OneDrive Known Folder Move

OneDrive Known Folder Move (KFM) allows you to redirect common Windows folders (Desktop, Documents and Pictures) to the user's personal OneDrive. Redirecting users’ personal folders allows for easier device migrations or swaps. Because user data is backed up on OneDrive, when the user signs into a new device all their personal data will be automatically downloaded. This occurs in under an hour in most cases, and the user doesn’t have to worry about saving files manually before switching devices.

Further, with personal folder redirection, users’ documents, pictures, and other files will automatically be backed up and version controlled so losing documents becomes a thing of the past. If the user’s device is hacked, restoration becomes much easier – just roll back to a previous version. 

OneDrive Known Folder Move is the modern replacement for the well-known folder redirection group policy. The deployment with Microsoft Intune allows you to trigger or automate the OneDrive KFM configuration for your end-users.

The following 4 policies are needed to control the OneDrive Known Folder Move feature.

You will need to configure these Group Policies here:

The settings you configure are entirely up to you; however, I also recommend the following:

  • Require users to confirm large delete operations
    • Does what it says on the box: helps users think twice before deleting valuable data.
  • Silently sign in users to the OneDrive sync client with their Windows credentials
    • This is normally their Azure AD credentials if the device is AAD joined & Intune managed.
  • Use OneDrive Files On-Demand
    • Prevents users from downloading more data than they have storage capacity for on their device by only downloading the data the user accesses.

PREPARATION

  1. Log in to Azure and navigate to Azure Active Directory.
  2. Under Overview, copy your Tenant ID for later use.

PROFILE CREATION

1. Log in to Azure and navigate to Microsoft Intune, go to Device configuration > Profile, then click Create Profile.

2. Select platform Windows 10 and later and profile Administrative Templates, then click Create.


3. Give the profile an appropriate name e.g. Department – Win10 – Device – Administrative Template – Microsoft OneDrive v1 and click Next.

Assign Settings to Profile

Prompt users to move Windows known folders to OneDrive

Use this setting to give the users a call to action to move their Windows known folders.


If users dismiss the prompt, a reminder notification will appear in the activity centre until they move all known folders or an error occurs with the move, in which case the reminder notification will be dismissed.


If a user has already redirected their known folders to a different OneDrive account, they’ll be prompted to direct the folders to the account for your organization (leaving existing files behind).

Important – We recommend deploying the prompt policy for existing devices only, and limiting the deployment to 5,000 devices a day and not exceeding 20,000 devices a week.

Prevent users from moving their Windows known folders to OneDrive

If you enable this setting, users won’t be prompted with the “Set up protection of important folders” window. Use its options to choose what happens if users have already moved known folders.

Silently move Windows known folders to OneDrive

Use this setting to redirect and move known folders to OneDrive without any user interaction. Move all the folders or select the desired individual folders. After a folder is moved, the policy will not affect the folder again, even if the selection for the folder changes.

Note – You can choose to display a notification to users after their folders have been redirected.

A number of errors can prevent this setting from taking effect, such as:

  • A file exceeds the maximum path length
  • The known folders aren’t in the default locations
  • Folder protection is unavailable
  • Known folders are prohibited from being redirected

For info about these errors, see “Fix problems with folder protection”.

Important – We recommend deploying the silent policy for existing devices and new devices while limiting the deployment of existing devices to 1,000 devices a day and not exceeding 4,000 devices a week. We also recommend using this setting together with “Prompt users to move Windows known folders to OneDrive.” If moving the known folders silently does not succeed, users will be prompted to correct the error and continue.

Prevent users from redirecting their Windows known folders to their PC

When an IT admin chooses this setting, it forces users to keep their Documents, Pictures, and Desktop folders directed to OneDrive. Once enabled, the “Stop protecting” button in the “Set up protection of important folders” window will be disabled and users will receive an error if they try to stop syncing a known folder. However, if you disable or do not configure this setting, users can choose to redirect their known folders back to their PC.
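
Once the profile has been assigned, it is worth confirming on a test device that the policies arrived and carry the right Tenant ID, since a wrong ID would point the folder move at the wrong organization. The script below is an added example, not part of the original post: it only reads state, and it assumes the Administrative Template settings surface as the documented OneDrive policy registry values under HKLM\SOFTWARE\Policies\Microsoft\OneDrive. The Tenant ID shown is a placeholder.

```powershell
# Added example: read-only check that the KFM policies from the Intune profile reached this device.
# Assumption: the settings appear as OneDrive policy values under the HKLM policy key below.
param(
    # Placeholder: replace with the Tenant ID copied in the PREPARATION step.
    [string]$TenantId = '00000000-0000-0000-0000-000000000000'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

# Policy display name -> registry value name and the value expected on a compliant device.
$expected = [ordered]@{
    'Prompt users to move Windows known folders to OneDrive'                 = @{ Name = 'KFMOptInWithWizard';   Value = $TenantId }
    'Silently move Windows known folders to OneDrive'                        = @{ Name = 'KFMSilentOptIn';       Value = $TenantId }
    'Prevent users from redirecting their Windows known folders to their PC' = @{ Name = 'KFMBlockOptOut';       Value = 1 }
    'Silently sign in users to the OneDrive sync client'                     = @{ Name = 'SilentAccountConfig';  Value = 1 }
    'Use OneDrive Files On-Demand'                                           = @{ Name = 'FilesOnDemandEnabled'; Value = 1 }
}

$current = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

$report = foreach ($policy in $expected.GetEnumerator()) {
    $name   = $policy.Value.Name
    $actual = if ($current -and $current.PSObject.Properties[$name]) { $current.$name } else { $null }
    [pscustomobject]@{
        Policy   = $policy.Key
        Value    = $name
        Expected = $policy.Value.Value
        Actual   = $actual
        # A tenant ID mismatch matters most: folders would be moved for the wrong organization.
        Status   = if ($null -eq $actual) { 'Missing' }
                   elseif ("$actual" -eq "$($policy.Value.Value)") { 'OK' }
                   else { 'Mismatch' }
    }
}
$report | Format-Table -AutoSize

# Run as the signed-in user: confirm each known folder now resolves inside the work OneDrive folder.
$oneDriveRoot = $env:OneDriveCommercial
foreach ($folder in 'Desktop', 'MyDocuments', 'MyPictures') {
    $path  = [Environment]::GetFolderPath($folder)
    $moved = $oneDriveRoot -and $path.StartsWith($oneDriveRoot, [StringComparison]::OrdinalIgnoreCase)
    '{0,-12} {1} -> {2}' -f $folder, $path, $(if ($moved) { 'redirected to OneDrive' } else { 'still local' })
}
```

A "Missing" row means the policy has not yet synced to the device or is not part of the assigned profile; a folder reported as "still local" after the silent policy is present points to one of the errors listed above.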

Additional OneDrive Policies that can be recommended.

I suggest configuring the following settings:

  • Disable the tutorial that appears at the end of the OneDrive Setup
    • Commonly I have found users skip this tutorial as they see it as an annoyance. It is better to communicate the features of OneDrive through other methods such as short video tutorials.
  • Prevent users from changing the location of their OneDrive folder
    • Provides a standardized environment that is easier to support and prevents users from doing odd things such as redirecting it to removable storage or other cloud storage accounts.
  • Prevent users from syncing personal OneDrive accounts
    • Should be enabled alongside other policies to prevent users syncing personal Microsoft accounts to work devices, preventing confusion around software ownership and defining a security boundary.
  • Show OneDrive Sign In
    • The aim of this is to silently enable KFM

One thought on “Deploy OneDrive Known Folder Move with Intune”

  1. You also want to protect OneDrive by adding it to the list of default folders protected against ransomware by Defender by enabling the following policy in Intune; “Configure protected folders”
    Then entering a name for it, and pasting the OneDrive location (default location is c:\Users\\OneDrive* (* is used because the path usually has a ‘- ‘ appended after “OneDrive”):
