Modern IT environments face the challenge of managing user data across multiple devices while maintaining productivity, security, and compliance. Traditionally, folder redirection via Group Policy has been used to centralize user data, but it often comes with complexity and limited cloud integration.
Microsoft’s OneDrive Known Folder Move (KFM) offers a modern solution, redirecting Desktop, Documents, and Pictures folders to OneDrive, ensuring data is automatically backed up to the cloud, version-controlled, and accessible across devices. Combined with Microsoft Intune, organizations can automate KFM deployments, reduce user friction, and simplify device migrations — critical for enterprises embracing hybrid work.
In this guide, we’ll explore policy configurations, best practices, and real-world insights from large-scale KFM deployments.
Why Use OneDrive Known Folder Move?
OneDrive KFM provides significant advantages over traditional folder redirection:
- Seamless Device Migration
When a user signs into a new device, all redirected folders are automatically synced from OneDrive. In most cases, the data downloads within an hour, eliminating the need for manual file transfers. - Data Protection and Versioning
Files are automatically backed up and version-controlled. If a device is compromised or a file is accidentally deleted, IT can restore previous versions, reducing downtime and data loss. - Simplified User Experience
Users interact with their familiar folders on their device while KFM handles the backend cloud sync. Minimal training is required, which improves adoption rates. - Enterprise Security Integration
Using KFM in combination with Azure AD and Intune allows IT to enforce policies, prevent data leaks, and ensure compliance with corporate security standards.
Preparing for KFM Deployment
Before deploying KFM, IT administrators must gather critical information and plan the strategy:
- Azure Tenant Identification
- Login to Azure Active Directory.
- Copy your Tenant ID, which is required for Intune configuration and automated sign-in policies.
- Device Readiness
- Ensure devices are Azure AD joined or hybrid joined.
- Confirm OneDrive sync client is installed and updated to the latest version.
- User Communication Plan
- Inform users about upcoming folder redirection.
- Provide guidance on accessing files post-migration.
- Consider short tutorial videos instead of relying on the default OneDrive setup guide.
Configuring OneDrive Policies via Intune
Microsoft Intune allows granular control over OneDrive KFM through Administrative Templates. The key policies include:
1. Prompt Users to Move Windows Known Folders to OneDrive
- Purpose: Provides users with a call-to-action to move Desktop, Documents, and Pictures.
- Behavior: If a user dismisses the prompt, reminders appear in the Windows Activity Center.
- Best Practice: Limit deployment for existing devices to 5,000 devices/day and 20,000 devices/week to prevent service overload.
2. Prevent Users from Moving Their Windows Known Folders to OneDrive
- Purpose: Blocks users from redirecting folders to OneDrive.
- Use Case: Useful when enforcing corporate security boundaries or preventing personal accounts from syncing.
3. Silently Move Windows Known Folders to OneDrive
- Purpose: Automatically redirects folders without user interaction.
- Key Considerations:
- Move all folders or select individual ones.
- Display optional notifications post-redirect.
- Be aware of errors such as:
- File path exceeding maximum length
- Folders not in default locations
- Existing protection restrictions
Real-World Tip: Deploy silent moves in small batches for existing devices (e.g., 1,000/day) and combine with the prompt policy to catch errors automatically.
4. Prevent Users from Redirecting Windows Known Folders to Their PC
- Purpose: Enforces OneDrive as the single source of truth for Documents, Desktop, and Pictures.
- Behavior: The “Stop protecting” button in OneDrive is disabled. Users attempting to redirect folders to local storage receive an error.
Additional Recommended OneDrive Policies
To create a consistent and secure deployment, consider configuring the following settings:
- Silently Sign-in Users
- Leverages Azure AD credentials to sign users into OneDrive automatically.
- Eliminates login prompts and streamlines folder migration.
- Use Files On-Demand
- Reduces local storage usage by downloading files only when accessed.
- Ideal for devices with limited disk space or heavy multimedia storage.
