Prevent users from disabling OneDrive Desktop app

Brass Contributor

I'm looking for a method that prevents users from disabling the OneDrive desktop app. I'm using Intune device configuration policies to configure KFM, silent configuration and I've enabled the setting "Silently sign in users to the OneDrive sync app with their Windows credentials". The PC successfully uses the Windows creds to log the user into their ODfB account, however the user can disable the OD desktop app from its settings by deselecting "Start OneDrive when I sign in to Windows". Is there a way to disable this setting, preferably from Intune?

 

Environment: AAD Joined, Win 10 Ent latest build, policies via Intune, OS deployment via Autopilot.

4 Replies

@johnjjohn 

To prevent users from disabling the OneDrive desktop app and deselecting the "Start OneDrive when I sign in to Windows" setting, you can utilize Group Policy settings in combination with Intune.

Here is how you can do it:

  1. Create a new Group Policy Object (GPO) or edit an existing GPO that targets the computers you want to apply the policy to.
  2. Open the Group Policy Management Editor and navigate to the following policy setting: Computer Configuration > Administrative Templates > Windows Components > OneDrive
  3. Locate the policy setting named "Prevent users from syncing personal OneDrive accounts" and set it to "Enabled". This policy prevents users from adding personal OneDrive accounts to the OneDrive desktop app.
  4. Additionally, you can enable the policy setting named "Prevent users from synchronizing personal OneDrive accounts" to further restrict the use of personal OneDrive accounts.
  5. Save and apply the GPO to the appropriate organizational units or devices.
  6. Next, configure Intune to apply the Group Policy settings to the targeted devices using the Administrative Templates profile in Intune. You can create a new Administrative Templates profile or modify an existing one.
  7. In the Administrative Templates profile, navigate to the corresponding policy setting mentioned above and configure it to match the Group Policy setting you applied earlier.
  8. Assign the profile to the targeted devices or user groups in Intune.

By combining Group Policy settings with Intune, you can enforce the desired OneDrive desktop app configuration and prevent users from disabling specific settings related to OneDrive.

 

Thanks for the reply. Could you clarify the solution: Enabling the setting "Prevent users from syncing personal OneDrive accounts" disables the ability for users to deselect the setting "Start OneDrive when I sign in to Windows"?
I apologize for the confusion in my previous response. Enabling the "Prevent users from syncing personal OneDrive accounts" setting does not directly disable the ability for users to deselect the "Start OneDrive when I sign in to Windows" setting.

The "Prevent users from syncing personal OneDrive accounts" setting specifically prevents users from adding personal OneDrive accounts to the OneDrive desktop app. It focuses on restricting the synchronization of personal accounts alongside the organizational OneDrive for Business.

To prevent users from deselecting the "Start OneDrive when I sign in to Windows" setting, you need to use a different approach. One option is to use Group Policy settings or Intune policies to configure and enforce the desired OneDrive settings, including the automatic startup of OneDrive when users sign in to Windows.

By applying the appropriate Group Policy or Intune policies, you can ensure that the "Start OneDrive when I sign in to Windows" setting remains enabled and users cannot disable it. This approach provides more granular control over the specific behavior and configuration of OneDrive on users' devices.
I haven't been able to locate within GPO or Intune policies, the setting that enforces and disables the ability for the user to disable "Start OneDrive when I sign in to Windows".