CP - OneDrive
What this page is about
By now, you probably figured out from the title (and the emojis) that this policy is about Windows devices. Specifically, OneDrive. Specifically-er, making sure users don't mess it up.
This configuration is here to make sure:
- End-users don't store precious work files only on their local machines
- Known folders (Desktop, Documents, Pictures) are always backed up to OneDrive
- There is zero ambiguity about who owns what, and how it syncs
Because yes, technically it's "for the user", but actually it's for everyone using the device, not just the first one who logs in before you manage to block BYOD.
Why this matters
You don't want someone's private recipes, blurry holiday photos or highly sensitive "cat tax" images to end up in the corporate OneDrive by accident. That's why device-level enforcement is the way to go.
Oh, and we're excluding devices that don't use OneDrive anyway. Because... obviously.
OneDrive Configuration Table
Below you'll find all settings neatly laid out, with values, context, and copy-pasteable fields. You're welcome.
Setting | State | Additional Info / Values |
---|---|---|
Allow OneDrive to disable Windows permission inheritance in folders synced read-only | Enabled | |
Always use the user's Windows display language when provisioning known folders in OneDrive | Enabled | |
Exclude specific kinds of files from being uploaded | Enabled | Keywords: Microsoft teams.lnk |
Hide the "Deleted files are removed everywhere" reminder | Enabled | |
Prevent users from redirecting their Windows known folders to their PC | Enabled | |
Prompt users to move Windows known folders to OneDrive | Enabled | Tenant ID: ${SUPERVISION_TENANTID} |
Set the sync app update ring | Enabled | Update ring: Production |
Silently move Windows known folders to OneDrive | Enabled | - Desktop: True - Documents: True - Pictures: True - Show notification: No - Tenant ID: ${SUPERVISION_TENANTID} |
Silently sign in users to the OneDrive sync app with their Windows credentials | Enabled | |
Use OneDrive Files On-Demand | Enabled | |
Warn users who are low on disk space | Enabled | Minimum available disk space: 1024 MB |
Group Assignments
Included groups:
All Devices
Excluded groups:
- Group | Autopilot Devices - IoT
- Group | Autopilot Devices - Kiosk
- Group | Autopilot Devices - W365 Boot
Why?
Because those devices don't use OneDrive. Let's not force feed sync settings to a Kiosk screen that loops PowerPoint all day.
SuperVision Tip
Some settings ask for a Tenant ID. And while it may be tempting to paste in your own and call it a day... don't. Seriously.
If you copy-paste your own Tenant ID into a policy that gets deployed to all customers, congrats, you just connected every OneDrive client to the wrong cloud.
Use this instead: ${SUPERVISION_TENANTID}
SuperVision will dynamically inject the correct tenant ID for each environment. One tag to rule them all.
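A pre-deployment check for this tip, as an added example that is not part of the original page or SuperVision's own tooling: it scans a policy table in the layout used on this page and flags any Tenant ID that is a literal GUID instead of the tag, or that is missing where the table carries one. The function name, the problem labels and the sample rows (including the GUID) are constructed for illustration.

```python
import re

PLACEHOLDER = "${SUPERVISION_TENANTID}"  # per-environment tag used in the table
# Settings that carry a Tenant ID in the configuration table on this page.
NEEDS_TENANT = {
    "Prompt users to move Windows known folders to OneDrive",
    "Silently move Windows known folders to OneDrive",
}
GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
TENANT_FIELD = re.compile(r"Tenant ID:\s*(\S+)")

def lint_policy_table(table_text):
    """Return (setting, problem) pairs for rows with an unsafe Tenant ID."""
    findings = []
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Setting" or set(cells[0]) <= {"-"}:
            continue  # header, separator or malformed row
        setting, info = cells[0], cells[2]
        match = TENANT_FIELD.search(info)
        if match is None:
            if GUID.search(info):
                findings.append((setting, "unlabelled GUID in value"))
            elif setting in NEEDS_TENANT:
                findings.append((setting, "missing Tenant ID"))
        elif GUID.fullmatch(match.group(1)):
            findings.append((setting, "hard-coded tenant GUID"))
        elif match.group(1) != PLACEHOLDER:
            findings.append((setting, "unexpected Tenant ID value"))
    return findings

# Constructed sample: the first row pastes a made-up GUID, the second uses the tag.
SAMPLE = """\
Setting | State | Additional Info / Values |
---|---|---|
Prompt users to move Windows known folders to OneDrive | Enabled | Tenant ID: 00000000-1111-2222-3333-444444444444 |
Silently move Windows known folders to OneDrive | Enabled | - Desktop: True - Documents: True - Pictures: True - Show notification: No - Tenant ID: ${SUPERVISION_TENANTID} |
Silently sign in users to the OneDrive sync app with their Windows credentials | Enabled | |
"""

if __name__ == "__main__":
    for setting, problem in lint_policy_table(SAMPLE):
        print(f"{problem}: {setting}")
```

Run against a template before it is published to customers, an empty result means every Tenant ID field still relies on per-environment injection.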
Final Thoughts
OneDrive is a brilliant tool, when used properly. This config makes sure:
- Users don't have to think
- You don't have to clean up their mess
- Data is backed up by default
Because trust me, when the CFO deletes their desktop folder, you will get the call. And nobody wants that.
Standardize like a pro.
Configure with intent.
And never trust a folder called Temp.