Windows Tutorials

How To Manage OneDrive With Group Policy

In this tutorial you will learn how to manage OneDrive with group policy (GPO). The OneDrive Group Policy objects work by setting registry keys on the computers in your domain. When you enable or disable a setting, the corresponding registry key is updated on computers in your domain.

I will guide you through obtaining the required GPO policies and importing them to Group Policy Management. Afterwards we will go through a simple deployment of OneDrive policies using Group Policy.

Task Details

  1. Install OneDrive Policies
  2. Explain OneDrive Policies
  3. Deploy OneDrive Policies

Task 1: Install OneDrive Policies

  1. You can download the OneDrive GPO Templates From Here.
  2. Locate these two files.
    • OneDrive.adml
    • OneDrive.admx
  3. If you just want to review OneDrive policies in Group Policy Management, you can put these files your local store:

    • Copy ONEDRIVE.ADML to C:\Windows\PolicyDefinitions\en-US
    • Copy ONEDRIVE.ADMX to C:\Windows\PolicyDefinitions\
  4. To use the OneDrive polices on your corporate network, you can put these files in the Active Directory Central Store:

    • Copy ONEDRIVE.ADML to \\<your domain>\sysvol\<your domain>\Policies\PolicyDefinitions\en-US
    • Copy ONEDRIVE.ADMX to \\<your domain>\sysvol\<your domain>\Policies\PolicyDefinitions\

Task 2: Explain OneDrive Policies

OneDrive Administrative Templates are responsible to for management of registry-based policies that allows you to configure many settings on Windows machine. With the availability of these Administrative Templates in Group Policy Management for Windows 10 and Windows 11 it is helping Administrators to easily manage applications on Windows 10 and Windows 11 or later devices using device configuration profiles. These templates are applied through Computer Configuration Administrative Templates.

There are a variety of Computer Configuration Policies that can be applied to make your life and users lives easier.

Task 3: Deploy OneDrive Policies

We finally made it to the task where we can use Group Policy Administrative Template for OneDrive to apply settings that will be pushed to the domain joined devices. What we will configure are the policies below.

  • Silently Sign in users to the OneDrive Sync client.
  • Silently move Windows known folder to OneDrive.
  • Prevent users from moving known folders.
  • Set File on-Demand states.

1. Open Group Policy Management

2. Locate Group Policy Objects, right click it and select New from the menu.

3. Enter the name OneDriveManagement and click ok.

4. Locate the newly created policy OneDriveManagement, right click it and select Edit from the menu.

5. Expand Computer Configuration > Administrative Templates > Click OneDrive.

6. Locate Silently sign in users to the OneDrive Snyc. Edit the Policy and mark it as Enabled.

7. Locate Silently move Windows known folders to OneDrive. Edit the Policy and mark it as Enabled.

8. Locate Prevent users from moving their Windows known folders to OneDrive. Edit the Policy and mark it as Enabled.

9. Locate Silently move Windows known folders to OneDrive. Edit the Policy and mark it as Enabled

10. Locate Use OneDrive Files On-Demand. Edit the Policy and mark it as Enabled.

11. Place your OneDriveManagement policy into the OU where your user workstations are located. 

12. Push group policy update to all computers, at the next reboot/startup OneDrive Policies will be applied.

Install OneDrive using Group Policy and PowerShell

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.


Discover more from Patrick Domingues

Subscribe to get the latest posts sent to your email.

author avatar
Patrick Domingues

14 Comments

  1. Thanks for this tutorial.

    One simple question: does this apply to consumer OneDrive, or to OneDrive for Business or both, depending on the login?

    Is there any way I can customize the GPO to apply only to the for Business accounts?

    I’m trying to get OneDrive for Business files available in my remote desktop farm. Right now, the onedrive agent/client is not installed, but within Word, I can save directly to OneDrive for Business. However, if I try to open a file within Word from Onedrive for Business, it is stuck on ‘loading’. I’m hoping that by installing the agent I’ll be able to open files also. I intend to configure using GPO to login with SSO credentials, and prevent ‘Always keep on device’ as disk space on the farm’s session hosts is limited.

  2. Hello,

    We are currently not using onedrive in our organisation.
    I have applied SRP in GPO thus I am getting warnings like
    Access to C:\Users\vishekbatra\AppData\Local\Microsoft\OneDrive\22.171.0814.0004\FileCoAuth.exe has been restricted by your Administrator by the default software restriction policy level.
    Access to C:\Users\vishekbatra\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe has been restricted by your Administrator by the default software restriction policy level.

    I have tried to set those paths to unrestricted however it is not working. I reckon, I may need to create separate GPO for onedrive to manage it.
    I also noticed that each pc have different versions. By following your instruction on Install OneDrive using Group Policy and PowerShell, how do I restrict it from updating to different version?
    Similarly, which rule do I enable to stop the warning above? Once it has been done, should I remove the path rule in SRP?

    Appreciate your help. Cheers!

  3. Hello,

    I recently enable SRP in our organization, it works however got the following warning to some of the PC. Though, I put those in the path rule to be unrestricted, it seems not working.

    Access to C:\Users\user\AppData\Local\Microsoft\OneDrive\22.171.0814.0004\FileCoAuth.exe has been restricted by your Administrator by the default software restriction policy level.
    Access to C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe has been restricted by your Administrator by the default software restriction policy level.

    How do I install SAME OneDrive versions across the PC fleet through GPO?
    How do I resolve the warning above?

    Appreciate you help. Cheers!

      1. Hi Patrick,

        Thank you for the reply.
        Yes the GPO has been updated.
        I did the application whitelisting, adding the paths of the onedrive to be unrestricted but still gets blocked.

        Appreciate your help.

  4. hi There,
    i have been assigned a task to restrict the users to save only in one drive and not in their root folder. Also the downloads should only go their document folder. please i would really appreciate your help.

Leave a Comment

Stay Informed

Receive instant notifications when new content is released.