Today we are discussing Prevent users from Moving their Windows Known Folders to OneDrive. Known folders include Desktop, Documents, and Pictures, which are often redirected to OneDrive for backup. This setting, found in the OneDrive category of the settings catalog, gives administrators control over whether or not users are allowed to move these folders.
The OneDrive settings catalog offers a wide range of policies that organizations can use to manage user experience, storage behavior, and data security. Among these options, the policy to block folder redirection is an important one for organizations that do not want users to store critical files in the cloud.
When this setting is enabled, users are restricted from moving their known folders into OneDrive. They will not see the usual prompt encouraging them to “Set up protection of important folders,” and the manual “Start protection” command will also be disabled.
If users have already redirected their folders before the setting is applied, the files will remain in OneDrive. The policy does not undo previous actions; it only prevents new migrations. So Let’s look how this policy to be deployed through MS Intune.
Table of Contents
Why Does the Organization Prevent Moving Folders like Documents, Desktop, and Pictures to OneDrive?
Organization blocks moving folders like Documents, Desktop, and Pictures to OneDrive to keep files safe and managed. This prevents sensitive data from being stored in the wrong place.
Prevent users from Moving their Windows Known Folders to OneDrive
We have discussed many important points about Prevent users from Moving their Windows Known Folders to OneDrive. Now, let’s look at how it can be deployed through the Microsoft Intune Admin Center. First, go to the Devices section in the Intune Admin Center.
Next, click on Configuration profiles and then select + Create profile. When creating the profile, you will need to provide the required details such as the Platform and Profile type. For the Platform, select Windows 10 and later.
- For the Profile type, choose Settings catalog. Finally, click on Create to complete the process. This will deploy the policy through Intune.
- Enable Disable Full Screen Mode in MS Edge Browser using Intune Policy
- Allow Manual Start of Microsoft Account Sign In Assistant Using Intune Settings Catalog
- How to Allow Direct Memory Access for Data Protection Through Intune Settings Catalog
Start With Basics
After creating the profile, you will be taken to the Basics tab. Here, you need to enter the basic details such as the Name and Description of the policy. Provide an appropriate name that clearly identifies the purpose of the policy. The policy name act as an identifier, making it easier to recognize and manage later. You may also add a description to give more context about what the policy is for or how it should be used.
- Once the required details are filled in, click on Next to proceed.
How to Configure the Policy
To configure this important setting, start by going to the Add settings option in the configuration settings. Once you click on Add setting, a settings picker window will appear. In this window, select the OneDrive category. Within this category, you will find 89 available settings. From these, choose “Prevent users from moving their Windows known folders to OneDrive”.
Settings Disabled
Now you are on the Configuration settings main page. Here, you will see that the selected policy has appeared in the list. By default, it is set to Disabled. If you want to keep it disabled that means, you do not want text prediction enabled in your organization, so you can just click Next to continue.
Enable the Policy
If you want to enable this policy and your organization needs the moving known folders to Onedrive is On. To do this, toggle the switch from left to right. Once enabled, the toggle will turn blue, indicating that the setting is now Enabled.
- After enabling it, click Next to continue with the setup.
Know the Scope Tags
Now you are on the Scope Tags page. Scope tags can be important in certain cases for policy deployment. In this example, I have chosen to skip this section. However, if you want to add a scope tag to the policy, you can select the “Add scope tag” option, which is highlighted in blue.
- I’m skipping this step, So, I click Next to continue.
Know about the Assignments
When deploying a policy, the main aim is to specify which organizational group the policy should be applied to In this tab, you can easily make your selection by clicking on “Add groups” under the Include section. Once clicked, a list of available groups will appear. Then Click on the Next.
- In this example, I selected the HTMD Test Policy group.
Review + Create
The final step is the Review + Create section. You’ll see a summary of everything you’ve entered, including basic details, settings, and group assignments. If something you want to change, you can go back previous tabs and edit it. Once you’re ok with everything, click Create. You’ll get a message saying the policy was created successfully.
Monitoring Status
After creating the policy, the next step is to check if it was applied successfully. Always remember that it can take up to 8 hours for the policy to be fully deployed. If you’ve synced the policy through the Company Portal, you can check its status easily. Just go to Devices > Configuration, then search for the name of your policy in the list.
- Click on the policy to see the Device check-in status for both devices and users.
- In the screenshot below, you’ll see it says “Succeeded: 1” this means the policy was deployed successfully.
Client Side Verification
You can check the confirmation in the Event Viewer. To do this, open Event Viewer and look for Event ID 813 or 814. Go to: Applications and Services Logs > Microsoft > Windows > Device Management Enterprise Diagnostic Provider > Admin.
- There, you’ll see a list of policy-related events. It might be difficult to figure out which one shows the right details, so use the “Filter Current Log” option on the right side to narrow down the results.
- In my case, I found the policy details in the Event ID 814.
| Info |
|---|
| MDM PolicyManager: Set policy string, Policy: (BlockKnownFolderMove), Area: (OneDriveNGSCv2 ~Policy~OneDriveNGSC), EnrollmentID requesting merqe: (EB427D85-802F-46D9-A3E2- D5B414587F63), Current User: (Device), Strinq: (), Enrollment Type: (0x6), Scope: (0x0). |
Removing the Policy Group
If you want to remove any group from your policy after the policy creation you can easily do that. First go to the Device Configuration then search the policy name and now you get the policy monitoring status page. Here you have to scroll down and you will get the Assignment section there you will get an edit option.
- In the Assignment page you can see the Remove option Click on that for removing the Policy.
Delete the Policy from Intune Portal
If you want to delete the policy of Moving their Windows Known Folders to OneDrive that you created, you can easily do that. First go to the Device Configuration then search the policy name and now you get the policy here click on the 3 dot menu of the policy then click on the Delete and the policy Deleted permenantly.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.