OneDrive: Admins can configure a group policy to block specific folders from OneDrive Sync

imran khan August 18, 2024

In addition to being able to configure a group policy to exclude specific files or file extensions from Syncing with OneDrive, admins can now exclude folders as well. End-users will be able to see the excluded folders in the Sync configuration applied to them via their OneDrive Advanced Settings.

                                                                                                                             Roll Out :-  June 2025

  • Feature ID: 178292
  • Added to roadmap: 10/4/2023
  • Last modified: 8/1/2024
  • Product(s): OneDrive
  • Cloud instance(s): Worldwide (Standard Multi-Tenant), GCC, DoD, GCC High
  • Platform(s): Desktop, Mac
  • Release phase(s): General Availability

IT Admins - Use OneDrive policies to control sync settings



Manage OneDrive using Group Policy

  1. Install the OneDrive sync app for Windows. (For information on the builds that are being released, and on the download builds, see release notes.) Installing the sync app downloads the .adml and .admx files.

  2. Browse to %localappdata%\Microsoft\OneDrive\\*BuildNumber*\adm\ (for per-machine sync app browse to %ProgramFiles(x86)%\Microsoft OneDrive\BuildNumber\adm\ or %ProgramFiles%\Microsoft OneDrive\BuildNumber\adm\ (depending on the OS architecture)) to the subfolder for your language, as necessary (where BuildNumber is the number displayed in sync app settings under the About tab).

    The ADM folder in the OneDrive installation directory

  3. Copy the .adml and .admx files.

  4. Paste the .admx file in your domain's Central Store, \\\\*domain*\sysvol\domain\Policies\PolicyDefinitions (where domain is your domain name, such as corp.contoso.com), and the .adml file in the appropriate language subfolder, such as en-us. If the PolicyDefinitions folder doesn't exist, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows, or use your local policy store under %windir%\policydefinitions.

  5. Configure settings from the domain controller or on a Windows computer by running the Remote Server Administration Tools.

  6. Link the GPOs to an Active Directory container (a site, domain, or an organizational unit). For more information, see Link Group Policy objects to Active Directory containers.

  7. Use security filtering to narrow the scope of a setting. By default, a setting is applied to all user and computer objects within the container to which it's linked, but you can use security filtering to narrow the scope of the policy's application to a subset of users or computers. For more information, see Filtering the scope of a GPO.

The OneDrive GPOs work by setting registry keys on the computers in your domain.

  • When you enable or disable a setting, the corresponding registry key is updated on computers in your domain. If you later change the setting back to Not configured, the corresponding registry key isn't modified, and the change doesn't take effect. After you configure a setting, set it to Enabled or Disabled, going forward.

  • The location where registry keys are written has been updated. When you use the latest files, you might delete registry keys that you set previously.



  • Allow syncing OneDrive accounts for only specific organizations

    This setting lets you prevent users from easily uploading files to other organizations by specifying a list of allowed tenant IDs.

    If you enable this setting, users get an error if they attempt to add an account from an organization that isn't allowed. If a user has already added the account, the files stop syncing.

    To enter a tenant ID, in the Options box, select Show.

    This policy sets the following registry key:

    [HKLM\SOFTWARE\Policies\Microsoft\OneDrive\AllowTenantList] "1111-2222-3333-4444"

    where "1111-2222-3333-4444" is the tenant ID.

    This setting takes priority over Block syncing OneDrive accounts for specific organizations. Don't enable both settings at the same time.

Block syncing OneDrive accounts for specific organizations

This setting lets you prevent users from uploading files to another organization by specifying a list of blocked tenant IDs.

If you enable this setting, users get an error if they attempt to add an account from an organization that's blocked. If a user has already added the account, the files stop syncing.

To enter the tenant ID, in the Options box, select Show.

This policy sets the following registry key:

[HKLM\SOFTWARE\Policies\Microsoft\OneDrive\BlockTenantList] "1111-2222-3333-4444"

where "1111-2222-3333-4444" is the tenant ID.

This setting does NOT work if you enable the Allow syncing OneDrive accounts for only specific organizations setting. Don't enable both settings at the same time.



Always start OneDrive automatically when signing in to Windows

This policy overrides the user's choice, ensuring OneDrive will automatically start every time they sign in to Windows.

Enabling this policy sets the following registry key value to 1:

[HKCU\Software\Policies\Microsoft\OneDrive]"EnableAutoStart"=dword:00000001 

 

Post a Comment

0 Comments

Emoji
(y)
:)
:(
hihi
:-)
:D
=D
:-d
;(
;-(
@-)
:P
:o
:>)
(o)
:p
(p)
:-s
(m)
8-)
:-t
:-b
b-(
:-#
=p~
x-)
(k)