Use Intune to Configure OneDrive for Business

Intune policies for a user-friendly OneDrive for Business client deployment

When using the default deployment of OneDrive for Business included in Microsoft 365 Apps for Business or Enterprise, users face many prompts and settings that can be confusing or frustrating. By default, OneDrive will not sign in automatically; instead, it asks the user which local profile folders they want to back up, and it allows the full network bandwidth to be consumed. Using Intune Administrative Templates (ADMX-backed Intune policies that use the same type of XML as Group Policy), you can change all of this, making for a seamless first-run experience.

In this article, you’ll find out how to configure Intune to achieve a OneDrive configuration that:

  • Signs in the authenticated user and skips tutorial/setup pages
  • Syncs the local Documents, Desktop, and Pictures folders
  • Controls the network utilisation of the client
  • Warns the user if a significant number of files have been deleted
  • Blocks syncing non-work OneDrive accounts
  • Enables real-time co-authoring in Office desktop apps
  • Automatically syncs SharePoint Document Libraries
  • Blocks users changing their OneDrive folder path

Combined, these settings will make your OneDrive for Business deployment a smooth, user-friendly experience that keeps your helpdesk and users happy.

Create a Configuration Profile for Intune Policies

A Configuration Profile is a collection of Intune settings, managed in Microsoft Endpoint Manager.

Navigate to endpoint.microsoft.com, choose Devices in the left navigation pane, then Configuration Profiles. All Configuration Profiles in your tenant are displayed; click + Create profile to add the OneDrive settings.

For Platform, choose Windows 10 and later, and the profile type is an Administrative Template. Then click Create. Remember, Administrative Templates are a lot like Group Policy Objects (GPOs), so the interface we’ll be configuring them in via Microsoft Endpoint Manager will look familiar if you are experienced in on-premises Active Directory GPO administration.

You must give your new profile a Name and, optionally, a Description, then proceed by clicking Next. It’s recommended you enter a meaningful description to help either your future self or other tenant administrators know the logic behind this profile. This is particularly true if you will have multiple OneDrive Configuration Profiles due to different rules for different groups.

This is where things will look familiar if you have used GPOs before. Settings are divided between Computer Configuration and User Configuration: a computer setting applies to all users that log in to that device, whereas a user setting follows the user regardless of which device they sign in to. All but one of the policies we will configure are exclusive to either computer or user configuration; the exception is syncing SharePoint sites, which supports either computer- or user-based scenarios.

Click All Settings then, in the search and filter bar, enter “OneDrive”. This filters the massive list of settings to only those relevant to the OneDrive client.

Now, we’ll start configuring the actual settings. Select each setting needed to achieve the outcomes described at the start of this article, configure it as described below, then save it by clicking the OK button on that setting’s page.

Co-author and share in Office desktop apps

Choose Enabled.

This setting enables real-time co-authoring and collaboration in the full version of Office apps on Windows. For example, if a file is stored in OneDrive for Business, Teams, or a SharePoint Document Library, multiple users can work together on the file and see each other’s changes as they happen. This is a big productivity boost for environments used to locked files typically seen when operating with mapped drives.

Configure team site libraries to sync automatically for Intune Policies

Choose a Name and Value.

This setting will make SharePoint Online Document Libraries available to the user via File Explorer without them having to manually choose the Sync option in that library’s web page. The Value you enter for this setting is obtained by initiating the sync process manually, then copying the library ID to your clipboard.

There are a few important points to note about this setting when it comes to Intune policies. Firstly, if a user logs in for the first time and doesn’t see the synced directory, that is unfortunately to be expected, because Microsoft advises it can take up to eight hours for it to appear. Secondly, it only works on Windows 10 1709+ with another setting, Use OneDrive Files On-Demand, also enabled (more on that setting further on in this article).

Finally, Microsoft’s guidance is to not enable this on directories that will have over 5000 files or folders (that’s or, not and), and do not push this setting out to over 1000 devices.

Personally, when it comes to Intune policies, I have seen enormous libraries sync with no problems (tens of thousands of files), but you will obviously not be supported by Microsoft if you choose to do so. Furthermore, my experience isn’t the same as everyone’s — the guidance would not be there if there were no known problems. Test thoroughly and acknowledge the risk if this is a requirement.

Regarding the deployment of this setting, you may want to consider two more things. First, the setting Convert synced team site files to online-only files could be used in conjunction with this to limit the files actually being retained on the device, instead only available when the device is online. This will help your bandwidth and local storage. Second, consider separating this individual setting from all the others configured in this policy. By deploying this setting as a standalone policy, you can have general OneDrive settings grouped together, deployed to all users, then separately have more control over what cloud directories are synced by other policies, scoped at a more fine-grained level.

Disable the tutorial that appears at the end of OneDrive Setup

Choose Enabled.

To improve the sign-on experience for our users, it’s recommended you hide the tutorial. I appreciate this may be counter-intuitive (“help them by hiding a guide?” I hear you shout), but in doing so we assume you have already educated your users on what OneDrive is and how to use it. We want our users to get up and running with their device and software as soon as possible, so reducing the number of clicks helps.

Limit the sync app upload rate to a percentage of throughput

Choose Enabled and a value for Bandwidth, up to 99.

The OneDrive client can essentially do a speed test of the current connection and set an upload limit based on a percentage of this. Even if the policy is set, there is a one-minute period every ten minutes to allow unlimited upload utilisation, but only for small files. This is also the period in which the maximum upload speed is calculated, which makes it dynamic based on changing availability.

Prevent users from changing the location of their OneDrive folder

Choose Enabled and enter your tenant ID as a Name with the value of 1 to enable for that tenant.

This setting will lock the folder used for OneDrive synchronisation to the default one, but it can be used in conjunction with Set the default location for the OneDrive folder if you require it to be something else. Although users would not be prompted to choose a folder by default once we enable automatic sign-on, enabling this setting removes the possibility of them choosing to stop syncing their OneDrive, then starting again with an alternative path.

Prevent users from syncing personal OneDrive accounts

Choose Enabled.

This self-explanatory setting will block any consumer Microsoft account from using the OneDrive client’s sync engine, thereby introducing some controls over the management of company devices in your tenant.

Require users to confirm large delete operations

Choose Enabled.

A potential crisis-averting setting, when you enable this your users will be warned by a toast notification if they delete 200 or more files.

The files will be deleted from the local device, but if you choose Restore files, the cloud-synchronised versions of the files will download again. Additionally, the user will be warned about this by a changed OneDrive icon in the notification area, and by another warning when they click it.

Silently move Windows known folders to OneDrive

Choose Enabled, enter your Tenant ID, and choose No against Show notification to users after folders have been redirected.

If you take one setting away from this blog on Intune Policies, make it this one. This leverages a OneDrive feature called Known Folder Move (KFM) to sync the existing local user profile’s Documents, Desktop, and Pictures folders.

If your environment is introducing OneDrive for Business for the first time, this is a game changer, because it takes the folders used the most and protects them with cloud sync; that is one less habit you need to re-train users on. If you are introducing it to an environment for the first time, it’s best to stage the deployment (Microsoft recommends around 4,000 per week). Make sure you use the setting Limit the sync app upload rate to a percentage of throughput so that you do not completely overwhelm your network.

Lastly, think about file paths. When KFM is enabled, the folders will go from being directly within %userprofile% to %userprofile%\OneDrive – YourCompany. The implications and risks involved are things such as an increase in the file path character count (does your line of business software support long paths?), or if users have shortcuts to files, these will need to be changed.

Silently sign in users to the OneDrive sync app with their Windows credentials

Choose Enabled.

OK, maybe this should be the “if you’re only going to take away one thing…” setting. Silent sign-in will authenticate the OneDrive client as the currently signed-in Windows user. This is only available as a device setting, so it will apply whenever anyone new signs in. It will only work on an Azure AD joined device authenticated as an Azure AD user, or on a Hybrid Azure AD joined device authenticated as a user with a synchronised or federated account.

Use OneDrive Files On-Demand

Choose Enabled.

A prerequisite for automatically synchronising SharePoint Document Libraries, and an important setting even if you don’t want to sync libraries, this enables the OneDrive Files On-Demand feature on Windows 10 1709+. Files On-Demand lets files be seen in File Explorer while they exist only in their cloud location and are downloaded only when needed; they are fully integrated into the OS itself, so any application can open them. A user can also choose Always keep on this device or Free up space from a file or folder’s context menu, and OneDrive will download or remove an offline cache of the files, hierarchically.

Deploy the Configuration Profile for Intune Policies

With your settings all configured, choose Next on the Configuration settings page.

This takes you to Scope tags. Configure these if your environment uses them, or do not change the defaults, then proceed by clicking Next.

The next step in deployment is Assignments, in which we specify which groups to assign to or exclude from the Configuration Profile. The intricacies of how best to architect policy assignment are out of scope for this article, but remember that some policies were configured for users and others for devices, so we must include Azure AD groups containing both users and devices to get all the necessary settings. After making your selection, choose Next.

Finally, you are presented with the Review + create screen, within which you can double check everything has been set as expected (seriously, double check those assignments!) and make the settings live by clicking Create.

Devices in scope being deployed with Autopilot will pick up these settings during deployment, and users will experience a seamless first-run experience that will get them able to access OneDrive for Business as soon as they sign in. For existing devices, you will need to wait for the device to check in to Intune for the settings to apply, which means potentially not seeing the effects until after the next reboot.
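As an added example (not from the original article), the following PowerShell checks on a device whether the settings above have actually landed. ADMX-backed Intune settings are written to the same registry locations the OneDrive ADMX defines for Group Policy; the value names below are the ones the OneDrive ADMX uses (verify them against your ADMX version), and the tenant ID and bandwidth percentage are placeholders.

```powershell
# Added example: verify the OneDrive policies this profile configures are in force on a device.
# Run as the signed-in user in an elevated session so both HKLM (device) and HKCU (user) are readable.
# Value names are those used by the OneDrive ADMX; <YOUR-TENANT-ID> and the 50% value are placeholders.

$TenantId = '<YOUR-TENANT-ID>'   # placeholder: your Azure AD tenant GUID
$Device   = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'   # Computer Configuration settings
$User     = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'   # User Configuration settings

# One entry per setting from the article: where it lives, its value name, and the expected data.
$Expected = @(
    @{ Setting = 'Silently sign in users';              Path = $Device; Name = 'SilentAccountConfig';                 Value = 1 }
    @{ Setting = 'Silently move known folders (KFM)';   Path = $Device; Name = 'KFMSilentOptIn';                     Value = $TenantId }
    @{ Setting = 'KFM: no notification to users';       Path = $Device; Name = 'KFMSilentOptInWithNotification';     Value = 0 }
    @{ Setting = 'Use Files On-Demand';                 Path = $Device; Name = 'FilesOnDemandEnabled';               Value = 1 }
    @{ Setting = 'Confirm large delete operations';     Path = $Device; Name = 'ForcedLocalMassDeleteDetection';     Value = 1 }
    @{ Setting = 'Limit upload rate (% of throughput)'; Path = $Device; Name = 'AutomaticUploadBandwidthPercentage'; Value = 50 }
    @{ Setting = 'Prevent changing folder location';    Path = "$Device\DisableCustomRoot"; Name = $TenantId;        Value = 1 }
    @{ Setting = 'Disable the setup tutorial';          Path = $User;   Name = 'DisableTutorial';                    Value = 1 }
    @{ Setting = 'Prevent personal account sync';       Path = $User;   Name = 'DisablePersonalSync';                Value = 1 }
    @{ Setting = 'Co-author and share in Office apps';  Path = $User;   Name = 'EnableAllOcsiClients';               Value = 1 }
)

function Test-OneDrivePolicy {
    # Returns one row per setting: OK, MISMATCH, or MISSING (policy not yet applied).
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $state = 'MISMATCH'
        if ($null -eq $actual) { $state = 'MISSING' }
        elseif ("$actual" -eq "$($c.Value)") { $state = 'OK' }
        [pscustomobject]@{ Setting = $c.Setting; State = $state; Expected = $c.Value; Actual = $actual }
    }
}

Test-OneDrivePolicy -Checks $Expected | Format-Table -AutoSize

# Team site libraries set to sync automatically: each value under TenantAutoMount is
# Name = friendly name, Data = library ID. The key is supported under both HKLM and HKCU.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($root in $Device, $User) {
    $mounts = Get-ItemProperty -Path "$root\TenantAutoMount" -ErrorAction SilentlyContinue
    if ($mounts) {
        $mounts.PSObject.Properties |
            Where-Object { $_.Name -notin $providerProps } |
            ForEach-Object { "Auto-mount library '{0}' configured under {1}" -f $_.Name, $root }
    }
}
```

A row reporting MISSING on an existing device usually just means it has not checked in to Intune since the profile was assigned; a MISMATCH is worth investigating, as it can indicate a conflicting profile or GPO.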

Summary

In this article on Intune policies, you’ve learned how to create an Intune Administrative Template Configuration Profile and configure some great OneDrive settings to reduce the onus on your users to configure things and, consequently, improve their IT experience.

Due to the nature of file synchronisations, make sure you deploy these settings in conjunction with thorough planning and testing, considering available bandwidth and existing configurations.

About the Author

Ruairidh Campbell

Ru Campbell is a Public Cloud Technical Consultant, helping customers with security, compliance, and modern device management. He specializes in Microsoft 365 Enterprise Mobility + Security and Microsoft Defender. You can connect with Ru on Twitter @rucam365.

Comments

  1. Adeel

    Hi Everyone,

    Does anyone know if there is any policy in Intune to perform the tasks below?

    1- Block users from Pausing/Disabling Sync on OneDrive.
    2- Block users disabling “Start OneDrive When I sign in to Windows”

    Thanks

  2. Matt

    Hi Everyone,

    I am having major issues with achieving some of these tasks. Does anyone know what the solution is, or if it’s even possible?

    1- Block users from Pausing/Disabling Sync
    2- Block users disabling “Start OneDrive When I sign in to Windows”

    Ideally I would like it to run/sync all the time so users can’t make any changes to it.

    Thanks
    Matt

  3. Eugene Meenan

    That was brilliant. Our devices are mostly hybrid, so it took a moment or two to apply the policy, but that was so much easier than the confusion users have had beforehand – I don’t suppose you’ve found a policy that will remove personal Teams and deploy Teams (work or school) successfully, as that would also save us some time, especially on the board room machines, as it only takes a feature update and it appears again, just confusing the users 🙂

    Again that was brilliant thanks for pointing me in the right direction.

  4. James H

    Great write-up, thanks a bunch. We’ve already enabled a lot of these settings, but it’s always nice to get some context. I appreciate your work.

  5. Mathieu

    Hi Ru

    Do you have a solution in order for non-admin users to save files only in the Desktop and My Documents OneDrive-synced folders and prevent local saving?

    Thanks

  6. Dan Powell

    Hi Ruairidh.

    Just came across this article and some of these ideas are great!
    Will certainly be using these as a standard for future Intune Deployments

  7. Gerald Bryant

    Happy Thursday Ru,
    Great article indeed.
    Do you have a similar article for iOS and Android devices?
    I’d like to make my Intune policies more user-friendly for OneDrive for Business client deployment on mobile devices as well.
    Look forward to seeing your reply
    thx
    ggb

  9. Jason Wilder

    Now, if only this system worked reliably. I have been trying for nearly 2 months to see this operate correctly in any manner. I even have MS themselves recreating the issue and it does not want to cooperate.

    1. Ru Campbell

      Hey Jason. What part is giving you trouble? The main ones I’ve seen that can be less reliable are syncing SPO sites (timing is dreadful) or SSO (e.g. doesn’t sign in when user first logs in).

  10. Hal Sclater

    Ok but most larger customers have domain joined PCs which are not Intune enrolled, in which case this has to be done using GPOs instead. The article should maybe cover that as well.

    1. Ru Campbell

      Hey, totally agreed that most enterprises will still be configuring these kinds of things with GPO; however, you can manage domain joined devices with Intune if you set up Hybrid Azure AD Join, which I’d recommend for anyone that has it licensed but can’t go Azure AD only. The other thing to note is that because these Intune Admin Templates are fundamentally GPOs, you can still configure Intune by Group Policy with these same settings if that’s your only option.
