How To Manage OneDrive With Group Policy
In this tutorial you will learn how to manage OneDrive with group policy (GPO). The OneDrive Group Policy objects work by setting registry keys on the computers in your domain. When you enable or disable a setting, the corresponding registry key is updated on computers in your domain.
I will guide you through obtaining the required GPO policies and importing them to Group Policy Management. Afterwards we will go through a simple deployment of OneDrive policies using Group Policy.
Task Details
- Install OneDrive Policies
- Explain OneDrive Policies
- Deploy OneDrive Policies
Task 1: Install OneDrive Policies
- You can download the OneDrive GPO Templates From Here.
- Locate these two files.
- OneDrive.adml
- OneDrive.admx
If you just want to review OneDrive policies in Group Policy Management, you can put these files in your local store:
- Copy ONEDRIVE.ADML to C:\Windows\PolicyDefinitions\en-US
- Copy ONEDRIVE.ADMX to C:\Windows\PolicyDefinitions\
To use the OneDrive policies on your corporate network, you can put these files in the Active Directory Central Store:
- Copy ONEDRIVE.ADML to \\<your domain>\sysvol\<your domain>\Policies\PolicyDefinitions\en-US
- Copy ONEDRIVE.ADMX to \\<your domain>\sysvol\<your domain>\Policies\PolicyDefinitions\
Task 2: Explain OneDrive Policies
OneDrive Administrative Templates are responsible for managing registry-based policies that allow you to configure many settings on Windows machines. With these Administrative Templates available in Group Policy Management for Windows 10 and Windows 11, administrators can easily manage applications on Windows 10 and Windows 11 or later devices using device configuration profiles. These templates are applied through Computer Configuration > Administrative Templates.
There are a variety of Computer Configuration policies that can be applied to make your life and your users' lives easier.
Task 3: Deploy OneDrive Policies
We finally made it to the task where we use the Group Policy Administrative Template for OneDrive to apply settings that will be pushed to the domain-joined devices. We will configure the policies below.
- Silently Sign in users to the OneDrive Sync client.
- Silently move Windows known folder to OneDrive.
- Prevent users from moving known folders.
- Set File on-Demand states.
1. Open Group Policy Management
2. Locate Group Policy Objects, right click it and select New from the menu.
3. Enter the name OneDriveManagement and click OK.
4. Locate the newly created policy OneDriveManagement, right click it and select Edit from the menu.
5. Expand Computer Configuration > Administrative Templates and click OneDrive.
6. Locate Silently sign in users to the OneDrive Sync. Edit the Policy and mark it as Enabled.
7. Locate Silently move Windows known folders to OneDrive. Edit the Policy and mark it as Enabled.
8. Locate Prevent users from moving their Windows known folders to OneDrive. Edit the Policy and mark it as Enabled.
9. Locate Silently move Windows known folders to OneDrive. Edit the Policy and mark it as Enabled.
10. Locate Use OneDrive Files On-Demand. Edit the Policy and mark it as Enabled.
11. Place your OneDriveManagement policy into the OU where your user workstations are located.
12. Push a group policy update to all computers. At the next reboot/startup, the OneDrive policies will be applied.
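To confirm on a workstation that the four policies actually landed, you can read back the registry values they set. The following PowerShell is an added example, not part of the original post; the value names under HKLM\SOFTWARE\Policies\Microsoft\OneDrive are the ones Microsoft documents for these policies, and the function name Test-OneDrivePolicy is hypothetical.

```powershell
# Added example (not from the original post): read back the values the
# OneDriveManagement GPO should have written. Run after 'gpupdate /force'.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

# One entry per policy from Task 3: registry value name plus a validity check.
$Expected = @(
    @{ Policy = 'Silently sign in users to the OneDrive sync client'
       Name   = 'SilentAccountConfig';  Test = { param($v) $v -eq 1 } }
    @{ Policy = 'Silently move Windows known folders to OneDrive'
       # Holds the tenant ID entered in the policy, so expect a GUID string.
       Name   = 'KFMSilentOptIn';       Test = { param($v) $null -ne ($v -as [guid]) } }
    @{ Policy = 'Prevent users from moving their Windows known folders to OneDrive'
       Name   = 'KFMBlockOptIn';        Test = { param($v) $v -eq 1 } }
    @{ Policy = 'Use OneDrive Files On-Demand'
       Name   = 'FilesOnDemandEnabled'; Test = { param($v) $v -eq 1 } }
)

function Test-OneDrivePolicy {   # hypothetical helper name
    param([string]$Path = $PolicyKey)

    # A missing key means no OneDrive policy reached this machine at all.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($e in $Expected) {
        $value = if ($props) { $props.($e.Name) } else { $null }
        $state = if ($null -eq $value)     { 'Missing' }
                 elseif (& $e.Test $value) { 'OK' }
                 else                      { 'Unexpected' }
        [pscustomobject]@{
            Policy = $e.Policy; ValueName = $e.Name; Value = $value; State = $state
        }
    }

    # Microsoft's policy reference states that the "Prevent users from moving"
    # setting does not take effect while "Silently move" is also enabled.
    if ($props -and $props.KFMSilentOptIn -and $props.KFMBlockOptIn) {
        Write-Warning 'KFMSilentOptIn and KFMBlockOptIn are both set; KFMBlockOptIn is ignored.'
    }
}

Test-OneDrivePolicy | Format-Table -AutoSize -Wrap
```

A row reported as Missing usually means the GPO is not linked to the computer's OU or has not refreshed yet; `gpresult /r` on the client shows which GPOs were applied.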
Install OneDrive using Group Policy and PowerShell
I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.
Thanks for this tutorial.
One simple question: does this apply to consumer OneDrive, or to OneDrive for Business or both, depending on the login?
Is there any way I can customize the GPO to apply only to the for Business accounts?
I’m trying to get OneDrive for Business files available in my remote desktop farm. Right now, the onedrive agent/client is not installed, but within Word, I can save directly to OneDrive for Business. However, if I try to open a file within Word from Onedrive for Business, it is stuck on ‘loading’. I’m hoping that by installing the agent I’ll be able to open files also. I intend to configure using GPO to login with SSO credentials, and prevent ‘Always keep on device’ as disk space on the farm’s session hosts is limited.
Hello,
We are currently not using onedrive in our organisation.
I have applied SRP in GPO thus I am getting warnings like
Access to C:\Users\vishekbatra\AppData\Local\Microsoft\OneDrive\22.171.0814.0004\FileCoAuth.exe has been restricted by your Administrator by the default software restriction policy level.
Access to C:\Users\vishekbatra\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe has been restricted by your Administrator by the default software restriction policy level.
I have tried to set those paths to unrestricted however it is not working. I reckon, I may need to create separate GPO for onedrive to manage it.
I also noticed that each pc have different versions. By following your instruction on Install OneDrive using Group Policy and PowerShell, how do I restrict it from updating to different version?
Similarly, which rule do I enable to stop the warning above? Once it has been done, should I remove the path rule in SRP?
Appreciate your help. Cheers!
Hello,
I recently enabled SRP in our organization. It works; however, I got the following warning on some of the PCs. Though I put those in the path rule to be unrestricted, it does not seem to be working.
Access to C:\Users\user\AppData\Local\Microsoft\OneDrive\22.171.0814.0004\FileCoAuth.exe has been restricted by your Administrator by the default software restriction policy level.
Access to C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe has been restricted by your Administrator by the default software restriction policy level.
How do I install SAME OneDrive versions across the PC fleet through GPO?
How do I resolve the warning above?
Appreciate your help. Cheers!
Try application white listing https://blogs.manageengine.com/corporate/general/2018/10/25/application-whitelisting-using-software-restriction-policies.html#:~:text=To%20configure%20an%20SRP%20to%20operate%20in%20a,new%20GPO%2C%20or%20select%20an%20already%20existing%20one , are you sure the GPO has been updated on those systems that you are running into an error?
Hi Patrick,
Thank you for the reply.
Yes the GPO has been updated.
I did the application whitelisting, adding the paths of the onedrive to be unrestricted but still gets blocked.
Appreciate your help.
Is there a way to prevent external file sharing for OneDrive via GPO? I don’t see it in the settings.
You will make that global setting change in the Microsoft 365 portal.
Thanks for taking the time and effort to do these tutorials.
They are a big help and a timesaver.
Cheers.
Hello Jason,
Thank you for your kind words. I am glad they have come of use.
Will it work with Server 2016? I read elsewhere that it will only work on Server 2019, is it true?
Hello Samuel,
Yes, it will work with server 2016.
Does it work on 2012 as well?
Hi there,
I have been assigned a task to restrict users to saving only in OneDrive and not in their root folder. Also, downloads should only go to their document folder. I would really appreciate your help.
group policy to restrict users to save in only in one drive not in document folder