How to Completely Lockdown OneDrive File Sync with Intune Policy

Key Takeaways:

  • Organizations may need to restrict OneDrive file sync to prevent data leakage or enforce compliance.
  • Admins can configure Intune device configuration profiles to block OneDrive sync.
  • Useful in environments where cloud storage is restricted or only specific apps are allowed.
  • Once applied, users will be unable to sync files to OneDrive from their devices.

This post covers how to completely lock down OneDrive file sync with an Intune policy. The OneDrive File Sync policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client.

Enabling this setting prevents users from accidentally (or intentionally) uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client. This security concern applies to any cloud-based file storage application installed on a workstation, not just the one supplied with Windows.

This policy provides many benefits for organizations. After you enable it, users can’t access OneDrive from the OneDrive app and file picker. Windows Store apps can’t access OneDrive using the WinRT API. OneDrive doesn’t appear in the navigation pane in File Explorer. OneDrive files aren’t kept in sync with the cloud.

Users can’t automatically upload photos and videos from the camera roll folder after enabling this policy. If your organization uses Microsoft 365, be aware that this setting will prevent users from saving files to OneDrive or SkyDrive.

How to Completely Lockdown OneDrive File Sync with Intune Policy

On high-security or unmanaged devices, organizations want to ensure that sensitive company data cannot be “cached” locally. If a device is stolen, no local copies of cloud files exist. Disabling sync is therefore the best option for your organization.

Notes

  • Allow syncing OneDrive accounts for only specific organizations – a computer-based setting that restricts OneDrive client connections to only approved tenant IDs.
  • Prevent users from synchronizing personal OneDrive accounts – a user-based setting that prevents use of consumer OneDrive (i.e. non-business).

How to Completely Lockdown OneDrive File Sync with Intune Policy – Table.1

How to Start Policy Creation

As an admin, you can quickly configure this policy in your organisation. To start the policy creation, open the Microsoft Intune admin center. Then go to Devices > Configuration > + Create > + New Policy.

How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.1

Profile Creation

Profile creation is the step where you assign the policy to the appropriate platform and profile type. Here, I configure the policy for the Windows 10 and later platform and the Settings catalog profile type. Then click on the Create button.

How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.2

Filling the Basic Tab

Naming the policy is the first step, and it helps admins identify the policy later. It is an important step because the name tells you the purpose of the policy. Here, Name is mandatory and Description is optional. After adding these, click on the Next button.

How to Completely Lockdown OneDrive File Sync With Intune Policy – Fig.3

Configure OneDrive File Sync

On the Configuration settings tab, click on the +Add settings hyperlink to open the Settings picker. The Settings picker shows a huge number of settings. Here, I select the setting by browsing by category. I choose System. Then, I choose the Disable One Drive File Sync setting.

How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.4

Enable or Disable OneDrive File Sync

If you enable this policy setting, users can’t access OneDrive from the OneDrive app and file picker. Packaged Microsoft Store apps can’t access OneDrive using the WinRT API. OneDrive doesn’t appear in the navigation pane in File Explorer.

OneDrive files aren’t kept in sync with the cloud. Users can’t automatically upload photos and videos from the camera roll folder. If you disable or don’t configure this policy setting, apps and features can work with OneDrive file storage.

How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.5

Scope Tags

With scope tags, you create a restriction to the visibility of the Read Aloud feature in Microsoft Edge. It helps to organise resources as well. Here, I would like to skip this section, because it is not mandatory. Click on the Next button.

How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.6

Assignments Tab for Selecting Group

To assign the policy to specific groups, you can use the Assignments tab. Here, I click the +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.

How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.7

Review + Create Tab

Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.

How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.8

Monitoring Status

The Monitoring Status page shows whether the policy has succeeded or not. To apply the policy quickly, sync the assigned device from Company Portal. Then open the Intune Portal, go to Devices > Configuration, and search for the policy. Here, the policy shows as successful.

How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.9

Event Viewer Details

Event Viewer helps you check the client side and verify the policy status. On the client device, go to Start > Event Viewer. In the left pane, navigate to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

Event ID Details
MDM PolicyManager: Set policy int, Policy: (DisableOneDriveFileSync), Area: (System), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).
How to Completely Lockdown OneDrive File Sync with Intune Policy – Table.2
How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.10
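
The same client-side check can be scripted instead of read by eye in Event Viewer. The PowerShell below is an added example, not part of the original post: it parses the "Set policy int" message format shown in Table.2 and reports the latest value for DisableOneDriveFileSync. The two function names are hypothetical helpers, and reading Int 0x1 as "sync disabled" is taken from the event this post shows after the policy was enabled.

```powershell
# Added example (not from the original post): confirm on the client that the
# DisableOneDriveFileSync policy arrived, using the log the article points to.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function ConvertFrom-MdmPolicyMessage {
    # Hypothetical helper: turns one "Set policy int" message into an object.
    param([Parameter(Mandatory)][string]$Message)
    $flat = ($Message -replace '\s+', ' ').Trim()   # messages may be line-wrapped
    $pattern = 'Policy: \((?<Policy>[^)]+)\), Area: \((?<Area>[^)]+)\),.*?' +
               'Current User: \((?<User>[^)]+)\), Int: \((?<Int>0x[0-9A-Fa-f]+)\)'
    if ($flat -match $pattern) {
        [pscustomobject]@{
            Policy = $Matches['Policy']
            Area   = $Matches['Area']
            User   = $Matches['User']
            Value  = [Convert]::ToInt32($Matches['Int'], 16)   # accepts the 0x prefix
        }
    }
}

function Get-OneDriveSyncPolicyState {
    # Hypothetical helper. Pass -Message to test offline; otherwise read the live log.
    param([string[]]$Message)
    if (-not $Message) {
        # Get-WinEvent returns newest events first, so the first hit is the latest.
        $Message = Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'Policy: \(DisableOneDriveFileSync\)' } |
            ForEach-Object { $_.Message }
    }
    $parsed = foreach ($m in $Message) {
        if ($m) { ConvertFrom-MdmPolicyMessage -Message $m }
    }
    $latest = $parsed | Where-Object { $_.Policy -eq 'DisableOneDriveFileSync' } |
        Select-Object -First 1
    if (-not $latest) { return 'NotFound: no DisableOneDriveFileSync event in the log' }
    if ($latest.Value -eq 1) { return "Blocked: OneDrive sync disabled for $($latest.User)" }
    return "Allowed: policy present but value is $($latest.Value)"
}

# Offline check using the message text shown in the article's Table.2.
$sample = 'MDM PolicyManager: Set policy int, Policy: (DisableOneDriveFileSync), ' +
          'Area: (System), EnrollmentID requesting merge: ' +
          '(EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), ' +
          'Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).'
Get-OneDriveSyncPolicyState -Message $sample   # parses the sample text only
Get-OneDriveSyncPolicyState                    # reads the live event log
```

A "NotFound" result on an assigned device usually means the device has not synced yet; sync it from Company Portal and run the check again.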

Removing the Assigned Group from OneDrive File Sync Settings

If you want to remove the assigned group from the policy, you can do so from the Intune Portal. To do this, open the policy in the Intune Portal, edit the Assignments tab, and then remove the group from the policy.

To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.11

How to Delete OneDrive File Sync

You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.12

Windows CSP Details

This policy setting lets you prevent apps and features from working with files on OneDrive. This policy is applicable for Windows 10, version 1703 [10.0.15063] and later.

How to Completely Lockdown OneDrive File Sync with Intune Policy – Fig.13

Author

Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.