account from an organization that's blocked. If a user has already added the account, the files stop syncing. This setting does NOT work if you enable the [Allow syncing OneDrive accounts fo ### Convert synced team site files to online-only files -<a name="DehydrateSyncedTeamSites"> </a> - This setting lets you convert synced SharePoint files to online-only files when you enable **OneDrive Files On-Demand**. If you have many PCs syncing the same team site, enabling this setting helps you minimize network traffic and local storage usage. If you enable this setting, files in currently syncing team sites are changed to online-only files, by default. Files later added or updated in the team site are also downloaded as online-only files. To use this setting, the computer must be running Windows 10 Fall Creators Update (version 1709) or later, and you must enable **OneDrive Files On-Demand**. 
For information about querying and setting file and folder states, see [Query an ### Enable automatic upload bandwidth management for OneDrive -<a name="EnableAutomaticUploadBandwidthManagement"> </a> --This setting lets the OneDrive sync app (OneDrive.exe) upload data in the background only when unused bandwidth is available. It prevents the sync app from interfering with other apps that are using the network. This setting is powered by the Windows LEDBAT (Low Extra Delay Background Transport) protocol. When LEDBAT detects increased latency that indicates other TCP connections are consuming bandwidth, the sync app will reduce its own consumption to prevent interference. When network latency decreases again and bandwidth is freed up, the sync app will increase the upload rate and consume the unused bandwidth. +This setting lets the OneDrive sync app (OneDrive.exe) upload data in the background only when unused bandwidth is available. It prevents the sync app from interfering with other apps that are using the network. This setting is powered by the Windows LEDBAT (Low Extra Delay Background Transport) protocol. When LEDBAT detects increased latency that indicates other TCP connections are consuming bandwidth, the sync app reduces its own consumption to prevent interference. When network latency decreases again and bandwidth is freed up, the sync app increases the upload rate and consume the unused bandwidth. -If you enable this setting, the sync app upload rate will be set to **Adjust automatically** based on bandwidth availability, and users won't be able to change it. +If you enable this setting, the sync app upload rate is set to **Adjust automatically** based on bandwidth availability, and users won't be able to change it. If you don't configure this setting, users can choose to limit the upload rate to a fixed value (in KB/second), or set it to **Adjust automatically**. 
Enabling this policy sets the following registry key value to 1: ### Always start OneDrive automatically when signing in to Windows -<a name="EnableAutoStart"> </a> --This policy overrides the user's choice, ensuring OneDrive will automatically start every time they sign in to Windows. +This policy overrides the user's choice, ensuring OneDrive will automatically start every time they sign in to Windows. Enabling this policy sets the following registry key value to 1: --``` +` [HKCU\Software\Policies\Microsoft\OneDrive]"EnableAutoStart"=dword:00000001-``` +` ### Enable sync health reporting for OneDrive -<a name="EnableSyncAdminReports"> </a> - This policy lets the OneDrive sync app report sync device and health data included in administrative sync reports. -If you enable this setting, the OneDrive sync app will report device and health data to include in administrative sync reports. You must enable this setting on the devices you want to get reports from. +If you enable this setting, the OneDrive sync app reports device and health data to include in administrative sync reports. You must enable this setting on the devices you want to get reports from. If you disable or don't configure this setting, OneDrive sync app device and health data won't appear in the admin reports. When a user deletes local files from a synced location, a warning message appear If you enable this setting, users won't see the **Deleted files are removed everywhere** reminder when they delete files locally. (This reminder is called "Deleted files are removed for everyone" when a user deletes files from a synced team site.) -If you disable or don't configure this setting, the reminder will appear until users select **Don't show this reminder again**. +If you disable or don't configure this setting, the reminder appears until users select **Don't show this reminder again**. 
Enabling this policy sets the following registry key value to 1: `HKLM\SOFTWARE\Policies\Microsoft\OneDrive\DisableFirstDeleteDialog =dword:00000001` Enabling this policy sets the following registry key value to 1: ### Limit the sync app upload rate to a percentage of throughput -<a name="AutomaticUploadBandwidthPercentage"> </a> - This setting lets you balance the performance of different upload tasks on a computer by specifying the percentage of the computer's upload throughput that the OneDrive sync app (OneDrive.exe) can use to upload files. Setting this throughput as a percentage lets the sync app respond to both increases and decreases in throughput. The lower the percentage you set, the slower the files get uploaded. We recommend a value of 50% or higher. The sync app periodically uploads without restriction for one minute and then slows down to the upload percentage you set. This pattern lets small files upload quickly while preventing large uploads from dominating the computer's upload throughput. We recommend enabling this setting temporarily when you roll out [Silently move Windows known folders to OneDrive](use-group-policy.md#silently-move-windows-known-folders-to-onedrive), or [Prompt users to move Windows known folders to OneDrive](use-group-policy.md#prompt-users-to-move-windows-known-folders-to-onedrive) to control the network impact of uploading known folder contents. ![Upload Throughput Calculation](media/limit-upload-rate-percentage-throughput.png) > [!NOTE]-> The maximum throughput value detected by the sync app can sometimes be higher or lower than expected because of the different traffic-throttling mechanisms that your Internet Service Provider (ISP) might use. <br>For information about estimating the network bandwidth you need for a sync, see [Network utilization planning for the OneDrive sync app](network-utilization-planning.md). 
+> The maximum throughput value detected by the sync app can sometimes be higher or lower than expected because of the different traffic-throttling mechanisms that your Internet Service Provider (ISP) might use. For information about estimating the network bandwidth you need for a sync, see [Network utilization planning for the OneDrive sync app](network-utilization-planning.md). If you enable this setting and enter a percentage (from 10 to 99) in the **Bandwidth** box, computers use the percentage of upload throughput that you specify when uploading files to OneDrive, and users can't change it. If you disable or don't configure this setting, users can choose to limit the up ### Prevent authentication from automatically happening -<a name="DisableAutoConfig"> </a> - This setting determines whether or not the Sync client can automatically sign in. If you enable this setting, it prevents Sync from automatically signing in with an existing Microsoft Entra credential that is made available to Microsoft applications. Enabling this policy sets the following registry key value to 1: ### Prevent the sync app from generating network traffic until users sign in -<a name="PreventNetworkTrafficPreUserSignIn"> </a> - This setting lets you block the OneDrive sync app (OneDrive.exe) from generating network traffic (checking for updates) until users sign in to OneDrive or start syncing files on their computer. If you enable this setting, users must sign in to the OneDrive sync app on their computer, or select to sync OneDrive or SharePoint files on the computer, for the sync app to start automatically. Re-enable offline mode in OneDrive on the web for libraries and folders that are ### Prevent users from moving their Windows known folders to OneDrive -<a name="KFMBlockOptIn"> </a> - This setting prevents users from moving their Documents, Pictures, and Desktop folders to any OneDrive account. 
> [!NOTE] > Moving known folders to personal OneDrive accounts is already blocked on domain-joined PCs. -If you enable this setting, users aren't prompted with a window to protect their important folders, and the *Manage backup* command is disabled. If the users have already moved their known folders, the files in those folders will remain in OneDrive. To redirect the known folders back to the user's device, select **No**. This setting doesn't take effect if you've enabled **Prompt users to move Windows known folders to OneDrive** or **Silently move Windows known folders to OneDrive**. +If you enable this setting, users aren't prompted with a window to protect their important folders, and the *Manage backup* command is disabled. If the users have already moved their known folders, the files in those folders remain in OneDrive. To redirect the known folders back to the user's device, select **No**. This setting doesn't take effect if you've enabled **Prompt users to move Windows known folders to OneDrive** or **Silently move Windows known folders to OneDrive**. If you disable or don't configure this setting, users can choose to move their known folders. To redirect the known folders back to the user's device and enable this policy, ### Prevent users from redirecting their Windows known folders to their PC -<a name="KFMBlockOptOut"> </a> - This setting forces users to keep their Documents, Pictures, and Desktop folders directed to OneDrive. If you enable this setting, the **Stop protecting** button in the **Set up protection of important folders** window is disabled, and users receive an error if they try to stop syncing a known folder. 
Enabling this policy sets the following registry key value to 1: ### Prevent users from syncing libraries and folders shared from other organizations -<a name="BlockExternalSync"> </a> - The B2B Sync feature of the OneDrive sync app lets users at an organization to sync OneDrive and SharePoint libraries and folders shared with them from another organization. For more information, see [B2B Sync](b2b-sync.md). Enabling this setting prevents users at your organization from being able to use B2B Sync. After the setting is enabled (by entering value 1) on a computer, the sync app doesn't sync libraries and folders shared from other organizations. Modify the setting to the disabled state (by entering value 0) to restore B2B Sync capability for your users. Restore B2B Sync with: ### Prompt users to move Windows known folders to OneDrive -<a name="KFMOptInWithWizard"> </a> - This setting shows a window that prompts users to move their Documents, Pictures, and Desktop folders to OneDrive. If you enable this setting and provide your tenant ID, users who are syncing their OneDrive see the previous window when they're signed in. If they close the window, a reminder notification appears in the Activity Center until they move all their known folders. If users have already redirected their known folders to a different OneDrive account, they're prompted to direct the folders to the account for your organization (leaving existing files behind). For information and recommendations, see [Redirect and move Windows known folder ### Prompt users when they delete multiple OneDrive files on their local computer -<a name="LocalMassDeleteFileDeleteThreshold"> </a> - This policy sets the threshold for how many files a user can delete from a local OneDrive folder before the user is notified that the files will also be deleted from the cloud. -If you enable this policy, users will see a notification if they delete more than the specified number of files from OneDrive on their local computer. 
The user will be given the option to continue to remove the cloud files, or restore the local files. +If you enable this policy, users see a notification if they delete more than the specified number of files from OneDrive on their local computer. The user is given the option to continue to remove the cloud files, or restore the local files. > [!NOTE] > Even if you enable this policy, users won't receive notifications if they've checked the **Always remove files** checkbox on a previous notification, or if they've cleared the **Notify me when many files are deleted in the cloud** checkbox in OneDrive sync app settings. Enabling this policy sets the following registry key value to a number from 0 th ### Require users to confirm large delete operations -<a name="ForcedLocalMassDeleteDetection"> </a> - This setting makes users confirm that they want to delete files in the cloud when they delete a large number of synced files. If you enable this setting, a warning always appears when users delete a large number of synced files. If a user doesn't confirm a delete operation within seven days, the files aren't deleted. Enabling this policy sets the following registry key value to 1: ### Set the maximum size of a user's OneDrive that can download automatically -<a name="DiskSpaceCheckThresholdMB"> </a> - This setting is used with [Silently sign in users to the OneDrive sync app with their Windows credentials](use-group-policy.md#silently-sign-in-users-to-the-onedrive-sync-app-with-their-windows-credentials) on devices that don't have **OneDrive Files On-Demand** enabled. Any user who has a OneDrive that's larger than the specified threshold (in MB) is prompted to choose the folders they want to sync before the OneDrive sync app (OneDrive.exe) downloads the files. To enter the tenant ID and the maximum size in MB (from 0 to 4294967295), in the **Options** box, select **Show**. The default value is **500**. 
where "1111-2222-3333-4444" is the [tenant ID](find-your-office-365-tenant-id.md ### Set the sync app update ring -<a name="GPOSetUpdateRing"> </a> - We release OneDrive sync app (OneDrive.exe) updates to the public through three rings - first to Insiders, then Production, and finally Deferred. This setting lets you specify the ring for users in your organization. When you enable this setting and select a ring, users can't change it. "Insiders ring" users receive builds that let them preview new features coming to OneDrive. For more information on the builds currently available in each ring, see the [re ### Silently move Windows known folders to OneDrive -<a name="KFMOptInNoWizard"> </a> - Use this setting to redirect and move your users' Documents, Pictures, and/or Desktop folders to OneDrive without any user interaction. > [!NOTE] where "1111-2222-3333-4444" is a string value representing the [tenant ID](find- Setting this value to **1** shows a notification after a successful redirection. -If you don't set any of the following policies, then the default policy will move all the folders (Desktop, Documents, and Pictures) into OneDrive. If you want to specify the folder(s) to move, then you can set any combination of the following policies: +If you don't set any of the following policies, then the default policy will move all the folders (Desktop, Documents, and Pictures) into OneDrive. If you want to specify the folders to move, then you can set any combination of the following policies: `[HKLM\SOFTWARE\Policies\Microsoft\OneDrive]"KFMSilentOptInDesktop"=dword:00000001`: Setting this value to **1** will move the Desktop folder. 
For more information, see [Redirect and move Windows known folders to OneDrive]( ### Silently sign in users to the OneDrive sync app with their Windows credentials -<a name="SilentAccountConfig"> </a> - > [!IMPORTANT] > [Microsoft Authentication Library](/azure/active-directory/develop/msal-overview) (MSAL) is enabled automatically when the sync user is provisioned via `SilentAccountConfig`; so you don't have to enable it separately. > This setting is for customers who have SharePoint Server 2019. For information a ### Use OneDrive Files On-Demand -<a name="FilesOnDemandEnabled"> </a> - This setting lets you control whether **OneDrive Files On-Demand** is enabled for your organization. **OneDrive Files On-Demand** helps you save storage space on your users' computers, and minimize the network impact of a sync. The feature is available to users running Windows 10 Fall Creators update (version 1709 or later). For more information, see [Save disk space with OneDrive Files On-Demand for Windows 10](https://support.office.com/article/0e6860d3-d9f3-4971-b321-7092438fb38e). > [!IMPORTANT] Meet Windows and OneDrive sync app requirements and still can't see **OneDrive F ### Warn users who are low on disk space -<a name="WarningMinDiskSpaceLimitInMB"> </a> - This setting lets you specify a minimum amount of available disk space, and warn users when the OneDrive sync app (OneDrive.exe) downloads a file that causes them to have less than this amount. Users are prompted with options to help free up space. Enabling this policy sets the following registry key value to a number from 0 through 10240000: Enabling this policy sets the following registry key value to a number from 0 th ## User Configuration policies -<a name="Glob"> </a> - Find *User Configuration policies* under User Configuration\Policies\Administrative Templates\OneDrive. 
![OneDrive settings in Group Policy Management Editor](media/8e121823-b5bf-440c-999d-c2a9ada4705d.png) ### Allow users to choose how to handle Office file sync conflicts -<a name="EnableHoldTheFile"> </a> - This setting specifies what happens when conflicts occur between Office file versions during a sync. (This option is available for Office 2016 or later only. With earlier versions of Office, both copies are always kept.) If you enable this setting, users can decide if they want to merge changes or keep both copies. To enable this setting, you must enable [Coauthor and share in Office desktop ap ### Coauthor and share in Office desktop apps -<a name="EnableAllOcsiClients"> </a> - This setting lets multiple users use the Microsoft 365 Apps for enterprise, Office 2019, or Office 2016 desktop apps to simultaneously edit an Office file stored in OneDrive. It also lets users share files from the Office desktop apps. > [!IMPORTANT] If you disable this setting, coauthoring and in-app sharing for Office files are ### Configure team site libraries to sync automatically -<a name="AutoMountTeamSites"> </a> - This setting lets you specify SharePoint team site libraries to sync automatically the next time users sign in to the OneDrive sync app (OneDrive.exe), within an eight-hour window, to help distribute network load. To use this setting, the computer must be running Windows 10 Fall Creators Update (version 1709) or later, and you must enable **OneDrive Files On-Demand**. This feature isn't enabled for on-premises SharePoint sites. Enabling this policy sets the following registry key, using the entire URL from ### Continue syncing on metered networks -<a name="DisablePauseOnMeteredNetwork"> </a> - This setting lets you turn off the auto-pause feature when devices connect to metered networks. If you enable this setting, syncing continues when devices are on a metered network. OneDrive doesn't automatically pause syncing. 
Enabling this policy sets the following registry key value to 1: ### Continue syncing when devices have battery saver mode turned on -<a name="DisablePauseOnBatterySaver"> </a> - This setting lets you turn off the auto-pause feature for devices that have battery saver mode turned on. If you enable this setting, syncing continues when users turn on battery saver mode. OneDrive doesn't automatically pause syncing. Enabling this policy sets the following registry key value to 1: ### Disable the tutorial that appears at the end of OneDrive Setup -<a name="DisableFRETutorial"> </a> - This setting lets you prevent the tutorial from showing at the end of OneDrive Setup. If you enable this setting, users don't see the tutorial after they complete OneDrive Setup. Enabling this policy sets the following registry key value to 1: ### Limit the sync app download speed to a fixed rate -<a name="DownloadBandwidthLimit"> </a> - This setting lets you configure the maximum speed at which the OneDrive sync app (OneDrive.exe) can download files. This rate is a fixed value in kilobytes per second, and applies only to syncing, not to downloading updates. The lower the rate, the slower the files download. We recommend that you use this setting in cases where **OneDrive Files On-Demand** is NOT enabled, and where strict traffic restrictions are required, such as when you initially deploy the sync app in your organization or enable syncing of team sites. We don't recommend that you use this setting on an ongoing basis because it decreases sync app performance and negatively impacts the user experience. After the initial sync, users typically sync only a few files at a time, and it doesn't have a significant effect on network performance. If you enable this setting, computers use the maximum download rate that you specify, and users can't change it. 
For information about estimating the network bandwidth you need for a sync, see ### Limit the sync app upload speed to a fixed rate -<a name="UploadBandwidthLimit"> </a> - This setting lets you configure the maximum speed at which the OneDrive sync app (OneDrive.exe) can upload files. This rate is a fixed value in kilobytes per second. The lower the rate, the slower the computer uploads files. If you enable this setting and enter the rate (from 1 to 100000) in the **Bandwidth** box, computers use the maximum upload rate that you specify, and users can't change it in OneDrive settings. The maximum rate is 100000 KB/s. Any input lower than 50 KB/s sets the limit to 50 KB/s, even if the UI shows a lower value. For information about estimating the network bandwidth you need for a sync, see ### Prevent users from changing the location of their OneDrive folder -<a name="DisableCustomRoot"> </a> - This setting lets you block users from changing the location of the OneDrive folder on their computer. To use this setting, in the **Options** box, select **Show**, and enter your [tenant ID](find-your-office-365-tenant-id.md). To enable the setting, enter **1**; to disable it, enter **0**. If you disable this setting, users can change the location of their sync folder ### Prevent users from syncing personal OneDrive accounts -<a name="DisablePersonalSync"> </a> - This setting lets you block users from signing in with a Microsoft account to sync their personal OneDrive files. By default, users are allowed to sync personal OneDrive accounts. If you enable this setting, users are prevented from setting up a sync relationship for their personal OneDrive account. Users who are already syncing their personal OneDrive when you enable this setting can't continue syncing (they receive a message that syncing has stopped), but any files synced to the computer remain on the computer. 
Enabling this policy sets the following registry key value to 1: ### Receive OneDrive sync app updates on the Deferred ring -<a name="EnableEnterpriseUpdate"> </a> - > [!IMPORTANT] > This setting will be removed soon. We recommend using the new setting [Set the sync app update ring](use-group-policy.md#set-the-sync-app-update-ring) instead. For more information about the update rings and how the sync app checks for upda ### Set the default location for the OneDrive folder -<a name="DefaultRootDir"> </a> - This setting lets you set a specific path as the default location of the OneDrive folder on users' computers. By default, the path is under %userprofile%. If you enable this setting, the default location of the *OneDrive - {organization name}* folder is the path that you specify. To specify your tenant ID and the path, in the **Options** box, select **Show**. If you disable this setting, the local *OneDrive - {organization name}* folder ## See also -<a name="Glob"> </a> - [Deploy the new OneDrive sync app in an enterprise environment](deploy-on-windows.md) [Prevent users from installing the sync app](prevent-installation.md) |
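Review bot: Removing the `<a name="…"> </a>` anchors (BlockExternalSync, KFMOptInWithWizard, LocalMassDeleteFileDeleteThreshold, and the rest through DefaultRootDir) changes the fragment identifiers that bookmarks and other pages may use for this article; before merging, confirm that nothing still links to the old `#BlockExternalSync`-style fragments, since the headings' auto-generated slugs are the only anchors left. The in-article cross-reference `use-group-policy.md#silently-sign-in-users-to-the-onedrive-sync-app-with-their-windows-credentials` already uses the heading slug and is unaffected. Dropping `<a name="Glob">` is correct regardless: it appears under both "User Configuration policies" and "See also", and a duplicated `name` gives an ambiguous fragment.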
SharePoint | Set Up Oidc Auth In Sharepoint Server Using Rsa | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-using-rsa.md | + Last updated : 08/06/2024 + Title: "Set up OIDC authentication in SharePoint Server using RSA public keys" +++++audience: ITPro +f1.keywords: +- NOCSH +++ms.localizationpriority: medium ++ms.assetid: 5cdce2aa-fa6e-4888-a34f-de61713f5096 +description: "Learn how to set up OIDC authentication in SharePoint Server using RSA public keys with Microsoft Entra ID." +++# Set up OIDC authentication in SharePoint Server using RSA public keys +++OIDC is an authentication protocol that uses JSON Web Tokens (JWTs) to verify the identity of users, and grant them access to protected resources. JWTs are digitally signed using either symmetric keys (shared between the issuer and the consumer) or asymmetric keys (public/private key pairs). ++SharePoint Server currently supports OIDC auth flow with x5c keys, which are certificates that contain the public key and other metadata. However, some OIDC providers may not use x5c keys, but instead use RSA public keys that are directly represented with RSA modulus and RSA public exponent. To support these providers, SharePoint Server added the ability to parse and validate RSA public keys in JWTs. ++This article explains the new improvements from Version 24H2 that will help you set up OIDC authentication in SharePoint Server using RSA public keys. ++## OIDC configuration with RSA public keys overview ++1. Set up OIDC with Microsoft Entra ID using Global Administrator credentials by performing the steps mentioned [here](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-1-setup-identity-provider). +1. Modify the SharePoint Server farm properties based on the version of your SharePoint Server farm. 
For more information, see [change SharePoint farm properties](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-2-change-sharepoint-farm-properties). +1. Configure SharePoint to trust the identity provider by creating `SPTrustedIdentityTokenIssuer` with RSA public keys [using the steps mentioned in this article](#step-3-configure-sharepoint-to-trust-the-identity-provider-with-rsa-public-keys). +1. Configure a web application in SharePoint to be federated with the Microsoft Entra OIDC, using the `SPTrustedIdentityTokenIssuer` created in the previous step. For more information, see [create a new web application](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-4-configure-the-sharepoint-web-application). +1. Ensure the web application is configured with SSL certificate. To configure the web application, perform the steps to [set the certificate](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-5-ensure-the-web-application-is-configured-with-ssl-certificate). +1. Create a team site collection as both Windows administrator and federated (Microsoft Entra ID) administrator. For more information, see [create the site collection](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-6-create-the-site-collection). +1. Set up a People Picker by using a Custom Claims Provider, or the new UPA-backed claim provider included in SharePoint Server Subscription Edition. See [set up People Picker](/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-7-set-up-people-picker). ++## Step 3: Configure SharePoint to trust the identity provider with RSA public keys ++For RSA public keys, you create or set up a `SPTrustedTokenIssuer` to store the configuration that SharePoint needs to trust as the OIDC provider. 
You can configure SharePoint to trust the identity provider either manually or by using the metadata endpoint. ++### Configure SharePoint OIDC with RSA public keys by using metadata endpoint ++An admin can follow the same PowerShell command that is used for x5c keys when using a metadata endpoint for RSA public keys. SharePoint figures out which kind of key is used from the metadata endpoint response and creates the `SPTrustedIdentityTokenIssuer` appropriately. For more information, see [configure SharePoint to trust Microsoft Entra ID by using metadata endpoint](set-up-oidc-auth-in-sharepoint-server-with-msaad.md#configure-sharepoint-to-trust-microsoft-entra-id-by-using-metadata-endpoint) for an example. ++### Configure SharePoint OIDC with RSA public keys manually ++When manually creating or setting up the `SPTrustedIdentityTokenIssuer` for RSA public keys, you must specify a new `-PublicKey` parameter while running the `New-SPTrustedIdentityTokenIssuer` or `Set-SPTrustedIdentityTokenIssuer` cmdlets to define the RSA public key modulus and exponent. ++#### New-SPTrustedIdentityTokenIssuer ++You can run the following PowerShell cmdlet with `-PublicKey` parameter: ++```powershell +New-SPTrustedIdentityTokenIssuer -Name "RSA-Manual" -Description "RSA Manually Created" -PublicKey $publicKeyXML -ClaimsMappings $emailClaimMap -IdentifierClaim $emailClaimMap.InputClaimType -DefaultClientIdentifier $clientIdentifier -RegisteredIssuerName $registeredissuernameurl -AuthorizationEndPointUri $authendpointurl -SignOutUrl $signouturl -Scope "openid profile" +``` ++The `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet uses the following parameters: ++| Parameter | Description | +||-| +|Name | Gives a name to the new token issuer. | +|Description | Gives a description to the new token issuer. 
| +| PublicKey |Specifies that the value should be an XML string defining the RSA public key modulus and exponent <br> Example of `$publicKeyXML` value: <p> `<RSAKeyValue><Modulus>modulus</Modulus><Exponent>exponent</Exponent></RSAKeyValue>`| +| ClaimsMappings | A `SPClaimTypeMapping` object, which is used to identify which claim in the `id_token` is regarded as identifier in SharePoint. | +| IdentifierClaim | Specifies the type of identifier. | +| DefaultClientIdentifier | Specifies the `client_id` of SharePoint server, which is assigned by OIDC identity provider. This is validated against aud claim in `id_token`. | +| RegisteredIssuerName | Specifies the issuer identifier, which issues the `id_token`. It's used to validate the `id_token`. | +| AuthorizationEndPointUrl | Specifies the authorization endpoint of the OIDC identity provider. | +| SignoutUrl | Specifies the sign out endpoint of the OIDC identity provider. | ++To extract the correct `$publicKeyXML` value from an x509 certificate, you can run the following PowerShell command: ++```powershell +$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ++$cert.Import("c:\certs\YourSigningCertificateHere.cer") ++$publicKeyXml = $cert.PublicKey.Key.ToXmlString($false) +``` ++#### Set-SPTrustedIdentityTokenIssuer ++The `Set-SPTrustedIdentityTokenIssuer` cmdlet supports the new `-PublicKey` parameter for RSA public keys and takes the same `<RSAKeyValue><Modulus>modulus</Modulus><Exponent>exponent</Exponent></RSAKeyValue>` XML string that `New-SPTrustedIdentityTokenIssuer` uses. Example: ++```powershell +Set-SPTrustedIdentityTokenIssuer -Identity "RSA-Manual" -PublicKey $publicKeyXml -IsOpenIDConnect +``` ++## Improvements for OIDC configuration ++With Version 24H2, admins can expect the following improvements when configuring the SharePoint Server to trust the identity provider. 
++### Allow to configure multiple client identifiers in OIDC ++Configuring of multiple client identifiers is now allowed using -ScopedClientIdentifier switch in an OIDC `SPTrustedIdentityTokenIssuer`. Run the following command: ++```powershell +Set-SPTrustedIdentityTokenIssuer -Identity <name> -ScopedClientIdentifier Dictionary<Uri,string> -IsOpenIDConnect +``` ++### Enable ClaimsMappings editing capability in Set-SPTrustedIdentityTokenIssuer ++ΓÇïΓÇïIn previous releases of SharePoint Server, when creating `SPTrustedIdentityTokenIssuer`, you need to provide the claims mappings list, which is used to map the claim from IdP token to SharePoint issued token. After `SPTrustedIdentityTokenIssuer` is created, you can only remove the existing claim mapping, or add the removed claim mapping back, which is identically the same as you removed. But, you can't add new claim mapping, which isn't originally in the list or change an existing claim mapping in place.ΓÇ» ++The new update from Version 24H2 build allows users to add a new parameter toΓÇ»`Set-SPTrustedIdentityTokenIssuer` so they can change the claims mappings list. With this new following parameter, you can even modify the claim mappings list of the token issuer. ++New parameter: `-ClaimsMappings <SPClaimMappingPipeBind[]>` ++### Support OIDC IdPs that can't work with wildcard characters in redirection URL ++Some OIDC IdPs, such as Azure Active Directory B2C, canΓÇÖt work with wildcard characters in the redirect URL. This causes SharePoint to be unable to redirect back to the original resource that is being asked after the authentication. 
In this release, we added a state property in the response header to preserve the redirect URL so that SharePoint will be able to know which URL to redirect to.ΓÇ» ++You can use the following PowerShell cmdlet to enable it on the tokenissuer you've created: ++```powershell +Set-SPTrustedIdentityTokenIssuer -Identity <name> -UseStateToRedirect:$True -IsOpenIDConnect +``` ++### Refresh certificate by timer job ++A new timer job (RefreshMetadataFeed) is created to automatically fetch the latest configuration settings from configured OIDC metadata endpoint on daily basis and update OIDC trusted token issuer accordingly. It includes the certificates used for token encryption and signing, token issuer, authorization endpoint and SignoutUrl. You can change the frequency of refresh by changing the timer job schedule. For example, you can change the schedule of timer job to ΓÇ£5:00 every SaturdayΓÇ¥ by using PowerShell: ++```powershell +Get-SPTimerJob refreshmetadafeed | Set-SPTimerJob -Schedule "weekly at sat 5:00" +``` ++This timer job is enabled when you set up a OIDC trusted token issuer with metadata endpoint. If you have a OIDC trusted token issuer setup before applying this update, you need to reset this token issuer again so that timer job can be enabled for this token issuer. You can reset the token issuer by using PowerShell ++```powershell +Set-SPTrustedIdentityTokenIssuer -Identity <OIDCtokenissuer> -MetadataEndPoint <URL> +``` |
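Review bot: The parameter table for `New-SPTrustedIdentityTokenIssuer` does not match the cmdlet call shown above it: the call passes `-AuthorizationEndPointUri` and `-SignOutUrl`, while the table lists `AuthorizationEndPointUrl` and `SignoutUrl`, and the `-Scope "openid profile"` argument used in the call has no table row at all. Align the table with the names the cmdlet actually accepts and add a `Scope` row. The separator row `||-|` is also not a valid two-column Markdown table separator; use `|:--|:--|` as the other articles in this set do.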
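Review bot: In the manual `-PublicKey` section, the extraction snippet assigns `$publicKeyXml` while the cmdlet example consumes `$publicKeyXML`; PowerShell variable names are case-insensitive so it works, but one spelling avoids readers assuming two different values. The snippet only covers providers that publish an X.509 certificate (`$cert.PublicKey.Key.ToXmlString($false)`); the section's own premise is providers that publish a raw modulus and exponent, and for those the text should say what encoding `<Modulus>` and `<Exponent>` expect, because `ToXmlString` emits standard base64 with padding while JWK `n`/`e` values are base64url and need converting. Finally, state here that a key supplied with `-PublicKey` is not refreshed by the `RefreshMetadataFeed` timer job described later (that job is only enabled for issuers configured with `-MetadataEndPoint`), so after the IdP rotates its signing key the admin must rerun `Set-SPTrustedIdentityTokenIssuer -PublicKey` or token signature validation fails.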
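Review bot: `-ScopedClientIdentifier Dictionary<Uri,string>` in the multiple-client-identifiers example puts a type name where a value belongs, so the line cannot be pasted as written. Show how the value is built, for example `New-Object 'System.Collections.Generic.Dictionary[Uri,string]'` followed by one `.Add($uri, $clientId)` per entry, and say which URI is expected as the key (the web application URL, an alternate access mapping, or something else).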
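Review bot: The "Enable ClaimsMappings editing capability" paragraph contains stray zero-width spaces and non-breaking spaces (rendered here as `ΓÇï` and `ΓÇ»`), and the next section has curly quotes (`ΓÇÖ`, `ΓÇ£`, `ΓÇ¥`); these usually come from pasting out of Word and should be replaced with plain ASCII spaces and quotes, not least because zero-width characters survive copy-paste into a shell. The sentence "allows users to add a new parameter to `Set-SPTrustedIdentityTokenIssuer`" also reads as if the admin adds the parameter; it is the 24H2 update that adds `-ClaimsMappings`, and admins use it to replace or edit the mapping list.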
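Review bot: The `-UseStateToRedirect` section says the original resource URL is carried in a state property but not how the returned value is checked before SharePoint redirects to it, nor whether the state still serves its usual request/response correlation role when this switch is set; add a sentence on each so an admin can judge what enabling the switch changes. "canΓÇÖt" in the same paragraph should be a plain "can't".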
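Review bot: The timer job is introduced as `RefreshMetadataFeed`, but the example pipes `Get-SPTimerJob refreshmetadafeed` (missing "ta"); with a non-existent name `Get-SPTimerJob` returns nothing and the `Set-SPTimerJob -Schedule` never runs, so correct the name. In the same section, "a OIDC trusted token issuer" should be "an OIDC trusted token issuer" (twice), "on daily basis" should be "on a daily basis", and the sentence "You can reset the token issuer by using PowerShell" needs a closing colon before the code block.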
SharePoint | Set Up Oidc Auth In Sharepoint Server With Msaad | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad.md | You can configure SharePoint to trust the identity provider in either of the fol > [!NOTE] > Follow either the manual configuration steps or the metadata endpoint steps, but not both. > Using the metadata endpoint is recommended because it simplifies the process.-### Configure SharePoint to trust Microsoft Entra OIDC by using metadata endpoint ++### Configure SharePoint to trust Microsoft Entra ID by using metadata endpoint SharePoint Server Subscription Edition now supports using the OIDC metadata discovery capability when creating the Trusted Identity Token Issuer. |
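Review bot: Renaming the heading from "Configure SharePoint to trust Microsoft Entra OIDC by using metadata endpoint" to "Configure SharePoint to trust Microsoft Entra ID by using metadata endpoint" changes its slug to `#configure-sharepoint-to-trust-microsoft-entra-id-by-using-metadata-endpoint`, which is exactly what the new RSA article links to, so the two changes must ship together; any other page still pointing at the old `...-microsoft-entra-oidc-...` fragment will break and should be updated in the same change.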
SharePoint | New And Improved Features In Sharepoint Server Subscription Edition 24H2 Release | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/what-s-new/new-and-improved-features-in-sharepoint-server-subscription-edition-24h2-release.md | + Last updated : 09/10/2024 + Title: "New and improved features in SharePoint Server Subscription Edition Version 24H2" +++++audience: ITPro +f1.keywords: +- NOCSH +++ms.localizationpriority: high ++- IT_Sharepoint_Server +- IT_Sharepoint_Server_Top +- Strat_SP_server ++description: "Learn about the new features and updates to existing features in SharePoint Server Subscription Edition Version 24H2." +++# New and improved features in SharePoint Server Subscription Edition Version 24H2 +++Learn about the new features and updates introduced in the SharePoint Server Subscription Edition Version 24H2 feature update. ++## Summary of the features ++The following table provides a summary of the new features introduced in the SharePoint Server Subscription Edition Version 24H2 feature update. ++|**Feature**|**Release ring**|**More information**| +|:--|:--|:--| +| **Search vertical customization in modern search results** | Standard release | For more information, see [Search vertical customization in modern search results](new-and-improved-features-in-sharepoint-server-subscription-edition-24h1-release.md#search-vertical-customization-in-modern-search-results). <br> <br>This was part of *Early release* in the Version 24H1 feature update. <br/> | +| **OpenID Connect (OIDC) integration with SharePoint certificate management** | Standard release | For more information, see [OpenID Connect (OIDC) integration with SharePoint certificate management](new-and-improved-features-in-sharepoint-server-subscription-edition-24h1-release.md#openid-connect-oidc-integration-with-sharepoint-certificate-management). <br> <br>This was part of *Early release* in the Version 24H1 feature update. 
<br/> | +| **End of support notification for SharePoint Server builds** |Standard release |For more information, see [End of support notification for SharePoint Server builds](#end-of-support-notification-for-sharepoint-server-builds).| +| **Support RSA public key in OIDC authentication configuration** |Early release |For more information, see [Support RSA public key in OIDC authentication configuration](#support-rsa-public-key-in-oidc-authentication-configuration).| ++## Detailed description of features ++This section provides detailed descriptions of the new and updated features in SharePoint Server Subscription Edition Version 24H2. ++> [!NOTE] +> Features previously introduced in the Version 24H1 feature update will not be described here. For more information on Version 24H1, see [New and improved features in SharePoint Server Subscription Edition Version 24H1](new-and-improved-features-in-sharepoint-server-subscription-edition-24h1-release.md). +++### End of support notification for SharePoint Server builds ++SharePoint Server Subscription Edition (SPSE) displays notifications in Central Administration and the SharePoint Management Shell when the build of SPSE that's currently installed is approaching its end of support date. The notifications direct SharePoint farm administrators to install the latest update for SPSE to ensure uninterrupted support. ++SharePoint Server Subscription Edition follows the [Modern Lifecycle Policy](/lifecycle/policies/modern) and doesn't have a fixed [End of Support](/lifecycle/definitions#end-of-support) date. However, SharePoint Server Subscription Edition does have a [product servicing policy](../product-servicing-policy/updated-product-servicing-policy-for-sharepoint-server-se.md) that says builds will be supported for one year after its release date. After one year, the build will no longer be supported. 
This is to ensure that customers stay up to date so they aren't missing important security and quality fixes that are already released, which could cause security breaches in their environments or unnecessary support cases with Microsoft Support. ++The triggers for the notifications are as follows: ++- **6 months until "end of support" date:** Provide an **informational** notice in Central Administration and the SharePoint Management Shell informing the admin that the current build is approaching the end of support, and they should install a newer update. ++- **3 months until "end of support" date:** Provide a **warning notice** in Central Administration and the SharePoint Management Shell informing the admin that the current build is approaching the end of support, and they should install a newer update. ++- **Beyond "end of support" date:** Provide an **error** notice in Central Administration and the SharePoint Management Shell informing the admin that the current build is no longer supported, and they should install a newer update. This error also appears in the Windows Application Event Log. ++### Support RSA public key in OIDC authentication configuration ++OIDC is an authentication protocol that uses JSON Web Tokens (JWTs) to verify the identity of users, and grant them access to protected resources. JWTs are digitally signed using either symmetric keys (shared between the issuer and the consumer) or asymmetric keys (public/private key pairs). ++Some OIDC providers use RSA public keys that are directly represented with RSA modulus and RSA public exponent. To support these providers, SharePoint Server Subscription Edition Version 24H2 now gives the ability to parse and validate RSA public keys in JWTs. ++For more information, see [Set up OIDC authentication in SharePoint Server using RSA public keys](../security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-using-rsa.md). |
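Review bot: In the end-of-support paragraph, "builds will be supported for one year after its release date" should read "their release date" (plural subject). More useful for operators: the "Beyond end of support" bullet says the error also appears in the Windows Application Event Log but gives no event source or event ID, so admins cannot build a monitoring rule for it; add both so the condition is caught by alerting rather than only by someone opening Central Administration or the Management Shell.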
SharePoint | What S New | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/what-s-new/what-s-new.md | Articles contain an overview of new and improved product features, updates, depr |**Content**|**Description**| |:--|:--|+|[New and improved features in SharePoint Server Subscription Edition Version 24H2](new-and-improved-features-in-sharepoint-server-subscription-edition-24h2-release.md) <br/> |Learn about the new features and updates to existing features in SharePoint Server Subscription Edition Version 24H2. <br/> | |[New and improved features in SharePoint Server Subscription Edition Version 24H1](new-and-improved-features-in-sharepoint-server-subscription-edition-24h1-release.md) <br/> |Learn about the new features and updates to existing features in SharePoint Server Subscription Edition Version 24H1. <br/> | |[New and improved features in SharePoint Server Subscription edition](new-and-improved-features-in-sharepoint-server-subscription-edition.md) <br/> |Learn about the new features and updates to existing features in SharePoint Server Subscription edition. <br/> | |[What's deprecated or removed from SharePoint Server Subscription edition](what-s-deprecated-or-removed-from-SharePoint-Server-Subscription-Edition.md) <br/> |Learn about the features and functionality that are deprecated or removed in SharePoint Server Subscription edition. <br/> | |