- Prevent Users from Changing OneDrive Folder Location
- Ensures standardized environment and prevents users from redirecting folders to removable drives or personal cloud storage.
- Prevent Personal OneDrive Accounts
- Restricts syncing of personal Microsoft accounts to corporate devices.
- Reduces confusion, improves compliance, and maintains corporate data boundaries.
- Disable OneDrive Setup Tutorial
- Many users skip the tutorial.
- Replace with internal training materials or short video guides.
Creating the Intune Configuration Profile
Step-by-step example for deploying OneDrive KFM:
Select Platform
Choose Windows 10 and later.
Login to Intune
Navigate to: Microsoft Intune > Device Configuration > Profiles > Create Profile.
Profile Type
Select Administrative Templates.
Assign Profile Name
Example: Department – Win10 – Device – Admin Template – OneDrive v1.
Configure Policies
- Enable or disable the four key policies (prompt, prevent move, silent move, prevent redirect to PC).
- Optionally configure additional policies (Files On-Demand, silent sign-in, personal account restrictions).
Deployment Scope
For existing devices, consider staged deployment to avoid service disruption.
Assign to device groups.
Assign Settings to Profile
Prompt users to move Windows known folders to OneDrive
Use this setting to give the users a call to action to move their Windows known folders.
If users dismiss the prompt, a reminder notification will appear in the activity centre until they move all known folders or an error occurs with the move, in which case the reminder notification will be dismissed.
If a user has already redirected their known folders to a different OneDrive account, they’ll be prompted to direct the folders to the account for your organization (leaving existing files behind). Important. We recommend deploying the prompt policy for existing devices only, and limiting the deployment to 5,000 devices a day and not exceeding 20,000 devices a week.
Prevent users from moving their Windows known folder to Onedrive
If you enable these settings, users won’t be prompted with the ‘setup protection of important folders’. You should choose these options to choose what happens if users have already moved known folders.
Silently move Windows known folders to OneDrive
Use this setting to redirect and move known folders to OneDrive without any user interaction. Move all the folders or select the desired individual folders. After a folder is moved, the policy will not affect the folder again, even if the selection for the folder changes. Note You can choose to display a notification to users after their folders have been redirected. A number of errors can prevent this setting from taking effect, such as:
- A file exceeds the maximum path length
- The known folders aren’t in the default locations
- Folder protection is unavailable
- Known folders are prohibited from being redirected
Real-World Implementation Insights
From deploying KFM in enterprise environments, several practical lessons emerge:
- Staged Rollouts Reduce Issues: Redirecting thousands of user folders simultaneously can trigger sync errors or overload OneDrive servers. Limiting batch sizes helps ensure smooth migration.
- Error Handling is Key: Silent migrations may fail due to path length, pre-existing folder redirection, or permission issues. Combining silent moves with prompts ensures errors are resolved without user confusion.
- User Education Matters: Even with automated migrations, users should understand Files On-Demand, versioning, and recovery options to prevent accidental data loss.
- Hybrid Work Considerations: KFM is especially effective in hybrid environments where users switch between office PCs, laptops, and personal devices. Automatic sync ensures data continuity.
Conclusion
Deploying OneDrive Known Folder Move with Intune provides a modern, cloud-native solution for folder redirection. By centralizing Documents, Desktop, and Pictures in OneDrive:
- User data is backed up, version-controlled, and recoverable
- Device migrations become seamless, reducing IT support overhead
- Security and compliance are enforced through controlled policies
For IT professionals managing enterprise deployments, combining silent migrations, prompt policies, and additional OneDrive configurations ensures a balance between automation and user control. KFM is no longer just a convenience—it’s an essential tool for secure, cloud-integrated productivity in modern workplaces.
From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
You also want to protect OneDrive by adding it to the list of default folders protected against ransomware by Defender by enabling the following policy in Intune; “Configure protected folders”
Then entering a name for it, and pasting the OneDrive location (default location is c:\Users\\OneDrive* (* is used because the path usually has a ‘- ‘ appended after “OneDrive”):